WCCP with Catalyst6500 version 12.2(33)SXI

Answered Question
Mar 27th, 2009

Hi,

I deployed 2x6500 and 3xWAE in a branch. The problem is that when I turn WCCP on, all traffic is cut off for the interface with service 61. I have an ACL for the traffic which has to be redirected, but there isn't any match in this ACL.

Each WAE is connected to both 6500s (FE, full-duplex). I also have another branch with the same configuration that is working (but there the WAE is connected by GE - this is the only difference).

WAAS 4.1.1c

Any idea?

dstolt Fri, 03/27/2009 - 19:55

Hi,

Can you post a diagram to show your topology where you are doing interception? Please also post the WAE/6500 WCCP configs.

Also, are you using standby interfaces on the WAEs or some other connectivity to both 6500s?

Thanks,

Dan

dkrupanext Mon, 03/30/2009 - 15:58

Hi,

I attached files with a short version of the configuration. I hope that it's enough.

On the WAE, in the router list I put the IP addresses of the 6500 interfaces (A & B), not a standby IP address.

Regards

Darek

dstolt Mon, 03/30/2009 - 18:34

Darek,

A couple of comments on your configs. I would not use the following configs with a hardware based redirection on a CAT-6K.

int tunnel x

ip wccp 62 redirect in

- As far as I know, this should not work for redirection on a hardware based platform, however, it WILL work on a software based IOS platform.

egress-method negotiated-return intercept-method wccp (on the WAE)

- This should cause your egress traffic to be all processed by the CPU as it cannot do WCCP-GRE on the SUP. Use Generic GRE egress instead for CAT6Ks. http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v411/configuration/guide/traffic.html#wp1106308

Both of those configs will give you trouble on a hardware based platform. I might recommend that you move away from the tunnel interface if at all possible. As a side note, on the newer ASR-1000 platform, we can do interception on tunnels as well as negotiated return in hardware.

Hope that helps,

Dan

dkrupanext Tue, 03/31/2009 - 00:38

Hi,

Thanks Dan.

I'm confused because I cannot move outgoing traffic from the tunnel :(

Do you think that if I completely remove service 62 it will be OK? I noticed that for optimization it's enough if there is only the 61 service, but I do not know if it's acceptable in general.

On an IOS based platform it's working OK on tunnels :)

Regarding egress-method: earlier I configured L2 return, but with the traffic cut off I removed this - maybe it wasn't the problem :)

Correct Answer
dstolt Tue, 03/31/2009 - 06:59

You need to intercept in both directions (61 and 62) for full optimization to work. You also need service 62 working for tcp-promiscuous to function with the WAE. I would recommend either moving interception further into the infrastructure (towards the local hosts), terminating the tunnel on a different box upstream towards the WAN, or looking at inline or other interception methods outside the tunnel. Your software based routers can do interception successfully on tunnels, as you have found out, but the 6500 cannot do it on the hardware ASICs yet, maybe in the next generation SUP.

For best practices on egress method on the 6500, you should not use negotiated return, but Generic GRE with a GRE tunnel between the WAE and the router per the last posting. The 6500 hardware doesn't support L2 return or Negotiated return yet, so either just use the default (IP forwarding) or Generic GRE.

Hope that helps,

Dan
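
A small configuration check for the points raised in this thread (WCCP redirection applied on a tunnel interface, negotiated-return egress on the WAE, and both services 61 and 62 being applied), as an added example that is not part of the original discussion. The sample configs are constructed, not the poster's attachments, and the function names are hypothetical.

```python
import re

# Constructed sample configs for illustration only.
ROUTER_CFG = """\
interface Vlan10
 ip wccp 61 redirect in
!
interface Tunnel1
 ip wccp 62 redirect in
!
"""
WAE_CFG = "egress-method negotiated-return intercept-method wccp\n"

IFACE = re.compile(r"^int(?:erface)?\s+(.+)$", re.I)
REDIRECT = re.compile(r"^ip wccp (\d+) redirect (in|out)\b", re.I)
EGRESS = re.compile(r"^egress-method (\S+) intercept-method wccp\b", re.I)


def audit_router(cfg):
    """Return findings for a Catalyst 6500 config, per the thread's advice."""
    findings, services, iface = [], set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "!":              # section separator: leave interface context
            iface = None
            continue
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = REDIRECT.match(line)     # "redirect-list" lines do not match
        if m and iface:
            services.add(m.group(1))
            if iface.lower().startswith("tun"):
                findings.append(
                    f"{iface}: ip wccp {m.group(1)} redirect {m.group(2)} "
                    "on a tunnel interface")
    for svc in ("61", "62"):         # both directions are needed
        if svc not in services:
            findings.append(f"service {svc} is not applied to any interface")
    return findings


def audit_wae(cfg):
    """Flag the negotiated-return egress method named in the thread."""
    hits = (EGRESS.match(line.strip()) for line in cfg.splitlines())
    return [f"egress-method {m.group(1)} used with a 6500"
            for m in hits if m and m.group(1).lower() == "negotiated-return"]
```
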
