Difference between WCCP v2 or L4 SWITCH

Unanswered Question
Jul 12th, 2010

I have to install an IronPort S660 on a client and was checking what would be the best implementation. I'm going to install in Transparent Mode and I would like to know the difference between WCCP v2 or L4 SWITCH.

I hope you can help me.

Best Regards,

Jaime.

ana.peric Tue, 07/13/2010 - 00:35

Hi,

I hope my answer does not come too late for you...

1. L4 switch in IronPort terminology represents any network device that can differentiate web traffic from traffic flow, based on L4 packet information (IP and port) and redirect it to the WSA-s.

     L4 switch in practice would be policy based routing...

     In this design you can even achieve redundancy in your deployments, but in practice, use of PBR can be a little bit harder to control...

2. WCCP (Web Cache Communication protocol) is Cisco's proprietary protocol that was developed in order to achieve transparent redirection of web traffic towards web proxies (cache engines), and speed up web service using caching mechanism...

WCCP is supported by Cisco routers and ASA (with some limitations)...

Depending on your network design, you could deploy any of the transparent redirection models.

With WCCP you can provide web traffic load balancing functionalities in multi-web cache scenario.

WCCP works just fine with routers from my experience...

Depending on the router you are going to use for redirection, it can be done either in hardware (L2 redirection with MAC address rewrite - supported on 7600 for instance), or using GRE tunnels (in software)... But in most of the cases, you do not have to worry how WCCP redirection is actually performed, because WCCP between cache engines (IronPorts) and WCCP routers will do all the negotiation for you...

I hope I helped... Someone

Best Regards,

Ana

Jaime Soto Vale... Wed, 07/14/2010 - 07:12

Hi Ana,

Thanks for your response, you have helped me clarify my doubts.

I think I will use WCCP for implementation. I will install the IronPort connected to a Catalyst 6509 and the scenario I attached. My idea is to install the IronPort before Exinda. Any ideas?

Thanks and regards.

Jaime.

ana.peric Wed, 07/14/2010 - 23:11

Hi Jaime,

Ok. You are deploying Exinda in transparent L2 bridge mode, and you are performing VLAN translation as I can see from your picture...

I suppose your customers come from Gi 5/1 interface...

I see a potential problem here, because you configure wccp redirection on int VLAN, and as I can see it, you terminate vlans logically "after" Exinda...

So traffic is first forwarded through Exinda, and then redirected... Hm... I'll have to think about it...

Is vlan 215 the only vlan going through Exinda ?

You are terminating vlan 215 traffic on int vlan 216 interface, am I right ?

Wccp can be set like this (but as I'm concerned, as I mentioned you'll perform wan opt before wccp redirection).

This is the main idea and configuration you need...

Create new int vlan that is going to be dedicated to WSA cluster...

Let us presume you'll use vlan id X for this.

Connect and address your WSA (or WSA cluster) to 6509.

6509 can perform wccp in hardware (using L2 forwarding method), so I suggest you use L2 wccp mode because it is faster and less CPU consuming, since IronPort WSA are connected directly to the 6509. Depending on IOS and SUP you are using, I must mention that you will probably have to use GRE as return method (not L2), because there are a few known caveats with L2 redirection (ie. CSCsl04908 or CSCsl65335 or...).

Also PFC3 will provide GRE acceleration in hardware (SUP720 and SXF)...

If L2 mode is not working, and you have problems with bringing up wccp, try to enforce GRE as forward and return method on WSA...

Enable and configure WCCPv2 on 6509:

    ip wccp ver 2
    ip wccp redirect-list REDIRECT_LIST_NAME

Redirect list will allow you to control what kind of traffic and for which clients will be redirected via wccp to WSAs.

ip access-list ext REDIRECT_LIST_NAME

... put here inside network ranges that should be redirected to WSA (for example 192.168.2.0 0.0.0.255 eq www and 192.168.2.0 0.0.0.255 443)

On selected incoming interface vlans set wccp redirection:

For int VLAN 110, you'll use:

    int vlan 110
     ip wccp redirect in

Of course, perform this on any int vlan you'd like to redirect traffic to WSA...

On WSA:

Network->Transparent redirection

create new profile.

Configure group id value "", and ports that should be redirected (up to 8 - ie 80, 443, 8080 etc...).

You can set wccp forwarding or return method on advanced link on wccp config page.

First go with (L2 or GRE forward method), to see what will be negotiated on 6509 side (just in case)... Later you can set L2 fw method or gre - it is up to you... Or you do not have to change the config...

That would be it for now...

Jaime Soto Vale... Thu, 07/15/2010 - 14:10

Hi Ana,

Thanks for your answer, very complete and clear. The problem is that I was reviewing and in the IOS version installed there are several bugs that would prevent me implementing WCCP.

The other option would be to implement Explicit Forward Mode. In this mode I should put the IronPort in the 6509 in a new network and then configure the web client to Proxy (IronPort). Am I right?

Regarding WCCP, if I want to redirect various VLAN interfaces, do I have to configure one group per VLAN interface? For example:

    int vlan 110
     ip wccp redirect in

    int vlan 120
     ip wccp redirect in

    int vlan 130
     ip wccp redirect in

Regards,

Jaime

ana.peric Thu, 07/15/2010 - 14:41

Hi,

On all L3 interfaces from where your web clients are coming, you should configure wccp redirection.

You use the same WCCP id, and just configure redirection for each int vlan facing your clients...

So you are right:

    int vlan X
     ip wccp 91 redirect in

and if you want it on int vlan Y, you must also put:

    int vlan Y
     ip wccp 91 redirect in

It's really a copy-paste thing.

I hope you'll manage to make it work with appropriate IOS...

Anyhow, I think if L2 does not work on your IOS, first try GRE, and then consult Cisco Bug toolkit, and maybe upgrade IOS ver...

Hope I helped.

BR,

Ana
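
The rule from the answer above (one WCCP service ID, with `ip wccp <id> redirect in` on every client-facing interface VLAN) can be checked against a saved configuration. This is an added example, not part of the original thread or any Cisco tool; `audit_wccp`, the sample configuration and the Vlan130 address are constructed for illustration, and the input is assumed to be in `show running-config` form.

```python
import re

# Constructed sample in "show running-config" form. VLANs 110/120/130 and
# service ID 91 come from the thread; the mistakes on Vlan120/Vlan130 are made up.
SAMPLE_CONFIG = """\
ip wccp version 2
ip wccp 91 redirect-list REDIRECT_LIST_NAME
!
ip access-list extended REDIRECT_LIST_NAME
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit tcp 192.168.2.0 0.0.0.255 any eq 443
!
interface Vlan110
 ip wccp 91 redirect in
!
interface Vlan120
 ip wccp 90 redirect in
!
interface Vlan130
 ip address 192.168.3.1 255.255.255.0
"""

def audit_wccp(config, client_vlans):
    """Return a sorted list of findings about WCCP redirection coverage."""
    services, acls, per_if, current = {}, set(), {}, None
    for line in config.splitlines():
        # Global service definition, with or without a redirect-list.
        if m := re.match(r"ip wccp (\d+|web-cache)(?: redirect-list (\S+))?", line):
            services[m.group(1)] = m.group(2)
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current and (m := re.match(r" ip wccp (\S+) redirect in", line)):
            per_if.setdefault(current, set()).add(m.group(1))
    findings = []
    for svc, acl in services.items():
        if acl and acl not in acls:
            findings.append(f"service {svc}: redirect-list {acl} is not defined")
    for vlan in client_vlans:
        ids = per_if.get(f"Vlan{vlan}", set())
        if not ids:
            findings.append(f"Vlan{vlan}: no 'ip wccp <id> redirect in', web traffic bypasses the WSA")
        for svc in ids - set(services):
            findings.append(f"Vlan{vlan}: service {svc} is not enabled globally")
    return sorted(findings)
```

Calling `audit_wccp(SAMPLE_CONFIG, [110, 120, 130])` flags Vlan120 for using a service ID that is not enabled globally and Vlan130 for having no redirection at all.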
