
Using multiple WCCP service groups and redirect-lists on the 6500 (ingress for all).

eidumsigfrid
Level 1

Hi,

I have a query regarding using multiple WCCP redirect lists on the 6500 chassis (Sup720-10G) running IOS 12.2(33).

  • The customer currently has WCCP 61 and 62 applied on ingress for WAN/LAN interfaces to redirect traffic to WAAS appliances.
  • The WAN/LAN interfaces both have a redirect ACL applied denying certain traffic from redirection.
  • There is a requirement to add another WCCP service group on the same interfaces in order to redirect a specific application to a different set of accelerators (specifically Citrix).
  • I have to use ingress for both otherwise it will be processed in software.
  • The new WCCP service group also needs to have a redirect ACL applied.

How does the 6500 handle the processing of the ACLs when both service groups are assigned to the same interface in the same direction?

Will both redirect ACLs be processed accordingly?

Or will the 6500 dump traffic if it hits a "deny any any" statement in the first ACL before processing the second ACL where the permit statement will be?

4 Replies

Matt Rudkowski
Level 1

Did you ever receive a response on this?

Kind Regards,
MTR

Hi MTR,

I raised a TAC case and the TAC engineer decided to lab it before giving an answer.

Based on some internal documentation and the lab, the 6500 will process each WCCP service in numerical order (lowest first, e.g. 51) and will stop at the first ACL match.

As long as the ACLs are in the right order and do not overlap it works without issues.


The TAC tested both L2 and GRE redirection with no issues.

Cheers,

Zig

The reason is that ISRs, unlike the 6500, have a command "ip wccp check service all", which means: process all WCCP service groups on the interfaces on the basis of priority until a match is found. However, with 6500/switching platforms, this command is not available, but the behavior is enabled by default. The 6500 does not consider the group priority but looks at the group number instead: the lowest-numbered service group is considered first.

CSCO11598534
Level 1

A question is raised for both cases (ISR -> Priority or Cat6500 -> Group Number):

Even if we manipulate Priority/Group number in a way that we "reorder" the ACLs to be checked, won't the implicit "deny ip any any" of the first ACL in order match ALL traffic? How will the checking continue to the other ACL?

Unless this implicit deny in WCCP config is not considered a "match". Or even better, no kind of "deny" line is taken as a "match".

Any thoughts please?
