WCCP was initially designed as a component of Cisco IOS Software whose purpose was to intercept HTTP traffic traversing a router and redirect that traffic to a local cache with the aim of reducing access times to websites and conserving wide area link upstream bandwidth. With the introduction of WCCPv2, the scope of the protocol widened to include traffic types other than HTTP, allowing the protocol to be used as a more general interception mechanism. In WCCPv2 clients specify the nature of the traffic to be intercepted and forwarded to external devices, which are then in a position to provide services, based upon the traffic type, such as WAN optimization and application acceleration.
The assignment method determines how traffic will be distributed among multiple WCCP clients in a given service group. There are two assignment methods available, hash-based and mask-based. The assignment method chosen for a given service-group is negotiated between the router and the WCCP clients.
There are two primary recommendations for the assignment method on a Cisco Catalyst 6500:
• Use mask assignment.
The combination of an ingress traffic intercept method with mask-based assignment provides a full hardware-based traffic assignment method. Traffic is filtered for WCCP redirection using an Access Control List. The WCCP mask value is then applied to the redirect ACL to create entries in the Cisco Catalyst 6500 ACL TCAM.
• Minimize the number of mask bits when using WCCP redirect ACL.
The Cisco Catalyst 6500 has a finite number of ACL TCAM entries (Table 2). If the TCAM resources are exceeded, the Cisco Catalyst 6500 will revert to software-based forwarding for any traffic that meets the ACL criteria.
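The sketch below is an added example, not Cisco code. It models the two recommendations above: how a mask splits flows into buckets across WCCP clients, and how each additional mask bit doubles the TCAM footprint of the redirect ACL. The one-entry-per-ACL-line-per-mask-value model, the 7-bit limit, the client names, the masks and the TCAM budget are assumptions chosen for illustration.

```python
from itertools import product
from typing import Optional

MAX_MASK_BITS = 7  # assumption: WCCPv2 mask sets are limited to 7 bits in total

def mask_values(mask: int) -> list:
    """Every value reachable under `mask`: 2**n values for n set bits."""
    bits = [1 << i for i in range(32) if mask & (1 << i)]
    return sorted(sum(b for b, on in zip(bits, combo) if on)
                  for combo in product((0, 1), repeat=len(bits)))

def assign_buckets(mask: int, clients: list) -> dict:
    """Spread the mask values (buckets) round-robin over the WCCP clients."""
    return {v: clients[i % len(clients)] for i, v in enumerate(mask_values(mask))}

def client_for(src_ip: str, mask: int, table: dict) -> str:
    """Pick the client for a flow by ANDing its source address with the mask."""
    a, b, c, d = (int(o) for o in src_ip.split("."))
    return table[((a << 24) | (b << 16) | (c << 8) | d) & mask]

def tcam_entries(mask: int, redirect_acl_lines: int) -> int:
    """Assumed model: each redirect ACL line is replicated once per mask value."""
    return redirect_acl_lines * len(mask_values(mask))

def widest_mask(redirect_acl_lines: int, tcam_budget: int) -> Optional[int]:
    """Largest mask-bit count whose expansion still fits the TCAM budget."""
    fits = [n for n in range(MAX_MASK_BITS + 1)
            if redirect_acl_lines * 2 ** n <= tcam_budget]
    return max(fits) if fits else None

if __name__ == "__main__":
    table = assign_buckets(0x03, ["wae1", "wae2"])   # constructed client names
    print(client_for("10.0.0.6", 0x03, table))
    for mask in (0x03, 0x0F, 0x7F):                  # constructed masks
        print(hex(mask), tcam_entries(mask, 10))     # 10-line redirect ACL
    print(widest_mask(10, 500))                      # constructed TCAM budget
```
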
Some WCCP clients, such as a Cisco WAE, use the terminology egress method to describe traffic that has been successfully serviced by the WAE. The WCCP client may support a number of different egress transport method options including:
• IP Forward: Traffic is simply sent back using the original source and destination IP addresses. The Cisco Catalyst 6500 supports this method in hardware.
• WCCP GRE: Traffic is sent back to the WCCP server encapsulated within a WCCP and a GRE header similar to the WCCP GRE return traffic method. Again, the Cisco Catalyst 6500 supports this transport method in software only.
• Generic GRE: Traffic is sent back using a GRE header only. The Cisco Catalyst 6500 supports this method in hardware. The generic GRE egress method is supported only when the WCCP GRE interception method is used.
WCCP Client Connect
The following best practices are recommended for connecting a WCCP client to WCCP server:
• For a single WCCP server (router) to a single WCCP client configuration, use an EtherChannel if it is supported by the client.
• For a pair of redundant WCCP servers with an SVI between them, connect the WCCP clients using standby NIC teaming for N+1 availability. Implement Multigroup Hot Standby Redundancy Protocol on the WAE client subnet to load balance WAE IP forwarded return traffic.
• For a pair of redundant WCCP servers with a routed link between them, connect the WCCP clients using etherchannel for N:N availability.
• For Layer 2 redirect configurations use a dedicated subnet for WCCP clients.
WCCP Operational Best Practices
The following operational best practices are recommended when configuring or modifying WCCP.
Router Initial Configuration
1. Create WCCP redirect ACL
2. Configure global IP WCCP # redirect-list
3. Enable WCCP service IDs with redirect-list ACL
For changes made to an existing configuration:
• Global service group configuration changes
1. Unregister all affected WCCP clients with no WCCP version 2
1. Disable WCCP on all the WAEs. By default WCCP will wait for 180 seconds for the existing TCP sessions to close by the end hosts.
2. Disable WCCP globally using 'no ip wccp 61/62' on all the routers that are part of the WCCP farm.
3. Remove the failed WAE from the network.
4. Add the new WAE and enable WCCP version 2 on all WAEs in the WCCP farm.
5. After all WAEs are enabled for WCCP, enable WCCP globally for the WCCP service groups (61 and 62 for WAAS).
Issue the command "show ip wccp" and check for the following.
On platforms that use software-based redirection, verify that the Total Packets s/w Redirected counters are incrementing in the above command output. On platforms that use hardware-based redirection, these counters should not be incrementing much. If you see these counters increment significantly on a hardware-based platform, WCCP could be misconfigured on the router (WCCP GRE is processed in software by default), or the router could be falling back to software redirection because of hardware resource issues such as running out of TCAM resources. These counters incrementing on a hardware-based platform can lead to high CPU usage, so more investigation is required when you see it.
The Total Packets Denied Redirect counter increments for packets that match the service group but do not match the redirect list.
The Total Authentication failures counter increments for packets that are received with the incorrect service group password.
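The counter checks described above can be automated by comparing two captures of "show ip wccp" taken some time apart. The script below is an added example, not a Cisco tool: the two snapshots are constructed, reduced to the three counters discussed here, and the `sw_limit` threshold is an assumed value to tune per site.

```python
import re

# Constructed snapshots in the layout of "show ip wccp" output; all values are made up.
T0 = """\
Service Identifier: 61
    Total Packets s/w Redirected:        120
    Total Packets Denied Redirect:       40
    Total Authentication failures:       0
Service Identifier: 62
    Total Packets s/w Redirected:        95
    Total Packets Denied Redirect:       10
    Total Authentication failures:       0
"""
T1 = """\
Service Identifier: 61
    Total Packets s/w Redirected:        250120
    Total Packets Denied Redirect:       45
    Total Authentication failures:       0
Service Identifier: 62
    Total Packets s/w Redirected:        97
    Total Packets Denied Redirect:       10
    Total Authentication failures:       12
"""
SW, DENIED, AUTH = ("Total Packets s/w Redirected",
                    "Total Packets Denied Redirect",
                    "Total Authentication failures")

def parse_counters(text):
    """Return {service_id: {counter_name: value}} for the three counters above."""
    services, current = {}, None
    for line in text.splitlines():
        svc = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        if svc:
            current = services.setdefault(svc.group(1), {})
            continue
        m = re.match(r"\s*(.+?):\s+(\d+)\s*$", line)
        if m and current is not None and m.group(1) in (SW, DENIED, AUTH):
            current[m.group(1)] = int(m.group(2))
    return services

def review(before, after, hardware_platform=True, sw_limit=1000):
    """Compare two snapshots; sw_limit is an assumed threshold, not a Cisco value."""
    old, new, alerts = parse_counters(before), parse_counters(after), []
    for svc, now in new.items():
        delta = {k: v - old.get(svc, {}).get(k, 0) for k, v in now.items()}
        if hardware_platform and delta.get(SW, 0) > sw_limit:
            alerts.append((svc, "sw-redirect-on-hw-platform", delta[SW]))
        if delta.get(AUTH, 0) > 0:  # wrong service group password seen
            alerts.append((svc, "auth-failures", delta[AUTH]))
    return alerts

if __name__ == "__main__":
    for alert in review(T0, T1):
        print(alert)
```
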