The Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing technology that intercepts IP packets and redirects those packets to a destination other than that specified in the IP packet. Typically the packets are redirected from their destination web server on the Internet to a content engine that is local to the client. In some WCCP deployment scenarios, redirection of traffic may also be required from the web server to the client. WCCP enables you to integrate content engines into your network infrastructure.
Cisco IOS Release 12.1 and later releases allow the use of either WCCP Version 1 (WCCPv1) or Version 2 (WCCPv2).
The tasks in this document assume that you have already configured content engines on your network. For specific information on hardware and network planning associated with Cisco Content Engines and WCCP, see the Cisco Content Engines documentation at the following URL:
Your software release
may not support all the features documented in this module. For the latest
caveats and feature information, see
Bug Search Tool and the
release notes for your platform and software release. To find information about
the features documented in this module, and to see a list of the releases in
which each feature is supported, see the feature information table.
Use Cisco Feature
Navigator to find information about platform support and Cisco software image
support. To access Cisco Feature Navigator, go to
An account on Cisco.com is not required.
Prerequisites for WCCP Version 2
IP must be configured on the interface connected to the Internet and another interface must be connected to the content engine.
The interface connected to the content engine must be a Fast Ethernet or Gigabit Ethernet interface.
Only Catalyst 6500 series switches with a PFC4 support the following hardware capabilities:
WCCP generic routing encapsulation (GRE) decapsulation in hardware
WCCP egress mask assignment in hardware
WCCP exclude capability in hardware
Restrictions for WCCP Version 2
The following limitations apply to WCCPv2:
WCCP works only with IPv4 networks.
WCCP bypasses Network Address Translation (NAT) when Cisco Express Forwarding is enabled.
WCCP works only with IPv4 networks.
For routers servicing a multicast cluster, the Time To Live (TTL) value must be set at 15 or fewer.
Service groups can comprise up to 32 content engines and 32 routers.
All content engines in a cluster must be configured to communicate with all routers servicing the cluster.
Multicast addresses must be from 126.96.36.199 to 188.8.131.52.
Cisco Catalyst 4500 Series Switches
Up to eight service groups are supported at the same time on the same client interface.
The Layer 2 (L2) rewrite forwarding method is supported, but generic routing encapsulation (GRE) is not.
Direct L2 connectivity to content engines is required; Layer 3 (L3) connectivity of one or more hops away is not supported.
Ternary content addressable memory (TCAM)-friendly mask-based assignment is supported, but the hash bucket-based method is not.
Redirect access control list (ACL) for WCCP on a client interface is not supported.
Incoming traffic redirection on an interface is supported, but outgoing traffic redirection is not.
When TCAM space is exhausted, traffic is not redirected; it is forwarded normally.
The WCCP version 2 standard allows for support of up to 256 distinct masks. However, a Catalyst 4500 series switch supports only mask assignment tables with a single mask.
Cisco Catalyst 6500 Series Switches
The following limitation apply to Cisco Catalyst 6500 series switches:
With a Policy Feature Card 2 (PFC2), Cisco IOS Release 12.2(17d)SXB and later releases support WCCP.
With a PFC3, Cisco IOS Release 12.2(18)SXD1 and later releases support WCCP.
With a PFC4, Cisco IOS Release 12.2(50)SY and later releases support WCCP and introduce support for WCCP GRE decapsulation, WCCP mask assignment, and WCCP exclude capability in hardware.
To use the WCCP Layer 2 PFC redirection feature, configure WCCP on the Catalyst 6500 series switch and configure accelerated WCCP on the cache engine as described in the
Cisco Application and Content Networking System (ACNS) software releases later than Release 4.2.2 support WCCP Layer 2 Policy Feature Card (PFC) redirection hardware acceleration.
A content engine configured for mask assignment that tries to join a farm where the selected assignment method is hash remains out of the farm as long as the cache engine assignment method does not match that of the existing farm.
When WCCP Layer 2 PFC redirection is the forwarding method for a service group, the packet counters in the
showipwccpservice-number command output display flow counts instead of packet counts.
Catalyst 6500 Series Switches and Cisco 7600 Series Routers Access Control Lists
When WCCP is using mask assignment, any redirect list is merged with the mask information from the appliance and the resulting merged ACL is passed down to the Catalyst 6500 series switch or Cisco 7600 series router hardware. Only Permit or Deny ACL entries from the redirect list in which the protocol is IP or exactly matches the service group protocol are merged with the mask information from the appliance.
The following restrictions apply to the redirect-list ACL:
The ACL must be an IPv4 simple or extended ACL.
Only individual source or destination port numbers may be specified; port ranges cannot be specified.
The only valid matching criteria in addition to individual source or destination port numbers are
The use of
options keywords, or any TCP flags is not permitted.
If the redirect ACL does not meet the restrictions shown, the system will log the following error message:
WCCP-3-BADACE: Service <service group>, invalid access-list entry (seq:<sequence>, reason:<reason>)
WCCP continues to redirect packets, but the redirection is carried out in software (NetFlow Switching) until the access list is adjusted.
WCCP uses Cisco Content Engines (or other content engines running WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. Traffic localization reduces transmission costs and download time.
routing platforms to transparently redirect content requests. The main benefit of transparent redirection is that users need not configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and have their requests automatically redirected to a content engine. The word "transparent" in this case means that the end user does not know that a requested file (such as a web page) came from the content engine instead of from the originally specified server.
A content engine receiving a request attempts to service it from its own local cache. If the requested information is not present, the content engine issues its own request to the originally targeted server to get the required information. A content engine retrieving the requested information forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download performance and substantially reducing transmission costs.
WCCP enables a series of content engines, called a content engine cluster, to provide content to a router or multiple routers. Network administrators can easily scale their content engines to manage heavy traffic loads through these clustering capabilities. Cisco clustering technology enables each cluster member to work in parallel, resulting in linear scalability. Clustering content engines greatly improves the scalability, redundancy, and availability of your caching solution. You can cluster up to 32 content engines to scale to your desired capacity.
The WCCP Version 2 feature provides several enhancements and features to the WCCP protocol, including:
The ability of multiple routers to service a content engine cluster.
Redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic.
Optional authentication that enables you to control which routers and content engines become part of the service group using passwords and the HMAC MD5 standard.
A check on packets that determines which requests have been returned from the content engine unserviced.
Load adjustments for individual content engines to provide an effective use of the available resources while helping to ensure high quality of service (QoS) to the clients.
Multiple routers can use WCCPv2 to service a content engine cluster. In WCCPv1, only one router could redirect content requests to a cluster. The figure below illustrates a sample configuration using multiple routers.
Figure 1. Cisco Content Engine Network Configuration Using WCCPv2
The subset of content engines within a cluster and routers connected to the cluster that are running the same service is known as a service group. Available services include TCP and UDP redirection.
In WCCPv1, the content engines were configured with the address of the single router. WCCPv2 requires that each content engine be aware of all the routers in the service group. To specify the addresses of all the routers in a service group, you must choose one of the following methods:
Unicast—A list of router addresses for each of the routers in the group is configured on each content engine. In this case the address of each router in the group must be explicitly specified for each content engine during configuration.
Multicast—A single multicast address is configured on each content engine. In the multicast address method, the content engine sends a single-address notification that provides coverage for all routers in the service group. For example, a content engine could indicate that packets should be sent to a multicast address of 184.108.40.206, which would send a multicast packet to all routers in the service group configured for group listening using WCCP (see the
ipwccpgroup-listen or the
ipv6wccpgroup-listen interface configuration command for details).
The multicast option is easier to configure because you need only specify a single address on each content engine. This option also allows you to add and remove routers from a service group dynamically, without needing to reconfigure the content engines with a different list of addresses each time.
The following sequence of events details how WCCPv2 configuration works:
Each content engine is configured with a list of routers.
Each content engine announces its presence and a list of all routers with which it has established communications. The routers reply with their view (list) of content engines in the group.
When the view is consistent across all content engines in the cluster, one content engine is designated as the lead and sets the policy that the routers need to deploy in redirecting packets.
WCCPv2 Support for Services
Other Than HTTP
redirection of traffic other than HTTP (TCP port 80 traffic), including a
variety of UDP and TCP traffic. WCCPv2 supports the redirection of packets
intended for other ports, including those used for proxy-web cache handling,
File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports
other than 80, and Real Audio, video, and telephony applications.
To accommodate the
various types of services available, WCCPv2 introduced the concept of multiple
groups. Service information is specified in the WCCP configuration commands
using dynamic services identification numbers (such as 98) or a predefined
service keyword (such as
This information is used to validate that service group members are all using
or providing the same service.
The content engines
in a service group specify traffic to be redirected by protocol (TCP or UDP)
and up to eight source or destination ports. Each service group has a priority
status assigned to it. The priority of a dynamic service is assigned by the
content engine. The priority value is in the range of 0 to 255 where 0 is the
lowest priority. The predefined web-cache service has an assigned priority of
WCCPv2 Support for Multiple Routers
WCCPv2 allows multiple routers to be attached to a cluster of cache engines. The use of multiple routers in a service group allows for redundancy, interface aggregation, and distribution of the redirection load. WCCPv2 supports up to 32 routers per service group. Each service group is established and maintained independently.
WCCPv2 MD5 Security
WCCPv2 provides optional authentication that enables you to control which routers and content engines become part of the service group using passwords and the Hashed Message Authentication Code—Message Digest (HMAC MD5) standard. Shared-secret MD5 one-time authentication (set using the
ipwccp [password [0 |
password] global configuration command) enables messages to be protected against interception, inspection, and replay.
WCCPv2 Web Cache Packet Return
If a content engine is unable to provide a requested object it has cached due to error or overload, the content engine will return the request to the router for onward transmission to the originally specified destination server. WCCPv2 provides a check on packets that determines which requests have been returned from the content engine unserviced. Using this information, the router can then forward the request to the originally targeted server (rather than attempting to resend the request to the content engine cluster). This process provides error handling transparency to clients.
Typical reasons why a content engine would reject packets and initiate the packet return feature include the following:
Instances when the content engine is overloaded and has no room to service the packets
Instances when the content engine is filtering for certain conditions that make caching packets counterproductive (for example, when IP authentication has been turned on)
WCCPv2 Load Distribution
WCCPv2 can be used to adjust the load being offered to individual content engines to provide an effective use of the available resources while helping to ensure high quality of service (QoS) to the clients. WCCPv2 allows the designated content engine to adjust the load on a particular content engine and balance the load across the content engines in a cluster. WCCPv2 uses three techniques to perform load distribution:
Hot spot handling—Allows an individual hash bucket to be distributed across all the content engines. Prior to WCCPv2, information from one hash bucket could go to only one content engine.
Load balancing—Allows the set of hash buckets assigned to a content engine to be adjusted so that the load can be shifted from an overwhelmed content engine to other members that have available capacity.
Load shedding—Enables the router to selectively redirect the load to avoid exceeding the capacity of a content engine.
The use of these hashing parameters prevents one content engine from being overloaded and reduces the potential for bottlenecking.
WCCP Troubleshooting Tips
CPU usage may be very high when WCCP is enabled. The WCCP counters enable a determination of the bypass traffic directly on the router and can indicate whether the cause is high CPU usage due to enablement of WCCP. In some situations, 10 percent bypass traffic may be normal; in other situations, 10 percent may be high. However, any figure above 25 percent should prompt a closer investigation of what is occurring in the web cache.
If the counters suggest that the level of bypass traffic is high, the next step is to examine the bypass counters in the content engine and determine why the content engine is choosing to bypass the traffic. You can log in to the content engine console and use the CLI to investigate further. The counters allow you to determine the percent of traffic being bypassed.
You can use the
command to remove the IPv6 WCCP statistics (counts) maintained on the router for a particular service.
You can use the
clearwccp command to remove all (IPv4 and IPv6) WCCP statistics (counts) maintained on the router for a particular service.
You can use the
showipv6 wccp command to display the IPv6 WCCP global statistics (counts).
You can use the
showwccp command to display all (IPv4 and IPv6) WCCP global statistics (counts).
Until you configure
a WCCP service using the
global configuration command, WCCP is disabled on the device. The first use of
a form of the
ipwccp command enables WCCP. By default WCCPv2 is
used for services, but you can use WCCPv1 functionality instead. To change the
running version of WCCP from Version 2 to Version 1, or to return to WCCPv2
after an initial change, use the
ipwccpversion command in global configuration mode.
If a function is
not allowed in WCCPv1, an error prompt will be printed to the screen. For
example, if WCCPv1 is running on the device and you try to configure a dynamic
service, the following message will be displayed: “WCCP V1 only supports the
web-cache service.” The
showipwccp EXEC command will display the WCCP protocol
version number that is running on your device.
ipwccpweb-cachepassword command to set a password for a device
and the content engines in a service group. MD5 password security requires that
each device and content engine that wants to join a service group be configured
with the service group password. The password must be up to eight characters in
length. Each content engine or device in the service group will authenticate
the security component in a received WCCP packet immediately after validating
the WCCP message header. Packets failing authentication will be discarded.
web-cache or dynamic service to enable on a device, specifies a VRF-name to
associate with the service group, specifies the IP multicast address used by
the service group, specifies any access lists to use, specifies whether to use
MD5 authentication, and enables the WCCP service.
password length must not exceed 8 characters.
Device(config)# interface Gigabitethernet 0/0
interface number for which the web cache service will run, and enters interface
information related to WCCP, including the protocol version running, the number
of content engines in the router service group, which content engine group is
allowed to connect to the router, and which access list is being used.
vrfvrf-name—(Optional) Virtual routing and forwarding
(VRF) instance associated with a service group.
service-number—(Optional) Dynamic number of the
web-cache service group being controlled by the content engine. The range is
from 0 to 99. For web caches that use Cisco Content Engines, the reverse proxy
service is indicated by a value of 99.
web-cache—(Optional) statistics for the web-cache
detail—(Optional) other members of a particular
service group or web cache that have or have not been detected.
view—(Optional) information about a router or all
Device# show ip interface
about whether any
ipwccpredirection commands are configured on an
interface; for example, “Web Cache Redirect is enabled / disabled.”
Device# more system:running-config
Displays contents of the running configuration file (equivalent to the
example shows how to change the WCCP version from the default of WCCPv2 to
WCCPv1, and enabling the web-cache service in WCCPv1:
Device# show ip wccp
% WCCP version 2 is not enabled
Device# configure terminal
Device(config)# ip wccp version 1
Device# show ip wccp
% WCCP version 1 is not enabled
Device# configure terminal
Device(config)# ip wccp web-cache
Device# show ip wccp
Global WCCP information:
Router Identifier: 10.4.9.8
Protocol Version: 1.0
Example: Configuring a
General WCCPv2 Session
Device# configure terminal
Device(config)# ip wccp web-cache group-address 220.127.116.11 password password
Device(config)# ip wccp source-interface GigabitEthernet 0/1/0
Device(config)# ip wccp check services all
! Configures a check of all WCCP services.
Device(config)# interface GigabitEthernet 0/1/0
Device(config-if)# ip wccp web-cache redirect in
Device(config)# interface GigabitEthernet 0/2/0
Device(config-if)# ip wccp redirect exclude in
No new or modified RFCs are supported, and support for existing RFCs has not been modified.
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
The following table
provides release information about the feature or features described in this
module. This table lists only the software release that introduced support for
a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform
support and Cisco software image support. To access Cisco Feature Navigator, go
An account on Cisco.com is not required.
Table 1 Feature Information for WCCP
Cisco IOS XE Release 3.3SE
Version 2 feature provides several enhancements and features to the WCCP
ability of multiple routers to service a content engine cluster.
Redirection of traffic other than HTTP (TCP port 80 traffic), including a
variety of UDP and TCP traffic.
Optional authentication that enables you to control which routers and content
engines become part of the service group using passwords and the HMAC MD5
on packets that determines which requests have been returned from the content
adjustments for individual content engines to provide an effective use of the
available resources while helping to ensure high quality of service (QoS) to
following commands were introduced or modified by this feature:
In Cisco IOS XE Release 3.3SE, this feature is supported on
Cisco Catalyst 3850 Series Switches.