Cisco Wide Area Application Services Configuration Guide (Software Version 4.0.7)
Configuring Traffic Interception
Download this chapter
Configuring Traffic InterceptionConfiguring Traffic Interception
Download the complete book
Cisco Wide Area Application Services Configuration Guide Book-Length PDFCisco Wide Area Application Services Configuration Guide Book-Length PDF (PDF - 9 MB)
give_us_feedback

Table Of Contents

Configuring Traffic Interception

About Request Redirection Methods

Request Redirection of All TCP Traffic

Using WCCP to Transparently Redirect TCP Traffic to WAEs

Guidelines for Configuring WCCP

Guidelines for File Server Access Methods

Configuring Advanced WCCP Features on a WCCP-Enabled Router

Configuring a Router to Support WCCP Service Groups

Configuring IP Access Lists on a Router

Setting a Service Group Password on a Router

Configuring a Loopback Interface on the Router

Centrally Managing WCCP Configurations for WAEs

About Load Balancing and WAEs

About Packet-Forwarding Methods

About WCCP Flow Redirection on WAEs

Viewing or Modifying the General WCCP Settings on WAEs

Viewing a List of Currently Configured WCCP Services for WAEs

Modifying the Current Settings of a WCCP Service for WAEs

Creating a WCCP Service Mask for an Existing WCCP Service

Modifying WCCP Service Masks for WAEs

Viewing a WCCP Router List Configuration for WAEs

Modifying the Configuration of WCCP Router Lists for WAEs

Deleting a WCCP Router List from WAEs

Defining Additional WCCP Router Lists on WAEs

Configuring WAEs for a Graceful Shutdown of WCCP

Configuring Static Bypass Lists for WAEs

Using Policy-Based Routing to Transparently Redirect All TCP Traffic to WAEs

Methods of Verifying PBR Next-Hop Availability

Using Inline Mode to Transparently Intercept TCP Traffic

Configuring Inline Interface Settings

Configuring VLANs for Inline Support

Clustering Inline WAEs

Request Redirection of CIFS Client Requests

Using Inline Mode to Transparently Redirect CIFS Client Requests

Using WCCP to Transparently Redirect CIFS Client Requests

Using Explicit Naming of Shares to Explicitly Intercept CIFS Client Requests

Using Microsoft DFS to Intercept CIFS Client Requests


Configuring Traffic Interception

This chapter describes the WAAS software support for intercepting all TCP traffic in an IP-based network, based on the IP and TCP header information, and redirecting them to wide area application engines (WAEs). This chapter focuses on the use of the Web Cache Communication Protocol (WCCP), policy-based routing (PBR), and inline mode for transparent redirection of traffic to WAEs.

Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances and WAE Network Modules (the NME-WAE family of devices).

This chapter assumes that you have completed a basic initial installation and configuration of your WAAS network, as described in the Cisco Wide Area Application Services Quick Configuration Guide. For detailed command syntax information for any of the CLI commands that are mentioned in this chapter, see the Cisco Wide Area Application Services Command Reference. For further information about WCCP, see the Cisco IOS Configuration Fundamentals Configuration Guide and the Cisco IOS Configuration Fundamentals Command Reference.

This chapter describes how to configure traffic interception in your WAAS network and contains the following sections:

About Request Redirection Methods

Request Redirection of All TCP Traffic

Request Redirection of CIFS Client Requests

About Request Redirection Methods

In a WAAS network, traffic between clients in the branch offices and the servers in the data center can be redirected to WAEs for optimization, redundancy elimination, and compression. Traffic is intercepted and redirected to WAEs based on policies that have been configured on the routers. The network elements that transparently redirect requests to a local WAE can be a router using WCCP version 2 or PBR to transparently redirect traffic to the local WAE or a Layer 4 to Layer 7 switch (for example, the Catalyst 6500 series Content Switching Module [CSM] or Application Control Engine [ACE]). Alternately, you can intercept traffic directly by using the inline mode with a WAE that has a Cisco WAE Inline Network Adapter.

In your WAAS network, traffic can be intercepted in these modes:

Transparent mode (WCCP or PBR)

For application traffic, there are no configuration changes required to the client or the client-server applications. In promiscuous WCCP mode, application traffic is transparently redirected by network elements to the local WAE.

Note The TCP promiscuous mode service (WCCP services 61 and 62) includes all protocols that use TCP as a transport, including the CIFS protocol. When you enable the TCP promiscuous mode service on the routers and the Edge and Core WAEs, CIFS traffic is redirected to the Cisco WAE because CIFS runs over TCP.

For CIFS traffic, the Edge WAEs will accelerate the traffic based on the system configuration and policy. The WAEs do not advertise the names of file servers while operating in transparent mode unless a file server is configured for the disconnected mode of operation and the network becomes disconnected. CIFS traffic between clients and file servers relies on the client's ability to reach the server natively (through directed IP traffic or name resolution). With TCP promiscuous mode, a router redirects CIFS traffic (on TCP ports 139 or 445) to a local WAE, where it is optimized based on the local policy on that WAE. The only name service provided by the Edge WAE in this mode is for local print services if local print services is configured.

Note An Edge WAE operates in only one of two modes: transparent (discussed above) or nontransparent (discussed below). This mode is configured on the WAE and applies to all file servers being accelerated by it. The configured mode is saved on the Central Manager and on the WAE.

Nontransparent (explicit) mode (WCCP Version 2 disabled; applicable only to CIFS traffic)

For CIFS traffic, the Edge WAE publishes a file server name on the branch office network. This published name cannot be identical to the origin file server name due to NetBIOS name conflicts. Client computers must map drives from accelerated file servers using the published name as presented by the Edge WAE. This is the default mode.

For application traffic (non-CIFS), some form of interception is required in order to optimize the traffic. WCCP, PBR, inline mode, or CSM/ACE redirection must be configured; otherwise, non-CIFS traffic is unable to be optimized by Cisco WAAS.

Inline mode

The WAE physically and transparently intercepts traffic between the clients and the router. To use this mode, you must use a WAE with the Cisco WAE Inline Network Adapter installed.

Table 4-1 summarizes the transparent traffic interception methods that are supported in your WAAS network.

Table 4-1 Supported Methods of Transparent Traffic Interception 

Method
Comment

WCCP Version 2

Used for transparent interception of application traffic and WAFS traffic. Used in branch offices and data centers to transparently redirect traffic to the local WAE. The traffic is transparently intercepted and redirected to the local WAE by a WCCP-enabled router or a Layer 3 switch.

You must configure WCCP on the router and Edge WAE in the branch office and the router and Core WAE in the data center. For more information, see the following sections:

Using WCCP to Transparently Redirect TCP Traffic to WAEs

Using WCCP to Transparently Redirect CIFS Client Requests

Microsoft DFS

Used for either transparent or nontransparent interception of WAFS traffic for CIFS clients only. See the "Using Microsoft DFS to Intercept CIFS Client Requests" section.

NETBIOS

Used for nontransparent interception of WAFS traffic for CIFS clients unless the WAE is publishing the origin server name, in which case NETBIOS is used for transparent interception of WAFS traffic for CIFS clients. See the "Using Explicit Naming of Shares to Explicitly Intercept CIFS Client Requests" section.

PBR

In branch offices, used for wide area application optimization. The branch office router is configured to use PBR to transparently intercept and route both client and server traffic to the Edge WAE that resides in the same branch office.

In data centers, used for data center application optimization. The data center router or L3 switch may be configured to use PBR to transparently intercept and route client and server traffic to Core WAE(s) within the data center. PBR, however, does not support load balancing across multiple WAEs (such as WCCP does). Neither does it support load balancing when you are using a hardware load balancer, such as the Cisco CSM or ACE. See the "Using Policy-Based Routing to Transparently Redirect All TCP Traffic to WAEs" section.

Inline

Used for transparent interception of application traffic and WAFS traffic. See the "Using Inline Mode to Transparently Intercept TCP Traffic" section.

CSM or ACE

Cisco Catalyst 6500 Content Switching Module (CSM) or Application Control Engine (ACE) installed in the data center for data center application optimization. The CSM or ACE allows for both traffic interception and load balancing across multiple WAE(s) within the data center


For more information, see the following sections:

Request Redirection of All TCP Traffic

Request Redirection of CIFS Client Requests

Request Redirection of All TCP Traffic

This section describes the methods that are supported for request redirection of TCP traffic and contains the following sections:

Using WCCP to Transparently Redirect TCP Traffic to WAEs

Configuring Advanced WCCP Features on a WCCP-Enabled Router

Centrally Managing WCCP Configurations for WAEs

Using Policy-Based Routing to Transparently Redirect All TCP Traffic to WAEs

Using Inline Mode to Transparently Intercept TCP Traffic

Using WCCP to Transparently Redirect TCP Traffic to WAEs

The WAAS software uses the WCCP standard, Version 2 for redirection. The main features of WCCP Version 2 include support for the following:

Up to 32 WAEs per WCCP service

Multiple routers

Multicasting of protocol messages between the WAE and the WCCP-enabled router

Authentication of protocol packets

Redirection of non-HTTP traffic

Packet return (including GRE, allowing a WAE to reject a redirected packet and to return it to the router to be forwarded)

Layer 2-caching (through router versus GRE) and masking (for improved load balancing)

Multiple forwarding methods

Packet distribution method negotiation within a service group

Command and status interaction between the WAE and a service group

Note WCCP works only with IPv4 networks.

WAAS software supports the WCCP TCP promiscuous mode service (services 61 and 62). This WCCP service requires that WCCP Version 2 is running on the router and the WAE.

The TCP promiscuous mode service is a WCCP service that intercepts all TCP traffic and redirects it to the local WAE.

The WAAS software also supports service passwords, WAE failover, flow protection, and static bypass.

The Cisco 2600, Cisco 2800, Cisco 3600, Cisco 3700, Cisco 3800, and Cisco 7600 series routers are supported, and can be manually configured and enabled with WCCP Version 2 support for use with the Cisco WAEs. The Catalyst 6000 and Catalyst 6500 series switches also support WCCP Version 2.

Note Many legacy Cisco routers, including the 2500, 2600, and 3600 routers, have far less processing power and memory than newer routing platforms such as the Integrated Services Router (ISR) models 2800 and 3800. As such, the use of WCCPv2 or PBR may cause a high level of CPU utilization on the router and cause erratic behavior. WAAS can be configured to work with these routers, but not to the same levels of performance or scalability as can be found with newer routing platforms. The Cisco ISR is the routing platform of choice for the branch office.

If you are experiencing erratic behavior, such as the WAE being ejected from the service group, enable fair-queuing, weighted fair-queuing, or rate-limiting on all physical interfaces on the router that connect to users, servers, WAEs, and the WAN. Fair-queuing cannot be configured on subinterfaces, and should be configured on both ingress and egress physical interfaces. If another form of queuing is already configured on the LAN or WAN interfaces other than fair-queuing that provides similar fairness, it should be sufficient.

Additionally, limit the amount of bandwidth that can be received on the LAN-side interface of the router, to help the router keep its interface queues less congested and provide better performance and lower CPU utilization. Set the maximum interface bandwidth on the router to no more than 10 times the WAN bandwidth capacity. For instance, if the WAN link is a T1, the LAN interface and WAE LAN interface bandwidth should be throttled to 10 * T1 = 10 * 1.544 Mbps, or approximately 15 Mbps. See the Cisco IOS documentation for more information.

This section contains the following topics:

Guidelines for Configuring WCCP

Guidelines for File Server Access Methods

Guidelines for Configuring WCCP

When you configure transparent redirection on a WAE using WCCP Version 2, follow these general guidelines:

Intercept and redirect packets on the inbound interface whenever possible.

WAEs must reside in a subnet that is separate from the traffic's destination and source. For example, an Edge WAE must be on a subnet separate from the clients, and a Core WAE must be on a subnet separate from the file and application servers. If you are deploying only the Wide Area File Services (WAFS) in your WAAS network, this requirement is the same, except that the Core WAE can be on the same subnet as the file and application servers, though this configuration is not recommended because no other WAAS optimizations can be enabled.

Edge WAEs must not have their packets encrypted or compressed and should be part of the "inside" Network Address Translation (NAT) firewall if one is present.

Use Layer 2 redirection as the packet forwarding method if you are using Catalyst 6500 series switches or Cisco 7600 series routers. Use Layer 3 GRE packet redirection if you are using any other Cisco series router.

Use hardware-supported methods (CEF, dCEF) where possible. CEF is not required, but is recommended for improved performance. WCCP can use IP CEF if CEF is enabled on the router.

Place Edge WAEs on the client side of the network to minimize client-side packets through the router.

Use WCCP passwords to avoid denial-of-service attacks. For more information, see the "Setting a Service Group Password on a Router" section.

Use WCCP redirect lists for new implementations to limit client or server populations. For more information, see the "Configuring IP Access Lists on a Router" section.

The WAE must be configured to accept redirected packets from one or more WCCP-enabled routers.

You can quickly view a list of WCCP settings and services that you can configure on a WAE, from the WAAS CLI or the WAAS Central Manager GUI (see Figure 4-4) or the WAAS CLI. From the WAAS CLI, enter the wccp EXEC command followed by a question mark (?). The following sample output is from a WAE with WCCP Version 2 enabled: 

WAE(config)# wccp ?

   access-list      Configure an IP access-list for inbound WCCP encapsulated traffic

   flow-redirect    Redirect moved flows

   router-list      Router List for use in WCCP services

   shutdown         Wccp Shutdown parameters

   slow-start       accept load in slow-start mode

   tcp-promiscuous  TCP promiscuous mode service

   version          WCCP Version Number

To configure basic WCCP, you must enable the WCCP service on at least one router in your network and on the WAE that you want the traffic redirected to. It is not necessary to configure all of the available WCCP features or services to get your WAE up and running. For an example of how to complete a basic WCCP configuration on routers and WAEs in a branch office and data center, see the Cisco Wide Area Application Services Quick Configuration Guide.

You must configure the routers and WAEs to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 only supports web traffic (port 80).

After enabling WCCP on the router, you must configure the TCP promiscuous mode service (WCCP services 61 and 62) on the router and the WAE, as described in the Cisco Wide Area Application Services Quick Configuration Guide.

In order for the WAE to function in TCP promiscuous mode, the WAE uses WCCP Version 2 services 61 and 62. These two WCCP services are represented by the canonical name tcp-promiscuous on the WAE.

You can use CLI commands to configure basic WCCP on both the routers and the WAEs, or you can use CLI commands to configure the router for WCCP and use the WAAS Central Manager GUI to configure basic WCCP on the WAEs. In the configuration example provided in the Cisco Wide Area Application Services Quick Configuration Guide, the CLI is used to configure basic WCCP on the WAEs.

We recommend that you use the WAAS CLI to complete the initial basic configuration of WCCP on your first Edge WAE and Core WAE, as described in the Cisco Wide Area Application Services Quick Configuration Guide.

After you have verified that WCCP transparent redirection is working properly, you can use the WAAS Central Manager GUI to centrally modify this basic WCCP configuration or configure additional WCCP settings (for example, load balancing) for a WAE (or group of WAEs). For more information, see the "Centrally Managing WCCP Configurations for WAEs" section.

After you have configured basic WCCP on the router, you can configure advanced WCCP features on the router, as described in the "Configuring Advanced WCCP Features on a WCCP-Enabled Router" section.

Guidelines for File Server Access Methods

Some file servers have several network interfaces and can be reached through multiple IP addresses. For these server types, you must add all the available IP addresses to the Edge WAE's WCCP accept list. This situation prevents a client from bypassing the Edge WAE by using an unregistered IP address. The WAE Device Manager GUI displays all the IP addresses in the GUI.

Some file servers have several NetBIOS names and only one IP address. For these servers, if the client connects using the IP address in the UNC path (that is, \\IP_address\share instead of \\server\share), WAAS selects the first NetBIOS name from the server list in the WAE Device Manager GUI that matches this IP address. WAAS uses that name to perform NetBIOS negotiations between the Core WAE and the file server, and to create resources in the cache. If a file server uses multiple NetBIOS names to represent virtual servers (possibly with different configurations) and has one NetBIOS name that is identified as the primary server name, put that name in the server list before the other names.

Configuring Advanced WCCP Features on a WCCP-Enabled Router

This section describes how to configure the following advanced WCCP Version 2 features on a WCCP-enabled router that is transparently redirecting requests to WAEs in your WAAS network:

Configuring a Router to Support WCCP Service Groups

Configuring IP Access Lists on a Router

Setting a Service Group Password on a Router

Configuring a Loopback Interface on the Router

Note This section assumes that the router has already been configured for basic WCCP, as described in the Cisco Wide Area Application Services Quick Configuration Guide.

Configuring a Router to Support WCCP Service Groups

WCCP Version 2 enables a set of Edge WAEs in an WAE group to connect to multiple routers. The WAEs in a group and the WCCP Version 2-enabled routers connected to the WAE group that are running the same WCCP service are known as a service group.

Through communication with the Edge WAEs, the WCCP Version 2-enabled routers are aware of the available Edge WAEs. Routers and Edge WAEs become aware of one another and form a service group using WCCP Version 2. See Figure 4-1.

Figure 4-1 Service Groups with WCCP Version 2

1

Clients requesting file services

3

WAEs acting as Edge WAEs

2

Cisco routers

4

WAE service group


If there is a group of Edge WAEs, the one seen by all the WCCP Version 2-enabled routers and the one that has the lowest IP address becomes the lead Edge WAE.

The following procedure describes how an Edge WAE in a service group is designated as the lead:

1. Each Edge WAE is configured with a list of WCCP-enabled routers.

Multiple WCCP-enabled routers can service a group (up to 32 routers can be specified). Any of the available routers in a service group can redirect packets to each of the Edge WAEs in the group.

2. Each Edge WAE announces its presence to each router on the router list. The routers reply with their view of Edge WAEs in the service group.

3. After the view is consistent across all of the Edge WAEs in the group, one Edge WAE is designated as the lead Edge WAE and sets the policy that the WCCP-enabled routers need to deploy in redirecting packets.

The role of this lead Edge WAE is to determine how traffic should be allocated across the Edge WAEs in the group. The assignment information is passed to the entire service group from the designated lead Edge WAE so that the WCCP-enabled routers of the group can redirect the packets properly and the Edge WAEs in the group can better manage their load.

WCCP uses service groups to define WAAS services for a WCCP Version 2-enabled router and Edge WAEs in a group. WCCP also redirects client requests to these groups in real time.

All ports receiving redirected traffic that are configured as members of the same WCCP service group share the following characteristics:

They have the same hash or mask parameters, as configured with the WAAS Central Manager GUI (the "Modifying WCCP Service Masks for WAEs" section) or the WAAS CLI (the wccp service-number mask global configuration command).

The WCCP Version 2 service on individual ports cannot be stopped or started individually (a WCCP Version 2 restriction).

To direct a WCCP Version 2-enabled router to enable or disable support for a WCCP service group, use the ip wccp global configuration command. To remove the ability of a router to control support for a WCCP service group, use the no form of this command.

ip wccp {web-cache | service-number} [group-address groupaddress]

The following example shows how to enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) for a group of WAEs that have a group address of 100.10.10.1: 

Router# ip wccp 61 group-address 100.10.10.1

Router# ip wccp 62 group-address 100.10.10.1

When a new WAE is brought online, it joins the WCCP service group, and the router begins redirecting traffic to it. With a new WAE in the service group, the hash tables responsible for distributing the load are changed, and traffic that previously went to WAE1 may now go to WAE2. Flow protection must be enabled in order for WAE2 to forward packets of already connected clients to WAE1. The end result is that all requests that belong to a single session are processed by the same WAE. Should the administrator disable flow protection, adding a WAE to the service group might disconnect some of the existing clients.

When an WAE is removed from the service group, its clients are disconnected (if they reconnect, they will reach another WAE, if one is available, or the origin file server).

WAAS supports WAE failover by reconnecting clients with other Edge WAEs if an Edge WAE crashed. In the event of a crash, the Edge WAE stops issuing WCCP keepalives (constant high CPU load may also result in loss of keepalives and can also be considered a failover case). The router detects the lack of keepalives and removes the Edge WAE from the service group. The designated Edge WAE updates the WCCP configuration hash table to reflect the loss of the Edge WAE and divides its buckets among the remaining Edge WAEs. A new designated lead Edge WAE is elected if the crashed one was the lead Edge WAE. The client is disconnected, but subsequent connections are processed by another Edge WAE.

Once a TCP flow has been intercepted and received by an Edge WAE, the failure behavior is identical to that exhibited during nontransparent mode. For example, Core WAE and file server failure scenarios are not handled any differently as a result of using WCCP interception.

Configuring IP Access Lists on a Router

You can optionally configure the router to redirect traffic from your WAE based on access lists that you define on the router. These access lists are also referred to as redirect lists.

Note You can also configure static bypass lists on the WAE, as described in the "Configuring Static Bypass Lists for WAEs" section. We recommend that you use IP access lists on the WCCP-enabled router, rather than using the static bypass feature, because access lists are more efficient. You can also configure IP access control lists (ACLs) on WAEs to control access to the WAE, as described in "Creating and Managing IP Access Control Lists for WAAS Devices."

IP access lists that are configured on the routers have the highest priority, followed by IP ACLs that are configured on a WAE, and followed by static bypass lists on WAEs. IP ACLs that are configured on WAEs take precedence over any application definition policies that have been defined on the WAE. For more information on this topic, see the "About the Precedence of IP ACLs and Application Definition Policies on WAEs" section.

A WCCP Version 2-enabled router can be configured with access lists to permit or deny redirection of TCP traffic to a WAE. The following example shows that traffic conforming to the following criteria are not redirected by the router to the WAE:

Originating from the host 10.1.1.1 destined for any other host

Originating from any host destined for the host 10.255.1.1 

Router(config)# ip wccp 61 redirect-list 120

Router(config)# ip wccp 62 redirect-list 120

Router(config)# access-list 120 deny ip host 10.1.1.1 any 

Router(config)# access-list 120 deny ip any host 10.1.1.1 

Router(config)# access-list 120 deny ip any host 10.255.1.1 

Router(config)# access-list 120 deny ip host 10.255.1.1 any 

Router(config)# access-list 120 permit ip any

Traffic not explicitly permitted is implicitly denied redirection. The access-list 120 permit ip any command explicitly permits all traffic (from any source on the way to any destination) to be redirected to the WAE. Because criteria matching occurs in the order in which the commands are entered, the global permit command is the last command entered.

To limit the redirection of packets to those packets matching an access list, use the ip wccp redirect-list global configuration command. Use this command to specify which packets should be redirected to the WAE.

When WCCP is enabled but the ip wccp redirect-list command is not used, all packets matching the criteria of a WCCP service are redirected to the WAE. When you specify the ip wccp redirect-list command, only packets that match the access list are redirected.

The ip wccp global configuration command and the ip wccp redirect interface configuration command are the only commands required to start redirecting requests to the WAE using WCCP. To instruct an interface on the WCCP-enabled router to check for appropriate outgoing packets and redirect them to a WAE, use the ip wccp redirect interface configuration command. If the ip wccp command is enabled but the ip wccp redirect command is disabled, the WCCP-enabled router is aware of the WAE but does not use it.

To specify the access list by name or number, use the ip wccp group-list global configuration command, which defines criteria for group membership. In the following example, the access-list 1 permit 10.10.10.1 command is used to define the IP address of the WAE that is allowed to join the WCCP service group: 

Router(config)# ip wccp 61 group-list 1

Router(config)# ip wccp 62 group-list 1

Router(config)# access-list 1 permit 10.10.10.1

For more information on access lists, see the Cisco IOS IP addressing and services software documentation.

Setting a Service Group Password on a Router

For security purposes, you can set a service password for your WCCP Version 2-enabled router and the WAEs that access it. Only devices configured with the correct password are allowed to participate in the WCCP service group.

From the global configuration mode of your WCCP-enabled router, enter the following commands to specify the service group password for the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on the router: 

Router(config)# ip wccp 61 password [0-7] password

Router(config)# ip wccp 62 password [0-7] password

The required password argument is the string that directs the WCCP Version 2-enabled router to apply MD5 authentication to messages received from the specified service group. Messages that are not accepted by the authentication are discarded. 0-7 is the optional value that indicates the HMAC MD5 algorithm used to encrypt the password. This value is generated when an encrypted password is created for the WAE. 7 is the recommended value. The optional password argument is the optional password name that is combined with the HMAC MD5 value to create security for the connection between the router and the WAE.

For information about how to use the WAAS Central Manager GUI to specify the service group password on a WAE (or device group), see the "Modifying the Current Settings of a WCCP Service for WAEs" section.

Configuring a Loopback Interface on the Router

The IP address of the loopback interface of the router is always used to identify the router to the WAEs. If a loopback address is not present, the highest available IP address on the router is used. If an interface changes state, and no loopback address is used, another IP address is used, which could lead to reconnection problems.

The following example configures the loopback interface, exits configuration mode, and saves the running configuration to the startup configuration: 

Router(config)# interface Loopback0

Router(config-if)# ip address 111.111.111.111 255.255.255.0

Router(config-if)# no shutdown

Router(config-if)# end

Router# copy running-config startup-config

Centrally Managing WCCP Configurations for WAEs

For information about some key conceptions that are related to WCCP configurations on WAEs, see the following sections:

About Load Balancing and WAEs

About Packet-Forwarding Methods

About WCCP Flow Redirection on WAEs

This section describes how to use the WAAS Central Manager GUI to centrally manage the WCCP configurations for a WAE or group of WAEs (that is, a device group):

Viewing or Modifying the General WCCP Settings on WAEs

Viewing a List of Currently Configured WCCP Services for WAEs

Modifying the Current Settings of a WCCP Service for WAEs

Creating a WCCP Service Mask for an Existing WCCP Service

Modifying WCCP Service Masks for WAEs

Viewing a WCCP Router List Configuration for WAEs

Modifying the Configuration of WCCP Router Lists for WAEs

Deleting a WCCP Router List from WAEs

Defining Additional WCCP Router Lists on WAEs

Configuring WAEs for a Graceful Shutdown of WCCP

Configuring Static Bypass Lists for WAEs

Note This section assumes that you have completed an initial configuration of your WAAS network, which includes the basic configuration of WCCP Version 2 and the TCP promiscuous mode service on your routers and WAEs, as described in the Cisco Wide Area Application Services Quick Configuration Guide.

About Load Balancing and WAEs

Multiple Edge WAEs with WCCP support can be deployed in a branch office for dynamic load balancing to enable adjustments to the loads being forwarded to the individual Edge WAEs in a service group. IP packets received by a WCCP-enabled router are examined to determine if it is a request that should be directed to an Edge WAE. Packet examination involves matching the request to a defined service criteria. These packets are passed to the processing routine on the router to determine which Edge WAE, if any, should receive the redirected packets.

Load balancing is a technique used to balance the traffic load across multiple Edge WAEs. This technique allows the set of hash address buckets assigned to an Edge WAE to be adjusted shifting the load from an overwhelmed Edge WAE to other Edge WAEs that have available capacity. Two assignment methods are used by this technique: hashing and masking.

About Load-Balancing Assignment Methods

The term assignment method denotes the method used by WCCP to perform load distribution across Edge WAEs. The two possible load-balancing assignment methods are hashing and masking. If the mask load-balancing method is not specified, then the hash load-balancing method, which is the default method, is used.

WCCP supports redirection based on a hash function. The hash key may be based on the source or destination IP address of the packet. For WAAS, load-balancing hashing is based on a source IP address (default), a destination IP address, or both.

The hash function uses the source IP address to obtain an address bucket to which the packet is assigned. These source address buckets are then mapped to a particular Edge WAE depending on how many Edge WAEs are present and how busy they are. (See Figure 4-2.)

Figure 4-2 Load Balancing Through Hashing of IP Addresses

Note Packets that the Edge WAEs do not service are tunneled back to the same router from which they were received. When a router receives a formerly redirected packet, it knows not to redirect it again.

Destination IP address hashing guarantees that a single Edge WAE caches a given file server. This method, which allows a local coherency directive to be safely applied to the file server content (provided that no other collaboration on the content occurs), improves performance and WAN link and disk utilization. This method may distribute load unevenly, however, because of uneven activity on a file server.

Source IP address hashing has better potential for session distribution between the caches on the Edge WAEs. This method may impact performance and WAN link and disk utilization (see the previous description of factors to be aware of when load balancing is applied). Also, any change in the IP address of a client (which can happen when working in DHCP environments) may cause the client to switch to another Edge WAE, which can cause the client to experience reduced performance until the client's working set is retrieved into the new cache.

Hashing that is based on a client IP address does not guarantee any locality of the hash key. For example, clients from the same subnet (which are likely to share and collaborate on the same content) may be assigned two different hash numbers and may be redirected to different Edge WAEs, while clients from different subnets may be assigned the same hash number and may be redirected to the same Edge WAE. Hashing that is based on a client IP address does guarantee consistency. For example, a client using the same IP address is redirected to the same Edge WAE.

In the service farm, a lead Edge WAE is chosen to build the hash table that distributes the load between the available Edge WAEs. The lead Edge WAE distributes the buckets evenly. The source IP address is hashed and the resulting bucket determines the Edge WAE that will handle the packet (flow protection makes sure that it is the same Edge WAE throughout the session).

WCCP supports redirection by mask value assignments. This method relies on masking to make redirection decisions. The decisions are made using special hardware support in the WCCP-enabled router. This method can be very efficient because packets are switched by the hardware.

Note The masking method can only be used for load balancing with the Catalyst 6500 series switches and Cisco 7600 series routers.

Masking must be explicitly specified. You can specify two mask values based on the source or destination IP address of the packet. For WAAS, the default mask value is based on the destination IP address. You can enable masks by using the default values or specifying a particular mask. The default mask values, specified in hexadecimal notation, are as follows:

dst-ip-mask= 0x0

src-ip-mask= 0x1741

The mask value is specified using a maximum of seven bits. The Edge WAE creates a table of the 27 (or 128) combinations, assigns the Edge WAE IP addresses to them, and sends this table to the WCCP-enabled routers. The router uses this table to distribute the traffic among all the Edge WAEs that are in the service group. Each packet that matches the WCCP service parameters is compared to this table and the packets are sent to the matching Edge WAE.

About Packet-Forwarding Methods

A WCCP-enabled router redirects intercepted TCP segments to a WAE using one of the following two packet-forwarding methods:

Generic routing encapsulation (GRE)—Allows packets to reach the WAE even if there are any number of routers in the path to the WAE.

Layer 2 redirection—Allows packets to be switched at Layer 2 (MAC layer) and reach the WAE.

Table 4-2 describes the packet-forwarding methods.

Table 4-2 Packet-Forwarding Methods 

Packet-Forwarding
Method
Load-Balancing Method:
Hashing
Load-Balancing Method:
Masking

GRE (Layer 3)

Packet redirection is completely handled by the router software.

Packet redirection is handled by the router software. We do not recommend using mask assignment when GRE is being used as the packet-forwarding method.

Layer 2 redirection

First redirected packet is handled by the router software; all subsequent redirected packets are handled by the router hardware.

All packets are handled by the router hardware (currently supported only on the Catalyst 6500 series switches or Cisco 7600 series routers because special hardware is required).


The redirection mode is controlled by the Edge WAE. The first Edge WAE that joins the WCCP service group decides the forwarding method (GRE or Layer 2 redirection) and the assignment method (hashing or masking). The term mask assignment refers to WCCP Layer 2 Policy Feature Card 2 (PFC2) input redirection.

If masking is selected with WCCP output redirection, then the Edge WAE falls back to the original hardware acceleration that is used with the Multilayer Switch Feature Card (MSFC) and the Policy Feature Card (PFC).

For example, WCCP filters the packets to determine which redirected packets have been returned from the Edge WAE and which ones have not. WCCP does not redirect the ones that have been returned because the Edge WAE has determined that the packets should not be processed. WCCP Version 2 returns packets that the Edge WAE does not service to the same router from which they were transmitted.

About Returning Packets

The following are typical reasons why an Edge WAE would reject packets and initiate packet return:

The Edge WAE is filtering out certain conditions that make processing packets unproductive, for example, when IP authentication has been turned on.

CIFS packets are received by the Edge WAE destined to a server that is not configured to be cached by the Edge WAE.

You have configured a static bypass list on the Edge WAE.

Note The packets are redirected to the source of the connection between the WCCP-enabled router and the Edge WAE. Depending on the Cisco IOS software version used, this source could be either the address of the outgoing interface or the router IP address. In the latter case, it is important that the Edge WAE has the IP address of the WCCP-enabled router stored in the router list. For more information on router lists, see the "Modifying the Configuration of WCCP Router Lists for WAEs" section.

Cisco Express Forwarding (CEF) is not required but is recommended for improved performance. WCCP can use IP CEF if CEF is enabled on the router. WCCP also allows you to configure multiple routers (router lists) to support a particular WCCP service (for example, CIFS redirection).

About Layer 3 GRE as a Packet-Forwarding Method

A WCCP-enabled router redirects intercepted requests to a WAE and can encapsulate the packets using generic routing encapsulation (GRE). This method for forwarding packets allows packets to reach the WAE even if there are routers in the path to the WAE. Packet redirection is handled entirely by the router software.

GRE is a Layer 3 technique that allows datagrams to be encapsulated into IP packets at the WCCP-enabled router and then redirected to a WAE (the transparent proxy server). At this intermediate destination, the datagrams are decapsulated and then handled by the WAAS software. If the request cannot be handled locally, the origin server may be contacted by the associated WAE to complete the request. In doing so, the trip to the origin server appears to the inner datagrams as one hop. The redirected traffic using GRE usually is referred to as GRE tunnel traffic. With GRE, all redirection is handled by the router software.

With WCCP redirection, a Cisco router does not forward the TCP SYN packet to the destination because the router has WCCP enabled on the destination port of the connection. Instead, the WCCP-enabled router encapsulates the packet using GRE tunneling and sends it to the WAE that has been configured to accept redirected packets from this WCCP-enabled router.

After receiving the redirected packet, the WAE does the following:

1. Strips the GRE layer from the packet.

2. Decides whether it should accept this redirected packet and process the request for content or deny the redirected packet as follows:

a. If the WAE decides to accept the request, it sends a TCP SYN ACK packet to the client. In this response packet, the WAE uses the IP address of the original destination (origin server) that was specified as the source address so that the WAE can be invisible (transparent) to the client; it pretends to be the destination that the TCP SYN packet from the client was trying to reach.

b. If the WAE decides not to accept the request, it reencapsulates the TCP SYN packet in GRE, and sends it back to the WCCP-enabled router. The router understands that the WAE is not interested in this connection and forwards the packet to its original destination (that is, the origin server).

About Layer 2 Redirection as a Packet-Forwarding Method

Layer 2 redirection is accomplished when a WCCP-enabled router or switch takes advantage of internal switching hardware that either partially or fully implements the WCCP traffic interception and redirection functions at Layer 2. This type of redirection is currently supported only with the Catalyst 6500 series switches and Cisco 7200 and 7600 series routers. With Layer 2 redirection, the first redirected traffic packet is handled by the router software. The rest of the traffic is handled by the router hardware. The Edge WAE instructs the router or switch to apply a bit mask to certain packet fields, which in turn provides a mask result or index mapped to the Edge WAE in the service group in the form of a mask index address table. The redirection process is accelerated in the switching hardware, making Layer 2 redirection more efficient than Layer 3 GRE.

Note WCCP is licensed only on the WAE and not on the redirecting router. WCCP does not interfere with normal router or switch operations.

About WCCP Flow Redirection on WAEs

Flow protection reduces the impact on existing client TCP connections when Edge WAEs are added and removed from a service group. By default, WCCP flow redirection is enabled on a WAE. Flow protection reduces the impact on existing client TCP connections when Edge WAEs are added and removed from a service group. The client impact is reduced because of flow protection in the following situations:

WAAS network expansion—When Edge WAEs are added to the service group, the newly started Edge WAEs receives traffic that was previously processed by a different Edge WAE. It forwards the traffic to the relevant Edge WAE for continued processing. New connections are processed by the new Edge WAE.

Edge WAE replacement following a failure—When an Edge WAE fails, another Edge WAE may receive traffic that was previously processed by either that Edge WAE or the origin file server. The receiving Edge WAE operates according to the previous two use cases.

Without flow protection, established client connections are broken through a TCP RESET in the situations listed earlier. Flow protection applies to all supported WCCP services and cannot be configured on a per-service basis.

Viewing or Modifying the General WCCP Settings on WAEs

In a WAAS network, the following set of configuration parameters for a WAE is collectively referred to as the "WCCP general settings":

WCCP version

Flow redirection

Slow start

Shutdown delay

Table 4-3 lists the default values for the WCCP general settings on a WAE.

Table 4-3 Default Values for the WCCP General Settings on a WAE 

Feature
Default Value
Comment

WCCP Version 2

Disabled

WCCP Version 2 instead of WCCP Version 1 must be used because WCCP Version 1 only supports web traffic (port 80).

Flow redirection

Enabled

Keeps the TCP flow intact and avoids overwhelming the WAE when it comes up and is assigned new traffic.

Slow start

Disabled

Within a service group of WAEs, TCP connections are redirected to other WAEs as units are added or removed. A WAE can be overloaded if it is reassigned new traffic too quickly or it is introduced abruptly into a high-bandwidth connection. WCCP slow start performs the following tasks to prevent a WAE from being overwhelmed when it comes online or is reassigned new traffic:

TCP flow protection when WCCP Version 2 is enabled and a WAE is introduced into the service group

TCP flow protection when WCCP Version 2 is disabled and a WAE is leaving the service group

Load assignment to the WAE in slow increments rather than a full load at bootup

Shutdown delay

120 seconds

To prevent broken TCP connections, the WAE performs a clean shutdown of WCCP after a reload or WCCP is shut down (disabled) on the WAE.


To ensure consistency, we recommend that you change the WCCP general settings on a device group basis instead of on an individual device.

Note This section assumes that you have already completed a basic WCCP configuration for your WAAS network that includes the configuration of the TCP promiscuous mode service (WCCP Version 2 services 61 and 62), as described in the Cisco Wide Area Application Services Quick Configuration Guide.

To centrally view or modify the general WCCP settings for a WAE (or a group of WAEs), follow these steps:

Step 1 From the WAAS Central Manager GUI, choose Devices > Devices (or Devices > Device Groups).

Step 2 Click the Edit icon next to the name of the device (or device group) for which you want to change the values of the WCCP general settings.

Step 3 Click Expand All above the Contents pane.

Step 4 Click Show Advanced to display all menu items in the Contents pane.

Step 5 In the Contents pane, choose Interception > WCCP > General Settings. The WCCP General Configuration Settings window appears. (See Figure 4-3.)

Figure 4-3 WCCP General Configuration Settings Window

Step 6 Check the current settings for the chosen device (or device group).

To keep the current settings and to close the window, click Cancel.

To modify the current settings, change the current setting as described in the rest of this procedure.

By default, WCCP is disabled on a WAE. However, as part of the initial configuration of WCCP in your your WAAS network, you should have enabled WCCP Version 2 on your WAEs (the Edge WAE and the Core WAE) as well as on the routers in the data center and branch office that will be transparently redirecting requests to these WAEs. For information about how to perform a basic WCCP configuration in your WAAS network, see the Cisco Wide Area Application Services Quick Configuration Guide.

Step 7 From the WCCP Version drop-down list, choose 2 to enable WCCP Version 2 on the chosen device (or device group), or choose Disabled to disable WCCP on the chosen device (or device groups).

Note You must configure the chosen device (or device group) to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 only supports web traffic (port 80).

Be sure the routers used in the WCCP environment are running a version of the Cisco IOS software that also supports the WCCP Version 2.

Step 8 To keep the TCP flow intact, and to avoid overwhelming the device (or device groups) when they come up or are reassigned new traffic, check the Enable Flow Redirection check box. For more information on this feature, see the "About WCCP Flow Redirection on WAEs" section.

Step 9 To enable the slow start capability on the device (or device group), check the Slow Start check box. By default, this feature is disabled. Slow start is applicable only in the following cases:

Initial bootup when there is no WAE present in the server farm

When a new WAE is added to a cluster that is not handling the full load (for example, when there are some buckets that are being shed by the cluster)

In all other situations slow start is not necessary and all the WAEs can be assigned their share of traffic immediately.

Step 10 In the Shutdown Delay field, specify the maximum amount of time (in seconds) that the chosen device (or device group) waits to perform a clean shutdown of WCCP. The default is 120 seconds.

The WAE does not reboot until either all connections have been serviced or the maximum wait time (specified through this Shutdown Delay field) has elapsed for WCCP Version 2.

Step 11 Click Submit to save the changes.

To configure WCCP settings from the CLI, you can use the wccp version, wccp flow-redirect, wccp slow-start, and wccp shutdown global configuration commands.

For more information about a graceful shut down of WCCP Version 2 on WAEs, see the "Configuring WAEs for a Graceful Shutdown of WCCP" section.

Viewing a List of Currently Configured WCCP Services for WAEs

To centrally view a list of the WCCP services that are currently configured for a WAE (or group of WAEs), follow these steps:

Step 1 From the WAAS Central Manager GUI, choose Devices > Devices (or Devices > Devices Groups).

The Devices window appears, listing all the device types configured in the WAAS network.

Step 2 Click the Edit icon next to the device (or device group) for which you want to view a list of currently configured WCCP services.

Step 3 Click Expand All above the Contents pane.

Step 4 Click Show Advanced to display all menu items in the Contents pane.

Step 5 In the Contents pane, choose Interception > WCCP > Services.

The WCCP Service Settings for WAE window appears with a list of the currently configured WCCP services for the chosen device (or device group). (See Figure 4-4.)

Figure 4-4 Viewing a List of Currently Configured WCCP Services

In the example shown in Figure 4-4, there is currently one WCCP service, the TCP promiscuous service, configured on the chosen device and this service has been configured to use router list 1.

Step 6 Click the Edit WCCP Service Setting icon next to the service that you want to modify to modify an existing WCCP service.

For more information about modifying a service, see the "Modifying the Current Settings of a WCCP Service for WAEs" section.

Step 7 Click the Create New WCCP Service Setting icon in the taskbar to create a new WCCP service for the chosen device (or device group).

To view currently configured WCCP services from the CLI, you can use the show wccp services EXEC command.

Modifying the Current Settings of a WCCP Service for WAEs

To centrally modify the current settings of a WCCP service for a WAE (or group of WAEs), follow these steps:

Step 1 From the WAAS Central Manager GUI, choose Devices > Devices (or Devices > Device Groups).

Step 2 Click the Edit icon next to the name of the device (or device group) for which you want to modify the WCCP settings or services.

Step 3 Click Expand All above the Contents pane.

Step 4 Click Show Advanced to display all menu items in the Contents pane.

Step 5 In the Contents pane, choose Interception > WCCP > Services.

The WCCP Service Settings window appears with a list of the currently configured WCCP services for the chosen device (or device group).

Step 6 Click the Edit WCCP Service Setting icon next to the service that you want to modify.

The Modifying WCCP Service window appears. (See Figure 4-5.)

Figure 4-5 Modifying the Settings of a WCCP Service

Note You can configure all settings for a WCCP service only after the service has been associated with a router list.

Step 7 Associate a router list with the TCP promiscuous mode service by choosing the appropriate number of the WCCP router list from the Router List drop-down list.

Only configured WCCP router lists are displayed in the drop-down list. As part of the initial configuration of your WAAS network, you will have already created at least one WCCP router list for your Edge WAE and a second WCCP router list for your Core WAE, as described in the Cisco Wide Area Application Services Quick Configuration Guide. For more information about WCCP router lists, see the following sections:

Modifying the Configuration of WCCP Router Lists for WAEs

Deleting a WCCP Router List from WAEs

Defining Additional WCCP Router Lists on WAEs

Step 8 (Optional) Modify the current load-balancing settings for the chosen WCCP service, as follows:

a. To define the load-balancing hash of the destination IP address, check the Destination IP check box.

b. To define the load-balancing hash of the source IP address, check the Source IP check box.

Note For more information about load balancing, see the "About Load Balancing and WAEs" section.

Step 9 (Optional) Modify the other current settings for the WCCP service, as follows:

a. To force WCCP to use the configured assignment method only, check the Use Selected Assignment Method check box. When applied, either of the two load-balancing methods, hash assignment or mask assignment, can be used.

Hash assignment—For the Catalyst 6500 series switches and Cisco 7600 series routers, this load-balancing method is called WCCP Layer 2 Policy Feature Card (PFC) redirection. This method is intended to achieve forwarding performance of up to 3 Gbps using a combination of the Supervisor Engine 1A and the Multilayer Switch Feature Card 2 (MSFC2).

Mask assignment—This type of load balancing is called the WCCP Layer 2 Policy Feature Card 2 (PFC2) redirection. It uses a combination of the Supervisor Engine 2 and the MSFC2.

You can specify only one load-balancing method (hashing or masking) per WCCP service in an Edge WAE group. For more information about load-balancing assignment methods, see the "About Load-Balancing Assignment Methods" section.

b. To permit the WAE (or device group) to receive transparently redirected traffic from a WCCP Version 2-enabled switch or router, if the WAE has a Layer 2 connection with the device, and the device is configured for Layer 2 redirection, check the Layer2 Redirection check box.

WCCP on a router or switch can take advantage of switching hardware that either partially or fully implements the traffic interception and redirection functions of WCCP in hardware at Layer 2. The WAE can then perform a Layer 2 or MAC address rewrite redirection if it is directly connected to a compatible Cisco switch. This redirection processing is accelerated in the switching hardware, which makes this method a more efficient method than Layer 3 redirection using GRE. The WAE must have a Layer 2 connection with the router or switch. Because there is no requirement for a GRE tunnel between the switch and the WAE, the switch can use a cut-through method of forwarding encapsulated packets if you check the Layer2 Redirection check box. For more information, see the "About Packet-Forwarding Methods" section.

c. To permit Layer 2 rewriting to be used for packet return, check the Packet return by Layer 2 rewrite check box.

d. In the Password field, specify the password to be used for secure traffic between the WAEs within a cluster and the router for a specified service. Be sure to enable all other WAEs and routers within the cluster with the same password. Passwords must not exceed 8 characters in length. Reenter the password in the Confirm Password field.

Note For information about how to use the CLI to specify the service group password on a router, see the "Setting a Service Group Password on a Router" section.

e. In the Weight field, specify the weight value that is used for load balancing. The weight value ranges from 0 to 10000. If the total of all the weight values of the WAEs in a service group is less than or equal to 100, then the weight value represents a literal percentage of the total load redirected to the device for load-balancing purposes. For example, a WAE with a weight of 10 receives 10 percent of the total load in a service group where the total of all weight values is 50. If a WAE in such a service group fails, the other WAEs still receive the same load percentages as before the failure; they will not receive the load allocated to the failed WAE.

If the total of all the weight values of the WAEs in a service group is between 101 and 10000, then the weight value is treated as a fraction of the total weight of all the active WAEs in the service group. For example, a WAE with a weight of 200 receives 25 percent of the total load in a service group where the total of all the weight values is 800. If a WAE in such a service group fails, the other WAEs will receive the load previously allocated to the failed WAE. The failover handling is different than if the total weights are less than or equal to 100.

By default, weights are not assigned and the traffic load is distributed evenly between the WAEs in a service group.

f. To use the mask method for WAE assignment, check the Use Mask Assignment check box.

Step 10 (Optional) To modify an existing service mask for the WCCP service, click the Edit Mask button. For more information about modifying service masks, see the "Modifying WCCP Service Masks for WAEs" section.

Step 11 (Optional) To view a list of all configured WCCP service masks for the service, click the View Masks Configured for All Services button. The WCCP Service Mask Settings windows appears. (See Figure 4-6.)

Figure 4-6 Viewing a List of WCCP Service Masks

Step 12 From the WCCP Service Mask Settings window, you can perform the following tasks:

To edit a WCCP service mask, click the Edit WCCP Service Mask icon next to the service mask that you want to modify. The Modifying WCCP Service Mask window appears. (See Figure 4-7.)

Figure 4-7 Modifying a WCCP Service Mask

Change the values of the settings that you want to modify and click Submit, as follows:

In the Source IP Mask field, specify the IP address mask defined by a hexadecimal number (for example, 0xFE000000) used to match the packet source IP address. The range is 0x00000000-0xFE000000. The default is 0x00001741.

In the Destination IP Mask field, specify the IP address mask defined by a hexadecimal number (for example, 0xFE000000) used to match the packet destination IP address. The range is 0x0000000-0XFE000000. The default is 0x00000000.

Note You can also edit a service mask by clicking the Edit Mask button in the Modifying WCCP Service window. (See Figure 4-5.)

To delete an existing WCCP service mask, click the Edit WCCP Service Mask icon next to the service mask that you want to delete. The Modifying WCCP Service Mask window appears. (See Figure 4-7.) Click the Delete WCCP Service Mask icon in the taskbar and click Submit.

To configure the WCCP service from the CLI, you can use the wccp tcp-promiscuous global configuration command.

Creating a WCCP Service Mask for an Existing WCCP Service

To centrally create a service mask for an existing WCCP service for a WAE (or group of WAEs), follow these steps:

Step 1 From the WAAS Central Manager GUI, choose Devices > Devices (or Devices > Devices Group).

Step 2 Click the Edit icon next to the device (or device group) for which you want to a WCCP service mask.

Step 3 Click Expand All above the Contents pane.

Step 4 Click Show Advanced to display all menu items in the Contents pane.

Step 5 In the Contents pane, choose Interception > WCCP > Services.

The WCCP Service Settings for WAE window appears.

Step 6 Click the Create New WCCP Service Setting icon in the taskbar.

The Creating New WCCP Service window appears.

Step 7 Click the Create New Mask button.

The Creating New WCCP Service Mask window appears. (See Figure 4-8.)

Figure 4-8 Creating a WCCP Service M