Configuring Cache Services Using the Web Cache Communication Protocol

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for WCCP

Before configuring WCCP on your switch, make sure you adhere to the following configuration prerequisites:

  • The application engines and switches in the same service group must be in the same subnetwork directly connected to the switch that has WCCP enabled.

  • Configure the switch interfaces that are connected to the clients, the application engines, and the server as Layer 3 interfaces (routed ports and switch virtual interfaces [SVIs]). For WCCP packet redirection to work, the servers, application engines, and clients must be on different subnets.

  • Use only nonreserved multicast addresses when configuring a single multicast address for each application engine.

  • WCCP entries and PBR entries use the same TCAM region. WCCP is supported only on the templates that support PBR: access, routing, and dual IPv4/v6 routing.

  • When TCAM entries are not available to add WCCP entries, packets are not redirected and are forwarded by using the standard routing tables.

  • The number of available policy-based routing (PBR) labels are reduced as more interfaces are enabled for WCCP ingress redirection. For every interface that supports service groups, one label is consumed. The WCCP labels are taken from the PBR labels. You need to monitor and manage the labels that are available between PBR and WCCP. When labels are not available, the switch cannot add service groups. However, if another interface has the same sequence of service groups, a new label is not needed, and the group can be added to the interface.

  • The routing maximum transmission unit (MTU) size configured on the stack member switches should be larger than the client MTU size. The MAC-layer MTU size configured on ports connected to application engines should consider the GRE tunnel header bytes.

Restrictions for WCCP

Unsupported WCCP Features

The following WCCP features are not supported in this software release:

  • Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command.

  • The GRE forwarding method for packet redirection.

  • GRE redirect and return.

  • The hash assignment method for load balancing.

  • SNMP support for WCCP.

  • Hash assignments in hardware. You can load balance using mask assignments only.

  • Redirection for fragmented packets. This is a security feature.

General Restrictions

  • Maximum number of service groups: eight ingress and eight egress.

  • You cannot configure WCCP and VPN routing/forwarding (VRF) on the same switch interface.

  • You cannot configure WCCP and PBR on the same switch interface.

  • You cannot configure WCCP and a private VLAN (PVLAN) on the same switch interface.

  • The ip wccp redirect exclude in command allows you to exclude ingress packets from egress WCCP methods. It is not needed on the interface to CE.

  • When no cache engine is available, matching packets are dropped. This is closed group support. There is no VRF-aware WCCP support and no IPv6 WCCP.

  • When the device is configured with the ip wccp check services all command, if the redirect ACL fails to match on packet, it will be checked against the next priority service group.

Information About WCCP

WCCP Overview

Note
Note

To use this feature, the device must be running the IP Services or IP base feature set.


WCCP is a Cisco-developed content-routing technology that you can use to integrate wide-area application engines (referred to as application engines) into your network infrastructure. The application engines transparently store frequently accessed content and then fulfill successive requests for the same content, eliminating repetitive transmissions of identical content from servers. Application engines accelerate content delivery and ensure maximum scalability and availability of content. In a service-provider network, you can deploy the WCCP and application engine solution at the points of presence (POPs). In an enterprise network, you can deploy the WCCP and application engine solution at a regional site or small branch office.

The WCCP and Cisco cache engines (or other application engines running WCCP) localize traffic patterns in the network, enabling content requests to be fulfilled locally.

WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and their requests are automatically redirected to an application engine. The word transparent means that the end user does not know that a requested file (such as a web page) came from the application engine instead of from the originally specified server.

When an application engine receives a request, it attempts to service it from its own local cache. If the requested information is not present, the application engine sends a separate request to the end server to retrieve the requested information. After receiving the requested information, the application engine forwards it to the requesting client and also caches it to fulfill future requests.

With WCCP, the application-engine cluster (a series of application engines) can service multiple routers or switches, as shown in the figure below.
Figure 1. Cisco Cache Engine and WCCP Network Configuration

WCCP Message Exchange

The following sequence of events describes the WCCP message exchange:

  1. The application engines send their IP addresses to the WCCP-enabled switch by using WCCP, signaling their presence through a Here I am message. The switch and application engines communicate to each other through a control channel based on UDP port 2048.

  2. The WCCP-enabled switch uses the application engine IP information to create a cluster view (a list of application engines in the cluster). This view is sent through an I see you message to each application engine in the cluster, essentially making all the application engines aware of each other. A stable view is established after the membership of the cluster remains the same for a certain amount of time.

  3. When a stable view is established, the application engine in the cluster with the lowest IP address is elected as the designated application engine.

WCCP Negotiation

In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items:

  • Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine. This forwarding method requires the target application engine to be directly connected to the switch at Layer 2.

  • Assignment method (the method by which packets are distributed among the application engines in the cluster). The switch uses some bits of the destination IP address, the source IP address, the destination Layer 4 port, and the source Layer 4 port to determine which application engine receives the redirected packets.

  • Packet-return method (the method by which packets are returned from the application engine to the switch for normal forwarding). These are the typical reasons why an application engine rejects packets and starts the packet-return feature:

    • The application engine is overloaded and has no room to service the packets.

    • The application engine receives an error message (such as a protocol or authentication error) from the server and uses the dynamic client bypass feature. The bypass enables clients to bypass the application engines and to connect directly to the server.

The application engine returns a packet to the WCCP-enabled switch to forward to the server as if the application engine is not present. The application engine does not intercept the reconnection attempt. In this way, the application engine effectively cancels the redirection of a packet to the application engine and creates a bypass flow. If the return method is Layer 2 rewrite, the packets are forwarded in hardware to the target server. When the server responds with the information, the switch uses normal Layer 3 forwarding to return the information to the requesting client.

MD5 Security

WCCP provides an optional security component in each protocol message to enable the switch to use MD5 authentication on messages between the switch and the application engine. Messages that do not authenticate by MD5 (when authentication of the switch is enabled) are discarded by the switch. The password string is combined with the MD5 value to create security for the connection between the switch and the application engine. You must configure the same password on each application engine.

Packet Redirection and Service Groups

You can configure WCCP to classify traffic for redirection, such as FTP, proxy-web-cache handling, and audio and video applications. This classification, known as a service group, is based on the protocol type (TCP or UDP) and the Layer 4 source destination port numbers. The service groups are identified either by well-known names such as web-cache, which means TCP port 80, or a service number, 0 to 99. Service groups are configured to map to a protocol and Layer 4 port numbers and are established and maintained independently. WCCP allows dynamic service groups, where the classification criteria are provided dynamically by a participating application engine.

You can configure up to 8 service groups on a switch or switch stack and up to 32 cache engines per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware. For example, if service group 1 has a priority of 100 and looks for destination port 80, and service group 2 has a priority of 50 and looks for source port 80, the incoming packet with source and destination port 80 is forwarded by using service group 1 because it has the higher priority.

WCCP supports a cluster of application engines for every service group. Redirected traffic can be sent to any one of the application engines. The switch supports the mask assignment method of load balancing the traffic among the application engines in the cluster for a service group.

After WCCP is configured on the switch, the switch forwards all service group packets received from clients to the application engines. However, the following packets are not redirected:

  • Packets originating from the application engine and targeted to the server.

  • Packets originating from the application engine and targeted to the client.

  • Packets returned or rejected by the application engine. These packets are sent to the server.

You can configure a single multicast address per service group for sending and receiving protocol messages. When there is a single multicast address, the application engine sends a notification to one address, which provides coverage for all routers in the service group, for example, 225.0.0.0. If you add and remove routers dynamically, using a single multicast address provides easier configuration because you do not need to specifically enter the addresses of all devices in the WCCP network.

You can use a router group list to validate the protocol packets received from the application engine. Packets matching the address in the group list are processed, packets not matching the group list address are dropped.

To disable caching for specific clients, servers, or client/server pairs, you can use a WCCP redirect access control list (ACL). Packets that do not match the redirect ACL bypass the cache and are forwarded normally.

Before WCCP packets are redirected, the switch examines ACLs associated with all inbound features configured on the interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL.

Note
Note

Both permit and deny ACL entries are supported in WCCP redirect lists.

When packets are redirected, the output ACLs associated with the redirected interface are applied to the packets. Any ACLs associated with the original port are not applied unless you specifically configure the required output ACLs on the redirected interfaces.

Unsupported WCCP Features

These WCCP features are not supported in this software release:

  • Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
  • The GRE forwarding method for packet redirection is not supported.
  • The hash assignment method for load balancing is not supported.
  • There is no SNMP support for WCCP.

How to Configure WCCP

WCCP Configuration Guidelines

Before configuring WCCP on your switch, make sure to follow these configuration guidelines:

  • The application engines and switches in the same service group must be in the same subnetwork directly connected to the switch that has WCCP enabled.
  • Configure the switch interfaces that are connected to the clients, the application engines, and the server as Layer 3 interfaces (routed ports and switch virtual interfaces [SVIs]). For WCCP packet redirection to work, the servers, application engines, and clients must be on different subnets.
  • Use only nonreserved multicast addresses when configuring a single multicast address for each application engine.
  • WCCP entries and PBR entries use the same TCAM region. WCCP is supported only on the templates that support PBR: access, routing, and dual IPv4/v6 routing.
  • When TCAM entries are not available to add WCCP entries, packets are not redirected and are forwarded by using the standard routing tables.
  • The number of available policy-based routing (PBR) labels are reduced as more interfaces are enabled for WCCP ingress redirection. For every interface that supports service groups, one label is consumed. The WCCP labels are taken from the PBR labels. You need to monitor and manage the labels that are available between PBR and WCCP. When labels are not available, the switch cannot add service groups. However, if another interface has the same sequence of service groups, a new label is not needed, and the group can be added to the interface.
  • You cannot configure WCCP and VPN routing/forwarding (VRF) on the same switch interface.
  • You cannot configure WCCP and PBR on the same switch interface.
  • You cannot configure WCCP and a private VLAN (PVLAN) on the same switch interface.

Enabling the Cache Service

For WCCP packet redirection to operate, you must configure the switch interface connected to the client to redirect inbound packets.

This procedure shows how to configure these features on routed ports. To configure these features on SVIs, see the configuration examples that follow the procedure.

Follow these steps to enable the cache service, to set a multicast group address or group list, to configure routed interfaces, to redirect inbound packets received from a client to the application engine, enable an interface to listen for a multicast address, and to set a password. This procedure is required.

Before you begin

Configure the SDM template, and reboot the device.

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters the global configuration mode.

Step 3

ip wccp { web-cache | service-number} [ group-address groupaddress] [ group-list access-list] [ redirect-list access-list] [ password encryption-number password]

Example:


Switch(config)# ip wccp web-cache

Enables the cache service, and specifies the service number that corresponds to a dynamic service that is defined by the application engine. By default, this feature is disabled.

(Optional) For group-address groupaddress , specifies the multicast group address used by the switches and the application engines to participate in the service group.

(Optional) For group-list access-list , if a multicast group address is not used, specify a list of valid IP addresses that correspond to the application engines that are participating in the service group.

(Optional) For redirect-list access-list , specify the redirect service for specific hosts or specific packets from hosts.

(Optional) For password encryption-number password , specify an encryption number. The range is 0 to 7. Use 0 for not encrypted, and use 7 for proprietary. Specify a password name up to seven characters in length. The switch combines the password with the MD5 authentication value to create security for the connection between the switch and the application engine. By default, no password is configured, and no authentication is performed.

You must configure the same password on each application engine.

When authentication is enabled, the switch discards messages that are not authenticated.

Step 4

interface interface-id

Example:


Switch(config)# interface gigabitethernet1/0/1

Specifies the interface connected to the application engine or the server, and enters interface configuration mode.

Step 5

no switchport

Example:


Switch(config-if)# no switchport

Enters Layer 3 mode.

Step 6

ip address ip-address subnet-mask

Example:


Switch(config-if)# ip address 172.20.10.30 255.255.255.0

Configures the IP address and subnet mask.

Step 7

no shutdown

Example:


Switch(config-if)# no shutdown

Enables the interface.

Step 8

exit

Example:


Switch(config-if)# exit

Returns to global configuration mode. Repeat Steps 4 through 8 for each application engine and server.

Step 9

interface interface-id

Example:


Switch(config)# interface gigabitethernet1/0/2

Specifies the interface connected to the client, and enters interface configuration mode.

Step 10

no switchport

Example:


Switch(config-if)# no switchport

Enters Layer 3 mode.

Step 11

ip address ip-address subnet-mask

Example:


Switch(config-if)# ip address 175.20.20.10 255.255.255.0

Configures the IP address and subnet mask.

Step 12

no shutdown

Example:


Switch(config-if)# no shutdown

Enables the interface.

Step 13

ip wccp { web-cache | service-number} redirect in

Example:


Switch(config-if)# ip wccp web-cache redirect in

Redirects packets received from the client to the application engine. Enable this on the interface connected to the client.

Step 14

ip wccp { web-cache | service-number} group-listen

Example:


Switch(config-if)# ip wccp web-cache group-listen

(Optional) When using a multicast group address, the group-listen keyword enables the interface to listen for the multicast address. Enable this on the interface connected to the application engine.

Step 15

exit

Example:


Switch(config-if)# exit

Returns to global configuration mode. Repeat Steps 9 through 15 for each client.

Step 16

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 17

show running-config

Example:


Switch# show running-config 

Verifies your entries.

Step 18

copy running-config startup-config

Example:


Switch# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuration Examples

This example shows how to configure routed interfaces and to enable the cache service with a multicast group address and a redirect access list. Gigabit Ethernet port 1 is connected to the application engine, is configured as a routed port with an IP address of 172.20.10.30, and is reenabled. Gigabit Ethernet port 2 is connected through the Internet to the server, is configured as a routed port with an IP address of 175.20.20.10, and is reenabled. Gigabit Ethernet ports 3 to 6 are connected to the clients and are configured as routed ports with IP addresses 175.20.30.20, 175.20.40.30, 175.20.50.40, and 175.20.60.50. The switch listens for multicast traffic and redirects packets received from the client interfaces to the application engine.

Switch# configure terminal
Switch(config)# ip wccp web-cache group-address 224.1.1.100 redirect list 12
Switch(config)# access-list 12 permit host 10.1.1.1
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 172.20.10.30 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache group-listen
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.20.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.30.20 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/4
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.40.30 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.50.40 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/6
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.60.50 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit

This example shows how to configure SVIs and how to enable the cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30. Gigabit Ethernet port 2 is connected to the application engine and is configured as an access port in VLAN 300. VLAN 301 is created and configured with an IP address of 175.20.30.50. Fast Ethernet ports 3 to 6, which are connected to the clients, are configured as access ports in VLAN 301. The switch redirects packets received from the client interfaces to the application engine.

Note
Note

Both permit and deny ACL entries are supported in WCCP redirect lists.
Switch# configure terminal
Switch(config)# ip wccp web-cache group-list 15
Switch(config)# access-list 15 permit host 171.69.198.102
Switch(config)# access-list 15 permit host 171.69.198.104
Switch(config)# access-list 15 permit host 171.69.198.106
Switch(config)# vlan 299
Switch(config-vlan)# exit
Switch(config)# interface vlan 299
Switch(config-if)# ip address 175.20.20.10 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 299
Switch(config)# vlan 300
Switch(config-vlan)# exit
Switch(config)# interface vlan 300
Switch(config-if)# ip address 171.69.198.100 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 300
Switch(config-if)# exit
Switch(config)# vlan 301
Switch(config-vlan)# exit
Switch(config)# interface vlan 301
Switch(config-if)# ip address 175.20.30.20 255.255.255.0
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface range gigabitethernet1/0/3 - 6
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 301
Switch(config-if-range)# exit

What to do next

To disable the cache service, use the no ip wccp web-cache global configuration command. To disable inbound packet redirection, use the no ip wccp web-cache redirect in interface configuration command. After completing this procedure, configure the application engines in the network.

Monitoring and Maintaining WCCP

To monitor and maintain WCCP, use one or more of the privileged EXEC commands shown in the table below.

Table 1. Commands for Monitoring and Maintaining WCCP
Command Purpose
clear ip wccp web-cache

Removes statistics for the web-cache service.

show ip wccp web-cache

Displays global information related to WCCP.

show ip wccp web-cache detail

Displays information for the switch and all application engines in the WCCP cluster.

show ip interface

Displays status about any IP WCCP redirection commands that are configured on an interface; for example, Web Cache Redirect is enabled / disabled.

show ip wccp web-cache view

Displays which other members have or have not been detected.

Additional References

Related Documents

Related Topic Document Title

SNMP Commands

Command Reference, Cisco IOS Release 15.2(2)E

Error Message Decoder

Description Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

Standards and RFCs

Standard/RFC Title

None

-

MIBs

MIB MIBs Link

All supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History and Information for Web Cache Communication Protocol

Release

Modification

This feature was introduced.