Cisco IOS IP Application Services Command Reference
ip tcp adjust-mss through ip wccp web-cache accelerated
ip tcp adjust-mss

To adjust the maximum segment size (MSS) value of TCP synchronize/start (SYN) packets going through a router, use the ip tcp adjust-mss command in interface configuration mode. To return the MSS value to the default setting, use the no form of this command.

Command History

Usage Guidelines

When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.

The PPP over Ethernet (PPPoE) standard supports an MTU of only 1492 bytes. The disparity between the host and PPPoE MTU size can cause the router in between the host and the server to drop 1500-byte packets and terminate TCP sessions over the PPPoE network. Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the Internet Control Message Protocol (ICMP) error messages that must be relayed from the host in order for path MTU to work.

The ip tcp adjust-mss command helps prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN packets.

The ip tcp adjust-mss command is effective only for TCP connections passing through the router.

In most cases, the optimum value for the max-segment-size argument is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.

If you are configuring the ip mtu command on the same interface as the ip tcp adjust-mss command, we recommend that you use the following commands and values:

Examples

The following example shows the configuration of a PPPoE client with the MSS value set to 1452:

vpdn enable
no vpdn logging
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
 ip tcp adjust-mss 1452
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe client dial-pool-number 1
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username sohodyn password 7 141B1309000528
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 101 permit ip 192.168.100.0 0.0.0.255 any

ip tcp chunk-size

To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size command in global configuration mode. To restore the default value, use the no form of this command.

Command Default

0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.

Command History
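The SYN rewrite described under ip tcp adjust-mss earlier in this section, as an added Python example (not Cisco code): it lowers the MSS option of a constructed SYN segment to 1452 and recomputes the TCP checksum. The addresses, ports, function names, and the choice to only ever lower the advertised value are assumptions of the example.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when the segment already carries a valid checksum."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)

def find_mss(segment: bytes):
    """Walk the TCP options; return (offset of MSS value, MSS) or None."""
    header_len = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= header_len:
            break
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break                     # malformed option: stop rather than guess
        if kind == 2 and length == 4:  # Maximum Segment Size
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN to max_mss; other segments pass unchanged.
    Assumption of this example: a value already at or below max_mss is kept."""
    if not segment[13] & 0x02:        # SYN flag not set
        return segment
    found = find_mss(segment)
    if found is None or found[1] <= max_mss:
        return segment
    offset = found[0]
    seg = bytearray(segment)
    seg[offset:offset + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"          # zero the checksum field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def build_syn(src_ip: bytes, dst_ip: bytes, mss: int) -> bytes:
    """Constructed SYN: 20-byte header plus MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    header = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 7 << 4, 0x02,
                         65535, 0, 0)
    seg = bytearray(header + options)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

# Constructed sample addresses: inside host and an outside server.
HOST = bytes([192, 168, 100, 10])
SERVER = bytes([203, 0, 113, 5])

if __name__ == "__main__":
    syn = build_syn(HOST, SERVER, 1460)
    out = clamp_mss(HOST, SERVER, syn, 1452)
    print("MSS before:", find_mss(syn)[1], "after:", find_mss(out)[1])
    print("checksum valid:", tcp_checksum(HOST, SERVER, out) == 0)
```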
ip tcp compression-connections

To specify the total number of Transmission Control Protocol (TCP) header compression connections that can exist on an interface, use the ip tcp compression-connections command in interface configuration mode. To restore the default, use the no form of this command.

Command Default

For PPP and High-Level Data Link Control (HDLC) interfaces, the default is 16 compression connections. For Frame Relay interfaces, the default is 256 compression connections.

Command History

Usage Guidelines

You should configure one connection for each TCP connection through the specified interface. Each connection sets up a compression cache entry, so you are in effect specifying the maximum number of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to degraded performance, and too many cache entries can lead to wasted memory.

Examples

The following example sets the first serial interface for header compression with a maximum of ten cache entries:

Router> enable
Router# configure terminal
Router(config)# interface serial 0
Router(config-if)# ip tcp header-compression
Router(config-if)# ip tcp compression-connections 10
Router(config-if)# end

ip tcp ecn

To enable TCP Explicit Congestion Notification (ECN), use the ip tcp ecn command in global configuration mode. To disable TCP ECN, use the no form of this command.

ip tcp header-compression

To enable Transmission Control Protocol (TCP) header compression, use the ip tcp header-compression command in interface configuration mode. To disable compression, use the no form of this command.
ip tcp header-compression [{passive | iphc-format | ietf-format}]
no ip tcp header-compression [{passive | iphc-format | ietf-format}]
Syntax Description
Command Default

For PPP interfaces, the default format for header compression is the IPHC format. For High-Level Data Link Control (HDLC) and Frame Relay interfaces, the default format is as described in RFC 1144, Compressing TCP/IP Headers for Low-Speed Serial Links.

Command History

Usage Guidelines

You can compress the headers of your TCP/IP packets in order to reduce the size of your packets. TCP header compression is supported on serial lines using Frame Relay, HDLC, or PPP encapsulation. You must enable compression on both ends of a serial connection. Compressing the TCP header can speed up Telnet connections dramatically.

In general, TCP header compression is advantageous when your traffic consists of many small packets, not for traffic that consists of large packets. Transaction processing (usually using terminals) tends to use small packets and file transfers use large packets. This feature only compresses the TCP header, so it has no effect on User Datagram Protocol (UDP) packets or other protocol headers.

The passive Keyword

By default, the ip tcp header-compression command compresses outgoing TCP traffic. If you specify the passive keyword, outgoing TCP traffic is compressed only if incoming TCP traffic on the same interface is compressed. If you do not specify the passive keyword, all outgoing TCP traffic is compressed.

For PPP interfaces, the passive keyword is ignored. PPP interfaces negotiate the use of header-compression, regardless of whether the passive keyword is specified. Therefore, on PPP interfaces, the passive keyword is replaced by the IPHC format, the default format for PPP interfaces.

The iphc-format Keyword

The iphc-format keyword indicates that the IPHC format of header compression will be used. For PPP and HDLC interfaces, when the iphc-format keyword is specified, Real-Time Transport Protocol (RTP) header compression is also enabled. For this reason, the ip rtp header-compression command appears in the output of the show running-config command. Since both TCP header compression and RTP header compression are enabled, both TCP packets and UDP packets are compressed.

The iphc-format keyword is not available for interfaces that use Frame Relay encapsulation.

The ietf-format Keyword

The ietf-format keyword indicates that the IETF format of header compression will be used. For HDLC interfaces, the ietf-format keyword compresses only TCP packets. For PPP interfaces, when the ietf-format keyword is specified, RTP header compression is also enabled. For this reason, the ip rtp header-compression command appears in the output of the show running-config command. Since both TCP header compression and RTP header compression are enabled, both TCP packets and UDP packets are compressed.

The ietf-format keyword is not available for interfaces that use Frame Relay encapsulation.

Examples

The following example sets the first serial interface for header compression with a maximum of ten cache entries:

Router> enable
Router# configure terminal
Router(config)# interface serial 0
Router(config-if)# ip tcp header-compression
Router(config-if)# ip tcp compression-connections 10
Router(config-if)# end

The following example enables RTP header compression on the Serial1/0.0 subinterface and limits the number of RTP header compression connections to 10. In this example, the optional iphc-format keyword of the ip tcp header-compression command is specified.

Router> enable
Router# configure terminal
Router(config)# interface Serial1/0.0
Router(config-if)# encapsulation ppp
Router(config-if)# ip tcp header-compression iphc-format
Router(config-if)# ip tcp compression-connections 10
Router(config-if)# end

The following example enables RTP header compression on the Serial2/0.0 subinterface and limits the number of RTP header compression connections to 20. In this example, the optional ietf-format keyword of the ip tcp header-compression command is specified.

Router> enable
Router# configure terminal
Router(config)# interface Serial2/0.0
Router(config-if)# encapsulation ppp
Router(config-if)# ip tcp header-compression ietf-format
Router(config-if)# ip tcp compression-connections 20
Router(config-if)# end

Related Commands
ip tcp mss

To enable a maximum segment size (MSS) for TCP connections originating or terminating on a router, use the ip tcp mss command in global configuration mode. To disable the configuration of the MSS, use the no form of this command.

Command History

Usage Guidelines

If this command is not enabled, the MSS value of 536 bytes is used if the destination is not on a LAN, otherwise the MSS value is 1460 for a local destination.

For connections originating from a router, the specified value is used directly as an MSS option in the synchronize (SYN) segment. For connections terminating on a router, the value is used only if the incoming SYN segment has an MSS option value higher than the configured value. Otherwise the incoming value is used as the MSS option in the SYN/acknowledge (ACK) segment.

ip tcp path-mtu-discovery

To enable the Path MTU Discovery feature for all new TCP connections from the router, use the ip tcp path-mtu-discovery command in global configuration mode. To disable the function, use the no form of this command.
ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
no ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
Command History
Usage Guidelines

Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between the endpoints of a TCP connection. It is described in RFC 1191. Existing connections are not affected when this feature is turned on or off.

Customers using TCP connections to move bulk data between systems on distinct subnets would benefit most by enabling this feature.

The age timer is a time interval for how often TCP reestimates the path MTU with a larger MSS. When the age timer is used, TCP path MTU becomes a dynamic process. If the MSS used for the connection is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated, or the user has disabled the timer on the router. You can turn off the age timer by setting it to infinite.

ip tcp queuemax

To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax command in global configuration mode. To restore the default value, use the no form of this command.

Command Default

The default value is 5 segments if the connection has a TTY associated with it. If no TTY is associated with it, the default value is 20 segments.

Command History
ip tcp selective-ack

To enable TCP selective acknowledgment, use the ip tcp selective-ack command in global configuration mode. To disable TCP selective acknowledgment, use the no form of this command.

Command History

Usage Guidelines

TCP might not experience optimal performance if multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can learn about only one lost packet per round-trip time. An aggressive sender could resend packets early, but such re-sent segments might have already been received.

The TCP selective acknowledgment mechanism helps overcome these limitations. The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then resend only the missing data segments.

TCP selective acknowledgment improves overall performance. The feature is used only when a multiple number of packets drop from a TCP window. There is no performance impact when the feature is enabled but not used.

This command becomes effective only on new TCP connections opened after the feature is enabled.

This feature must be disabled if you want TCP header compression. You might disable this feature if you have severe TCP problems.

Refer to RFC 2018 for more detailed information on TCP selective acknowledgment.

ip tcp synwait-time

To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time command in global configuration mode. To restore the default time, use the no form of this command.

Command History

Usage Guidelines

In versions previous to Cisco IOS software Release 10.0, the system would wait a fixed 30 seconds when attempting to establish a TCP connection. If your network contains public switched telephone network (PSTN) dial-on-demand routing (DDR), the call setup time may exceed 30 seconds. This amount of time is not sufficient in networks that have dialup asynchronous connections because it will affect your ability to Telnet over the link (from the router) if the link must be brought up. If you have this type of network, you may want to set this value to the UNIX value of 75.

Because this is a host parameter, it does not pertain to traffic going through the router, just for traffic originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to experience this problem.

ip tcp timestamp

To enable TCP time stamp, use the ip tcp timestamp command in global configuration mode. To disable TCP time stamp, use the no form of this command.

Command History

Usage Guidelines

TCP time stamp improves round-trip time estimates. Refer to RFC 1323 for more detailed information on TCP time stamp.

The TCP time stamp must be disabled if you want to use TCP header compression.

ip tcp window-size

To alter the TCP window size, use the ip tcp window-size command in global configuration mode. To restore the default window size, use the no form of this command.

Command Default

The default window size is 4128 bytes when window scaling is not enabled. If only one neighbor is configured for the window scaling extension, the default window size is 65535 bytes.

Command History
Usage Guidelines

Do not use this command unless you clearly understand why you want to change the default value.

To enable window scaling to support Long Fat Networks (LFNs), the TCP window size must be more than 65,535 bytes. The remote side of the link also needs to be configured to support window scaling. If both sides are not configured with window scaling, the default maximum value of 65,535 bytes is applied.

The scale factor is automatically calculated based on the window-size that you configure. You cannot directly configure the scale factor.

ip unreachables

To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the ip unreachables command in interface configuration mode. To disable this function, use the no form of this command.

Command History

Usage Guidelines

If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source.

If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message.

This command affects all types of ICMP unreachable messages.

ip vrf

To define a VPN routing and forwarding (VRF) instance and to enter VRF configuration mode, use the ip vrf command in global configuration mode. To remove a VRF instance, use the no form of this command.

Command Default

No VRFs are defined. No import or export lists are associated with a VRF. No route maps are associated with a VRF.

Command History

Usage Guidelines

The ip vrf vrf-name command creates a VRF instance named vrf-name. To make the VRF functional, a route distinguisher (RD) must be created using the rd route-distinguisher command in VRF configuration mode. The rd route-distinguisher command creates the routing and forwarding tables and associates the RD with the VRF instance named vrf-name.

The ip vrf default command can be used to configure a VRF instance that is a NULL value until a default VRF name can be configured. This is typically before any VRF related AAA commands are configured.

ip vrf (tracking)

To track an IP route in a specific VPN virtual routing and forwarding (VRF) table, use the ip vrf command in tracking configuration mode. To remove the tracking of the route, use the no form of this command.

Command History

Usage Guidelines

This command is available for all IP-route tracked objects that are tracked by the track ip route global configuration command. Use this command to track a route that belongs to a specific VPN.

Examples

In the following example, the route associated with a VRF named VRF1 is tracked:

Router(config)# track 1 ip route 10.0.0.0 255.0.0.0 metric threshold
Router(config-track)# exit
Router(config)# ip vrf VRF1
Router(config-vrf)# rd 100:1
Router(config-vrf)# route-target both 100:1
!
Router(config)# interface ethernet0/2
Router(config-if)# no shutdown
Router(config-if)# ip vrf forwarding VRF1
Router(config-if)# ip address 10.0.0.2 255.0.0.0

ip wccp

To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode. To disable the service group, use the no form of this command.
ip wccp [vrf vrf-name] {web-cache | service-number} [accelerated] [service-list service-access-list] [mode {open | closed}] [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password [{0 | 7}] password]
no ip wccp [vrf vrf-name] {web-cache | service-number} [accelerated] [service-list service-access-list] [mode {open | closed}] [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password [{0 | 7}] password]
Syntax Description
Command History
Usage Guidelines

WCCP transparent caching bypasses Network Address Translation (NAT) when fast (Cisco Express Forwarding [CEF]) switching is enabled. To work around this situation, WCCP transparent caching should be configured in the outgoing direction, fast/CEF switching should be enabled on the content engine interface, and the ip wccp web-cache redirect out command should be specified. Configure WCCP in the incoming direction on the inside interface by specifying the ip wccp redirect exclude in command on the router interface facing the cache. This configuration prevents the redirection of any packets arriving on that interface.

You can also include a redirect list when configuring a service group and the specified redirect list will deny packets with a NAT (source) IP address and prevent redirection. Refer to the ip wccp command for configuration of the redirect list and service group.

This command instructs a router to enable or disable the support for the specified service number or the web-cache service name. A service number can be from 0 to 254. Once the service number or name is enabled, the router can participate in the establishment of a service group.

The vrf vrf-name keyword and argument pair is optional. It allows you to specify a VRF to associate with a service group. You can then specify a web-cache service name or service number.

The same service (web-cache or service number) can be configured in different VRF tables. Each service will operate independently.

When the no ip wccp command is entered, the router terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.

The keywords following the web-cache keyword and the service-number argument are optional and may be specified in any order, but each may be specified only once. The following sections outline the specific usage of each of the optional forms of this command.

ip wccp [vrf vrf-name] {web-cache | service-number} group-address multicast-address

A WCCP group address can be configured to set up a multicast address that cooperating routers and web caches can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.

This option instructs the router to use the specified multicast IP address to coalesce the "I See You" responses for the "Here I Am" messages that it has received on this group address. The response is sent to the group address as well. The default is for no group address to be configured, in which case all "Here I Am" messages are responded to with a unicast reply.

ip wccp [vrf vrf-name] {web-cache | service-number} redirect-list access-list

This option instructs the router to use an access list to control the traffic that is redirected to the web caches of the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).

WCCP requires that the following protocol and ports not be filtered by any access lists:
ip wccp [vrf vrf-name] {web-cache | service-number} group-list access-list

This option instructs the router to use an access list to control the web caches that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which web caches are permitted to participate in the service group. The default is for no group list to be configured, in which case all web caches may participate in the service group.

ip wccp [vrf vrf-name] {web-cache | service-number} password password

This option instructs the router to use MD5 authentication on the messages received from the service group specified by the service name given. Use this form of the command to set the password on the router. You must also configure the same password separately on each web cache. The password can be up to a maximum of eight characters. Messages that do not authenticate when authentication is enabled on the router are discarded. The default is for no authentication password to be configured and for authentication to be disabled.

ip wccp service-number service-list service-access-list mode closed

In applications where the interception and redirection of WCCP packet flows to external intermediate devices for the purpose of applying feature processing are not available within Cisco IOS software, it is necessary to block packet flows for the application when the intermediary device is not available. This blocking is called a closed service. By default, WCCP operates as an open service, wherein communication between clients and servers proceeds normally in the absence of an intermediary device. The service-list keyword can only be used for closed mode services. When a WCCP service is configured as closed, WCCP discards packets that do not have a client application registered to receive the traffic. Use the service-list keyword and service-access-list argument to register an application protocol type or port number.

When the definition of a service in a service list conflicts with the definition received via WCCP protocol, a warning message similar to the following is displayed:

Sep 28 14:06:35.923: %WCCP-5-SERVICEMISMATCH: Service 90 mismatched on WCCP client 10.1.1.13

When there is a conflict in service list definitions, the configured definition takes precedence over the external definition received via WCCP protocol messages.
Examples

The following example shows how to configure a router to run WCCP reverse-proxy service, using the multicast address of 239.0.0.0:

Router(config)# ip multicast-routing
Router(config)# ip wccp 99 group-address 239.0.0.0
Router(config)# interface ethernet 0
Router(config-if)# ip wccp 99 group-listen

The following example shows how to configure a router to redirect web-related packets without a destination of 10.168.196.51 to the web cache:

Router(config)# access-list 100 deny ip any host 10.168.196.51
Router(config)# access-list 100 permit ip any any
Router(config)# ip wccp web-cache redirect-list 100
Router(config)# interface ethernet 0
Router(config-if)# ip wccp web-cache redirect out

The following example shows how to configure an access list to prevent traffic from network 10.0.0.0 leaving Fast Ethernet interface 0/0. Because the outbound ACL check is enabled, WCCP does not redirect that traffic. WCCP checks packets against the ACL before they are redirected.

Router(config)# ip wccp web-cache
Router(config)# ip wccp check acl outbound
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group 10 out
Router(config-if)# ip wccp web-cache redirect out
Router(config-if)# access-list 10 deny 10.0.0.0 0.255.255.255
Router(config-if)# access-list 10 permit any

If the outbound ACL check is disabled, HTTP packets from network 10.0.0.0 would be redirected to a cache, and users with that network address could retrieve web pages when the network administrator wanted to prevent this from happening.

The following example shows how to configure a closed WCCP service:
Router(config)# ip wccp 99 service-list access1 mode closed
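An added Python example (not part of the Cisco reference) that audits global ip wccp service lines against the defaults documented above for the group-list, password and service-list options: no password means authentication is disabled, no group list means any web cache may join, a clear-text password has an eight-character limit, and service-list applies only to closed mode. The sample configuration, finding labels and function names are constructed for the example.

```python
# Options of the global "ip wccp" command that take exactly one argument.
OPTS_WITH_ARG = {"service-list", "mode", "group-address",
                 "redirect-list", "group-list"}

# Constructed running-config fragment (passwords are made-up sample values).
SAMPLE_CONFIG = """\
ip wccp web-cache redirect-list 100
ip wccp 99 group-address 239.0.0.0 password 0 examplepw1
ip wccp 90 service-list access1 mode closed group-list 20 password 0 cachepw
ip wccp vrf BLUE 61 group-list CACHES
ip wccp check acl outbound
interface ethernet 0
 ip wccp web-cache redirect out
"""

def parse_wccp_services(config: str):
    """Return one dict per global 'ip wccp <service>' line."""
    services = []
    for raw in config.splitlines():
        if raw[:1].isspace():            # indented: interface subcommand
            continue
        tok = raw.split()
        if tok[:2] != ["ip", "wccp"]:
            continue
        tok = tok[2:]
        svc = {"vrf": None, "opts": {}}
        if tok[:1] == ["vrf"] and len(tok) >= 2:
            svc["vrf"], tok = tok[1], tok[2:]
        # Skip non-service forms such as "ip wccp check acl outbound".
        if not tok or not (tok[0] == "web-cache" or tok[0].isdigit()):
            continue
        svc["service"], tok = tok[0], tok[1:]
        i = 0
        while i < len(tok):
            key = tok[i]
            if key in OPTS_WITH_ARG and i + 1 < len(tok):
                svc["opts"][key] = tok[i + 1]
                i += 2
            elif key == "password":
                i += 1
                enc = "0"                # no type given: treated as clear text
                if i + 1 < len(tok) and tok[i] in ("0", "7"):
                    enc, i = tok[i], i + 1
                if i < len(tok):
                    svc["opts"]["password"] = (enc, tok[i])
                    i += 1
            else:                        # "accelerated" or unknown token
                svc["opts"].setdefault(key, True)
                i += 1
        services.append(svc)
    return services

def audit_wccp(config: str):
    """Return (service, finding) pairs for weak or inconsistent settings."""
    findings = []
    for svc in parse_wccp_services(config):
        name = svc["service"]
        if svc["vrf"] is not None:
            name = f'{name} (vrf {svc["vrf"]})'
        opts = svc["opts"]
        if "password" not in opts:
            findings.append((name, "no-auth"))           # MD5 auth disabled
        elif opts["password"][0] == "0" and len(opts["password"][1]) > 8:
            findings.append((name, "password-too-long"))  # eight-character limit
        if "group-list" not in opts:
            findings.append((name, "open-membership"))    # any cache may join
        if "service-list" in opts and opts.get("mode") != "closed":
            findings.append((name, "service-list-without-closed"))
    return findings

if __name__ == "__main__":
    for service, finding in audit_wccp(SAMPLE_CONFIG):
        print(f"service {service}: {finding}")
```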
ip wccp check acl outbound

To check the outbound access control list (ACL) for Web Cache Communication Protocol (WCCP), use the ip wccp check acl outbound command in global configuration mode. To disable the outbound check, use the no form of this command.

Command History

Examples

The following example shows how to configure a router to check the outbound ACL for WCCP:
Router(config)# ip wccp check acl outbound
Related Commands
ip wccp check services all

To enable all Web Cache Communication Protocol (WCCP) services, use the ip wccp check services all command in global configuration mode. To disable all services, use the no form of this command.

Usage Guidelines

With the ip wccp check services all command, WCCP can be configured to check all configured services for a match and perform redirection for those services if appropriate. The caches to which packets are redirected can be controlled by a redirect access control list (ACL) as well as by the priority value of the service.

It is possible to configure an interface with more than one WCCP service. When more than one WCCP service is configured on an interface, the precedence of a service depends on the relative priority of the service compared to the priority of the other configured services. Each WCCP service has a priority value as part of its definition.

If no WCCP services are configured with a redirect ACL, the services are considered in priority order until a service is found which matches the IP packet. If no services match the packet, the packet is not redirected. If a service matches the packet and the service has a redirect ACL configured, then the IP packet will be checked against the ACL. If the packet is rejected by the ACL, the packet will not be passed down to lower priority services unless the ip wccp check services all command is configured. When the ip wccp check services all command is configured, WCCP will continue to attempt to match the packet against any remaining lower priority services configured on the interface.
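The service-selection order described above, modelled as an added Python example (not Cisco code) so the effect of ip wccp check services all on a packet rejected by a redirect ACL can be seen directly. The services, priorities, ports and addresses are constructed, and the example assumes that a larger priority value is considered first and that a service definition matches on destination port only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int

@dataclass(frozen=True)
class Service:
    name: str
    priority: int
    ports: frozenset                       # destination ports the service matches
    # Ordered (action, source network) entries, or None for no redirect ACL.
    redirect_acl: Optional[Tuple[Tuple[str, str], ...]] = None

def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; implicit deny if nothing matches."""
    for action, network in acl:
        if ip_address(pkt.src) in ip_network(network):
            return action == "permit"
    return False

def select_service(services, pkt: Packet, check_services_all: bool = False):
    """Return the name of the service that redirects pkt, or None."""
    for svc in sorted(services, key=lambda s: s.priority, reverse=True):
        if pkt.dst_port not in svc.ports:
            continue                       # definition does not match: try next
        if svc.redirect_acl is None or acl_permits(svc.redirect_acl, pkt):
            return svc.name
        # Matched the service but rejected by its redirect ACL. Lower-priority
        # services are tried only when "ip wccp check services all" is set.
        if not check_services_all:
            return None
    return None

# Constructed services: web-cache refuses to redirect sources in 10.0.0.0/8,
# while a lower-priority service 90 also covers port 80 and has no redirect ACL.
SERVICES = [
    Service("90", 100, frozenset({80, 8080})),
    Service("web-cache", 240, frozenset({80}),
            (("deny", "10.0.0.0/8"), ("permit", "0.0.0.0/0"))),
]

if __name__ == "__main__":
    pkt = Packet("10.1.1.5", 80)
    print("default:           ", select_service(SERVICES, pkt))
    print("check services all:", select_service(SERVICES, pkt, True))
```

With the check enabled, the packet that web-cache's redirect ACL rejected is still redirected by service 90, so a redirect ACL on one service does not by itself keep that traffic away from every cache.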
ip wccp group-listen

To configure an interface on a router to enable or disable the reception of IP multicast packets for Web Cache Communication Protocol (WCCP), use the ip wccp group-listen command in interface configuration mode. To disable the reception of IP multicast packets for WCCP, use the no form of this command.

ip wccp [vrf vrf-name] {web-cache | service-number} group-listen
no ip wccp [vrf vrf-name] {web-cache | service-number} group-listen
Command History
Usage Guidelines
On Cisco 7600 series routers, the service-number may be either one of the provided standard keyword definitions or a number representing a cache engine dynamically defined definition. Once the service is enabled, the router can participate in the establishment of a service group. On routers that are to be members of a Service Group when IP multicast is used, the following configuration is required:
Examples

The following example shows how to enable the multicast packets for a web cache with a multicast address of 224.1.1.100:

Router# configure terminal
Router(config)# ip multicast-routing
Router(config)# ip wccp web-cache group-address 224.1.1.100
Router(config)# interface ethernet 0
Router(config-if)# ip wccp web-cache group-listen

ip wccp outbound-acl-check

To check the outbound access control list (ACL) for Web Cache Communication Protocol (WCCP), use the ip wccp outbound-acl-check command in global configuration mode. To disable the outbound check, use the no form of this command.

Examples

The following example shows how to configure a router to check the outbound ACL for WCCP:
Router(config)# ip wccp outbound-acl-check
ip wccp redirect

To enable packet redirection on an outbound or inbound interface using Web Cache Communication Protocol (WCCP), use the ip wccp redirect command in interface configuration mode. To disable WCCP redirection, use the no form of this command.

ip wccp [vrf vrf-name] {web-cache | service-number} redirect {in | out}
no ip wccp [vrf vrf-name] {web-cache | service-number} redirect {in | out}
Syntax Description
Command History
Usage GuidelinesWCCP transparent caching bypasses Network Address Translation (NAT) when fast (Cisco Express Forwarding [CEF]) switching is enabled. To work around this situation, WCCP transparent caching should be configured in the outgoing direction, fast/CEF switching enabled on the Content Engine interface, and the ip wccp web-cache redirect out command specified. Configure WCCP in the incoming direction on the inside interface by specifying the ip wccp redirect exclude in command on the router interface facing the cache. This prevents the redirection of any packets arriving on that interface. You can also include a redirect list when configuring a service group and the specified redirect list will deny packets with a NAT (source) IP address and prevent redirection. Refer to the ip wccp command for configuration of the redirect list and service group. The ip wccp redirect in command allows you to configure WCCP redirection on an interface receiving inbound network traffic. When the command is applied to an interface, all packets arriving at that interface will be compared against the criteria defined by the specified WCCP service. If the packets match the criteria, they will be redirected. Likewise, the ip wccp redirect out command allows you to configure the WCCP redirection check at an outbound interface.
Examples

In the following configuration, the multilink interface is configured to prevent the bypassing of NAT when fast/CEF switching is enabled:

Router(config)# interface multilink2
Router(config-if)# ip address 10.21.21.1 255.255.255.0
Router(config-if)# ip access-group IDS_Multilink2_in_1 in
Router(config-if)# ip wccp web-cache redirect out
Router(config-if)# ip nat outside
Router(config-if)# ip inspect FSB-WALL out
Router(config-if)# max-reserved-bandwidth 100
Router(config-if)# service-policy output fsb-policy
Router(config-if)# no ip route-cache
Router(config-if)# load-interval 30
Router(config-if)# tx-ring-limit 3
Router(config-if)# tx-queue-limit 3
Router(config-if)# ids-service-module monitoring
Router(config-if)# ppp multilink
Router(config-if)# ppp multilink group 2
Router(config-if)# crypto map abc1

The following example shows how to configure a session in which reverse proxy packets on Ethernet interface 0 are being checked for redirection and redirected to a Cisco Cache Engine:

Router(config)# ip wccp 99
Router(config)# interface ethernet 0
Router(config-if)# ip wccp 99 redirect out

The following example shows how to configure a session in which HTTP traffic arriving on Ethernet interface 0/1 is redirected to a Cisco Cache Engine:

Router(config)# ip wccp web-cache
Router(config)# interface ethernet 0/1
Router(config-if)# ip wccp web-cache redirect in

ip wccp redirect exclude in

To configure an interface to exclude packets received on an interface from being checked for redirection, use the ip wccp redirect exclude in command in interface configuration mode. To disable the ability of a router to exclude packets from redirection checks, use the no form of this command.

Command History
Usage Guidelines

This configuration command instructs the interface to exclude inbound packets from any redirection check. Note that the command is global to all the services and should be applied to any inbound interface that will be excluded from redirection.

This command is intended to be used to accelerate the flow of packets from a cache engine to the Internet as well as allow for the use of the Web Cache Communication Protocol (WCCP) v2 packet return feature.

ip wccp source-interface

To specify the interface that Web Cache Communication Protocol (WCCP) uses as the preferred router ID and generic routing encapsulation (GRE) source address, use the ip wccp source-interface command in global configuration mode. To enable the WCCP default behavior for router ID selection, use the no form of this command.

Command Default

If this command is not configured, WCCP selects a loopback interface with the highest IP address as the router ID.

Usage Guidelines

Use this command to set the interface from which WCCP may derive the router ID and GRE source address. The router ID must be a reachable IPv4 address. The interface identified by the source-interface argument must be assigned an IPv4 address and be operational before WCCP uses the address as the router ID. If the configured source interface cannot be used to derive the WCCP router ID, a Cisco IOS error message similar to the following is displayed:

%WCCP-3-SIFIGNORED: source-interface interface ignored (reason)

The reason field in the error output indicates why the interface has been ignored and can include the following:
This command provides control only of the router ID and GRE source address. This command does not influence the source address used by WCCP control protocol ("Here I Am" and Removal Query messages). The WCCP control protocol is not bound to a specific interface and the source address is always selected based on the destination address of an individual packet.

Examples

The following example shows how to select Gigabit Ethernet interface 0/0/0 as the WCCP source interface:
Router(config)# ip wccp source-interface gigabitethernet0/0/0
Related Commands

ip wccp version

To specify the version of Web Cache Communication Protocol (WCCP), use the ip wccp version command in global configuration mode.

Command History
Usage Guidelines

Configuring this command does not have any impact on Cisco ASR 1000 Series Routers because these routers support only WCCPv2. WCCPv2 is enabled by default on Cisco ASR 1000 series routers when a service group is configured or a service group is attached to an interface.

ip wccp web-cache accelerated

To enable the hardware acceleration for WCCP version 1, use the ip wccp web-cache accelerated command in global configuration mode. To disable hardware acceleration, use the no form of this command.

ip wccp web-cache accelerated [ {group-address group-address} ] | [ {redirect-list access-list} ] | [ {group-list access-list} ] | [ { [password password] } ]
no ip wccp web-cache accelerated
Syntax Description
Command Default

When this command is not configured, hardware acceleration for WCCPv1 is not enabled.

Usage Guidelines

The group-address group-address option requires a multicast address that is used by the router to determine which cache engine should receive redirected messages. This option instructs the router to use the specified multicast IP address to coalesce the "I See You" responses for the "Here I Am" messages that it has received on this group address. In addition, the response is sent to the group address. The default is for no group-address to be configured, so that all "Here I Am" messages are responded to with a unicast reply.

The redirect-list access-list option instructs the router to use an access list to control the traffic that is redirected to the cache engines of the service group that is specified by the service-name given. The access-list argument specifies either a number from 1 to 99 to represent a standard or extended access list number, or a name to represent a named standard or extended access list. The access list itself specifies the traffic that is permitted to be redirected. The default is for no redirect-list to be configured (all traffic is redirected).

The group-list access-list option instructs the router to use an access list to control the cache engines that are allowed to participate in the specified service group. The access-list argument specifies either a number from 1 to 99 to represent a standard access list number, or a name to represent a named standard access list. The access list specifies which cache engines are permitted to participate in the service group. The default is for no group-list to be configured, so that all cache engines may participate in the service group.

The password can be up to seven characters. When you designate a password, the messages that are not accepted by the authentication are discarded. The password name is combined with the HMAC MD5 value to create security for the connection between the router and the cache engine.
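
With the defaults described above, a WCCP service group accepts any cache engine and does not authenticate its messages unless group-list and password are configured. The following added example (not part of the Cisco reference) audits a saved configuration for those options and lists the interfaces that redirect traffic to each service group. It assumes running-config layout with indented interface subcommands and the option syntax shown on this page; the sample configuration, ACL names and password are constructed placeholders.

```python
import re

# Constructed sample in running-config layout; ACL names and password are placeholders.
SAMPLE_CONFIG = """\
ip wccp web-cache group-address 224.1.1.100
ip wccp 99 redirect-list WCCP_REDIRECT group-list 10 password EXAMPLE
ip wccp outbound-acl-check
!
interface Ethernet0
 ip wccp 99 redirect out
!
interface Ethernet0/1
 ip wccp web-cache redirect in
 ip wccp redirect exclude in
"""

SERVICE_RE = re.compile(r"^ip wccp (?:vrf \S+ )?(web-cache|\d+)(?: (.*))?$")
REDIRECT_RE = re.compile(r"^ip wccp (?:vrf \S+ )?(web-cache|\d+) redirect (in|out)$")
TAKES_ARG = ("group-address", "redirect-list", "group-list", "password")
CHECKED = ("group-list", "password", "redirect-list")  # options this audit reports on

def audit_wccp(config_text):
    """Return {service: {"missing": [...], "redirects": [...]}} per WCCP service group."""
    report, iface = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if raw and not raw[0].isspace():
            iface = None  # any other top-level line closes the interface block
        m = (REDIRECT_RE if iface else SERVICE_RE).match(line)
        if not m:
            continue
        entry = report.setdefault(m.group(1), {"seen": set(), "redirects": []})
        if iface:
            entry["redirects"].append(f"{iface} ({m.group(2)})")
            continue
        tokens = (m.group(2) or "").split()
        i = 0
        while i < len(tokens):  # record option keywords, skipping each one's argument
            entry["seen"].add(tokens[i])
            i += 2 if tokens[i] in TAKES_ARG else 1
    return {svc: {"missing": [k for k in CHECKED if k not in e["seen"]],
                  "redirects": e["redirects"]} for svc, e in report.items()}

if __name__ == "__main__":
    for service, result in audit_wccp(SAMPLE_CONFIG).items():
        print(service, result)
```

A service group that reports group-list or password as missing while also listing redirecting interfaces is the case to review first, since traffic on those interfaces is handed to whichever cache engine joins the group.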