To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode. To disable the service group, use the no form of this command.
ip wccp [vrf vrf-name] {web-cache | service-number} [accelerated] [service-list service-access-list] [mode {open | closed}] [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password [0 | 7] password]
no ip wccp [vrf vrf-name] {web-cache | service-number} [accelerated] [service-list service-access-list] [mode {open | closed}] [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password [0 | 7] password]
Syntax Description
vrf vrf-name | (Optional) Specifies a virtual routing and forwarding instance (VRF) to associate with a service group.
web-cache | Specifies the web-cache service (WCCP Version 1 and Version 2). Note: Web-cache counts as one of the services. The maximum number of services, including those assigned with the service-number argument, is 256.
service-number | Dynamic service identifier, which means the service definition is dictated by the cache. The dynamic service number can be from 0 to 254. The maximum number of services is 256, which includes the web-cache service specified with the web-cache keyword. Note: If Cisco cache engines are used in the cache cluster, the reverse proxy service is indicated by a value of 99.
accelerated | (Optional) This option applies only to hardware-accelerated routers. This keyword configures the service group to prevent a connection being formed with a cache engine unless the cache engine is configured in a way that allows redirection on the router to benefit from hardware acceleration.
service-list service-access-list | (Optional) Identifies a named extended IP access list that defines the packets that will match the service.
mode open | (Optional) Identifies the service as open. This is the default service mode.
mode closed | (Optional) Identifies the service as closed.
group-address multicast-address | (Optional) Specifies the multicast IP address that communicates with the WCCP service group. The multicast address is used by the router to determine which web cache should receive redirected messages.
redirect-list access-list | (Optional) Specifies the access list that controls traffic redirected to this service group. The access-list argument should consist of a string of no more than 64 characters (name or number) in length that specifies the access list.
group-list access-list | (Optional) Specifies the access list that determines which web caches are allowed to participate in the service group. The access-list argument specifies either the number or the name of a standard or extended access list.
password [0 | 7] password | (Optional) Specifies the message digest algorithm 5 (MD5) authentication for messages received from the service group. Messages that are not accepted by the authentication are discarded. The encryption type can be 0 or 7, with 0 specifying not yet encrypted and 7 for proprietary. The password argument can be up to eight characters in length.
Command Default
WCCP services are not enabled on the router.
Command Modes
Global configuration (config)
Command History
Release | Modification
12.0(3)T | This command was introduced.
12.1 | This command replaced the ip wccp enable, ip wccp redirect-list, and ip wccp group-list commands.
12.2(25)S | This command was integrated into Cisco IOS Release 12.2(25)S.
12.3(14)T | The maximum value for the service-number argument was increased to 254.
12.2(27)SBC | This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T | The service-list service-access-list keyword and argument pair and the mode open and mode closed keywords were added.
12.2(33)SXH | This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.2 | This command was integrated into Cisco IOS XE Release 2.2.
15.0(1)M | This command was modified. The vrf keyword and vrf-name argument pair were added.
12.2(33)SRE | This command was modified. The vrf keyword and vrf-name argument pair were added.
12.2(50)SY | This command was modified. The vrf keyword and vrf-name argument pair were added.
Cisco IOS XE Release 3.3SG | This command was integrated into Cisco IOS XE Release 3.3SG.
Cisco IOS XE 3.3SE | This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
WCCP transparent caching bypasses Network Address Translation (NAT) when Cisco Express Forwarding switching is enabled. To work around this situation, configure WCCP transparent caching in the outgoing direction, enable Cisco Express Forwarding switching on the content engine interface, and specify the ip wccp web-cache redirect out command. Configure WCCP in the incoming direction on the inside interface by specifying the ip wccp redirect exclude in command on the router interface facing the cache. This configuration prevents the redirection of any packets arriving on that interface.
You can also include a redirect list when configuring a service group. The specified redirect list will deny packets with a NAT (source) IP address and prevent redirection.
This command instructs a router to enable or disable support for the specified service number or the web-cache service name. A service number can be from 0 to 254. Once the service number or name is enabled, the router can participate in the establishment of a service group.
Note: All WCCP parameters must be included in a single ip wccp command. For example:
ip wccp 61 redirect-list 10 password password
The vrf vrf-name keyword and argument pair is optional. It allows you to specify a VRF to associate with a service group. You can then specify a web-cache service name or service number.
The same service (web-cache or service number) can be configured in different VRF tables. Each service will operate independently.
When the no ip wccp command is entered, the router terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.
The keywords following the web-cache keyword and the service-number argument are optional and may be specified in any order, but each may be specified only once. The following sections outline the specific usage of each of the optional forms of this command.
ip wccp [vrf vrf-name] {web-cache | service-number} group-address multicast-address
A WCCP group address can be configured to set up a multicast address that cooperating routers and web caches can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.
This option instructs the router to use the specified multicast IP address to coalesce the "I See You" responses for the "Here I Am" messages that it has received on this group address. The response is also sent to the group address. The default is for no group address to be configured, in which case all "Here I Am" messages are responded to with a unicast reply.
ip wccp [vrf vrf-name] {web-cache | service-number} redirect-list access-list
This option instructs the router to use an access list to control the traffic that is redirected to the web caches of the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).
WCCP requires that the following protocol and ports not be filtered by any access lists:
- UDP (protocol type 17) port 2048. This port is used for control signaling. Blocking this type of traffic will prevent WCCP from establishing a connection between the router and web caches.
- Generic routing encapsulation (GRE) (protocol type 47 encapsulated frames). Blocking this type of traffic will prevent the web caches from ever seeing the packets that are intercepted.
ip wccp [vrf vrf-name] {web-cache | service-number} group-list access-list
This option instructs the router to use an access list to control the web caches that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which web caches are permitted to participate in the service group. The default is for no group list to be configured, in which case all web caches may participate in the service group.
Note: The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp {web-cache | service-number} group-listen command, but these are entirely different commands. The ip wccp group-listen command is an interface configuration command used to configure an interface to listen for multicast notifications from a cache cluster. Refer to the description of the ip wccp group-listen command in the Cisco IOS IP Application Services Command Reference.
ip wccp [vrf vrf-name] {web-cache | service-number} password password
This option instructs the router to use MD5 authentication on the messages received from the service group specified by the service name given. Use this form of the command to set the password on the router. You must also configure the same password separately on each web cache. The password can be up to a maximum of eight characters in length. Messages that do not authenticate when authentication is enabled on the router are discarded. The default is for no authentication password to be configured and for authentication to be disabled.
ip wccp service-number service-list service-access-list mode closed
In applications where WCCP packets are intercepted and redirected to external intermediate devices to apply feature processing that is not available within Cisco IOS software, packets for the application must be blocked when the intermediary device is not available. This blocking is called a closed service. By default, WCCP operates as an open service, wherein communication between clients and servers proceeds normally in the absence of an intermediary device.
The service-list keyword can be used only for closed mode services. When a WCCP service is configured as closed, WCCP discards packets that do not have a client application registered to receive the traffic. Use the service-list keyword and service-access-list argument to register an application protocol type or port number.
When the definition of a service in a service list conflicts with the definition received via the WCCP protocol, a warning message similar to the following is displayed:
Sep 28 14:06:35.923: %WCCP-5-SERVICEMISMATCH: Service 90 mismatched on WCCP client 10.1.1.13
When service list definitions conflict, the configured definition takes precedence over the external definition received via WCCP protocol messages.
Examples
The following example shows how to configure a router to run WCCP reverse-proxy service, using the multicast address of 239.0.0.0:
Router(config)# ip multicast-routing
Router(config)# ip wccp 99 group-address 239.0.0.0
Router(config)# interface ethernet 0
Router(config-if)# ip wccp 99 group-listen
The following example shows how to configure a router to redirect web-related packets whose destination is not 10.168.196.51 to the web cache:
Router(config)# access-list 100 deny ip any host 10.168.196.51
Router(config)# access-list 100 permit ip any any
Router(config)# ip wccp web-cache redirect-list 100
Router(config)# interface ethernet 0
Router(config-if)# ip wccp web-cache redirect out
The following example shows how to configure an access list to prevent traffic from network 10.0.0.0 leaving Fast Ethernet interface 0/0. Because the outbound access control list (ACL) check is enabled, WCCP does not redirect that traffic. WCCP checks packets against the ACL before they are redirected.
Router(config)# ip wccp web-cache
Router(config)# ip wccp check acl outbound
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group 10 out
Router(config-if)# ip wccp web-cache redirect out
Router(config-if)# access-list 10 deny 10.0.0.0 0.255.255.255
Router(config-if)# access-list 10 permit any
If the outbound ACL check were disabled, HTTP packets from network 10.0.0.0 would be redirected to a cache, and users with that network address could retrieve web pages even though the network administrator wanted to prevent this from happening.
The following example shows how to configure a closed WCCP service:
Router(config)# ip wccp 99 service-list access1 mode closed
Note: If multiple parameters are required, all parameters under ip wccp [vrf vrf-name] {web-cache | service-number} must be configured as a single command. If the command is reissued with different parameters, the existing parameter will be removed and the new parameter will be configured.
The following example shows how to configure multiple parameters as a single command:
Router(config)# ip wccp 61 group-address 10.0.0.1 password 0 password mode closed redirect-list 121
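The syntax rules in the usage guidelines (options in any order but each only once, service numbers from 0 to 254, an eight-character password limit, service-list only with closed mode) and the two permissive defaults (no authentication password, no group list) can be checked mechanically in saved configurations. The following Python is an added example, not Cisco code; the function names parse_ip_wccp and audit and the sample lines are assumptions made for illustration.

```python
KEYWORDS = {"accelerated", "service-list", "mode", "group-address",
            "redirect-list", "group-list", "password"}
# Constructed sample lines for illustration, not taken from a real device.
SAMPLES = ["ip wccp web-cache",
           "ip wccp vrf blue 61 group-list 15 password 7 0822455D0A16"]

def parse_ip_wccp(line):
    """Added example: parse one 'ip wccp' line per the syntax on this page."""
    tok, opts = line.split(), {}
    if tok[:2] != ["ip", "wccp"]:
        raise ValueError("not an ip wccp command")
    tok = tok[2:]
    if len(tok) >= 2 and tok[0] == "vrf":
        opts["vrf"], tok = tok[1], tok[2:]
    opts["service"] = svc = tok.pop(0) if tok else ""
    if svc != "web-cache" and not (svc.isdigit() and int(svc) <= 254):
        raise ValueError("service must be web-cache or 0-254")
    while tok:
        kw = tok.pop(0)
        if kw not in KEYWORDS or kw in opts:
            raise ValueError(f"{kw!r} is unknown or specified more than once")
        if kw == "accelerated":
            opts[kw] = True
        elif not tok:
            raise ValueError(f"{kw} needs an argument")
        elif kw == "password":
            # A leading 0 or 7 is read as the encryption type if a token follows.
            enc = tok.pop(0) if len(tok) > 1 and tok[0] in ("0", "7") else "0"
            pw = tok.pop(0)
            if enc == "0" and len(pw) > 8:
                raise ValueError("password is limited to eight characters")
            opts[kw] = (enc, pw)
        else:
            opts[kw] = tok.pop(0)
    if opts.get("mode", "open") not in ("open", "closed"):
        raise ValueError("mode must be open or closed")
    if "service-list" in opts and opts.get("mode") != "closed":
        raise ValueError("service-list is valid only with mode closed")
    return opts

def audit(line):
    o, findings = parse_ip_wccp(line), []
    if "password" not in o:
        findings.append("no password: MD5 authentication is disabled")
    elif o["password"][0] == "0":
        findings.append("password type 0: not yet encrypted in the config")
    if "group-list" not in o:
        findings.append("no group-list: any web cache may join the service group")
    return findings
```

Calling audit on each entry of SAMPLES returns two findings for the bare web-cache line and none for the line that sets both a group list and a type 7 password.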