How do you configure Web Cache Communication Protocol (WCCP) on a Cisco Catalyst 3560 or 3750 switch?
Environment: Cisco Web Security Appliance (WSA) and Cisco Catalyst 3560 or 3750
WCCP is only supported on the Catalyst 3560/3750 running IP Services or Advanced IP Services feature sets, on IOS 12.2(25) and later. The IP Base feature set does not support WCCP. WCCP is supported only on the SDM templates that support PBR: access, routing, and dual IPv4/v6 routing.
In these examples, use the "routing" template.
Setting the SDM Template on the Catalyst 3560/3750:
Switch(config)#sdm prefer routing
Switch(config)#do wr mem
Switch(config)#end
Switch#reload
Note: A reboot is required for the SDM template change to take effect.
Basic WCCP Configuration:
Switch(config)#ip wccp web-cache
Switch(config)#interface <client_vlan_int>
Switch(config-if)#ip wccp web-cache redirect in
!
! and don't forget to save config
!
Switch(config-if)#do wr mem
Using a slightly more advanced configuration, a WCCP redirect-list can be used to exclude certain destination networks from WCCP redirection. In this example, exclude any traffic destined for RFC1918 addresses from redirection.
WCCP Configuration with Redirect-List:
Switch(config)#access-list 110 deny ip any 10.0.0.0 0.255.255.255
Switch(config)#access-list 110 deny ip any 172.16.0.0 0.15.255.255
Switch(config)#access-list 110 deny ip any 192.168.0.0 0.0.255.255
Switch(config)#access-list 110 permit ip any any
Switch(config)#ip wccp web-cache redirect-list 110
!
! With redirect list, traffic to internal destinations will not be
! redirected, and will bypass the Cisco WSA
!
Switch(config)#interface <client_vlan_int>
Switch(config-if)#ip wccp web-cache redirect in
!
! and don't forget to save config
!
Switch(config-if)#do wr mem
For networks with more stringent security requirements, a group-list can be used to restrict the IP addresses which are allowed to join the WCCP service group, and a WCCP password can be enabled. In this example, use a redirect-list, a group-list (assuming we have WSAs at 192.168.50.2 and 192.168.50.3), and a WCCP password.
WCCP Configuration with Redirect-List, Group-List, and WCCP Password:
!
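As an added example (not taken from the original Cisco document), the following shows one way to combine the redirect-list, group-list, and WCCP password described above. The group-list ACL number 15 and the <wccp_password> placeholder are assumptions; ACL 110 and the WSA addresses 192.168.50.2 and 192.168.50.3 come from the text.

```cisco
! Added example: ACL number 15 and <wccp_password> are assumptions.
!
! Group-list: only these WSAs may join the WCCP service group
Switch(config)#access-list 15 permit 192.168.50.2
Switch(config)#access-list 15 permit 192.168.50.3
!
! Redirect-list: do not redirect traffic destined for RFC1918 networks
Switch(config)#access-list 110 deny ip any 10.0.0.0 0.255.255.255
Switch(config)#access-list 110 deny ip any 172.16.0.0 0.15.255.255
Switch(config)#access-list 110 deny ip any 192.168.0.0 0.0.255.255
Switch(config)#access-list 110 permit ip any any
!
! Bind both lists and the password to the service in a single command.
! "0" means the password that follows is entered unencrypted.
Switch(config)#ip wccp web-cache redirect-list 110 group-list 15 password 0 <wccp_password>
!
Switch(config)#interface <client_vlan_int>
Switch(config-if)#ip wccp web-cache redirect in
!
! and don't forget to save config
!
Switch(config-if)#do wr mem
```

The same password must be configured for the WCCP service on each WSA, or the appliances will not be able to join the service group.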
Unsupported WCCP Features
Note: When using dynamic IDs, the configuration is identical, except that you enter the service ID number in place of the web-cache keyword.
Note: For dynamic service IDs, Cisco recommends using IDs 90 - 97 to ensure compatibility with most devices.
More information can be found in the Catalyst Switch Software Configuration Guides:
3560: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swwccp.html
3750: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swwccp.html
Revision | Publish Date | Comments |
---|---|---|
1.0 | 18-Jul-2014 | Initial Release |