Web Cache Services Using WCCP

This chapter describes how to configure web caching services using WCCP.

Information About WCCP

Web Cache Communication Protocol (WCCP) is a content routing protocol that allows Cisco Cache Engines (or other caches running WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. The purpose of web caching is to reduce latency and network traffic. Previously accessed web pages are stored in a cache buffer, so if users need the page again, they can retrieve it from the cache instead of the web server.

WCCP specifies interactions between the ASA and external web caches. The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times. The ASA only supports WCCP Version 2.

Using an ASA as an intermediary eliminates the need for a separate router to do the WCCP redirection, because the ASA redirects requests to cache engines. When the ASA determines that a packet needs redirection, it skips TCP state tracking, TCP sequence number randomization, and NAT on these traffic flows.

Guidelines and Limitations

The following WCCPv2 features are supported for the ASA:

  • Redirection of multiple TCP and UDP port-destined traffic.
  • Authentication for cache engines in a service group.
  • Multiple cache engines in a service group.
  • GRE encapsulation.

The following WCCPv2 features are not supported for the ASA:

  • Multiple routers in a service group.
  • Multicast WCCP.
  • The Layer 2 redirect method.
  • WCCP source address spoofing.
  • WAAS devices.

ASA Implementation of WCCP

In the ASA implementation of WCCP, the protocol interacts with other configurable features according to the following:

  • AAA for network access will not work in combination with WCCP.
  • An inbound access rule always takes higher priority over WCCP. For example, if an ACL does not permit a client to communicate with a server, then traffic is not redirected to a cache engine.
  • TCP intercept, authorization, URL filtering, inspect engines, and IPS features are not applied to a redirected flow of traffic.
  • When a cache engine cannot service a request and a packet is returned, or when a cache miss happens on a cache engine and it requests data from a web server, then the contents of the traffic flow are subject to all the other configured features of the ASA.
  • If you have two WCCP services and they use two different redirection ACLs that overlap and match the same packets (with a deny or a permit action), the packets behave according to the first service-group found and installed rules. The packets are not passed through all service-groups.

Failover Guidelines

Supports Active/Active and Active/Standby failover. WCCP redirect tables are not replicated to standby units. After a failover, packets are not redirected until the tables are rebuilt. Sessions redirected before failover are probably reset by the web server.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

Context Mode Guidelines

Supported in single mode and multiple context mode.

IPv6 Guidelines

Does not support IPv6 traffic for redirection.

Additional Guidelines

The ASA selects the highest IP address configured on any interface as the WCCP router ID. This address is used to establish a GRE tunnel with the cache engine.

WCCP does not support ACLs that include a user, user group, or a fully qualified domain name object.

Licensing Requirements for WCCP

 

Model               License Requirement
ASAv                Standard or Premium License.
All other models    Base License.

Enabling WCCP Redirection


Note: The ASA selects the highest IP address configured on any interface as the WCCP router ID. This address is used to establish a GRE tunnel with the cache engine.


WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA.

The following configuration tasks assume you have already installed and configured the cache engines that you want to include in your network.

To configure WCCP redirection, perform the following steps:

 

Step 1

Command:
wccp {web-cache | service_number} [redirect-list access_list] [group-list access_list] [password password]

Example:
hostname(config)# wccp web-cache

Purpose:
Enables a WCCP service group and identifies the service to be redirected. (Optional) Also defines which cache engines can participate in the service group, and what traffic should be redirected to the cache engine.

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines, but you can identify a service number (if desired) between 0 and 254. For example, to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this command multiple times for each service group that you want to enable.

The redirect-list access_list argument controls traffic that is redirected to this service group.

The group-list access_list argument determines which web cache IP addresses are allowed to participate in the service group.

The password password argument specifies MD5 authentication for messages that are received from the service group. Messages that are not accepted by the authentication are discarded.

Step 2

Command:
wccp interface interface_name {web-cache | service_number} redirect in

Example:
hostname(config)# wccp interface inside web-cache redirect in

Purpose:
Identifies an interface and enables WCCP redirection on the interface.

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines, but you can identify a service number (if desired) between 0 and 254. For example, to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this command multiple times for each service group that you want to enable.

Examples

For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands:

hostname(config)# wccp web-cache
hostname(config)# wccp interface inside web-cache redirect in
 

WCCP Monitoring Commands

To monitor WCCP, enter one of the following commands:

 

Command                               Purpose
show running-config wccp              Shows the current WCCP configuration.
show running-config wccp interface    Shows the current WCCP interface status.
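The optional arguments in Step 1 decide which cache engines may join a service group, whether their messages are authenticated, and which traffic is redirected, so they are worth checking in the output of show running-config wccp. The following Python script is an added example, not Cisco code: it parses wccp lines in the syntax given in this chapter and reports service groups that lack group-list, password, or redirect-list, plus interfaces that redirect to a service group that is not enabled. The sample configuration, ACL names, and password are constructed placeholders.

```python
import re

# Constructed sample in this chapter's wccp syntax; ACL names and password are placeholders.
SAMPLE_CONFIG = """\
wccp web-cache
wccp 60 redirect-list wccp-ftp-traffic group-list wccp-engines password EXAMPLE-SECRET
wccp 90 redirect-list wccp-custom group-list wccp-engines
wccp interface inside web-cache redirect in
wccp interface inside 60 redirect in
wccp interface dmz 70 redirect in
"""
# Optional Step 1 arguments and what is left open when each one is absent.
MISSING = {
    "group-list": "cache engine addresses are not restricted",
    "password": "service group messages are not authenticated",
    "redirect-list": "redirected traffic is not limited by an ACL",
}
SERVICE = re.compile(r"^wccp\s+(web-cache|\d+)((?:\s+\S+)*)$")
INTERFACE = re.compile(r"^wccp\s+interface\s+(\S+)\s+(web-cache|\d+)\s+redirect\s+in$")


def parse_wccp(config):
    """Return ({service: {argument: value}}, [(interface, service)])."""
    services, bindings = {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        m = INTERFACE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2)))
        elif (m := SERVICE.match(line)):
            words = m.group(2).split()
            services[m.group(1)] = {w: words[i + 1] for i, w in enumerate(words[:-1]) if w in MISSING}
    return services, bindings


def audit_wccp(config):
    """Return (service, finding) pairs for a WCCP configuration given as text."""
    services, bindings = parse_wccp(config)
    findings = []
    for name, opts in services.items():
        if name != "web-cache" and not 0 <= int(name) <= 254:
            findings.append((name, "service number outside 0-254"))
        for key, why in MISSING.items():
            if key not in opts:
                findings.append((name, f"no {key}: {why}"))
    for iface, name in bindings:
        if name not in services:
            findings.append((name, f"redirect on {iface} but service group is not enabled"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_wccp(SAMPLE_CONFIG):
        print(f"{service}: {finding}")
```

Because redirected flows skip inspection, IPS, and URL filtering on the ASA, a service group without a redirect-list or group-list is the first thing to review in the findings.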

Feature History for WCCP

Table 18-1 lists the release history for this feature.

 

Table 18-1 Feature History for WCCP

Feature Name    Releases    Feature Information
WCCP            7.2(1)      WCCP specifies interactions between the ASA and external web caches. We introduced the following commands: wccp and wccp interface.