- Index
- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring NetWork Assista nt
- Configuring VLANs
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring SmartPort Macros
- Configuring Auto SmartPort Macros
- Configuring Spanning Tree
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Enhanced Spanning Tree Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering
- Configuring MLD Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring CDP
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Policy-Based Routing
- Configuring VRF
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-based Authentication
- Configuring Port Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Dynamic ARP Inspection
- Configuring Network Security with ACL
- Support for IPv6
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN
- Configuring System Message Logging
- Configuring OBFL
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring NetFlow Switching
- Configuring CFM and OAM
- Configuring Y1731
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP
- ROM Monitor
- Configuring MIB Support
- Acronyms
- Performing a General WCCP Configuration Example
- Running a Web Cache Service Example
- Running a Reverse Proxy Service Example
- Running TCP-Promiscuous Service Example
- Running Redirect Access-List Example
- Using Access Lists Example
- Setting a Password for a Switch and Content Engines Example
- Verifying WCCP Settings Example
Configuring WCCP Version 2 Services
This chapter describes how to configure the Catalyst 4500 series switches to redirect traffic to content engines (web caches) using the Web Cache Communication Protocol (WCCP) version 2
Note Throughout this chapter, WCCP refers to WCCP version 2. Version 1 is not supported.
This chapter consists of these sections:
- About WCCP
- Restrictions for WCCP
- Configuring WCCP
- Verifying and Monitoring WCCP Configuration Settings
- WCCP Configuration Examples
Note The tasks in this chapter assume that you have already configured content engines on your network. For specific information on hardware and network planning associated with Cisco Content Engines and WCCP, see the Product Literature and Documentation links available on the Cisco.com at these locations:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf018_ps1835_TSD_Products_Configuration_Guide_Chapter.html.
and
http://www.cisco.com/en/US/tech/tk122/tk717/tsd_technology_support_protocol_home.html
About WCCP
Overview
WCCP is a Cisco-developed content-routing technology that enables you to integrate content engines into your network infrastructure.
The Cisco IOS WCCP feature allows use of Cisco Content Engines (or other content engines running WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. Traffic localization reduces transmission costs and download time.
WCCP enables Cisco IOS routing platforms to transparently redirect content requests. The main benefit of transparent redirection of HTTP/non-http requests is that users need not configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and have their requests automatically redirected to a content engine. The word “transparent” is this case means that the end user does not know that a requested file (such as a web page) came from the content engine instead of from the originally specified server.
When a content engine receives a request, it attempts to service it from its own local content. If the requested information is not present, the content engine issues its own request to the originally targeted server to get the required information. When the content engine retrieves the requested information, it forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download performance and substantially reducing transmission costs.
WCCP enables a series of content engines, called a content engine cluster, to provide content to a router or multiple routers. Network administrators can easily scale their content engines to handle heavy traffic loads using these clustering capabilities. Cisco clustering technology enables each content member to work in parallel, resulting in linear scalability. Clustering content engines greatly improves the scalability, redundancy, and availability of your caching solution. You can cluster up to 32 content engines to scale to your desired capacity.
Hardware Acceleration
Hardware Acceleration is enabled by default on Catalyst 4500 series switches. Layer 2 rewrite forwarding and Layer 2 return method are supported in hardware; GRE return method is supported in software.
You must configure a directly connected Content Engine to negotiate use of the WCCP Layer 2 Redirection feature with load balancing based on the mask assignment table. The show ip wccp web-cache detail command displays the redirection method for each cache.
Note You can configure Cisco Content Engine Release 2.2 or later to use the WCCP Layer 2 redirection feature with the mask assignment table.
Understanding WCCP Configuration
Multiple routers can use WCCP to service a cache cluster. Figure 1-1 illustrates a sample configuration using multiple routers.
Figure 1-1 Cisco Content Engine Network Configuration Using WCCP
The subset of content engines within a cluster and routers connected to the cluster that are running the same service is known as a service group. Available services include TCP and User Datagram Protocol (UDP) redirection.
WCCP requires that each content engine be aware of all the routers in the service group. To specify the addresses of all the routers in a service group, you must choose one of the following methods:
- Unicast—A list of IP addresses for each of the routers in the group is configured on each content engine. In this case the address of each router in the group must be explicitly specified for each content engine during configuration.
- Multicast—A single multicast address is configured on each content engine. In the multicast address method, the content engine sends a single-address notification that provides coverage for all routers in the service group. For example, a content engine could indicate that packets should be sent to a multicast address of 224.0.0.100, which would send a multicast packet to all routers in the service group configured for group listening using WCCP (see the ip wccp group-listen interface configuration command for details).
The multicast option is easier to configure because you need only specify a single IP address on each content engine. This option also enables you to add and remove routers from a service group dynamically without needing to reconfigure the content engines with a different list of addresses each time.
The following sequence of events describe how WCCP works:
1. Each WCCP client (content engine) is configured with a list of WCCP servers (routers).
2. Each content engine announces its presence with a "Here I Am" message and a list of routers with which it has established communication. Similarly, the routers reply with their view (list) of content engines in the service group through "I See You" messages.
3. Once the view is consistent across all content engines in the cluster, one content engine is designated as the lead and sets the policy that the switches need to deploy in redirecting traffic.
WCCP Features
HTTP and Non-HTTP Services Support
WCCP enables redirection of HTTP traffic (TCP port 80 traffic), as well as non-HTTP traffic (TCP and UDP). WCCP supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.
To accommodate the various types of services available, WCCP introduces the concept of multiple service groups. Service information is specified in the WCCP configuration commands using dynamic services identification numbers (such as “98”) or a predefined service keywords (such as “web-cache”). This information is used to validate that service group members are all using or providing the same service.
Note The Catalyst 4500 series switch supports up to eight service groups.
For information on supported WCCP version 2 services with ACNS version 5.2 software, refer to the
Release Notes for Cisco ACNS Software, Release 5.2.3.
The content engines in service group specify traffic to be redirected by protocol (TCP or UDP) and port (source or destination). Each service group has a priority level assigned to it. Packets are matched against service groups in priority order and redirected by the highest priority service group that matches traffic characteristics.
Multiple Routers Support
WCCP enables you to attach multiple routers to a cluster of cache engines. The use of multiple routers in a service group enables redundancy, interface aggregation, and distribution of the redirection load.
MD5 Security
WCCP provides optional authentication that enables you to control which routers and content engines become part of the service group using passwords and the HMAC MD5 standard. Shared-secret MD5 one-time authentication (set using the ip wccp [ password [ 0-7 ] password ] global configuration command) enables messages to be protected against interception, inspection, and replay.
Web Content Packet Return
If a content engine is unable to provide a requested object it has cached due to error or overload, the content engine returns the request to the router for onward transmission to the originally specified destination server. WCCP verifies which requests have been returned from the content engine unserviced. Using this information, the router can then forward the request to the originally targeted server (rather than attempting to resend the request to the content cluster). This provides error handling transparency to clients.
Typical reasons why a content engine would reject packets and initiate the packet return feature include the following:
Restrictions for WCCP
The following limitations apply to WCCP:
- WCCP works only with IPv4 networks.
- For routers servicing a multicast cluster, the time to live (TTL) value must be set at 15 or fewer.
- Because the WCCP protocol messages may now be IP multicast, members may receive messages that are not relevant or (are) duplicates. Appropriate filtering need to be performed.
- A service group can comprise up to 32 content engines and 32 routers.
- All content engines in a cluster must be configured to communicate with all routers servicing the cluster.
- Up to 8 active service groups are supported on a switch. Up to 8 service groups can be configured simultaneously on the same client interface.
- The Layer 2 rewrite forwarding method is supported (in hardware), the GRE encapsulation forwarding method is not supported.
- The GRE return method is supported in software. The Layer 2 return method is supported in hardware and is recommended.
- Direct Layer 3 connectivity to content engines is required; Layer 3 connectivity of one or more hops away is not supported.
- The following apply only to Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4900M, Catalyst 4948E, and Supervisor Engine 7-E:
– Output redirection is supported in addition to input redirection.
– Input/output redirection configuration is not supported on content engine facing interfaces.
– When the TCAM space is exhausted on a supervisor engine, traffic is redirected in software. On all other supervisor engines, traffic is not redirected; it is forwarded normally.
Configuring WCCP
The following configuration tasks assume that you have already installed and configured the content engines you want to include in your network. You must configure the content engines in the cluster before configuring WCCP functionality on your routers.
IP must be configured on the router interface connected to the cache engines. Examples of router configuration tasks follow this section. For complete descriptions of the command syntax, refer to the
Cisco IOS Configuration Fundamentals Command Reference, Cisco IOS Release 12.3.
These sections describe how to configure WCCP:
- Configuring a Service Group Using WCCP (Required)
- Using Access Lists for a WCCP Service Group (Optional)
- Setting a Password for a Router and Cache Engines (Optional)
Configuring a Service Group Using WCCP
WCCP uses service groups based on logical redirection services. The standard service is the content engine, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the content engines. This service is referred to as a well-known service, because the characteristics of the web cache service are known by both the router and content engines. A description of a well-known service is not required beyond a service identification (the command line interface (CLI) provides a web-cache keyword in the command syntax).
For information on supported WCCP services with ACNS version 5.2 software, refer to the
Release Notes for Cisco ACNS Software, Release 5.2.3.
In addition to the web cache service, there can be up to seven dynamic services running concurrently on the switch.
Note More than one service can run on a switch at the same time, and routers and content engines can be part of multiple service groups at the same time.
The dynamic services are defined by the content engines; the content engine instructs the router which protocol or ports to intercept, and how to distribute the traffic. The router itself does not have information on the characteristics of the dynamic service group’s traffic, because this information is provided by the first content engine to join the group. In a dynamic service, up to eight ports can be specified within a single protocol TCP or UDP).
Cisco Content Engines, for example, use dynamic service 99 to specify a reverse-proxy service. However, other content engines may use this service number for some other service. The following configuration information deals with enabling general services on Cisco routers. Refer to the content engine documentation for information on configuring services on content engines.
To enable a service on a Catalyst 4500 series switch, perform this task:
Specifying a Web Cache Service
To configure a web-cache service and ingress redirection, perform this task:
To configure a web-cache service and egress redirection, perform this task:
Using Access Lists for a WCCP Service Group
A Catalyst 4500 series switch can use an access list to restrict the content engines that can join a service group.
To restrict a content engine, perform this task:
Setting a Password for a Router and Cache Engines
MD5 password security requires that each content engine and Catalyst 4500 series switch that wants to join a service group be configured with the service group password. The password can consist of up to seven characters. Each content engine or Catalyst 4500 series switch in the service group authenticates the security component in a received WCCP packet immediately after validating the WCCP message header. Packets failing authentication are discarded.
To configure an MD5 password for use by the Catalyst 4500 series switch in WCCP communications, perform this task:
|
|
---|---|
Verifying and Monitoring WCCP Configuration Settings
To verify and monitor the configuration settings for WCCP, use the following commands in EXEC mode:
WCCP Configuration Examples
This section provides the following configuration examples:
- Performing a General WCCP Configuration Example
- Running a Web Cache Service Example
- Running a Reverse Proxy Service Example
- Running TCP-Promiscuous Service Example
- Running Redirect Access-List Example
- Using Access Lists Example
- Setting a Password for a Switch and Content Engines Example
- Verifying WCCP Settings Example
Performing a General WCCP Configuration Example
The following example shows a general WCCP configuration session. VLAN 20 is for the client interface. VLAN 50 is for the content engine interface.
Running a Web Cache Service Example
The following example shows a web cache service configuration session with ingress redirection:
Running a Reverse Proxy Service Example
The following example assumes you a configuring a service group using Cisco Content Engines, which use dynamic service 99 to run a reverse proxy service. The following example illustrates how to configure egress redirection, where VLAN 40 reflects the server interface and VLAN 50 reflects the content engine interface:
Running TCP-Promiscuous Service Example
The following example shows how to configure TCP promiscuous service, where VLAN 40 represents the server interface and VLAN 50 represents the content engine interface:
Running Redirect Access-List Example
Redirect access-list allows you to control which traffic to be redirected. The following example shows how to redirect traffic only from subnet 10.1.1.0:
Using Access Lists Example
To achieve better security, you can use a standard access list to notify the Catalyst 4500 series switch to which IP addresses are valid addresses for a content engine attempting to register with the current switch. The following example shows a standard access list configuration session where the access list number is 10 for some sample hosts:
Setting a Password for a Switch and Content Engines Example
The following example shows a WCCP password configuration session where the password is alaska1:
Verifying WCCP Settings Example
To verify your configuration changes, use the more system:running-config EXEC command. The following example shows that the both the web cache service and dynamic service 99 are enabled on the Catalyst 4500 series switch: