
Configure WCCP on your Cisco IOS router

What is the Web cache communications protocol (WCCP), and how can it help you? David Davis introduces you to WCCP, tells you about its advantages, and explains how to configure it on a Cisco router.

You can use the Web cache communications protocol (WCCP) to redirect traffic (usually Web page requests) to another device in real time. The most common use for WCCP is redirecting Web traffic to a server that provides Web caching, filtering, or other services.

You can enable WCCP on your router, but you should only use WCCP if you have an external machine performing Web caching, logging, reporting, or filtering. Developed by Cisco, WCCP has two versions: WCCPv1 and WCCPv2.

How WCCP works

Here's an example of how WCCP works:

  • A Web browser makes a request, which goes to a router.
  • The router intercepts the request.
  • The router redirects the request to a new location inside a generic routing encapsulation (GRE) frame to prevent any modifications to the original packet.
  • The new device -- typically a Web appliance of some type -- can choose to masquerade as the real server or send it somewhere else. Assuming it accepts the packet, the new device can provide a response.

The benefit to using WCCP is that we assume the appliance provides services that the router does not -- for example, Web content filtering, caching, logging, security, or authentication. I've seen WCCP used with Squid proxy servers, Blue Coat Web caching and content filtering appliances, and Cisco content caching engines.

The benefit to transparently routing traffic to a Web appliance is that you don't have to make any changes to your Web browsers (and you don't have to configure a proxy server). In addition, Web caching appliances offer these benefits:

  • They lower response times for Web requests.
  • They optimize bandwidth utilization of the Internet circuit.
  • They log Web requests and report on them.
  • They filter requested content.

Not surprisingly, WCCPv2 offers a number of features that WCCPv1 does not. WCCPv2 supports protocols other than HTTP, multiple routers, MD5 security, and load distribution.

With WCCP, you can use a "cache cluster" for load balancing, scaling, and fault tolerance. You can also use Hot Standby Router Protocol (HSRP) with your routers to provide redundancy for your WCCP routers.

How to configure WCCP

How do you configure WCCP? The router is the easiest part of any WCCP configuration. Here's a sample configuration:

Router(config)# ip wccp version 2
Router(config)# ip wccp web-cache password mypassword
Router(config)# interface Fa0/0
Router(config-if)# ip wccp web-cache redirect out
Router(config-if)# ^Z

This tells the router that it should accept WCCP registration requests that use mypassword as the password. It also tells the WCCP cache engine which routers are running WCCP and registers the cache with the router.

How do you check your router's WCCP status? Here's an example:

Router# show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: 2
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
Router#
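The output above can be checked mechanically. The following is an added example, not code from the article or from Cisco: it parses `show ip wccp` text and flags the fields worth reviewing. The function names and finding codes are assumptions made for this sketch.

```python
import re

# The `show ip wccp` output from the article, embedded so the check runs offline.
SAMPLE = """\
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: 2
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""

def parse_show_ip_wccp(text):
    # Router-level fields come first; each "Service Identifier" opens a service block.
    router, services, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if not m:                      # blank line, prompt, or section header
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        else:
            (router if current is None else current)[key] = value
    return router, services

def audit(text):
    # Returns (scope, code) pairs; codes are labels invented for this example.
    router, services = parse_show_ip_wccp(text)
    findings = []
    if router.get("Protocol Version") != "2.0":
        findings.append(("router", "NOT_WCCPV2"))        # MD5 security is a WCCPv2 feature
    for sid, f in services.items():
        if f.get("Group access-list") == "-none-":
            findings.append((sid, "NO_GROUP_LIST"))      # no ACL limits who may register
        if f.get("Redirect access-list") == "-none-":
            findings.append((sid, "NO_REDIRECT_LIST"))   # no ACL scopes redirected traffic
        if int(f.get("Total Authentication failures", "0")) > 0:
            findings.append((sid, "AUTH_FAILURES"))      # messages failed the password check
    return findings
```

On IOS, the `group-list` and `redirect-list` options of `ip wccp web-cache` are what populate the two access-list fields this check looks at.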

WCCP isn't something everyone needs to configure, but it's still important to understand the underlying concepts. And you should know how to configure it just in case. For more information on configuring WCCP, see Cisco's Configuring Web Cache Services Using WCCP documentation.

Does your organization use WCCP? Do you think WCCP could simplify the configuration of Web appliances? Share your thoughts in this article's discussion.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

7 comments
mmayerling

I am trying to enable WCCP in a PIX firewall. This forces me to change the home-router to the PIX inside IP (10.2.0.1). Previously, the home-router router was 10.2.0.6 which is the default gateway of the BlueCoat. If I change the BlueCoat Default Gateway, I can't connect to it. When I switch to wccp in the Blue Coat, my clients don't have Internet, even though I see packets redirected in the PIX.

ry01bps

I work for a K-12 school district. Each Building needs a different IPA due to building specific subscriptions. Apparently with the blue coat behind our firewall the traffic all gets NATed to the same external address. Our consulting firm wants to put the Blue Coat device outside our firewall so the NATing happens prior to the device. I don't like hanging this device outside our firewall not to mention the switch I have to hang it out there on. Any advice?

jason.drury

I recently learned of another use for WCCP. If you have WAN accelerators (Riverbed, Silverpeak, etc.), but you do not want to put them inline for fear of introducing another point of failure, you can put them out of path and use WCCP to make them virtual in-line devices. Then if the accelerator fails, WCCP will automatically bypass it.

bgilbert

There is a Riverbed-sponsored online user forum at www.wdsforum.org where users are discussing a variety of topics involving WAN optimization and application acceleration. There is also a good thread on WCCP configuration. Bob

soxman

We purchased a configuration of Cisco caching servers to work with our routers running wccp in a transparent mode -- to avoid making proxy changes for our clients. The idea was to lower the bandwidth on our network backbone in support of internal video streaming. However, we've gotten stuck -- and gotten pretty poor support from Cisco -- on how to get the Cisco caching servers to preposition (push down ahead of time) the streaming media files that can be played by the caching servers vs. clients going all the way to the Media Server (IIS/Windows Media) for the streams. The setup seems correct but I get nothing but errors trying to get the ACNS/Caching servers to pull the content down. Anybody got what should be a simple trick for doing that? Also, wondering how client logging is handled in these cases when the clients never really get to the web/media server, so how does one get consolidated logs of user activity using a distributed caching solution running the WMT services?

JDW1340

Check into setting up a Content Delivery Network that can be configured to push content to proxies and then redirect the requesting user to the proxy closest to him for the content.

cdoyle

Great article Dave; as usual it's very helpful and succinct. As you've described, WCCP is one of the initial parts of the larger solution around getting users safely and reliably out to the Internet. The next part of the solution path being the caching servers/appliances if you use them; you mention some of the options available. In that area we were looking at the new Cisco ASA suite with the Anti-X modules to replace our MS ISA & Finjan server combos. After some research we reluctantly decided not to go this route and will proceed to upgrade our ISA servers instead. The reason being that the ISA servers provide transparent user authentication and this allows us to create detailed web usage logs by user as well as providing us the capability to deny certain users access to the Internet if needed. The Cisco PIX and, from what we understand, the new ASA boxes just don't do this as smoothly and may require additional infrastructure such as an ACS server. All this to say, if we could have that transparent authentication capability in the new ASA boxes, and combine them with WCCP as you've described here, we'd have a Cisco solution through the whole path and would then be able to remove a number of high maintenance Wintel platforms which would be great. Any plans to write a further article and expand on this topic? Craig Doyle.
