Help needed with WCCP. Cisco 6503 not redirecting packets

0 Votes

luv2fish92
Hello,

I need some configuration assistance with WCCP. I have a Cisco 6503 that I have configured to use WCCP v2 service 1 for http. I have two caching engines in use configured for Layer 2 forwarding method and MASK assignment method. I was told by the vendor to use this setting and that the router would report GRE. They are connected to a switch via a separate routed port on the 6503. The WCCP service on the 6503 sees both caching engines. I have "ip wccp 1 redirect in" configured on the interface connected to the web clients. I believe that this will enable redirection of incoming http requests from end users to the caching engines. However it's not working and I need some assistance. I've included sanitized wccp details. Thanks

ROUTER_6503#sho ip wccp 1 view
WCCP Routers Informed of:
192.168.1.252

WCCP Clients Visible:
192.168.2.92
192.168.2.93

WCCP Clients NOT Visible:
-none-

ROUTER_6503#sho ip wccp 1 detail
WCCP Client information:
WCCP Client ID: 192.168.2.92
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: None
Assigned Hash Info: None

WCCP Client ID: 192.168.2.93
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: None
Assigned Hash Info: None

ROUTER_6503#sho ip wccp 1
Global WCCP information:
Router information:
Router Identifier: 192.168.1.252
Protocol Version: 2.0

Service Identifier: 1
Number of Service Group Clients: 2
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 120
Total Packets Denied Redirect: 0
Total Packets Unassigned: 9338
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
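
Added example, not part of the original thread: a small Python triage of the `show ip wccp` fields pasted above. It compares what each cache engine negotiated against what the operator configured on the engines (L2 forwarding and MASK assignment, per the question) and flags a non-zero unassigned counter. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the fields pasted in the question.
SAMPLE = """\
WCCP Client ID: 192.168.2.92
State: Usable
Redirection: GRE
Assignment: HASH
Assigned Hash Info: None
WCCP Client ID: 192.168.2.93
State: Usable
Redirection: GRE
Assignment: HASH
Assigned Hash Info: None
Total Packets s/w Redirected: 0
Total Packets Unassigned: 9338
"""

def parse_wccp(text):
    """Split 'Key: value' lines into per-client dicts and global 'Total ...' counters."""
    clients, counters, cur = [], {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            cur = None  # blank line or CLI prompt ends the current client block
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "WCCP Client ID":
            cur = {"id": val}
            clients.append(cur)
        elif key.startswith("Total "):
            counters[key] = int(val)
        elif cur is not None:
            cur[key] = val
    return clients, counters

def triage(text, want_redirect="L2", want_assign="MASK"):
    """Return findings; want_* are the methods configured on the cache engines."""
    clients, counters = parse_wccp(text)
    findings = []
    for c in clients:
        for field, want in (("Redirection", want_redirect), ("Assignment", want_assign)):
            if c.get(field) != want:
                findings.append(f"{c['id']}: {field} is {c.get(field)}, expected {want}")
        if c.get("State") == "Usable" and c.get("Assigned Hash Info") == "None":
            findings.append(f"{c['id']}: usable but no hash assignment shown")
    unassigned = counters.get("Total Packets Unassigned", 0)
    if unassigned:  # packets matched the service but no cache was assigned to them
        findings.append(f"{unassigned} packets unassigned to any cache")
    return findings
```
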
  • +
    1 Votes
    robo_dev

    I have never set this up, but I believe it's similar to a VPN tunnel in that traffic needs to go in two directions :)

    Overall, need to make sure there is an ACL and the Tunnel is passing traffic both in AND out.

    This is all very IOS version dependent.

    show tunnel groups wccp

    http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf018_ps1835_TSD_Products_Configuration_Guide_Chapter.html

    https://supportforums.cisco.com/docs/DOC-15782

    +
    0 Votes
    luv2fish92

    Thanks for your help. This is my first time configuring WCCP. I'll check the links out to help me understand WCCP better. I do have an ACL configured for WCCP.

    I was able to figure out what was going on. It was my configuration on the Cisco interconnect switch. I introduced a Netgear switch instead of using my Cisco switch to connect the caching engines to the 6503. It worked right away. I had VLANs set up on my Cisco interconnect switch that were not part of the default VLAN. I needed to add IP addresses to the other VLANs where my caching engines and clients resided. So I added IPs and reintroduced the Cisco switch. I did not think this was necessary but it was. So it's working now. Any idea as to why the VLAN requires an IP address to work? I don't recall needing an IP for a VLAN. I just wanted to isolate the physical ports. Without an IP, nodes connected to ports in the VLAN can still communicate. I was also able to browse to the Internet. However, the 6503 would not forward packets to the caching engines even though they were registered. Strange. Thanks again.

    +
    0 Votes
    robo_dev

    I could be wrong but ....with Cisco you cannot do policy-based-routing and a private VLAN on the same interface and if inter-VLAN routing is not setup just right, the traffic may not be taking the route you think it is.....that's just a guess.

    +
    1 Votes
    robo_dev

    if the Cisco switch is a Layer2 or layer3 switch. If it's layer 2, then the VLAN IP is only needed for an external router to handle broadcast traffic for the VLAN, if it's layer3, then the IP of the VLAN becomes the gateway for the devices on the VLAN.

    +
    0 Votes
    faisal7c

    Are you planning to redirect your traffic to a proxy? Is it inbound or outbound?

    Here are some examples you can try.
    Router>enable
    Router#configure terminal
    Router(config)#ip wccp version 2
    Router(config)#ip wccp 90
    Router(config)#do copy running-config startup-config

    Router(config)#access-list 3 permit 10.1.1.5 0.0.0.255
    Router(config)#ip wccp 90 group-list 3
    Router(config)#do copy running-config startup-config

    For inbound traffic redirection:

    Router(config)#interface gigabitEthernet2/2
    Router(config-if)#ip wccp 90 redirect in
    Router(config-if)#do copy running-config startup-config

    BR,

    Faisal Cholayil

    +
    0 Votes
    luv2fish92

    Thanks robo_dev. What you say makes sense. If a switch port is configured as a routed port using the "no switchport" command (layer 3 mode), it no longer functions as a switch port (layer 2 mode) and can't be part of a VLAN. So you are correct there. The switch I am using is a Cisco Catalyst 3560 24TS-S, which is a layer 3 switch. It just has a basic config with VLANs set up to separate the switch ports. Nothing more. No routing protocols enabled. The Cisco 6503 is performing the routing functions for my setup.

    To answer Faisal7c's question, I am redirecting traffic inbound as described in my initial post.

    Thank you both for your assistance.
