
Configuring WCCP Version 2 Services

This document discusses configuring WCCP version 2 services on Catalyst 4500 series switches to redirect traffic to content engines like web caches. It describes how WCCP works, the hardware acceleration support, and understanding the WCCP configuration which involves service groups and using unicast or multicast addressing for the routers in the group.

Uploaded by

Eric Martinez

CHAPTER 1

Configuring WCCP Version 2 Services

This chapter describes how to configure the Catalyst 4500 series switches to redirect traffic to content
engines (web caches) using the Web Cache Communication Protocol (WCCP) version 2.

Note Throughout this chapter, WCCP refers to WCCP version 2. Version 1 is not supported.

This chapter consists of these sections:


• About WCCP
• Restrictions for WCCP
• Configuring WCCP
• Verifying and Monitoring WCCP Configuration Settings
• WCCP Configuration Examples

Note The tasks in this chapter assume that you have already configured content engines on your network. For
specific information on hardware and network planning associated with Cisco Content Engines and
WCCP, see the Product Literature and Documentation links available on Cisco.com at these
locations:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf018_ps1835_TSD_Products_Configuration_Guide_Chapter.html

and

http://www.cisco.com/en/US/tech/tk122/tk717/tsd_technology_support_protocol_home.html

About WCCP
These sections describe WCCP:
• Overview
• Hardware Acceleration
• Understanding WCCP Configuration
• WCCP Features

Software Configuration Guide—Release 15(02)SG


OL-23818-01 1-1

Overview
WCCP is a Cisco-developed content-routing technology that enables you to integrate content engines
into your network infrastructure.
The Cisco IOS WCCP feature allows use of Cisco Content Engines (or other content engines running
WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally.
Traffic localization reduces transmission costs and download time.
WCCP enables Cisco IOS routing platforms to transparently redirect content requests. The main benefit
of transparent redirection of HTTP and non-HTTP requests is that users need not configure their browsers to
use a web proxy. Instead, they can use the target URL to request content, and have their requests
automatically redirected to a content engine. The word “transparent” in this case means that the end user
does not know that a requested file (such as a web page) came from the content engine instead of from
the originally specified server.
When a content engine receives a request, it attempts to service it from its own local content. If the
requested information is not present, the content engine issues its own request to the originally targeted
server to get the required information. When the content engine retrieves the requested information, it
forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download
performance and substantially reducing transmission costs.
WCCP enables a series of content engines, called a content engine cluster, to provide content to a router
or multiple routers. Network administrators can easily scale their content engines to handle heavy traffic
loads using these clustering capabilities. Cisco clustering technology enables each content member to
work in parallel, resulting in linear scalability. Clustering content engines greatly improves the
scalability, redundancy, and availability of your caching solution. You can cluster up to 32 content
engines to scale to your desired capacity.

Hardware Acceleration
Hardware Acceleration is enabled by default on Catalyst 4500 series switches. Layer 2 rewrite
forwarding and Layer 2 return method are supported in hardware; GRE return method is supported in
software.
You must configure a directly connected Content Engine to negotiate use of the WCCP Layer 2
Redirection feature with load balancing based on the mask assignment table. The show ip wccp
web-cache detail command displays the redirection method for each cache.

Note You can configure Cisco Content Engine Release 2.2 or later to use the WCCP Layer 2
redirection feature with the mask assignment table.


Understanding WCCP Configuration


Multiple routers can use WCCP to service a cache cluster. Figure 1-1 illustrates a sample configuration
using multiple routers.

Figure 1-1 Cisco Content Engine Network Configuration Using WCCP
[Figure omitted. Labels: Internet, Service group, Clients (100BASE-T), Cache 1, Cache 2, Cache 3.]

The subset of content engines within a cluster and routers connected to the cluster that are running the
same service is known as a service group. Available services include TCP and User Datagram Protocol
(UDP) redirection.
WCCP requires that each content engine be aware of all the routers in the service group. To specify the
addresses of all the routers in a service group, you must choose one of the following methods:
• Unicast—A list of IP addresses for each of the routers in the group is configured on each content
engine. In this case the address of each router in the group must be explicitly specified for each
content engine during configuration.
• Multicast—A single multicast address is configured on each content engine. In the multicast address
method, the content engine sends a single-address notification that provides coverage for all routers
in the service group. For example, a content engine could indicate that packets should be sent to a
multicast address of 224.0.0.100, which would send a multicast packet to all routers in the service
group configured for group listening using WCCP (see the ip wccp group-listen interface
configuration command for details).
The multicast option is easier to configure because you need only specify a single IP address on each
content engine. This option also enables you to add and remove routers from a service group dynamically
without needing to reconfigure the content engines with a different list of addresses each time.
The following sequence of events describes how WCCP works:
1. Each WCCP client (content engine) is configured with a list of WCCP servers (routers).


2. Each content engine announces its presence with a "Here I Am" message and a list of routers with
which it has established communication. Similarly, the routers reply with their view (list) of content
engines in the service group through "I See You" messages.
3. Once the view is consistent across all content engines in the cluster, one content engine is designated
as the lead and sets the policy that the switches need to deploy in redirecting traffic.

WCCP Features
These sections describe WCCP features:
• HTTP and Non-HTTP Services Support
• Multiple Routers Support
• MD5 Security
• Web Content Packet Return

HTTP and Non-HTTP Services Support


WCCP enables redirection of HTTP traffic (TCP port 80 traffic), as well as non-HTTP traffic (TCP and
UDP). WCCP supports the redirection of packets intended for other ports, including those used for
proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for
ports other than 80, and real audio, video, and telephony applications.
To accommodate the various types of services available, WCCP introduces the concept of multiple
service groups. Service information is specified in the WCCP configuration commands using dynamic
service identification numbers (such as “98”) or predefined service keywords (such as “web-cache”).
This information is used to validate that service group members are all using or providing the same
service.

Note The Catalyst 4500 series switch supports up to eight service groups.

For information on supported WCCP version 2 services with ACNS version 5.2 software, refer to the
Release Notes for Cisco ACNS Software, Release 5.2.3.
The content engines in a service group specify traffic to be redirected by protocol (TCP or UDP) and port
(source or destination). Each service group has a priority level assigned to it. Packets are matched against
service groups in priority order and redirected by the highest priority service group that matches traffic
characteristics.

Multiple Routers Support


WCCP enables you to attach multiple routers to a cluster of cache engines. The use of multiple routers
in a service group enables redundancy, interface aggregation, and distribution of the redirection load.

MD5 Security
WCCP provides optional authentication that enables you to control which routers and content engines
become part of the service group using passwords and the HMAC MD5 standard. Shared-secret MD5
one-time authentication (set using the ip wccp [password [0-7] password] global configuration
command) enables messages to be protected against interception, inspection, and replay.


Web Content Packet Return


If a content engine is unable to provide a requested object it has cached due to error or overload, the
content engine returns the request to the router for onward transmission to the originally specified
destination server. WCCP verifies which requests have been returned from the content engine
unserviced. Using this information, the router can then forward the request to the originally targeted
server (rather than attempting to resend the request to the content cluster). This provides error handling
transparency to clients.
Typical reasons why a content engine would reject packets and initiate the packet return feature include
the following:
• Instances when the content engine is overloaded and has no room to service the packets.
• Instances when the content engine is filtering for certain conditions that make caching packets
counterproductive (such as when IP authentication has been turned on).

Restrictions for WCCP


The following limitations apply to WCCP:
• WCCP works only with IPv4 networks.
• For routers servicing a multicast cluster, the time to live (TTL) value must be set at 15 or fewer.
• Because the WCCP protocol messages may now be IP multicast, members may receive messages
that are not relevant or are duplicates. Appropriate filtering needs to be performed.
• A service group can comprise up to 32 content engines and 32 routers.
• All content engines in a cluster must be configured to communicate with all routers servicing the
cluster.
• Up to 8 active service groups are supported on a switch. Up to 8 service groups can be configured
simultaneously on the same client interface.
• The Layer 2 rewrite forwarding method is supported (in hardware); the GRE encapsulation
forwarding method is not supported.
• The GRE return method is supported in software. The Layer 2 return method is supported in
hardware and is recommended.
• Direct Layer 3 connectivity to content engines is required; Layer 3 connectivity of one or more hops
away is not supported.
• The following apply only to Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4900M,
Catalyst 4948E, and Supervisor Engine 7-E:
– Redirect ACL is supported.
– Output redirection is supported in addition to input redirection.
– Input/output redirection configuration is not supported on content engine facing interfaces.
– When the TCAM space is exhausted on a supervisor engine, traffic is redirected in software. On
all other supervisor engines, traffic is not redirected; it is forwarded normally.
• The WCCP version 2 standard allows for support of up to 256 distinct masks. However, a Catalyst 4500
series switch supports only a mask assignment table with a single mask.
• Valid multicast addresses are from 224.0.0.0 to 239.255.255.255.


Configuring WCCP
The following configuration tasks assume that you have already installed and configured the content
engines you want to include in your network. You must configure the content engines in the cluster
before configuring WCCP functionality on your routers.
IP must be configured on the router interface connected to the cache engines. Examples of router
configuration tasks follow this section. For complete descriptions of the command syntax, refer to the
Cisco IOS Configuration Fundamentals Command Reference, Cisco IOS Release 12.3.
These sections describe how to configure WCCP:
• Configuring a Service Group Using WCCP (Required)
• Using Access Lists for a WCCP Service Group (Optional)
• Setting a Password for a Router and Cache Engines (Optional)

Configuring a Service Group Using WCCP


WCCP uses service groups based on logical redirection services. The standard service is the content
engine, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the content engines. This
service is referred to as a well-known service, because the characteristics of the web cache service are
known by both the router and content engines. A description of a well-known service is not required
beyond a service identification (the command line interface (CLI) provides a web-cache keyword in the
command syntax).
For information on supported WCCP services with ACNS version 5.2 software, refer to the
Release Notes for Cisco ACNS Software, Release 5.2.3.
In addition to the web cache service, there can be up to seven dynamic services running concurrently on
the switch.

Note More than one service can run on a switch at the same time, and routers and content engines can be part
of multiple service groups at the same time.

The dynamic services are defined by the content engines; the content engine instructs the router which
protocol or ports to intercept, and how to distribute the traffic. The router itself does not have information
on the characteristics of the dynamic service group’s traffic, because this information is provided by the
first content engine to join the group. In a dynamic service, up to eight ports can be specified within a
single protocol (TCP or UDP).
Cisco Content Engines, for example, use dynamic service 99 to specify a reverse-proxy service.
However, other content engines may use this service number for some other service. The following
configuration information deals with enabling general services on Cisco routers. Refer to the content
engine documentation for information on configuring services on content engines.


To enable a service on a Catalyst 4500 series switch, perform this task:

Step 1
Command: Switch(config)# ip wccp {web-cache | service-number} [group-address groupaddress] [redirect-list access-list] [group-list access-list] [password password]
Purpose: Specifies a dynamic service to enable on the switch, specifies the IP multicast address used by the service group (optional), redirect access-list to control the traffic to be redirected (optional), group list to use for content engine membership (optional), specifies whether to use MD5 authentication (optional), and enables the WCCP service.

Step 2
Command: Switch(config-if)# [no] ip wccp check services all
Purpose: If a service matches the packet and the service has a redirect access-list configured, then the IP packet will be checked against the access-list. If the packet is rejected by the access-list, the packet will not be passed down to lower priority services unless the ip wccp check services all command is configured. When the ip wccp check services all command is configured, WCCP will continue to attempt to match the packet against any remaining lower priority services configured on the interface.

Step 3
Command: Switch(config)# interface type number
Purpose: Specifies a client interface to configure and enters interface configuration mode.

Step 4
Command: Switch(config-if)# ip wccp {web-cache | service-number} redirect {in | out}
Purpose: Enables WCCP redirection for ingress or egress traffic on the specified client interface.

Step 5
Command: Switch(config)# interface type number
Purpose: Specifies the interface to be configured for egress redirection exclusion.

Step 6
Command: Switch(config-if)# ip wccp redirect exclude in
Purpose: Specifies that packets received on this interface be excluded from any egress redirection. This MUST be configured on the content engine interface if L2-return method is used by the content engine and egress redirection is configured on the server interface.

Step 7
Command: Switch(config)# interface type number
Purpose: (Only necessary to run the multicast feature) Specifies the content engine interface to be configured for multicast reception.

Step 8
Command: Switch(config-if)# ip wccp {web-cache | service-number} group-listen
Purpose: (Only necessary to run the multicast feature) Enables the reception of IP multicast packets (WCCP protocol packets originating from the content engines) on the interface specified in Step 4.
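
The matching rule described in Step 2, modeled in Python as an added example (not Cisco code and not part of the original guide). The priority values, dynamic service 90, the sample addresses, and matching on destination port only are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple


class Service(NamedTuple):
    service_id: str                 # "web-cache" or a dynamic service number
    priority: int                   # assumption: larger number is matched first
    protocol: str                   # "tcp" or "udp"
    dst_ports: Tuple[int, ...]      # destination ports the service intercepts
    redirect_list: Optional[Tuple[str, ...]] = None  # permitted source networks


class Packet(NamedTuple):
    src: str
    protocol: str
    dst_port: int


def matches(service, packet):
    """True when the packet has the traffic characteristics of the service."""
    return (packet.protocol == service.protocol
            and packet.dst_port in service.dst_ports)


def acl_permits(service, packet):
    """A service without a redirect list accepts every matching packet."""
    if service.redirect_list is None:
        return True
    source = ip_address(packet.src)
    return any(source in ip_network(net) for net in service.redirect_list)


def select_service(packet, services, check_services_all=False):
    """Return the id of the redirecting service, or None if forwarded normally."""
    for service in sorted(services, key=lambda s: s.priority, reverse=True):
        if not matches(service, packet):
            continue
        if acl_permits(service, packet):
            return service.service_id
        # Rejected by the redirect list of the highest-priority match:
        # lower-priority services are tried only with "check services all".
        if not check_services_all:
            return None
    return None


# Constructed sample: service 90 outranks web-cache and has a redirect list.
SERVICES = [
    Service("web-cache", 240, "tcp", (80,)),
    Service("90", 250, "tcp", (80, 8080), redirect_list=("10.1.1.0/24",)),
]

if __name__ == "__main__":
    for src in ("10.1.1.7", "10.2.2.5"):
        pkt = Packet(src, "tcp", 80)
        for flag in (False, True):
            print(src, "check services all =", flag, "->",
                  select_service(pkt, SERVICES, flag))
```

Where the content engine is a filtering proxy, the second case is the one to check: a packet rejected by a higher-priority redirect list is forwarded normally and never reaches the lower-priority service.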


Specifying a Web Cache Service


To configure a web-cache service and ingress redirection, perform this task:

Step 1
Command: Switch(config)# ip wccp web-cache
Purpose: Enables the web cache service on the switch.

Step 2
Command: Switch(config)# interface type number
Purpose: Targets a client interface number for which the web cache service runs, and enters interface configuration mode.

Step 3
Command: Switch(config-if)# ip wccp web-cache redirect in
Purpose: Enables the check on packets to determine if they qualify to be redirected to a content engine, using the client interface specified in Step 2.

To configure a web-cache service and egress redirection, perform this task:

Step 1
Command: Switch(config)# ip wccp web-cache
Purpose: Enables the web cache service on the switch.

Step 2
Command: Switch(config)# interface type number
Purpose: Targets a server interface number for the web cache service, and enters interface configuration mode.

Step 3
Command: Switch(config-if)# ip wccp web-cache redirect out
Purpose: Enables the check on packets to determine if they qualify to be redirected to a content engine, using the client interface specified in Step 2.

Step 4
Command: Switch(config)# interface type number
Purpose: Specifies the content engine interface number, and enters interface configuration mode.

Step 5
Command: Switch(config-if)# ip wccp redirect exclude in
Purpose: Specifies that packets received on this interface be excluded from any egress redirection. This prevents packets returned by the content engine through the L2-return method or packets generated by the content engine from being redirected back to the content engine.

Using Access Lists for a WCCP Service Group


A Catalyst 4500 series switch can use an access list to restrict the content engines that can join a service
group.
To restrict a content engine, perform this task:

Step 1
Command: Switch(config)# access-list access-list permit ip host host-address [destination-address | destination-host | any]
Purpose: Creates an access list based on the unicast address of the content engines.

Step 2
Command: Switch(config)# ip wccp web-cache group-list access-list
Purpose: Indicates to the switch which content engines are allowed or disallowed to form a service group.


Setting a Password for a Router and Cache Engines


MD5 password security requires that each content engine and Catalyst 4500 series switch that wants to
join a service group be configured with the service group password. The password can consist of up to
seven characters. Each content engine or Catalyst 4500 series switch in the service group authenticates
the security component in a received WCCP packet immediately after validating the WCCP message
header. Packets failing authentication are discarded.
To configure an MD5 password for use by the Catalyst 4500 series switch in WCCP communications,
perform this task:

Command: Switch(config)# ip wccp web-cache password password
Purpose: Sets an MD5 password on the Catalyst 4500 series switch.

Verifying and Monitoring WCCP Configuration Settings


To verify and monitor the configuration settings for WCCP, use the following commands in EXEC mode:

Command: Switch# show ip wccp [web-cache | service-number]
Purpose: Displays global information related to WCCP, including the protocol version currently running, the number of content engines in the router's service group, which content engine group is allowed to connect to the router, and which access list is being used.

Command: Switch# show ip wccp {web-cache | service-number} detail
Purpose: Queries the router for information on which content engines of a specific service group the router has detected. The information can be displayed for either the web cache service or the specified dynamic service.

Command: Switch# show ip interface
Purpose: Displays status about whether any ip wccp redirection commands are configured on a client interface. For example, “Web Cache Redirect is enabled / disabled.”

Command: Switch# show ip wccp {web-cache | service-number} view
Purpose: Displays which devices in a particular service group have been detected and which content engines are having trouble becoming visible to all other switches to which the current switch is connected. The view keyword indicates a list of addresses of the service group. The information can be displayed for either the web cache service or the specified dynamic service. For further troubleshooting information, use the show ip wccp {web-cache | service-number} service command.


WCCP Configuration Examples


This section provides the following configuration examples:
• Performing a General WCCP Configuration Example
• Running a Web Cache Service Example
• Running a Reverse Proxy Service Example
• Running TCP-Promiscuous Service Example
• Running Redirect Access-List Example
• Using Access Lists Example
• Setting a Password for a Switch and Content Engines Example
• Verifying WCCP Settings Example

Performing a General WCCP Configuration Example


The following example shows a general WCCP configuration session. VLAN 20 is for the client
interface. VLAN 50 is for the content engine interface.
Switch# configure terminal
Switch(config)# ip wccp web-cache group-address 224.1.1.100 password alaska1
Switch(config)# interface vlan 20
Switch(config-if)# ip wccp web-cache redirect in
Switch(config)# interface vlan 50
Switch(config-if)# ip wccp web-cache group-listen

Running a Web Cache Service Example


The following example shows a web cache service configuration session with ingress redirection:
Switch# configure terminal
Switch(config)# ip wccp web-cache
Switch(config)# interface vlan 20
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# ^Z
Switch# copy running-config startup-config
Switch# show ip interface vlan 20 | include WCCP Redirect
WCCP Redirect inbound is enabled
WCCP Redirect exclude is disabled

Running a Reverse Proxy Service Example


The following example assumes you are configuring a service group using Cisco Content Engines, which
use dynamic service 99 to run a reverse proxy service. The following example illustrates how to
configure egress redirection, where VLAN 40 reflects the server interface and VLAN 50 reflects the
content engine interface:
Switch# configure terminal
Switch(config)# ip wccp 99
Switch(config)# interface vlan 40
Switch(config-if)# ip wccp 99 redirect out
Switch(config)# interface vlan 50
Switch(config-if)# ip wccp redirect exclude in


Running TCP-Promiscuous Service Example


The following example shows how to configure TCP promiscuous service, where VLAN 40 represents
the server interface and VLAN 50 represents the content engine interface:
Switch# configure terminal
Switch(config)# ip wccp 61
Switch(config)# ip wccp 62
Switch(config)# interface vlan 30
Switch(config-if)# ip wccp 61 redirect in
Switch(config)# interface vlan 40
Switch(config-if)# ip wccp 62 redirect in
Switch(config)# interface vlan 50
Switch(config-if)# ip wccp redirect exclude in

Running Redirect Access-List Example


A redirect access list lets you control which traffic is redirected. The following example shows
how to redirect traffic only from subnet 10.1.1.0:
Switch(config)# ip access-list extended 100
Switch(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 any
Switch(config-ext-nacl)# exit
Switch(config)# ip wccp web-cache redirect-list 100
Switch(config)# interface vlan 40
Switch(config-if)# ip wccp web-cache redirect in
Switch(config)# interface vlan 50
Switch(config-if)# ip wccp redirect exclude in

Using Access Lists Example


To achieve better security, you can use a standard access list to tell the Catalyst 4500 series switch
which IP addresses are valid addresses for a content engine attempting to register with the current switch.
The following example shows a standard access list configuration session where the access list number
is 10 for some sample hosts:
Switch(config)# access-list 10 permit host 11.1.1.1
Switch(config)# access-list 10 permit host 11.1.1.2
Switch(config)# access-list 10 permit host 11.1.1.3
Switch(config)# ip wccp web-cache group-list 10

Setting a Password for a Switch and Content Engines Example


The following example shows a WCCP password configuration session where the password is alaska1:
Switch# configure terminal
Switch(config)# ip wccp web-cache password alaska1


Verifying WCCP Settings Example


To verify your configuration changes, use the more system:running-config EXEC command. The
following example shows that both the web cache service and dynamic service 99 are enabled on the
Catalyst 4500 series switch:

WCCP unicast mode


Switch# more system:running-config

Building configuration...
Current configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
enable secret 5 $1$nSVy$faliJsVQXVPW.KuCxZNTh1
enable password alabama1
!
ip subnet-zero
ip wccp web-cache
ip wccp 99
!
!
!
interface Vlan200
 ip address 10.3.1.2 255.255.255.0
 ip wccp web-cache redirect in

interface Vlan300
 ip address 10.4.1.1 255.255.255.0
 ip wccp redirect exclude in

interface Vlan400
 ip address 10.5.1 255.255.255.0
 ip wccp 99 redirect out

ip default-gateway 10.3.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.3.1.1
no ip http server
!
!

WCCP multicast mode


ip wccp web-cache group-address 224.1.1.1
ip wccp 60 group-address 224.1.1.1
ip wccp 90
ip wccp 91

interface Vlan70
 ip address 70.1.1.1 255.255.255.0
 ip wccp web-cache group-listen
 ip wccp 60 group-listen
 ip wccp redirect exclude in
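
A configuration check built on the controls this chapter describes (service group password, group-list, group-listen for multicast, and redirect exclude with egress redirection), as an added Python example that is not Cisco code or part of the original guide. The finding names and both sample configurations are constructed for illustration, and the egress check cannot see the return method, so it flags every egress configuration that lacks an exclusion.

```python
import ipaddress

OPTION_KEYWORDS = ("group-address", "redirect-list", "group-list", "password")


def parse_wccp(config_text):
    """Return (services, interface_cmds) found in IOS-style configuration text."""
    services = {}        # service id -> {option keyword: value} from the global line
    interface_cmds = []  # (interface name, kind, service id or None)
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        if not line.startswith("ip wccp "):
            continue
        words = line.split()[2:]
        if words[:2] == ["redirect", "exclude"]:
            interface_cmds.append((current, "exclude", None))
            continue
        if not words or not (words[0] == "web-cache" or words[0].isdigit()):
            continue  # for example "ip wccp check services all"
        service, rest = words[0], words[1:]
        if rest[:1] == ["group-listen"]:
            interface_cmds.append((current, "listen", service))
        elif rest[:1] == ["redirect"] and len(rest) == 2:
            interface_cmds.append((current, "redirect-" + rest[1], service))
        else:
            services[service] = {k: rest[rest.index(k) + 1]
                                 for k in OPTION_KEYWORDS if k in rest[:-1]}
    return services, interface_cmds


def audit_wccp(config_text):
    """Return sorted (subject, finding) tuples; finding names are this example's own."""
    services, cmds = parse_wccp(config_text)
    findings = []
    for service, opts in services.items():
        if "password" not in opts:      # any device may join without MD5 authentication
            findings.append((service, "no-password"))
        if "group-list" not in opts:    # content engine addresses are not restricted
            findings.append((service, "no-group-list"))
        address = opts.get("group-address")
        if address is not None:
            try:
                multicast = ipaddress.ip_address(address).is_multicast
            except ValueError:
                multicast = False
            if not multicast:           # outside 224.0.0.0 to 239.255.255.255
                findings.append((service, "group-address-not-multicast"))
            if not any(k == "listen" and s == service for _, k, s in cmds):
                findings.append((service, "no-group-listen"))
    for interface, kind, service in cmds:
        if service is not None and service not in services:
            findings.append((interface, "service-not-enabled:" + service))
    if any(k == "redirect-out" for _, k, _ in cmds) and \
            not any(k == "exclude" for _, k, _ in cmds):
        findings.append(("egress", "no-redirect-exclude"))
    return sorted(findings)


# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
ip wccp web-cache
ip wccp 99 group-address 224.1.1.1
interface Vlan200
 ip wccp web-cache redirect in
interface Vlan400
 ip wccp 99 redirect out
"""

HARDENED_CONFIG = """\
access-list 10 permit host 11.1.1.1
ip wccp web-cache group-list 10 password sample1
ip wccp 99 group-address 224.1.1.1 group-list 10 password sample1
interface Vlan200
 ip wccp web-cache redirect in
interface Vlan300
 ip wccp 99 group-listen
 ip wccp redirect exclude in
interface Vlan400
 ip wccp 99 redirect out
"""

if __name__ == "__main__":
    for subject, finding in audit_wccp(WEAK_CONFIG):
        print(subject, finding)
```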
