I'm frequently asked to recommend or validate a WCCP design for customers. This tech note will summarize the most current capabilities and recommendations for using WCCPv2 with Cisco Wide Area Application Services (WAAS).
WCCPv2 is the preferred off-path interception mechanism for WAAS. WCCP with WAAS is currently supported on a variety of routing platforms, including the Integrated Services Router (ISR models 1800, 2800, and 3800), 3700 series Access Routers, Cisco 7200 series routers (with NPE-400, NPE-G1, NPE-G2 only), 7600 routers, and ASR 1000 series routers. WCCP is also supported on a variety of switching products, including the Catalyst 3560/3750, Catalyst 4500/4948, and Catalyst 6500.
WCCP Platform Support
The following platforms are recommended for use with Cisco WAAS and the WCCP tcp-promiscuous services:
- Cisco Integrated Services Routers (1800, 2800, 3800)
- Cisco 3700, 7200 (NPE-400, NPE-G1, and NPE-G2 only), 7600, and ASR 1000 Series Routers
- Cisco Catalyst 3560 and 3750 Series Switches
- Cisco Catalyst 4500 and 4948 Series Switches
- Cisco Catalyst 6500 Series Switches
The following table lists the key capabilities of each platform:
| Platform | OS Version | Forwarding | Return | Assignment | Direction | Redirect List |
|---|---|---|---|---|---|---|
| IOS (Software-based) | < 12.4(20)T | GRE | GRE | Hash | In or Out | Yes |
| IOS (Software-based) | > 12.4(20)T | GRE or L2 | GRE or L2 | Hash or Mask | In or Out | Yes |
| ASR 1000 Series | 2.1 XE | GRE or L2 | GRE or L2 | Mask | In | Yes |
| Cisco 7600 Series | 12.2(18)SXD1 | GRE or L2 | GRE | Hash or Mask | In or Out | Yes 1 |
| Catalyst 3560/3750 | 12.37(SE) | L2 | GRE or L2 | Mask | In | Yes 2 |
| Catalyst 4500/4948 | 12.2(31)SG | L2 | L2 | Mask | In | No |
| Catalyst 6500 (Sup2) | 12.1(13)E | GRE or L2 | GRE | Hash or Mask | In or Out | Yes 1 |
| Catalyst 6500 (Sup32/Sup720) | 12.2(18)SXD1 | GRE or L2 | GRE or L2 | Hash or Mask | In or Out | Yes 1 |
1 The following options are supported in the redirect list: source & destination IP addresses (host or subnet), individual source and destination port numbers ("eq" operator only), DSCP, TOS and precedence operators ("dscp", "precedence" and "tos" keywords), IP options ("options" keyword), and logging.
2 Only 'permit' entries are supported.
The following platforms support WCCP, but their implementation is not compatible with WAAS:
- Catalyst 6500, Sup1a
- Cisco PIX/ASA Firewalls
- Catalyst 3550 Series Switch
Configuration Recommendations
The following best practices should be followed for implementing WCCP on a software-based platform:
- GRE Forwarding (Default)
- Hash Assignment (Default)
- Inbound or Outbound Interception
- "ip wccp redirect exclude in" on WCCP client interface (outbound interception only)
- WAAS Egress Method: IP Forwarding, Negotiated Return, Generic GRE Return
The following best practices should be followed for implementing WCCP on a hardware-based platform:
- L2 Forwarding
- Mask Assignment
- Inbound Interception
- No "ip wccp redirect exclude in"
- WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)
This combination of configuration options will ensure WCCP interception is handled completely in hardware on hardware-based platforms. There is no impact on switch CPU utilization or forwarding performance in these cases.
Warning
Use of alternate configurations, such as hash assignment, the 'ip wccp redirect exclude in' command, or the negotiated return egress method, can lead to elevated levels of CPU utilization and a reduction in overall performance.
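A small check for the hardware-platform recommendations and the warning above, as an added example that is not part of the original note: it scans IOS interface stanzas for outbound redirection and for 'ip wccp redirect exclude in'. The sample configuration and interface names are constructed; assignment and egress methods are set on the WAAS device rather than in the switch configuration, so they are not checked here.

```python
import re

# Constructed sample: interface stanzas from a hypothetical hardware-based switch.
SAMPLE_CONFIG = """\
ip wccp 61
ip wccp 62
!
interface Vlan10
 description Client LAN
 ip wccp 61 redirect in
!
interface Vlan20
 description WAN uplink
 ip wccp 62 redirect out
!
interface Vlan30
 description WAE segment
 ip wccp redirect exclude in
!
"""

REDIRECT = re.compile(r"^ip wccp (\d+) redirect (in|out)$")


def audit_hardware_wccp(config):
    """Return (interface, finding) pairs for settings the note warns
    against on hardware-based platforms."""
    findings, iface = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1]      # entering a new stanza
            continue
        if not raw.startswith(" "):            # "!" or a global command ends it
            iface = None
            continue
        if iface is None:
            continue
        line = raw.strip()
        m = REDIRECT.match(line)
        if m and m.group(2) == "out":
            findings.append((iface, "service %s: outbound interception; use 'redirect in'" % m.group(1)))
        elif line == "ip wccp redirect exclude in":
            findings.append((iface, "'ip wccp redirect exclude in' present; remove it"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_hardware_wccp(SAMPLE_CONFIG):
        print("%s: %s" % (iface, finding))
```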
Note
The Catalyst 6500/7500 do not support WCCP+NAT on the same interface for the same flows. Prior to PFC3B hardware, the Catalyst 6500/7600 platforms do not support WCCP+NAT in hardware when configured on the same interface. You can check the PFC mode with the command "show platform hardware pfc mode". With PFC3B or later hardware, the following command is required for hardware processing of WCCP+NAT on the same interface: "mls ip nat netflow-frag-l4-zero".
About Catalyst 4500 Supervisor support
Hi, thank you very much for your post. I have some doubts about the requirements in order to make Cisco WAAS and the Catalyst 4500 work with WCCPv2. The information on Cisco's web is not very clear; for example, the Cisco Feature Navigator tool outputs that this platform doesn't support WCCP L2 forwarding, and the WAAS configuration guides don't even mention the Cat4500 as a supported platform (in use with WCCPv2). On the other hand, the data sheet of the Supervisor Engine V for the 4500 does mention that it supports L2 forwarding. I really would like to confirm the information you have posted and whether it has some additional requirements; it really would make my day. Thanks in advance!!!!