WCCP configuration for SSL Orchestrator
Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. Cisco IOS Release 12.1 and later releases allow using either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the protocol.
Well, that's a mouthful. Put simply, WCCP is a Cisco-developed protocol designed to load balance traffic among proxy web cache servers.
The beauty of it is that it's really easy to set up on a router (and on Cisco Firepower), and it can intercept outbound traffic and redirect it to the proxies. The proxies do not need to be in the network path. It's basically a form of policy-based routing. And if the proxy servers are down, the router just continues to forward the traffic down the default route.
This makes it relatively easy for SSL Orchestrator to receive traffic.
I can say there's not exactly the greatest documentation from either organization, but it's really pretty simple. The fun fact is, once your device is registered with the WCCP group on the router, it just works. As in, the router just starts sending any traffic that matches the ACL off to it.
Now, as for HA: WCCP was designed to handle HA, right? I have a pool of web caches and I'm distributing the traffic among them.
But if I set up the BIG-IP using its standard Active/Standby HA and configuration sync, there's some additional thought that comes into play.
With a configuration where each device in the BIG-IP HA pair designates its own local self IP as the local tunnel address, there can be a delay while the newly active device registers with the WCCP group on the router. It's a short blip. But a blip nonetheless.
But what about using the floating IP address? Isn't that used to provide a movable HA address?
Yes, it is, on a normal network segment, similar to VRRP. Try it as the WCCP tunnel local address, though, and you get this:
01070734:3: Configuration error: In wccp /Common/wccpsg service tunnel local address (192.168.8.222) cannot be a floating self IP
So you're prevented from configuring the floating self IP as the tunnel local address.
The reason is that these are treated as tunnel interfaces, and in the case of the GRE configuration for WCCP, it really is a tunnel!
So peering is done between the router and each device in the HA group individually, and only the active device registers; the standby does not. When a failover event happens, the newly active device registers and the device that went standby drops out of the group.
modify net wccp wccpsg { services add { 90 { hash-fields { src-ip } port-type dest ports add { 443 } redirection-method l2 return-method l2 routers add { 192.168.8.128 } tunnel-local-address 192.168.8.105 tunnel-remote-addresses add { 192.168.8.128 } } } }
The most important thing is that the service group number matches. In this case, I used 90. The relevant router configuration:
ip wccp 90 redirect-list wccp-redirect
!
interface GigabitEthernet1
ip address dhcp
no ip redirects
ip wccp 90 redirect in
negotiation auto
!
interface GigabitEthernet2
ip address dhcp
negotiation auto
!
interface GigabitEthernet3
ip address 192.168.1.209 255.255.255.0
no ip redirects
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended wccp-redirect
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any
!
ip access-list extended 110
10 permit ip 192.168.1.0 0.0.0.255 any
20 deny ip any any
ip access-list extended 120
10 permit ip any any
ip access-list extended 130
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 permit ip any any
!
end
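As an added example (mine, not from the post or from F5/Cisco), here is a Python script that cross-checks the tmsh command against the router config: the service group number must appear on both sides, some interface must actually apply 'redirect in', and any port the redirect-list permits but the service does not advertise is flagged (the www entry above is one, since service 90 only lists 443). The inputs are constructed copies of the snippets above, trimmed to the WCCP lines.

```python
import re
# Constructed inputs in the shape of the post's tmsh command and router config, trimmed to the WCCP parts.
TMSH = ("modify net wccp wccpsg { services add {90{ hash-fields {src-ip} port-type dest ports add { 443 } "
        "redirection-method l2 return-method l2 routers add { 192.168.8.128 } tunnel-local-address 192.168.8.105 } } }")
IOS = """\
ip wccp 90 redirect-list wccp-redirect
interface GigabitEthernet1
 ip wccp 90 redirect in
ip access-list extended wccp-redirect
 10 permit tcp any any eq www
 20 permit tcp any any eq 443
"""
NAMED_PORTS = {"www": 80, "https": 443}  # IOS keywords an ACL may use instead of port numbers
def parse_tmsh(text):
    """Service id and port set from a tmsh 'net wccp' command."""
    sid = int(re.search(r"services add \{\s*(\d+)\s*\{", text).group(1))
    ports = {int(p) for p in re.search(r"ports add \{([^}]*)\}", text).group(1).split()}
    return {"service": sid, "ports": ports}

def parse_ios(text):
    """Service ids, redirect-list name, interfaces with 'redirect in', and TCP ports each ACL permits."""
    services, redirect_in, acl_ports, redirect_list, cur_if, cur_acl = set(), [], {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            cur_if, cur_acl = line.split()[1], None
        elif line.startswith("ip access-list extended "):
            cur_acl, cur_if = line.split()[-1], None
        m = re.match(r"ip wccp (\d+)(?: redirect-list (\S+))?", line)
        if m:
            services.add(int(m.group(1)))
            redirect_list = m.group(2) or redirect_list
            if line.endswith("redirect in") and cur_if:
                redirect_in.append(cur_if)
        m = re.match(r"\d+ permit tcp any any eq (\S+)", line)
        if m and cur_acl:  # resolve keyword ports such as 'www' to numbers
            acl_ports.setdefault(cur_acl, set()).add(NAMED_PORTS.get(m.group(1)) or int(m.group(1)))
    return {"services": services, "redirect_list": redirect_list, "redirect_in": redirect_in, "acl_ports": acl_ports}

def check(tmsh, ios):
    """Cross-check both sides; an empty list means they agree."""
    b, r, findings = parse_tmsh(tmsh), parse_ios(ios), []
    if b["service"] not in r["services"]:
        findings.append(f"service group {b['service']} is not configured on the router")
    if not r["redirect_in"]:
        findings.append("no interface applies 'ip wccp N redirect in'")
    extra = r["acl_ports"].get(r["redirect_list"], set()) - b["ports"]
    if extra:  # the service definition advertised by the client, not the ACL, decides which ports are candidates
        findings.append(f"redirect-list permits ports {sorted(extra)} that service {b['service']} does not advertise")
    return findings
```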
Verifying on the Cisco router:
router#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.153.128
Service Identifier: 90
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 34390
Process: 0
CEF: 0
Platform: 34390
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: wccp-redirect
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0
Validating which client is registered:
router#sh ip wccp 90 clients
WCCP Client information:
WCCP Client ID: 192.168.8.105
Protocol Version: 2.00
State: Usable
Redirection: L2
Packet Return: L2
Assignment: HASH
Connect Time: 03:23:47
Redirected Packets:
Process: 0
CEF: 0
Platform: 35918
GRE Bypassed Packets:
Process: 0
CEF: 0
Hash Allotment: 256 of 256 (100.00%)
Initiating the failover on the BIG-IP:
root@(bip1)(cfg-sync In Sync)(Active)(/Common)(tmos)# run sys failover standby
router#sh ip wccp 90 clients
WCCP Client information:
WCCP Client ID: 192.168.8.59
Protocol Version: 2.00
State: Usable
Redirection: L2
Packet Return: L2
Assignment: HASH
Connect Time: 00:03:26
Redirected Packets:
Process: 0
CEF: 0
Platform: 6522
GRE Bypassed Packets:
Process: 0
CEF: 0
Hash Allotment: 256 of 256 (100.00%)
Activity on the newly active device:
tail -f /var/log/wccpd.log
<13> Mar 27 11:56:27 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 11:56:29 bip1.local notice wccpd-1[17bb:f59af340] WccpApp.cpp:208 : Failover status active 0
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] WccpApp.cpp:208 : Failover status active 1
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:503 : <<< Got: Removal Query !
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 12:22:38 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
<13> Mar 27 12:22:38 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 12:22:39 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
Activity on the device that went standby:
tail -f /var/log/wccpd.log
<13> Mar 27 11:56:07 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 11:56:17 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
<13> Mar 27 11:56:17 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 11:56:27 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
<13> Mar 27 11:56:27 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 11:56:29 bip1.local notice wccpd-1[17bb:f59af340] WccpApp.cpp:208 : Failover status active 0
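To put a number on that blip, here is an added example (mine, not from the post or from F5) that parses wccpd.log lines like the ones above, decodes the syslog priority in the angle brackets, measures the time from "Failover status active 1" to the first "I See You" afterwards, and checks that a device that went standby stopped sending "Here I Am". The sample lines are constructed copies of the entries above.

```python
import re
from datetime import datetime

# Constructed sample: wccpd.log lines in the same shape as the post's newly active device log.
SAMPLE_LOG = """\
<13> Mar 27 11:56:29 bip1.local notice wccpd-1[17bb:f59af340] WccpApp.cpp:208 : Failover status active 0
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] WccpApp.cpp:208 : Failover status active 1
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:503 : <<< Got: Removal Query !
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
<13> Mar 27 12:22:37 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:388 : <<< Got: I See You
<13> Mar 27 12:22:38 bip1.local notice wccpd-1[17bb:f59af340] ServiceGroup.cpp:212 : >>> Sending Here I Am ::: Service 90 Protocol 6 ::: SecurityInfo: Opt: 0x0
"""
# <PRI> timestamp host severity-word process[ids] source-file:line : message
LINE_RE = re.compile(r"^<(\d+)> (\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \w+ \S+ (\S+) : (.*)$")

def parse_line(line):
    """Split one wccpd.log line into fields; PRI decodes as facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group(3), "src": m.group(4),
            "ts": datetime.strptime(m.group(2), "%b %d %H:%M:%S"), "msg": m.group(5)}

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def registration_delay(events):
    """Seconds from the last 'Failover status active 1' to the next 'I See You'; None if it never registered."""
    became_active = None
    for e in events:
        if e["msg"] == "Failover status active 1":
            became_active = e["ts"]
        elif became_active is not None and e["msg"].endswith("I See You"):
            return (e["ts"] - became_active).total_seconds()
    return None

def here_i_am_after_standby(events):
    """'Here I Am' times sent after the device last went standby; should be empty, only the active registers."""
    last = None
    for i, e in enumerate(events):
        if e["msg"].startswith("Failover status active"):
            last = (i, e["msg"].endswith("0"))
    if last is None or not last[1]:
        return []
    return [e["ts"].strftime("%H:%M:%S") for e in events[last[0] + 1:] if "Here I Am" in e["msg"]]
```

At one-second log resolution the post's own lines give a delay of 0, which matches the "short blip" described above.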