Date post: 05-Apr-2020
Acceleration Systems LLC

Cloud Based Internet Acceleration

Cisco WCCP Setup & Configuration Guide

January, 2016


January 12, 2016 Page 3

Table of Contents

1 Introduction
2 About Cisco WCCP Protocol
3 Requirements
4 Important concepts
5 Router configuration
6 Acceleration Systems SPOC configuration
7 Troubleshooting
8 Debugging commands on the router console
Appendix A: Static client routing
Appendix B: Router Configuration Example


1 INTRODUCTION

This document assumes that you have already completed a successful proof of concept of the Acceleration Systems solution using the Acceleration Systems RBA Client or static routing to test the application acceleration capabilities of Acceleration Systems. For further information on setting static routes see Appendix A of this document.

The main scenario for using Cisco WCCP with Acceleration Systems software is where you have a branch site/office with a local or peered SPOC to which you want to connect local clients for application acceleration/optimization without having to install the Acceleration Systems client.

The Cisco WCCP protocol can be used to redirect network/application traffic from client devices without the need to install Acceleration Systems client software or create static routes. WCCP therefore simplifies the client deployment/configuration and also provides a fully robust solution with automated fail through if the local SPOC is unavailable for some reason, allowing traffic to pass directly to the application server.

2 ABOUT CISCO WCCP PROTOCOL

Cisco’s Web Cache Communication Protocol (WCCP) is a content-routing protocol which allows transparent redirection of traffic to local cache engines. This is a scalable solution with built-in fault tolerance and service assurance mechanisms. The Acceleration Systems SPOC supports version 2 of the protocol to facilitate clientless deployment.

In a client-based deployment, the Acceleration Systems Client software intercepts traffic destined for application servers being optimized and redirects that traffic to a local SPOC which then optimizes communication over the WAN.

In a WCCP deployment, no Acceleration Systems client software is required; packets are inspected by the router and any traffic which is destined for application servers being optimized is transparently redirected to one of the cache engines (SPOCs) operating WCCP (see below for information on how this is achieved).


3 REQUIREMENTS

To deploy Acceleration Systems in a WCCP configuration the customer must have a Cisco router (running Cisco IOS 12.1 or higher), perimeter firewall or L3 switch [1] that is compatible with WCCPv2 and which can support GRE forwarding.

Before implementing WCCPv2 redirection, customers are strongly advised to verify their Acceleration Systems configuration using static client routing – see Appendix A.

This document discusses troubleshooting WCCP with reference to the following topology:

[Figure: example topology. Router A and Router B, each with interfaces Fa0/0 and Fa0/1, joined across the WAN. Labelled hosts: Client (WIN x) 10.1.1.5, SPOC 10.1.1.101, EM 172.16.62.55, SPOC 172.16.62.54, Application Server 172.16.62.100.]

Note on Router A interfaces:

Fa0/1: 10.1.1.1 (to LAN)
Fa0/0: 209.124.16.1 (to WAN)

The router identifier is 209.124.16.1 (this is determined by the highest IP assigned to the interface).

[1] Cisco L2 Switches won’t support GRE


4 IMPORTANT CONCEPTS

Router Identifier IP address vs WCCP IP address

The router identifier is determined by the highest IP address assigned to an interface on the router. The WCCP IP address is the IP address of the interface on which WCCP is configured.

*When configuring WCCP in the SPOC GUI, it is the WCCP IP address which should be entered into the ‘WCCP Router’ address textbox.

Heartbeat

When WCCP is enabled on the SPOC (via Configuration -> Redirection Method) the SPOC will begin sending regular heartbeat messages to the router. These heartbeat messages tell the router that the SPOC is available to accept redirected traffic for a particular service group.

If the router misses three successive heartbeats from the SPOC (eg. because the SPOC becomes unavailable) the router will begin forwarding traffic directly over the WAN until the SPOC becomes available again.

WCCP service group number

Acceleration Systems SPOCs operate on WCCP service group 51 by default. The ‘redirect-list’ access list associated with each service group number determines whether traffic should be redirected to WCCP Clients (eg. SPOCs) operating on that service group.

5 ROUTER CONFIGURATION

The router must be appropriately configured to operate WCCP redirection.

Global settings

ip wccp 51 redirect-list <redirectlist> group-list <grouplist>
    Apply the rules contained in the access list <redirectlist> to determine which traffic should be redirected. A <grouplist> access list (optional) specifies which WCCP Clients (SPOCs) are allowed to participate in service group 51.

Interface settings

ip wccp 51 redirect in
    Set up WCCP redirection for inbound packets on this interface to cache engine(s) operating on service 51. (Generally <interface> should be the router interface to the LAN where the clients that are going to be optimized reside.)

ip route-cache same-interface
    Enable fast-switching for packets being redirected out of the same interface on which they arrived. This enhances performance where the SPOC and Clients are connected to the router via the same interface. (Not required if the Clients and SPOC connect to the router on different interfaces.)

Access lists

The key access list is the ‘redirect-list’; this is the set of rules that the router will use to determine whether traffic should be redirected to the SPOC or not.

If your SPOC (eg. 10.1.1.101) sits on the same interface as the clients being optimised then you must include a deny rule in your redirect-list that stops the router from bouncing traffic from the SPOC back at itself, eg.

access-list <redirect-list> deny ip host 10.1.1.101 any

This rule tells the router not to redirect any IP traffic sent from the SPOC (to any destination).

Some other examples of common redirect-list rules you may wish to implement:

access-list <redirect-list> deny tcp host 10.1.1.17 host 172.16.62.100

This rule tells the router not to redirect any tcp traffic from the client machine 10.1.1.17 to the application server 172.16.62.100.

access-list <redirect-list> permit tcp 10.1.1.0 0.0.0.255 host 172.16.62.100

This rule tells the router to redirect any tcp traffic from clients on the subnet 10.1.1.0 destined for the application server 172.16.62.100.

(NB: Cisco access lists use inverse masks; also note that in a Cisco access list ‘host 172.16.62.100’ is the same as ‘172.16.62.100/0.0.0.0’.)

The ‘group-list’ access list is optional; for security reasons you may choose to specify which WCCP Clients (eg. SPOCs) are permitted to be used for WCCP redirection on a particular service group.

access-list <group-list> permit 10.1.1.101
access-list <group-list> deny any

This ‘group-list’ would allow the SPOC 10.1.1.101 to be used for WCCP redirection, but any other WCCP Client sending a heartbeat to the router would be ignored.

(NB: Generally there is no need to set up a ‘group-list’; however, if you choose to use a group-list you must ensure that all SPOCs you wish to use with WCCP are permitted in the access list.)

For a sample router configuration, see Appendix B.
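The redirect-list rules above depend on inverse masks and on rule order. The following added example (not part of the original guide) evaluates a redirect-list the way the section describes, first match wins with an implicit deny at the end, and shows that placing the subnet permit ahead of the SPOC deny lets the SPOC's own traffic be redirected back to it. The ACL number 101, the function names and both sample lists are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip|tcp SRC DST' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        rules.append((action, proto, _take_addr(rest), _take_addr(rest), line.strip()))
    return rules

def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # inverse mask: only the 0 bits must match
    return (_ip(addr) & care) == (base & care)

def decide(rules, proto, src, dst):
    """Return (action, rule). First match wins; no match is the implicit deny."""
    for action, rule_proto, rsrc, rdst, line in rules:
        if rule_proto in ("ip", proto) and _match(src, rsrc) and _match(dst, rdst):
            return action, line
    return "deny", "(implicit deny)"

def spoc_loop_targets(rules, spoc, servers):
    """Servers for which packets sourced by the SPOC would be redirected back to it."""
    return [s for s in servers if decide(rules, "tcp", spoc, s)[0] == "permit"]

# Constructed lists built from the rules quoted above; 101 is a sample ACL number.
ORDERED = """
access-list 101 deny ip host 10.1.1.101 any
access-list 101 deny tcp host 10.1.1.17 host 172.16.62.100
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 172.16.62.100
"""
# Same subnet permit, but evaluated before the SPOC deny.
MISORDERED = """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 172.16.62.100
access-list 101 deny ip host 10.1.1.101 any
"""

if __name__ == "__main__":
    for name, acl in (("ordered", ORDERED), ("misordered", MISORDERED)):
        rules = parse_acl(acl)
        for src in ("10.1.1.5", "10.1.1.17", "10.1.1.101", "10.1.2.5"):
            action, rule = decide(rules, "tcp", src, "172.16.62.100")
            verdict = "redirect" if action == "permit" else "no redirect"
            print(f"{name:10} {src:11} {verdict:11} {rule}")
        loops = spoc_loop_targets(rules, "10.1.1.101", ["172.16.62.100"])
        print(name, "SPOC loop targets:", loops)
```

A non-empty result from `spoc_loop_targets` means the list needs the SPOC deny moved above any permit that covers the SPOC's address.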


6 ACCELERATION SYSTEMS SPOC CONFIGURATION

The SPOC, as explained earlier, has little configuration, but a number of checks can be implemented to ensure that everything has been set up correctly:

1. In the left-hand menu, navigate to “Configuration” and then “Redirection Method”. Check the WCCP2 checkbox.

a. Note that only WCCP version 2 is supported. Please ensure that this is supported on your router, as only certain Cisco routers/IOS versions support this.

2. The following screen will now be presented to the user:

3. Enter the WCCP2 Router address


a. This address is the IP address of the router interface to which your SPOC is connected. In our example, the IP address would be 10.1.1.1. If you do not know what this is:

i. Check which physical interface on the router your SPOC is connected to, eg. Fast Ethernet 0/1 in our example topology.

ii. Log onto your Cisco router and run the following command (you must be in enable mode):

show running-config

(shortcut sh run)

This will show the currently active configuration on your router.

iii. Check the IP address of the interface (eg. Fast Ethernet 0/1) your SPOC is connected to.

b. Click on “Save” to save the configuration.

c. If this address is correct, after a few seconds a heartbeat should be established to prove communications on service group 51 between the router and the SPOC. The following screenshot is an example of this:


If the address is incorrect, the heartbeat status will be flagged in red as “Inactive” (in which case, see the ‘Troubleshooting’ section below).


7 TROUBLESHOOTING

Is the SPOC receiving a heartbeat from the router?

If No:

- Check that the IP address of the router is set to the IP address of the interface to which the SPOC is connected (not necessarily the ‘router identifier’ IP address which is determined by the highest IP address assigned to an interface)

- Check that WCCP is configured correctly on the router:

  - Check that WCCP is switched on for the appropriate service group (51)

  - Check whether a WCCP group-list is in place for service 51 (if so, ensure the IP address of the SPOC is permitted in the group-list)

- Is there a firewall between the SPOC and the Router? If so, is it blocking the heartbeat messages/GRE tunnel over which the router and SPOC communicate?

Is the SPOC connected to the same router interface as the clients being optimized?

If yes:

- Ensure there is a ‘redirect-list’ access list set up in the router configuration such that traffic from the SPOC (eg. IP Forwarded packets) is excluded from redirection (ie. won’t simply bounce back to the SPOC in a routing loop). The redirect-list should in this case contain the following line for each SPOC (there may only be one):

  access-list <redirect-list> deny ip <IP address of SPOC> any

  This will prevent traffic from the SPOC being bounced back by WCCP redirection.

- You are strongly advised to add the following line to your router configuration for this interface:

  ip route-cache same-interface

  This will enable fast switching of packets being redirected by WCCP; it is not mandatory but will enhance router performance. [2]

[2] For more information, see: https://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdipsp.html

Is transparency set to ‘on’ for the application servers being optimized?

If Yes:

- Ensure there is a WCCP redirect set up on the inbound interface (from the WAN) such that traffic on a return journey back to the client from application servers being optimized by Acceleration Systems is redirected back through the SPOC (rather than being sent directly to the client).

(If transparency is set to off then no WCCP redirect is required on the inbound interface from the WAN since any packets returning from optimized application servers will be encapsulated by the server-side SPOC and sent to the IP address of the client-side SPOC – not the client directly).

Is the GRE tunnel up?

To check this:

Log on to the SPOC console and issue the following command:

iptunnel show

The output should list two GRE tunnels (gre0 and gre1), eg.

sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.32.22 local 10.1.1.100 dev eth0 t..

Note in the example: the ‘remote’ IP in gre1 (eg. 172.16.32.22) is the router identifier IP address, the ‘local’ IP address is that of the SPOC to which traffic is being redirected.

If the GRE tunnel is not up, ensure that the router (WCCP server) and the SPOC (WCCP client) are mutually reachable, then disable WCCP in the SPOC GUI before rebooting the SPOC and finally re-enable WCCP redirection in the SPOC GUI.

Check that the GRE tunnel is up using the iptunnel show command on the SPOC console.

Is redirected traffic reaching the local SPOC?

To check this:

Log on to the SPOC console and issue the following command:

tcpdump -w va.pcap -i gre1

Tcpdump will begin listening for data packets arriving via the GRE tunnel and save captured data to the file va.pcap.

From your client machine, try to access an application server being optimized such that the traffic is redirected by WCCP to your local SPOC.

Return to the SPOC console and press Ctrl + C to finish capturing data.

Transfer a copy of the file va.pcap to a Windows machine and open it using Wireshark.

Wireshark will display details of the captured packets; check whether packets from your client machine destined for the application server being optimized have been captured.


8 DEBUGGING COMMANDS ON THE ROUTER CONSOLE

show ip wccp

Global WCCP information

Router information:

Router Identifier: 172.16.32.22
    The ‘router identifier’ is the highest IP address assigned to an interface on the router. This is the IP address which will be used for the purposes of setting up a GRE tunnel between the WCCP Client (SPOC) and the WCCP Server (router).

Protocol Version: 2.0
    Indicates which version of WCCP is in use – ensure this is set to version 2.0 [3]

Service Identifier: 51
    Indicates that WCCP is active on service group 51 – service group 51 is the default service group on which the Acceleration Systems SPOC communicates with the router [4].

Number of Service Group Clients: 1
    Indicates that there is one active SPOC (WCCP Client). If this value is 0 then the router is not receiving a heartbeat from the SPOC:

    - Check that the correct IP address has been entered into the ‘WCCP Router’ textbox on the SPOC GUI – this should correspond to the IP address of the router interface on which WCCP has been set up (not necessarily the same as the router identifier).

    - If you have changed the WCCP service group which the SPOC uses to communicate with the router then ensure the router is set up to run WCCP on the same service group.

Number of Service Group Routers: 1
    Indicates that there is a single router (WCCP Server) performing redirection for the service group.

Total Packets s/w Redirected: 11612
    Total number of packets redirected by WCCP

Process: 56
Fast: 0
CEF: 11556
    Switching pathway statistics (process switching / fast switching / Cisco Express Forwarding). [5]

Redirect access-list: WCCP-REDIRECT
    This is the name of the access list being used to filter packets for redirection. NB: If no ‘redirect-list’ is specified then ALL packets will be redirected via the SPOC(s) running WCCP; ensure a redirect access list has been set up!

Total Packets Denied Redirect: 456077
    This is the total number of packets which have not been redirected because they didn’t match any rules in the redirect-list access list.

Total Packets Unassigned: 0
    This represents the number of packets which matched a redirection rule but which could not be assigned to a cache engine (eg. because a SPOC had just rebooted and was momentarily unavailable)

Group access-list: -none-
    Indicates whether a group-list access list is in use; a group-list may be used to tell the router which SPOCs are allowed to join the service group. (This is entirely optional; however, if you do implement a group-list access-list, you must ensure the SPOCs you wish to be involved in WCCP redirection are permitted by this access-list).

[3] If this is set to WCCP v1, you must change this by entering the ip wccp version 2 command at the router console.

[4] We recommend you use the default service group (51); however, if you wish to change this, you can do so by editing the wccp2_service_id field in the /replify/proxy/rprx.app configuration file on the Acceleration Systems SPOC.

[5] For more information on the different switching pathways, see: http://ciscogeek.wordpress.com/2008/10/14/ip-switching-fast-switching-process-switching-cef-switching/
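The checks described field by field above can be run over saved `show ip wccp` output. This is an added example, not part of the original guide: the sample text is constructed from the field names and values in this section, its column layout is an assumption, and it assumes a missing redirect-list is printed as `-none-` in the same way the guide shows for the group access-list.

```python
import re

NONE = "-none-"

# Constructed sample; values are the ones walked through in this section.
SAMPLE_OK = """\
Global WCCP information:
    Router information:
        Router Identifier:                   172.16.32.22
        Protocol Version:                    2.0

    Service Identifier: 51
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        11612
          Process:                           56
          Fast:                              0
          CEF:                               11556
        Redirect access-list:                WCCP-REDIRECT
        Total Packets Denied Redirect:       456077
        Total Packets Unassigned:            0
        Group access-list:                   -none-
"""
# Constructed failure case: SPOC heartbeat lost and no redirect-list configured.
SAMPLE_BAD = (SAMPLE_OK
              .replace("Clients:     1", "Clients:     0")
              .replace("WCCP-REDIRECT", NONE))

def parse_show_ip_wccp(text):
    """Return {field name: value} for every 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def review(fields, expected_service="51"):
    """Apply the checks from this section; return a list of findings."""
    findings = []
    if fields.get("Protocol Version") != "2.0":
        findings.append("protocol: WCCP version is not 2.0")
    if fields.get("Service Identifier") != expected_service:
        findings.append("service: router is not running the SPOC's service group")
    if int(fields.get("Number of Service Group Clients", 0)) == 0:
        findings.append("heartbeat: router sees no SPOC on this service group")
    if fields.get("Redirect access-list", NONE) == NONE:
        findings.append("redirect-list: none set, ALL packets are redirected")
    if fields.get("Group access-list", NONE) == NONE:
        findings.append("group-list: none set, any WCCP client may join")
    if int(fields.get("Total Packets Unassigned", 0)) > 0:
        findings.append("unassigned: packets matched a rule but no SPOC took them")
    return findings

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label)
        for finding in review(parse_show_ip_wccp(text)):
            print("  -", finding)
```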


APPENDIX A: STATIC CLIENT ROUTING

Before implementing WCCPv2 redirection, we strongly recommend that customers verify that Acceleration Systems is configured correctly. This involves simply adding a static routing rule to a test client machine to ensure that optimization is working. Performing this test will allow the customer to proceed to implement WCCPv2 redirection with confidence that the underlying Acceleration Systems system is configured correctly.

This example is based on the following topology:

[Figure: example topology. Router A and Router B, each with interfaces Fa0/0 and Fa0/1, joined across the WAN. Labelled hosts: Client (WIN x) 10.1.1.5, SPOC (1) 10.1.1.101, EM 172.16.62.55, SPOC (2) 172.16.62.54, Application Server 172.16.62.100.]

Notes:

WCCP is not enabled at this point (either in the SPOC or on the Router)

The Test Client machine does not have Acceleration Systems Client software installed

The EM is setup to license SPOC 1 and SPOC 2

SPOC 1 is peered to SPOC 2 (exporting of application servers is switched on)

SPOC 2 is configured to optimize the Application Server

On the Test Client machine, open up a command prompt and issue the following command:

route add <application server> MASK 255.255.255.255 <local SPOC>

eg. route add 172.16.62.100 MASK 255.255.255.255 10.1.1.101

This will create a static route which will route all traffic destined for the SharePoint application server (172.16.62.100) via the local SPOC (10.1.1.101).

To test that this is working correctly, try accessing the application server from the Test Client machine. If you view the live traffic report on SPOC 2 you ought to see that your connection is being optimised by Acceleration Systems.

Finally, remove the static routing rule from the Test Client machine by either rebooting the machine or issuing the route delete <application server> command.


APPENDIX B: ROUTER CONFIGURATION EXAMPLE

[Figure: example topology. Router A and Router B, each with interfaces Fa0/0 and Fa0/1, joined across the WAN. Labelled hosts: Client (WIN x) 10.1.1.5, SPOC (1) 10.1.1.101, EM 172.16.62.55, SPOC (2) 172.16.62.54, Application Server 172.16.62.100.]

Note on Router A interfaces:

Fa0/1: 10.1.1.1 (to LAN)
Fa0/0: 209.124.16.1 (to WAN)

The router identifier is 209.124.16.1 (this is determined by the highest IP assigned to the interface).

Configuration of Router A

hostname routerA
!
! Service group 51: redirect only traffic permitted by access list 101
ip wccp 51 redirect-list 101
!
ip cef
!
interface FastEthernet0/0
 description WAN link
 ip address 209.124.16.1 255.255.224.0
!
interface FastEthernet0/1
 description LAN containing clients & SPOC
 ip address 10.1.1.1 255.255.255.0
 ip wccp 51 redirect in
 ip route-cache same-interface
!
! Never redirect the SPOC's own traffic (avoids a routing loop)
access-list 101 deny ip host 10.1.1.101 any
access-list 101 permit tcp any host 172.16.62.100

