
Wccp introduction final2

Date post: 12-Apr-2017
Upload: bui-thequan
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.

WEB CACHE COMMUNICATION PROTOCOL (WCCP) INTRODUCTION

Almas Raza

Product Support Specialist


TOPICS OF DISCUSSION

• Why WCCP?
• WCCP Background
• WCCP Protocol Process
• WCCP Redirection Process
• WCCP Configuration
• WCCP Debugging
• References


WHY WCCP

Today’s networks require proxy services in order to secure inbound and outbound communications.

Communications need to be intercepted by the proxy services in order to apply a secure policy and utilize the caching capabilities.

Proxy services can be deployed in two modes:
• Transparent mode
• Explicit mode


WHY WCCP

In Transparent mode, requests are transparently intercepted.

The user’s browser does not require any configuration changes.

In Explicit mode, a user’s browser requires modification via setting the hostname of the ProxySG or via Proxy Autoconfig Client (PAC) files.


WHY WCCP

Transparent mode can be deployed in two ways:
• Inline
• Virtually inline


WHY WCCP

When the ProxySG appliance is not in the physical path of clients and servers, it must rely on an external device—either a Layer 4 switch (Load Balancer) or a WCCP-capable router—to redirect packets to it for transparent proxy services. This type of deployment is known as a virtually in-path deployment.

Traffic can be redirected to the proxy via:
• Policy-based routing in Layer 3 switches, or
• WCCP from Cisco Layer 3 switches and routers.


USING WCCP WITH THE PROXYSG

WCCP is the recommended virtually in-path deployment because it provides the following advantages:

Scalability and Load Balancing — Traffic can be automatically distributed to up to 32 ProxySG appliances. If one ProxySG goes down, traffic is automatically redistributed across the other ProxySG appliances in the group.

Security — You can password-protect the WCCP service group so that only authorized appliances can join. Additionally, you can configure access control lists (ACLs) on the router to restrict access to specific ProxySG appliances only.

Failover — In the event that there are no ProxySG appliances available for traffic redirection, the router forwards the traffic to the original destination address.

Flexibility — You control exactly what traffic to redirect and how to redirect it. You can redirect all traffic entering or exiting a router interface; you can filter traffic using ACLs; or, you can define specific protocol and ports to redirect.


WCCP BACKGROUND


BACKGROUND


RESTRICTIONS FOR WCCP

General

The following limitations apply to WCCPv1 and WCCPv2:
• WCCP works only with IPv4 networks.
• Routers and cache engines communicate with each other via a control channel based on UDP port 2048.

WCCPv1

The following limitations apply to WCCPv1:
• Only a single router services a cluster of systems.
• Supports HTTP (TCP port 80) traffic flows only.
• Provides generic routing encapsulation (GRE) to prevent packet modification.

WCCPv2

The following enhancements were made in WCCPv2:
• Allows for use across up to 32 routers (WCCP servers).
• Supports up to 32 engines/accelerators (WCCP clients).
• Supports any IP protocol, including any TCP or UDP.
• Supports up to 256 service groups (0-255).
• Adds MD5 shared secret security.
• Multicast addresses must be from 224.0.0.0 to 239.255.255.255.


BACKGROUND


CISCO ROUTER / SWITCH COMMANDS

Showing the version of Cisco IOS:
router# show version

CompNet-RT7206-5#show version
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 28-Apr-10 13:31 by prod_rel_team

ROM: System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(9)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

CompNet-RT7206-5 uptime is 1 hour, 20 minutes
System returned to ROM by reload at 13:43:21 PST Tue Nov 1 2011
...
Cisco 7206VXR (NPE300) processor (revision B) with 229376K/65536K bytes of memory.
Processor board ID 16071755
R7000 CPU at 262MHz, Implementation 39, Rev 1.0, 256KB L2 Cache
6 slot VXR midplane, Version 2.0


WCCP PLATFORM SUPPORT (KB FAQ305)


BACKGROUND


PRIMARY WCCP FUNCTIONS

Registration:

ProxySG is a WCCP client
• Registers WCCP services (0-255) with “Here I Am” if the application is operational
• Registration announces the WCCP client on the service group, provides availability notification, and requests interesting traffic
• Transmits “Here I Am” every 10 seconds
• Lead WCCP client (lowest IP address) instructs routers on protocol/port, assignment, forwarding, and return methods

Router is a WCCP server
• Accepts service group registration (0-255)
• Acknowledges “Here I Am” with “I See You”
• Waits 30 (3x10) seconds before declaring a ProxySG failed
• Announces ProxySGs to other ProxySGs
• Router ID is the highest interface IP, or the highest loopback IP if one exists
• Redirects traffic to the ProxySG

Assignment: Selects a ProxySG in the cluster
• Hash: 256 buckets
• Mask: 64 buckets represented by a 6-bit mask of the source or destination IP/port


WCCP CONTROL PLANE AND RE-DIRECTION

WCCP handles two different types of traffic:

• Control traffic
  – Via control traffic, the WCCP protocol negotiates the setup between router and proxy for a service group.
  – A heartbeat is also exchanged via control traffic every 10 seconds.

• Redirection
  – Data packet redirection between proxy and router


WCCP SERVICE GROUPS


WCCP CONTROL PLANE MESSAGES

Control plane messages are exchanged over UDP port 2048. There are four different types of control messages:

• Here I Am (HIA)
• I See You (ISU)
• Redirect Assign (RA)
• Removal Query (RQ)

Traffic from the router to the proxy can be sent via L2 or GRE.
The proxy can send traffic back to the router via L2, GRE or routed.
The router can distribute traffic to the proxies by hash-based or mask-based assignment.


DIFFERENCE BETWEEN GRE AND L2

• GRE forwarding and return type
  – GRE is used when the router and proxy are a few hops apart.
  – GRE is also used in a mesh router environment.
  – Needs more CPU cycles, since every packet has to be encapsulated.

• L2 forwarding and return type
  – The router and proxy need to be directly connected for L2 to work.
  – Less CPU intensive.
  – No encapsulation is needed to send the traffic out.


© Blue Coat Systems, Inc. 2008. All Rights Reserved.

Understanding L2 forwarding / GRE packet return (cont.)

L2 forwarding / GRE forwarding packets

[Figure: packet layering]
• Inbound L2 redirected packet: Ethernet | IP | TCP
• Outbound GRE return packet: Ethernet | IP | GRE | IP | TCP


WCCP SERVICE GROUPS

A service group unites one or more routers/switches with one or more caching devices (ProxySG appliances in this case) in a transparent redirection scheme governed by a common set of rules. The service group members agree on these rules initially by announcing their specific capabilities and configurations to each other in WCCP protocol packets as follows:

1. The ProxySG appliance sends out a “Here I Am” (WCCP2_HERE_I_AM) message to the routers in the group. These messages include a description of the service group that the ProxySG wants to join, including the protocol, ports to redirect, method to use to forward and return packets to each other, and load balancing instructions.

2. The routers respond with an “I See You” (WCCP2_I_SEE_YOU) message that includes a Receive ID as well as a list of WCCP capabilities—such as forwarding/return methods or load balancing schemes — that the router supports.


WCCP SERVICE GROUPS

3. The ProxySG appliance responds with another “Here I Am” message in which it reflects the Receive ID that was sent in the “I See You” message from the router. In addition, the ProxySG examines the capabilities advertised by the router and, if its configuration specifies a capability that has not been advertised, it will abandon its attempt to join the service group. If the capabilities it is configured to use are advertised, it will select the capabilities it wants to use and will send them back to the router in another “Here I Am” message.

4. The router inspects the capabilities that the ProxySG selected and, if the capabilities are supported, the router accepts the ProxySG as compatible and adds it to the service group. The router responds to all ProxySG appliances that it has accepted with “I See You” messages that include a listing of all ProxySG appliances in the service group (called the router view).

5. Each ProxySG in the group periodically sends out “Here I Am” messages to the routers in the group to maintain its service group membership. If a router doesn’t receive a “Here I Am” message from a ProxySG in the group within the designated time-out interval, it removes the ProxySG from the service group and sends out an “I See You” with an updated router view.
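The five steps above, as an added example that is not Blue Coat or Cisco code: a small in-memory model of the Receive ID reflection, capability check and 30-second timeout. The message dictionaries, the capability labels and the 192.0.2.x addresses are assumptions made for the illustration; no WCCP wire format is parsed.

```python
from dataclasses import dataclass, field

HIA_INTERVAL = 10            # seconds between "Here I Am" messages (per the slides)
TIMEOUT = 3 * HIA_INTERVAL   # router drops a silent ProxySG after 30 seconds


@dataclass
class Router:
    """In-memory model of the router side; message dicts are hypothetical."""
    capabilities: frozenset                        # methods the router supports
    next_id: int = 1
    pending: dict = field(default_factory=dict)    # client IP -> Receive ID issued
    members: dict = field(default_factory=dict)    # client IP -> last valid HIA time

    def on_here_i_am(self, ip, now, rcv_id=None, selected=()):
        # Step 5: forget members whose last valid HIA is older than the timeout.
        self.members = {c: t for c, t in self.members.items()
                        if now - t <= TIMEOUT}
        # Steps 3-4: admit or refresh only when the Receive ID from our last
        # ISU is reflected and every selected capability is one we support.
        reflected = rcv_id is not None and rcv_id == self.pending.get(ip)
        if reflected and selected and set(selected) <= self.capabilities:
            self.members[ip] = now
        # Steps 2 and 4: every HIA is answered with an ISU carrying a fresh
        # Receive ID, the advertised capabilities and the current router view.
        self.pending[ip] = self.next_id
        self.next_id += 1
        return {"rcv_id": self.pending[ip],
                "capabilities": self.capabilities,
                "view": sorted(self.members)}


def proxy_join(router, ip, configured, now):
    """ProxySG side of steps 1-4: return the final ISU, or None if abandoned."""
    isu = router.on_here_i_am(ip, now)                 # step 1: first HIA
    if not set(configured) <= isu["capabilities"]:     # step 3: capability the
        return None                                    # router lacks, give up
    isu = router.on_here_i_am(ip, now, isu["rcv_id"], configured)
    return isu if ip in isu["view"] else None


if __name__ == "__main__":
    router = Router(frozenset({"GRE", "HASH"}))
    print(proxy_join(router, "10.78.56.164", ["GRE", "HASH"], now=0))
    print(proxy_join(router, "192.0.2.7", ["L2", "MASK"], now=1))   # abandoned
    print(router.on_here_i_am("192.0.2.8", now=31)["view"])         # timed out
```

A "Here I Am" that does not reflect the Receive ID from the router's last "I See You" never refreshes membership in this model, which is why a silent or replaying sender ages out of the router view after the timeout.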


WCCP REDIRECTION PROCESS


WCCP REDIRECTION


SIMPLE PROXYSG WCCP EXCHANGE PROCESS

The process works as follows:

1. The client sends a packet addressed for the OCS.

2. The WCCP-enabled router redirects the packet to the ProxySG.

3. The ProxySG determines what to do with it based on the transparent proxy services that have been configured for the traffic type. If it cannot service the request locally (for example by returning a page from its local cache), it sends a request to the specified OCS on behalf of the client.

4. The OCS response is routed (or redirected depending on the configuration) back to the ProxySG.

5. The ProxySG then forwards the response back to the client.

Figure 1-1 A Simple ProxySG WCCP Exchange


REDIRECT IN OR OUT


WCCP REDIRECTION/RETURN PROCESS WITH REFLECT CLIENT IP DISABLED

[Figure: redirection and return with Reflect Client IP disabled. Elements shown: Client PC (IP 1.1.1.10), WAN, router (Router ID 1.2.3.4, interfaces 0/0 and 2/0, WCCP SG 10), ProxySG (IP 1.1.1.99), OCS (IP 2.2.2.10). Packet headers shown in the figure:]

• Src IP 1.1.1.10, Dst IP 2.2.2.10, Src TCP 1964, Dst TCP 80, Payload
• GRE (Src IP 1.2.3.4, Dst IP 1.1.1.99) carrying Src IP 1.1.1.10, Dst IP 2.2.2.10, Src TCP 1964, Dst TCP 80, Payload
• Src IP 1.1.1.99, Dst IP 2.2.2.10, Src TCP 62763, Dst TCP 80, Payload
• Src IP 2.2.2.10, Dst IP 1.1.1.99, Src TCP 80, Dst TCP 62763, Payload (shown twice)
• Src IP 2.2.2.10, Dst IP 1.1.1.10, Src TCP 80, Dst TCP 1964, Payload


WCCP CONFIGURATION


WCCP NETWORK DIAGRAM


ROUTER WCCP CONFIGURATION

Router# show running
!
ip wccp 20
!
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.56.98 255.255.255.240
 duplex full
!
interface FastEthernet2/0
 description LAN - CLIENT NETWORK
 ip address 10.78.56.209 255.255.255.248
 ip wccp 20 redirect in
 duplex full


PROXYSG WCCP CONFIGURATION


PROXYSG WCCP CONFIGURATION


WCCP DEBUGGING


ROUTER WCCP COMMANDS

CompNet-RT7206-5#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   10.78.56.209
        Protocol Version:                    2.0

    Service Identifier: 20
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group Access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
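The output above shows a service group with no group access-list and no redirect access-list, the two ACL controls mentioned on the earlier "Security" and "Flexibility" slide. The following added example (not part of the original deck, and not Cisco or Blue Coat tooling) parses that output and reports such gaps per service group; the finding codes are hypothetical names, and the embedded sample is an abridged, re-typed copy of the slide's output.

```python
import re

# Constructed input: abridged "show ip wccp" output from the slide above,
# re-typed one field per line so it can be parsed offline.
SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   10.78.56.209
        Protocol Version:                    2.0
    Service Identifier: 20
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Service mode:                        Open
        Redirect Access-list:                -none-
        Group Access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""

# Hypothetical finding codes used only by this example.
CHECKS = {
    "GROUP_ACL_MISSING": "no group access-list restricts which appliances may join",
    "REDIRECT_ACL_MISSING": "no redirect access-list limits the redirected traffic",
    "FAIL_OPEN": "open mode: traffic is forwarded unproxied if no client is usable",
    "AUTH_FAILURES": "WCCP messages failed password authentication",
    "GROUP_DENIED": "messages were denied by the group access-list",
}


def parse_services(text):
    """Return {service_id: {field: value}} from "show ip wccp" output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})   # start a new service block
        elif current is not None and value:
            current[key] = value                       # field of the current service
    return services


def audit(text):
    """Return sorted (service_id, finding_code) pairs for the given output."""
    findings = []
    for sid, f in parse_services(text).items():
        if f.get("Group Access-list") == "-none-":
            findings.append((sid, "GROUP_ACL_MISSING"))
        if f.get("Redirect Access-list") == "-none-":
            findings.append((sid, "REDIRECT_ACL_MISSING"))
        if f.get("Service mode") == "Open":
            findings.append((sid, "FAIL_OPEN"))
        if int(f.get("Total Authentication failures", 0)) > 0:
            findings.append((sid, "AUTH_FAILURES"))
        if int(f.get("Total Messages Denied to Group", 0)) > 0:
            findings.append((sid, "GROUP_DENIED"))
    return sorted(findings)


if __name__ == "__main__":
    for sid, code in audit(SHOW_IP_WCCP):
        print(f"service {sid}: {code}: {CHECKS[code]}")
```

The output does not reveal whether a password is configured; a non-zero authentication-failure or denied-message counter is the only sign in this command that something tried to join and was refused.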


ROUTER WCCP COMMANDS

CompNet-RT7206-5#show ip wccp 20 detail
WCCP Client information:
    WCCP Client ID:          10.78.56.164
    Protocol Version:        2.0
    State:                   Usable
    Redirection:             GRE
    Packet Return:           GRE
    Assignment:              HASH
    Initial Hash Info:       00000000000000000000000000000000
                             00000000000000000000000000000000
    Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                             FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Hash Allotment:          256 (100.00%)
    Packets s/w Redirected:  0
    Connect Time:            00:08:02
    Bypassed Packets
      Process:               0
      CEF:                   0
      Errors:                0


ROUTER WCCP COMMANDS

3560G-Switch-2#sh ip wccp 10 detail
WCCP Client information:
    WCCP Client ID:          10.78.57.214
    Protocol Version:        2.0
    State:                   Usable
    Redirection:             L2
    Packet Return:           GRE
    Packets Redirected:      0
    Connect Time:            00:13:47
    Assignment:              MASK

    Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
    ----- -------    -------    ------- ------- -----
    0042: 0x00000000 0x0000002A 0x0000  0x0000  0x0A4E39D6 (10.78.57.214)
    0043: 0x00000000 0x0000002B 0x0000  0x0000  0x0A4E39D6 (10.78.57.214)
    ........
    0062: 0x00000000 0x0000003E 0x0000  0x0000  0x0A4E39D6 (10.78.57.214)
    0063: 0x00000000 0x0000003F 0x0000  0x0000  0x0A4E39D6 (10.78.57.214)

    WCCP Client ID:          10.78.57.212
    Protocol Version:        2.0
    State:                   Usable
    Redirection:             L2
    Packet Return:           GRE
    Packets Redirected:      0
    Connect Time:            00:05:58
    Assignment:              MASK

    Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
    ----- -------    -------    ------- ------- -----
    0000: 0x00000000 0x00000000 0x0000  0x0000  0x0A4E39D4 (10.78.57.212)
    0001: 0x00000000 0x00000001 0x0000  0x0000  0x0A4E39D4 (10.78.57.212)
    .........


ROUTER WCCP COMMANDS

    WCCP Client ID:          10.78.57.213
    Protocol Version:        2.0
    State:                   Usable
    Redirection:             L2
    Packet Return:           GRE
    Packets Redirected:      0
    Connect Time:            00:03:09
    Assignment:              MASK

    Mask  SrcAddr    DstAddr    SrcPort DstPort
    ----  -------    -------    ------- -------
    0000: 0x00000000 0x0000003F 0x0000  0x0000

    Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
    ----- -------    -------    ------- ------- -----
    0021: 0x00000000 0x00000015 0x0000  0x0000  0x0A4E39D5 (10.78.57.213)
    0022: 0x00000000 0x00000016 0x0000  0x0000  0x0A4E39D5 (10.78.57.213)
    0023: 0x00000000 0x00000017 0x0000  0x0000  0x0A4E39D5 (10.78.57.213)
    ........
    0040: 0x00000000 0x00000028 0x0000  0x0000  0x0A4E39D5 (10.78.57.213)
    0041: 0x00000000 0x00000029 0x0000  0x0000  0x0A4E39D5 (10.78.57.213)
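How the mask and value rows above select a ProxySG, as an added example that is not part of the original deck: each packet's fields are ANDed with the mask row and the result is matched against the value rows. The table holds only the rows visible in the excerpts (elided rows are not filled in), and the client and destination addresses in the demo are constructed.

```python
import ipaddress

# Mask row from the slide: SrcAddr, DstAddr, SrcPort, DstPort.
MASK = (0x00000000, 0x0000003F, 0x0000, 0x0000)

# Value rows copied from the "show ip wccp 10 detail" excerpts; the rows the
# slides elide ("........") are deliberately left out rather than guessed.
VALUE_ROWS = """\
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0A4E39D4 (10.78.57.212)
0001: 0x00000000 0x00000001 0x0000 0x0000 0x0A4E39D4 (10.78.57.212)
0021: 0x00000000 0x00000015 0x0000 0x0000 0x0A4E39D5 (10.78.57.213)
0022: 0x00000000 0x00000016 0x0000 0x0000 0x0A4E39D5 (10.78.57.213)
0023: 0x00000000 0x00000017 0x0000 0x0000 0x0A4E39D5 (10.78.57.213)
0040: 0x00000000 0x00000028 0x0000 0x0000 0x0A4E39D5 (10.78.57.213)
0041: 0x00000000 0x00000029 0x0000 0x0000 0x0A4E39D5 (10.78.57.213)
0042: 0x00000000 0x0000002A 0x0000 0x0000 0x0A4E39D6 (10.78.57.214)
0043: 0x00000000 0x0000002B 0x0000 0x0000 0x0A4E39D6 (10.78.57.214)
0062: 0x00000000 0x0000003E 0x0000 0x0000 0x0A4E39D6 (10.78.57.214)
0063: 0x00000000 0x0000003F 0x0000 0x0000 0x0A4E39D6 (10.78.57.214)
"""


def parse_values(text):
    """Map (src, dst, sport, dport) value tuples to the cache engine IP."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue                       # skip headers and elision markers
        key = tuple(int(p, 16) for p in parts[1:5])
        engine = str(ipaddress.ip_address(int(parts[5], 16)))
        if engine != parts[6].strip("()"):
            raise ValueError(f"CE-IP hex and dotted form disagree: {line}")
        table[key] = engine
    return table


def assign(table, mask, src, dst, sport, dport):
    """Return the engine for a packet, or None if its value row is not listed."""
    fields = (int(ipaddress.ip_address(src)),
              int(ipaddress.ip_address(dst)), sport, dport)
    key = tuple(f & m for f, m in zip(fields, mask))
    return table.get(key)


if __name__ == "__main__":
    table = parse_values(VALUE_ROWS)
    for dst in ("192.0.2.42", "192.0.2.106", "198.51.100.85", "203.0.113.10"):
        print(dst, "->", assign(table, MASK, "1.1.1.10", dst, 1964, 80))
```

With this mask only the low six bits of the destination address matter, so 192.0.2.42 and 192.0.2.106 reach the same appliance whatever the client address or ports.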


PROXYSG WCCP


PROXYSG WCCP DEBUG / LOG COMMANDS

Router# debug ip wccp packets
Router# term mon

WCCP packet info debugging is on
CompNet-RT7206-5#
*Nov 2 23:21:27.665: WCCP-PKT:D20: Sending I_See_You packet to 10.78.56.164 w/ rcv_id 00000026
*Nov 2 23:21:37.665: WCCP-PKT:D20: Sending I_See_You packet to 10.78.56.164 w/ rcv_id 00000027

Router# show log

*Nov 2 15:15:27 PST: %WCCP-5-SERVICEFOUND: Service 20 acquired on WCCP client 10.78.56.164


PROXYSG WCCP STATISTICS

https://10.78.56.164:8082/WCCP/Statistics


PROXYSG PCAP


PROXYSG WCCP DEBUG

https://10.78.56.164:8082/WCCP/debug


REFERENCES


WCCP CLIENT LOSS


THANK YOU FOR JOINING TODAY!

Please provide feedback on this webcast and suggestions for future webcasts to:

[email protected]

Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)


BLUE COAT CUSTOMER FORUMS

New Blue Coat Customer Forums now available

Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers

Research, post and reply to topics relevant to you at your own convenience

Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track

Access at forums.bluecoat.com and register for an account today!
