To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode. To disable the service group, use the no form of this command.
ip wccp [vrf vrf-name] {web-cache | service-number} [service-list service-access-list] [mode {open | closed}] [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password [0 | 7] password]
no ip wccp [vrf vrf-name] {web-cache | service-number} [service-list service-access-list] [mode {open | closed}] [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password [0 | 7] password]
Syntax Description
vrf vrf-name | (Optional) Specifies a virtual routing and forwarding instance (VRF) to associate with a service group.
web-cache | Specifies the web-cache service (WCCP Version 1 and Version 2). Note: Web-cache counts as one of the services. The maximum number of services, including those assigned with the service-number argument, is 256.
service-number | Dynamic service identifier, which means the service definition is dictated by the cache. The dynamic service number can be from 0 to 254. The maximum number of services is 256, which includes the web-cache service specified with the web-cache keyword. Note: If Cisco cache engines are used in the cache cluster, the reverse proxy service is indicated by a value of 99.
service-list service-access-list | (Optional) Identifies a named extended IP access list that defines the packets that will match the service.
mode open | (Optional) Identifies the service as open. This is the default service mode.
mode closed | (Optional) Identifies the service as closed.
group-address multicast-address | (Optional) Specifies the multicast IP address that communicates with the WCCP service group. The multicast address is used by the device to determine which web cache should receive redirected messages.
redirect-list access-list | (Optional) Specifies the access list that controls traffic redirected to this service group. The access-list argument should consist of a string of no more than 64 characters (name or number) in length that specifies the access list.
group-list access-list | (Optional) Specifies the access list that determines which web caches are allowed to participate in the service group. The access-list argument specifies either the number or the name of a standard or extended access list.
password [0 | 7] password | (Optional) Specifies the message digest algorithm 5 (MD5) authentication for messages received from the service group. Messages that are not accepted by the authentication are discarded. The encryption type can be 0 or 7, with 0 specifying not yet encrypted and 7 for proprietary. The password argument can be up to eight characters in length.
Command Default
WCCP services are not enabled on the device.
Command Modes
Global configuration (config)
Command History
Release | Modification
 | This command was introduced.
Cisco IOS XE Bengaluru 17.6.1 | The vrf keyword and vrf-name argument pair were added.
Usage Guidelines
WCCP transparent caching bypasses Network Address Translation (NAT) when Cisco Express Forwarding switching is enabled. To work around this situation, configure WCCP transparent caching in the outgoing direction, enable Cisco Express Forwarding switching on the content engine interface, and specify the ip wccp web-cache redirect out command. Configure WCCP in the incoming direction on the inside interface by specifying the ip wccp redirect exclude in command on the device interface facing the cache. This configuration prevents the redirection of any packets arriving on that interface.
You can also include a redirect list when configuring a service group. The specified redirect list will deny packets with
a NAT (source) IP address and prevent redirection.
This command instructs a device to enable or disable support for the specified service number or the web-cache service name.
A service number can be from 0 to 254. Once the service number or name is enabled, the device can participate in the establishment
of a service group.
Note: All WCCP parameters must be included in a single ip wccp command. For example: ip wccp 61 redirect-list 10 password password.
The vrf vrf-name keyword and argument pair is optional. It allows you to specify a VRF to associate with a service group. You can then specify a web-cache service name or service number.
The same service (web-cache or service number) can be configured in different VRF tables. Each service will operate independently.
When the no ip wccp command is entered, the device terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.
The keywords following the web-cache keyword and the service-number argument are optional and may be specified in any order, but each may be specified only once. The following sections outline the specific usage of each of the optional forms of this command.
ip wccp [vrf vrf-name] {web-cache | service-number} group-address multicast-address
A WCCP group address can be configured to set up a multicast address that cooperating devices and web caches can use to exchange
WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the
configured group (multicast) addresses are received correctly.
This option instructs the device to use the specified multicast IP address to coalesce the "I See You" responses for the
"Here I Am" messages that it has received on this group address. The response is also sent to the group address. The default
is for no group address to be configured, in which case all "Here I Am" messages are responded to with a unicast reply.
ip wccp [vrf vrf-name] {web-cache | service-number} redirect-list access-list
This option instructs the device to use an access list to control the traffic that is redirected to the web caches of the
service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies
which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).
WCCP requires that the following protocol and ports not be filtered by any access lists:
- UDP (protocol type 17) port 2048. This port is used for control signaling. Blocking this type of traffic prevents WCCP from establishing a connection between the device and web caches.
- Generic routing encapsulation (GRE) (protocol type 47 encapsulated frames). Blocking this type of traffic prevents the web caches from ever seeing the packets that are intercepted.
ip wccp [vrf vrf-name] {web-cache | service-number} group-list access-list
This option instructs the device to use an access list to control the web caches that are allowed to participate in the specified
service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list.
The access list itself specifies which web caches are permitted to participate in the service group. The default is for no
group list to be configured, in which case all web caches may participate in the service group.
Note: The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp {web-cache | service-number} group-listen command, but these are entirely different commands. The ip wccp group-listen command is an interface configuration command used to configure an interface to listen for multicast notifications from a cache cluster.
ip wccp [vrf vrf-name] {web-cache | service-number} password password
This option instructs the device to use MD5 authentication on the messages received from the service group specified by the
service name given. Use this form of the command to set the password on the device. You must also configure the same password
separately on each web cache. The password can be up to a maximum of eight characters in length. Messages that do not authenticate
when authentication is enabled on the device are discarded. The default is for no authentication password to be configured
and for authentication to be disabled.
ip wccp service-number service-list service-access-list mode closed
In applications where the interception and redirection of WCCP packets to external intermediate devices for the purpose of
applying feature processing are not available within Cisco IOS software, packets for the application must be blocked when
the intermediary device is not available. This blocking is called a closed service. By default, WCCP operates as an open service,
wherein communication between clients and servers proceeds normally in the absence of an intermediary device. The service-list keyword can be used only for closed mode services. When a WCCP service is configured as closed, WCCP discards packets that
do not have a client application registered to receive the traffic. Use the service-list keyword and service-access-list argument to register an application protocol type or port number.
When the definition of a service in a service list conflicts with the definition received via the WCCP protocol, a warning
message similar to the following is displayed:
Sep 28 14:06:35.923: %WCCP-5-SERVICEMISMATCH: Service 90 mismatched on WCCP client 10.1.1.13
When service list definitions conflict, the configured definition takes precedence over the external definition received via WCCP protocol messages.
Examples
The following example shows how to configure a device to run WCCP reverse-proxy service, using the multicast address of 239.0.0.0:
Device> enable
Device# configure terminal
Device(config)# ip multicast-routing
Device(config)# ip wccp 99 group-address 239.0.0.0
Device(config)# interface ethernet 0
Device(config-if)# ip wccp 99 group-listen
The following example shows how to configure a device to redirect web-related packets without a destination of 10.168.196.51
to the web cache:
Device> enable
Device# configure terminal
Device(config)# access-list 100 deny ip any host 10.168.196.51
Device(config)# access-list 100 permit ip any any
Device(config)# ip wccp web-cache redirect-list 100
Device(config)# interface ethernet 0
Device(config-if)# ip wccp web-cache redirect out
The following example shows how to configure an access list to prevent traffic from network 10.0.0.0 leaving Fast Ethernet
interface 0/0. Because the outbound access control list (ACL) check is enabled, WCCP does not redirect that traffic. WCCP
checks packets against the ACL before they are redirected.
Device> enable
Device# configure terminal
Device(config)# ip wccp web-cache
Device(config)# ip wccp check acl outbound
Device(config)# interface fastethernet0/0
Device(config-if)# ip access-group 10 out
Device(config-if)# ip wccp web-cache redirect out
Device(config-if)# access-list 10 deny 10.0.0.0 0.255.255.255
Device(config-if)# access-list 10 permit any
If the outbound ACL check is disabled, HTTP packets from network 10.0.0.0 would be redirected to a cache, and users with
that network address could retrieve web pages when the network administrator wanted to prevent this from happening.
The following example shows how to configure a closed WCCP service:
Device> enable
Device# configure terminal
Device(config)# ip wccp 99 service-list access1 mode closed
Note:
- If multiple parameters are required, all parameters under ip wccp [vrf vrf-name] {web-cache | service-number} must be configured as a single command.
- If the command is reissued with different parameters, the existing parameter will be removed and the new parameter will be configured.
The following example shows how to configure multiple parameters as a single command:
Device> enable
Device# configure terminal
Device(config)# ip wccp 61 group-address 10.0.0.1 password 0 password mode closed redirect-list 121
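The defaults described under Usage Guidelines (no group list means all web caches may participate, no password means authentication is disabled, service-list applies only to closed mode) can be checked mechanically across a saved configuration. The following Python script is an added example, not Cisco code; the function names, the VRF name blue, and the sample configuration are constructed for illustration.

```python
OPTS = {"service-list", "mode", "group-address", "redirect-list", "group-list", "password"}

def parse_ip_wccp(line):
    """Added example (hypothetical helper): parse a global 'ip wccp' line, else None."""
    tok = line.split()
    if tok[:2] != ["ip", "wccp"]:
        return None
    tok, cfg = tok[2:], {"vrf": None, "pw_type": None}
    if tok[:1] == ["vrf"] and len(tok) >= 2:
        cfg["vrf"], tok = tok[1], tok[2:]
    if not tok or not (tok[0] == "web-cache" or tok[0].isdigit()):
        return None                      # e.g. "ip wccp check acl outbound"
    cfg["service"], tok = tok[0], tok[1:]
    while tok:
        key = tok[0]
        if key not in OPTS or key in cfg or len(tok) < 2:
            return None                  # interface form, repeated keyword, or missing value
        if key == "password" and len(tok) > 2 and tok[1] in ("0", "7"):
            cfg["pw_type"], tok = tok[1], [key] + tok[2:]
        cfg[key], tok = tok[1], tok[2:]
    return cfg

def audit(cfg):
    """Return findings for one parsed service line, using the documented defaults."""
    out = []
    if "password" not in cfg:
        out.append("no password: MD5 authentication disabled")
    elif cfg["pw_type"] != "7":
        out.append("password in clear text on the line")
        if len(cfg["password"]) > 8:
            out.append("password longer than eight characters")
    if "group-list" not in cfg:
        out.append("no group-list: any web cache may join")
    if "service-list" in cfg and cfg.get("mode") != "closed":
        out.append("service-list used without mode closed")
    return out

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
ip wccp web-cache redirect-list 100
ip wccp 61 group-list 15 password 7 EXAMPLEONLY
ip wccp vrf blue 99 service-list access1 mode closed group-list 15 password 0 secretpw
ip wccp check acl outbound
interface ethernet 0
 ip wccp web-cache redirect out
"""

def audit_config(text):
    """Map each global 'ip wccp' line in a configuration to its findings."""
    parsed = ((l.strip(), parse_ip_wccp(l)) for l in text.splitlines())
    return {line: audit(cfg) for line, cfg in parsed if cfg}
```

Calling audit_config(SAMPLE) returns one entry per global service line; interface-level forms such as redirect out and group-listen are skipped.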