WCCP Reference Guide.8

Blue Coat Systems
Reference Guide
WCCP Reference Guide
For SGOS 6.5.x and later
Contact Information
Americas:
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
http://www.bluecoat.com/contact/customer-support
http://www.bluecoat.com
For concerns or feedback about the documentation:
[email protected]
2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER,
CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9,
DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS,
WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW
EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9,
and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks
of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not
be complete, and the absence of a trademark from this list does not mean it is not a trademark of
Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned
in this document owned by third parties are the property of their respective owners. This
document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES,
AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT
TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND
REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN
OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS,
REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE
RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT
MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR
IMPORT AFTER DELIVERY TO YOU.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:

Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
Document Number: 231-02966

Document Revision: WCCP Reference GuideSGOS 6.5/2014
ii
Table of Contents
WCCP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Using WCCP with the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
WCCP Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Service Group Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Service Group Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Service Group Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
What Gets Redirected? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
How Do the Router and ProxySG Exchange Traffic? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
GRE Forwarding and Return . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
L2 Forwarding and Return . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Router Affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Which ProxySG Receives the Redirected Traffic? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Load Balancing Weights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Automatic Redistribution of Loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Hash Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Mask Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Configuring WCCP on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Enabling WCCP and Defining the Service Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Defining the Router Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Defining the Unicast Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Defining a Multicast Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Filtering Traffic for Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Filtering Which Web Caches Can Join the Service Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Securing the Service Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Applying Service Group Redirection to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Configuring Inbound Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Configuring Outbound Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Configuring WCCP on the ProxySG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Enabling WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Enabling WCCP From the Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Enabling WCCP From the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Creating the Service Group Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Defining the Service Group and Applying it to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Defining the Protocol and Ports to Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Defining the Forwarding and Return Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Enabling Router Affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Defining the Home Router Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Defining the Assignment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
iii
Table of Contents
Securing the Service Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Verifying the WCCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Verifying the WCCP Configuration from the Management Console . . . . . . . . . . . . . . . . . . . . . . 35
Verifying the WCCP Configuration from the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Modifying the WCCP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Disabling WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Disabling WCCP From the Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Disabling WCCP From the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
WCCP Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Basic WCCP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Web-Cache Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
ADN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
L2 Forwarding and GRE Return Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Router Affinity Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Secure Service Group Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Redirect Specific Traffic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Multiple Service Group Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Load Balancing Using Hash Assignment Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Hotspot Detection Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Load Balancing Using Unequal Loads Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Load Balancing Using Mask Assignment Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Single ProxySG Multiple Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Multicast Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Client IP Reflection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
LAN/WAN Traffic Segregation Using VLANs Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Monitoring and Troubleshooting WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Service Group States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Viewing ProxySG Service Group Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Viewing Service Group Statistics from the Management Console . . . . . . . . . . . . . . . . . . . . . . . . 72
Viewing Service Group Statistics from the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Viewing Router Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Why Dont My Configuration Changes Take Effect?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Tested Platform Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
iv
Table of Contents
WCCP Command Quick Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Router WCCP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
ProxySG WCCP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Installing the WCCP Configuration on the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Installing the Configuration from the Management Console Text Editor . . . . . . . . . . . . . . . . . . . .89
Installing the Configuration from a Local File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Installing the Configuration from a Remote URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Installing the Configuration from the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Table of Contents
vi
List of Figures
Figure 1-1
A Simple ProxySG WCCP Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Figure 1-2
Multiple Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Figure 1-3
Service Group Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Figure 1-4
Determining What Traffic to Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Figure 1-5
GRE Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Figure 1-6
L2 Forwarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Figure 1-7
Load Balancing Weights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Figure 1-8
Automatic Redistribution of Loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Figure 1-9
Hash Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Figure 1-10 Mask Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

Figure 4-1
Basic WCCP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40
Figure 4-2
Web-Cache Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
Figure 4-3
Virtually In-Path ADN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-42
Figure 4-4
L2 Forwarding and Return Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45
Figure 4-5
Router Affinity Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Figure 4-6
Secure Service Group Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Figure 4-7
Redirection of Specific Protocol and Ports Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49
Figure 4-8
Multiple Service Groups Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50
Figure 4-9
Load Balancing Using Hash Assignment Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52
Figure 4-10 Load Balancing Using an Alternate Hash Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54

Figure 4-11 Load Balancing Using Unequal Weights Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-56
Figure 4-12 Service Group with Multiple Routers and a Single ProxySG Example . . . . . . . . . . . . . . . . . . . . . . . 4-61
Figure 4-13 Client IP Reflection Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-65
Figure 4-14 WCCP VLAN Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-67
vii
List of Figures
viii
WCCP Concepts
The Web Cache Communication Protocol (WCCP) is a Cisco-developed protocol that allows certain Cisco
routers and switches to transparently redirect traffic to a cache engine such as a ProxySG appliance. This
chapter describes the WCCP concepts that you will need to understand in order to deploy WCCP on your
ProxySG appliances.
This chapter includes the following topics:
Using WCCP with the ProxySG on page 2
WCCP Service Groups on page 3
What Gets Redirected? on page 6
How Do the Router and ProxySG Exchange Traffic? on page 7
Which ProxySG Receives the Redirected Traffic? on page 10
Getting Started on page 12

Note
Blue Coat recommends use of WCCP version 2. WCCP is available

on select Cisco routers and switches only. Additionally, not every
WCCP-capable router supports the same versions and feature sets.
Before you begin configuring WCCP, check the documentation
that came with your router/switch to ensure that it supports
WCCP version 2 and that the WCCP features you plan to use are
supported on the specific platforms and IOS versions you are
running.
Using WCCP with the ProxySG
WCCP Concepts
Using WCCP with the ProxySG

When the ProxySG appliance is not in the physical path of clients and servers, it must rely on an external
deviceeither a Layer 4 (L4) switch or a WCCP-capable routerto redirect packets to it for transparent
proxy services. This type of deployment is known as a virtually in-path deployment. WCCP is the
recommended virtually in-path deployment because it provides the following advantages:
Scalability and Load Balancing Traffic can be automatically distributed to up to 32 ProxySG

appliances. If one ProxySG goes down, traffic is automatically redistributed across the other ProxySG
appliances in the group.
Security You can password-protect the WCCP service group so that only authorized appliances can
join. Additionally, you can configure access control lists (ACLs) on the router to restrict access to specific
ProxySG appliances only.
Failover In the event that there are no ProxySG appliances available for traffic redirection, the router
forwards the traffic to the original destination address.
Flexibility You control exactly what traffic to redirect and how to redirect it. You can redirect all
traffic entering or exiting a router interface; you can filter traffic using ACLs; or, you can define specific
protocol and ports to redirect.
In transparent proxy deployments, the client does not know that it is interacting with a ProxySG rather than
the origin content server (OCS). Therefore, the packet from the client is addressed to the OCS. The router
inspects the traffic on WCCP-enabled interfaceseither inbound or outbound depending on the
configurationand determines whether to redirect it based on the rules that have been agreed upon by the
router and the ProxySG appliance(s).
The process works as follows:
1. The client sends a packet addressed for the OCS.
2. The WCCP-enabled router redirects the packet to the ProxySG.
3. The ProxySG determines what to do with it based on the transparent proxy services that have been
configured for the traffic type. If it cannot service the request locally (for example by returning a page
from its local cache), it sends a request to the specified OCS on behalf of the client.
4. The OCS response is routed (or redirected depending on the configuration) back to the ProxySG.
5. The ProxySG then forwards the response back to the client.
Figure 1-1 illustrates this process:
Figure 1-1
A Simple ProxySG WCCP Exchange
WCCP Concepts
WCCP Service Groups
WCCP Service Groups

A service group unites one or more routers/switches with one or more caching devices (ProxySG
appliances in this case) in a transparent redirection scheme governed by a common set of rules. The service
group members agree on these rules initially by announcing their specific capabilities and configurations
to each other in WCCP protocol packets as follows:
1. The ProxySG appliance sends out a Here I Am (WCCP2_HERE_I_AM) message to the routers in the
group. These messages include a description of the service group that the ProxySG wants to join,
including the protocol, ports to redirect, method to use to forward and return packets to each other, and
load balancing instructions.
2. The routers respond with an I See You (WCCP2_I_SEE_YOU) message that includes a Receive ID as
well as a list of WCCP capabilitiessuch as forwarding/return methods or load balancing schemes
that the router supports.
3. The ProxySG appliance responds with another Here I Am message in which it reflects the Receive ID
that was sent in the I See You message from the router. In addition, the ProxySG examines the
capabilities advertised by the router and, if its configuration specifies a capability that has not been
advertised, it will abandon its attempt to join the service group. If the capabilities it is configured to use
are advertised, it will select the capabilities it wants to use and will send them back to the router in
another Here I Am message.
4. The router inspects the capabilities that the ProxySG selected and, if the capabilities are supported, the
router accepts the ProxySG as compatible and adds it to the service group. The router responds to all
ProxySG appliances that it has accepted with I See You messages that include a listing of all ProxySG
appliances in the service group (called the router view).
5.
Each ProxySG in the group periodically sends out Here I Am messages to the routers in the group to
maintain its service group membership. If a router doesnt receive a Here I Am message from a
ProxySG in the group within the designated time-out interval, it removes the ProxySG from the service
group and sends out an I See You with an updated router view.
Note that the router and the switch can participate in multiple service groups as illustrated in Figure 1-2.
Figure 1-2
Multiple Service Groups
WCCP Service Groups
WCCP Concepts
Service Group Types

The service group configuration defines what type of traffic the routers in the group should redirect and
how to handle the redirected traffic. There are two types of service groups:
Well-known service groups have a fixed set of traffic types and other characteristics that are known by
the routers and the ProxySG appliances in the service group. Currently there is only one well-known
service, web-cache, which redirects all TCP traffic with a destination port of 80.
Dynamic service groups have characteristics that must be negotiated between the ProxySG and the
routers. As soon as WCCP is enabled on the routers and the ProxySG appliances with the same service
group identifier, the ProxySG appliances will begin advertising themselves and the WCCP services that
have been configured for the group. If the router supports the capabilities that the ProxySG appliance
advertises, the dynamic service group forms. The router maintains a list of all ProxySG appliances that
are a part of the service group.
Service Group Addressing

In order to establish and maintain a service group, the ProxySG appliances and routers must be able to
communicate. The devices can communicate using unicast addresses or using a multicast group address.
All devices in the group must be configured to use the same service group addressing. Each address type
is described in Table 1-1.
Table 1-1
WCCP Service Group Addressing
Service Group
Addressing
Description
Unicast
With unicast addressing, each ProxySG must be configured with the IP

addresses of all routers in the service group. The ProxySG will then send
unicast Here I Am messages to each router in order to establish and
maintain membership in the group. With unicast addressing, you will need
to reconfigure each ProxySG whenever you add or remove a router from the
group. In addition, as the number of devices in the group increases, so will
the amount of WCCP traffic because each ProxySG will need to send
individual messages to each router in the group rather than sending out a
single, multicast message.
Multicast
With multicast addressing, the routers and ProxySG appliances in the service
group communicate using a single IP address in the range of 224.0.0.0 to
239.255.255.255. To configure this, each ProxySG and each router in the group
must be configured with the multicast IP address. Note that if the WCCP
routers and/or ProxySG appliances are more than one hop apart, IP
multicast routing must also be enabled on the intervening routers.
WCCP Concepts
WCCP Service Groups
Service Group Access Control

By default, when you configure a WCCP service group on one or more routers and one or more ProxySG
appliances and enable WCCP on the devices, the devices will automatically begin communicating and
trying to form a service group. There are two ways to restrict which ProxySG appliances can join a service
group:
You can define an ACL on the router that permits or denies specific ProxySG appliances and then
associate the ACL with the service group. For more information, see "Filtering Which Web Caches Can
Join the Service Group" on page 18.
You can define an MD5 password on the ProxySG appliances and the routers that are authorized to join
the service group so that a ProxySG appliance must authenticate before it is allowed to join the group.
For instructions on how to set the password on the router, see "Securing the Service Group" on page 18.
For instructions on how to set the password on the ProxySG, see "Securing the Service Group" on page 35.
Figure 1-3
Service Group Access Control
What Gets Redirected?
WCCP Concepts
What Gets Redirected?

When you configure the router and the ProxySG in a service group, you define the characteristics of the
traffic that gets redirected. Without any configuration, all traffic gets redirected. However, you can use the
following to configure the service group to redirect a specific set of traffic:
Router Redirect Lists On the router, you can set up ACLs that filter the packets to be redirected. For
example, if you didnt want to redirect traffic from a specific host, you could create an ACL that denies
traffic from the host and permits traffic from all other hosts and then associate the ACL with a redirect
list in the routers service group configuration. For instructions, see "Filtering Traffic for Redirection" on
page 17.
ProxySG WCCP Settings On the ProxySG, you can define specific port numbers and the protocol to
redirect. When the router receives a packet on an interface that is configured for redirection, it examines
the packet header to determine whether the port numbers and protocol match those defined for the
service groups that have been applied to the interface. If the traffic matches the service group
characteristics, the router redirects it to the ProxySG. Otherwise, it performs a normal routing table
lookup and forwards the packet to its destination. For instructions, see "Defining the Protocol and Ports
to Redirect" on page 25.
Figure 1-4
Determining What Traffic to Redirect
WCCP Concepts
How Do the Router and ProxySG Exchange Traffic?

Because WCCP is used in transparent proxy deployments, the packets that the router intercepts use the
destination address of the OCS rather than that of the ProxySG. Therefore, the router must transmit the
packet to the ProxySG, yet still maintain the original characteristics of the packet so that the ProxySG will
know what to do with it. When you configure the ProxySG, you specify a forwarding method that defines how
the router will forward packets to the ProxySG and a return method that defines how the ProxySG will return
packets back to the router. By default, the return method specifies how the ProxySG will return packets that
it bypasses. However, with router affinity enabled, the ProxySG will also return packets for intercepted
traffic back to the router using the specified return method.
The ProxySG supports two forwarding and return methods as described in the following sections:
GRE Forwarding and Return on page 7
L2 Forwarding and Return on page 8
Router Affinity on page 9

Note
Not all routers/switches support all forwarding and return

methods. See "Tested Platform Configurations" on page 78 for a list
of the Cisco platforms that Blue Coat has tested with the ProxySG
WCCP feature. Additionally, on some routers, separate methods
are supported for forwarding and return. In SGOS version 5.4,
GRE/GRE, L2/L2, and L2/GRE forward/return are supported.
GRE Forwarding and Return

With Generic Routing Encapsulation (GRE) forwarding, the router encapsulates the redirected packet in an
additional IP header that shows the router address as the source IP address and the IP address of the
ProxySG as the destination IP address. When the ProxySG receives the packet, it strips the outside header
and then determines how to process the request, either forwarding the request on to the OCS or servicing
it locally. Similarly, with GRE return, the ProxySG encapsulates the packet in an additional IP header that
shows the ProxySG address as the source IP address and the IP address of the router as the destination IP
address. When the router receives the packet, it strips the outside header and then forwards the packet.
Note that if you choose GRE forwarding you must also use GRE return.
Note
The ProxySG and the router use a reduced maximum transmission

unit (MTU) for the GRE packet.
For instructions on configuring GRE forwarding and return, see "Defining the Forwarding and Return
Method" on page 27.
Figure 1-5
WCCP Concepts
GRE Forwarding
L2 Forwarding and Return

With Layer 2 (L2) forwarding the router rewrites the destination MAC address of the intercepted packet to
the MAC address of the ProxySG to which it is redirecting the packet. Similarly, with L2 return, the ProxySG
rewrites the destination MAC address of the bypassed packet to the MAC address of the router to which it
is returning the packet. L2 forwarding is faster than GRE forwarding because the forwarding is done at the
hardware level and doesnt require encapsulating and decapsulating the packet at Layer 3. However, to use
L2 forwarding, the ProxySG and the routers in the service group must all be on the same L2 broadcast
domain (that is, there cannot be more than one hop between them). In addition, L2 forwarding is only
supported on hardware-based switching platforms, such as the Catalyst series.
To determine whether L2 forwarding and return is supported on your hardware platform, refer to your
router documentation. Also see "Tested Platform Configurations" on page 78 for a list of the Cisco platforms
on which Blue Coat has tested L2 forwarding with the ProxySG. If you configure a forwarding or return
method that is not supported by your WCCP-enabled routers/switches, the service group will fail to form.
Note also that some routers/switches that support L2 forwarding do not support L2 return. In this case, you
can use L2 forwarding and GRE return.
For instructions on setting up L2 forwarding and return, see "Defining the Forwarding and Return Method" on
page 27.
Figure 1-6
L2 Forwarding
WCCP Concepts
Router Affinity
By default, the ProxySG uses the configured return method to return bypassed traffic to the router that
redirected it and uses regular routing table lookups to determine the next hop for intercepted traffic. With
router affinity, the ProxySG also uses the configured return method to return intercepted client- and/or
server-bound traffic to the WCCP router that redirected it, bypassing the routing table lookup. This is a
useful feature if you have routing policies that may prevent your client- and/or server-bound traffic from
reaching its destination and simplifies the ProxySG configuration process by eliminating the need to
replicate these policies on the ProxySG. It is also useful in configurations where you have multiple home
routers or where your WCCP router is multiple hops away from the ProxySG because it ensures that the
traffic is always returned to the same WCCP router that redirected it. Keep in mind, however, that enabling
this feature unnecessarily when using GRE return does add additional CPU overhead on the router due to
the need to decapsulate the GRE packets. In addition, the ProxySG and the router use a reduced maximum
transmission unit (MTU) for GRE packets, which reduces the amount of data that can be transferred per
packet.
Which ProxySG Receives the Redirected Traffic?
WCCP Concepts

For every service group, you must configure the way the router determines the ProxySG to which to redirect
a given packet. To do this you set an assignment type on the ProxySG. When the service group is formed, the
ProxySG with the lowest IP address automatically becomes the designated cache (and if there is only one
ProxySG in the service group, it is automatically the designated cache). The designated cache is responsible
for communicating the assignment settings to the router, that is which ProxySG should be assigned a
particular packet.
The ProxySG supports two assignment types as described in the following sections:
Hash Assignment on page 11
Mask Assignment on page 11
Load Balancing Weights

Whichever assignment type you choose, each ProxySG in the service group is assigned roughly an even
percentage of the load by default. However, you can override this behaviorfor example if you have
ProxySG appliances in the same service group that have different load capacitiesby assigning a weight
value to each ProxySG in the group. ProxySG appliances with higher weight values receive a higher
proportion of the redirected traffic than ProxySG appliances with lower weight values. For example,
suppose you have assigned the following weight values: ProxySG1=100, ProxySG2=100, and ProxySG3=50
respectively. The total weight value is 250, and so ProxySG1 and ProxySG2 will each receive 2/5 of the
traffic (100/250) and ProxySG3 will receive 1/5 of the traffic (50/250).
Figure 1-7
Load Balancing Weights
Automatic Redistribution of Loads

If a ProxySG in the group becomes unavailable, the load will automatically be redistributed across the
remaining ProxySG appliances.
Figure 1-8
10
Automatic Redistribution of Loads
WCCP Concepts
Hash Assignment
With hash assignmentthe default assignment methodthe designated cache assigns each ProxySG in the
service group a portion of a 256-bucket hash table and communicates the assignment to the routers in the
group. When the router receives a packet for redirection, it runs the hashing algorithm against one or more
of the fields in the packet header to determine the hash value. It then compares the value to the hash
assignment table to see which ProxySG is assigned to the corresponding bucket and then forwards the
packet to that appliance. When you configure the service group on the ProxySG appliances, you specify
which field(s)destination IP address, destination port, source IP address, and/or source portshould be
used to calculate the hash value.
Because all of the packets are hashed using the same fields and algorithm, it is possible that one of the
ProxySG appliances in the group can become overloaded. For example, if you have a large proportion of
traffic that gets sent to the same server and you are using the destination IP address to run the hashing
function, it is possible that the bulk of the traffic will be redirected to the same ProxySG. Therefore, you can
configure an alternate field or group of fields to use to run the hashing algorithm. The router will then use
this alternate hashing algorithm if the number of GRE packets or MAC addresses (depending on the
forwarding method youre using) redirected to a given ProxySG exceeds a certain number.
By default, each ProxySG in the service group is assigned roughly an even percentage of the 256-bucket
hash table. However, you can override this behavior by configuring a hash-weight value to adjust the
proportion of the hash table that gets assigned to the ProxySG.
For instructions on configuring hash assignment, see "Configuring Hash Assignment" on page 31.
Figure 1-9
Hash Assignment
Mask Assignment
With mask assignment, each router in the service group has a table of masks and values that it uses to
distribute traffic across the ProxySG appliances in the service group. When the router receives a packet, it
performs a bitwise AND operation between the mask value and the field of the packet header that is
designated in the ProxySG mask assignment configuration. It then compares the result against its list of
values for each mask; each value is assigned to a specific ProxySG in the service group.
For instructions on configuring mask assignment, see "Configuring Mask Assignment" on page 33.
Figure 1-10
Mask Assignment
11
Getting Started
WCCP Concepts
Getting Started
To configure WCCP on your routers and ProxySG appliances, you must complete the following steps:
1. Plan your service group:
2.
3.
Decide which routers and which ProxySG appliances will work together in the redirection
scheme. Make sure that the routers that you plan to use to redirect traffic support WCCP
Version 2.
Decide what traffic you want to redirect. Do you want to redirect all traffic, or just a specific
protocol or ports? Do you want to exclude certain hosts or traffic from redirection?
Decide what forwarding and return methods you plan to use. Make sure that all of the routers in
the service group support the methods you choose.
Decide how the router will assign a specific redirected packet to a ProxySG. Make sure the
router(s) in the service group support the assignment method you plan to use. If there is more
than one ProxySG in the service group, decide whether you want to distribute traffic equally, or if
you want to assign varying weights.
Configure the routers. At a minimum, you must do the following:
Create the service group and enable WCCP on the router. See "Enabling WCCP and Defining the
Service Group" on page 14.
Apply the service group to the router interface where the traffic you want to redirect is entering or
exiting. See "Applying Service Group Redirection to an Interface" on page 19.
If youre using multicast addressing, define the group address. See "Defining a Multicast Address"
on page 16.
Configure the ProxySG appliances:
Enable WCCP. See "Enabling WCCP" on page 22.
Define the service groups. When you create the service group settings on the ProxySG, you define
the particulars of the redirection scheme, such as the address of the routers that will be
intercepting traffic, the type of traffic to redirect, and the forwarding and return methods that the
routers and the ProxySG appliances will use to exchange packets. See "Creating the Service Group
Configuration" on page 23.
4.
Verify that the service group forms and that redirection begins. See "Verifying the WCCP Configuration"
on page 36.
12
Configuring WCCP on the Router
This chapter describes how to configure WCCP on the router. It includes the following sections:
Enabling WCCP and Defining the Service Group on page 14
Defining the Router Address on page 15
Filtering Traffic for Redirection on page 17
Filtering Which Web Caches Can Join the Service Group on page 18
Securing the Service Group on page 18
Applying Service Group Redirection to an Interface on page 19
13
Enabling WCCP and Defining the Service Group
Enabling WCCP and Defining the Service Group

Use the following procedure to enable WCCP on the router and define the service group.
ROUTER CONFIGURATIONENABLE WCCP AND DEFINE THE SERVICE GROUP
Step 1. Ensure that the router is running
Router>enable
WCCP Version 2 (this is the default). Router#configure terminal
Router(config)#ip wccp version 2
Step 2 Enable WCCP and specify the
service group ID or keyword.
Router(config)#ip wccp 90
Step 3 Save the configuration.
Router(config)#exit
Router#copy running-config startup-config
14
Defining the Router Address

With WCCP Version 2, routers and ProxySG appliances in a service group can either communicate directly
using unicast addresses, or they can communicate to all members of the service group simultaneously using
a multicast group address. Whether you use unicast or multicast addressing, you must ensure that the
address you configure on the ProxySG appliances matches what is configured on the router.
On the ProxySG, you will need to configure the router address (either the unicast or multicast address) as
a home-router in the service group. For instructions on configuring the home-router on the ProxySG, see
"Defining Unicast Router Addresses" on page 29.
The following sections describe how to define the address on the router.
Defining the Unicast Address on page 15
Defining a Multicast Address on page 16
Defining the Unicast Address

In most cases, the router will already have one or more IP addresses assigned to it. You do not need to do
any further configuration.
If the router does not yet have an IP address, use the following procedure to configure one on the
interface(s) that will be redirecting traffic and the interface that is connected to the ProxySG.
ROUTER CONFIGURATIONDEFINE A UNICAST ADDRESS
Step 1. Go to the router interface.
Router>enable
Router#configure terminal
Router(config)#interface gigabitEthernet2/1
Step 2 Set the IP address and subnet mask

for the interface.
Router(config-if)#ip address 10.1.0.1

255.255.255.0
Step 3 Enable the interface.
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Note
For best results, attach the ProxySG to a router interface that is not
used for redirection.
15
Defining a Multicast Address

There are a couple of reasons why it is advantageous to use multicast in your service groups:
It reduces the amount of WCCP protocol traffic that is running on your network.
You can add and remove ProxySG appliances and/or routers to the service group at any time without
having to reconfigure the other group members.
Note
If you are having trouble getting your WCCP configuration to

work, consider using unicast addressing rather than multicast
addressing.
Use the following procedure to define a multicast address for a service group on the router.
ROUTER CONFIGURATIONDEFINE A MULTICAST ADDRESS
Step 1. Go to global configuration mode.
Router>enable
Step 2 Enable multicast routing.
Router(config)#ip multicast-routing
Note
If there are any intervening routers

between this router and the ProxySG
appliances, you will also need to
enable multicast routing on those
routers.
Step 3 Define the multicast address for the Router(config)#ip wccp 90 group-address
service group. The multicast address 224.1.1.103
must be in the range 224.0.0.0 to
239.255.255.255.
Step 4 Go to the interface that is connected Router(config)#interface gigabitEthernet2/1
to the ProxySG.
Step 5 Enable the WCCP multicast group
address on the interface.
Router(config-if)#ip wccp 90 group-listen
Step 6 (optional) On Catalyst 6500 series

Router(config-if)#ip pim sparse-mode
switches and Cisco 7600 series
routers, you must also enable
Protocol Independent Multicast
(PIM) on the interface in order for
multicast addressing to work
properly on the service group. Refer
to your router documentation for
more information on PIM.
Router(config)#exit
16
Filtering Traffic for Redirection
Filtering Traffic for Redirection

You can use an access control list (ACL) to control what traffic gets redirected using WCCP. To do this, you
must define the ACL that filters the traffic and then associate the ACL with the router WCCP
redirect-list command. For example, you might have specific hosts on your network that you do not
want proxied. In this case, you could create an ACL that denies that particular host and allows all other
hosts. You can then apply the ACL to the WCCP service group.
Note
Router ACL support varies from platform to platform. Some

routers do not support deny rules in ACLs; other routers do not
support ACLs at all. Refer to your router/switch documentation to
determine whether ACLs are supported on your specific platform.
Note that there are two types of traffic you must not filter using a redirect list. If you do, WCCP will not
work:
UDP The router and the ProxySG communicate over UDP and blocking UDP traffic will prevent the
service group from forming.
GRE If you block the Generic Routing Encapsulation (GRE) protocol and you are using GRE
forwarding, the ProxySG will not see the redirected packets.
Use the following procedure to configure filtering of traffic to be redirected using an ACL. Note that you
must define the ACL before you associate it with a WCCP redirect list.
ROUTER CONFIGURATIONFILTER TRAFFIC FOR REDIRECTION
Router>enable
Step 2 Create the ACL to permit or deny

specific traffic.
For example, if you want to redirect all traffic except traffic

from host 10.1.0.43 you would enter the following
commands:
Router(config)#access-list 103 deny ip any host
10.1.0.43
Router(config)#access-list 103 permit ip any any
Note
For detailed instructions on how to

create an ACL, refer to your router
documentation.
Step 3 Associate the ACL with a WCCP

redirect list.
Router(config)#ip wccp 90 redirect-list 103
Router(config)#exit
17
Filtering Which Web Caches Can Join the Service Group
Filtering Which Web Caches Can Join the Service Group

You can use router ACLs to define which ProxySG appliances are allowed to join a particular service group.
The easiest way to do this is to define a standard ACL that permits access for the specific ProxySG
appliances you want to allow in the group (the implicit deny rule in the ACL will deny access to all other
hosts automatically).
Use the following procedure to restrict service group access to a specific set of caches based on an ACL.
ROUTER CONFIGURATIONFILTER WEB CACHE SERVICE GROUP MEMBERSHIP
Router>enable
Step 2 Create the ACL to permit or deny

specific ProxySG appliances.
Router(config)#access-list 3 permit 10.1.1.5

0.0.0.255
Note
For detailed instructions on how to

create an ACL, refer to your router
documentation.
Step 3 Associate the ACL with the service

group group-list.
Router(config)#ip wccp 90 group-list 3
Router(config)#exit
Securing the Service Group

For added security, you can configure MD5 authentication between the ProxySG appliances and the routers
in the group. When authentication is enabled, a ProxySG will not be allowed to join the service group unless
it knows the password. To configure authentication, you must define the same password on all routers and
all ProxySG appliances in the service group.
The following procedure describes how to set the password on the router. For instructions on how to set the
password on the ProxySG appliances in the service group, see "Securing the Service Group" on page 35.
ROUTER CONFIGURATIONENABLE MD5 AUTHENTICATION
Router>enable
Step 2 Define a password (up to 8 characters)

for the service group. This command
must also include the encryption type,
which can be 0 (indicating that
password is not yet encrypted) or 7
(indicating that the password is
encrypted using a Cisco-proprietary
encryption algorithm).
Router(config)#ip wccp 90 password 0 $abc123
Router(config)#exit
18
Applying Service Group Redirection to an Interface

After you define a service group, you must apply the service group configuration to an interface before the
router can begin intercepting traffic. The router can intercept traffic as it enters the router (inbound) or as it
leaves the router (outbound). In most cases you will want to intercept the traffic as it enters the router, which
speeds up the redirection process because it happens before the routing table lookup. However, the decision
about where to apply the redirection really depends on your network topology and the specific capabilities
of the routers/switches on which youre running WCCP.
The following sections describe how to apply service group redirection to an interface:
Configuring Inbound Redirection on page 19
Configuring Outbound Redirection on page 19
Configuring Inbound Redirection

Use the following procedure to enable inbound redirection on an interface.
ROUTER CONFIGURATIONCONFIGURE INBOUND REDIRECTION
Step 1. Go to interface configuration mode
on the interface where you want to
enable inbound redirection.
Router>enable
Step 2 Enable redirection for the service

group.
Router(config-if)#ip wccp 90 redirect in
Router(config)#exit
Configuring Outbound Redirection

Use the following procedure to enable outbound redirection on an interface.
ROUTER CONFIGURATIONCONFIGURE OUTBOUND REDIRECTION
Step 1. Go to interface configuration mode
on the interface where you want to
enable outbound redirection.
Router>enable
Step 2 Enable redirection for the service

group.
Router(config-if)#ip wccp 90 redirect out
19
ROUTER CONFIGURATIONCONFIGURE OUTBOUND REDIRECTION (CONTINUED)

Step 3 If you are using outbound
redirection in a client IP reflection
configuration, you must also
Router(config-if)#ip wccp redirect exclude in
exclude the interface where the
router connects to the ProxySG from
redirection. This protects ProxySG
traffic from redirection.
20
Router(config)#exit
Configuring WCCP on the ProxySG
This chapter provides procedures for configuring WCCP on the ProxySG. If you are not yet familiar with
the WCCP features, see Chapter 1, WCCP Concepts.
You must configure the required WCCP settings on the cooperating routers before you configure the
ProxySG. If you have not yet configured your WCCP routers/switches, see Chapter 2, Configuring WCCP
on the Router for instructions.
This chapter includes the following topics:
Enabling WCCP on page 22
Creating the Service Group Configuration on page 23
Verifying the WCCP Configuration on page 36
Modifying the WCCP Configuration on page 38
Disabling WCCP on page 39
21
Enabling WCCP
Enabling WCCP
You can enable WCCP from the Management Console or from the CLI as described in the following
sections:
Enabling WCCP From the Management Console on page 22
Enabling WCCP From the CLI on page 22
Enabling WCCP From the Management Console

Use the following procedure to enable WCCP from the Management Console. You must enable WCCP
before you can create your service group settings from the Management Console.
PROXYSG CONFIGURATIONENABLE WCCP FROM THE MANAGEMENT CONSOLE
Step 1 Start the Management Console.
In a browser, go to the following URL:
Refer to the release notes for the recommended https:<ProxySG_IP_Address>:8082

JRE version for your software.
Step 2 Go to the WCCP tab in the Management
Console.
From within the Management Console, select

Configuration > Network > WCCP.
Step 3 Enable WCCP.
a.
Note
Select Enable WCCP. As soon you enable

WCCP, the WCCP Configuration fields
become active.
b. Create your service groups as described in
"Creating the Service Group Configuration" on
When you enable WCCP, the ProxySG will start
page 23.
negotiating any service groups that you have
c. When you are done creating your service
previously configured. The status for each
groups click Apply to save your
service group will show in the State field. For a
configuration and enable WCCP.
description of the status fields, see "Service
Group States" on page 70.
Enabling WCCP From the CLI

Use the following procedure to enable WCCP from the CLI.
PROXYSG CONFIGURATIONENABLE WCCP FROM THE CLI
Step 1 Log in to the ProxySG CLI and enter configure
terminal mode.
login as: admin

[email protected]'s password:
Blue Coat SG200>en
Enable Password:
Blue Coat SG200#conf t
Blue Coat SG200#(config)
Step 2 Enable WCCP.
Blue Coat SG200#(config)wccp enable
22
Creating the Service Group Configuration

The service group configuration defines what type of traffic the routers in the group should redirect and
how to handle the redirected traffic. The following sections describe how to create the service group, define
its characteristics, and apply the configuration to a ProxySG interface:
Defining the Service Group and Applying it to an Interface on page 23
Defining the Protocol and Ports to Redirect on page 25
Defining the Forwarding and Return Method on page 27
Enabling Router Affinity on page 28
Defining the Home Router Addresses on page 29
Defining the Assignment Method on page 31
Securing the Service Group on page 35
Defining the Service Group and Applying it to an Interface

The following procedure describes how to define a service group and apply it to a ProxySG interface.
PROXYSG CONFIGURATIONDEFINE THE SERVICE GROUP AND APPLY IT TO AN INTERFACE
Console.
Select Configuration > Network > WCCP.
Step 2 Make sure WCCP is enabled.
Click Enable WCCP.
Step 3 (Optional) Set the WCCP version. If your WCCP Select the WCCP Version.
router or switch supports it, you should use
Note
If you select version 1, you can only use
version 2 (the default).
the web-cache service group and the
only settings you can configure are the
interface to which to apply the service
group and the IP address of a single
home router.
Step 4 Create the service group.
Note
a.
Click New. The New Service dialog box is

displayed.
b. Enter the Service Group identifier (0-255).
If you selected WCCP version 1.0, the service

group is automatically set to web-cache.
Step 5 (Optional) Specify the queuing priority in the

Enter a Priority. If you do not enter a value, the
range of 0 through 255 (inclusive) for the service priority is 0.
group. If there are multiple service groups
applied to the same router interface in the same
direction, the priority defines the order in which
the router evaluates them.
23
PROXYSG CONFIGURATIONDEFINE THE SERVICE GROUP AND APPLY IT TO AN INTERFACE

Step 6 Apply the service group to a ProxySG interface.
As a best practice, apply the service group to the
first LAN interface on the appliance, for
example 1:1 on the 300 platform; 2:1 on the 600
and 900 platforms; or 0:3 on the 9000. For load
balancing you can also apply the service to
multiple interfaces on the same appliance.
Step 7 Finish defining the service group settings.
24
Select an Interface from the drop-down list.

The drop-down shows all interfaces available
on the ProxySG, including virtual (VLAN)
interfaces. Virtual interfaces are depicted as
adapter:interface.vlan id, for example, 0:1.3.
a.
To finish creating the service group,

complete the following tasks:
Defining the Protocol and Ports to
Redirect on page 25
Defining the Forwarding and Return
Method on page 27
Enabling Router Affinity on page 28
Defining the Home Router Addresses
on page 29
Defining the Assignment Method on
page 31
(Optional) Securing the Service Group
on page 35
b. When you finish configuring the service
group, click OK.
c. If you want to create additional service
groups, repeat this procedure.
d. When you are done configuring all service
groups on this ProxySG, click Apply.
Defining the Protocol and Ports to Redirect

The service group configuration on the ProxySG defines what protocol and ports to redirect. If you are using
a well-known service group such as web-cache, the protocol and ports are already known to the ProxySG
and the routers so you do not need to define them. However, if you are using a dynamic service group, you
must define the protocol and ports as part of the service group configuration. By default, the dynamic
service group redirects all ports and protocols without any additional configuration. However, if you want
to redirect specific ports only, youll need to enable port-based redirection and specify the ports (up to 8)
that the service group should redirect.
Note
You can only specify 8 ports to redirect within a single service

group. If you want to redirect more than 8 ports, you must create
multiple service groups. If you specify duplicate ports within the
port list, the ProxySG will automatically remove the duplicate
entries when parsing the command.
The following procedure describes how to restrict service group redirection to a specific protocol and set of
ports.
PROXYSG CONFIGURATIONDEFINE THE PROTOCOL AND PORTS TO REDIRECT
Console.
Step 2 Select or create the service group for which to

define the traffic to redirect.
To define a new service group, see "Defining
Step 3 Specify the port field (source port, destination

port, or all ports) on which to base redirection.
By default, the service group redirects on all
ports and you do not need any additional
configuration. However, if you want to redirect
specific ports, you must define whether to use
the source port or destination port to determine
whether a packet should be redirected.
Tip
As a best practice, create separate service

groups to redirect inbound and outbound
traffic.
Step 4 Select the protocol to redirect.
the Service Group and Applying it to an

Interface" on page 23.
To configure an existing service group,
select the service group entry and click Edit.
If you plan to redirect all ports (recommended),

make sure the Redirect on field is set to All (the
default). If you plan to redirect specific ports,
select one of the following from the Redirect on
drop-down list:
If the service group will be used to redirect
outbound traffic, select Destination.
If the service group will be used to redirect
inbound traffic, select Source.
Select TCP (the default) or UDP from the

Protocol drop-down list.
25
PROXYSG CONFIGURATIONDEFINE THE PROTOCOL AND PORTS TO REDIRECT (CONTINUED)

Step 5 (optional) Specify specific ports to redirect.
Before you can do this, you must specify
whether to base redirection on the source or
destination port (see Step 3).
Specify up to eight ports as follows:
If you want to redirect one or more

predefined ports (HTTP, HTTPS, CIFS, or
RTSP) select the corresponding
checkbox(es).
If you want to redirect a port that does not

have a corresponding checkbox, enter the
port number(s) in the Other field. Port
numbers should be separated by a comma (,).
Step 6 Finish creating the WCCP configuration.
Finish configuring the service group as

described in the following sections and then
click OK.
To save the WCCP settings, click Apply.
26
Defining the Forwarding and Return Method

On the ProxySG, the forwarding method specifies the method the router uses to forward redirected packets
to the ProxySG; the return method specifies the method that the ProxySG uses to return packets that it
chooses to bypass. Because not all routers support all forwarding and return methods, you must determine
what methods are supported on your specific routing/switching platform and IOS version before
configuring the forwarding and return methods.
The ProxySG supports the following forwarding and return methods:
Generic Routing Encapsulation (GRE) the packet to be forwarded or returned is encapsulated in an
additional IP header that shows the router address and ProxySG address as the as the source IP address
and destination IP address (which one is the source address and which is the destination address
depends on whether the packet is being forwarded or returned). This is the default forwarding method
and if you plan to use this method you do not need to do any further configuration. Keep in mind,
however, that not all routers support GRE forwarding. Typically, GRE forwarding is supported on
software-based switching platforms such as the Cisco 800, 1800, 2800, 3800, 7200, and 7500. You can use
GRE return with GRE forwarding or L2 forwarding, depending on what your router supports.
Layer 2 (L2) the router or ProxySG rewrites the destination MAC address of the packet to the MAC
address of the device (the ProxySG or router) to which it is forwarding or returning the packet. This
method is faster than GRE forwarding, because the switching is done at the hardware level and doesnt
require encapsulating and decapsulating the packet at Layer 3. In order to use L2 forwarding, the
ProxySG and the routers in the service group must all be on the same L2 broadcast domain (that is, there
cannot be more than one hop between them). Typically L2 forwarding is supported on hardware-based
switching platforms such as the Cisco Catalyst 3550, 3650, 3750, 4500, 6500, and 7600. You can only use
L2 return with L2 forwarding. Additionally, L2 return is not supported on all platforms that support L2
forwarding.
The following procedure shows how to set the forwarding and return method in the ProxySG service group
configuration.
PROXYSG CONFIGURATIONDEFINE THE FORWARDING AND RETURN METHOD
Console.

define the forwarding and return method.

Step 3 Define the forwarding method for the router to Select GRE (the default) or L2 from the
use to forward packets to the ProxySG.
Forwarding Type field.
27
PROXYSG CONFIGURATIONDEFINE THE FORWARDING AND RETURN METHOD (CONTINUED)

Step 4 Define the return method for the ProxySG to use Select GRE (the default) or L2 from the Returning
to return bypassed packets to the router. Note Type field.
that you can only select a return type if you
selected L2 as the forwarding method.

click OK.
Enabling Router Affinity

By default, the ProxySG uses the configured return method (GRE or L2) to return bypassed traffic to the
router that redirected it and uses regular routing table lookups to determine the next hop for intercepted
traffic. With router affinity, the ProxySG also uses the configured return method to return intercepted clientand/or server-bound traffic to the WCCP router that redirected it, bypassing the routing table lookup. This
is a useful feature if you have routing policies that may prevent your client- and/or server-bound traffic
from reaching its destination and simplifies the ProxySG configuration process by eliminating the need to
replicate these policies on the ProxySG. It is also useful in configurations where you have multiple home
routers or where your WCCP router is multiple hops away from the ProxySG because it ensures that the
traffic is always returned to the same WCCP router that redirected it. Keep in mind, however, that enabling
this feature unnecessarily when using GRE return does add additional CPU overhead on the router due to
the need to decapsulate the GRE packets. In addition, the ProxySG and the router use a reduced maximum
transmission unit (MTU) for GRE packets, which reduces the amount of data that can be transferred per
packet.
To ensure that the intercepted client- and/or server-bound traffic is always returned to the WCCP router
that redirected it, you can enable router affinity. With router affinity enabled, the ProxySG uses the
negotiated return method (GRE or L2) to return intercepted traffic to the WCCP router. You can configure
router affinity using one of the following options:
ClientCauses the ProxySG to return intercepted client-side traffic to the ProxySG using the negotiated
return method.
ServerCauses the ProxySG to return intercepted server-side traffic to the ProxySG using the
negotiated return method.
BothCauses the ProxySG to return intercepted client- and server-side traffic to the ProxySG using the
negotiated return method.
NoneDisables router affinity.
The following procedure shows how to set the forwarding and return method in the ProxySG service group
configuration.
28
PROXYSG CONFIGURATIONENABLE ROUTER AFFINITY

Console.
Step 2 Select or create the service group.
Step 3 Enable router affinity.

Select one of the following values from the

Router affinity drop-down list. You can choose to
enable router affinity for client- (Client) or
server- side (Server) traffic only or you can
choose Both to have all client- and server-side
traffic returned to the WCCP router that
redirected it.
To disable router affinity, select <None>.

click OK.

To establish and maintain the service group, the ProxySG appliances and routers in the service group must
be able to communicate with each other. In order to establish this communication, you must define
address(es) that the ProxySG should use to contact the router(s) in the group. WCCP allows you to use
unicast or multicast addresses for communication between routers and caches. The following sections
provide procedures for each type of addressing:
Defining Unicast Router Addresses on page 29
Defining a Multicast Group Address on page 30
Defining Unicast Router Addresses

If you are using unicast addresses within the service group, you must identify the IP address of each router
up to a maximum of 32 in the service group. The IP address that you define for each router must be
reachable from the ProxySG; as a best practice, use the IP address of the interface over which the router
sends redirected traffic to the ProxySG.
Use the following procedure to define the routers in the service group.
29
PROXYSG CONFIGURATIONDEFINE UNICAST ROUTER ADDRESSES

Console.

define the home router.

Step 3 Define the router address(es).
For each router in the service group, do the

following:
a. Select Individual Home Router Addresses
and click Add. The New Home Router dialog
box is displayed.
b. Enter the Home Router Address and then
click OK. The router address is displayed in
the Home Router table.

click OK.

Defining a Multicast Group Address
With multicast addressing, the ProxySG appliances and the routers in the service group use a single
multicast addressin the range of 224.0.0.0 to 239.255.255.255to communicate with all other group
members simultaneously. In this case, you only configure a single multicast home router setting in the
ProxySG configuration. You will also need to configure each router in the group to use this address as
described in "Defining a Multicast Address" on page 16. Use the following procedure to define the multicast
address for the service group:
PROXYSG CONFIGURATIONDEFINE A MULTICAST SERVICE GROUP ADDRESS
Console.

define the home router.

Step 3 Define the multicast group address (224.0.0.0 to a. Select Multicast Home Router.
239.255.255.255).
b. Enter the Group Address.
30
PROXYSG CONFIGURATIONDEFINE A MULTICAST SERVICE GROUP ADDRESS (CONTINUED)

Step 4 (optional) Define the multicast time to live
(TTL) value if you want to use a value other
than the default (1).
Enter the Multicast TTL.

click OK.
Defining the Assignment Method

The assignment method instructs the router how to distribute redirected traffic. There are two supported
assignment methods: hash assignment (the default) and mask assignment. Keep in mind that not all routing
platforms and software versions support both assignment methods; refer to your router/switch
documentation to determine which assignment methods are supported on your specific platform and IOS
version. Also see "Tested Platform Configurations" on page 78 to see the router platforms on which Blue Coat
has successfully tested each assignment method. You can use different assignment methods for different
service groups configured on the same ProxySG.
The following sections describe how to configure each of the assignment methods:
Configuring Hash Assignment on page 31
Configuring Mask Assignment on page 33
Configuring Hash Assignment

With hash assignment, the router runs a value in the header of the packet it is redirecting through a hashing
function. The resulting value maps to one of 256 buckets in the hash table, each of which is assigned to a
ProxySG in the service group. Hash assignment can be CPU intensive, but it is the only option if you are
using a software-based router.
Because the hashing function is based on a packet header field, it is possible that a disproportionate amount
of traffic will be redirected to the same ProxySG. For example if the hashing function is based on destination
IP address and many users are sending requests to the same destination, a disproportionate number of
packets will get redirected to the same ProxySG. To prevent a given ProxySG from being inundated, you
can configure an alternate hashing field for the router to use if the number of GRE packets or MAC
addresses (depending on the forwarding method youre using) redirected to a given ProxySG exceeds a
certain number.
hash table. However, you can override this behavior by configuring a weight value to adjust the proportion
of the hash table that gets assigned to the ProxySG.
Use the following commands to configure hash assignment in the service group:
31
PROXYSG CONFIGURATIONCONFIGURE HASH ASSIGNMENT

Console.

define the assignment method.

Step 3 (optional) Enable the hash assignment method

if its not already enabled.
For Assignment Type, select Hash.
Step 4 Specify which field(s) in the packet header to

use to run the hashing function.
Select one or more of the following from the

Primary Hash field:
Source IP (the default)
Source Port
Destination IP
Destination Port
Step 5 (Optional) Specify an alternate packet header

Select one or more of the following from the
field(s) to use to run the hashing function. This Alternate Hash field:
setting will be used if a ProxySG in the service Source IP
group gets overloaded.
Source Port
Destination IP
Destination Port
Step 6 (optional) Define what proportion of the hash

table you want assigned to the specified
interface on the ProxySG.
Enter a Weight value in the range of 0 (the

default) to 255.
Keep in mind that if you have assigned weight

values to any of the ProxySG appliances in the
service group, you will have to configure it on
all of the others or that appliance will not
receive any of the redirected traffic (because the
default value is 0).
click OK.
32
Configuring Mask Assignment

values for each mask; each value is assigned to a specific bucket, which corresponds to a ProxySG in the
service group.
By default, each ProxySG in the service group is assigned roughly an even percentage of the mask values.
However, you can override this behavior by configuring a weight value to adjust the proportion of the mask
values that gets assigned to the ProxySG.
The following procedure shows how to configure mask assignment.
PROXYSG CONFIGURATIONCONFIGURE MASK ASSIGNMENT
Console.


Step 3 (optional) Enable the mask assignment method For Assignment Type, select Mask.
if its not already enabled.
Step 4 Specify which field in the packet header to use

to run the mask function.
Step 5 (optional) Specify the Mask assignment value

(introduced in SGOS 6.5.3). If you have multiple
WCCP redirection points and/or multiple
ProxySG appliances participating in WCCP
assignment, the Mask assignment value allows
you to make use of an advanced load sharing
feature of WCCP.
See the following Cisco documentation to
determine the appropriate mask assignment
value for your deployment:
Select a Mask scheme:
Source IP (the default)

Source Port
Destination IP
Destination Port
Consult your Router documentation to
determine the appropriate Mask

assignment value.
Enter the appropriate value in hex or
decimal into the Mask Value field.
http://www.cisco.com/en/US/prod/collateral/
switches/ps5718/ps708/white_paper_c11-629
052.html
33
PROXYSG CONFIGURATIONCONFIGURE MASK ASSIGNMENT (CONTINUED)

Step 6 (optional) Define what proportion of the mask Enter a Weight value in the range of 0 (the
values to assign to the specified interface on the default) to 255.
ProxySG.
Keep in mind that if you have assigned weight
values to any of the ProxySG appliances in the
service group, you will have to configure it on
all of the others or that appliance will not
receive any of the redirected traffic (because the
default value is 0).

click OK.
34
Securing the Service Group

For added security, you can configure MD5 authentication to control access to the service group. When
authentication is enabled, a ProxySG will not be allowed to join the service group unless it knows the
password. To configure authentication, you must define the same password on all routers and all ProxySG
appliances in the service group.
The following procedure describes how to set up a password on the ProxySG. For instructions on how to
set up a password on the router, see "Securing the Service Group" on page 18.
PROXYSG CONFIGURATIONSECURE THE SERVICE GROUP
Console.


Step 3 Define the password.
Click Set Password. The Set WCCP

Password for Service Group dialog box
displays.
b. Select Set Password and then enter the
password in the Enter Password and
Confirm Password fields.
c. Click OK to save the password and close the
dialog box.
To save the service group settings, click OK.

a.
35
Verifying the WCCP Configuration

After you enable WCCP, the routers and ProxySG appliances in the service groups you have defined begin
negotiating the capabilities you have configured. As long as the configurations you have defined are correct
and all of the routers and ProxySG appliances in the group support the capabilities that have been
configured, the service group will form and the router will begin redirecting traffic to the ProxySG
appliances in the service group. You can verify that the service groups you have configured on a given
ProxySG are established and functioning either from the Management Console or from the CLI as described
in the following sections:
Verifying the WCCP Configuration from the Management Console on page 36
Verifying the WCCP Configuration from the CLI on page 37
Verifying the WCCP Configuration from the Management Console

Use the following procedure to verify that your WCCP service groups are working properly.
PROXYSG CONFIGURATIONVIEW WCCP STATUS FROM THE MANAGEMENT CONSOLE
Console.
Select Configuration > Network > WCCP. The

service groups that you have configured are
displayed in the WCCP Configuration section of
the screen.
Step 2 Verify that the ProxySG has successfully joined a. Click Refresh State to update the status of
the service groups you have defined and that
each service group.
packets are being redirected.
b. Make sure the State for each service group
changes to Ready. You may need to click
Refresh State several times while the
ProxySG and the router negotiate the
service group and the assignment type. For
a description of each state, see "Service
Group States" on page 70.
Step 3 View detailed WCCP statistics.
36
Select Statistics > Network > WCCP. For more

information, see "Viewing ProxySG Service Group
Statistics" on page 71.
Verifying the WCCP Configuration from the CLI

PROXYSG CONFIGURATIONVIEW WCCP STATUS FROM THE CLI
Step 1 Log in to the ProxySG CLI and
enter enabled mode.
login as: admin

Blue Coat SG200>en
Enable Password:
Blue Coat SG200#
Step 2 Display the service group status.
Blue Coat SG200#show wccp status

;WCCP Status
;Version 1.3
Number of GRE redirected packets: 13
Number of Layer 2 redirected packets: 10
In this example, both service

groups in which the ProxySG is
configured to participate have
formed successfully and the routers
have started redirecting traffic.
For a description of the status
fields, see "Viewing ProxySG Service
Group Statistics" on page 71.
Service group: 10
State: Ready
Number of Here_I_Am sent: 358
Number of I_See_You received: 358
Number of Redirect_Assign sent: 1
Router IP: 5.6.7.2
Cache IP: 1.2.3.1
Service group: 11
State: Ready
Router IP: 1.2.3.4
Cache IP: 1.2.3.1
37
Modifying the WCCP Configuration
Modifying the WCCP Configuration

To change the WCCP configuration after you initially create itfor example if you want to add a new router
to the group or add an additional service groupyou can edit the settings as described in the following
procedure.
PROXYSG CONFIGURATIONMODIFY WCCP SETTINGS
Console.
Step 2 Display the settings for the service group you

want to modify.
Select the service group you want to modify and

click Edit. The Edit Service dialog box is
displayed.
Note
If you originally defined your WCCP

configuration in a local or remote text
file, you can edit the original file and
then reinstall it. See Appendix A, WCCP
Command Quick Reference for
instructions.
Step 3 Modify the service group settings as desired.
Modify the service group settings as

described in the following sections:
Defining the Protocol and Ports to
Redirect on page 25
Defining the Forwarding and Return
Method on page 27
on page 29
Defining the Assignment Method on
page 31
(Optional) Securing the Service Group
on page 35
b. When you are done modifying the service
group, click OK to close the dialog box.
Step 4 Save the WCCP settings.
When you are done modifying all service

groups, click Apply to save your changes.
38
a.
Disabling WCCP
Disabling WCCP
If you no longer want the ProxySG to participate in any of the service groups for which it is configured, you
can disable WCCP. Disabling WCCP does not remove the WCCP configuration settings, but rather it places
them out of service until you reenable WCCP. There are a couple of ways to disable WCCP as described in
the following sections:
Disabling WCCP From the Management Console on page 39
Disabling WCCP From the CLI on page 39
Disabling WCCP From the Management Console

Use the following procedure to disable WCCP from the Management Console.
PROXYSG CONFIGURATIONDISABLE WCCP FROM THE MANAGEMENT CONSOLE
Console.
Step 2 Disable WCCP.

Note
Uncheck Enable WCCP and then click Apply. As

soon
as WCCP is disabled, all of the service
Disabling WCCP does not remove the WCCP
groups
that you previously configured will
configuration settings you have defined. If you
display
N/A as the State.
reenable WCCP, the ProxySG will attempt to
rejoin the service groups that you previously
defined.
Disabling WCCP From the CLI

Use the following procedure to disable WCCP from the CLI.
PROXYSG CONFIGURATIONDISABLE WCCP FROM THE CLI
terminal mode.
login as: admin

Blue Coat SG200>en
Enable Password:
Step 2 Disable WCCP.
Blue Coat SG200#(config)wccp disable
39
Disabling WCCP
40
WCCP Configuration Examples
This chapter shows some common WCCP configurations, including the following:
Basic WCCP Configuration on page 40
Web-Cache Configuration on page 41
ADN Configuration on page 42
L2 Forwarding and GRE Return Configuration on page 45
Router Affinity Configuration on page 46
Secure Service Group Configuration on page 48
Redirect Specific Traffic Configuration on page 49
Multiple Service Group Configuration on page 50
Load Balancing Using Hash Assignment Configuration on page 52
Hotspot Detection Configuration on page 54
Load Balancing Using Unequal Loads Configuration on page 56
Load Balancing Using Mask Assignment Configuration on page 59
Single ProxySG Multiple Router Configuration on page 61
Multicast Configuration on page 63
Client IP Reflection Configuration on page 65
LAN/WAN Traffic Segregation Using VLANs Configuration on page 67
39
Basic WCCP Configuration
Basic WCCP Configuration

The following example shows a simple WCCP configuration in which one router is configured to redirect
all traffic to one ProxySG. Because the service group redirects all traffic by default, you do not need to define
specific ports and/or protocols to redirect.
Figure 4-1
Basic WCCP Configuration Example
CONFIGURATION EXAMPLEBASIC WCCP CONFIGURATION

Router A
Router>enable
Router(config)#interface fastethernet 0/1
ProxySG 1
From the Management Console, configure the

ProxySG WCCP settings as follows:
40
Or install the WCCP settings

from a text file:
wccp enable
wccp version 2
service-group 90
interface 0:1
protocol 6
priority 1
home-router 1.2.3.1
end
Web-Cache Configuration
Web-Cache Configuration
The following example shows how to configure the web-cache service on a single router and ProxySG. The
web-cache service group is used to redirect HTTP traffic on destination port 80 only. Because this is a
well-known service group, you do not need to configure any characteristics about itsuch as port number
or directionbecause the router and the ProxySG already know them. Note that this configuration is
supported in WCCP Version 1 and Version 2. In this example, the router and the ProxySG are both
configured to use WCCP Version 1.
Figure 4-2
Web-Cache Configuration Example
CONFIGURATION EXAMPLEWEB-CACHE CONFIGURATION

Router A
Router>enable
Router(config)#ip wccp web-cache
Router(config-if)#ip wccp web-cache redirect in
ProxySG 1
From the Management Console,

configure WCCP as follows:
Or install the WCCP settings from a

text file:
wccp enable
wccp version 1
service-group web-cache
interface 0:1
home-router 1.2.3.1
end
41
ADN Configuration
ADN Configuration
The following example shows how to configure WCCP in an ADN deployment. As a best practice in a
virtually in-path ADN deployment, you should configure separate service groups for LAN and WAN
traffic. To simplify this process use the Blue Coat Sky Management Console, which enables you to create a
WCCP pair. A WCCP pair is a pair of service groups that defaults to the appropriate settings to enable
redirection of LAN and WAN traffic.
Figure 4-3
Virtually In-Path ADN Deployment
CONFIGURATION EXAMPLEADN DEPLOYMENT

Router_core
42

Router(config)#interface gigabitethernet0/0
Router(config-if)#description WAN side
Router(config-if)#description LAN side
ADN Configuration
CONFIGURATION EXAMPLEADN DEPLOYMENT (CONTINUED)

ProxySG_core
From Blue Coat Sky on the Concentrator Peer (ProxySG_core), configure the
WCCP pair as follows:
Router_branch

Router(config)#interface gigibitethernet0/5
Router(config)#interface gigibitethernet0/6
43
ADN Configuration
CONFIGURATION EXAMPLEADN DEPLOYMENT (CONTINUED)

ProxySG_branch
44
From Blue Coat Sky on the Branch Peer (ProxySG_branch), configure the WCCP
pair as follows:
L2 Forwarding and GRE Return Configuration
L2 Forwarding and GRE Return Configuration

By default, the router and the ProxySG forward and return packets using GRE/GRE forwarding/return.
Because GRE/GRE is the default, no configuration is required to use these methods. If you want to use
L2/L2 or L2/GRE forwarding/return, you will have to explicitly configure the settings. Keep in mind that
not all routers support all forwarding and return methods.
When using L2 forwarding, the ProxySG and the router must be on the same broadcast domain (that is, they
cannot be more than one router hop apart) as shown in Figure 4-4. The following shows an L2/GRE
configuration.
Figure 4-4
L2 Forwarding and Return Example
CONFIGURATION EXAMPLEL2 FORWARDING AND GRE RETURN

Router A
Router>enable
ProxySG 1
Configure WCCP from the Management Console:

from a text file:
wccp enable
wccp version 2
service-group 90
interface 0:1
protocol 6
priority 1
forwarding-type L2
returning-type gre
home-router 1.2.3.4
end
45
Router Affinity Configuration

By default, the ProxySG uses regular routing table lookups to determine the next hop for intercepted
traffic. However, in some cases you may have routing policies that prevent your client- and/or
server-bound traffic from reaching its destination (for example, if your WCCP router is multiple hops away
from the ProxySG). With router affinity, the ProxySG returns intercepted client- and/or server-side traffic
that it intercepts to the router using the negotiated return method, ensuring that the traffic is always
returned to the same WCCP router that redirected it.
For example, Figure 4-5 shows a network where router R1 only has routes to the C1 and S1 subnets and
router R2 only has routes to the C2 and S2 subnets. Because the ProxySGs default router is configured as
R2, if you enable WCCP on R1s client- and server- facing interfaces, packets from the ProxySG destined for
C1 and S1 will be dropped by R2 because it does not have routing information for those subnets. Therefore,
to ensure that redirected traffic from C1 and S1 is routed properly (without configuring additional routes
on R2, which would change the existing routing policies), you can enable router affinity on the ProxySG.
Notice that because there is no client traffic coming from S1 in this example (and therefore incoming SYN
packets will only be coming from C1), you only need to enable router affinity (for client- and server-side
traffic) traffic on service group 90 and not on service group 92.
Figure 4-5
Router Affinity Example
CONFIGURATION EXAMPLEROUTER AFFINITY

R1
46
Router>enable
Router(config)#interface fastethernet
Router(config-if)#ip wccp 90 redirect
0/1
in
0/2
in
CONFIGURATION EXAMPLEROUTER AFFINITY (CONTINUED)

ProxySG 1
Configure WCCP from the Management Console and Or install the WCCP settings from a
enable router affinity on service group 90:
text file:
wccp enable
wccp version 2
service-group 90
interface 0:1
protocol 6
priority 1
forwarding-type gre
assignment-type hash
service-flags source-ip-hash
router-affinity both
home-router 1.2.3.4
end
service-group 92
interface 0:1
protocol 6
priority 1
forwarding-type gre
service-flags destination-ip-hash
home-router 1.2.3.4
end
47
Secure Service Group Configuration
Secure Service Group Configuration

The following example shows how you can restrict access to a service group so that only authorized
ProxySG appliances can join. This example shows two methods for restricting access:
On the router, an ACL permits access to the ProxySG at 1.2.3.5 only; all other hosts are denied. This ACL
is then associated with the group-list for the service group.
On the router and the ProxySG, a password secures the service group. When a ProxySG attempts to join
the service group, the router will only allow it to join if it can authenticate using the configured
password.
Figure 4-6
Secure Service Group Example
CONFIGURATION EXAMPLESECURE SERVICE GROUP

Router A
Router>enable
Router(config)#access-list 3 permit 1.2.3.5 0.0.0.255
Router(config)#ip wccp 90 password 0 $abc123
ProxySG 1
Configure WCCP from the Management Console: Or install the WCCP settings from
a text file:
wccp enable
wccp version 2
service-group 90
interface 0:1
protocol 6
priority 1
home-router 1.2.3.1
password $abc123
end
48
Redirect Specific Traffic Configuration
Redirect Specific Traffic Configuration

You can configure the router and/or the ProxySG so that only a subset of traffic is redirected. This example
shows two methods for defining what traffic to redirect:
On the router, an ACL excludes traffic from host 1.2.3.6 . This ACL is then associated with the
redirect-list for the service group to let the router know not to redirect traffic that matches the ACL.
On the ProxySG, the service group definition specifies individual ports to redirect; the router forwards
traffic on all other ports normally. Note that you can only specify 8 ports to redirect within a single
service group. If you want to redirect more than 8 ports, you must create multiple service groups.
Figure 4-7
Redirection of Specific Protocol and Ports Example
CONFIGURATION EXAMPLEREDIRECT SPECIFIC TRAFFIC

Router A
Router>enable
Router(config)#access-list 103 deny ip any host 1.2.3.6
Router(config)#access-list 103 permit ip any any
ProxySG 1
Configure WCCP from the Management Console:

text file:
wccp enable
wccp version 2
service-group 90
interface 0:1
priority 1
home-router 1.2.3.1
protocol 6
service-flags ports-defined
ports 80 8080 443 0 0 0 0 0
end
49
Multiple Service Group Configuration

In some cases you may want to create separate service groups, for example, to handle the redirection of
different types of traffic. The following example shows a configuration in which a single router is
configured to participate in two service groups that are handled by different ProxySG appliances.
Figure 4-8
Multiple Service Groups Example
CONFIGURATION EXAMPLEMULTIPLE SERVICE GROUPS

Router A
50
Router>enable
0/1
in
0/1
in
CONFIGURATION EXAMPLEMULTIPLE SERVICE GROUPS (CONTINUED)

ProxySG 1
From the Management Console on the first

ProxySG, configure WCCP as follows:
Or install the WCCP settings from

a text file on the first ProxySG:
wccp enable
wccp version 2
service-group 90
interface 0:1
protocol 6
priority 1
ports 80 8080 0 0 0 0 0 0
home-router 1.2.3.1
end
ProxySG 2
From the Management Console on the second


a text file on the second ProxySG:
service-group 91
ports 554 1755 0 0 0 0 0 0
interface 0:1
protocol 6
priority 1
home-router 1.2.3.1
end
51
Load Balancing Using Hash Assignment Configuration

In the following example, the two ProxySG appliances in service group 91 are configured for load balancing
using hash assignment. The service group is configured so that the router uses the destination IP address
and the destination port in the header of the packet it is redirecting to run the hashing algorithm. Because
ProxySG 1 has the lowest IP address, it automatically becomes the designated cache and is responsible for
communicating the load balancing assignment information to the router.
Figure 4-9
Load Balancing Using Hash Assignment Example
CONFIGURATION EXAMPLELOAD BALANCING USING HASH ASSIGNMENT

Router A
52
Router>enable
CONFIGURATION EXAMPLELOAD BALANCING USING HASH ASSIGNMENT (CONTINUED)

ProxySG 1
From the Management Console on the first Or install the WCCP settings from a text
file on the first ProxySG:
wccp enable
wccp version 2
service-group 91
interface 0:3
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
service-flags destination-port-hash
end
ProxySG 2
From the Management Console on the

second ProxySG, configure WCCP as
follows:

text file on the second ProxySG:
wccp enable
wccp version 2
service-group 91
interface 0:3
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
end
53
Hotspot Detection Configuration

Because the hashing function that is used for load balancing is based on a packet header field, a
disproportionate amount of traffic can sometimes be redirected to the same ProxySG. For example if the
hashing function is based on destination IP address and many users are sending requests to the same
destination, a disproportionate number of packets will get redirected to the same ProxySG. To prevent this
situation, you can configure an alternate hashing field or fields for the router to use if the number of GRE
packets or MAC addresses (depending on the forwarding method youre using) redirected to a given
ProxySG exceeds a certain number. Note that this is only supported when you are using hash assignment;
hotspot detection is not supported with mask assignment.
In the following example, the service group is configured so that the router will perform the hashing
function using both the destination IP address and port. If one of the ProxySG appliances becomes
overloaded, the router will perform the hash using the source IP address instead.
Figure 4-10
Load Balancing Using an Alternate Hash Example
CONFIGURATION EXAMPLEHOTSPOT DETECTION

Router A
54
Router>enable
CONFIGURATION EXAMPLEHOTSPOT DETECTION (CONTINUED)

ProxySG 1


text file on the first ProxySG:
wccp enable
wccp version 2
service-group 90
interface 0:3
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
service-flags source-ip-alternate-hash
end
ProxySG 2

follows:

text file on the second ProxySG:
wccp enable
wccp version 2
service-group 90
interface 0:3
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
end
55
Load Balancing Using Unequal Loads Configuration

hash table. However, you can override this behavior by configuring a hash-weight value to each ProxySG
in the service group to adjust the proportion of the hash table that get assigned to it. In the following
example, ProxySG 1 and ProxySG 2 have weight values of 100 and receive about twice as much redirected
traffic as ProxySG 3, which has a weight value of 50.
Figure 4-11
Load Balancing Using Unequal Weights Example
CONFIGURATION EXAMPLELOAD BALANCING USING UNEQUAL LOADS

Router A
56
Router>enable
CONFIGURATION EXAMPLELOAD BALANCING USING UNEQUAL LOADS (CONTINUED)

ProxySG 1
From the Management Console on the first Or install the WCCP settings from a
text file on the first ProxySG:
wccp enable
service-group 90
interface 0:3
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
primary-hash-weight 0:3 100
end
ProxySG 2

follows:

text file on the second ProxySG
wccp enable
service-group 90
interface 2:1
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
end
57
CONFIGURATION EXAMPLELOAD BALANCING USING UNEQUAL LOADS (CONTINUED)

ProxySG 3
58

third ProxySG, configure WCCP as follows: text file on the third ProxySG
wccp enable
service-group 90
interface 0:3
priority 1
protocol 6
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
end
Load Balancing Using Mask Assignment Configuration

values for each mask; each value is assigned to a specific ProxySG in the service group. As with hash
assignment, you can also assign a weight value to each ProxySG to force unequal loads (see Figure 4-11).
CONFIGURATION EXAMPLELOAD BALANCING USING MASK ASSIGNMENT
Router A
Router>enable
ProxySG 1


from a text file on the first
ProxySG:
wccp enable
service-group 90
interface 0:3
priority 1
protocol 6
forwarding-type L2
returning-type L2
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
assignment-type mask
mask-scheme destination-port
end
59
CONFIGURATION EXAMPLELOAD BALANCING USING MASK ASSIGNMENT (CONTINUED)

ProxySG 2
From the Management Console on the second


from a text file on the second
ProxySG:
wccp enable
service-group 90
interface 0:3
priority 1
protocol 6
forwarding-type L2
returning-type L2
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
end
ProxySG 3
From the Management Console on the third


from a text file on the third
ProxySG:
wccp enable
service-group 90
interface 0:3
priority 1
protocol 6
forwarding-type L2
returning-type L2
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.1
end
60
Single ProxySG Multiple Router Configuration

In this example, two routers are in a service group with a single ProxySG. Therefore, the ProxySG
configuration requires two home-router settings. Additionally, because the routers are on different
subnets, GRE forwarding and return must be used.
Figure 4-12
Service Group with Multiple Routers and a Single ProxySG Example
CONFIGURATION EXAMPLESINGLE PROXYSG MULTIPLE ROUTERS

Router A
Router>enable
Router B
Router>enable
61
CONFIGURATION EXAMPLESINGLE PROXYSG MULTIPLE ROUTERS (CONTINUED)

ProxySG 1
62


from a text file:
wccp enable
wccp version 2
service-group 90
interface 0:3
priority 1
home-router 1.2.3.1
home-router 5.6.7.2
end
Multicast Configuration
With multicast addressing, the ProxySG appliances and the routers in the service group use a single
multicast addressin the range of 224.0.0.0 to 239.255.255.255to communicate with all other group
members simultaneously. In the following example, the routers in service group 90 are all configured to
listen on multicast address 224.1.1.103. Additionally, the ProxySG appliances in the group use the multicast
address as their home-router address.
CONFIGURATION EXAMPLEMULTICAST
Router A
Router>enable
Router(config)#ip multicast
Router(config)#ip wccp 90 group-address 224.1.1.103
Router(config-if)#ip pim dense-mode
Router B
Router>enable
Router(config)#interface gigabitethernet 0/0/0
Router(config-if)#ip pim dense-mode
ProxySG 1


a text file on the first ProxySG:
wccp enable
wccp version 2
service-group 90
interface 0:3
priority 1
forwarding-type L2
returning-type L2
home-router 224.1.1.103
end
63
CONFIGURATION EXAMPLEMULTICAST
ProxySG 2
64

follows:

a text file on the second ProxySG:
wccp enable
wccp version 2
service-group 90
interface 0:1
priority 1
forwarding-type L2
returning-type L2
end
Client IP Reflection Configuration

If you are using WCCP in a client IP reflection configuration, you will have to redirect traffic in two
directions: first as the request is sent from the client to the server and second as the server sends the response
back to the client. As a best practice, you should use separate service groups for the different traffic
directions: one that redirects traffic from the client based on destination port and one that redirects traffic
from the server based on source port. To prevent redirection loops, you should attach the ProxySG to a third,
dedicated interface as shown in Figure 4-13. Notice that you would use the IP address of the router interface
to which the ProxySG attaches as your home router address.
Figure 4-13
Client IP Reflection Example
CONFIGURATION EXAMPLECLIENT IP REFLECTION

Router A
Router>enable
Router(config)#interface gigabitethernet 0/0/0
65
CONFIGURATION EXAMPLECLIENT IP REFLECTION (CONTINUED)

ProxySG 1
66
From the Management Console, create the first Or define both service groups in a
service group as follows and then click OK.
single text file as follows and install
it on the ProxySG:
wccp enable
wccp version 2
service-group 90
interface 0:3
priority 1
ports 80 8080 443 0 0 0 0 0
home-router 1.2.3.3
end
service-group 91
ports 80 8080 443 0 0 0 0 0
service-flags ports-source
interface 0:3
Click New to create the second service group as priority 1
home-router 1.2.3.3
follows and then click OK.
end
LAN/WAN Traffic Segregation Using VLANs Configuration

The following example shows a configuration in which the router uses separate WCCP service groups to
redirect traffic from its LAN- and WAN-facing interfaces to the ProxySG. Each service group uses a different
VLAN interface to redirect traffic to the ProxySG, which allows the ProxySG to distinguish the LAN traffic
from the WAN traffic and make the appropriate decision as to whether to intercept or bypass a particular
packet.
Figure 4-14
WCCP VLAN Configuration Example
CONFIGURATION EXAMPLEWCCP VLAN CONFIGURATION

Router A
Router>enable
Router#conf t
Router(config)#interface vlan700
Router(cofig-if)#ip address 192.0.2.177 255.255.255.0
Router(config-if)#end
Router(config-if)#switchport
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport trunk allowed vlan 700, 710, 180
Router(config-if)#switchport mode trunk
Router(config-if)#switchport
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport trunk allowed vlan 184
Router(config-if)#switchport mode trunk

Router(config)#exit
67
CONFIGURATION EXAMPLEWCCP VLAN CONFIGURATION

Switch A
interface gigabitethernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 180
end
switchport trunk allowed vlan 177, 178, 180
switchport mode trunk
end
switchport trunk allowed vlan 177, 178
end
ProxySG 1
From the Management Console, create the first Or define both service groups in a
service group as follows and then click OK.
single text file as follows and install
it on the ProxySG:
wccp enable
wccp version 2
service-group 3
interface 0:2.700
protocol 6
priority 1
end
service-group 4
interface 0:2.710
protocol 6
priority 1
Click New to create the second service group as home-router 192.0.3.178
follows and then click OK.
end
Note: The home-router address
for each service group is
the IP address of the
corresponding VLAN
interface on the router. See
the router configuration.
68
Monitoring and Troubleshooting WCCP
This chapter provides information on how to verify that your WCCP configuration is working properly as
well as information to help you troubleshoot problems. It includes the following topics:
Service Group States on page 70
Viewing ProxySG Service Group Statistics on page 71
Viewing Router Statistics on page 74
Why Dont My Configuration Changes Take Effect? on page 77
Tested Platform Configurations on page 78
69
Service Group States
Service Group States

The ProxySG maintains state information for its configured service groups. The state of a service group
helps you monitor whether the service group was configured properly and how it is functioning. Table 5-1
lists and describes each service group state. To view the state of the service groups you have configured, see
"Viewing ProxySG Service Group Statistics" on page 71.
Table 5-1
WCCP Service Group States
State
Description
Assignment mismatch
The router does not support the assignment type (hash or mask) that is
configured for the service group.
Bad router id
The home-router specified in the service group configuration does not match
the actual router ID.
Bad router view
The list of ProxySG appliances in the service group does not match.
Capability mismatch
The WCCP configuration includes capabilities that the router does not
support.
Initializing
WCCP was just enabled and the ProxySG is getting ready to send out its first
HERE_I_AM message.
Interface link is down
The ProxySG cannot send the HERE_I_AM message because the interface
link is down.
Negotiating assignment
The ProxySG received the I_SEE_YOU message from the router but has not
yet negotiated the service group capabilities.
Negotiating membership
The ProxySG sent the HERE_I_AM message and is waiting for an

I_SEE_YOU message from the router.
Packet forwarding mismatch
The router does not support the forwarding method (GRE or L2) that is
configured for the service group.
Packet return mismatch
The router does not support the return method (GRE or L2) that is configured
for the service group. Note that on the ProxySG, the return method is always
the same as the forwarding method.
Ready
The service group formed successfully and the ProxySG sent the
REDIRECT_ASSIGN message to the router with the hash or mask values
table.
Service group mismatch
The router and the ProxySG have a mismatch in port, protocol, priority,
and/or other service flags.
Security mismatch
The service group passwords on the router and the ProxySG do not match.
70
Viewing ProxySG Service Group Statistics

After you install the WCCP configuration, the WCCP routers and ProxySG appliances in the service groups
you have defined begin negotiating the capabilities you have configured. As long as the configurations you
have defined are correct and all of the routers and ProxySG appliances in the group support the capabilities
that have been configured and have the required network connectivity, the service group will form and the
router will begin redirecting traffic to the ProxySG appliances in the service group.
You can monitor statistics about the service groups you have configured on a given ProxySG from the
Management Console or from the CLI as described in the following sections:
Viewing Service Group Statistics from the Management Console on page 72
Viewing Service Group Statistics from the CLI on page 73
Table 5-2 lists and describes each ProxySG WCCP statistic.

Table 5-2
ProxySG WCCP Statistics
Statistic
Description
Last Refresh
The date and time the displayed statistics were last refreshed. Click Refresh
WCCP Statistics to refresh them now.
GRE Redirected Packets
The number of packets that have been redirected using GRE forwarding.
Layer-2 Redirected Packets The number of packets that have been redirected using L2 forwarding.
Service Groups
Lists the service groups that have been configured on this ProxySG. If the
group has successfully formed, you can click the arrow next to the group to
see a list of the caches (ProxySG appliances) and routers that have joined the
group.
State
Shows the service group state. See Table 5-1 for a description of each state.
Here I Am Sent
The number of HERE_I_AM messages that this ProxySG has sent to the
routers in the group.
I See You Received
The number of I_SEE_YOU messages that this ProxySG has received from the
routers in the group.
Redirect Assign Sent
The number of REDIRECT_ASSIGN messages that this ProxySG has sent to

the routers in the group. The REDIRECT_ASSIGN message contains the hash
table or mask values table that the router will use to determine which
ProxySG to redirect packets to. Only the designated cachethe cache with
the lowest IP addresssends REDIRECT_ASSIGN messages.
71
Viewing Service Group Statistics from the Management Console

MONITOR WCCPVIEW WCCP STATUS FROM THE MANAGEMENT CONSOLE
Console.

Step 2 Check the status of the service groups.
The status of each service group you have

configured is displayed in the State column in
the WCCP Configuration section of the screen. To
ensure that you are viewing the most up-to-date
information, click Refresh State. For a list of
states, see "Service Group States" on page 70.
Step 3 View detailed WCCP statistics.

Statistics > Network > WCCP.
This tab indicates whether WCCP is enabled. If

it is not enabled, no statistics are displayed. If it
is enabled, the statistics for each service group
are displayed. See Table 5-2 for a description of
each statistic.
72
Viewing Service Group Statistics from the CLI

MONITOR WCCPVIEW WCCP STATUS FROM THE CLI
Step 1 Log in to the ProxySG CLI and
enter enabled mode.
login as: admin

Blue Coat SG200>en
Enable Password:
Blue Coat SG200#
Step 2 Display the service group status.

For a description of each field, see
Table 5-2.
Note
Blue Coat SG200#show wccp status

;WCCP Status
;Version 1.3
The * next to the Cache IP indicates Number of GRE redirected packets: 15628
Number of Layer 2 redirected packets: 0
that ProxySG is the designated
Service group: 9
cache.
State: Ready
Router IP: 199.20.20.1
Cache IP: *10.9.44.22
73
Viewing Router Statistics

You can also monitor the service group information from the router as follows:
MONITOR WCCPDISPLAY ROUTER WCCP STATISTICS
Step 1 Log in to the router CLI and enter
privileged mode.
Router>enable
Step 2 Display global WCCP statistics for Router#show ip wccp

all service groups that have been
Global WCCP information:
configured on the router.
Router information:
Router Identifier:
Protocol Version:
199.20.20.1
2.0
Service Identifier: 0
Number of Service Group Clients:
Number of Service Group Routers:
Total Packets s/w Redirected:
Process:
Fast:
CEF:
Service mode:
Service access-list:
Total Packets Dropped Closed:
Redirect access-list:
Total Packets Denied Redirect:
Total Packets Unassigned:
Group access-list:
Total Messages Denied to Group:
Total Authentication failures:
Total Bypassed Packets Received:
Process:
Fast:
CEF:
74
0
0
0
0
0
0
Open
-none0
-none0
0
-none0
0
0
0
0
0
0
0
0
MONITOR WCCPDISPLAY ROUTER WCCP STATISTICS (CONTINUED)

Step 3 Display global WCCP statistics for Router#show ip wccp 9
a specific service group.
Global WCCP information:
Router information:
Router Identifier:
Protocol Version:
199.20.20.1
2.0
Process:
Fast:
CEF:
Service mode:
Service access-list:
Total Packets Dropped Closed:
Redirect access-list:
Total Packets Denied Redirect:
Total Packets Unassigned:
Group access-list:
Total Messages Denied to Group:
Total Authentication failures:
Total Bypassed Packets Received:
Step 4 Display detailed statistics for the
service group.
Router#show ip wccp 9 detail

WCCP Client information:
WCCP Client ID:
Protocol Version:
State:
Initial Hash Info:
00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info:
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment:
Packets s/w Redirected:
Connect Time:
Bypassed Packets
Process:
Fast:
CEF:
Errors:
1
1
0
0
0
0
Open
-none0
-none0
0
-none0
0
0
10.9.44.222
2.0
Usable
256 (100.00%)
0
00:02:00
0
0
0
0
75
MONITOR WCCPDISPLAY ROUTER WCCP STATISTICS (CONTINUED)

Step 5 Display the router view. The router Router#show ip wccp 9 view
view contains a list of all of the
WCCP Routers Informed of:
caches that the router has allowed
199.20.20.1
into the service group as
announced in the I_SEE_YOU
WCCP Clients Visible:
messages from the router. Use the
10.9.44.222
router view to determine whether
the ProxySG appliances you expect
WCCP Clients NOT Visible:
to be in a service group have joined.
-noneNote
WCCP Clients NOT Visible

field indicates which ProxySG
appliances are not visible to all
other routers to which this router is
connected.
Note
76
You can also use the show ip interface command to

determine whether any WCCP redirect commands are configured
on an interface.
Why Dont My Configuration Changes Take Effect?
Why Dont My Configuration Changes Take Effect?

Some WCCP configuration changes will not take effect until the WCCP service group re-negotiates.
Therefore, if you change any of the following configuration settings, you must also disable and re-enable
WCCP on all appliances in the service group to force a service group re-negotiation:
Home router IP address

ProxySG interface IP address
Weight assignments
77
Tested Platform Configurations

Table 5-1 summarizes the Cisco hardware and software platforms that Blue Coat has tested with the
ProxySG WCCP feature. Although you can use other WCCP-capable Cisco hardware and software in your
ProxySG WCCP deployment, you must check the Cisco documentation to determine the specific WCCP
features that are supported on the platform.
Table 5-1
Cisco Hardware and Software Platform
Features Tested With ProxySG

L2/L2
Cisco 2821
Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Cisco 3825
Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Cisco 3650E
Version 12.2(44r)SE3 RELEASE SOFTWARE
GRE /GRE Hash
Cisco 6506 Software

(s72033_rp-ADVENTERPRISEK9-M), Version
12.2(33)SXH3a, RELEASE SOFTWARE (fc1)
L2/GRE
ROM: Bootstrap program is C3560 boot loader

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M)
Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
78
Cisco IOS Software, 3800 Software

(C3825-ADVENTERPRISEK9-M), Version 12.4(22)T,
RELEASE SOFTWARE (fc1)
Cisco IOS Software, C2951 Software

(C2951-UNIVERSALK9-M), Version 15.0(1)M3,
RELEASE SOFTWARE (fc2)
Mask
WCCP Command Quick Reference
This appendix lists and describes each WCCP command on both the ProxySG and the router side. In
addition, it describes how to create a WCCP configuration text file and install it on the ProxySG. For more
detailed information on how to use the router commands, see Chapter 2, Configuring WCCP on the Router.
This appendix includes the following sections:
Router WCCP Commands on page 80
ProxySG WCCP Commands on page 83
Installing the WCCP Configuration on the ProxySG on page 89
79
Router WCCP Commands

Table A-1
Router WCCP Command Quick Reference
Command
Description
Global Commands (apply to all service groups on the router)

ip wccp version [1 | 2]
Defines the WCCP version to use for all service groups configured on the
router. Version 2 is the default and is the recommended version.
Example:
Service Group Definition Commands

ip wccp [web-cache | <0-99>]
Defines the service group and enables WCCP on the router. Use the
keyword web-cache to create the well-known web-cache service group
(redirects traffic on TCP destination port 80 only) or specify a unique
service group identifier in the range of 0-99.
Example:

password [0 | 7] <password>
Defines an MD5 password (up to 8 characters) to use to authenticate

ProxySG appliances to the service group. The passwords you define on
the router and on the ProxySG must match in order for the ProxySG to be
authenticated. This command must also include the encryption type,
which can be 0 (indicating that password is not yet encrypted) or 7
(indicating that the password is encrypted using a Cisco-proprietary
encryption algorithm).
Example:
ip wccp 90 0 mypa$$
Multicast Addressing Commands

ip multicast-routing
Enables multicast routing on the router. Note that if there are any
intervening routers between the WCCP router and the ProxySG
appliances, you must enable multicast routing on those routers also.
Example:
Router(config)#ip multicast-routing

group-address <address>
Defines the multicast address for the service group. The multicast
address must be in the range 224.0.0.0 to 239.255.255.255.
Example:
80
Command
Description

group-listen
Enables the WCCP multicast group address on an interface.

Example:
Router(config>#interface fastethernet1/1
ip pim [sparse-dense-mode |
sparse-mode]
Enables Protocol Independent Multicast (PIM) on an interface. This is

required on certain Cisco platforms only, such as the Catalyst 6500 and
Catalyst 7600. Refer to your router documentation for more information.
Example:
Router(config>#interface fastethernet1/1
Router(config-if)#ip pim sparse-mode
Service Group Filtering Commands

redirect-list <list-name>
Associates an access control list (ACL) with a WCCP service group for
filtering which traffic to redirect. For information on how to create an
ACL, refer to your router documentation.
Example:
Router(config)#access-list 103 deny ip any host
10.1.0.43

group-list <list-name>
Associates an ACL with a WCCP service group for filtering which

ProxySG appliances to allow into the service group. For information on
how to create an ACL, refer to your router documentation.
Example:
Router(config)#access-list 3 permit 10.1.1.5 0.0.0.255
81
Command
Description
Interface Redirection Commands

redirect [in | out]
Applies the service group to an interface and direction. After you apply
the service group to an interface, traffic entering (redirect in) or exiting
(redirect out) the interface will be evaluated for redirection. Whenever
possible, you should apply WCCP service groups to inbound interfaces
because it is faster and requires less processing.
Example:
ip wccp redirect exclude in
Excludes inbound traffic on an interface from redirection. You should use

this command on the router interface to which the ProxySG is connected
to prevent redirection loops if you are using outbound redirection on the
router. If you are using inbound redirection only, you do not need to use
this command.
Example:
Router(config-if)#ip wccp redirect exclude in
82
ProxySG WCCP Commands

As an alternative to configuring WCCP from the Management Console, you can configure WCCP on the
ProxySG by defining the configuration settings in a separate text file and then installing this file to the
ProxySG.
The first step is to create the file. You can create a WCCP configuration file three ways:
Using the text editor of your choice, create a text file on a remote machine that is accessible by the
ProxySG via a URL.
Using the text editor of your choice, create a text file locally on the system from which you run the
Management Console.
Create a text file using the text editor in the Management Console.
Table A-1 describes each WCCP setting that you can define in the text file. For instructions on how to install
the file once its created, see "Installing the WCCP Configuration on the ProxySG" on page 89.
Table A-2
ProxySG WCCP Command Quick Reference
Command
Description
Global Commands (apply to all service groups on the ProxySG)

wccp [enable | disable]
Enables or disables WCCP. If you include this command in the WCCP

configuration file, WCCP will automatically be enabled or disabled
when you install the settings. By default WCCP is disabled. If you do not
include this command in the configuration file, you can manually enable
WCCP from the Management Console or the CLI.
Example:
wccp enable
wccp version [1 | 2]
Defines the WCCP version to use for all service groups configured on the
ProxySG. Version 2 is the default and is the recommended version.
Example:
wccp version 2
Service Group Definition Commands

service-group [web-cache |
<0-255>
Defines the service group. Use the keyword web-cache to create the
well-known web-cache service group (redirects traffic on TCP
destination port 80 only) or specify a unique service group identifier in
the range of 0-255.
Example:
service-group 90
83
Command
Description
interface <interface_number>
Specifies the ProxySG interface to which to apply the service group. As a

best practice, apply the service group to the first LAN interface on the
appliance, for example 0:1 on the 210 platform, 2:1 on the 510 and 810
platforms, or 3:1 on the 8100. An interface can be a physical interface or
a virtual interface (VLAN). Virtual interfaces are depicted as
adapter:interface.vlan id, for example, 0:1.3.
Example:
interface 2:1
priority <0-255>
Specifies the queuing priority for the service group. If there are multiple
service groups applied to the same router interface in the same direction,
the priority defines the order in which the router evaluates them.
Example:
priority 2
password <password>
Defines the MD5 password (up to 8 characters) that is required for the
ProxySG to authenticate to the service group. This field is only required
if you have configured a password on the router; the passwords must
match.
Example:
password mypa$$
end
Specifies the end of the service group. If your WCCP configuration

includes multiple service group definitions, you must include the end
command at the end of each service group configuration. If your
configuration includes a single service group, include the end command
at the end of the file.
Example:
end
Traffic Description Commands

protocol <protocol_number>
Specifies which protocol to redirect. You can specify any standard

protocol number as defined by IANA:
http://www.iana.org/assignments/protocol-numbers
You can include multiple protocol commands to redirect multiple
protocols. Typically, WCCP is used to redirect TCP (6) and/or UDP (17)
traffic.
Example:
protocol 6
84
Command
Description
Indicates that the service group will redirect traffic with specific port
numbers only. By default, the service group redirects traffic on all ports.
Include this command only if you want to redirect a subset of traffic
based on port number.
Example:
ports [num num num num num

num num num]
Specifies the specific ports you want to redirect. You can specify any
well-known port number as defined by IANA:
http://www.iana.org/assignments/port-numbers
You can specify up to eight ports per service group. Note that this
command requires eight field values, so if you dont specify eight ports,
you must use zeroes for any remaining field values.
Example:
ports 80 8080 443 0 0 0 0 0
Specifies that the router should use the source port rather than the
default destination port to determine whether to redirect the packet. If
you want to base the service group redirection on destination port, you
do not need to include this command.
Example:
Router Definition Commands

home-router <address>
Specifies the unicast or multicast address the ProxySG should use to

communicate with the router(s) in the service group.
If you are using unicast addressing (recommended) you must define a
home-router entry for each router in the service group. If the router has
more than one IP address configured, use the lowest IP address to avoid
home router mismatch errors.
If you are using multicast addressing, use a single address in the range of
224.0.0.0 to 239.255.255.255 for all routers in the service group. You must
also enable multicast on the routers and specify the group address in the
WCCP configuration.
Example:
multicast-ttl <num>
Specifies the multicast time to live (TTL) value. You only need to include
this command if you want to use a TTL value other than 1 (the default).
Cisco recommends using a value of 15 or less.
Example:
multicast-ttl 3
85
Command
Description
Forward and Return Method Command

forwarding-type [gre | L2]
Defines the method the routers in the service group use to forward
redirected packets to the ProxySG and the ProxySG appliances use to
return packets that they cant process back to the router. In this release,
the forwarding method and the return method are always the same.
Possible values are:
gre forward using Generic Routing Encapsulation (GRE). This is
the default forwarding method; to use this method no configuration is

required.
L2 forward using Layer 2 (L2) forwarding.
Example:
forwarding-type L2
returning-type [gre | L2]
Defines the method the ProxySG appliances in the service group use to
return packets to the router. In this release, the forwarding method and
the return method may be different. Possible values are:
gre return using Generic Routing Encapsulation (GRE). This is the
default return method; to use this method no configuration is
required. You can use GRE return with either GRE or L2 forwarding.
L2 return using Layer 2 (L2) return. You can only use L2 return with
L2 forwarding.
Example:
returning-type L2
router-affinity [client | server | both] Indicates whether the ProxySG will use the negotiated returning-type (GRE
or L2) to return all packets (intercepted as well as bypassed packets) to
the WCCP router t hat originally redirected the traffic to it. Possible
values are:
client return intercepted client-side traffic to the originating
WCCP router using the negotiated returning-type.
server return intercepted server-side traffic to the originating
WCCP router using the negotiated returning-type.
both return intercepted client- and server-side traffic to the
originating WCCP router using the negotiated returning-type.
Example:
router-affinity both
86
Command
Description
Assignment Type Commands

assignment-type [hash | mask]
In service groups that contain multiple ProxySG appliances, this

command defines the method for selecting the appliance to which to
redirect a given packet. Possible values are as follows:
hash the router runs designated fields in the packet header through
a hashing algorithm to determine the appliance to which to redirect

the packet. This is the default assignment type.
mask the router performs a bitwise AND operation between the
mask value and a designated field in the packet header to determine
the appliance to which to redirect the packet.
Example:
service-flags [destination-ip-hash | Specifies which field(s) in the header of the packet the router should use
source-ip-hash | destination-port | to run the hashing algorithm when using hash assignment. You can use
source-port]
multiple instances of the command to designate the use of multiple
fields. If you are using hash assignment, you must specify at least one
field.
Example:
service-flags destination-port
service-flags
[destination-port-alternate-hash |
destination-ip-alternate-hash |
source-port-alternate-hash |
source-ip-alternate-hash]
Specifies alternate packet header field(s) to use to run the hashing

algorithm when using hash assignment. This setting will be used if a
ProxySG in the service group gets overloaded.
Example:
mask-scheme [source-ip |
destination-ip | source-port |
destination-port]
Specifies which field(s) in the header of the packet the router should use
to run the mask function when using mask assignment. By default
destination-ip is used. You only need to specify a mask-scheme if
you want to use a field other than the destination IP address to run the
mask function.
Example:
mask-scheme source-ip
87
Command
Description
primary-hash-weight <interface>
<weight>
Specifies the proportion of the load that should be assigned to this

ProxySG in the load balancing scheme for the service group. This
command can be used with either mask or hash assignment. Use this
command only if you want to distribute the redirected traffic unequally
among the ProxySG appliances in the service group. The weight value
must be an integer in the range of 0-255. The default value is 0. Therefore,
if you choose to use unequal loads, you must assign weight values to
each appliance in the group in order for it to receive any of the traffic.
Example:
88
Installing the WCCP Configuration on the ProxySG

After you define all of the service groups that you want to configure on a ProxySG in your WCCP
configuration file, you must install the settings. The way you install the file depends on how and where you
created it. Use one of the following procedures to install the ProxySG WCCP configuration file:
Installing the Configuration from the Management Console Text Editor on page 89
Installing the Configuration from a Local File on page 90
Installing the Configuration from a Remote URL on page 90
Installing the Configuration from the CLI on page 91
Installing the Configuration from the Management Console Text Editor

Use the following procedure to enter the WCCP configuration commands directly into the Management
Console text editor and install the settings.
PROXYSG CONFIGURATIONINSTALL WCCP SETTINGS USING THE TEXT EDITOR
Console.

Step 2 Open the text editor.
Select Text Editor from the Install WCCP Settings

from drop-down list and then click Install. The
text editor opens. If this is a new configuration,
the following comment is displayed:
; Empty WCCP configuration object
You can delete this comment.
Step 3 Define the service groups in the text editor.
Create the WCCP settings using the syntax

described in Table A-2. For examples of
complete configuration files, see Chapter 4,
WCCP Configuration Examples.
Step 4 After configuring all of the service groups that

this ProxySG will participate in, install the
configuration file.
Click Install. The Management Console displays

a message indicating that the configuration file
was successfully installed. Click OK.
Step 5 Close the text editor.
Click Close.
89
Installing the Configuration from a Local File

Use the following procedure to install a WCCP configuration text file that is located on the system from
which youre accessing the Management Console.
PROXYSG CONFIGURATIONINSTALL WCCP SETTINGS FROM A LOCAL FILE
Console.

Step 2 Specify that you want to install the settings from Select Local File from the Install WCCP Settings
from drop-down list and then click Install. The
a local file.
Open dialog box displays.
Step 3 Install the file.
Browse to the WCCP text file and then click

Open. The Management Console displays a
message indicating that the configuration file

was successfully installed. Click OK.
Installing the Configuration from a Remote URL

Use the following procedure to install a WCCP configuration text file that is located on a remote system.
Before you start this procedure, you must post the WCCP configuration file to a web server that is accessible
from the machine where you are running the Management Console.
PROXYSG CONFIGURATIONINSTALL WCCP SETTINGS FROM A REMOTE URL
Console.

Step 2 Specify that you want to install the settings from Select Remote URL from the Install WCCP
Settings from drop-down list and then click
a remote URL.
Install. The Install WCCP Settings dialog box
displays.
Step 3 Specify the URL.
Enter the URL for the text file in the Installation

URL field. For example:
http://10.25.36.47/files/wccp.txt
Step 4 (optional) View the file to verify the WCCP
settings.
Click View. The configuration file opens in a new

browser window or tab.
Click Install. The Management Console displays

a message indicating that the configuration file
was successfully downloaded and installed.
Click OK twice.
90
Installing the Configuration from the CLI

Another way to install a WCCP configuration file is from the CLI. To do this, you must post the WCCP
configuration on a web server that is accessible from the ProxySG and then use the following procedure to
install the file.
PROXYSG CONFIGURATIONINSTALL WCCP SETTINGS FROM THE CLI
terminal mode.
login as: admin

Blue Coat SG200>en
Enable Password:
Step 2 Specify the location of the WCCP configuration Blue Coat SG200#(config)wccp path
http://10.25.36.47/files/wccp.txt
text file.
Blue Coat SG200#(config)load

wccp-settings
91
92

WCCP Reference Guide.8

Uploaded by

Copyright:

Available Formats

WCCP Reference Guide.8

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WCCP Reference Guide.8

Uploaded by

Copyright:

Available Formats

Blue Coat Systems

WCCP Reference Guide

For SGOS 6.5.x and later

Rest of the World:

Document Number: 231-02966

Configuring WCCP on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Configuring WCCP on the ProxySG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

WCCP Reference Guide

WCCP Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Monitoring and Troubleshooting WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

WCCP Reference Guide

WCCP Command Quick Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

WCCP Reference Guide

WCCP Reference Guide

A Simple ProxySG WCCP Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Multiple Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Service Group Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Determining What Traffic to Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

GRE Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Load Balancing Weights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Automatic Redistribution of Loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Hash Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

Figure 1-10 Mask Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

Basic WCCP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40

Web-Cache Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

Virtually In-Path ADN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-42

L2 Forwarding and Return Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45

Router Affinity Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46

Secure Service Group Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48

Redirection of Specific Protocol and Ports Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49

Multiple Service Groups Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50

Load Balancing Using Hash Assignment Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52

Figure 4-10 Load Balancing Using an Alternate Hash Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54

WCCP Reference Guide

WCCP Reference Guide

Using WCCP with the ProxySG on page 2

WCCP Service Groups on page 3

What Gets Redirected? on page 6

How Do the Router and ProxySG Exchange Traffic? on page 7

Which ProxySG Receives the Redirected Traffic? on page 10

Getting Started on page 12

WCCP Reference Guide

Blue Coat recommends use of WCCP version 2. WCCP is available

Using WCCP with the ProxySG

Using WCCP with the ProxySG

Scalability and Load Balancing Traffic can be automatically distributed to up to 32 ProxySG

A Simple ProxySG WCCP Exchange

WCCP Reference Guide

WCCP Service Groups

WCCP Service Groups

Multiple Service Groups

WCCP Reference Guide

WCCP Service Groups

Service Group Types

Service Group Addressing

WCCP Service Group Addressing

With unicast addressing, each ProxySG must be configured with the IP

WCCP Reference Guide

WCCP Service Groups

Service Group Access Control