43-3
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 43 Configuring Web Cache Services By Using WCCP
Understanding WCCP
WCCP Negotiation
In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items:

• Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine. This forwarding method requires the target application engine to be directly connected to the switch at Layer 2.

• Assignment method (the method by which packets are distributed among the application engines in the cluster). The switch uses some bits of the destination IP address, the source IP address, the destination Layer 4 port, and the source Layer 4 port to determine which application engine receives the redirected packets.

• Packet-return method (the method by which packets are returned from the application engine to the switch for normal forwarding). These are the typical reasons why an application engine rejects packets and starts the packet-return feature:

  – The application engine is overloaded and has no room to service the packets.

  – The application engine receives an error message (such as a protocol or authentication error) from the web server and uses the dynamic client bypass feature. The bypass enables clients to bypass the application engines and to connect directly to the web server.
The application engine returns a packet to the WCCP-enabled switch to forward to the web server as if the application engine is not present. The application engine does not intercept the reconnection attempt. In this way, the application engine effectively cancels the redirection of a packet to the application engine and creates a bypass flow. If the return method is generic routing encapsulation (GRE), the switch receives the returned packet through a GRE tunnel that is configured in the application engine. The switch CPU uses Cisco Express Forwarding to send these packets to the target web server. If the return method is Layer 2 rewrite, the packets are forwarded in hardware to the target web server. When the server responds with the requested information, the switch uses normal Layer 3 forwarding to return the information to the requesting client.
MD5 Security
WCCP provides an optional security component in each protocol message to enable the switch to use MD5 authentication on messages between the switch and the application engine. Messages that do not authenticate by MD5 (when authentication of the switch is enabled) are discarded by the switch. The password string is combined with the MD5 value to create security for the connection between the switch and the application engine. You must configure the same password on each application engine.
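The MD5 check described above, as an added Python illustration that is not from the guide or from Cisco IOS: the message layout, the zeroing of the hash field and the exact way the password is combined with the digest are assumptions made for this example. What it models faithfully is the switch policy stated here: with authentication enabled, a message whose MD5 value does not verify under the shared password is discarded.

```python
import hashlib
import hmac

HASH_LEN = 16  # length of an MD5 digest in bytes


def keyed_md5(password: str, message: bytes) -> bytes:
    # Assumption: the guide only says the password string is "combined with the
    # MD5 value"; this example models that as MD5(password || message), where
    # the caller has already zeroed the message's hash field.
    return hashlib.md5(password.encode("utf-8") + message).digest()


def build_message(password: str, body: bytes) -> bytes:
    # Constructed layout (not the real WCCP wire format): [body][16-byte MD5].
    # The hash field is zero while the digest is computed, then filled in.
    zeroed = body + b"\x00" * HASH_LEN
    return body + keyed_md5(password, zeroed)


def verify_message(password: str, frame: bytes) -> bool:
    # Recompute the digest over the frame with its hash field zeroed and compare
    # in constant time, so rejection timing does not depend on where bytes differ.
    if len(frame) < HASH_LEN:
        return False
    body, received = frame[:-HASH_LEN], frame[-HASH_LEN:]
    expected = keyed_md5(password, body + b"\x00" * HASH_LEN)
    return hmac.compare_digest(expected, received)


def switch_accepts(password: str, frame: bytes, auth_enabled: bool = True) -> bool:
    # Switch policy from the guide: with MD5 authentication enabled, messages
    # that fail to authenticate are discarded; with it disabled, none are checked.
    if not auth_enabled:
        return True
    return verify_message(password, frame)


if __name__ == "__main__":
    # Constructed sample: an application engine announces itself to the switch.
    shared = "wccp-secret"  # the same password configured on switch and engines
    announce = build_message(shared, b"HERE_I_AM engine-1")
    print("correct password:", switch_accepts(shared, announce))                      # True
    print("wrong password  :", switch_accepts("other-pass", announce))                # False
    tampered = announce[:5] + b"X" + announce[6:]
    print("tampered body   :", switch_accepts(shared, tampered))                      # False
    print("auth disabled   :", switch_accepts("other-pass", announce, auth_enabled=False))  # True
```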
Packet Redirection and Service Groups
You can configure WCCP to classify traffic for redirection, such as FTP, proxy-web-cache handling, and audio and video applications. This classification, known as a service group, is based on the protocol type (TCP or UDP) and the Layer 4 source and destination port numbers. The service groups are identified either by well-known names such as web-cache, which means TCP port 80, or by a service number from 0 to 99. Service groups are configured to map to a protocol and Layer 4 port numbers and are established and maintained independently. WCCP allows dynamic service groups, where the classification criteria are provided dynamically by a participating application engine.