Citrix SD-WAN WANOP

WCCP Mode (Non-Clustered)

WCCP mode allows only a single appliance in a WCCP service group. If a new appliance attempts to contact the router, it discovers that the other appliance is handling the service group, and the new appliance sets an Alert. It periodically checks to determine whether the service group is still active with the other appliance, and the new appliance handles the service group when the other appliance becomes inactive.

Note: WCCP clustering allows multiple appliances per service group.

Limitations and Best Practices

Following are limitations and best practices for (non-clustered) WCCP mode:

  • On appliances with more than one accelerated pair, all the traffic for a given WCCP service group must arrive on the same accelerated pair.
  • Do not mix inline and WCCP traffic on the same appliance. The appliance does not enforce this guideline, but violating it can cause difficulties with acceleration. (WCCP and virtual inline modes can be mixed, but only if the WCCP and virtual inline traffic are coming from different routers.)
  • For sites with a single WAN router, use WCCP whenever inline mode is not practical.
  • Only one appliance is supported per service group. If more than one appliance attempts to connect to the same router with the same service group, the negotiation will succeed only for the first appliance.
  • For sites with multiple WAN routers serviced by the same appliance, WCCP can be used to support one, some, or all of your WAN routers. Other routers can use virtual inline mode.

Router Support for WCCP

Configuring the router for WCCP is very simple. WCCP version 2 support is included in all modern routers, having been added to the Cisco IOS at release 12.0(11)S and 12.1(3)T. The best router-configuration strategy is determined by the characteristics of your router and switches. Traffic shaping requires two service groups.

If your router supports Reverse Path Forwarding, you must disable it on all ports, because it can confuse WCCP traffic with spoofed traffic. This feature is found in newer Cisco routers such as the Cisco 7600.

Router Configuration Strategies

There are two basic approaches to redirecting traffic from the router to the appliance:

  1. On the WAN port only, add a “WCCP redirect in” statement and a “WCCP redirect out” statement.
  2. On every port on the router, except the port attached to the appliance, add a “WCCP redirect in” statement.

The first method redirects only WAN traffic to the appliance, while the second method redirects all router traffic to the appliance, whether it is WAN related or not. On a router with several LAN ports and substantial LAN-to-LAN traffic, sending all traffic to the appliance can overload its LAN segment and burden the appliance with this unnecessary load. If GRE is used, the unnecessary traffic can load down the router as well.

On some routers, the “redirect in” path is faster and puts less of a load on the router’s CPU than does the “redirect out” path. If necessary, this can be determined by direct experiment on your router: Try both redirection methods under full network load to see which delivers the highest transfer rates.

Some routers and WCCP-capable switches do not support “WCCP redirect out,” so the second method must be used. To avoid overloading the router, the best practice is to avoid redirecting large numbers of router ports through the appliance, perhaps by using two routers, one for WAN routing and one for LAN-to-LAN routing.

In general, method 1 is simpler, while method 2 may provide greater performance.

Traffic Shaping and WCCP

A service group can be either TCP or UDP, but not both. For the traffic shaper to be effective, both kinds of WAN traffic must pass through the appliance. Therefore:

  • Acceleration requires one service group, for TCP traffic.
  • Traffic shaping requires two service groups, one for TCP traffic and one for UDP traffic.

The difference between the two is configured on the appliance, and the router accepts this configuration.

Configure the Router

The appliance negotiates WCCP-GRE or WCCP-L2 automatically. The main choice is between unicast operation (in which the appliance is configured with the IP address of each router) and multicast operation (in which both the appliance and the routers are configured with the multicast address).

Normal (Unicast) operation—For normal operation, the procedure is to declare WCCP version 2 and the WCCP group ID for the router as a whole, then enable redirection on each WAN interface. Following is a Cisco IOS example:

config term
ip wccp version 2
! We will configure the appliance to use group 51 for TCP and 52 for UDP.
ip wccp 51
ip wccp 52

! Repeat the following three lines for each WAN interface
! you wish to accelerate:
interface your_wan_interface
! If Reverse Path Forwarding is enabled (with an “ip verify unicast
! source reachable” statement), delete or comment out the statement:
! ip verify unicast source reachable-via any
! Repeat on all ports.

ip wccp 51 redirect out
ip wccp 51 redirect in
ip wccp 52 redirect out
ip wccp 52 redirect in

! If the appliance is inline with one of the router interfaces
! (NOT SUPPORTED), add the following line for that interface
! to prevent loops:
ip wccp redirect exclude in
^Z

If multiple routers are to use the same appliance, each is configured as shown above, using either the same service groups or different ones.

Multicast operation—When giving the appliance and each router a multicast address, the configuration is slightly different than for normal operation. Following is a Cisco IOS example:

config term
ip wccp version 2
ip wccp 51 group-address 225.0.0.1

! Repeat the following three lines for each WAN interface
! you wish to accelerate:
interface your_wan_interface
! If Reverse Path Forwarding is enabled (with an “ip verify unicast
! source reachable” statement), delete or comment out the statement:
! ip verify unicast source reachable-via any

ip wccp 51 redirect out
ip wccp 51 redirect in
!
! The following line is needed only on the interface facing the other router,
! if there is another router participating in this service group.
ip wccp 51 group-listen

! If the appliance is inline with one of the router interfaces
! (which is supported but not recommended), add
! the following line for that interface to prevent loops:
ip wccp redirect exclude in
^Z
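
The guidance above can be checked mechanically against a saved router configuration. The following Python audit is an added example, not Citrix or Cisco code; it assumes the `show running-config` layout (interface sub-commands indented), and the interface name, password value and `audit_wccp` function are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout (interface sub-commands
# indented): the unicast example with "ip wccp 52 redirect out" missing,
# Reverse Path Forwarding still enabled, and a password on group 51 only.
SAMPLE_CONFIG = """\
ip wccp version 2
ip wccp 51 password 0 EXAMPLE-ONLY
ip wccp 52
interface Serial0/0
 ip verify unicast source reachable-via any
 ip wccp 51 redirect out
 ip wccp 51 redirect in
 ip wccp 52 redirect in
"""

def audit_wccp(config):
    """Check a router configuration against the guidance on this page."""
    declared, with_password, rpf = set(), set(), []
    redirects = {}  # interface -> {group: set of redirect directions}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            iface = None  # an unindented line ends the interface block
        if m := re.match(r"interface\s+(\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip wccp (\d+) redirect (in|out)$", line):
            groups = redirects.setdefault(iface, {})
            groups.setdefault(m.group(1), set()).add(m.group(2))
        elif iface is None and (m := re.match(r"ip wccp (\d+)\b(.*)", line)):
            declared.add(m.group(1))
            if re.search(r"\bpassword\b", m.group(2)):
                with_password.add(m.group(1))
        elif iface and line.startswith("ip verify unicast"):
            rpf.append(iface)
    findings = [f"{i}: Reverse Path Forwarding enabled" for i in rpf]
    for i, groups in redirects.items():
        for g in sorted(set(groups) - declared):
            findings.append(f"{i}: group {g} redirected but not declared")
        # TCP and UDP groups must see the same traffic for shaping to work.
        if len({frozenset(d) for d in groups.values()}) > 1:
            findings.append(f"{i}: service groups redirect in different directions")
    for g in sorted(declared):
        state = "must match" if g in with_password else "must be blank"
        findings.append(f"group {g}: appliance Password field {state}")
    return findings
```

The password lines in the result are reminders rather than faults: they state what the appliance's Password field has to contain for each service group to connect.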

Basic Configuration Procedure for WCCP Mode on the SD-WAN Appliance

For most sites, you can use the following procedure to configure the WCCP mode on the appliance. The procedure has you set several parameters to sensible default values. Advanced deployments might require that you set these parameters to other values. For example, if WCCP service group 51 is already used by your router, you need to use a different value for the appliance.

To configure WCCP mode on the appliance:

  1. Go to the Configuration: Appliance Settings: WCCP page.
  2. If no service groups have been defined, the Select Mode page appears. The options are Single SD-WAN and Cluster (Multiple SD-WANs). Select Single SD-WAN. You are taken to the WCCP page. Note: The mode labels are misleading. “Single SD-WAN” mode is also used for SD-WAN high-availability pairs.
  3. If WCCP mode is not enabled, click Enable.
  4. Click Add Service Group.
  5. The default Interface (apA), Protocol (TCP), WCCP Priority (0), Router Communication (Unicast), Password (blank), and Time to Live (1) values usually do not have to be changed for the first service group that you create, but if they do, type new values in the fields provided.
  6. In the Router Addressing field (if you are using unicast) or the Multicast Address field (if you are using multicast), type the router’s IP address. Use the IP for the router port used for WCCP communication with the appliance.
  7. If more than one router is using WCCP to communicate with this appliance, add more routers now.
  8. If your routers have special requirements, set the Router Forwarding (Auto/GRE/Level-2), Router Packet Return (Auto/GRE/Level-2), and Router Assignment (Mask/Hash) fields accordingly. The defaults produce optimal results with most routers.
  9. Click Add.
  10. Repeat the preceding steps to create another service group, for UDP traffic (for example, service group Id 52 and Protocol UDP).
  11. Go to the Monitoring: Appliance Performance: WCCP page. The Status field should change to Connected within 60 seconds.
  12. Send traffic over the link and, on the Connections page, verify that connections are arriving and being accelerated.

WCCP Service Group Configuration Details

In a service group, a WCCP router and an SD-WAN appliance (“WCCP Cache” in WCCP terminology) negotiate communication attributes (capabilities). The router advertises its capabilities in the “I See You” message. The communication attributes are:

  • Forwarding Method: GRE or Level-2
  • Packet Return Method (multicast only): GRE or Level-2
  • Assignment Method: Hash or Mask
  • Password (defaults to none)

The appliance triggers an alert if it detects an incompatibility between its attributes and those of the router. The appliance might be incompatible because of a specific attribute of a service group (such as GRE or Level-2). More rarely, in a multicast service group, an alert can be triggered when the “Auto” selection chooses a particular attribute with a particular router connected, but the attribute is incompatible with a subsequent router.

Following are the basic rules for the communication attributes within an SD-WAN Appliance.

For Router Forwarding:

  • When “Auto” is selected, the preference is for Level-2, because it is more efficient for both router and appliance. Level-2 is negotiated if the router supports it and the router is on the same subnet as the appliance.
  • Routers in a unicast service group can negotiate different methods if “Auto” is selected.
  • Routers in a multicast service group must all use the same method, whether forced with “GRE” or “Level-2,” or, with “Auto,” as determined by the first router in the service group to connect.
  • For an incompatibility, an alert announces that the router “has incompatible router forwarding.”

For Router Assignment:

  • The default is Hash.

  • When “Auto” is selected, the mode is negotiated with the router.

  • All routers in a service group must support the same assignment method (Hash or Mask).

  • For any service group, if this attribute is configured as “Auto,” the appliance selects “Hash” or “Mask” when the first router is connected. “Hash” is chosen if the router supports it. Otherwise, “Mask” is selected. The problem of subsequent routers being incompatible with the automatically selected method can be minimized by manually selecting a method common to all routers in the service group.

  • For an incompatibility, an alert announces that the router “has incompatible router assignment method.”

  • With either method, the single appliance in the service group instructs all the routers in the service group to direct all TCP or UDP packets to the appliance. Routers can modify this behavior with access lists or by selecting which interfaces to redirect to the service group.

    For the Mask method, the appliance negotiates the “source IP address” mask. The appliance provides no mechanism to select “destination IP address” or the ports for either source or destination. The “source IP address” mask does not specifically identify any specific IP address or range. The protocol does not provide a means to specify a specific IP address. By default, because there is only a single appliance in the service group, a one-bit mask is used, to conserve router resources. (Release 6.0 used a larger mask.)

For Password:

  • If the router requires a password, the password defined on the appliance must match. If the router does not require a password, the password field on the appliance must be blank.
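
To predict which alerts a planned service group will raise, the rules above can be modelled in a few lines of Python. This is an added illustration, not the appliance's implementation; the `Router` record, `negotiate` function and router names are hypothetical, and routers are assumed to connect in list order.

```python
from dataclasses import dataclass

@dataclass
class Router:            # hypothetical description of one WCCP router
    name: str
    forwarding: set      # methods the router supports: "GRE", "Level-2"
    assignment: set      # methods the router supports: "Hash", "Mask"
    same_subnet: bool    # router is on the appliance's subnet

# Constructed routers: r2 is off-subnet and supports only GRE and Mask.
R1 = Router("r1", {"GRE", "Level-2"}, {"Hash", "Mask"}, True)
R2 = Router("r2", {"GRE"}, {"Mask"}, False)

def negotiate(routers, multicast=False, forwarding="Auto", assignment="Hash"):
    """Return ({router: (forwarding, assignment)}, alerts) per the rules above."""
    results, alerts = {}, []
    group_fwd = None if forwarding == "Auto" else forwarding
    group_asg = None if assignment == "Auto" else assignment
    for r in routers:
        # "Auto" prefers Level-2 when the router supports it and is on-subnet.
        l2_ok = "Level-2" in r.forwarding and r.same_subnet
        auto_fwd = "Level-2" if l2_ok else "GRE"
        if forwarding == "Auto" and not multicast:
            fwd = auto_fwd                  # unicast: each router negotiates
        else:
            if group_fwd is None:
                group_fwd = auto_fwd        # multicast Auto: first router decides
            fwd = group_fwd
        if not (l2_ok if fwd == "Level-2" else fwd in r.forwarding):
            alerts.append(f"{r.name} has incompatible router forwarding")
        # Assignment "Auto": Hash if the first router supports it, else Mask.
        if group_asg is None:
            group_asg = "Hash" if "Hash" in r.assignment else "Mask"
        if group_asg not in r.assignment:
            alerts.append(f"{r.name} has incompatible router assignment method")
        results[r.name] = (fwd, group_asg)
    return results, alerts
```

With `R1` connecting first to a multicast group left on “Auto”, `R2` raises both alerts; forcing `assignment="Mask"` in a unicast group clears them, which is the manual selection the text recommends.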

WCCP Testing and Troubleshooting

The appliance provides several ways of monitoring the status of the WCCP interface, and your router should also provide information.

Monitoring: Appliance Performance: WCCP Page—The WCCP page reports the current state of the WCCP link, and reports most problems.

Log Entries—The Monitoring: Appliance Performance: Logging page shows a new entry each time WCCP mode is established or lost.

Figure 1. WCCP Log Entries (format varies somewhat with release)

Router Status—On the router, the “show ip wccp” command shows the status of the WCCP link:

Router>enable
Password:
Router#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   172.16.2.4
        Protocol Version:                    2.0

    Service Identifier: 51
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            19951
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
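
A small Python triage of the `show ip wccp` output above, added here as an example rather than taken from Citrix or Cisco. The counter interpretations in `triage` are the usual IOS meanings and are an assumption, since the page does not define them; the function names are hypothetical.

```python
# Output copied from the router example above (service group 51).
SAMPLE = """\
Global WCCP information:
    Router information:
        Router Identifier:                   172.16.2.4
        Protocol Version:                    2.0

    Service Identifier: 51
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            19951
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""

def parse_show_ip_wccp(text):
    """Return {service_id: {field: value}} from "show ip wccp" output."""
    services, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = int(value) if value.isdigit() else value
    return services

def triage(services):
    """Turn the per-group counters into findings to follow up."""
    findings = []
    for sid, f in services.items():
        if f.get("Number of Cache Engines") == 0:
            findings.append(f"group {sid}: no appliance registered with the router")
        if f.get("Total Authentication failures", 0) > 0:
            findings.append(f"group {sid}: password mismatch between router and appliance")
        if f.get("Total Messages Denied to Group", 0) > 0:
            findings.append(f"group {sid}: group access-list is rejecting WCCP messages")
        if f.get("Total Packets Unassigned", 0) > 0:
            findings.append(f"group {sid}: redirected packets had no appliance assigned")
    return findings
```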

Verify WCCP Mode

You can monitor the WCCP configuration from the SD-WAN GUI.

To monitor the WCCP configuration:

  1. Navigate to the Monitoring > Appliance Performance > WCCP page.
  2. Select a cache and click Get Info. A Cache Status page displays the WCCP configuration, as shown in the following figure.

    [Figure: Cache Status page]

  3. Start traffic that should be forwarded through the SD-WAN appliance and monitor the connection on the Monitoring > Optimization > Connections page.
    • If the connections are shown on the Accelerated Connections tab, that is an indicator that everything is working.
    • If the connections are on the Unaccelerated Connections tab, look at the Details column. A “routing asymmetry detected” message implies that one of the “ip wccp redirect” lines on the router is missing or has an error, or that different paths are taken by client-server and server-client traffic.
    • If no connections are shown, but the appliance reports that it is connected to the router, and the WCCP monitoring page shows no errors, the issue is probably with the router configuration.