WCCP?
Web Cache Communication Protocol is something that, in the simplest sense, can be referred to as layer 4 routing, just like Policy Based Routing (PBR). I refer to it like that so it’s clear on which layer you’re going to have to think for this article.
PBR has the advantage that you can check incoming traffic on an interface, and depending on the layer 3 and layer 4 source and destination information, you can influence the next hop. WCCP is a specialization and automation of this process: specialization, because it works for proxies (oh, and WAN accelerators) and certain ports only, and automation, because somewhat similar to a routing protocol, the routers and proxies communicate using WCCP.
I assume it’s clear what a proxy is: a server that requests a webpage on behalf of a client computer. The proxy can filter inappropriate content, cache it to speed up other requests to the same website, and some even have an anti-virus scan built in.
While WCCP was developed by Cisco, it’s been adopted by many proxy vendors. I’m going to use the open-source Squid, running on OpenBSD. Since I’m mainly interested in WCCP, I did a basic Squid install and tweaked the WCCP parameters in the config file (/etc/squid/squid.conf).
Now how exactly does it work? Well, the proxies advertise their proxy capabilities using a WCCP ‘Here I am’ frame. If configured correctly, the routers respond with an ‘I see you’ frame. I’m not making up these names: I’ve uploaded a capture of this on CloudShark. Since the proxy and the router(s) do not necessarily share a subnet, these messages are carried in UDP on port 2048, so they can be routed.
Once a router or multilayer switch and a proxy see each other, the router checks the parameters advertised by the proxy: what can it do? Proxy for http, https, and/or ftp? If the service is considered interesting (it matches the desired features), the router starts forwarding traffic for those specific services (ports) towards the proxy. Because the router redirects based on layer 4 information, the clients are unaware of this and don’t need any proxy configured in the browser. Forwarding works in one of two ways: through a GRE tunnel or directly on layer 2. Layer 2 requires the proxy and the router to share a subnet or VLAN, and this method is widely supported by layer 3 switches. The GRE tunnel method is usually supported by routers.
Topology
The topology uses three VLANs: one for the clients, one for the proxy, and one towards the gateway.
Because I’m using a multilayer switch as WCCP router, which only supports layer 2 forwarding of WCCP, the proxy has to be in a different subnet from the clients, as the switch somehow refuses to rewrite the MAC address of a frame and send it back out the same interface. The proxy needs internet access too, of course, since it makes the connections to the web servers on behalf of the clients. The connection to the gateway is a third VLAN, or a layer 3 interface on the switch towards the gateway (remember ‘no switchport’?).
Configuration
As said, I’m going to focus mostly on the WCCP router here, using the following parameters: the standard service ‘web-cache’ (basic proxy capabilities for http; more advanced configurations require a custom service group, whose parameters are included in the WCCP frames), layer 2 forwarding, and unicast WCCP frames. In the squid.conf file these are all configurable options, with extra information present in the file itself.
Assuming 192.168.168.0/24 for the clients and 192.168.163.0/24 for the proxy, with the Squid at .5, the configuration is as follows:
WS-C3560-8PC(config)#interface Vlan163
WS-C3560-8PC(config-if)#ip address 192.168.163.1 255.255.255.0
WS-C3560-8PC(config-if)#exit
WS-C3560-8PC(config)#ip access-list standard ACL-WCCP
WS-C3560-8PC(config-std-nacl)#10 permit 192.168.163.5
WS-C3560-8PC(config-std-nacl)#exit
WS-C3560-8PC(config)#ip access-list standard ACL-PROXY
WS-C3560-8PC(config-std-nacl)#10 permit 192.168.168.0 0.0.0.255
WS-C3560-8PC(config-std-nacl)#exit
WS-C3560-8PC(config)#ip wccp web-cache
WS-C3560-8PC(config)#ip wccp web-cache redirect-list ACL-PROXY group-list ACL-WCCP
WS-C3560-8PC(config)#interface Vlan168
WS-C3560-8PC(config-if)#ip address 192.168.168.1 255.255.255.0
WS-C3560-8PC(config-if)#ip wccp web-cache redirect in
WS-C3560-8PC(config-if)#exit
ACL-WCCP defines which WCCP clients (proxies) may join the service group, and ACL-PROXY defines the clients whose traffic is redirected (you can exclude certain clients this way). Note that both are standard ACLs; using an extended ACL didn’t work.
The discovery of an interesting proxy comes with a nice syslog:
%WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP Client 192.168.163.5
After that the switch starts redirecting the http frames towards the proxy, which does the rest.
I have to admit, I had a great deal of help from the people of Networking-forum.com, and in particular Steven King, who explained WCCP in great detail.
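As an added example (not from this article or from Squid), here is a small decoder for the WCCPv2 ‘Here I am’ / ‘I see you’ messages discussed above, following the WCCPv2 draft layout (8-byte header, then type/length components). It extracts the Security Info component, so you can see whether a message carries the protocol’s MD5 password option or nothing at all (the group-list ACL above is the only other thing keeping unwanted proxies out of the service group), and the Service Info component that carries the service group parameters. The flag names are Squid’s wccp2_service_info names; the sample message is constructed here, not taken from the CloudShark capture, and describes a dynamic service group with tcp ports 80, 23, 20, 21 and 6000.

```python
import struct

# WCCPv2 message and component types (draft-wilson-wrec-wccp-v2-01)
MSG_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGN", 13: "REMOVAL_QUERY"}
SECURITY_INFO, SERVICE_INFO = 0, 1
# Service flag bits, named as Squid's wccp2_service_info directive names them
SERVICE_FLAGS = {0x1: "src_ip_hash", 0x2: "dst_ip_hash", 0x4: "source_port_hash",
                 0x8: "dst_port_hash", 0x10: "ports_defined", 0x20: "ports_source",
                 0x100: "src_ip_alt_hash", 0x200: "dst_ip_alt_hash",
                 0x400: "src_port_alt_hash", 0x800: "dst_port_alt_hash"}


def parse_wccp2(data: bytes) -> dict:
    """Decode the header plus the Security Info and Service Info components of a WCCPv2 message."""
    if len(data) < 8:
        raise ValueError("short WCCPv2 header")
    msg_type, version, length = struct.unpack("!IHH", data[:8])  # length excludes the header
    if version != 0x0200 or len(data) < 8 + length:
        raise ValueError("not a complete WCCPv2 message")
    result = {"type": MSG_TYPES.get(msg_type, msg_type), "security": None, "service": None}
    off, end = 8, 8 + length
    while off + 4 <= end:
        ctype, clen = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 4 + clen]
        if len(body) != clen:
            raise ValueError("truncated component")
        if ctype == SECURITY_INFO:
            option = struct.unpack("!I", body[:4])[0]  # 0 = no security, 1 = MD5 (16-byte digest follows)
            result["security"] = "md5" if option == 1 else "none"
        elif ctype == SERVICE_INFO:
            stype, sid, prio, proto, flags = struct.unpack("!BBBBI", body[:8])
            ports = [p for p in struct.unpack("!8H", body[8:24]) if p]  # eight port slots, 0 = unused
            result["service"] = {"kind": "standard" if stype == 0 else "dynamic", "id": sid,
                                 "priority": prio, "protocol": proto,
                                 "flags": [n for bit, n in SERVICE_FLAGS.items() if flags & bit],
                                 "ports": ports}
        off += 4 + clen
    return result


def build_sample() -> bytes:
    """Constructed sample: an unauthenticated Here I Am for dynamic service 90 (tcp, priority 240)."""
    sec = struct.pack("!HHI", SECURITY_INFO, 4, 0)            # Security Info: option 0 (none)
    svc = struct.pack("!HHBBBBI8H", SERVICE_INFO, 24, 1, 90, 240, 6,
                      0x10 | 0x100 | 0x200, 80, 23, 20, 21, 6000, 0, 0, 0)
    body = sec + svc
    return struct.pack("!IHH", 10, 0x0200, len(body)) + body


if __name__ == "__main__":
    print(parse_wccp2(build_sample()))
```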
When transparent redirection with a WCCP-enabled router is used to redirect requests to a Content Engine, the web clients send their content requests to the source and are not aware that their requests are being redirected to the Content Engine by a WCCP-enabled router. Because this interception and redirection process is completely “invisible,” or “transparent,” to the client who is requesting the content, no desktop changes are required (clients do not have to configure their browsers or media players to point to a specific proxy server). The Content Engine operation is transparent to the network; the WCCP-enabled router operates entirely in its normal role for nonredirected traffic.
Thanks for the information. I was wondering if you had also attempted using dynamic WCCP configuration. This all works great with web–cache but I can’t get any redirection with the dynamic configuration even though I’m trying to redirect port 80. Thanks for any insight you can provide.
Hi David,
Unfortunately, I got just as far as you did, trying to get port 80 running with a dynamic config, but it wouldn’t work.
Hi Reggie, I got it working a couple of days ago and then broke it again trying to figure out what change was required. I’ll let you know what my setup looks like when I get it running again.
OK, I got it working again after putting the original configuration back in and doing a reload.
My configuration is a bit different as I’m using squid to get traffic to a tunnel and the traffic isn’t seen by the switch again.
Here’s my squid configuration for the dynamic service; some of the flags may be unnecessary but it works.
wccp2_service_info 90 protocol=tcp flags=src_ip_alt_hash,dst_ip_alt_hash priority=240 ports=80,23,20,21,6000
wccp2_service_info 91 protocol=tcp flags=src_ip_alt_hash,ports_source priority=220 ports=80,23,20,21,6000
On the switch one of the things I did differently was to use numbered standard ACLs and permit host entries.
Here’s the switch config for WCCP:
ip wccp 90 redirect-list 15
ip wccp 91 redirect-list 16
interface GigabitEthernet0/13
no switchport
ip address 10.1.6.247 255.255.255.0
ip wccp 90 redirect in
ip wccp 91 redirect in
access-list 15 permit 10.1.6.105
access-list 15 permit 10.1.5.101
access-list 15 permit 10.1.6.143
access-list 16 permit 10.1.6.105
access-list 16 permit 10.1.5.101
access-list 16 permit 10.1.6.143
That’s it. I’m still looking at what is actually required.
Have fun,
Dave