Wccp Negotiation; Md5 Security; Packet Redirection And Service Groups - Cisco Catalyst 3560-X Software Configuration Manual

Chapter 1
Configuring Cache Services By Using WCCP

WCCP Negotiation

In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled
switch negotiate these items:

- Forwarding method (the method by which the switch forwards packets to the application engine).
  The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the
  target application engine MAC address. It then forwards the packet to the application engine. This
  forwarding method requires the target application engine to be directly connected to the switch at
  Layer 2.
- Assignment method (the method by which packets are distributed among the application engines in
  the cluster). The switch uses some bits of the destination IP address, the source IP address, the
  destination Layer 4 port, and the source Layer 4 port to determine which application engine receives
  the redirected packets.
- Packet-return method (the method by which packets are returned from the application engine to the
  switch for normal forwarding). These are the typical reasons why an application engine rejects
  packets and starts the packet-return feature:
  - The application engine is overloaded and has no room to service the packets.
  - The application engine receives an error message (such as a protocol or authentication error)
    from the server and uses the dynamic client bypass feature. The bypass enables clients to bypass
    the application engines and to connect directly to the server.

  The application engine returns a packet to the WCCP-enabled switch to forward to the server as if
  the application engine is not present. The application engine does not intercept the reconnection
  attempt. In this way, the application engine effectively cancels the redirection of a packet to the
  application engine and creates a bypass flow. If the return method is Layer 2 rewrite, the packets are
  forwarded in hardware to the target server. When the server responds with the information, the
  switch uses normal Layer 3 forwarding to return the information to the requesting client.

MD5 Security

WCCP provides an optional security component in each protocol message to enable the switch to use
MD5 authentication on messages between the switch and the application engine. Messages that do not
authenticate by MD5 (when authentication of the switch is enabled) are discarded by the switch. The
password string is combined with the MD5 value to create security for the connection between the switch
and the application engine. You must configure the same password on each application engine.

Packet Redirection and Service Groups

You can configure WCCP to classify traffic for redirection, such as FTP, proxy-web-cache handling, and
audio and video applications. This classification, known as a service group, is based on the protocol type
(TCP or UDP) and the Layer 4 source and destination port numbers. The service groups are identified either
by well-known names such as web-cache, which means TCP port 80, or a service number, 0 to 99.
Service groups are configured to map to a protocol and Layer 4 port numbers and are established and
maintained independently. WCCP allows dynamic service groups, where the classification criteria are
provided dynamically by a participating application engine.

You can configure up to 8 service groups on a switch or switch stack and up to 32 cache engines per
service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the
priority to configure the service groups in the switch hardware. For example, if service group 1 has a

OL-25303-03
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Understanding WCCP
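
The following is an added example, not part of the Cisco manual: a Python check that audits an IOS-style configuration against the MD5 Security and service-group statements on this page, flagging service groups with no MD5 password, service numbers outside 0 to 99, and more than 8 service groups. The `ip wccp ... password` global-command syntax and the sample configuration are assumptions constructed for illustration; the function name `audit_wccp` is hypothetical.

```python
import re

# Constructed running-config excerpt (not from the manual). The `ip wccp`
# global-command syntax used here is an assumption; this page does not show it.
SAMPLE_CONFIG = """\
ip wccp web-cache
ip wccp 61 password 0 constructed-pw
ip wccp 62 redirect-list 120
ip wccp 150 password 0 constructed-pw
interface GigabitEthernet1/0/1
 ip wccp web-cache redirect in
"""

MAX_SERVICE_GROUPS = 8            # per switch or switch stack (from the page)
SERVICE_NUMBERS = range(0, 100)   # valid service numbers 0 to 99 (from the page)

# Global definitions only: interface-level "ip wccp ..." lines are indented.
GLOBAL_WCCP = re.compile(r"^ip wccp (web-cache|\d+)\b(.*)$")


def audit_wccp(config: str) -> list[str]:
    """Return findings for WCCP service groups in an IOS-style config."""
    findings, groups = [], {}
    for line in config.splitlines():
        m = GLOBAL_WCCP.match(line)
        if not m:
            continue
        group, options = m.group(1), m.group(2).split()
        # Merge repeated definitions of the same service group.
        groups[group] = groups.get(group, False) or "password" in options
    for group, has_password in groups.items():
        if group != "web-cache" and int(group) not in SERVICE_NUMBERS:
            findings.append(f"{group}: service number outside 0-99")
        if not has_password:
            # Without a password the switch does not apply MD5 authentication
            # to messages for this service group.
            findings.append(f"{group}: no MD5 password, messages are not authenticated")
    if len(groups) > MAX_SERVICE_GROUPS:
        findings.append(
            f"{len(groups)} service groups exceed the limit of {MAX_SERVICE_GROUPS}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_wccp(SAMPLE_CONFIG):
        print(finding)
```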