Wccp Bypass Packets - Cisco ASR 1000 Series Configuration Manual

WCCP Bypass Packets

WCCP Bypass Packets
WCCP intercepts IP packets and redirects those packets to a destination other than the destination that is
specified in the IP header. Typically the packets are redirected from a web server on the Internet to a web
cache that is local to the destination.
Occasionally a web cache cannot manage the redirected packets appropriately and returns the packets unchanged
to the originating router. These packets are called bypass packets and are returned to the originating router
using either Layer 2 forwarding without encapsulation (L2) or encapsulated in generic routing encapsulation
(GRE). The router decapsulates and forwards the packets normally. The VRF associated with the ingress
interface (or the global table if there is no VRF associated) is used to route the packet to the destination.
GRE is a tunneling protocol developed by Cisco that encapsulates packet types from a variety of protocols
inside IP tunnels, creating a virtual point-to-point link over an IP network.
WCCP Closed Services and Open Services
In applications where packets are intercepted and redirected by a Cisco IOS router to external WCCP client
devices, it may be necessary to block the packets for the application when a WCCP client device is not
available. This blocking is achieved by configuring a WCCP closed service. When a WCCP service is
configured as closed, the packets that fulfill the services, but do not have an active client device, are discarded.
By default, WCCP operates as an open service, wherein communication between clients and servers proceeds
normally in the absence of an intermediary device.
The ip wccp service-list or the ipv6 wccp service-list command can be used only for closed-mode services.
Use the service-list keyword and service-access-list argument to register an application protocol type or port
number.
When there is a mismatch between the service list ACL and the definition received from a cache engine, the
service is not allowed to start.
WCCP Outbound ACL Check
When WCCP is enabled for redirection on an ingress interface, the packets are redirected by WCCP and
instead egress on an interface other than the destination that is specified in the IP header. The packets are still
subject to ACLs configured on the ingress interface. However, redirection can cause the packets to bypass
the ACL configured on the original egress interface. Packets that would have been dropped because of the
ACL configured on the original egress interface can be sent out on the redirect egress interface, which poses
a possible security problem. Enabling the WCCP Outbound ACL check feature ensures that redirected packets
are subject to any ACL conditions configured on the original egress interface.
WCCP Service Groups
WCCP is a component of Cisco IOS software that redirects traffic with defined characteristics from its original
destination to an alternative destination. The typical application of WCCP is to redirect traffic bound for a
remote web server to a local web cache to improve response time and optimize network resource usage.
IP Application Services Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
98
WCCPv2—IPv6 Support