Networks Wetworks

I have completed a configuration write-up for WCCPv2 and the Websense Content Gateway. I go over basic configuration, IP Spoofing, and lightly touch on the differences involving using IOS Routers, Switches, and the ASA.  I also list some best-practice setups and gotchas.  Below is a very basic copy and paste of the document; it is missing pictures and formatting. You can download the full document in PDF format HERE. Enjoy!

Preface

This is an unofficial document. This document is presented as-is with no warranty involved in its accuracy of information and content. While I have been able to test and verify some of the content, it is mostly based on what “should” happen in theory and my own research. Unfortunately I do not have the environment available to test every situation.

Lastly, it is assumed you have read and are familiar with the terms and methods described in Module 1: Overview, so that information will not be re-hashed.

Planning

WCCP can be very simple and very complex at the same time. It is very important that you treat it like any other network implementation and take the time to analyze your network environment and its capabilities and limitations. Supported features can differ greatly depending on hardware/software platform, so any specific questions regarding the capabilities of a customer’s equipment should be identified and directed to Cisco during the planning phase instead of being forced to do so during troubleshooting, as this can cause delays in implementation, unnecessary outages, and even unplanned financial ramifications in the case where a software upgrade is needed.

Configure WCCP Server – IOS Router/Switch

For this example, we will configure WCCP for the given network topology below:

Create standard ACL to be used for the Group List (Optional)

In this step, we will configure an ACL to be utilized as a “group list”. This is optional, but a best practice security measure. This specifies what is allowed to participate in a given service group. Without this, any device could leverage WCCP and send Here I Am (HIA) messages and join the service group as long as it meets all requirements and includes the password if configured. In a worst case scenario, an attacker could leverage this to become the designated web cache, and then send a redirect assignment to effectively force the WCCP server to send all traffic to his machine as a man-in-the-middle attack.

In the output provided below, an ACL is configured to only permit 10.212.8.11:

! First, we configure

1711-2Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

1711-2Router(config)#ip access-list standard wccp_group_list

11711-2Router(config-std-nacl)#permit host 10.212.8.11

711-2Router(config-std-nacl)#deny any

1711-2Router(config-std-nacl)#exit

! Then, we verify

1711-2Router(config)#do sh ip access-list wccp_group_list

Standard IP access list wccp_group_list

10 permit 10.212.8.11

20 deny any[1]

Create extended ACL to be used for the Redirect List (Optional)

In the next step, we will configure an extended ACL to use for the “redirect list”. This identifies the interesting traffic that we want to redirect. In this case, we want to redirect only a part of the 10.212.0.0/16 network; specifically, IP traffic sourced from the 10.212.8.8/29 subnet, and nothing else.

! First, we configure

1711-2Router(config)#ip access-list extended wccp_redirect_list

1711-2Router(config-ext-nacl)#permit ip 10.212.8.8 0.0.0.7 any

1711-2Router(config-ext-nacl)#deny ip any any

1711-2Router(config-ext-nacl)#exit

! Then, verify

1711-2Router(config)#do sh ip access-list wccp_redirect_list

Extended IP access list wccp_redirect_list

10 permit ip 10.212.8.8 0.0.0.7 any

20 deny ip any any

Enable WCCP

Next, we enable WCCP on the router. We’re going to utilize service ID 0 for the service group, and a password for added security. Until we configure and enable WCCP on the Websense Content Gateway (WCG), the service group will not establish.

! Enable WCCP for a given service ID # and assign the associated redirect and group lists. Optionally, you can also specify a password.

1711-2Router(config)#ip wccp 0 redirect-list wccp_redirect_list group-list wccp_group_list password websense

! Verify

1711-2Router(config)#do sh ip wccp

Global WCCP information:

Router information:

Router Identifier: -not yet determined-

Protocol Version: 2.0

Service Identifier: 0

Number of Cache Engines: 0

Number of routers: 0

Total Packets Redirected: 0

Redirect access-list: wccp_redirect_list

Total Packets Denied Redirect: 0

Total Packets Unassigned: 0

Group access-list: wccp_group_list

Total Messages Denied to Group: 9

Total Authentication failures: 1

Total Bypassed Packets Received: 0

Enable WCCP on the Interface

The last part of the configuration on the router will be to enable redirection on the desired interface. For this example, all Internet traffic is coming in on the SVI for VLAN 10 (10.212.0.4). This is where we will configure WCCP redirection.

! Configure WCCP redirection on the desired interface

1711-2Router(config)#int vl 10

1711-2Router(config-if)#ip wccp 0 redirect in[2]

1711-2Router(config-if)#exit

! Verify configuration

1711-2Router(config)#do sh run int vl 10

Building configuration...

Current configuration : 151 bytes

!

interface Vlan10

ip address 10.212.0.4 255.255.0.0

ip access-group permit_all in

ip wccp 0 redirect in

ip nat inside

ip virtual-reassembly

end

Configure the WCG[3]

Moving on to the WCG, after WCCP is enabled, go to Configure > Networking > WCCP in the WCG Manager and edit the file to set up the service group as shown below. In this example, we are using dynamic service ID 0 for both HTTP and HTTPS[4].

Once this is completed and the WCG is restarted, it will start sending HIAs to the WCCP Server and the service group will establish.

Verify establishment of Service Group

It is important to verify the establishment of the service group before expecting traffic to be redirected. We can also take a look at the assignment method information as well as the router’s cluster view.

1711-2Router#sh ip wccp 0

Global WCCP information:

Router information:

Router Identifier: 10.212.0.4

Protocol Version: 2.0

Service Identifier: 0

Number of Cache Engines: 1

Number of routers: 1

Total Packets Redirected: 0

Redirect access-list: wccp_redirect_list

Total Packets Denied Redirect: 0

Total Packets Unassigned: 0

Group access-list: wccp_group_list

Total Messages Denied to Group: 4543

Total Authentication failures: 739

Total Bypassed Packets Received: 0

1711-2Router#sh ip wccp 0 det[5]

WCCP Cache-Engine information:

Web Cache ID: 10.212.8.11

Protocol Version: 2.0

State: Usable

Initial Hash Info: 00000000000000000000000000000000

00000000000000000000000000000000

Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Hash Allotment: 256 (100.00%)

Packets Redirected: 0

Connect Time: 00:00:53

Bypassed Packets

Process: 0

Fast: 0

CEF: 0

1711-2Router#sh ip wccp 0 view

WCCP Routers Informed of:

10.212.0.4

WCCP Cache Engines Visible:

10.212.8.11

WCCP Cache Engines NOT Visible:

-none-

For additional verification, you can also verify establishment of the service group within the WCG Manager. Notice that it specifies a configured mode, and a negotiated mode.

Configure and Verify Filtering

Once the service group has been established, we can reasonably expect traffic to be redirected to the WCG. The easiest way to verify this is to simply setup a policy to block traffic, and confirm you can pull a block page.

The Router ID: More than Just a Number

In the past, I have thought of the router ID as mostly just cosmetic. Over time however, I’ve found this to be very important to be aware of, for at least two major reasons.

Instability within the service group can occur if you have two routers in the same service group that happen to have the same Router ID. It’s difficult to illustrate this, but as described in the previous Overview Module, the WCCP Server sends I See You (ISU) messages to its WCG(s) with a sequential Receive ID, and it expects that same Receive ID to be communicated back to it. If the WCG receives two different Receive IDs, it will attempt to communicate the last receive ID it received back to the routers in its next HIA message. This can cause those HIAs to be dropped by one of the routers due to the Receive ID being invalid.

This condition can be identified in debug output on the router, but that will be saved for the upcoming troubleshooting module. This is easily fixed by adding a loopback interface on one of the routers with a higher IP address so that a different Router ID is acquired.

Another major concept to be aware of is that when utilizing GRE, the Router ID is used as the source IP when the initial redirection is performed, so the packet on a GRE forward looks something like this:

What this means is that you can effectively prevent this forward from occurring by having an ACL on an interface along the path this traffic takes that doesn’t permit the IP address of the Router ID, even though it explicitly allows the IP of the interface where WCCP redirection is enabled.

Making Changes to Established Service Groups

If a change is needed in the redirect list or in other areas of an active service group, it is considered a best practice to make those changes in the following order:

1. Disable WCCP on all affected WCGs

2. Remove interface configuration

3. Remove or change the global configuration

a. Redirect/Group Lists on WCCP Server

b. Forward/Return/Assignment Method on WCG

4. Apply new global configuration

5. Re-register WCGs

However, saying this, I have seen changes made to the redirect list ACL on-the-fly with no ill results many times.

IP Spoofing[6]

Enabling IP Spoofing on the WCG presents a unique challenge. In order for this to work correctly, you must control both sides of the Internet traffic; return traffic from the origin server must be redirected back to the WCG to serve to the client.

This is accomplished with a standard service group that keys off of destination port to handle the client Internet traffic, and a “reverse” service group that keys off source port to handle the return traffic from the origin server. Because IP Spoofing causes the WCG to send its traffic with the source IP of the client, this also requires that the WCG be on a different subnet/VLAN than the client traffic in order to prevent the WCCP Server from redirecting traffic sourced from the WCG back to itself.

As shown below, the redirect lists used for these service groups are mirrored. On the standard service group we are redirecting IP traffic sourced from the 10.212.8.8/29 subnet destined anywhere. On the reverse service group, we are redirecting IP traffic destined to the 10.212.8.8/29 subnet sourced from anywhere.

On the WCG, a reverse service group is specified under Advanced Settings. Also, change the assignment method to distribute traffic based off of source IP instead of destination IP.

Case Study – IP Spoofing Gone Wrong

A customer desired to utilize IP Spoofing in his environment. The general traffic flow from the internal LAN to the Internet was through the core switch fabric, up to the router, and then back through the core out to an edge firewall before finally getting to the Internet.

The problem was that the WCG resided in the same subnet/VLAN as his client traffic, resulting in the WCG’s traffic taking the same path to get out to the Internet. There wasn’t an issue with the initial redirection (blue path numbered 1), but when the WCG proxies the request on behalf of the client (red path numbered 2), this IP traffic hit the interface that WCCP redirection was configured on, and due to IP Spoofing, the source IP was that of the client and not the WCG.

Normally a WCCP Server knows not to send traffic from one of its WCCP Clients back to itself due to it keeping a record of its client’s IP addresses in the cluster view, but since the source IP of the client was maintained instead, it matched what was specified in the configured redirect list of the router, and the router sent the traffic back to the WCG (red path numbered 3).

To address this, a separate logical sub-interface was configured (fa 0/0.2) into a new VLAN 20, and the WCG was assigned a new IP address within this new VLAN. This enabled the WCG to take a separate path out to the Internet that was not through the interface where WCCP redirection was configured, as shown below.

Differences with the Cisco Switch

Thankfully there is not much difference in syntax between the IOS router and switch[7] when it comes to configuration. On a switch, you want to leverage the hardware as much as possible. This means:

· Inbound Redirection

· Utilize Mask assignment

· Use L2 Forward/Return

o Note: This requires L2 adjacency between the proxy and the WCCP Server.

Differences with the Cisco ASA

The ASA is a beast all of its own. This is probably where I see the most of the TS cases if I had to guess. Personally, I’d rather leverage WCCP elsewhere if I could, but I have seen it deployed successfully in many environments. Some of the limitations include:

· Cannot use IP Spoofing

· Cannot redirect traffic from one security zone onto another (DMZ to Inside, etc.)

· Cannot utilize bypasses in the WCG, as this will cause a WCCP redirect loop

For configuration:

· Utilize GRE Forward/Return

· Utilize Hash Assignment

· Use specific Layer 4 statements in the redirect list ACL

o Examples:

§ Good: permit tcp 10.212.8.8 255.255.255.248 any eq www

§ Bad: permit ip 10.212.8.8 255.255.255.248 any

---

[1] There is an implied “deny any” at the end of any ACL. Configuring this deny statement is to help with visualizing it.

[2] Inbound redirection is recommended wherever possible to reduce processor overhead.

[3] It should be noted that the version of the WCG used for this document is v7.6.2. Our implementation of WCCP was heavily improved upon in version 7.6.x in comparison to v7.5. This allows us to specify multiple ports for a single service ID.

[4] Customers often read Cisco documentation and attempt to use the well-known service ID of “web-cache”. The WCCP Server will accept this, however the WCG utilizes dynamic service IDs. This will cause the HIA messages sent by the WCG to be dropped and the service group will not establish.

[5] Depending on your hardware/software platform, this output can also show what methods were ultimately negotiated. Saying that, it is important to remember that what you specify in the WCG doesn’t guarantee that method is supported by the WCCP Server and/or will be negotiated.

[6] IP Spoofing with HTTPS is only supported in v7.6 but has known performance issues. This has been reported to be rectified in v7.6.2

[7] Something to note is the Nexus series of switches. At the time of this writing, I have no experience with this and the NX-OS, so I have purposely left this out. As always, refer to your Cisco documentation and representative for specific information regarding this platform.

Hello all!  Been a while.  I recently did a write up of an overview on WCCP for work as a side project.  There is no confidential information contained in this document, so I thought I would share it with all of you who are looking to deploy WCCP to transparently redirect traffic to a proxy, such as Websense’s Content Gateway. Below it is basically copy/pasted in the blog article, so it is missing pictures and formatting.  You can get the document in it’s original PDF format including pictures, HERE.

Preface

This document is presented as-is with no warranty involved in its accuracy of information and content. While I have been able to test and verify some of the content, it is mostly based on what “should” happen according to the sources listed at the end of the document, and theory. Ultimately, it is Cisco’s protocol and equipment, and given the WCG’s mysterious behavior at times, results may vary. Also, I am not claiming this document as my own work as that would be plagiarizing considering a large portion of content has been re-used from the sources listed at the end of this document. Now that that’s out of the way, enjoy!

Introduction to Web Cache Communication Protocol (WCCP)

WCCP enables routers (which of course include multilayer switches and firewalls) to transparently redirect selected traffic to a WCG or cluster of WCGs. It allows one or more routers enabled for transparent redirection to discover, verify, and advertise connectivity to one or more WCGs.

Once connectivity is established, the routers and WCGs form Service Groups to handle redirection of traffic whose characteristics are part of the Service Group definition.

The protocol provides the means to negotiate the specific method used for load distribution among WCGs and also the method used to transport traffic between the router and WCG.

A single WCG within a Service Group is elected as the designated web-cache whose responsibility is to provide the routers with the data which determines how redirected traffic is distributed between the WCGs in the Service Group.

Enhancements Provided by v2

WCCP v2 provides several enhancements over v1:

· Multi-Router Support

· Multicast Support

· Improved Security

· Support for redirection of non-HTTP traffic

· Packet return

· Alternative Hashing

· Multiple Forwarding Methods

· Multiple Assignment Methods

· Command and Status Information

Terminology

Assignment Method – The method by which redirected packets are distributed between WCGs in a cluster.

Designated Web-Cache – The WCG in a cluster that dictates to the router or routers how redirected traffic should be distributed among the WCGs in the Service Group.[1]

Forwarding Method – How redirected packets are transported from the router to the WCG.

Packet Return Method – How packets will be returned to a router for normal forwarding by the WCG.

Service Group – A group of one or more routers plus one or more WCGs working together to perform transparent redirection for a particular service such as HTTP or HTTPS.

Joining a Service Group

A Service Group is identified by Service Type and Service ID. There are two types of Service Groups; Well Known and Dynamic. The WCG uses Dynamic Service IDs, so in order for the Router to use the Dynamic Service ID by Service ID alone and no other information, the WCG must describe the characteristics of the Dynamic Service Group.

Think of yourself as a traffic cop at a busy intersection, and I’ve told you, “I want you to let regular traffic coming from this direction continue on its path, but I want to you to direct Websense traffic to turn right and go down this road instead.” You might ask yourself, “Well how do I identify the Websense traffic among the rest?” This is where I tell you that the Websense traffic will consist of SUVs, painted blue, whose license plates say “Websense”. In other words, I’m describing the characteristics of that traffic to you.

This required information is contained within the “Here I am” message sent by the WCG. This message contains the Protocol, Service Flags, and Port Fields that describe the Dynamic Service to the router.[2]

The Web Cache Identity Info component of the message identifies the WCG by IP address.

The Service Info component identifies and describes the Service Group that the WCG wishes to participate in.

A router responds to the Here I Am message with an “I See You” message. If the Here I Am message was unicast , the router responds with its own unicast message. If the Here I Am message was multicast however, the router will respond via a scheduled multicast message every 9 seconds.

The Router Identity component in an I See You message includes a list of the WCGs to which the packet is addressed.

Lastly, if a router receives a Here I Am message describing a Dynamic Service that it has not been configured for, it will discard the message.

Security

WCCP v2.0 provides simple authentication via an MD5 password. This requires that each router and WCG that wants to join a Service Group be configured with the Service Group password. This means that this password must be configured on the WCG AND the router. Each WCG and router in the Service Group will communicate the password and MD5 checksum within each packet in the Security Info component. After validating the WCCP message header, the Security Info portion is checked. Packets failing authentication are discarded.

It is normal for the checksum values to not appear to match when viewing the Here I Am and I See You messages in a packet capture.

Maintaining Connectivity

In order for the router to consider the WCG “usable”, and to maintain two-way connectivity, the router will send an “I See You” message with a “Receive ID”. This is maintained separately for each Service Group, and is incremented each time the message is sent.

This message must be reflected back by the WCG in its next Here I Am message. If the receive ID in the next Here I Am message does not match, the router discards the message. This results in the WCG not being considered useable and will prevent the WCG from joining the Service Group. In the event this begins occurring where the WCG is a member of the Service Group, this condition will eventually cause the WCG to be removed from the Service Group.

The router uses the WCG IP information to create a cluster view, or a list of WCGs in the Service Group (If you have multiple). This view is sent via an I See You message to each WCG in the Service Group, making the WCGs aware of each other. In the example below, one WCG is in the cluster view[3].

Electing the Master of the Universe (aka The Designated Web Cache)

When utilizing multiple WCGs within a Service Group, and once the Service Group has stabilized after a membership change, the WCG with the lowest IP address in the Service Group is elected as the designated web cache. The designated web-cache must be receiving I See You messages from every router in the Service Group.

WCCP Negotiation

A WCG and router will negotiate the method which packets are forwarded to a single WCG by the router, how packets are distributed between multiple WCGs in a Service Group, and how packets are returned to a router for normal forwarding.

There are two methods used forwarding and returning traffic: L2 and GRE. There are also two methods of distributing traffic among multiple WCGs: HASH and MASK.

The router advertises what methods it supports using the optional Capabilities Info component of the I See You message. The WCG then inspects this, selects a supported method based on what it has been configured for, and reports this back to the router via the optional Capabilities Info component of its next Here I Am message. The router inspects this and if the selected method is supported, the router finally considers the WCG useable and adds it to the Service Group.

Packet Forward/Redirect Method

This negotiation is per WCG, per Service Group, so WCGs participating in the same Service Group may negotiate different forwarding methods with the Service Group Routers. The absence of the optional Capabilities Info component in the WCG’s Here I Am message implies that it is requesting the default GRE encapsulation method. The absence of this in the router’s I See You message indicates that the router supports the default GRE encapsulation method only.

Assignment Method

This negotiation is per Service Group, so WCGs participating in several Service Groups may negotiate a different assignment method for each Service Group. The absence of the optional Capabilities Info component in the WCG’s Here I Am message implies that it is requesting the default Hash assignment method. The absence of this in the router’s I See You message indicates that the router supports the default Hash assignment method only.

Packet Return Method

This negotiation is per Service Group as well, so again, WCGs participating in several Service Groups many negotiate a different packet return method for each Service Group. The absence of the optional Capabilities Info component in the WCG’s Here I Am message implies that it is requesting the default GRE packet return method. The absence of this in the router’s I See You message indicates the router supports the default GRE encapsulation method only.

L2 vs. Generic Routing Encapsulation (GRE)

“L2” is translated to Layer 2, the Data Link layer of the OSI model. Utilizing the L2 method simply means that that when forwarding or returning traffic, the destination MAC address is rewritten to the appropriate device, be it the WCG or the router. The problem with L2 is that MAC addresses cannot be routed, so it requires all participating devices to be directly connected at L2, or “L2 Adjacent”.

This is where GRE comes in. GRE encapsulates packets in a second L3 header. This allows the router to forward traffic to a WCG that can be one or more “hops” away on a separate subnet.

Pictured below is a packet capture of a GET request that has been forwarded from an IOS Router to a WCG utilizing GRE. Toward the bottom, you can see the first/original L3 header with the source IP of the client, 10.212.8.8, and the destination IP of the web server (In this case, www.dyepaintball.com). Near the top you can see the second L3 header added by GRE containing the source IP address of the router, 10.212.0.3, and the destination IP address of the WCG, 10.212.8.14.

When the WCG performs a packet return to a router for normal forwarding, as would happen when the WCG receives traffic for a website that has a static bypass for it configured in ARM, the destination and source IP addresses in the second L3 header would be reversed and the first L3 header obviously stays the same. This encapsulation allows the WCG to return traffic to a router for normal forwarding that has redirection applied to its internal interface, preventing a looping condition that could exist utilizing the L2 method due to the source IP of that packet matching the interesting traffic specified in a “redirect list”[4].

Traffic Distribution

Traffic distribution is performed in one of two ways; Hash Tables and Mask/Value sets. It is the responsibility of the designated web-cache to assign the Hash Tables or Mask/Value sets to each of the routers in the Service Group. This information is contained in a “Redirect Assignment” message, which is generated whenever there is a change in Service Group membership, and is sent to the same set of routers that it sends Here I Am messages. The designated web-cache will wait 15 seconds after a change in order to allow the Service Group membership to stabilize before sending the message. The designated web-cache uses either the Assignment Info or Alternate Assignment Info Component to list the WCGs to which traffic should be distributed.

Hash Tables

When using hash assignment, each router uses a 256-bucket Redirection Hash Table to distribute traffic for a Service Group among the WCGs. The designated web-cache uses the Redirect Assignment message to assign the routers’ Redirection Hash tables.

The Redirection Hash Tables are conveyed in the Assignment Info Component of the Redirect Assignment message. This contains an Assignment Key that will be reflected back to the designated web-cache in the router’s next I See You message.

The Redirect Assignment method may be repeated after 10 seconds if the I See You message returned by the router indicates that the router has not received an assignment.

A router will flush its Redirection Hash Table if a Redirect Assignment message is not received within 50 seconds of a Service Group membership change. A router will also flush its Redirection Hash Table if it receives a Redirect Assignment message in which it is not listed.

Redirection with Hash assignment is a two-step process. In the first step, a primary key is formed from the packet, which is defined in the Service Group description within the Service Info component. This hash key is the destination IP address by default[5]. Because the hash itself is not configurable, and is deterministic in nature, all routers within the same Service Group will make the same load-distribution decision given the same hash key.

In the second step, a bitwise hash is performed on the key identified as part of the Service Group, creating an index. This index is mapped to a bucket. The packet will then ultimately be sent to the WCG that has that specific bucket assigned. If the index matches an unassigned bucket, the packet is forwarded normally.

Mask/Value Sets

When using mask assignment each router uses masks and a table of values to distribute traffic for a Service Group across the WCGs. The designated web-cache uses the Alternate Assignment Info component in a Redirect Assignment to assign the routers’ mask/value set.[6] Just like Hash Tables, this message is reflected back to the designated web-cache, and the message may be repeated after 10 seconds if the router hasn’t indicated it received an assignment. Also just like Hash Tables, a router will flush its mask/value set if a Redirect Assignment is not received within 50 seconds of a Service Group membership change, or if it receives a Redirect Assignment in which it is not listed.

Like Hash Tables, redirection with Mask/Value Sets is a two-step process. The first step involves performing a bitwise AND operation between the mask from the first mask/value set in the Service Group definition and the contents of the packet. The 96-bit output of this operation is then compared to a list of mask/value pairs. Each mask/value pair is associated with a bucket, and each bucket is assigned to a WCG. If absolutely no match is found, the packet is forwarded normally.

Sources:

Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SG – Configuring WCCPv2 Services

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/wccp.html#wp1000978

Configuring Web Cache Services Using WCCP

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf018_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Daren Matthews >> WCCP Load Distribution (Hash and Mask)

http://mccltd.net/blog/?p=999

Internet Draft for WCCP v2

http://www.wrec.org/Drafts/draft-wilson-wrec-wccp-v2-00.txt

---

[1] This is called the “Leader” in v7.6

[2] This is transmitted every 10 seconds over UDP port 2048. This communication can be configured as unicast to each router, or multicast.

[3] This communication can also be unicast or multicast.

[4] This is not always true. There are some special circumstances and devices that do not so simply abide by these rules; more on that in a future module.

[5] This can be and often is changed to utilize the source IP instead. An example of where this is needed is when a single site request pulls parts of the web page from multiple destination IP addresses, which end up being serviced by multiple WCGs in the Service Group and causes the site to fail to load properly.

[6] Unfortunately, I haven’t been able to get a capture of Mask assignment, so there are very little pictures in this section. This section is also for the most part word-for-word out of the RFC. Sorry!

Ever work through some labs and run into situations where you have to shut down links which will cut off access to one or more of your devices?  One of the best things in my opinion for your home lab is the ability to access all of your devices without having an active link.

This can be done with a Cisco 2509 Access Server.  You can find them for relatively cheap on EBay or where I get my stuff most of the time, Cables And Kits.com. The setup and configuration is surprisingly easy!

Here is what it looks like logically.  In my lab I have a layer 3 switch and two layer 2 switches.  In the past, if I needed to shut down the links, I’d have to get up off my lazy butt and go swap the console cable from my PC to the switches individually.  Well we can’t have that, so now I just have my console cable plugged into the 2509 AS, and it doesn’t matter if I shut down all of the Ethernet links; I’ll still have connectivity to all of my devices through the console connections!

The way this is done is by utilizing an “octal” cable.  This cable plugs into one of the Asynchronous Serial ports on the 2509, and it has 8 numbered cables that can be plugged into the console ports of devices. 

We then configure the 2509 so that we can perform a “reverse telnet” to our devices.  The reason why it is called reverse telnet is because we are basically telnetting from the 2509 to a loopback interface on a specific port, which then telnets us into one of the devices it’s hooked up to.

 

For a configuration video, click here:

Configure Terminal Services on a Cisco 2509

Finally, after four attempts and a year of studying, I passed the CCNP Switch exam!!!  It was by the skin of my teeth but after so much time and money, I’ll take it!

On to the CCNP Route!

Hi folks.  I've currently scheduled another shot at the CCNP Switch exam for January 4th, so right now I'm plugging away at the lab and books.  I promise as soon as I get some time I'll post some new content!  Thanks for your patience!

Hi folks.  Just wanted to let everyone know I’ve been extremely busy with life and school and I will hopefully be able to make some new posts and videos soon!

On a side note:

 

HAPPY TURKEY DAY!!!!!

Hey guys, Steve and the cohorts over at Networking-Forum.com are having an exciting contest!  Click here to check it out, but here’s the gist:

• Submit an essay by Oct 8th detailing why you want to earn the CCNA certification and why you make a good candidate for the scholarship.
• If selected, Cisco Press will be sponsoring your books.  And NF.com will reimburse your exam fees!

So head on over to Networking-Forum.com and get crackin’!!  Best of luck to all the participants!!