Troubleshooting guide
1-16
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Traffic Interception
Configuring WCCP on WAEs
a. If the WAE decides to accept the request, it sends a TCP SYN ACK packet to the client. In this
response packet, the WAE uses the IP address of the original destination (origin server) that was
specified as the source address so that the WAE can be invisible (transparent) to the client; it
pretends to be the destination that the TCP SYN packet from the client was trying to reach.
b. If the WAE decides not to accept the request, it reencapsulates the TCP SYN packet in GRE,
and sends it back to the WCCP-enabled router. The router understands that the WAE is not
interested in this connection and forwards the packet to its original destination (that is, the
origin server).
Layer 2 Redirection as a Packet-Forwarding Method
Layer 2 redirection is accomplished when a WCCP-enabled router or switch takes advantage of internal
switching hardware that either partially or fully implements the WCCP traffic interception and
redirection functions at Layer 2. This type of redirection is currently supported only with the
Catalyst 6500 series switches and Cisco 7200 and 7600 series routers. With Layer 2 redirection, the first
redirected traffic packet is handled by the router software. The rest of the traffic is handled by the router
hardware. The branch WAE instructs the router or switch to apply a bit mask to certain packet fields,
which in turn provides a mask result or index mapped to the branch WAE in the service group in the form
of a mask index address table. The redirection process is accelerated in the switching hardware, making
Layer 2 redirection more efficient than Layer 3 GRE.
Note WCCP is licensed only on the WAE and not on the redirecting router. WCCP does not interfere with
normal router or switch operations.
Information About WCCP Flow Redirection on WAEs
Flow protection reduces the impact on existing client TCP connections when branch WAEs are added
and removed from a service group. By default, WCCP flow redirection is disabled on a WAE. The client
impact is reduced because of flow protection in the following situations, typical in large WCCP service
farms:
• WAAS network expansion—When branch WAEs are added to the service group, the newly started
branch WAEs receives traffic that was previously processed by a different branch WAE. It forwards
the traffic to the relevant branch WAE for continued processing. New connections are processed by
the new branch WAE.
• Branch WAE replacement following a failure—When a branch WAE fails, another branch WAE may
receive traffic that was previously processed by either that branch WAE or the origin file server. The
receiving branch WAE operates according to the previous two use cases.
Without flow protection, established client connections are broken through a TCP RESET in the
situations listed earlier. Flow protection applies to all supported WCCP services and cannot be
configured on a per-service basis.
To enable flow protection for a specified time period, use the wccp flow-redirect enable timeout
seconds global configuration command. After the timeout period, flow protection ceases. If you do not
specify the timeout option, flow protection is enabled indefinitely.
Note Network designs that require redirected frames to be returned to the originating router are not compatible
with the WCCP flow protection feature.