Saturday, February 19, 2011

WCCP on ASA

Guidelines and Limitations

Supported WCCP Features

The following WCCPv2 features are supported with the adaptive security appliance:

Redirection of multiple TCP/UDP port-destined traffic.

Authentication for cache engines in a service group.

Unsupported WCCP Features

The following WCCPv2 features are not supported with the adaptive security appliance:

Multiple routers in a service group are not supported. Multiple cache engines in a service group are still supported.

Multicast WCCP is not supported.

The Layer 2 redirect method is not supported; only GRE encapsulation is supported.

WCCP source address spoofing is not supported.

WAAS devices are not supported.

WCCP Interaction With Other Features

In the adaptive security appliance implementation of WCCP, the following applies to how the protocol interacts with other configurable features:

Cut-through proxy will not work in combination with WCCP.

An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic will not be redirected to a cache engine. Both ingress interface access lists and egress interface access lists will be applied.

TCP intercept, authorization, URL filtering, inspect engines, and IPS features are not applied to a redirected flow of traffic.

When a cache engine cannot service a request and the packet is returned, or when a cache miss happens on a cache engine and it requests data from a web server, then the contents of the traffic flow will be subject to all the other configured features of the adaptive security appliance.

In failover, WCCP redirect tables are not replicated to standby units. After a failover, packets will not be redirected until the tables are rebuilt. Sessions redirected prior to failover will likely be reset by the web server.

If you have two WCCP services and they use two different redirection ACLs that overlap and match the same packets (with a deny or a permit action), the packets behave according to the first service-group found and installed rules. The packets are not passed through all service-groups.
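One way to audit a configuration for the overlapping redirect ACL case described above, as an added example that is not part of the original post or of Cisco's documentation. The ACL names, addresses and service number 90 are constructed, and the parser assumes the simple `access-list NAME extended ACTION PROTO SRC DST [eq PORT]` form only, comparing port tokens literally (so `www` and `80` are treated as different).

```python
import ipaddress
from itertools import product

# Constructed sample config (not from the page): two WCCP services whose
# redirect ACLs both match web traffic from 10.1.20.0/24.
SAMPLE_CONFIG = """
access-list WCCP_WEB extended permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list WCCP_WEB extended deny tcp host 10.1.20.9 any eq www
access-list WCCP_ALT extended permit tcp 10.1.20.0 255.255.255.0 any eq www
access-list WCCP_ALT extended permit tcp 10.2.0.0 255.255.0.0 any eq 8080
wccp web-cache redirect-list WCCP_WEB
wccp 90 redirect-list WCCP_ALT
"""

def _take_addr(tok):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")  # address + netmask

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    rest = tok[5:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = rest[1] if rest[:1] == ["eq"] else None  # None means any port
    return {"acl": tok[1], "action": tok[3], "proto": tok[4],
            "src": src, "dst": dst, "port": port, "line": line}

def aces_overlap(a, b):
    """True if some packet matches both entries; the action is ignored on purpose."""
    if a["proto"] != b["proto"] and "ip" not in (a["proto"], b["proto"]):
        return False
    same_port = None in (a["port"], b["port"]) or a["port"] == b["port"]
    return same_port and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])

def overlapping_pairs(config, acl_a, acl_b):
    """Return (line_a, line_b) for every overlapping entry pair of two ACLs."""
    lines = [l.strip() for l in config.splitlines()]
    aces = [parse_ace(l) for l in lines if l.startswith("access-list ")]
    first = [a for a in aces if a["acl"] == acl_a]
    second = [a for a in aces if a["acl"] == acl_b]
    return [(x["line"], y["line"]) for x, y in product(first, second) if aces_overlap(x, y)]

if __name__ == "__main__":
    for a, b in overlapping_pairs(SAMPLE_CONFIG, "WCCP_WEB", "WCCP_ALT"):
        print("overlap:\n  " + a + "\n  " + b)
```

Both the permit and the deny entry of WCCP_WEB are reported against WCCP_ALT, since an overlap with either action means those packets are handled by only one of the two service groups.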

 

Reference: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html