[c-nsp] WCCPv2 Cisco 7600 + mask assignment problems

Lincoln Dale (ltd) ltd at cisco.com
Mon Sep 11 19:18:04 EDT 2006


> When we had TCAM issues...It would have been L2 Redirect + NetApp caches.
> The TCAM was an ACL merge thing - we had outbound ACLs and the redirect
> (controlled by ACL) on the same interface. A minor change to an ACL kicked
> it all to the MSFC and things got very slow, very quickly. It was a while

actually, very likely it was both a combination of ACL & MLS cache.

if you were using L2-redirect (good) + XOR-hashing, enabling the WCCP
service group would have resulted in the switch installing an ACL like:

	for any TCP traffic with destination port 80, punt to s/w
	for all other traffic, forward as per normal in CEF h/w path

depending on how you did your ACL for sites that you didn't want to
intercept, it may have meant that you had an ACL of something like:

	for TCP with a dst ip-addr "site#1" port 80, send as per normal
	for TCP with a dst ip-addr "site#2" port 80, send as per normal
	for TCP with a dst ip-addr "site#3" port 80, send as per normal
	...
	for TCP with a dst ip-addr "site#N" port 80, send as per normal
	for any TCP traffic with destination port 80, punt to s/w
	for all other traffic, forward as per normal in CEF h/w path

programming ACLs into a TCAM isn't a trivial thing - and if you were
making frequent changes, that wouldn't be good.

but more than likely the real issue was that you were already sending a
significant amount of traffic to the MSFC because of the "punt to s/w"
anyway.

> We use an ACL to determine some sites/clients that aren't cached. We try to
> keep it to a minimum but it's easier to let some clients bypass the cache
> than spend 2 weeks persuading them that issues accessing www.acme.com are
> non-cache related.

if netapp supported "L2 return" and policies for what to 'bypass' (don't
know if they did when netapp still had a cache product), then the policy
could have been entirely in the cache & the burden not put on the
switch/router.

> This is the current "sh ip wccp web-cache detail" (one of 6 caches) - which
> I presume to mean we're Hashed not Masked? IOS is 12.3(3). I don't think
> we've had to change IOS since deployment on those boxes. I see the command
> ref for 12.4 now also shows the process/fast/CEF switched counts.

yes, "masked" is only really relevant for cat6k/7600 and some other
Cisco platforms with h/w-accelerated switching.  on a 7200 NPE-G1 it
won't really add anything.

> #sh ip wccp web-cache detail
> 
> WCCP Cache-Engine information:
>         Web Cache ID:          x.x.x.x
>         Protocol Version:      2.0
>         State:                 Usable
>         Initial Hash Info:     00000000000000000000000000000000
>                                00000000000000000000000000000000
>         Assigned Hash Info:    00000000000000000000000000000000
>                                00000000000000000000000003FFFFFF
>         Hash Allotment:        26 (10.15%)
>         Packets Redirected:    3861396156
>         Connect Time:          7w0d

btw, if there are 6 caches here, looks like they're either dealing with
different traffic allocations - OR - they're not coping with the load
you're giving them & they've reduced the amount of traffic being pushed
at them; note that it's 10.15% traffic allotment, not 1/6th of 100%...


cheers,

lincoln.
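
The allotment check described in the message above, as an added example that is not part of the original post: it decodes the "Assigned Hash Info" bitmap from `sh ip wccp web-cache detail` output and flags caches holding less than an equal share. WCCPv2 hash assignment uses 256 buckets; the function names and the 90% tolerance are assumptions made for this sketch.

```python
import re

BUCKETS = 256  # WCCPv2 hash assignment spreads traffic over 256 buckets

# Constructed sample: the output quoted in the message, cache ID redacted as on the page.
SAMPLE = """\
WCCP Cache-Engine information:
        Web Cache ID:          x.x.x.x
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    00000000000000000000000000000000
                               00000000000000000000000003FFFFFF
        Hash Allotment:        26 (10.15%)
        Packets Redirected:    3861396156
        Connect Time:          7w0d
"""

def parse_caches(text):
    """Return one dict per cache engine: id, assigned buckets, share of traffic."""
    caches = []
    # Each cache engine block starts at a "Web Cache ID:" line.
    for block in re.split(r"(?=Web Cache ID:)", text)[1:]:
        cache_id = re.search(r"Web Cache ID:\s+(\S+)", block).group(1)
        # The 256-bit bitmap is printed as two lines of 32 hex digits.
        assigned = re.search(
            r"Assigned Hash Info:\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)", block)
        if not assigned:
            continue
        reported = re.search(r"Hash Allotment:\s+(\d+)", block)
        buckets = bin(int(assigned.group(1) + assigned.group(2), 16)).count("1")
        caches.append({"id": cache_id, "buckets": buckets,
                       "reported": int(reported.group(1)) if reported else None,
                       "share": buckets / BUCKETS})
    return caches

def underallocated(caches, expected_caches, tolerance=0.9):
    """Caches whose share is below tolerance * (1 / expected_caches)."""
    fair = 1 / expected_caches
    return [c for c in caches if c["share"] < fair * tolerance]

if __name__ == "__main__":
    for c in underallocated(parse_caches(SAMPLE), expected_caches=6):
        print(f"{c['id']}: {c['buckets']}/{BUCKETS} buckets ({c['share']:.2%})")
```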
