Md5 security, Packet redirection and service groups – Dell POWEREDGE M1000E User Manual

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 43 Configuring Web Cache Services By Using WCCP

Understanding WCCP

MD5 Security

WCCP provides an optional security component in each protocol message to enable the switch to use
MD5 authentication on messages between the switch and the application engine. Messages that do not
authenticate by MD5 (when authentication of the switch is enabled) are discarded by the switch. The
password string is combined with the MD5 value to create security for the connection between the switch
and the application engine. You must configure the same password on each application engine.

Packet Redirection and Service Groups

You can configure WCCP to classify traffic for redirection, such as FTP, proxy-web-cache handling, and
audio and video applications. This classification, known as a service group, is based on the protocol type
(TCP or UDP) and the Layer 4 source and destination port numbers. The service groups are identified either
by well-known names such as web-cache, which means TCP port 80, or a service number, 0 to 99.
Service groups are configured to map to a protocol and Layer 4 port numbers and are established and
maintained independently. WCCP allows dynamic service groups, where the classification criteria are
provided dynamically by a participating application engine.

You can configure up to 8 service groups on a switch and up to 32 clients per service group. WCCP
maintains the priority of the service group in the group definition. WCCP uses the priority to configure
the service groups in the switch hardware. For example, if service group 1 has a priority of 100 and looks
for destination port 80, and service group 2 has a priority of 50 and looks for source port 80, the incoming
packet with source and destination port 80 is forwarded by using service group 1 because it has the
higher priority.

WCCP supports a cluster of application engines for every service group. Redirected traffic can be sent
to any one of the application engines. The switch supports the mask assignment method of load
balancing the traffic among the application engines in the cluster for a service group.

After WCCP is configured on the switch, the switch forwards all service group packets received from
clients to the application engines. However, these packets are not redirected:

Packets originating from the application engine and targeted to the web server.

Packets originating from the application engine and targeted to the client.

Packets returned or rejected by the application engine. These packets are sent to the web server.

You can configure a single multicast address per service group for sending and receiving protocol
messages. When there is a single multicast address, the application engine sends a notification to one
address, which provides coverage for all routers in the service group, for example, 225.0.0.0. If you add
and remove routers dynamically, using a single multicast address provides easier configuration because
you do not need to specifically enter the addresses of all devices in the WCCP network.

You can use a router group list to validate the protocol packets received from the application engine.
Packets matching the address in the group list are processed; packets not matching the group list address
are dropped.

To disable caching for specific clients, servers, or client/server pairs, you can use a WCCP redirect
access control list (ACL). Packets that do not match the redirect ACL bypass the cache and are
forwarded normally.

Before WCCP packets are redirected, the switch examines ACLs associated with all inbound features
configured on the interface and permits or denies packet forwarding based on how the packet matches
the entries in the ACL.
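
The redirect decision described in this section can be modeled in a few lines. The following is an added example, not code from Cisco or from the switch software: it reproduces the priority example above (group 1, priority 100, destination port 80; group 2, priority 50, source port 80) together with the redirect ACL bypass and the rule that packets originating from an application engine are not redirected. The class and function names, the addresses, and the choice to evaluate the redirect ACL only for the selected group are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class ServiceGroup:
    name: str
    priority: int
    proto: str
    port: int
    match_on: str                     # classify on "src" or "dst" port
    engines: frozenset = frozenset()  # application engine addresses
    redirect_acl: Optional[Callable[[Packet], bool]] = None  # None: no ACL

    def classifies(self, pkt: Packet) -> bool:
        port = pkt.sport if self.match_on == "src" else pkt.dport
        return pkt.proto == self.proto and port == self.port

def decide(groups, pkt):
    """Return (action, group name) for one inbound packet (hypothetical model)."""
    matches = [g for g in groups if g.classifies(pkt)]
    # When several groups classify the packet, the highest priority wins.
    group = max(matches, key=lambda g: g.priority, default=None)
    if group is None:
        return ("forward", None)          # no service group matches
    if pkt.src in group.engines:
        return ("forward", group.name)    # engine-originated: not redirected
    if group.redirect_acl and not group.redirect_acl(pkt):
        return ("forward", group.name)    # no redirect ACL match: bypass cache
    return ("redirect", group.name)

# Constructed sample data (documentation address ranges, hypothetical names).
ENGINES = frozenset({"10.0.0.10"})
NO_CACHE_CLIENTS = {"192.0.2.50"}         # clients with caching disabled
GROUPS = [
    ServiceGroup("group1", 100, "tcp", 80, "dst", ENGINES,
                 redirect_acl=lambda p: p.src not in NO_CACHE_CLIENTS),
    ServiceGroup("group2", 50, "tcp", 80, "src", ENGINES),
]
```

Packets returned or rejected by the application engine are outside this model, as is the inbound interface ACL check that precedes redirection.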
