Cayazo
Staff & Editor
Article Id 337683
Description: This article describes the use of FortiGate as a WCCP server with different WCCP client configurations.
Scope: FortiGate, FortiWeb.
Solution

What WCCP is:


WCCP is an abbreviation for Web Cache Communication Protocol. The protocol defines the interaction between a router (FortiGate in this case) and external web cache engines or proxy servers. WCCP selectively redirects traffic toward the cache engine (the WCCP client) to optimize network performance, reducing the bandwidth consumed and improving response time.

How WCCP operates:

 

  • Traffic Redirection:
    WCCP allows routers to recognize traffic by type, e.g. HTTPS, and forward it to a cache engine for processing.
  • Service Groups:
    WCCP operates based on service groups. A service group is identified by a list of the inspected protocols, a list of the routers, and a list of the cache engines. The routers then redirect the traffic according to the configured service group.
  • Load Balancing:
    WCCP makes it possible to perform load balancing across a group of cache engines. The primary aim of load balancing is to distribute incoming requests among the cache engines, based on previously calculated hash values, so that the available resources are used more fully.

 

WCCP Versions and Limitations:

 

WCCPv1:

  • Single Service Support: WCCPv1 supports only one service group, normally HTTP traffic, so the types of traffic it can handle are very limited.
  • Lack of Security Features: WCCPv1 does not include security features such as MD5 authentication, so it is open to attacks involving unauthorized redirection of traffic and other threats.
  • Limited Scalability: WCCPv1 has a very simple design that does not scale well to larger, more complicated networks that must manage multiple services or large amounts of traffic.

WCCPv2:

  • Multiple Service Groups: WCCPv2 supports more than one service group, so it can handle various types of traffic.
  • Enhanced Security: WCCPv2 supports MD5 authentication, which provides basic security by verifying the integrity and authenticity of the communications between routers and cache engines.
  • Enhanced Scalability and Redundancy: WCCPv2 provides better load balancing and redundancy, but in very large-scale deployments the mechanism can still become a bottleneck or need careful tuning.

 

Compatibility limitations: WCCPv2 is not backward-compatible with WCCPv1, which creates a problem in mixed environments where not all devices support the new version. Implementing WCCPv2 might therefore call for a widespread upgrade of the network.

WCCP subscription:


WCCP works by having the client subscribe to the FortiGate. The FortiGate is unaware of the WCCP client until it subscribes.
WCCP uses 'Here I Am' and 'I See You' packets to subscribe, negotiate settings, and perform health checks:

  • 'Here I Am' is sent from the WCCP client to the FortiGate to subscribe and to tell it about the configured settings. This includes the port redirections, weight assignment, service ID, assignment method, redirect method, etc.
  • 'I See You' is an acknowledgment from the FortiGate to the WCCP client, informing it that the subscription is successful.
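The following added example (not part of the original article or Fortinet's code) parses a 'Here I Am' payload captured on UDP/2048 and reports the service ID, the redirected ports, and whether the client subscribed with MD5 authentication. The field layout and numeric constants are taken from the WCCP v2 Internet-Draft rather than from this article, and the sample message is constructed.

```python
import struct

# Constants from the WCCP v2 Internet-Draft (assumption: not listed in this article).
MSG_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGN", 13: "REMOVAL_QUERY"}
SECURITY_INFO, SERVICE_INFO = 0, 1
NO_SECURITY, MD5_SECURITY = 0, 1


def parse_wccp2(payload: bytes) -> dict:
    """Parse the header, Security Info and Service Info of a WCCPv2 UDP/2048 payload."""
    if len(payload) < 8:
        raise ValueError("shorter than the 8-byte WCCPv2 message header")
    msg_type, version, length = struct.unpack_from("!IHH", payload, 0)
    if version != 0x0200:
        raise ValueError(f"not WCCPv2 (version field {version:#06x})")
    if length != len(payload) - 8:  # length field excludes the message header
        raise ValueError("header length does not match payload size")
    out = {"type": MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
           "md5_auth": None, "service_id": None, "ports": []}
    off = 8
    while off + 4 <= len(payload):
        ctype, clen = struct.unpack_from("!HH", payload, off)
        body = payload[off + 4: off + 4 + clen]
        if len(body) < clen:
            raise ValueError("component runs past end of message")
        if ctype == SECURITY_INFO and clen >= 4:
            out["md5_auth"] = struct.unpack_from("!I", body)[0] == MD5_SECURITY
        elif ctype == SERVICE_INFO and clen >= 24:
            _stype, sid, _prio, _proto, _flags = struct.unpack_from("!BBBBI", body)
            out["service_id"] = sid
            out["ports"] = [p for p in struct.unpack_from("!8H", body, 8) if p]
        off += 4 + clen
    return out


def build_sample(md5: bool) -> bytes:
    """Constructed Here I Am: dynamic service 90, TCP ports 80 and 443 (zeroed MD5 field)."""
    sec = struct.pack("!I", MD5_SECURITY) + bytes(16) if md5 else struct.pack("!I", NO_SECURITY)
    svc = struct.pack("!BBBBI8H", 1, 90, 0, 6, 0x10, 80, 443, 0, 0, 0, 0, 0, 0)
    comps = struct.pack("!HH", SECURITY_INFO, len(sec)) + sec
    comps += struct.pack("!HH", SERVICE_INFO, len(svc)) + svc
    return struct.pack("!IHH", 10, 0x0200, len(comps)) + comps


if __name__ == "__main__":
    for md5 in (False, True):
        print(parse_wccp2(build_sample(md5)))
```

A result with `md5_auth` set to `False` identifies a client that subscribes without the authentication described under the WCCPv2 security features.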

WCCP Health checks:


WCCP uses the previously mentioned 'Here I Am' and 'I See You' packets to perform health checks every 10 seconds.

If the FortiGate does not receive a 'Here I Am' packet in 25 seconds, it will send a removal query message to the WCCP client, and it should respond as soon as possible. If no response is received within 5 seconds, the WCCP client is considered offline and removed from the WCCP pool.
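As an added example (not from the original article), the timers above can be replayed over 'Here I Am' arrival times taken from a packet capture to see when a client would have been queried or dropped from the pool. It assumes that any 'Here I Am' arriving within the 5-second window counts as the response to the removal query; the sample timestamps are constructed.

```python
# Timers as stated in the article (seconds).
QUERY_AFTER = 25   # silence before the FortiGate sends a removal query
REMOVE_AFTER = 5   # time allowed for a response to the removal query


def pool_events(here_i_am_times, capture_end):
    """Return [(time, event)] for one WCCP client from its 'Here I Am' arrival times.

    Assumption: a 'Here I Am' received within REMOVE_AFTER seconds of the
    removal query keeps the client in the pool.
    """
    times = sorted(here_i_am_times)
    events = []
    in_pool = False
    for i, seen in enumerate(times):
        if not in_pool:
            # The FortiGate only learns about a client when it subscribes.
            events.append((seen, "subscribed"))
            in_pool = True
        nxt = times[i + 1] if i + 1 < len(times) else capture_end
        query_at = seen + QUERY_AFTER
        if nxt > query_at:
            events.append((query_at, "removal_query"))
            if nxt > query_at + REMOVE_AFTER:
                events.append((query_at + REMOVE_AFTER, "removed"))
                in_pool = False
    return events


# Constructed arrival times: steady keepalives, a 28 s gap (query answered in
# time), then a 40 s gap (client removed, re-subscribes later).
SAMPLE = [0, 10, 20, 48, 58, 98, 108]

if __name__ == "__main__":
    for when, event in pool_events(SAMPLE, capture_end=110):
        print(f"t={when:>3}s  {event}")
```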

WCCP protocol:


WCCP uses port UDP/2048 to communicate between FortiGate and WCCP client.


WCCP Redirection and Return:

 

WCCP can use GRE or L2 forward to send traffic back and forth:

 

GRE:

  • Redirection: Packets that are forwarded will be encapsulated with a GRE header. These packets also contain a WCCP redirect header.
  • Return: The return packets are also encapsulated with a GRE header. The packet's destination IP address is FortiGate's address, while the source IP address is that of the WCCP client.

L2 Forward:

  • Redirection: The MAC header of the original IP packet is replaced by the MAC header for the FortiWeb, which allows direct forwarding to the WCCP client without further lookups. The packets that need L2 redirection should have a source either from a directly connected FortiGate or from a WCCP client located in the same subnet.
  • Return: The same IP packet without any added header information will be sent back. The FortiGate receiving the return packet will recognize the source and not re-redirect.

 

Note: The redirection method in WCCP does not need to match the return method.

 


Comments
MaryBolano
Staff & Editor

Great job @Cayazo !!! Keep it up!!! 

lpedraza
Staff

Well done @Cayazo ! Please keep up the good work!