Ip wccp redirect-list acl

Hi
I have 2 different Nexus switches running different NX-OS versions (6.0(4) & 6.2(6)), with different line cards (F2 & F2E) and different Sups (Sup 1 & Sup 2), but they share the same problem. The Sup 2 devices run vPC and the Sup 1 device is standalone; this is the only difference.
I am trying to configure WCCP on the device to redirect HTTP & HTTPS traffic to Websense. I created the following lines on both Nexus switches:
feature wccp
ip wccp 1 redirect-list WS_REDIRECT
ip wccp 5 redirect-list WS_REDIRECT
ip wccp 70 redirect-list WS_REDIRECT
ip access-list WS_REDIRECT
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
interface vlan 7
 ip wccp 1 redirect in
 ip wccp 5 redirect in
 ip wccp 70 redirect in
This redirects all the traffic, even the traffic matched by the deny lines.
No bug is reported in the Bug Toolkit.
Could you please help me.

Okay, it's weird that you have multiple WCCP groups.
Considering you are only using one ACL, just use one WCCP group ID.
Also, here is a sample config:
Let's say you want to redirect traffic from VLANs 10, 11 and 12 to WCCP
and your WCCP device is in VLAN 20.
#conf t
#ip wccp version 2            -DEFAULT: ver1
#ip wccp 90
#ip wccp 90 password wccp123    -THIS IS OPTIONAL! Place a password on your WCCP instance.
#interface vlan 10
  #ip wccp 90 redirect in
#interface vlan 11
  #ip wccp 90 redirect in
#interface vlan 12
  #ip wccp 90 redirect in
#interface vlan 20
  #ip wccp redirect exclude in     -avoid optimization loops
Your WCCP device will be in VLAN 20, and I recommend dedicating that VLAN to WCCP devices.
Configure your WCCP device (Websense) and define the service group ID; in this example it's wccp 90, and of course the IP of VLAN 20.
By default, all traffic on interfaces configured with "ip wccp 90 redirect in" will be forwarded to the WCCP device.
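As an added example (not code from the thread, Cisco, or Websense), here is a small evaluator for the redirect-list syntax used in the first post. It applies the semantics the replies rely on: first matching entry wins, permit means hand the packet to the WCCP service group, deny means forward it normally, and anything unmatched falls to the implicit deny, so it is not redirected. The ACL text is the poster's WS_REDIRECT; the client address and flows used to exercise it are constructed.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "bgp": 179, "tacacs": 49}

# The redirect-list from the first post, copied verbatim; non-entry lines are skipped.
WS_REDIRECT = """
 deny  ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
"""

@dataclass(frozen=True)
class Entry:
    action: str   # "permit" = hand the packet to WCCP, "deny" = forward normally
    proto: str    # "ip" matches any protocol; otherwise "tcp" / "udp"
    src: tuple    # (network, wildcard) as 32-bit ints
    dst: tuple
    sport: tuple  # (lo, hi), or None when the entry carries no port qualifier
    dport: tuple

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Parse an optional 'eq P' or 'range LO HI' that follows an address."""
    if i < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' lines into Entry objects."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue                      # blank lines, remarks, the ACL header
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(Entry(tok[0], tok[1], src, dst, sport, dport))
    return entries

def _addr_ok(addr, spec):
    net, wild = spec                      # a set wildcard bit means "don't care"
    return (addr & ~wild) == (net & ~wild)

def _port_ok(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def classify(entries, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny.
    Returns ('redirect' | 'bypass', 1-based index of the matching entry or None)."""
    for n, e in enumerate(entries, 1):
        if (e.proto in ("ip", proto) and _addr_ok(_ip(src), e.src)
                and _port_ok(sport, e.sport) and _addr_ok(_ip(dst), e.dst)
                and _port_ok(dport, e.dport)):
            return ("redirect" if e.action == "permit" else "bypass"), n
    return "bypass", None
```

For example, `classify(parse_acl(WS_REDIRECT), "tcp", "192.168.7.10", 51000, "10.20.30.40", 80)` returns `("bypass", 1)` because the first deny entry covers the RFC 1918 destination, while the same client talking to a public address on port 443 returns `("redirect", 5)`; the index tells you which entry to look at when a flow is not being redirected as expected.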

Similar Messages

  • WCCP Redirect list ACL mask for WAAS

    Good day,
    I would like to confirm if the following would be correct to implement for the WCCP redirection list on a 6500. We have over 800 branches and we also need to manage the intra-server traffic in the Data Center, which we do not want to be redirected.
    ip access-list extended WCCPLIST-61
    permit tcp 10.112.0.0 0.0.31.255 any
    ip access-list extended WCCPLIST-62
      permit tcp any 10.112.0.0 0.0.31.255
    So, as an example, would these masks work for us, as the number of entries otherwise would be exhaustive.
    Just want to confirm that the mask in the ACL doesn't have to match exactly.
    Thanks in advance.

    Hi Zach,
    Thanks for the response and confirmation.
    I was wanting to make sure that it is not required to have the masks match the source masks, resulting in the exhaustive list (operational nightmare).
    A quick question on the ACL for the WCCP redirect-list. Should we not see hits on specific entries (e.g. permit tcp 10.113.9.0 0.0.0.31 any for the 61 redirect list, and the same for the permit tcp any 10.113.9.0 0.0.0.31 for the 62 redirect list)?
    If we don't, no traffic? We see flows on the branch WAE, although very few (not many users), but no hits on the ACL on the DC 6500. Is this due to them being handled in hardware maybe, TCAMs?
    Any input would be appreciated.
    Thanks again.
    Paul.

  • ASR1002 throughput degradation when wccp redirect-list is changed

    We have two ASR 1002's going to 2 different WAN service providers, and two 7371 WAE load balanced by mask assignment. When we change the ACL (adding or removing lines) from our wccp redirect-list, the throughput on interfaces applied to the wccp service-groups is degraded to almost no traffic passing, until we completely remove wccp service group from the global configuration and then reapply. Then traffic throughput on the interface goes back to normal.
    Our ACL defined in the redirect list specifies our specific networks on our WAN that have WAE's and need the redirection. All other networks are denied implicitly. We need to regularly change this ACL, and this service interruption is a major issue. This was not an issue before moving to the ASR platform from 7206's.
    At TAC's request we have upgraded our IOS version to 15.1(3)S4 and that did not make any difference. Does anyone know why this occurs and if there is a way to work around this other than removing wccp configuration and adding back, every time the ACL needs to be modified?
    As a side note to this... We have recently added riverbed appliances, and created separate service groups with separate redirect-lists. The exact same behavior occurs on the ASR 1002 when the ACL for the riverbed's redirect list is altered.

    Thank you very much for sharing that information. It is great to hear verification that the mask assignment change did resolve your problem. That is the latest resolution that TAC has recommended, but we have to restart the WCCP service on all redundant edge routers to be able to implement this, so planning the outage window is taking some time. We've been told that TAC will set this up in a lab and test for us by our Cisco SE. We're hoping to get verification that this actually resolves the problem before we take the outage.
    If you could, can you tell me if this resolved the issue 100% or do you still have any performance issues when making a change to your WCCP ACL going to your Blue Coat equipment? We may also need to implement this in our redirects to Blue Coat from our Nexus. Do you happen to have a link to how to make this change in Blue Coat? Thanks again!

  • Can't make redirect-list on 4507R-E

    I need to deploy WAAS between a branch and HQ.
    The HQ side is a catalyst switch 6509-E (VSS) and branch side is a catalyst 4507R-E.
    The 6509-E supports "Redirect Filter" (an access-list) filtering just the traffic you want. The following is my access-list on the HQ side:
    ip wccp 61 redirect-list WCCPLIST group-list 3
    ip wccp 62 redirect-list WCCPLIST group-list 3
    access-list 3 permit 10.X.X.X     <--------- WAE IP address
    ip access-list extended WCCPLIST
    remark ** ACL used for WCCP redirect-list **
    remark Deny VoIP Control Traffic
    deny tcp any any eq 1300
    deny tcp any any eq 2428
    deny tcp any any eq 2000
    deny tcp any any eq 2001
    deny tcp any any eq 2002
    deny tcp any any eq 2443
    deny tcp any any eq 1718
    deny tcp any any eq 1719
    deny tcp any any eq 1720
    deny tcp any any eq 5060
    deny tcp any any range 11000 11999
    remark Deny MGT Traffic
    deny tcp any any eq telnet
    deny tcp any eq telnet any
    deny tcp any any eq 22
    deny tcp any any eq 161
    deny tcp any any eq 162
    deny tcp any any eq 123
    deny tcp any any eq 8443
    remark Deny Routing
    deny tcp any any eq bgp
    remark Deny Authentication Traffic
    deny tcp any any eq tacacs
    remark Accelerate Traffic between Branch and HQ
    permit tcp 10.Br.Br.0 0.0.0.255 10.HQ.HQ.0 0.0.0.255
    permit tcp 10.HQ.HQ.0 0.0.0.255 10.Br.Br.0 0.0.0.255
    Whereas on the Branch side, the 4507R-E platform doesn't support an ACL with WCCP, so it means WCCP will intercept all the TCP traffic.
    What would be the impact and how do I deal with this situation?
    Or is the WAE intelligent enough to pass through the unwanted traffic?
    Or do I need to make an individual pass-through policy for each of the unwanted traffic types?
    Regards,
    Jilani

    Hi Jilani,
    Can't see from your mail what kind of supervisor you are using in your 45xx switch.
    But please be aware that if you're using a SUP-7-E or a SUP-7-L-E, WCCP is NOT supported for the time being.
    WCCP is supported in Hardware but we're waiting for a software release, which supports this.
    This is according to the release notes :
    SUP-7-L-E : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/release/note/OL_25346.html
    SUP-7-E : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/release/note/OL_24726.html
    Strange thing is that you can actually "configure" some WCCP stuff, but the config will never hit the running-config.
    And you cannot enable WCCP.
    Feature Navigator states that WCCP is available in IOS XE 3.2.0XO (for SUP-7-L-E), but release notes tend to be more trustworthy than Feature Navigator.
    Best Regards
    Finn Poulsen

  • Lots of deny statements in the redirect list

    The following WAAS Configuration Guide has you configure the long redirect list below for "Network Modules." Does Cisco recommend we use the same redirect list for WAAS appliances as well?
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/waas/v421/quick/guide/waasqcg.html#wp1432144
    ip wccp version 2
    ip wccp 61 redirect-list waas-wccp-redirect-list
    ip wccp 62 redirect-list waas-wccp-redirect-list
    ip access-list extended waas-wccp-redirect-list
    remark WAAS WCCP Pilot Redirect list
    deny tcp any any eq telnet
    deny tcp any any eq 22
    deny tcp any any eq 161
    deny tcp any any eq 162
    deny tcp any any eq 123
    deny tcp any any eq bgp
    deny tcp any any eq tacacs
    deny tcp any any eq 2000
    deny tcp any any eq 5060
    deny tcp any any eq 1718
    deny tcp any any eq 1719
    deny tcp any any eq 1720
    deny tcp any any eq 554
    deny tcp any any eq 1755
    deny tcp any eq telnet any
    deny tcp any eq 22 any
    deny tcp any eq 161 any
    deny tcp any eq 162 any
    deny tcp any eq 123 any
    deny tcp any eq bgp any
    deny tcp any eq tacacs any
    deny tcp any eq 2000 any
    deny tcp any eq 5060 any
    deny tcp any eq 1718 any
    deny tcp any eq 1719 any
    deny tcp any eq 1720 any
    deny tcp any eq 554 any
    deny tcp any eq 1755 any
    permit tcp any any
    end

    A short addendum to this post, as it causes some confusion for customers:
    You don't have to configure a redirection ACL.
    Some reasons to exclude traffic from WCCP redirection are:
    - you know some networks are not behind a WAE, so you can exclude them
    - you know some server is doing bad things and want to exclude it from acceleration; for example DC -> DC traffic is signed, so WAAS cannot accelerate it
    - you want to reduce the latency on some very sensitive traffic that cannot get WAAS accelerated
    - you want to reduce the amount of redirected traffic on a software platform to reduce the general CPU/traffic load
    Take into account that WAAS will only ask to redirect TCP IPv4 traffic, so there is no need to exclude UDP, for example.
    Please note that on hardware platforms (Catalyst 3750, Catalyst 4500, Catalyst 6500, ASR 1000 or Nexus 7000) the redirection is often accelerated in hardware, so 'free', and the limitation to watch is the amount of TCAM space. Having a complex redirection ACL will eat up that TCAM space very fast, so is actually worse.
    Of course, if you are redirecting too much traffic and this is causing overload on the attached WAAS devices, you should consider having a redirection ACL.
    Also always check the WCCP platform support white paper for platform-specific limitations.
    So in short: it depends; many customers take the easy route and don't have one, removing one more component to maintain and check.
    Peter

  • Does wccp redirect break routing protocol?

    This may be a dumb question to ask; sorry, I don't have equipment to test it at this moment.
    If wccp redirect is configured on an interface running a routing protocol (such as EIGRP or OSPF), will this redirect the "unicast" OSPF database or EIGRP topology update to WAAS? And/or will this also redirect the OSPF & EIGRP "multicast" updates which maintain the neighbor relationship to WAAS?
    Should this type of traffic be denied on the wccp redirect-list?
    Thanks

    Hi Joe,
    Since WAAS normally uses TCP promiscuous mode services, based on service group number 61 and 62 - you'll only get TCP redirected ... and neither OSPF nor EIGRP runs on top of TCP, so don't worry.
    If you run a TCP based routing protocol like BGP, it will get redirected.
    Later versions of WAAS don't, by default, try to optimize on BGP, as it has given some problems in the past due to sequence number manipulation.
    Best Regards
    Finn Poulsen

  • Router WCCP redirect ACLs for WAAS

    Since WAAS accelerates TCP connections only, would it be more efficient to code my router WCCP redirect ACLS for protocol TCP instead of all IP traffic between my source and dest subnets I want redirected?

    Greg,
    The protocol (TCP) is an attribute of the WCCP service group, so using IP in your ACL is fine.
    Regards,
    Zach

  • Does introducing WCCP redirect for WAAS disrupt Netflow information?

    Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
    Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?

    I believe your problem may be due to the fact that you are redirecting HTTP-based traffic per the ACL configuration. The Sup720 uses WCCPv2 as the default version; however, the Sup720 does NOT support hardware-based redirection for TCP port 80 when we enable WCCPv2.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.htm#wp1017009
    Support for Non-HTTP Services:
    WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80)traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.

  • Wccp redirection for waas on same platform as wccp for websense?

    Just wondering if anyone knows if a Cisco router or switch can handle WCCP redirection enabled for both WAAS and some other web content filtering appliance using a different service group?
    Seems like the priority value would come into play determining which service group gets handled first?
    We currently do WCCP for WAAS on our 3945s.
    I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc., but the question is going to come up: "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
    Thanks,
    Paul

    Hi Paul,
    Yes, it's technically possible to have WCCP redirection for several services even in those devices that don't support setting the priority. However, in this case, both WAAS and Websense need to redirect HTTP traffic, and that's what makes things complicated.
    Assuming you first want to send the traffic to Websense and then to WAAS, I would recommend doing the WAAS redirection only on the WAN link (with one service inbound and the other outbound). You can then configure web-cache redirection inbound on the client VLAN and a service for the return traffic (I'm not sure if this is required for Websense) inbound on the interface where the WAE is connected (with a redirect-list to match only the return direction).
    Even if it's possible to have both redirections in the same device, if possible, I would strongly suggest you to either use different devices for the redirection or to make them mutually exclusive (for example, not sending HTTP to WAAS), otherwise, if you make a small mistake with the configuration, you can end up with a redirection loop.
    Regards
    Daniel

  • Wccp redirection

    We're utilizing wccp redirection in conjunction with WAE 4.1, where we have a good number of edge sites and the core site. If we disable wccp on the edge WAE, the session will not be optimized. However, would a packet still hit the WAE on the core?
    Thanks.

    If you are still intercepting traffic on the core and not excluding it via a redirect-list, then the core WAE will see the packets, but put them into PassThrough No-Peer. It would not be counted against optimized sessions.
    Dan

  • WAAS Redirect -list on 4506

    I am trying to configure a redirect on my 4506 device to restrict some data from being processed by the WAE located in my datacenter. Outside the redirect-list command, how do I prevent data from being processed by the WAE?
    The IOS I am running is bootflash:cat4500-entservicesk9-mz.122-40.SG.bin and I run WCCPv2 on both the edge and the core appliances.
    Thanks

    Zach,
    Thanks for your timely response. Is it possible to use the service group approach to block subnets that I do not want the WAE device to process?
    On another note, if I have 2 frame relay subinterfaces. Where do I need to apply the "IP wccp 62 redirect in" command. Should I put them on only the physical interface (S0/0) or on both of the subinterfaces (S0/0.100 and S0/0.109)?
    Thanks

  • Wccp redirect V2

    Do all Cisco ISRs support WCCP redirect v2, including the 19xx and 29xx routers?
    Thanks,
    Eric

    Hello,
    1. "ip wccp web-cache redirect in"
    It would work if your Squid proxy has another default gateway to the Internet.
    Otherwise the traffic from the Squid is also redirected. You have to use different interfaces for users and Squid. On the Squid VLAN subinterface you should not configure WCCP.
    2. web-cache permits only HTTP. You must configure a dynamic WCCP service.
    Some example:
    in global:
    ip wccp 120 redirect-list 120
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
    access-list 120 deny   ip any any
    on interface:
    ip wccp 120 redirect in
    See link below for more information
    http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html#GUID-5E9AE273-1AFD-4598-9325-85F8C822D168
    Best regards

  • WCCP Redirection not happening on 3750

    I have a problem with WCCP redirection on a 3750 switch. hardware and IOS versions are listed as supporting WCCPv2. WAE configured at a core site and at the remote site. "ip wccp 62 redirect in" configured on the interfaces at each end connected to the WAN link. A WAE is directly connected to the WCCP switch at each end. Traffic is successfully being optimised when ssh to the remote site WAE itself (can see in sh tfo conn summ) but traffic coming from remote site clients does not appear to be getting redirected at the remote site. "ip wccp 61 redirect in" configured on vlan int didn't work and also have tried setting up the int as L3 and configured the same on physical int but still not redirecting. Looks like the traffic from the client IS being redirected at core site though, since we are seeing the traffic in "show tfo conn summ" on the core WAE but it is listed under pass through. Also getting PT no peer for this traffic. Nothing showing up from clients on the remote site WAE unfortunately.
    If anyone has some ideas on how to resolve this please advise.

    Thanks Zach,
    Double-checked my configs and found it was hash instead of mask. Now all working OK...
    Takes a little time to negotiate before the services become "usable", and even when you set it to hash it still comes up as usable, so that was a bit misleading. We were also using the wrong SDM template (which I noticed yesterday in the logging and fixed).
    Cheers for the quick responses.

  • ORA-24247: network access denied by access control list (ACL)error-UTL_HTTP

    I am getting the following ACL error while executing the following procedure:
    create or replace procedure sat_proc as
    http_req utl_http.req;
    http_resp utl_http.resp;
    BEGIN
    http_req := utl_http.begin_request('www.yahoo.com');
    http_resp := utl_http.get_response(http_req);
    utl_http.end_response(http_resp);
    END;
    /
    exec sat_proc;
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "TRANSDBA.SAT_PROC", line 5
    ORA-06512: at line 1
    I am able to execute successfully while executing the above code as an anonymous PL/SQL block:
    DECLARE
    http_req utl_http.req;
    http_resp utl_http.resp;
    BEGIN
    http_req := utl_http.begin_request('www.yahoo.com');
    http_resp := utl_http.get_response(http_req);
    utl_http.end_response(http_resp);
    END;
    /
    PL/SQL procedure successfully completed.
    Could you help me find out why I am getting the error while executing the same code in a procedure? Is there any privilege missing?

    GRANT EXECUTE ON SYS.UTL_HTTP TO <your_user>;
    SQL> set time on
    17:21:01 SQL> set role none;
    Role set.
    17:21:23 SQL> @utl_http.sql
    17:21:34 SQL> DECLARE
    17:21:34   2  http_req utl_http.req;
    17:21:34   3  http_resp utl_http.resp;
    17:21:34   4  BEGIN
    17:21:34   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:21:34   6  http_resp := utl_http.get_response(http_req);
    17:21:34   7  utl_http.end_response(http_resp);
    17:21:34   8  END;
    17:21:34   9  /
    PL/SQL procedure successfully completed.
    17:21:35 SQL> connect / as sysdba
    Connected.
    17:22:47 SQL> connect dbadmin/admindb
    Connected.
    17:23:06 SQL> @utl_http.sql
    17:23:22 SQL> DECLARE
    17:23:22   2  http_req utl_http.req;
    17:23:22   3  http_resp utl_http.resp;
    17:23:22   4  BEGIN
    17:23:22   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:23:22   6  http_resp := utl_http.get_response(http_req);
    17:23:22   7  utl_http.end_response(http_resp);
    17:23:22   8  END;
    17:23:22   9  /
    PL/SQL procedure successfully completed.
    17:23:23 SQL> set role none;
    Role set.
    17:23:29 SQL> @utl_http.sql
    17:23:31 SQL> DECLARE
    17:23:31   2  http_req utl_http.req;
    17:23:31   3  http_resp utl_http.resp;
    17:23:31   4  BEGIN
    17:23:31   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:23:31   6  http_resp := utl_http.get_response(http_req);
    17:23:31   7  utl_http.end_response(http_resp);
    17:23:31   8  END;
    17:23:31   9  /
    DECLARE
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at line 5
    17:23:31 SQL> above is from test user
    Below is from SYSDBA account
    SQL> set time on
    17:20:53 SQL> revoke execute on sys.utl_http to dbadmin;
    revoke execute on sys.utl_http to dbadmin
    ERROR at line 1:
    ORA-00905: missing keyword
    17:22:03 SQL> revoke execute on sys.utl_http from dbadmin;
    revoke execute on sys.utl_http from dbadmin
    ERROR at line 1:
    ORA-04020: deadlock detected while trying to lock object
    ACLiLZU+w09hR7gQAB/AQAjcw==
    17:22:32 SQL> /
    Revoke succeeded.
    17:22:52 SQL> Edited by: sb92075 on Jun 10, 2010 5:24 PM

  • HR User, REST example - network access denied by access control list (ACL)

    Hi,
    I am new to APEX and am running the 'Oracle Developer Days' VM. I'm logged into APEX as the default HR/oracle account and I've been following the 'Creating and Using a RESTful Web Service in Application Express 4.2' training video; however, when I try to retrieve information by entering a dept no. and clicking submit I get:
    ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1130 ORA-24247: network access denied by access control list (ACL)
    I've seen the following thread:
    ORA-24247: network access denied by access control list (ACL)error-UTL_HTTP
    and I've tried running the command:
    GRANT EXECUTE ON SYS.UTL_HTTP TO HR;
    but I'm not getting anywhere; presumably the HR user does not have permissions to access 'http://localhost:8888/apex/hr/employee_test'.
    Any help much appreciated, also if this is the wrong forum for this question please let me know.
    Many Thanks

    Hi,
    Thank you for the link; I executed the first block of code to 'grant connect privileges to any host for the APEX_040200 database user' that did not work so I changed the user to HR within the code and re-executed and that seems to have done the trick. I guess the HR user is now in the power_users list/group?
    Thanks again!
