Switch to WSA WCCP transparent redirection

Hello all,
The transparent redirection term first implied to me that the client will be totally unaware of the presence of a WSA proxy; however, I deployed the following setup and found that the client is receiving an HTTP proxy-redirect message (code 307) with the source IP of the final destination server, but it tells the client to request HTTP from the WSA. Redirection mode is L2 forwarding.
Here is the Setup:
           Server
              |
client----L3 Switch----WSA
My understanding of transparent redirection in this setup is:
- client sends HTTP GET request to the server
- the switch intercepts the GET and redirects it to the WSA
- the WSA sends the request to the server with source IP of the WSA
- the server replies to the WSA
- the WSA replies to the client (not sure if the source will be spoofed as server IP or WSA)
However, my findings were different... again http-redirect arrives at the client with WSA URL
Please advise,
thanks in advance.

The HTTP 307 redirect is likely coming because you are using authentication.  The way the WSA performs NTLM authentication is to redirect the browser to access the WSA directly, so that NTLM authentication can happen.  Once authenticated, another 307 will redirect it back to the original website.
If you are looking for a 100% transparent deployment, you may want to consider deploying the Cisco Context Directory Agent so that the WSA can ask the agent which user is logged onto that IP (instead of doing the NTLM authentication).
The term Transparent really just means the browser does not have a proxy setting.

Similar Messages

  • WCCP not redirecting packets

    Hello,
    I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
    I can't get the packets to redirect.
    The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
    It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
    (After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
    SDM prefer is enabled.
    Here is the config:
    SiteA#sh run
    Building configuration...
    Current configuration : 7699 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SiteA
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
    username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
    no aaa new-model
    switch 1 provision ws-c3750x-24
    switch 2 provision ws-c3750x-24
    system mtu routing 1500
    ip routing
    ip wccp 90 redirect-list 115 group-list 15
    vtp mode transparent
    track 1 ip sla 1 reachability
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 10
    ip ssh version 2
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface FastEthernet0
    no ip address
    no ip route-cache cef
    no ip route-cache
    interface GigabitEthernet1/0/1
    no switchport
    ip address 192.168.20.2 255.255.255.252
    speed 100
    duplex full
    interface GigabitEthernet1/0/2
    no switchport
    ip address 192.168.20.9 255.255.255.252
    interface GigabitEthernet1/0/3
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet1/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet2/0/1
    description *BlueCoat Proxy*
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet2/0/2
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet2/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet2/1/2
    interface GigabitEthernet2/1/3
    interface GigabitEthernet2/1/4
    interface TenGigabitEthernet2/1/1
    interface TenGigabitEthernet2/1/2
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 10.10.20.3 255.255.255.0
    standby 10 ip 10.10.20.1
    standby 10 priority 110
    standby 10 preempt
    ip wccp 90 redirect in
    router eigrp 1
    network 10.10.20.0 0.0.0.255
    network 192.168.10.0
    network 192.168.20.0 0.0.0.3
    redistribute static
    ip local policy route-map IP_SLA_SiteA
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
    ip sla 1
    icmp-echo 4.2.2.2 source-ip 192.168.20.9
    threshold 300
    frequency 15
    ip sla schedule 1 life forever start-time now
    ip sla enable reaction-alerts
    logging esm config
    access-list 15 permit 10.10.20.220
    access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
    access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
    access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
    access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
    access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
    access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
    access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
    route-map IP_SLA_SiteA permit 10
    match ip address 101
    set ip next-hop 192.168.20.10
    SiteA#
    SiteA#show ip wccp 90
    Global WCCP information:
        Router information:
            Router Identifier:                   192.168.20.9
            Protocol Version:                    2.0
        Service Identifier: 90
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Redirect access-list:                115
            Total Packets Denied Redirect:       52389
            Total Packets Unassigned:            71
            Group access-list:                   15
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
    SiteA#show ip wccp 90 detail
    WCCP Client information:
            WCCP Client ID:          10.10.20.220
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           GRE
            Packets Redirected:    0
            Connect Time:          00:19:36
            Assignment:            MASK
            Mask  SrcAddr    DstAddr    SrcPort DstPort
            0000: 0x00000000 0x0000003F 0x0000  0x0000
    SiteA#
    SiteA#sh sdm prefer
    The current template is "desktop routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  3K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    11K
        number of directly-connected IPv4 hosts:        3K
        number of indirect IPv4 routes:                 8K
      number of IPv4 policy based routing aces:         0.5K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 1K
    SiteA#

    Hi Jon,
    There are no more throughput issues.
    Everything is working well. Thanks so much!
    As for the WCCP,
    I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
    I'm not sure what you meant when you said:
    Then you simply use site1 or site2's devices for web traffic.
    Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
    Right now it is pointing to 10.20.20.1 on the 3750_3.
    Below is what I have so far on the 3750_3.
    I tried to force the traffic via PBR to the BlueCoat device, but that didn't seem to work either.
    UserSite(config)#do sh run
    Building configuration...
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname UserSite
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c3750x-48p
    switch 2 provision ws-c3750x-48p
    system mtu routing 1500
    ip routing
    vtp mode transparent
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 10
    vlan 20
    name clients
    interface FastEthernet0
    no ip address
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    interface GigabitEthernet1/0/47
    description *CERTES-MGMT-MAIN*
    switchport access vlan 20
    switchport mode access
    interface GigabitEthernet1/0/48
    description *MAN-LINE-TO-DC-MAIN*
    no switchport
    ip address 192.168.20.1 255.255.255.252
    speed 100
    duplex full
    interface GigabitEthernet1/1/1
    interface GigabitEthernet1/1/2
    interface GigabitEthernet1/1/3
    interface GigabitEthernet1/1/4
    interface TenGigabitEthernet1/1/1
    interface TenGigabitEthernet1/1/2
    interface GigabitEthernet2/0/47
    description *CERTES-MGMT-DR*
    switchport access vlan 20
    switchport mode access
    interface GigabitEthernet2/0/48
    description *MAN-LINE-TO-DC-DR*
    no switchport
    ip address 192.168.20.5 255.255.255.252
    speed 100
    duplex full
    interface GigabitEthernet2/1/1
    interface GigabitEthernet2/1/2
    interface GigabitEthernet2/1/3
    interface GigabitEthernet2/1/4
    interface TenGigabitEthernet2/1/1
    interface TenGigabitEthernet2/1/2
    interface Vlan1
    ip address 192.168.10.254 255.255.255.0
    interface Vlan20
    ip address 10.20.20.1 255.255.255.0
    ip helper-address 10.10.20.30
    router eigrp 1
    network 10.20.20.0 0.0.0.255
    network 192.168.10.0
    network 192.168.20.0 0.0.0.7
    offset-list 10 in 100 GigabitEthernet2/0/48
    eigrp stub connected summary
    ip local policy route-map PBR_Proxy
    ip classless
    ip http server
    ip http secure-server
    ip access-list extended Traffic2Proxy
    permit tcp 10.20.20.0 0.0.0.255 eq www any
    permit tcp 10.20.20.0 0.0.0.255 eq 443 any
    ip sla enable reaction-alerts
    route-map PBR_Proxy permit 10
    match ip address Traffic2Proxy
    set ip next-hop 192.168.50.220
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    login local
    line vty 0 4
    exec-timeout 30 0
    privilege level 15
    logging synchronous
    login local
    length 0
    transport input telnet ssh
    line vty 5 15
    exec-timeout 30 0
    privilege level 15
    logging synchronous
    login local
    transport input telnet ssh
    end
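
Added example, not part of the original posts: in an IOS extended ACL, `eq PORT` written after the source address matches the source port, so the `Traffic2Proxy` entries as posted match traffic coming from port 80/443 rather than a client's outbound request, while the ACL 115 entries from the first post match the destination port. The evaluator below handles only `tcp` entries with `any`, `host`, wildcard masks and `eq`; the client address, ephemeral port and server address are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80}  # IOS keyword used in the ACLs on this page


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    src: Tuple[int, int]       # (address, wildcard) as integers
    src_port: Optional[int]    # None means any source port
    dst: Tuple[int, int]
    dst_port: Optional[int]    # None means any destination port


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    wildcard = tokens.pop(0)
    return (int(ipaddress.IPv4Address(head)),
            int(ipaddress.IPv4Address(wildcard)))


def _take_port(tokens):
    """Consume an optional 'eq PORT'; it binds to the address just parsed."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto != "tcp":
        raise ValueError("this sketch only handles tcp entries")
    src = _take_addr(tokens)
    src_port = _take_port(tokens)   # position decides: source port
    dst = _take_addr(tokens)
    dst_port = _take_port(tokens)   # position decides: destination port
    return Ace(action, src, src_port, dst, dst_port)


def _ip_match(ip, spec):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if (_ip_match(src_ip, ace.src) and _ip_match(dst_ip, ace.dst)
                and ace.src_port in (None, src_port)
                and ace.dst_port in (None, dst_port)):
            return ace.action
    return "deny"


# Entries copied from the two configurations posted above.
TRAFFIC2PROXY = [parse_ace(l) for l in (
    "permit tcp 10.20.20.0 0.0.0.255 eq www any",
    "permit tcp 10.20.20.0 0.0.0.255 eq 443 any",
)]
ACL_115 = [parse_ace(l) for l in (
    "permit tcp 10.20.20.0 0.0.0.255 any eq www",
    "permit tcp 10.20.20.0 0.0.0.255 any eq 443",
)]

# Constructed flow: a user in VLAN 20 fetching a page from an outside server.
CLIENT_REQUEST = ("10.20.20.57", 51514, "203.0.113.10", 80)
# Constructed flow: traffic leaving port 80 of a host in the same subnet.
FROM_PORT_80 = ("10.20.20.57", 80, "203.0.113.10", 51514)

if __name__ == "__main__":
    for name, acl in (("Traffic2Proxy", TRAFFIC2PROXY), ("115", ACL_115)):
        print(name, "client request:", evaluate(acl, *CLIENT_REQUEST))
        print(name, "from port 80  :", evaluate(acl, *FROM_PORT_80))
```
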

  • WAAS - WCCP L2-redirection in WS-C6509-E

    Hi,
    I have a customer with three offices, one is the data center. The other two offices get information from the data center and between them.
    Each one of these remote offices goes through two different SP to the data center, and each one is received in its own router. The core of the data center is a switch WS-C6509-E (IOS s72033-entservicesk9_wan-vz.122-18.SXF7.bin).
    Because there are two different SP in the data center, the traffic redirection must be done in the switch c6500. I think that the following configuration is the correct one:
    ip wccp version 2
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 101
    interface Vlan1
    description *** WAN routers and users ***
    ip address 10.0.16.1 255.255.240.0
    ip wccp 62 redirect out
    ip wccp 61 redirect in
    interface Vlan 200
    description *** WAEs ***
    ip address 10.34.114.65 255.255.255.252
    ip wccp redirect exclude in
    interface Vlan201
    description *** Servers and Users 1 ***
    ip address 10.15.240.1 255.255.240.0
    ip wccp 61 redirect in
    interface Vlan202
    description *** Servers and Users 2 ***
    ip address 10.16.128.1 255.255.240.0
    ip wccp 61 redirect in
    But now I read about the problems using GRE redirection in the switch c6500. I read too that the best way to do this is using L2-redirection, but I don't have any idea of how to do this. I am using the WAAS version 4.1.1.
    Can anybody help me by explaining the way to configure that?

    Dan,
    I think that the best option for this network is number one, use WCCP on the two 7206VXRs, and redirect the traffic to a single WAE in the same subnet of the hosts.
    But now, I don't understand the implications of using the command “egress-method negotiated-return intercept-method wccp”. What else should I consider or configure (in the router or in the WAE) to make this interception work?
    I think that the configuration on the routers and in the WAE should be something like this:
    --- Router 1
    ip wccp version 2
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 101
    interface Serial3/3:1
    ip address 10.34.113.213 255.255.255.252
    ip wccp 61 redirect in
    ip wccp 62 redirect in
    interface GigabitEthernet0/1
    ip address 10.0.16.2 255.255.240.0
    ip wccp redirect exclude in
    --- Router 2
    ip wccp version 2
    ip wccp 61 redirect-list 101
    ip wccp 62 redirect-list 101
    interface Serial3/3:1
    ip address 10.134.143.217 255.255.255.252
    ip wccp 61 redirect in
    ip wccp 62 redirect in
    interface GigabitEthernet0/1
    ip address 10.0.16.3 255.255.240.0
    ip wccp redirect exclude in
    --- WAE
    interface GigabitEthernet 1/0
    ip address 10.0.16.4 255.255.255.0
    exit
    egress-method negotiated-return intercept-method wccp
    wccp router-list 1 10.0.16.2 10.0.16.3
    wccp tcp-promiscuous router-list-num 1
    Thanks and Regards,
    Pablo

  • Egress wccp software redirection limit

    I am forced to redirect egress packets on my 6500 to a Websense gateway.
    I know that egress wccp is software switched. Has anyone load tested the limits of egress wccp on Sup720?
    I need to know how much redirected traffic will push the CPU to 70%, 80%, 100%.

    Below is a list of best practices to follow when doing wccp redirection on hardware based platforms like the 3750.  I have found this in the link below.
    http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200806.html
    The following best practices should be followed for implementing WCCP on a hardware-based platform:
    L2 Forwarding
    Mask Assignment
    Inbound Interception
    No "ip wccp redirect exclude in"
    Your configuration of "egress-method negotiated-return intercept-method wccp" will call for a WCCP GRE tunnel to be created from the 3750 to the WAE.  All traffic will then be software redirected based on this line of configuration.
    "Set negotiated-return as the egress method. With this specification, the Cisco WAE will use GRE to return redirected traffic to the intercepting router. Note: In this case, WCCP negotiated WCCP GRE as the return method."
    Found here:  https://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/prod_white_paper0900aecd806d976a_ps6474_Products_White_Paper.html
    I would stick to the best practices that Zach has outlined in the link at the beginning of this post.  It is a very well written article on WCCP redirection.
    Regards

  • WCCP not redirecting users traffic from other subnets

    Hello,
    I have configured WCCP redirection on ASA for redirecting transparently http and https traffic.
    I have configured a service ID 90 that contains 80 and 443 port. The ironport S160 has two interfaces, one for management and the other for data.
    The interface used for data is on a different subnet than the inside interface of the ASA where WCCP is configured.
    The problem is that the users that are in the same subnet with ironport data interface, their traffic gets redirected, while the traffic of the other users that are not in the same subnet with ironport data interface is not processed correctly from ironport and these users do not have internet access.
    Any idea?
    BR,
    Ilir

    Ilir,
    How is this second group of users connected to the ASA?  Their outbound traffic has to be going out the "inside" interface also. If they are on another port on the ASA, WCCP won't catch their traffic. i.e. You can't use the DMZ interface on an ASA and point its web traffic at a WSA that lives inside.
    Ken

  • WCCP GRE Redirection multiple hops

    When using GRE redirection and negotiated return, is it possible to place the WAEs on a segment that is not directly attached to the routers? I have seen some documentation state, "It allows the WCCP clients to be separate from the router via multiple hops. With WAAS, the WAEs need to be connected directly to a tertiary or sub-interface of the router." This has left me a little confused, but seems like it is possible with new code. If it is possible, is there any possibility of looping occurring? I assume there isn't since the packets are tunneled to and from the routers which would bypass the inspection. This would also allow me to take advantage of WAAS over a high-speed/low latency link to a datacenter that does not physically have WAEs deployed.
    Any input is much appreciated,
    Patrick

    Patrick,
    You are correct, the WAE with negotiated return can be multiple L3 hops away from the router (back in your DC). However for performance, of course it's recommended to be as close as possible. With the return traffic using GRE, the traffic is not being re-intercepted.
    Thanks,
    Dan

  • WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection

    I've come across a number of implementations where the ACLs associated with services 61 & 62 are using extended access-lists. I am writing with specific reference to wccp configured in promiscuous mode.
    Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP - then is there really a need for extended acls for redirection? Furthermore, in a simple implementation you do not need separate acls linked to 61 & 62 - I don't think so.
    Standard acls parse the filtration process more quickly than extended.
    thanks
    Ajaz

    The extended access-lists are used because some TCP traffic does not need to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that, standard access-lists can be used.

  • WCCP L2-redirection feature support

    Hello,
    I've read that the l2-redirect feature is only supported on the Cat6500 and the 7600 router. Nevertheless, if I use the feature navigator tool I’m able to find IOS versions that supposedly support the l2-redirect feature for the 3745 or the 7204 router.
    Using one of those IOS images and configuring WCCP with l2 redirection I still see, in the output of the show wccp services detail command, the GRE tunnel as the negotiated forwarding method.
    Can I really use l2-redirect with the 3745 or the 7204?
    Thanks in advance.
    Ricardo

    From what I have read, you can use the L2 redirection feature on platforms based on Supervisor Engine and MSFC.
    Take a look at this document for details.
    http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801c1db5.shtml

  • WCCP Vlan redirection

    Hi,
    I have an Ironport set up with my 6500 through WCCP.
    It seems to be working ok, but I have a question.
    Right now, I'm only redirecting a specific VLAN (let's say 40).
    I can filter the traffic ok, but I'm seeing that it's also redirecting traffic inter vlan (from VLAN 100 to 40, for example).
    Is there a way to exclude this traffic?
    Thanks in advance for any help.

    This is the access-list I'm using.
    Each line corresponds to a different VLAN.
    Extended IP access list IRONPORT
        10 permit tcp 10.180.4.0 0.0.0.255 any (8 matches)
        20 permit tcp 10.180.2.0 0.0.1.255 any (3 matches)
        30 permit tcp 10.180.1.0 0.0.0.255 any
        40 permit tcp 10.180.11.0 0.0.0.255 any
        50 permit tcp 10.180.5.0 0.0.0.255 any
        60 permit tcp 10.180.6.0 0.0.0.255 any
        70 permit tcp 10.180.7.0 0.0.0.255 any
        80 permit tcp 10.180.8.0 0.0.0.255 any
        90 permit tcp 10.180.9.0 0.0.0.255 any
    Then I have a "ip wccp redirect in" in each VLAN I want to inspect traffic.
    Is it best to just have this line on the interface connected to the router that leaves our LAN?
    We have a MPLS network from our provider, that connects to remote sites.
    Can I exclude these sites from inspection with "deny" commands on the access-list?

  • X-Fi Xtreme Music mode switching and troubles with channels redirection

    Good Day.
    I have bought a X-Fi sound card and now I have troubles with my speaker system. I have analog stereo system and headphones, I connect them using my amplifier. All cables are connected properly.
    When I use entertainment mode there are no problems with speaker system if 2.0/2.1 is set. But if I set headphones, channels become redirected: left becomes right and right becomes left.
    When I use game mode channels are redirected both in 2.0/2.1 and headphones modes.
    If I connect my headphones to sound card directly there are no problems except in entertainment mode 2.0/2.1, when channels are redirected.
    Please help me to resolve the problem.
    Thank you.

    Don't care. I have found the way. Now all clear.

  • WAAS - wccp L2 setup

    Hi all,
    Please see the attached diag for our waas setup. The traffic is not optimized and shows as pass-through in one end and no stats are shown in other end.
    4500 switch config:
    ip wccp 61 redirect-list wccp_list password xxxx
    ip wccp 62 redirect-list wccp_list password xxxx
    Interface Gi1/1
    ip address 10.1.46.1 255.255.255.252
    ip wccp 62 redirect in
    interface vlan 170
    ip address 10.46.170.10 255.255.255.0
    ip wccp 61 redirect in
    ip access-list extended wccp_list
    permit ip 10.46.170.0 0.0.0.255 any
    show commands:
    sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   10.46.1.1
            Protocol Version:                    2.0
        Service Identifier: 61
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets Redirected:            150487
              Process:                           0
              CEF:                               0
              Platform:                          150487
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                wccp_list
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       2
            Total GRE Bypassed Packets Received: 0
              Process:                           0
              CEF:                               0
              Platform:                          0
        Service Identifier: 62
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets Redirected:            232994
              Process:                           0
              CEF:                               0
              Platform:                          232994
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                wccp_list
            Total Packets Denied Redirect:       3685761
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
              Process:                           0
              CEF:                               0
              Platform:                          0
    3750x switch config:
    ip wccp 61 redirect-list wccp_list password xxxx
    ip wccp 62 redirect-list wccp_list password xxxx
    Interface Gi1/0/1
    ip address 10.1.46.2 255.255.255.252
    ip wccp 62 redirect in
    interface vlan 170
    ip address 10.45.170.10 255.255.255.0
    ip wccp 61 redirect in
    ip access-list extended wccp_list
    permit ip 10.45.170.0 0.0.0.255 any
    show commands:
    sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   10.45.1.1
            Protocol Version:                    2.0
        Service Identifier: 61
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        62
              Process:                           15
              CEF:                               47
            Redirect access-list:                wccp_list
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
        Service Identifier: 62
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Redirect access-list:                wccp_list
            Total Packets Denied Redirect:       795
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
    Traffic is shown as pass-through in 10.46.40.20 and there is no tcp connections shown in 10.45.40.20! Any inputs?
    Regards

    G'day Giovanni,
    The WAAS plugged into the 4500 shows PT no peer and the 3750X doesn't show anything at all.
    I checked the 3750X; it shows it is using desktop routing as the template.
    Below is the output from 3750 about wccp 61 detail:
    #sh ip wccp 61 detail
    WCCP Client information:
            WCCP Client ID:          10.45.40.20
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    62
            Connect Time:          3w1d
            Assignment:            MASK
    I can see the matches in the redirect list but nothing shows in the WAAS being optimized.
    Extended IP access list wccp_list
        10 permit tcp 10.45.170.0 0.0.0.255 any (76 matches)
        20 permit tcp any 10.45.170.0 0.0.0.255
    There is no firewall or bypass lists involved in this setup.
    regards
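
The counters in the `sh ip wccp` output quoted in this thread can be checked mechanically. The following is an added example, not part of the original posts: it parses a trimmed copy of that output and applies a few heuristics of its own (the function names and the checks are this example's assumptions).

```python
import re

# Trimmed from the "sh ip wccp" output quoted in the thread above.
SAMPLE = """\
Service Identifier: 61
    Number of Service Group Clients:     1
    Total Packets s/w Redirected:        62
    Total Packets Denied Redirect:       0
    Total Authentication failures:       0
Service Identifier: 62
    Number of Service Group Clients:     1
    Total Packets s/w Redirected:        0
    Total Packets Denied Redirect:       795
    Total Authentication failures:       0
"""

FIELDS = {
    "Number of Service Group Clients": "clients",
    "Total Packets s/w Redirected": "sw_redirected",
    "Total Packets Denied Redirect": "denied",
    "Total Authentication failures": "auth_failures",
}

def parse_show_ip_wccp(text):
    """Return {service_id: {counter: int}} for the counters named in FIELDS."""
    services, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        counter = re.match(r"\s*(.+?):\s+(\d+)\s*$", line)
        if header:
            current = services.setdefault(header.group(1), {})
        elif counter and current is not None and counter.group(1) in FIELDS:
            current[FIELDS[counter.group(1)]] = int(counter.group(2))
    return services

def triage(services):
    """Heuristic checks (this example's own, not vendor guidance)."""
    notes = []
    for sid, c in services.items():
        if c.get("clients", 0) == 0:
            notes.append((sid, "no appliance has joined the service group"))
        if c.get("auth_failures", 0):
            notes.append((sid, "WCCP password mismatch"))
        # s/w Redirected can stay 0 with hardware L2 redirection, so key on denied.
        if c.get("denied", 0) and not c.get("sw_redirected", 0):
            notes.append((sid, "redirect ACL denies everything this service sees"))
    return notes

if __name__ == "__main__":
    print(triage(parse_show_ip_wccp(SAMPLE)))
```

On the quoted output it flags service 62, where the redirect list denied 795 packets and none were redirected.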

  • WSA Load Balancing with WCCP

    Hi,
    We have 2 x WSA S670s that we wish to load balance across. The WSAs are running 7.5.1 and can only be in transparent mode. These are connected through WCCP to a pair of Nexus 7ks, running 6.1(3). We are seeing active/standby behaviour and we are expecting A/A. If we shut the port on the active WSA, the second WSA will begin proxying traffic. When we remove the shut command, the traffic will again go back to first WSA. Is this expected behaviour? We were expecting both WSA to handle traffic.
    Thanks

    This may be more of a Nexus question than a WSA question, but check this:    
         Go to Network>Transparent Redirection> Click on your Service Profile name
         Check "Load balance based on client address"
         Click on Advanced near the bottom.
         Set the Load-Balancing Select "Allow Mask Only" and try a custom mask of 0x1
    That should make it switch between WSAs based on whether the last bit in the client's IP is 1 or 0...
    There are some good comments in this thread:
    https://supportforums.cisco.com/thread/2109988
    Nexus wants "mask"
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/unicast/configuration/guide/wccp.html#wp1278718

  • Wccp with wsa

    Dears,
    I have 2 WSAs and I am planning to have redundancy. In case one of the WSAs fails, will the 6509 still forward traffic to the failed WSA?
    I want to know what a layer 4 switch actually does.
    below is the configuration
    access-list 10 permit host 10.1.1.1-----WSA-1
     access-list 10 permit host 10.1.1.2---WSA--2
    ip access-list extended protocols
    permit tcp any any eq 443
    permit tcp any any eq 20
    permit tcp any any eq 21
    permit tcp any any eq 80
    ip wccp version 2
    ip wccp 120 redirect-list protocol
    ip wccp web-cache group-list 10
    interface gigabitethernet2/1
    description wsa-1
    ip wccp 120 redirect in
    interface gigabitethernet2/2
    description wsa-2
    ip wccp 120 redirect in
    Thanks

    Don't worry about "layer 4", it doesn't affect you...
    I think you have the config wrong.
    I have some questions first...
    Is the firewall plugged into the 6509? If so, which port(s)?
    Which firewall do you have?  Is it redundant?

  • C3750 & WCCP redirection

    Hi all,
    I am trying to setup a web cache using a WAE-612 and a C3750 switch. The switch is configured with three interfaces:
    CLIENTS ----- VLAN 1 ----- SWITCH ----- GI1/0/1 routed ---- SERVER(s)
            WAE-ENGINE ---- VLAN2--|
    I have configured inbound redirection on vlan 1 and inbound redirection on gi1/0/1
    ip wccp web-cache redirect in
    I am using L2 redirect & L2 return & my state is "enabled":
    Switch#show ip wccp web-cache detail
    WCCP Client information:
            WCCP Client ID:          10.101.2.202
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    0
            Connect Time:          02:24:08
            Assignment:            MASK
    First, the "packets redirected" counter doesn't increment. Is this normal (maybe due to hardware redirection)?
    Second, I am seeing HTTP GET requests from my clients going to my WAE engine and I am also seeing the WAE engine sending them back to the switch (changed MAC address, L2 redirection).
    Third, my cache savings are 0%.
    Fourth, I don't see any traffic returning into the WAE engine. How can the WAE cache traffic if it never sees the server return traffic?
    Fifth, I have "spoof client ip" enabled on the WAE (I need this for security reasons, the web server verifies the source IP address).
    Now I am thinking it is logical that my cache savings are 0%. The web-cache service group redirects port 80 packets and the switch supports only the "inbound" direction. This means that the switch never redirects the ANSWER of the server, so how on earth can it ever "cache" the response?
    Am I correct or am I wrong? How to solve it?
    Should I use different WCCP service groups on the interfaces (for example: one based on source IP redirection, the other on destination IP redirection)?
    PS. I am running 12.2(44)SE6 on the switch and 5.5.9.B9 on the WAE
    regards,
    Geert

    Hi Geert,
    With L2 redirection, the 'packets redirected' counter won't increment since it's hardware redirection. You might want to
    check the WAE counter 'Transparent non-GRE packets received:' by running 'show wccp gre'.
    With wccp ip-spoofing enabled, requests will be sent to the web server with the client's IP address. So yes, you will need
    to configure WCCP to catch return traffic coming from the web server so that it is redirected to the WAE.
    To redirect return traffic you will need to configure a WCCP dynamic service group.
    By default the web-cache service will mask on the destination address. Since we need to make sure return traffic is sent to
    the same WAE as the forwarding traffic, we need to mask return traffic on the source IP address.
    This will configure service group 95, and it will mask on the source IP, which will be the web server's IP address:
    wccp service-number 95 mask src-ip-mask 0x1741 dst-ip-mask 0x0 
    wccp service-number 95 router-list-num 1 port-list-num 1 application cache l2-redirect mask-assign l2-return
    wccp version 2
    wccp spoof-client-ip enable
    You will then need to enable 'ip wccp 95 redirect in' on the WAN interface.
    Hope this helps,
    Best Regards,
    Rahul
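
Both the custom mask of 0x1 suggested in the WSA load-balancing thread and the `src-ip-mask 0x1741` used for service 95 above rely on the same mask lookup. The sketch below is an added example, not code from the posts or from Cisco; it assumes buckets are dealt round-robin to the engines and uses constructed addresses and hypothetical engine names.

```python
import ipaddress

def mask_values(mask):
    """All values that (address & mask) can take: 2**popcount(mask) buckets."""
    bits = [b for b in range(32) if (mask >> b) & 1]
    values = []
    for n in range(1 << len(bits)):
        values.append(sum(1 << b for i, b in enumerate(bits) if (n >> i) & 1))
    return values

def build_table(mask, engines):
    # Assumption of this example: buckets are dealt round-robin. In a real
    # deployment the appliances negotiate the value-to-engine assignment.
    return {v: engines[i % len(engines)] for i, v in enumerate(mask_values(mask))}

def engine_for(table, mask, ip):
    """Select an engine by ANDing the address with the mask and looking it up."""
    return table[int(ipaddress.ip_address(ip)) & mask]

def flow_engines(client, server, mask, engines, return_key):
    """Engines chosen for request and reply when the forward service masks the
    destination address and the return service masks `return_key` ('src'/'dst')."""
    table = build_table(mask, engines)
    forward = engine_for(table, mask, server)  # request: dst = server
    # reply: src = server, dst = client
    reply_addr = server if return_key == "src" else client
    return forward, engine_for(table, mask, reply_addr)

# Constructed addresses (documentation ranges) and hypothetical engine names.
CLIENT, SERVER = "192.0.2.21", "198.51.100.80"
ENGINES = ["engine-A", "engine-B"]

if __name__ == "__main__":
    # Mask 0x1 on the client address: even and odd clients alternate engines.
    t = build_table(0x1, ENGINES)
    print(engine_for(t, 0x1, "192.0.2.10"), engine_for(t, 0x1, "192.0.2.11"))
    # Mask 0x1741: a reply masked on src stays on the request's engine,
    # while a reply masked on dst can land on the other engine.
    print(flow_engines(CLIENT, SERVER, 0x1741, ENGINES, "src"))
    print(flow_engines(CLIENT, SERVER, 0x1741, ENGINES, "dst"))
```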

  • Wccp redirection for waas on same platform as wccp for websense?

    Just wondering if anyone knows if a Cisco router or switch can handle WCCP redirection enabled for both WAAS and some other web content filtering appliance using a different service group?
    Seems like the priority value would come into play determining which service group gets handled first?
    We currently do WCCP for WAAS on our 3945s.
    I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
    Thanks,
    Paul

    Hi Paul,
    Yes, it's technically possible to have WCCP redirection for several services even in those devices that don't support setting the priority. However, in this case, both WAAS and Websense need to redirect HTTP traffic, and that's what makes things complicated.
    Assuming you first want to send the traffic to Websense and then to WAAS, I would recommend doing the WAAS redirection only on the WAN link (with one service inbound and the other outbound). You can then configure web-cache redirection inbound on the client VLAN, and a service for the return traffic (I'm not sure if this is required for Websense) inbound on the interface where the WAE is connected (with a redirect-list to match only the return direction).
    Even if it's possible to have both redirections in the same device, I would strongly suggest that you either use different devices for the redirection or make them mutually exclusive (for example, not sending HTTP to WAAS) if possible. Otherwise, if you make a small mistake with the configuration, you can end up with a redirection loop.
    Regards
    Daniel
