WCCP GRE Redirection multiple hops
When using GRE redirection and negotiated return, is it possible to place the WAEs on a segment that is not directly attached to the routers? I have seen some documentation state, "It allows the WCCP clients to be separate from the router via multiple hops. With WAAS, the WAEs need to be connected directly to a tertiary or sub-interface of the router." This has left me a little confused, but it seems like it is possible with new code. If it is possible, is there any possibility of looping occurring? I assume there isn't, since the packets are tunneled to and from the routers, which would bypass the inspection. This would also allow me to take advantage of WAAS over a high-speed/low-latency link to a datacenter that does not physically have WAEs deployed.
Any input is much appreciated,
Patrick
Patrick,
You are correct, the WAE with negotiated return can be multiple L3 hops away from the router (back in your DC). However, for performance it is of course recommended to be as close as possible. With the return traffic using GRE, the traffic is not being re-intercepted.
Thanks,
Dan
Similar Messages
-
Hello,
I am trying to redirect packets to a Blue Coat ProxySG using WCCP on a 3750X stack with IP Services.
I can't get the packets to redirect.
The Blue Coat device is on the same VLAN as the client traffic that I am trying to redirect.
It seems that when I apply the redirect on the VLAN interface, the Blue Coat can see the traffic though.
(After it is applied, I can no longer access the websites, but the Blue Coat device shows some activity.)
SDM prefer is enabled.
Here is the config:
SiteA#sh run
Building configuration...
Current configuration : 7699 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SiteA
boot-start-marker
boot-end-marker
enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip wccp 90 redirect-list 115 group-list 15
vtp mode transparent
track 1 ip sla 1 reachability
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
ip ssh version 2
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.20.2 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/0/2
no switchport
ip address 192.168.20.9 255.255.255.252
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/0/1
description *BlueCoat Proxy*
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
no ip address
interface Vlan10
ip address 10.10.20.3 255.255.255.0
standby 10 ip 10.10.20.1
standby 10 priority 110
standby 10 preempt
ip wccp 90 redirect in
router eigrp 1
network 10.10.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.3
redistribute static
ip local policy route-map IP_SLA_SiteA
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.20.9
threshold 300
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging esm config
access-list 15 permit 10.10.20.220
access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
route-map IP_SLA_SiteA permit 10
match ip address 101
set ip next-hop 192.168.20.10
SiteA#
SiteA#show ip wccp 90
Global WCCP information:
Router information:
Router Identifier: 192.168.20.9
Protocol Version: 2.0
Service Identifier: 90
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 115
Total Packets Denied Redirect: 52389
Total Packets Unassigned: 71
Group access-list: 15
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
SiteA#show ip wccp 90 detail
WCCP Client information:
WCCP Client ID: 10.10.20.220
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:19:36
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x00000000 0x0000003F 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0001: 0x00000000 0x00000001 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0002: 0x00000000 0x00000002 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0003: 0x00000000 0x00000003 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0004: 0x00000000 0x00000004 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0005: 0x00000000 0x00000005 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0006: 0x00000000 0x00000006 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0007: 0x00000000 0x00000007 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0008: 0x00000000 0x00000008 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0009: 0x00000000 0x00000009 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0010: 0x00000000 0x0000000A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0011: 0x00000000 0x0000000B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0012: 0x00000000 0x0000000C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0013: 0x00000000 0x0000000D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0014: 0x00000000 0x0000000E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0015: 0x00000000 0x0000000F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0016: 0x00000000 0x00000010 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0017: 0x00000000 0x00000011 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0018: 0x00000000 0x00000012 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0019: 0x00000000 0x00000013 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0020: 0x00000000 0x00000014 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0021: 0x00000000 0x00000015 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0022: 0x00000000 0x00000016 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0023: 0x00000000 0x00000017 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0024: 0x00000000 0x00000018 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0025: 0x00000000 0x00000019 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0026: 0x00000000 0x0000001A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0027: 0x00000000 0x0000001B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0028: 0x00000000 0x0000001C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0029: 0x00000000 0x0000001D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0030: 0x00000000 0x0000001E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0031: 0x00000000 0x0000001F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0032: 0x00000000 0x00000020 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0033: 0x00000000 0x00000021 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0034: 0x00000000 0x00000022 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0035: 0x00000000 0x00000023 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0036: 0x00000000 0x00000024 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0037: 0x00000000 0x00000025 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0038: 0x00000000 0x00000026 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0039: 0x00000000 0x00000027 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0040: 0x00000000 0x00000028 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0041: 0x00000000 0x00000029 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0042: 0x00000000 0x0000002A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0043: 0x00000000 0x0000002B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0044: 0x00000000 0x0000002C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0045: 0x00000000 0x0000002D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0046: 0x00000000 0x0000002E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0047: 0x00000000 0x0000002F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0048: 0x00000000 0x00000030 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0049: 0x00000000 0x00000031 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0050: 0x00000000 0x00000032 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0051: 0x00000000 0x00000033 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0052: 0x00000000 0x00000034 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0053: 0x00000000 0x00000035 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0054: 0x00000000 0x00000036 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0055: 0x00000000 0x00000037 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0056: 0x00000000 0x00000038 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0057: 0x00000000 0x00000039 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0058: 0x00000000 0x0000003A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0059: 0x00000000 0x0000003B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0060: 0x00000000 0x0000003C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0061: 0x00000000 0x0000003D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0062: 0x00000000 0x0000003E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0063: 0x00000000 0x0000003F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
SiteA#
SiteA#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
SiteA#
Hi Jon,
There are no more throughput issues.
Everything is working well. Thanks so much!
As for the WCCP,
I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
I'm not sure what you meant when you said:
Then you simply use site1 or site2's devices for web traffic.
Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
Right now it is pointing to 10.20.20.1 on the 3750_3.
Below is what I have so far on the 3750_3.
I tried to force the traffic via PBR to the Blue Coat device, but that didn't seem to work either.
UserSite(config)#do sh run
Building configuration...
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname UserSite
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
vlan 20
name clients
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
interface GigabitEthernet1/0/47
description *CERTES-MGMT-MAIN*
switchport access vlan 20
switchport mode access
interface GigabitEthernet1/0/48
description *MAN-LINE-TO-DC-MAIN*
no switchport
ip address 192.168.20.1 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface GigabitEthernet2/0/47
description *CERTES-MGMT-DR*
switchport access vlan 20
switchport mode access
interface GigabitEthernet2/0/48
description *MAN-LINE-TO-DC-DR*
no switchport
ip address 192.168.20.5 255.255.255.252
speed 100
duplex full
interface GigabitEthernet2/1/1
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
ip address 192.168.10.254 255.255.255.0
interface Vlan20
ip address 10.20.20.1 255.255.255.0
ip helper-address 10.10.20.30
router eigrp 1
network 10.20.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.7
offset-list 10 in 100 GigabitEthernet2/0/48
eigrp stub connected summary
ip local policy route-map PBR_Proxy
ip classless
ip http server
ip http secure-server
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 eq www any
permit tcp 10.20.20.0 0.0.0.255 eq 443 any
ip sla enable reaction-alerts
route-map PBR_Proxy permit 10
match ip address Traffic2Proxy
set ip next-hop 192.168.50.220
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
end
-
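The 3750X thread above shows the two things the switch checks before a packet reaches the ProxySG: the redirect-list (access-list 115) and the mask assignment printed by `show ip wccp 90 detail`. The following is an added example, not code from the post, that re-creates both decisions in Python for a handful of constructed flows. The ACL entries and the mask/value table are transcribed from the thread; the flows at the bottom are made up.

```python
"""Added example for the 3750X / ProxySG thread above (not from the post).

It re-creates two decisions the switch makes for a packet arriving on an
interface with 'ip wccp 90 redirect in':
  1. does redirect-list 115 permit the flow?
  2. which WCCP client does the mask assignment from
     'show ip wccp 90 detail' hand it to?
The flows at the bottom are constructed test input.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Transcription of access-list 115 from the thread: (source prefix, dst port).
# Wildcard 0.0.0.255 becomes /24.  Everything not listed is implicitly denied.
REDIRECT_LIST = [
    ("10.20.20.0/24", 80),
    ("10.20.20.0/24", 443),
    ("10.10.20.0/24", 443),
    ("10.10.20.0/24", 80),
    ("192.168.20.0/24", 80),
    ("192.168.20.0/24", 443),
]


def redirect_list_permits(flow: Flow) -> bool:
    """Return True if the redirect-list would hand this flow to WCCP."""
    if flow.proto != "tcp":          # every ACE is 'permit tcp'
        return False
    src = ipaddress.ip_address(flow.src)
    return any(src in ipaddress.ip_network(net) and flow.dport == port
               for net, port in REDIRECT_LIST)


# Mask assignment as printed by 'show ip wccp 90 detail': one mask element
# covering only the low six bits of DstAddr, and 64 value elements that all
# point at the single client 10.10.20.220.
MASK = dict(src=0x00000000, dst=0x0000003F, sport=0x0000, dport=0x0000)
VALUES = [dict(src=0, dst=i, sport=0, dport=0, ce="10.10.20.220")
          for i in range(64)]


def assigned_client(flow: Flow) -> Optional[str]:
    """AND each field of the 4-tuple with its mask and look up the value table.

    This is the WCCPv2 mask-assignment rule.  With one client every bucket
    resolves to the same address; with several clients the low bits of the
    destination address decide which one gets the flow.
    """
    masked = dict(
        src=int(ipaddress.ip_address(flow.src)) & MASK["src"],
        dst=int(ipaddress.ip_address(flow.dst)) & MASK["dst"],
        sport=flow.sport & MASK["sport"],
        dport=flow.dport & MASK["dport"],
    )
    for v in VALUES:
        if all(masked[k] == v[k] for k in ("src", "dst", "sport", "dport")):
            return v["ce"]
    return None                      # no bucket: packet is forwarded normally


def decide(flow: Flow) -> tuple:
    """(redirected?, client) for one flow, in the order the switch evaluates it."""
    if not redirect_list_permits(flow):
        return (False, None)         # counted under 'Total Packets Denied Redirect'
    ce = assigned_client(flow)
    return (ce is not None, ce)


if __name__ == "__main__":
    # Constructed flows, not captured traffic.
    user_web = Flow("10.20.20.50", "93.184.216.34", "tcp", 51000, 80)
    user_dns = Flow("10.20.20.50", "8.8.8.8", "udp", 51001, 53)
    proxy_out = Flow("10.10.20.220", "93.184.216.34", "tcp", 40000, 80)
    for f in (user_web, user_dns, proxy_out):
        print(f.src, "->", f.dst, f.dport, decide(f))
```

Two things worth noticing when running it. A flow from the 10.20.20.0/24 user VLAN is permitted by the list, but on SiteA the redirect statement is only applied inbound on Vlan10, so traffic that arrives on the routed uplink ports never reaches this check at all. And the list as transcribed also permits the proxy's own source address 10.10.20.220, since it sits inside 10.10.20.0/24; a `deny tcp host 10.10.20.220 any` ahead of the permits is the conservative way to keep the proxy's outbound connections out of the service group.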
Egress wccp software redirection limit
I am forced to redirect egress packets on my 6500 to a Websence gateway.
I know that egress wccp is software switched. has anyone load tested the limits of egress wccp on Sup720?
I need to know how much redirected traffic will push the CPU to 70%, 80%, 100%.
Below is a list of best practices to follow when doing WCCP redirection on hardware-based platforms like the 3750. I found this in the link below.
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200806.html
The following best practices should be followed for implementing WCCP on a hardware-based platform:
L2 Forwarding
Mask Assignment
Inbound Interception
No "ip wccp redirect exclude in"
Your configuration of "egress-method negotiated-return intercept-method wccp" will call for a WCCP GRE tunnel to be created from the 3750 to the WAE. All traffic will then be software redirected based on this line of configuration.
"Set negotiated-return as the egress method. With this specification, the Cisco WAE will use GRE to return redirected traffic to the intercepting router. Note: In this case, WCCP negotiated WCCP GRE as the return method."
Found here: https://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/prod_white_paper0900aecd806d976a_ps6474_Products_White_Paper.html
I would stick to the best practices that Zach has outlined in the link at the beginning of this post. It is a very well written article on WCCP redirection.
Regards
-
WAAS - WCCP L2-redirection in WS-C6509-E
Hi,
I have a customer with three offices, one of which is the data center. The other two offices get information from the data center and from each other.
Each of these remote offices goes through two different SPs to the data center, and each one terminates on its own router. The core of the data center is a WS-C6509-E switch (IOS s72033-entservicesk9_wan-vz.122-18.SXF7.bin).
Because there are two different SPs in the data center, the traffic redirection must be done in the C6500 switch. I think that the following configuration is the correct one:
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Vlan1
description *** WAN routers and users ***
ip address 10.0.16.1 255.255.240.0
ip wccp 62 redirect out
ip wccp 61 redirect in
interface Vlan 200
description *** WAEs ***
ip address 10.34.114.65 255.255.255.252
ip wccp redirect exclude in
interface Vlan201
description *** Servers and Users 1 ***
ip address 10.15.240.1 255.255.240.0
ip wccp 61 redirect in
interface Vlan202
description *** Servers and Users 2 ***
ip address 10.16.128.1 255.255.240.0
ip wccp 61 redirect in
But now I have read about the problems with using GRE redirection on the C6500 switch. I also read that the best way to do this is to use L2 redirection, but I have no idea how to do this. I am using WAAS version 4.1.1.
Can anybody help me by explaining how to configure that?
Dan,
I think that the best option for this network is number one, use WCCP on the two 7206VXRs, and redirect the traffic to a single WAE in the same subnet of the hosts.
But now I don't understand the implications of using the command "egress-method negotiated-return intercept-method wccp". What else should I consider or configure (on the router or on the WAE) to make this interception work?
I think that the configuration on the routers and in the WAE should be something like this:
--- Router 1
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Serial3/3:1
ip address 10.34.113.213 255.255.255.252
ip wccp 61 redirect in
ip wccp 62 redirect in
interface GigabitEthernet0/1
ip address 10.0.16.2 255.255.240.0
ip wccp redirect exclude in
--- Router 2
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Serial3/3:1
ip address 10.134.143.217 255.255.255.252
ip wccp 61 redirect in
ip wccp 62 redirect in
interface GigabitEthernet0/1
ip address 10.0.16.3 255.255.240.0
ip wccp redirect exclude in
--- WAE
interface GigabitEthernet 1/0
ip address 10.0.16.4 255.255.255.0
exit
egress-method negotiated-return intercept-method wccp
wccp router-list 1 10.0.16.2 10.0.16.3
wccp tcp-promiscuous router-list-num 1
Thanks and Regards,
Pablo
-
WCCP GRE between ProxySg & 6509 ?
Hello,
I want to run WCCP GRE between a Blue Coat ProxySG and a 6509, but I don't understand if it is possible with GRE (best practices: "Cisco Catalyst 6500 WCCP GRE return is handled in software"; Blue Coat doc: "Typically, GRE forwarding is supported on software-based switching platforms such as the Cisco 800, 1800, 2800, 3800, 7200, and 7500").
Currently it does not work with a Windows 7 client and IE7 and HTTP in VLAN 62 (wccp 1 redirect in).
Packets are bypassed (Total Bypassed Packets Received: 281) but there are exchanges between the ProxySG and the 6509. Where is the problem? GRE?
Thank you for your help !
Currently :
Cisco 6509 :
6509#show ip wccp 1
Global WCCP information:
Router information:
Router Identifier: 10.42.11.61
Protocol Version: 2.0
Service Identifier: 1
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 110
Process: 0
CEF: 110
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 36
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 281
6509#show ip wccp 1 view
WCCP Routers Informed of:
10.42.11.61
WCCP Clients Visible:
10.193.118.30
WCCP Clients NOT Visible:
-none-
ip wccp 1 redirect-list 100
Extended IP access list 100
10 permit ip any any (110 matches)
20 permit tcp any any eq www
30 permit tcp any any eq 443
40 permit tcp any any eq 8080
interface Vlan62
description EvoLAN_data
ip address 10.194.62.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip wccp 1 redirect in
ip pim sparse-mode
end
ProxySG
WCCP : v2
Forwarding/Return : Generic Gre
Assignment type : Mask
Home IP Router : 10.42.11.61 (Loopback 6509)
Hi,
Please look at the following document.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtwccpbc.html#wp1018512
I see that the Bypass counter is incrementing in the given output.
WCCP Bypass Packets
Web Cache Communication Protocol (WCCP) intercepts IP packets and redirects those packets to a destination other than the destination that is specified in the IP header. Typically the packets are redirected from a web server on the Internet to a web cache that is local to the destination.
Occasionally a web cache decides that it cannot deal with the redirected packets appropriately and returns the packets unchanged to the originating router. These packets are called "bypass packets" and are returned to the originating router encapsulated in generic routing encapsulation (GRE). The router decapsulates and forwards the packets normally.
Troubleshooting Tips
Problems have been encountered because CPU usage is very high when WCCP is enabled. The counters enable a determination of the bypass traffic directly on the router and can indicate whether or not this is the cause. In some situations, 10 percent bypass traffic may be normal; in other situations, it may be high. However, any figure above 25 percent should prompt a closer investigation of what is occurring in the web cache.
If the counters suggest that the level of bypass traffic is high, the next step is to examine the bypass counters in the web cache and determine why the web cache is choosing to bypass the traffic. You can log in to the web-cache console and use the command line interface (CLI) to investigate further. The counters allow you to determine the percent of traffic being bypassed.
see if the above doc helps.
regards,
Ajay Kumar
-
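The reply above points at the bypass counters as the first thing to read when a WCCP client is handing traffic back to the router. As an added example (not part of the post or of any Cisco tool), the script below parses the counter section of `show ip wccp <service>` and applies the 25% rule of thumb from the quoted IOS document. The embedded output is the 6509 output posted earlier in the thread; the choice of "redirected packets" as the denominator for the percentage is an assumption made here, since the document does not spell one out.

```python
"""Added example for the bypass-counter discussion above (not from the post).

Parses the global section of 'show ip wccp <service>' and reports how much
of the redirected traffic the client has handed back as GRE bypass packets,
using the 25% threshold from the IOS documentation quoted in the reply.
SAMPLE_OUTPUT is the 6509 output posted in the thread; the numbers are
counters since the last clear, not a rate, so clear and re-sample for a trend.
"""
import re
from typing import Dict

SAMPLE_OUTPUT = """\
Global WCCP information:
Router information:
Router Identifier: 10.42.11.61
Protocol Version: 2.0
Service Identifier: 1
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 110
Process: 0
CEF: 110
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 36
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 281
"""

COUNTERS = {
    "redirected": r"Total Packets s/w Redirected:\s+(\d+)",
    "denied": r"Total Packets Denied Redirect:\s+(\d+)",
    "unassigned": r"Total Packets Unassigned:\s+(\d+)",
    # Wording differs between IOS trains: 'Total Bypassed Packets Received'
    # on the 6509 here, 'Total GRE Bypassed Packets Received' on the 3750X
    # earlier on this page.
    "bypassed": r"Total (?:GRE )?Bypassed Packets Received:\s+(\d+)",
}

BYPASS_WARN_PERCENT = 25.0   # threshold quoted from the IOS doc in the reply


def parse_wccp_counters(text: str) -> Dict[str, int]:
    """Pull the packet counters out of 'show ip wccp' output."""
    found = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter not found: {name}")
        found[name] = int(m.group(1))
    return found


def bypass_percent(counters: Dict[str, int]) -> float:
    """Bypassed packets as a percentage of packets the router redirected.

    The doc says 'percent of traffic being bypassed' without fixing the
    denominator; using the redirected count is an assumption made here.
    """
    if counters["redirected"] == 0:
        return 0.0 if counters["bypassed"] == 0 else float("inf")
    return 100.0 * counters["bypassed"] / counters["redirected"]


def assess(text: str) -> Dict[str, object]:
    """Counters plus the bypass percentage and whether it crosses the threshold."""
    c = parse_wccp_counters(text)
    pct = bypass_percent(c)
    return {**c, "bypass_percent": pct, "investigate": pct > BYPASS_WARN_PERCENT}


if __name__ == "__main__":
    r = assess(SAMPLE_OUTPUT)
    print(f"redirected={r['redirected']} bypassed={r['bypassed']} "
          f"bypass={r['bypass_percent']:.0f}% investigate={r['investigate']}")
```

On the posted output the client returned more packets than the router redirected, which is well past the threshold; the next step, as the reply says, is the client's own bypass counters and logs, because the router only knows that the packets came back, not why.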
Hello everyone
First time writing in the support community. So exciting!
I am trying to have a transparent WSA (7.5) with a CAT6509 SXF7 WCCP. Between them there is a firewall/router, so I built the WCCP with GRE/L3.
so far so good. WCCP GRE tunnel is there.
However cannot surf the internet.
After much troubleshooting (wireshark mainly) I believe I know where the problem is.
Client want to surf the Internet (http)
Client sends a SYN request to the IP of the website (after resolving DNS)
CAT6500 tunnels the request with GRE to WSA
WSA receives the request and sends the SYN packet to the web page.
Webpage sends a SYN ACK to WSA (no spoofing)
PROBLEM: WSA then sends the SYN ACK without GRE to the client, which in turn does not go through the FW.
Client does not receive SYN ACK, sends another SYN and then another until he gives up.
Question: How can I force the WSA to return traffic through the GRE tunnel.
I already chose the return method "allow GRE only" under WCCPv2 Service.
So I look forward to receiving some help.
Hi,
Yes, it will work.
Regards,
Erik
Sent from Cisco Technical Support iPad App
-
WCCP L2-redirection feature support
Hello,
I've read that the l2-redirect feature is only supported on the Cat6500 and the 7600 router. Nevertheless, if I use the Feature Navigator tool I'm able to find IOS versions that supposedly support the l2-redirect feature for the 3745 or the 7204 router.
Using one of those IOS images and configuring WCCP with l2 redirection I still see, in the output of the show wccp services detail command, the GRE tunnel as the negotiated forwarding method.
Can I really use l2-redirect with the 3745 or the 7204?
Thanks in advance.
Ricardo
From what I have read, you can use the L2 redirection feature on platforms based on a Supervisor Engine and MSFC.
Take a look at this document for details.
http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801c1db5.shtml
-
WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection
I've come across a number of implementations where the ACLs associated with services 61 & 62 are extended access-lists. I am writing with specific reference to WCCP configured in promiscuous mode.
Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP, is there really a need for extended ACLs for redirection? Furthermore, in a simple implementation you do not need separate ACLs linked to 61 & 62, I don't think.
Standard ACLs go through the filtering process more quickly than extended ones.
thanks
Ajaz
The extended access-lists are used because some TCP traffic does not need to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for every application and need to be excluded from redirection. Apart from that, standard access-lists can be used.
-
Hi,
I have an Ironport set up with my 6500 through WCCP.
It seems to be working ok, but I have a question.
Right now, I'm only redirecting a specific VLAN (let's say 40).
I can filter the traffic OK, but I'm seeing that it's also redirecting inter-VLAN traffic (from VLAN 100 to 40, for example).
Is there a way to exclude this traffic?
Thanks in advance for any help.
This is the access-list I'm using.
Each line corresponds to a different VLAN.
Extended IP access list IRONPORT
10 permit tcp 10.180.4.0 0.0.0.255 any (8 matches)
20 permit tcp 10.180.2.0 0.0.1.255 any (3 matches)
30 permit tcp 10.180.1.0 0.0.0.255 any
40 permit tcp 10.180.11.0 0.0.0.255 any
50 permit tcp 10.180.5.0 0.0.0.255 any
60 permit tcp 10.180.6.0 0.0.0.255 any
70 permit tcp 10.180.7.0 0.0.0.255 any
80 permit tcp 10.180.8.0 0.0.0.255 any
90 permit tcp 10.180.9.0 0.0.0.255 any
Then I have a "ip wccp redirect in" in each VLAN I want to inspect traffic.
Is it best to just have this line on the interface connected to the router that leaves our LAN?
We have a MPLS network from our provider, that connects to remote sites.
Can I exclude these sites from inspection with "deny" commands on the access-list?
-
WCCP not redirecting users traffic from other subnets
Hello,
I have configured WCCP redirection on ASA for redirecting transparently http and https traffic.
I have configured a service ID 90 that contains 80 and 443 port. The ironport S160 has two interfaces, one for management and the other for data.
The interface used for data is on a different subnet than the inside interface of the ASA where WCCP is configured.
The problem is that the traffic of users that are in the same subnet as the IronPort data interface gets redirected, while the traffic of the other users, who are not in the same subnet as the IronPort data interface, is not processed correctly by the IronPort, and these users do not have internet access.
Any idea ?
BR,
Ilir
Ilir,
How is this second group of users connected to the ASA? Their outbound traffic has to be going out the "inside" interface also. If they are on another port on the ASA, WCCP won't catch their traffic. i.e. You can't use the DMZ interface on an ASA and point its web traffic at a WSA that lives inside.
Ken
-
Howto use Service Discovery Gateway with multiple hops?
Hi,
Does anybody know when multiple-hop support will be implemented in SDG?
Hi Brian, thank you for using our forum. My name is Luis, I am part of the Small Business Support community. What happens when you try to reach one of these web sites? Did you create an ACL in order to gain access to these web sites? In this case I think that will help you gain access to them.
I hope you find this answer useful
Greetings,
Luis Arias.
Cisco Network Support Engineer.
-
Tracert Same IP in multiple hops
Hello all,
Can you please help me understand why I am getting the same IP repeated in the trace route:
tracert 103.1.191.10
Tracing route to 103.1.191.10 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.10.10.10
2 <1 ms <1 ms <1 ms 10.10.10.120
3 <1 ms <1 ms <1 ms 19.20.146.241
4 1 ms <1 ms <1 ms 38.100.34.8
5 193 ms 3 ms 207 ms 66.250.10.1
6 1 ms 1 ms 1 ms 15.54.30.225
7 7 ms 7 ms 7 ms 15.54.42.30
8 8 ms 8 ms 8 ms 15.54.47.30
9 8 ms 7 ms 7 ms 66.28.4.229
10 8 ms 8 ms 8 ms 15.24.2.22
11 8 ms 8 ms 8 ms 38.104.73.198
12 226 ms 226 ms 226 ms 19.227.108.133
13 279 ms 281 ms 279 ms 14.30.1.42
14 274 ms 275 ms 278 ms 10.10.18.243
15 275 ms 275 ms 274 ms 10.10.18.243
16 277 ms 276 ms 274 ms 10.10.18.243
17 275 ms 275 ms 275 ms 10.10.18.243
18 275 ms 296 ms 275 ms 10.10.18.243
19 275 ms 275 ms 276 ms 10.10.18.243
20 275 ms 275 ms 275 ms 10.10.18.243
21 276 ms 275 ms 275 ms 10.10.18.243
22 276 ms 275 ms 275 ms 10.10.18.243
23 275 ms 275 ms 275 ms 10.10.18.243
24 275 ms 275 ms 276 ms 10.10.18.243
25 276 ms 276 ms 276 ms 10.10.18.243
26 276 ms 276 ms 276 ms 10.10.18.243
27 277 ms 276 ms 276 ms 10.10.18.243
28 277 ms 276 ms 276 ms 10.10.18.243
29 279 ms 299 ms 276 ms 10.10.18.243
30 276 ms 276 ms 277 ms 10.10.18.243
Trace complete.
Thanks in advance
Jagdev
You're welcome,
If it is a Cisco ASA or PIX, the global policy needs to be modified to accommodate traceroute. Cisco has an article on how to do so here.
Other vendors would need a similar remedy applied.
Please rate helpful responses.
-
Redirecting Multiple IMAP and POP Accounts to iCloud?
My ultimate goal is be able to sync all of my mail between my desktop and laptop Macs (both on Yosemite). I have 8 email accounts — a few IMAPs, but mostly POPs. I have thousands and thousands of emails saved in Apple Mail mailboxes. Rather than converting each account individually to IMAP, can I redirect all of them to iCloud? And, if so, can I then maintain all of those accounts and all of those mailboxes, without countless hours of work?
Excellent and helpful answer, Roger. Thank you very much. That opened my eyes to a couple of things.
I've been dragging my feet (for a year or two) on doing this, in part because I feel more confident in storing my massive email history locally than somewhere that I can't see. It's just old-school thinking. I do have my Apple Calendar and Contacts now in iCloud, so an old dog can learn new tricks. Still, I back them up locally, maybe once a week, plus I have Time Machine going all the time. And I back up my Mail and Mail Downloads folders, both for safekeeping, as well as to bring my laptop momentarily up-to-date with my desktop Apple Mail.
So, if I were to store my entire Apple Mail life in iCloud, with all of my individual email accounts actually living there (not just pointed there, as I was considering), is there an easy and fast way to keep a local backup? (Zipping and backing up the Mail and Mail Downloads folders literally takes something like four hours.) Or would Time Machine also be backing up what's in the cloud, too, without any effort?
And now to your other eye-opening point about replying. If I actually convert all of my accounts to IMAP and sync all of those accounts with iCloud, would I then be able to send and receive emails as I do now, through my other servers, and using my various email addresses and signatures? By the way, my primary server is Comcast, if that makes any difference.
-
Switch to WSA WCCP transparent redirection
Hello all,
The transparent redirection term first implied to me that the client would be totally unaware of the presence of a WSA proxy; however, I deployed the following setup and found that the client is receiving an HTTP proxy-redirect message (code 307) with the source IP of the final destination server, but it tells the client to request HTTP from the WSA. Redirection mode is L2 forwarding.
Here is the Setup:
Server
|
client----L3 Switch----WSA
My understanding of transparent redirection in this setup is:
- client sends HTTP GET request to the server
- the switch intercepts the GET and redirect it to the WSA
- the WSA sends the request to the server with source IP of the WSA
- the server replies to the WSA
- the WSA replies to the client (not sure if the source will be spoofed as server IP or WSA)
However, my findings were different... again the HTTP redirect arrives at the client with the WSA URL.
Please advise,
Thanks in advance.
The HTTP 307 redirect is likely coming because you are using authentication. The way the WSA performs NTLM authentication is to redirect the browser to access the WSA directly, so that NTLM authentication can happen. Once authenticated, another 307 will redirect it back to the original website.
If you are looking for a 100% transparent deployment, you may want to consider deploying the Cisco Context Directory Agent so that the WSA can ask the agent which user is logged onto that IP (instead of doing the NTLM authentication).
The term Transparent really just means the browser does not have a proxy setting.
-
Router IOS requirements to work with WAAS WCCP?
Can some help me with up to date switch and router IOS requirements to work with WAAS WCCP configuration? There used to be a Cisco document explaining that but I can't find it any more.
Here is our WAAS 4.2.3 deployment in the network:
Data center: Cat6500 Sup720-3B running IOS 12.2(18)SXF12a will do WCCP L2 redirection. I've seen minimum Sup720 IOS requirement of 12.2(18)SXF13 in one place and 12.2(18)SXF16 in another, but there are also examples of using 12.2 (18) SXF5. Which one is the latest Cisco recommendation?
Remote sites: 3825 and 3845 routers (some are running 12.4 T train and some are in 12.4 main line) will do WCCP GRE redirection to WAE's. One of the routers will use a WAE-NME-522 module. Others are WAE applicances. Again, what are the latest Cisco recommendations?
Another question: for an IOS release, does it matter which package to use, such as advanced IP services, enterprise services, or SP services?
Thanks a lot.
Here you go.
http://www.cisco.com/en/US/partner/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
For IOS release, you will need a package that has WCCP support.
Hope this helps.
Regards.
PS: Please mark this as Answered, if this answers your question.