cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1453
Views
0
Helpful
5
Replies

WCCP Commands for Transparent Proxy

Vinesh_ironport
Level 1
Level 1

Hello,

Can someone pls confirm on the WCCP commands below on cisco routers for transparent proxy on WSA?
Note that the router is connected to a switch and WSA P1 connected to that switch.
How can i then test the the WCCP config on cisco and WSA is correct and working?

interface [Interface carrying outgoing/incoming traffic]
ip web-cache redirect
CTRL Z
write mem


Thanks,
Vinesh

5 Replies 5

qsnow_ironport
Level 1
Level 1

Where are you attempting to apply the wccp? On the switch or on the router? What model switch and router are we talking about?

On a 6500 switch you will have something like this:

ip wccp web-cache group-address redirect-list accelerated

You then have an access list that controls what gets sent over to the WSA via wccp. For us we have multiple VLANs so our server vlan, for example, we do a deny on that vlan so it doesn't get redirected. At the end of the ACL, you obviously have your permit any any in there.

Hope this helps.

Vinesh_ironport
Level 1
Level 1

Hi,

It's a Cisco 7206 router.
It's for an ISP network and given that we don't have any test environment, we will need to test the WCCP config on production traffic itself.

Are you aware whether there are any limitations when enabling with WCCP with regards to the WSA?

Thanks,
Vinesh

qsnow_ironport
Level 1
Level 1

There's no limitations that i'm really aware of. From my understanding WCCP is the preferred method for connecting these devices now.

We did have an issue during our setup/installation where the IronPort device just wouldn't work with wccp. We kept getting failures and lockups. This actually turned out to be a bug in the IOS code on our Cisco switch we were running. Once we upgraded the code, the WCCP side of things worked fine. I would say this would definitely be the connection method you would want, especially if you are going into a test environment. Being able to put an access list on what traffic gets passed to the WSA and what doesn't will allow you to test the box (in production) before going into a FULL LIVE situation. Just add a 'permit ip host ' followed by a 'deny ip any any' to yoru WCCP ACL that points to the WSA. You can non-intrusively test 1 machine, get your rules and such setup and then modify the ACL once testing is complete to slowly (or fast) move into FULL Production.

Hope this helps.

Vinesh_ironport
Level 1
Level 1

Noted.thanks very for the points.

jowolfer
Level 1
Level 1

Here is some sample ACL in regards to WCCP:

ip wccp redirect-list 110 group-list 10

access-list 110 permit tcp host 192.168.1.200 any eq www
access-list 110 permit tcp host 192.168.1.201 any eq www
access-list 110 deny ip any any

access-list 10 permit 192.168.1.10
access-list 10 permit 192.168.1.11

192.168.1.200 and 192.168.1.201 would be clients you want to use WCCP.
192.168.1.10 and 192.168.1.10 would be the WSAs you want to use WCCP, assuming you had more then 1 and you wanted to limit which WSA is redirected to for testing.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: