How do you restrict src/dst IP addresses using inline mode

Unanswered Question
Nov 14th, 2008

I have an environment where I will be using inline on the remote side and WCCP in the hub. We have a known issue for a set of servers when they are redirected via WCCP. We're using ACLs on the routers to deny WCCP redirection for these servers. Now I have to bring up a WAE using inline mode. How do I accomplish denying these server IP addresses from getting WAAS'd on the inline device? Or do I need to, since I have it configured via ACLs at the hub site? TIA

dstolt Fri, 11/14/2008 - 11:57
User Badges:
  • Cisco Employee,

If you have it bypassed on the core with ACLs, then it will be in PT no peer on the edge, but it may still go through autodiscovery (adding TCP options to the SYN). Do you know what causes the problems with the servers, WCCP or the optimization?


I would add an application policy at the edges with the IP addresses in your ACL and set it to Passthrough. Unfortunately there is not a way to use an ACL on an inline card, but that is the next best thing.


Let me know if that works,

Dan

Michael Anderson Fri, 11/14/2008 - 12:25

I'm not sure what causes the problem. It's a TN5250 application using ports 23 and 80. It's on my list to figure it out, but for now we have ACL'd the servers from getting WCCP redirected. Like you said, the end goal would be to create an application policy. But I'm a little confused by your response. Are you saying you can create an App Policy using IP addresses with an inline card?

dstolt Fri, 11/14/2008 - 12:36
User Badges:
  • Cisco Employee,

Yes,


For the application policy, go into your all devices group (or wherever you are assigning the policies), Acceleration, Policy Definitions, and create a new Basic Application Policy. Then edit the Classifier, create new match conditions with the destination IP addresses of your server. Submit, change the Action to Passthrough and submit again. Make sure your edges pick up the policy and test it again. You should see those connections in PT from the CLI.


Hope that helps,

Dan
