How to pick up WCCP redirect out interface

Unanswered Question
Jan 6th, 2009

There are two 6500 core switches and firewall modules in our network environment. We use the same ISP for internal (between branches) and internet connections. All internet traffic goes through the same firewall module in our data center. We also use the same L2 switch (for internal and internet) to uplink to our ISP. To use WCCP, we have to pick an interface as the redirect interface. We know that the 'ip wccp web-cache redirect out' command must be implemented on the outbound interface going to the Internet. But how do we choose the outbound interface in our environment? How about the port connected to the L2 switch? But it carries both internal and internet traffic. Could you give me some advice? Thanks a lot!

We use a third-party proxy server. It is a Blue Coat solution. It also supports WCCP.

dstolt Tue, 01/06/2009 - 08:51

The L2 switch is out as WCCP requires L3 functionality to be enabled to work.

You have 2 different solutions to use on the CAT6K depending on if you want to redirect before or after the firewall inspects the traffic. To exclude your internal traffic, I would consider using a wccp redirect-list (ACL) to exclude interception of your addresses that are internal and only intercept your internet bound traffic.

1. Inbound on your LAN interfaces, using wccp-redirect list to exclude the local traffic. This would be before your firewall inspects the traffic.

2. Using outbound on the ISP link, again excluding your internal traffic. This would be after your firewall inspects the traffic.

If you could separate your ISP and internal traffic, that would be optimal, however, from what you describe, I think using the wccp redirect-list is your best bet.

Hope that gives you a starting place.

HWangLoyalty_2 Tue, 01/06/2009 - 11:03

Thanks for your suggestion. We know that neither the L2 switch nor the firewall supports WCCP. We have to begin from our core switch.

I will pick option 1 as our solution because we use the web cache with only internet traffic. We could also use "redirect-list" to exclude the internal traffic.

I suppose that Vlan 100 is the interface connected to our firewall as the inside interface. Would I set up the following command on that Vlan 100 interface:

ip wccp web-cache redirect out

Is it correct? thanks again!

dstolt Wed, 01/07/2009 - 07:48

If you are on the LAN interface of the switch, I would use "ip wccp web-cache redirect in", not out. You want to cache the requests coming "in" to the interface from the users, not going "out" after hitting the remote web server.

Hope that helps,
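
The approach discussed in this thread (option 1: redirect inbound on the LAN interface, with a redirect-list that excludes internal traffic), as an added configuration sketch that is not part of the original posts. The 10.0.0.0/8 internal range, the ACL name WCCP-REDIRECT and the Vlan10 user-facing interface are assumptions for illustration.

```cisco
! Constructed example: 10.0.0.0/8 stands in for the internal (branch) address space.
ip access-list extended WCCP-REDIRECT
 ! Web traffic whose destination is internal is not intercepted
 deny   tcp any 10.0.0.0 0.255.255.255 eq www
 ! Remaining TCP/80 traffic from internal clients is redirected to the proxy
 permit tcp 10.0.0.0 0.255.255.255 any eq www
!
! Enable the web-cache service and restrict interception to the ACL above
ip wccp web-cache redirect-list WCCP-REDIRECT
!
! Hypothetical user-facing LAN SVI: intercept requests as they arrive from clients
interface Vlan10
 ip wccp web-cache redirect in
```

Anything the ACL denies is forwarded normally rather than dropped, so internal web traffic bypasses the proxy while internet-bound requests are still inspected by the firewall afterwards.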


