
3750 WCCP support in conjunction with McAfee Web Gateway 6 - problems!

bgfl-tech
Level 1

Hi,

I'm trying to configure WCCP support on a 3750 running IOS 12.2.53.SE2 IP Services in conjunction with a McAfee Web Gateway proxy (formerly a Secure Computing Webwasher) but not getting very far.

As WCCP-vrf support is not yet available on a 6509 I'm looking to integrate the functionality into the network with the minimum of disruption and topology changes.

My plan is to place a 3750G running WCCP in between a trunk link between two 6509s effectively as a bump in the wire, the single vlan on the trunk representing the default route traffic takes towards the Internet if an end device is not configured to use an explicit proxy.

The 3750 and McAfee Web Gateway are on the same vlan / subnet with my test PC on a different vlan within the same vrf.

The 3750 reports that it can see the WCCP client (the Web Gateway) but I don't see any redirections.

The config on the 3750 is very basic - just 'ip wccp 51' globally and 'ip wccp 51 redirect in' on the SVI vlan interface (service 51 is the default WCCP service on the Web Gateway). I've also changed the SDM template to 'routing' and 'IP routing' is not enabled.

Below is the output of various 'sh ip wccp' commands and I've attached a screenshot of the McAfee Web Gateway config page. Can anyone point me in the direction of where I'm going wrong?

thanks in advance

Matthew

Switch#sh ip wccp 51 detail
WCCP Client information:
        WCCP Client ID:          172.16.224.100
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             L2
        Packet Return:           GRE
        Packets Redirected:    0
        Connect Time:          00:01:59
        Assignment:            MASK


Switch#sh ip wccp interfaces counts
WCCP interface counts:
    Vlan609
        Output packets redirected
            Process: 0
            CEF:     0
        Input packets redirected
            Process: 0
            CEF:     0


Switch#sh ip wccp interfaces detail
WCCP interface configuration details:
    Vlan609
        Output services: 0
        Input services:  1
        Static:          None
        Dynamic:         051
        Mcast services:  0
        Exclude In:      FALSE

Switch#sh ip wccp 51 view
    WCCP Routers Informed of:
        172.16.224.2

    WCCP Clients Visible:
        172.16.224.100

    WCCP Clients NOT Visible:
        -none-


8 Replies

Edison Ortiz
Hall of Fame

The 3750 and McAfee Web Gateway are on the same vlan / subnet with my test PC on a different vlan within the same vrf.

I haven't seen any implementation of WCCP without IP routing enabled.

The 'wccp in' command must be placed on the SVI facing the client so packets can be re-directed as they hit the switch.

Also, the test PC must have the 3750 as the default gateway.

You need to treat WCCP the same way you would treat PBR. Packets entering the switch will be redirected if it matches a clause.

In your case, it's matching 'web' traffic or whatever traffic is included on service 51.

Regards,

Edison

Thanks for the reply. Is there a way to implement WCCP on a device where the clients aren't directly connected, i.e. not using the 3750 as the default gateway?

To give a bit more context I'm actually looking to provide a transparent proxy solution to wireless clients being tunneled through a WiSM to a guest WLC. The user vlan(s) will actually be created on the local vrf-enabled 6509 (which is why VRF-aware WCCP would be perfect if it were supported on a 6509). I had hoped to insert the device providing WCCP services in line to the flow of traffic as it is routed towards the Internet.

I did have a nice PBR solution in place using the 'set ip vrf xxx next-hop' command in a route-map that matched http and https traffic; the next hop being the virtual cluster address of two Web Gateway proxies. Unfortunately the proxy cluster was active-passive with the virtual IP being basically a HSRP/VRRP address and for capacity reasons I need an active-active proxy solution. Hence, my interest in WCCP being able to load-balance between two WCCP client proxies.

Could PBR be applicable here? Would setting the next hop for http/https traffic to the (SVI) IP of the 3750 running WCCP work?

thanks in advance

Matthew

Thanks for the reply. Is there a way to implement WCCP on a device where
the clients aren't directly connected, i.e. not using the 3750 as the
default gateway?

I'm afraid not. If the traffic is not being pushed towards this switch, how is the switch going to redirect?

Could PBR be applicable here? Would setting the next hop for http/https traffic to the (SVI) IP of the 3750 running WCCP work?

In theory, it should work. I recommend testing before deploying.

I'm happy to report that using PBR did work. The user vlan was created on the 6509 with WCCP running on a directly connected 3750 (with a single link into the proxy vlan). The user vlan and WCCP / proxy vlans were different but in the same vrf. Using the 'set ip vrf xxx next-hop' command within a route-map I set the next hop as the SVI IP of the 3750 and WCCP just worked!


The only thing I've noticed is that the 'sh ip wccp interfaces counts' counters are not incrementing and neither is the 'Packets Redirected' counter under the 'sh ip wccp 51 detail' command? I'm just assuming that they are supposed to be incremental and don't represent realtime values when the command was issued?

Perhaps the WCCP is not doing the redirection but simply PBR is doing the whole thing?

Like I said, a WCCP design requires routing to be enabled on the switch and the incoming packets directed to the SVI with WCCP in.

Did you enable routing on the 3750?

Sorry, I should have mentioned - after your previous post I enabled IP routing. It's definitely the WCCP doing its thing as it stops working when I take WCCP off the SVI 'no ip wccp 51 redirect in'. I understand what you were saying now in that WCCP won't work if traffic is just passing through a device running WCCP (even if 'ip wccp xx redirect in' is configured on its only SVI) but rather the traffic has to be specifically directed at the SVI of the device running WCCP.

Any ideas on the counters?

Those are software counters. WCCP is done in hardware on the 3750 platform. I know it's hard to prove that it is working without counters but you've found the differences with and without WCCP so it's definitely working. Glad I was able to help.

Regards,

Edison

Ah, I see. Thanks very much for your help.

Kind regards

Matthew
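
The working design described in this thread, written out as a configuration sketch. This is an added example, not configuration posted by either participant. Assumptions: the 3750's Vlan609 SVI holds 172.16.224.2 (the address shown under "WCCP Routers Informed of") with a /24 mask; the VRF name xxx is the thread's own placeholder; the user VLAN number, ACL name and route-map name are hypothetical.

```ios
! ---- 3750: WCCP router, same VLAN/subnet as the Web Gateway ----
! 'sdm prefer routing' takes effect after a reload.
sdm prefer routing
! IP routing must be enabled for WCCP redirection to work.
ip routing
! Service 51 is the Web Gateway's default WCCP service.
ip wccp 51
!
! Assumed SVI address and mask (see lead-in).
interface Vlan609
 ip address 172.16.224.2 255.255.255.0
 ip wccp 51 redirect in
!
! ---- 6509: VRF-enabled gateway for the user VLAN ----
! Match only the web traffic that should reach the proxy
! (hypothetical ACL name).
ip access-list extended WEB-TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Steer matched traffic at the 3750's SVI so that it enters the
! interface carrying 'ip wccp 51 redirect in' (hypothetical
! route-map name).
route-map TO-WCCP permit 10
 match ip address WEB-TRAFFIC
 set ip vrf xxx next-hop 172.16.224.2
!
! <USER-VLAN> is a placeholder for the user VLAN's SVI.
interface Vlan<USER-VLAN>
 ip vrf forwarding xxx
 ip policy route-map TO-WCCP
```

As reported in the thread, the 'sh ip wccp' redirect counters stay at 0 with this setup; redirection was confirmed by removing 'ip wccp 51 redirect in' from the SVI and seeing the proxying stop.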
