WCCP Vlan redirection

Unanswered Question
May 10th, 2012

Hi,

I have an IronPort set up with my 6500 through WCCP.

It seems to be working ok, but I have a question.

Right now, I'm only redirecting a specific VLAN (let's say 40).

I can filter the traffic ok, but I'm seeing that it's also redirecting inter-VLAN traffic (from VLAN 100 to 40, for example).

Is there a way to exclude this traffic?

Thanks in advance for any help.

sfiebran Sat, 05/12/2012 - 08:39
User Badges:
  • Cisco Employee

Hi,

basically the router decides what to redirect. Within your access-list, for example, you can define what to redirect (and what not). Would you mind including your WCCP config parts?

-Stephan

Rui Taveira Tue, 05/15/2012 - 03:14

This is the access-list I'm using.

Each line corresponds to a different VLAN.

Extended IP access list IRONPORT
    10 permit tcp 10.180.4.0 0.0.0.255 any (8 matches)
    20 permit tcp 10.180.2.0 0.0.1.255 any (3 matches)
    30 permit tcp 10.180.1.0 0.0.0.255 any
    40 permit tcp 10.180.11.0 0.0.0.255 any
    50 permit tcp 10.180.5.0 0.0.0.255 any
    60 permit tcp 10.180.6.0 0.0.0.255 any
    70 permit tcp 10.180.7.0 0.0.0.255 any
    80 permit tcp 10.180.8.0 0.0.0.255 any
    90 permit tcp 10.180.9.0 0.0.0.255 any

Then I have an "ip wccp redirect in" on each VLAN where I want to inspect traffic.

Is it best to just have this line on the interface connected to the router that leaves our LAN?

We have an MPLS network from our provider that connects to remote sites.

Can I exclude these sites from inspection with "deny" commands on the access-list?

Ken Stieers Tue, 05/15/2012 - 04:17
User Badges:
  • Gold, 750 points or more

Yes, it would be best to put that on the port going to the router, though in that case, you want that traffic redirected on egress from the port, instead of ingress.

Yes, you can exclude traffic by using deny statements in the access list. In fact, if you move the redirect to the port, you'll want one to exclude traffic from the WSA from being redirected to itself.

Ken


sfiebran Tue, 05/15/2012 - 05:01
User Badges:
  • Cisco Employee

As the router is always the source for the redirection, I would suggest excluding the corresponding IP addresses from being redirected in the first place (access-list modified to deny the particular traffic).

Another way is to use the proxy bypass list, which takes advantage of the WCCPv2 protocol to return the SYN packet to the router to indicate that the entire session should be bypassed directly at the router afterwards (this is all implemented inside WCCP, so nothing further to configure). This solution is probably more convenient to maintain, but it creates a little overhead as the initial SYN packet has to go back and forth to the WSA proxy.

I would advise only using IP addresses on the Proxy Bypass list, as it will anyway only be used to build an IP access-list.

In your case you would have to exclude each of the other VLAN subnets to ensure they are routed directly.

-Stephan
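Putting Ken's and Stephan's answers together, this is what the redirect-list and a single egress redirect point on the 6500 could look like; it is an added example, not configuration from the thread or from Cisco. The WSA address 10.180.250.10 on Vlan250, the MPLS range 10.200.0.0/16, the uplink GigabitEthernet1/1 and the "web-cache" service group are all assumptions, and the deny lines work the same if you keep the original per-VLAN ingress redirect instead.

```cisco
! Added example (not from the thread). Assumed values: WSA at 10.180.250.10
! on Vlan250, MPLS remote sites in 10.200.0.0/16, WAN router via Gi1/1.
ip access-list extended IRONPORT
 remark -- traffic sourced by the WSA must never be redirected back to it
 deny   tcp host 10.180.250.10 any
 remark -- inter-VLAN traffic (both ends inside 10.180.0.0/16) stays routed
 deny   tcp 10.180.0.0 0.0.255.255 10.180.0.0 0.0.255.255
 remark -- MPLS remote sites (assumed range) are not sent to the proxy
 deny   tcp any 10.200.0.0 0.0.255.255
 remark -- original per-VLAN permits; denies above are evaluated first
 permit tcp 10.180.4.0 0.0.0.255 any
 permit tcp 10.180.2.0 0.0.1.255 any
 permit tcp 10.180.1.0 0.0.0.255 any
 permit tcp 10.180.11.0 0.0.0.255 any
 permit tcp 10.180.5.0 0.0.0.255 any
 permit tcp 10.180.6.0 0.0.0.255 any
 permit tcp 10.180.7.0 0.0.0.255 any
 permit tcp 10.180.8.0 0.0.0.255 any
 permit tcp 10.180.9.0 0.0.0.255 any
!
! Bind the list to the service group. "web-cache" is assumed; use the
! service ID configured on your WSA if it differs.
ip wccp web-cache redirect-list IRONPORT
!
! Interface facing the WSA: packets coming back from the proxy are never
! redirected again, independent of the ACL.
interface Vlan250
 description WSA (IronPort) segment
 ip wccp redirect exclude in
!
! One redirect point on the uplink toward the WAN router (egress),
! replacing the "redirect in" on every inspected VLAN interface.
interface GigabitEthernet1/1
 description Uplink to WAN/MPLS router
 ip wccp web-cache redirect out
```

Before moving the redirect off the VLAN interfaces, confirm that your platform and software release switch egress redirection ("redirect out") in hardware; afterwards, "show ip wccp web-cache detail" and the hit counters in "show ip access-lists IRONPORT" show whether the deny lines are catching the inter-VLAN and WSA flows as intended.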
