I'm running wccp between a Nexus 7K and a Bluecoat ProxySG. I've attached a Visio which shows an overview of how all the pieces fit together. I'll also describe it here:
For the purpose of discussing this issue, only two VLANs on the 7K matter. These are VLAN38, on which the firewall to the Internet is attached on the Inside and VLAN39, on which the web-cache engine (ProxySG) is attached. The relevant wccp configuration is below:
ip wccp 97 redirect-list Remote-WCCP
ip wccp 98 redirect-list FNB-WCCP
IP access list FNB-WCCP
10 deny ip 172.19.0.0/16 18.104.22.168/25
20 deny ip 172.19.0.0/16 22.214.171.124/25
30 deny ip 172.19.0.0/16 126.96.36.199/25
40 deny ip 172.19.0.0/16 188.8.131.52/28
50 deny ip 172.19.0.0/16 184.108.40.206/26
60 deny ip 172.19.0.0/16 220.127.116.11/28
70 deny ip 172.19.0.0/16 18.104.22.168/25
80 deny ip 172.19.0.0/16 192.168.0.0/16
90 permit tcp 172.19.30.96/32 any eq www
100 permit tcp 172.19.30.96/32 any eq 443
no ip redirects
ip address 172.19.38.3/24
ip ospf passive-interface
ip router ospf 100 area 0.0.0.0
ip wccp 98 redirect out
authentication text deed
description IP Inside Firewall
interface Vlan39
 description Bluecoat
 no shutdown
 no ip redirects
 ip address 172.19.39.3/24
 ip ospf passive-interface
 ip router ospf 100 area 0.0.0.0
 ip wccp redirect exclude in
 hsrp 39
  authentication text deed
  preempt
  priority 110
  ip 172.19.39.1
Two other pieces of information that I think are relevant are that the ProxySG was configured to use the HSRP virtual IP address of the SVI on the Nexus and that wccp is in L2 mode (not GRE).
So here's the problem. When the ProxySG receives traffic that is to be bypassed (policy NOT applied) it seems to send the traffic back to the Nexus but not via WCCP. In other words, the "Total Bypassed Packets Received" counter doesn't increment. The traffic comes back to the Nexus because the ProxySG sends the traffic on its way towards the Internet and since the Nexus is the default gateway for the ProxySG, that's where it goes. The problem is (at least this is what I think) that the Nexus then tries to send it back out. In the process it hits the wccp redirect ACL again and it goes back to the ProxySG. This loop is repeated over and over again. This is what I see when I do a packet capture on the port connected to the ProxySG. I think that I can get around this if I move the ProxySG to VLAN38 and change the default gw of the ProxySG to the firewall's address. I am wondering about this counter "Total Bypassed Packets Received". That counter seems to suggest that if the web-cache engine determines that the traffic is to bypass policy that it'd send it back to the wccp server for normal processing.
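As an added illustration (not part of the original post), a small Python model of the redirect decision the post describes: the posted FNB-WCCP list is evaluated for a client HTTP packet on its way out via Vlan38, then again when the ProxySG bypasses it and it comes back in on Vlan39. Assumptions: the client sits on Vlan30, the Internet destination 203.0.113.10 is constructed, and "redirect exclude in" on the ingress SVI takes precedence over "redirect out" on Vlan38.

```python
import ipaddress

# Redirect list FNB-WCCP copied from the post: (seq, action, proto, src, dst, dport).
# Entries whose mask leaves host bits set (e.g. 18.104.22.168/25) use strict=False.
FNB_WCCP = [
    (10, "deny", "ip", "172.19.0.0/16", "18.104.22.168/25", None),
    (20, "deny", "ip", "172.19.0.0/16", "22.214.171.124/25", None),
    (30, "deny", "ip", "172.19.0.0/16", "126.96.36.199/25", None),
    (40, "deny", "ip", "172.19.0.0/16", "188.8.131.52/28", None),
    (50, "deny", "ip", "172.19.0.0/16", "184.108.40.206/26", None),
    (60, "deny", "ip", "172.19.0.0/16", "220.127.116.11/28", None),
    (70, "deny", "ip", "172.19.0.0/16", "18.104.22.168/25", None),
    (80, "deny", "ip", "172.19.0.0/16", "192.168.0.0/16", None),
    (90, "permit", "tcp", "172.19.30.96/32", "0.0.0.0/0", 80),
    (100, "permit", "tcp", "172.19.30.96/32", "0.0.0.0/0", 443),
]

def acl_match(acl, proto, src, dst, dport):
    """Action of the first matching entry; an NX-OS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in ipaddress.ip_network(snet, strict=False):
            continue
        if d not in ipaddress.ip_network(dnet, strict=False):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def nexus_redirects(ingress_vlan, proto, src, dst, dport, exclude_in=("Vlan39",)):
    """Model of the posted config for a packet leaving via Vlan38: 'ip wccp 98 redirect out'
    applies the list unless the ingress SVI has 'ip wccp redirect exclude in' (assumed to win)."""
    if ingress_vlan in exclude_in:
        return False
    return acl_match(FNB_WCCP, proto, src, dst, dport) == "permit"

def trace(client_vlan="Vlan30", exclude_in=("Vlan39",), max_hops=5):
    """Follow one client HTTP packet the ProxySG bypasses (constructed destination
    203.0.113.10); returns the next hops the Nexus hands it to, 'LOOP' if it never exits."""
    hops, ingress = [], client_vlan
    for _ in range(max_hops):
        if not nexus_redirects(ingress, "tcp", "172.19.30.96", "203.0.113.10", 80, exclude_in):
            return hops + ["Firewall"]
        hops.append("ProxySG")
        ingress = "Vlan39"  # bypassed packet comes back in on the ProxySG's SVI
    return hops + ["LOOP"]
```

With the exclusion in effect the packet goes ProxySG then Firewall; without it the model reproduces the ProxySG/Nexus ping-pong seen in the capture, because entry 90 matches the returning packet just as it matched the original one.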