Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Need wccp configuration assistance

I'm running wccp between a Nexus 7K and a Bluecoat ProxySG.  I've attached a Visio which shows a overview of how all the pieces fit together.  I'll also describe it here:

For the purpose of discussing this issue, only two VLANs on the 7K matter.  These are VLAN38, on which the firewall to the Internet is attached on the Inside and VLAN39, on which the web-cache engine (ProxySG) is attached.  The relevant wccp configuration is below:

feature wccp

!

ip wccp 97 redirect-list Remote-WCCP

ip wccp 98 redirect-list FNB-WCCP

!

IP access list FNB-WCCP

        10 deny ip 172.19.0.0/16 156.99.45.0/25

        20 deny ip 172.19.0.0/16 156.99.46.0/25

        30 deny ip 172.19.0.0/16 156.99.112.0/25

        40 deny ip 172.19.0.0/16 156.99.242.208/28

        50 deny ip 172.19.0.0/16 156.99.167.192/26

        60 deny ip 172.19.0.0/16 156.99.8.192/28

        70 deny ip 172.19.0.0/16 156.99.193.0/25

        80 deny ip 172.19.0.0/16 192.168.0.0/16

        90 permit tcp 172.19.30.96/32 any eq www

        100 permit tcp 172.19.30.96/32 any eq 443

!

interface Vlan38

  no ip redirects

  ip address 172.19.38.3/24

  ip ospf passive-interface

  ip router ospf 100 area 0.0.0.0

  ip wccp 98 redirect out

  hsrp 38

    authentication text deed

    preempt

    priority 110

    ip 172.19.38.1

  description IP Inside Firewall

  no shutdown

!

interface Vlan39
  description Bluecoat
  no shutdown
  no ip redirects
  ip address 172.19.39.3/24
  ip ospf passive-interface
  ip router ospf 100 area 0.0.0.0
  ip wccp redirect exclude in
  hsrp 39
    authentication text deed
    preempt
    priority 110
    ip 172.19.39.1

Two other pieces of information that I think is relevant is that the ProxySG was configured to use the HSRP virtual IP address of the SVI on the Nexus and wccp is in L2 mode (not GRE).

So here's the problem.  When the ProxySG receives traffic that is to be bypassed (policy NOT applied) it seems to send the traffic back to the Nexus but not via WCCP.  In other words, the "Total Bypassed Packets Received" counter doesn't increment.  The traffic comes back to the Nexus because the ProxySG sends the traffic on its way towards the Internet and since the Nexus is the default gateway for the ProxySG, that's where it goes.  The problem is (at least this is what I think) that the Nexus then tries to send it back out.  In the process it hits the wccp redirect ACL again and it goes back to the ProxySG.  This loop is repeated over and over again.  This is what I see when I do a packet capture on the port connected to the ProxySG.  I think that I can get around this if I move the ProxySG to VLAN38 and change the default gw of the ProxySG to the firewall's address.  I am wondering about this counter "Total Bypassed Packets Received".  That counter seems to suggest that if the web-cache engine determines that the traffic is to bypass policy that it'd send it back to the wccp server for normal processing.

Everyone's tags (4)
3 REPLIES
Community Member

Need wccp configuration assistance

We ran into problems as well, but were on an unsupported NX-OS version.  What version of NX-OS are you running?

Cheers,

Ben

Community Member

Need wccp configuration assistance

6.0(2).

I opened a TAC case on this and the TAC engineer stated that I was hitting a new bug.

Community Member

Need wccp configuration assistance

Thank you for the information.  We'll keep an eye on that when we're ready to move to 6.

Cheers,

Ben

1032
Views
0
Helpful
3
Replies
CreatePlease to create content