WCCP not redirecting packets

Hello,

I am trying to redirect packets to a Blue Coat ProxySG using WCCP on a 3750X stack with IP Services.

I can't get the packets to redirect.

The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.

It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.

(After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)

SDM prefer is enabled.

Here is the config:

SiteA#sh run

Building configuration...

Current configuration : 7699 bytes

!

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SiteA

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.

!

username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1

no aaa new-model

switch 1 provision ws-c3750x-24

switch 2 provision ws-c3750x-24

system mtu routing 1500

ip routing

!

!

!

ip wccp 90 redirect-list 115 group-list 15

vtp mode transparent

!

track 1 ip sla 1 reachability

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

vlan 10

!

ip ssh version 2

!

!

!

!

!

!

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0

no ip address

no ip route-cache cef

no ip route-cache

!

interface GigabitEthernet1/0/1

no switchport

ip address 192.168.20.2 255.255.255.252

speed 100

duplex full

!

interface GigabitEthernet1/0/2

no switchport

ip address 192.168.20.9 255.255.255.252

!

interface GigabitEthernet1/0/3

switchport access vlan 10

switchport mode access

!

!

interface GigabitEthernet1/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode active

!

interface GigabitEthernet2/0/1

description *BlueCoat Proxy*

switchport access vlan 10

switchport mode access

!

interface GigabitEthernet2/0/2

switchport access vlan 10

switchport mode access

!

interface GigabitEthernet2/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode active

!

interface GigabitEthernet2/1/2

!

interface GigabitEthernet2/1/3

!

interface GigabitEthernet2/1/4

!

interface TenGigabitEthernet2/1/1

!

interface TenGigabitEthernet2/1/2

!

interface Vlan1

no ip address

!

interface Vlan10

ip address 10.10.20.3 255.255.255.0

standby 10 ip 10.10.20.1

standby 10 priority 110

standby 10 preempt

ip wccp 90 redirect in

!

!

router eigrp 1

network 10.10.20.0 0.0.0.255

network 192.168.10.0

network 192.168.20.0 0.0.0.3

redistribute static

!

ip local policy route-map IP_SLA_SiteA

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1

!

ip sla 1

icmp-echo 4.2.2.2 source-ip 192.168.20.9

threshold 300

frequency 15

ip sla schedule 1 life forever start-time now

ip sla enable reaction-alerts

logging esm config

access-list 15 permit 10.10.20.220

access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2

access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www

access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443

access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443

access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www

access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www

access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443

route-map IP_SLA_SiteA permit 10

match ip address 101

set ip next-hop 192.168.20.10

SiteA#

SiteA#show ip wccp 90

Global WCCP information:

    Router information:

        Router Identifier:                   192.168.20.9

        Protocol Version:                    2.0

    Service Identifier: 90

        Number of Service Group Clients:     1

        Number of Service Group Routers:     1

        Total Packets s/w Redirected:        0

          Process:                           0

          CEF:                               0

        Redirect access-list:                115

        Total Packets Denied Redirect:       52389

        Total Packets Unassigned:            71

        Group access-list:                   15

        Total Messages Denied to Group:      0

        Total Authentication failures:       0

        Total GRE Bypassed Packets Received: 0

SiteA#show ip wccp 90 detail

WCCP Client information:

        WCCP Client ID:          10.10.20.220

        Protocol Version:        2.0

        State:                   Usable

        Redirection:             L2

        Packet Return:           GRE

        Packets Redirected:    0

        Connect Time:          00:19:36

        Assignment:            MASK

        Mask  SrcAddr    DstAddr    SrcPort DstPort

        ----  -------    -------    ------- -------

        0000: 0x00000000 0x0000003F 0x0000  0x0000

        Value SrcAddr    DstAddr    SrcPort DstPort CE-IP

        ----- -------    -------    ------- ------- -----

        0000: 0x00000000 0x00000000 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0001: 0x00000000 0x00000001 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0002: 0x00000000 0x00000002 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0003: 0x00000000 0x00000003 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0004: 0x00000000 0x00000004 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0005: 0x00000000 0x00000005 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0006: 0x00000000 0x00000006 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0007: 0x00000000 0x00000007 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0008: 0x00000000 0x00000008 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0009: 0x00000000 0x00000009 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0010: 0x00000000 0x0000000A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0011: 0x00000000 0x0000000B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0012: 0x00000000 0x0000000C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0013: 0x00000000 0x0000000D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0014: 0x00000000 0x0000000E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0015: 0x00000000 0x0000000F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0016: 0x00000000 0x00000010 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0017: 0x00000000 0x00000011 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0018: 0x00000000 0x00000012 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0019: 0x00000000 0x00000013 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0020: 0x00000000 0x00000014 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0021: 0x00000000 0x00000015 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0022: 0x00000000 0x00000016 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0023: 0x00000000 0x00000017 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0024: 0x00000000 0x00000018 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0025: 0x00000000 0x00000019 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0026: 0x00000000 0x0000001A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0027: 0x00000000 0x0000001B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0028: 0x00000000 0x0000001C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0029: 0x00000000 0x0000001D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0030: 0x00000000 0x0000001E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0031: 0x00000000 0x0000001F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0032: 0x00000000 0x00000020 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0033: 0x00000000 0x00000021 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0034: 0x00000000 0x00000022 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0035: 0x00000000 0x00000023 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0036: 0x00000000 0x00000024 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0037: 0x00000000 0x00000025 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0038: 0x00000000 0x00000026 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0039: 0x00000000 0x00000027 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0040: 0x00000000 0x00000028 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0041: 0x00000000 0x00000029 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0042: 0x00000000 0x0000002A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0043: 0x00000000 0x0000002B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0044: 0x00000000 0x0000002C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0045: 0x00000000 0x0000002D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0046: 0x00000000 0x0000002E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0047: 0x00000000 0x0000002F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0048: 0x00000000 0x00000030 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0049: 0x00000000 0x00000031 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0050: 0x00000000 0x00000032 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0051: 0x00000000 0x00000033 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0052: 0x00000000 0x00000034 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0053: 0x00000000 0x00000035 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0054: 0x00000000 0x00000036 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0055: 0x00000000 0x00000037 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0056: 0x00000000 0x00000038 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0057: 0x00000000 0x00000039 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0058: 0x00000000 0x0000003A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0059: 0x00000000 0x0000003B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0060: 0x00000000 0x0000003C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0061: 0x00000000 0x0000003D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0062: 0x00000000 0x0000003E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

        0063: 0x00000000 0x0000003F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)

SiteA#

SiteA#sh sdm prefer

The current template is "desktop routing" template.

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K

  number of IPv4 IGMP groups + multicast routes:    1K

  number of IPv4 unicast routes:                    11K

    number of directly-connected IPv4 hosts:        3K

    number of indirect IPv4 routes:                 8K

  number of IPv4 policy based routing aces:         0.5K

  number of IPv4/MAC qos aces:                      0.5K

  number of IPv4/MAC security aces:                 1K

SiteA#

6 Replies

Jon Marshall

Hi Kevin

That configuration looks familiar

I haven't done WCCP before but from the 3750 configuration guide on WCCP -

Configure the switch interfaces that are connected to the clients, the application engines, and the server as Layer 3 interfaces (routed ports and switch virtual interfaces [SVIs]). For WCCP packet redirection to work, the servers, application engines, and clients must be on different subnets.

I can't say for sure this is your problem but it sounds like the server needs to be on a different subnet than the clients.

The easy solution is to create a new vlan on your 3750 and put the server into that and then try redirection.

Presumably this is not one of the servers that needs replication across the 3750_1 to 3750_2 interconnect?

Jon

Hi Jon

Actually we are trying to get the WCCP working in all sites, even though the Bluecoat device only exists at the 3750_1 site.

3750_3 doesn't support WCCP since it is IP Base, so not sure how that is going to work for redirecting user traffic.

We did make some changes earlier today and put the Blue Coat in its own vlan on 3750_1.

Kevin

I don't think you necessarily need to have one locally in the user site. You could simply apply your redirect acl to the L3 routed ports on 3750_1 and 3750_2 that connect back to 3750_3. Then you simply use site1 or site2's devices for web traffic.

That would seem more logical to me than having a third one locally unless you are concerned about caching issues and are trying to cut down on unnecessary web traffic across the uplink(s).

By the way, have you fully implemented and tested the new design and are you still having those throughput issues you were having?

Jon

Hi Jon,

There are no more throughput issues.

Everything is working well. Thanks so much!

As for the WCCP,

I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)

I'm not sure what you meant when you said:

Then you simply use site1 or site2's devices for web traffic.

Do I need to change the gateway for the users vlan in Site 3750_3 to something else?

Right now it is pointing to 10.20.20.1 on the 3750_3.

Below is what I have so far on the 3750_3.

I tried to force the traffic via PBR to the BlueCoat device, but that didn't seem to work either.

UserSite(config)#do sh run

Building configuration...

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname UserSite

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

switch 1 provision ws-c3750x-48p

switch 2 provision ws-c3750x-48p

system mtu routing 1500

ip routing

!

!

vtp mode transparent

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

vlan 10

!

vlan 20

name clients

!

!

!

interface FastEthernet0

no ip address

no ip route-cache cef

no ip route-cache

no ip mroute-cache

!

!

interface GigabitEthernet1/0/47

description *CERTES-MGMT-MAIN*

switchport access vlan 20

switchport mode access

!

interface GigabitEthernet1/0/48

description *MAN-LINE-TO-DC-MAIN*

no switchport

ip address 192.168.20.1 255.255.255.252

speed 100

duplex full

!

interface GigabitEthernet1/1/1

!

interface GigabitEthernet1/1/2

!

interface GigabitEthernet1/1/3

!

interface GigabitEthernet1/1/4

!

interface TenGigabitEthernet1/1/1

!

interface TenGigabitEthernet1/1/2

!

interface GigabitEthernet2/0/47

description *CERTES-MGMT-DR*

switchport access vlan 20

switchport mode access

!

interface GigabitEthernet2/0/48

description *MAN-LINE-TO-DC-DR*

no switchport

ip address 192.168.20.5 255.255.255.252

speed 100

duplex full

!

interface GigabitEthernet2/1/1

!

interface GigabitEthernet2/1/2

!

interface GigabitEthernet2/1/3

!

interface GigabitEthernet2/1/4

!

interface TenGigabitEthernet2/1/1

!

interface TenGigabitEthernet2/1/2

!

interface Vlan1

ip address 192.168.10.254 255.255.255.0

!

interface Vlan20

ip address 10.20.20.1 255.255.255.0

ip helper-address 10.10.20.30

!

!

router eigrp 1

network 10.20.20.0 0.0.0.255

network 192.168.10.0

network 192.168.20.0 0.0.0.7

offset-list 10 in 100 GigabitEthernet2/0/48

eigrp stub connected summary

!

ip local policy route-map PBR_Proxy

ip classless

ip http server

ip http secure-server

!

ip access-list extended Traffic2Proxy

permit tcp 10.20.20.0 0.0.0.255 eq www any

permit tcp 10.20.20.0 0.0.0.255 eq 443 any

!

ip sla enable reaction-alerts

route-map PBR_Proxy permit 10

match ip address Traffic2Proxy

set ip next-hop 192.168.50.220

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

login local

line vty 0 4

exec-timeout 30 0

privilege level 15

logging synchronous

login local

length 0

transport input telnet ssh

line vty 5 15

exec-timeout 30 0

privilege level 15

logging synchronous

login local

transport input telnet ssh

!

end

Kevin

No, you definitely do not want to change the default gateway for the users and you couldn't anyway as the links are L3 routed links.

You have this in the config -

ip local policy route-map PBR_Proxy

that is for traffic generated by the router itself. It is needed like this on 3750_1 because the IP SLA ping is being generated by the switch itself. For user traffic you need to apply it to the vlan 20 SVI eg.

no ip local policy route-map PBR_Proxy

int vlan 20

ip policy route-map PBR

Your PBR acl also needs modifying, i.e. you have -

ip access-list extended Traffic2Proxy

permit tcp 10.20.20.0 0.0.0.255 eq www any

permit tcp 10.20.20.0 0.0.0.255 eq 443 any

but it should be -

ip access-list extended Traffic2Proxy

permit tcp 10.20.20.0 0.0.0.255  any eq www

permit tcp 10.20.20.0 0.0.0.255  any eq 443

All that said though, if 3750_3 is running IP Base then it doesn't support PBR so I'm not sure it will work. You need IP Services and then you need to enable the SDM routing template.

I think you should be able to apply it on the 3750_1 L3 port connecting to 3750_3. If you used the same acl as you have posted here that is probably why it wasn't working. So it may be worth trying again.

Finally, if everything is working as it should be (with the exception of WCCP at the moment) can I update the previous thread so others can see it all worked?

Jon
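The following is an added example, not code from this thread, from Cisco or from Blue Coat. It is a small evaluator for IOS-style extended ACL entries that walks through two things discussed above: which packets WCCP service 90's redirect-list (access-list 115 as posted for SiteA) would select and which mask bucket / cache engine they land in, using the mask row shown in the `show ip wccp 90 detail` output (DstAddr mask 0x3F, every value row owned by 10.10.20.220); and why the Traffic2Proxy ACL needed the correction just given, since `eq www` placed after the source matches source port 80 (replies from a web server) rather than client requests to port 80. All sample packets are constructed; the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges standing in for Internet hosts, and first-match-then-implicit-deny is the only ACL semantics assumed.

```python
"""Evaluate IOS-style extended ACL entries against sample packets and map
WCCP-permitted packets to their mask-assignment bucket. Added example; the
ACL lines are copied from the thread, the packets are constructed."""
import ipaddress
from typing import NamedTuple, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


class Packet(NamedTuple):
    proto: str
    src: int
    sport: int
    dst: int
    dport: int


class Ace(NamedTuple):
    permit: bool
    proto: str
    src: Tuple[int, int]      # (network, wildcard)
    sport: Optional[int]      # None = any port
    dst: Tuple[int, int]
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def pkt(proto: str, src: str, sport: int, dst: str, dport: int) -> Packet:
    """Build a constructed sample packet from dotted-quad addresses."""
    return Packet(proto, _ip(src), sport, _ip(dst), dport)


def _take_addr(t, i):
    """Consume an IOS address spec (any | host A | NET WILDCARD) at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _take_port(t, i):
    """Consume an optional 'eq PORT' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] == "access-list":     # numbered form: drop the "access-list N" prefix
        t = t[2:]
    src, i = _take_addr(t, 2)
    sport, i = _take_port(t, i)   # a port here qualifies the SOURCE
    dst, i = _take_addr(t, i)
    dport, _ = _take_port(t, i)   # a port here qualifies the DESTINATION
    return Ace(t[0] == "permit", t[1], src, sport, dst, dport)


def _addr_match(spec, ip: int) -> bool:
    net, wildcard = spec
    return (ip & ~wildcard) == (net & ~wildcard)


def ace_matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)
            and _addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))


def acl_permits(acl, p: Packet) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.permit
    return False


# Redirect-list 115 exactly as posted for SiteA in the last config above.
ACL_115 = [parse_ace(line) for line in """
access-list 115 deny   ip host 192.168.50.220 any
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
""".strip().splitlines()]

# Mask row from "show ip wccp 90 detail": SrcAddr 0x0, DstAddr 0x3F, ports 0.
# Only the low six bits of the destination address choose the bucket, and the
# output lists all 64 value rows assigned to the single cache engine.
MASK = (0x00000000, 0x0000003F, 0x0000, 0x0000)
CE_IP = "10.10.20.220"
MASK_TABLE = {(0, value, 0, 0): CE_IP for value in range(64)}


def mask_bucket(p: Packet, mask=MASK):
    return tuple(f & m for f, m in zip((p.src, p.dst, p.sport, p.dport), mask))


def wccp_decision(p: Packet, redirect_list=ACL_115, table=MASK_TABLE):
    """None = not redirected (a redirect-list miss is what the 'Total Packets
    Denied Redirect' counter tallies); otherwise the cache engine chosen."""
    if not acl_permits(redirect_list, p):
        return None
    return table.get(mask_bucket(p))   # None if the bucket is unassigned


# Traffic2Proxy as posted on UserSite, and as corrected in the reply above.
TRAFFIC2PROXY_POSTED = [parse_ace(line) for line in (
    "permit tcp 10.20.20.0 0.0.0.255 eq www any",
    "permit tcp 10.20.20.0 0.0.0.255 eq 443 any")]
TRAFFIC2PROXY_FIXED = [parse_ace(line) for line in (
    "permit tcp 10.20.20.0 0.0.0.255 any eq www",
    "permit tcp 10.20.20.0 0.0.0.255 any eq 443")]

if __name__ == "__main__":
    client_req = pkt("tcp", "10.20.20.50", 51234, "198.51.100.34", 80)
    print("WCCP 90 ->", wccp_decision(client_req), "bucket", mask_bucket(client_req))
    print("PBR posted:", acl_permits(TRAFFIC2PROXY_POSTED, client_req),
          "fixed:", acl_permits(TRAFFIC2PROXY_FIXED, client_req))
```

Running it shows a client request from vlan 20 to an outside web server being permitted by access-list 115 and landing in bucket 0x22 of the mask table, while the same request is missed by the posted Traffic2Proxy ACL and matched only by the corrected one; the posted ACL instead matches a packet sourced from port 80 inside 10.20.20.0/24, which is the direction mismatch described above.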

Hi Jon,

Yes please update the other thread.

Also, you are correct. I implemented the changes you said above, but still it didn't work.

Here is what I have on 3750_1 (as you can see, I added more vlans)

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SiteA

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

switch 1 provision ws-c3750x-24

switch 2 provision ws-c3750x-24

system mtu routing 1500

ip routing

!

!

!

ip wccp 90 redirect-list 115

vtp mode transparent

!

track 1 ip sla 1 reachability

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

vlan 10,30,35,40

!

ip ssh version 2

!

!

!

!

!

!

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0

no ip address

no ip route-cache cef

no ip route-cache

!

interface GigabitEthernet1/0/1

no switchport

ip address 192.168.20.2 255.255.255.252

ip wccp 90 redirect in

speed 100

duplex full

interface Vlan1

ip address 192.168.50.1 255.255.255.0

!

interface Vlan10

ip address 10.10.20.3 255.255.255.0

ip wccp 90 redirect in

standby 10 ip 10.10.20.1

standby 10 priority 110

standby 10 preempt

!

interface Vlan30

ip address 10.10.30.1 255.255.255.0

!

interface Vlan35

ip address 10.10.35.1 255.255.255.0

!

interface Vlan40

ip address 10.10.40.1 255.255.255.0

!

!

router eigrp 1

network 10.10.20.0 0.0.0.255

network 192.168.10.0

network 192.168.20.0 0.0.0.3

redistribute static

!

ip local policy route-map IP_SLA_SiteA

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1

!

ip access-list extended testing

permit tcp host 10.10.20.123 any eq www

!

ip sla 1

icmp-echo 4.2.2.2 source-ip 192.168.20.9

threshold 300

frequency 15

ip sla schedule 1 life forever start-time now

ip sla enable reaction-alerts

logging esm config

access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2

access-list 115 deny   ip host 192.168.50.220 any

access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www

access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443

access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443

access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www

access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www

access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443

route-map IP_SLA_SiteA permit 10

match ip address 101

set ip next-hop 192.168.20.10
