09-28-2010 06:27 AM - edited 03-06-2019 01:13 PM
Hello,
Simple question. I want to use WCCP for web caching/filtering on my Cisco 4510R-E. Problem is, this switch is only layer 2...all routing is done via Checkpoint firewalls connected to this switch.
My question is: does my switch need to be the gateway/router to use WCCP, or can it work only on layer 2?
I've read a lot of doc but I never found this answer.
Thank you
09-28-2010 07:42 AM
Yes, this is a layer 3 feature. WCCP uses IP redirection to achieve transparent redirecting to a proxy server.
One way you could accomplish this, if you really want to keep the majority of routing in your Checkpoint firewalls, is to create an external transport network on the outside of the firewalls and add one hop through a layer 3 interface on the 4510 before handoff to your ISP. You would have to either have your proxy server outside the firewall (probably not the best idea) or allow special access back in for proxy hits. Of course this complicates your configuration because you need to follow certain conventions to share a device between security contexts like that securely.
My personal preference would be to let the Checkpoint devices focus on firewalling and bring routing back into the 4510, but this may not be a good fit for your scenario.
09-28-2010 08:05 AM
Thank you for the answer!!!
I'll look into this.