WCCP redirect acl... Why isn't it working?

Ven Taylor
Level 4

Here's my pertinent DMZ 3750 config:

ip wccp 5 redirect-list BlueCoat_WCCP_Test
ip wccp 10 redirect-list BlueCoat_WCCP
!
interface GigabitEthernet1/0/1
 description SDC6506-1T-1 2/3
 no switchport
 ip address x.x.x.x 255.255.255.0
 ip wccp 5 redirect in
 ip wccp 10 redirect in
 load-interval 30
 spanning-tree portfast
!
ip access-list extended BlueCoat_WCCP
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended BlueCoat_WCCP_Test
 permit tcp host y.y.y.y any eq www log
 permit tcp host y.y.y.y any eq 443 log
!

Wccp 10 is our default config, but 5 is new.  We're using it to test new bluecoat servers for a specific host (y.y.y.y).

When the bluecoat team enables wccp on their new server, the expected outcome is that when they browse from the y.y.y.y host, the BlueCoat_WCCP_Test acl will pick it up and push it to wccp 5.

However, we don't see any hits on the BlueCoat_WCCP_Test acl, no wccp 5 redirects, and they see the y.y.y.y browsing being hit on the production BlueCoat server.

My question is this...  Is the order of the ACLs making our y.y.y.y traffic get picked up by the first acl (BlueCoat_WCCP) and therefore it never gets to the BlueCoat_WCCP_Test acl?  If so, would moving the acl up in the config change the behavior?

thanks!

Ven 

6 Replies

John Blakley
VIP Alumni

Ven,

Deny the host that you're wanting to go to 5 in the acl for BlueCoat_WCCP. The service groups have to match between the ProxySG and you have to have a connection. Do you have that for the 2 groups? The easiest way to test is to put a deny statement for the 2 hosts that you have in the BlueCoat_WCCP acl and then they won't redirect to group 10 (if they even are), but instead redirect to group 5.

HTH,

John

HTH, John *** Please rate all useful posts ***
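To make the overlap John is pointing at concrete, here is a small added example (not code from this thread or from Cisco/Blue Coat) that models a redirect-list as a first-match IOS ACL with an implicit deny, and checks which service groups' lists permit a given flow. With the poster's two lists as written, a web flow from the test host is permitted by both group 10 and group 5; adding a deny for that host at the top of BlueCoat_WCCP leaves only group 5. The addresses are constructed placeholders standing in for y.y.y.y, and the model assumes the platform honours deny entries in a redirect-list, which the thread later notes is not the case for the 3750.

```python
"""Added example: which WCCP service groups does a redirect-list permit a flow into?

Assumptions (not from the thread): a redirect-list is evaluated top-down,
first match wins, and there is an implicit deny at the end, as with IOS
extended ACLs. Addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "any" or an address/prefix
    dst: str               # "any" or an address/prefix
    dport: Optional[int]   # None means any destination port


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise check membership in the prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_action(entries: List[AclEntry], flow: Flow) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", flow.proto):
            continue
        if not _addr_match(e.src, flow.src) or not _addr_match(e.dst, flow.dst):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny"


def matching_groups(service_groups: Dict[int, List[AclEntry]], flow: Flow) -> List[int]:
    """Service-group ids whose redirect-list permits the flow, in config order."""
    return [gid for gid, entries in service_groups.items()
            if acl_action(entries, flow) == "permit"]


# Constructed stand-in for the thread's y.y.y.y test host.
TEST_HOST = "192.0.2.50"

# The two redirect-lists from the poster's config (www == 80).
BLUECOAT_WCCP = [
    AclEntry("permit", "tcp", "any", "any", 80),
    AclEntry("permit", "tcp", "any", "any", 443),
]
BLUECOAT_WCCP_TEST = [
    AclEntry("permit", "tcp", TEST_HOST, "any", 80),
    AclEntry("permit", "tcp", TEST_HOST, "any", 443),
]


def original_config() -> Dict[int, List[AclEntry]]:
    """Service groups exactly as posted: both lists permit the test host."""
    return {10: BLUECOAT_WCCP, 5: BLUECOAT_WCCP_TEST}


def carved_out_config() -> Dict[int, List[AclEntry]]:
    """John's suggestion: deny the test host at the top of group 10's list.

    Only meaningful on platforms whose WCCP implementation honours deny
    entries in a redirect-list (the thread reports the 3750 does not).
    """
    carve_out = AclEntry("deny", "tcp", TEST_HOST, "any", None)
    return {10: [carve_out] + BLUECOAT_WCCP, 5: BLUECOAT_WCCP_TEST}


if __name__ == "__main__":
    web = Flow("tcp", TEST_HOST, "198.51.100.10", 80)     # test host browsing
    other = Flow("tcp", "192.0.2.7", "198.51.100.10", 80)  # any other client
    print("as posted, test host :", matching_groups(original_config(), web))    # [10, 5]
    print("with carve-out       :", matching_groups(carved_out_config(), web))  # [5]
    print("other client         :", matching_groups(carved_out_config(), other))  # [10]
```

The useful check is the first line of output: when more than one service group's redirect-list permits the same flow, the configuration is ambiguous and which cache engine actually receives the traffic depends on the platform, not on the order the lists appear in the config. Making the lists disjoint (by a deny where supported, or by restricting the production list's sources) removes the ambiguity.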

Update:

We replicated this in our lab and found out a few things.

Deny statements in wccp are a bad thing.  It causes wccp to freak out.  Cisco says wccp doesn't support deny statements.

However, we did figure out what had to be done.

Removing the "ip wccp 5 redirect in" and "ip wccp 10 redirect in" statements from our vlan interfaces, and then replacing them, caused it to work.

Our best guess is that the wccp 10 relationship with our bluecoat servers wouldn't let go and allow wccp 5 relationship until we removed and replaced them.

Weird huh?

Ven


Ven,

Deny statements in wccp are a bad thing.  It causes wccp to freak out.  Cisco says wccp doesn't support deny statements.

Do you have any documentation to support this? I've never had a problem with deny statements in the past, and generally they're used like PBR in a sense that if you have a specific host you don't want to redirect that's within a range that you are redirecting, it simply bypasses redirection. If you can point me to a document, I may have to rethink the way that I've been doing my redirections as well....

Thanks,

John

HTH, John *** Please rate all useful posts ***

I'm with John, I would like to see some supported docs on how deny statements in wccp are bad. This is how I run my WCCP in my environment. Anything I need to exclude from the WCCP I write deny statements based on the source.

We use WCCP in our environment with Bluecoat redirection and on my long extended access list I have deny statements especially for the servers that do not need the bottleneck of Bluecoat when downloading things like service packs.

Essentially using the deny statements has never given us any issues, and I wonder when Cisco decided that the deny statements are a bad thing for WCCP as it works in our environment?

My apologies.  I was misinformed.  It's the 3750 + wccp combination that doesn't support deny statements in the acl.

http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html

Ven
