Cisco Support Community
Community Member

WCCP Vlan redirection


I have an Ironport set up with my 6500 through WCCP.

It seems to be working ok, but I have a question.

Right now, I'm only redirecting a specific VLAN (let's say 40).

I can filter the traffic ok, but I'm seeing that it's also redirecting inter-VLAN traffic (from VLAN 100 to 40, for example).

Is there a way to exclude this traffic?

Thanks in advance for any help.

Cisco Employee

WCCP Vlan redirection


Basically, the router decides what to redirect. Within your access-list, for example, you can define what to redirect (and what not). Would you mind including your WCCP config parts?


Community Member

WCCP Vlan redirection

This is the access-list I'm using.

Each line corresponds to a different VLAN.

Extended IP access list IRONPORT
    10 permit tcp any (8 matches)
    20 permit tcp any (3 matches)
    30 permit tcp any
    40 permit tcp any
    50 permit tcp any
    60 permit tcp any
    70 permit tcp any
    80 permit tcp any
    90 permit tcp any

Then I have a "ip wccp redirect in" in each VLAN I want to inspect traffic.

Is it best to just have this line on the interface connected to the router that leaves our LAN?

We have a MPLS network from our provider, that connects to remote sites.

Can I exclude these sites from inspection with "deny" commands on the access-list?

Re: WCCP Vlan redirection

Yes, it would be best to put that on the port going to the router, though in that case, you want that traffic redirected on egress from the port, instead of ingress.

Yes, you can exclude traffic by using deny statements in the access list. In fact, if you move the redirect to the port, you'll want one to exclude traffic from the WSA from being redirected to itself.


Cisco Employee

Re: WCCP Vlan redirection

As the router is always the source for the redirection, I would suggest excluding the corresponding IP addresses from being redirected in the first place (access-list modified to deny the particular traffic).

Another way is to use the proxy bypass list, which takes advantage of the WCCPv2 protocol to return the SYN packet to the router to indicate that the entire session should afterwards be bypassed directly at the router (this is all implemented inside WCCP, so there is nothing further to configure). This solution is probably more convenient to maintain; however, it creates a little overhead, as the initial SYN packet has to go back and forth to the WSA proxy.

I would advise using only IP addresses on the Proxy Bypass list, as it will anyway only be used to build an IP access-list.

In your case you would have to exclude each other VLAN's subnets to ensure they are being routed directly.
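
The two suggestions in this thread (deny statements in the redirect list, and redirecting once on the uplink instead of on every client VLAN) put together as an added IOS configuration example. This is not the poster's configuration: the subnets, the WSA address, the interface names and the use of the `web-cache` service group are all assumptions chosen for illustration.

```cisco
! Added example, not the configuration posted in this thread.
! Assumed addressing (placeholders, adjust to your network):
!   client VLANs       10.40.0.0/24 (VLAN 40), 10.100.0.0/24 (VLAN 100), ...
!   all internal nets  10.0.0.0/8
!   WSA (Ironport)     10.1.1.50, reachable on interface Vlan10
!   MPLS remote sites  172.16.0.0/16
!   Internet uplink    GigabitEthernet1/1
!   service group      web-cache (service 0, HTTP); assumed to be the one the WSA registers
!
ip access-list extended IRONPORT
 remark --- evaluated top-down, first match wins: the deny lines must come first ---
 remark 1. never redirect the proxy's own outbound connections back to itself
 deny   tcp host 10.1.1.50 any
 remark 2. inter-VLAN traffic stays local (internal -> internal is not redirected)
 deny   tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 remark 3. traffic to the MPLS remote sites is not inspected
 deny   tcp any 172.16.0.0 0.0.255.255
 remark 4. what is left: HTTP from the client VLANs towards the outside
 permit tcp 10.40.0.0 0.0.0.255 any eq www
 permit tcp 10.100.0.0 0.0.0.255 any eq www
 remark implicit deny at the end: anything else is routed normally, never redirected
!
! Bind the list to the service group. Only packets that match a permit line
! are candidates for redirection.
ip wccp web-cache redirect-list IRONPORT
!
! Independent of the ACL: packets arriving from the WSA's interface are
! excluded from redirection, so the proxy can never be looped onto itself.
interface Vlan10
 description WSA / Ironport
 ip wccp redirect exclude in
!
! Placement option A (as suggested above): redirect once, on egress towards
! the Internet, instead of "redirect in" on every client SVI.
interface GigabitEthernet1/1
 description Uplink to Internet router
 ip wccp web-cache redirect out
!
! Placement option B: keep ingress redirection on each client SVI and let
! the deny lines in IRONPORT do the excluding. Option A and B are
! alternatives; do not configure both.
! interface Vlan40
!  ip wccp web-cache redirect in
```

Before choosing option A, check the WCCP restrictions for your supervisor and software release: on the Catalyst 6500, ingress redirection is the hardware-assisted path, so many deployments keep `redirect in` on the client SVIs and rely on the deny lines instead. After applying the list, `show ip wccp web-cache detail` confirms the WSA is still registered, and `show ip access-lists IRONPORT` should show the match counters on the deny lines growing while inter-VLAN or MPLS-bound traffic flows, and only the permit lines growing for real Internet-bound HTTP.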

