Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Lots of deny statements in the redirect list

The following WAAS Configuration Guide has you configure the long redirect list below for "Network Modules."  Does Cisco recommend we us the same redirect list for WAAS appliances as well?

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/waas/v421/quick/guide/waasqcg.html#wp1432144

ip wccp version 2
ip wccp 61 redirect-list waas-wccp-redirect-list
ip wccp 62 redirect-list waas-wccp-redirect-list
ip access-list extended waas-wccp-redirect-list
remark WAAS WCCP Pilot Redirect list
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq bgp
deny tcp any any eq tacacs
deny tcp any any eq 2000
deny tcp any any eq 5060
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 554
deny tcp any any eq 1755
deny tcp any eq telnet any
deny tcp any eq 22 any
deny tcp any eq 161 any
deny tcp any eq 162 any
deny tcp any eq 123 any
deny tcp any eq bgp any
deny tcp any eq tacacs any
deny tcp any eq 2000 any
deny tcp any eq 5060 any
deny tcp any eq 1718 any
deny tcp any eq 1719 any
deny tcp any eq 1720 any
deny tcp any eq 554 any
deny tcp any eq 1755 any
permit tcp any any
end

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Lots of deny statements in the redirect list

Todd,

This redirect ACL is configured as part of the 4.2.1 setup utility for Network Modules in Pilot/PoC scenarios.  You will notice that the ports listed are the standard management and control TCP traffic (e.g. bgp, telnet, ssh, etc.), which would not see any benefit from WAAS to begin with.  So, you certainly could apply this redirect ACL in the appliance or network module scenario.  However, depending on your deployment strategy you may want to employ a white list of specific user/server subnets instead and let this traffic be denied via the implicit deny at the end of the ACL.  Basically this is a good starting point for a redirect ACL since it points out well known TCP traffic that would not see any benefit from WAAS so it should not even be redirected.  However, I would not say this is the end all be all redirect ACL for every deployment since every customer network will be different.

Hope this helps,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

P.S.  If this answers your question please mark it as such; thanks.

4 REPLIES

Re: Lots of deny statements in the redirect list

Todd,

This redirect ACL is configured as part of the 4.2.1 setup utility for Network Modules in Pilot/PoC scenarios.  You will notice that the ports listed are the standard management and control TCP traffic (e.g. bgp, telnet, ssh, etc.), which would not see any benefit from WAAS to begin with.  So, you certainly could apply this redirect ACL in the appliance or network module scenario.  However, depending on your deployment strategy you may want to employ a white list of specific user/server subnets instead and let this traffic be denied via the implicit deny at the end of the ACL.  Basically this is a good starting point for a redirect ACL since it points out well known TCP traffic that would not see any benefit from WAAS so it should not even be redirected.  However, I would not say this is the end all be all redirect ACL for every deployment since every customer network will be different.

Hope this helps,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

P.S.  If this answers your question please mark it as such; thanks.

New Member

Re: Lots of deny statements in the redirect list

Michael,

Good.  So that's sort of what I do except backwards.

I have what I'll call a black list. I put deny statements for my voice and video subnets along with the permit any any at the end.  I think I'll go head and deny all the ports listed in this thread as well.

Thank you,

Tod

Cisco Employee

Re: Lots of deny statements in the redirect list

A short addendum to this post as it causes some confusion for customers:

You don't have to configure a redirection ACL.

Some reasons to exclude traffic from WCCP redirection are:

  • you know some networks are not behind a WAE, so you can exclude them
  • you know some server is doing bad things and want to exclude it from acceleration, for example DC -> DC traffic is signed, so WAAS cannot accelerate it.
  • you want to reduce the latency on some very sensitive traffic that cannot get WAAS accelerated
  • you want to reduce the amount of redirected traffic on a software platform to reduce the general CPU/traffic load

Take into account that the WAAS will only ask to redirect TCP IPv4 traffic, so there is no need to exclude UDP for example.

Please note that on hardware platforms (Catalyst 3750, Catalyst 4500, Catalyst 6500, ASR 1000 or Nexus 7000) the redirection is often accelerated in hardware, so  'free', and the limitation to watch is the amount of TCAM space. Having a complex redirection ACL will eat up that TCAM space very fast so is actually worse.

Of course if you are redirecting too much traffic and this is causing overload on the attached WAAS devices you should consider having a redirection ACL.

Also always check the WCCP platform support white paper for platform specific limitations.

So in short: it depends , many customers take the easy route and don't have one, removing one more component to maintain and check.

Peter

New Member

Re: Lots of deny statements in the redirect list

My main reason for the redirect list is to exclude voip call control traffic.  Per advice from TAC, if you let WAAS process the call control tcp sessions and then WAAS has an issue that breaks the TCP session, then all your phone calls will drop.

1959
Views
0
Helpful
4
Replies
CreatePlease to create content