Branch IPSEC VPN Site with WCCP setup for vWAAS - Overthinking this

joneschw1
Level 1

OK, I have a fairly large WAAS environment so I'm kicking myself for overthinking this. I have a particular branch that has an 881 router that terminates an IPSEC connection back to my main location. I have a vWAAS at this branch site, so I'm going WCCP. I got the license upgrade to enable the WCCP feature set. Now I'm confused on the WCCP setup. There is only 1 VLAN at the branch. I have the WAAS set up to do WCCP GRE.

Question is: Would I do the redirect 61,62 on the VLAN1 interface? I think I would, but I'm used to dropping the 62 on the serial interface of my MPLS. I.E.:

int vlan1
 ip wccp 62 redirect in
 ip wccp 61 redirect in

HERE IS THE CURRENT CONFIG

ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
!
interface Vlan1
 description Branch Data VLAN
 ip address 10.22.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn Corporate-client inside
!
ip access-list extended branch-waas
 remark WCCP Redirect ACL
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 permit ip any any

1 Reply

Natalie Ramirez
Level 1

wccp 62 is to intercept the WAN traffic, but if you put it on the LAN side, you have to catch the traffic on its way out:

ip wccp 62 redirect out

There is no need to deny telnet and ssh; those both have policies in WAAS for passthrough. Also, I prefer to put my WAAS device on its own VLAN. However, if it is going to be on VLAN 1, your access list will need:

ip access-list extended branch-waas
 remark WCCP Redirect ACL
 deny   ip any host (WAAS IP)
 deny   ip host (WAAS IP) any
 permit ip any any

To make sure you do not loop WCCP traffic.

Just edited to change from TCP to IP in access list.
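Pulling the thread's advice together for the single-VLAN case, here is an assembled IOS configuration (an added illustration, not the config either poster supplied). It assumes the vWAAS sits on VLAN 1 at 10.22.1.10, a constructed address standing in for "(WAAS IP)"; the other Vlan1 settings from the original post are unchanged and omitted here.

```cisco
! Global WCCP services, both bound to the same redirect-list
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
!
! Redirect ACL: skip the vWAAS's own traffic in both directions so a flow
! returned by the vWAAS is not intercepted again (10.22.1.10 is an assumed
! vWAAS address on the branch data VLAN)
ip access-list extended branch-waas
 remark WCCP Redirect ACL
 deny   ip any host 10.22.1.10
 deny   ip host 10.22.1.10 any
 permit ip any any
!
! Single-VLAN branch with the IPSEC tunnel as the WAN: service 61 catches
! LAN-to-WAN traffic entering the SVI, service 62 catches WAN-to-LAN traffic
! leaving the same SVI, as described in the reply above
interface Vlan1
 description Branch Data VLAN
 ip address 10.22.1.1 255.255.255.0
 ip wccp 61 redirect in
 ip wccp 62 redirect out
!
! Verification (exec mode): the vWAAS should appear as a router client under
! both services and the redirect counters should increase with LAN traffic
show ip wccp
show ip wccp 61 detail
show ip wccp 62 detail
```

If the client count stays at 0 under either service, check that the vWAAS is configured for the same service pair and GRE redirect method before revisiting the ACL.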