
Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP

Hello Dears,

I'm trying to implement cache load balancing through the Cisco ACE Module.

I have 2 Bluecoat cache proxies. When I configure transparent proxy without spoofing client IP, everything works properly, but when I enable spoofing client IP (reflect client IP address), clients are not able to access the internet, although they are going to the cache servers; I can see their sessions.

I'm afraid that I have a problem in the returned traffic PBR.

Can anyone help, please?

Thanks


Andrew Nam
Level 1

Hi Ibrahim

I have reviewed the config. The ACE config is all good, but I do see some issues with the switch side. If you are doing IP spoofing, then "match ip address" in PBR should be the client IP address. However, what you did is the IP address between the ACE and MSFC. Try to configure the test client IP address into the below access-list.

msfc---vlan 265---ACE--vlan 264----CE farm

.....

interface vlan 265
  description Interface_With_MSFC_SUBS_2_INTERNET
  ip address 168.168.1.52 255.255.255.248
  access-group input PERMIT_ALL
  service-policy input L3L4_PM
  no shutdown


ip route 0.0.0.0 0.0.0.0 168.168.1.50

.....

....
ip access-list extended HSDPA_2_CACHE
permit tcp 168.168.0.0 0.0.255.255 any eq www   <<<-- wrong


ip access-list extended Internet_2_CACHE
permit tcp any eq www 168.168.0.0 0.0.255.255   <<<---wrong

interface Vlan 265
description Interface_With_ACE
ip address 168.168.1.50 255.255.255.248

route-map INTERNET_2_HSDPA permit 10
description "PBR for Response HTTP Traffic"
match ip address Internet_2_CACHE
set ip next-hop 168.168.1.52
!
route-map HSDPA_2_INTERNET permit 10
match ip address HSDPA_2_CACHE
set ip next-hop 168.168.1.52

....

regards

Andrew
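
The mismatch described in the reply above, as an added example that is not part of the original thread: a small Python check that evaluates the two PBR ACLs from the posted switch config against a flow, using IOS wildcard-mask semantics. The client 10.20.30.40, the server 203.0.113.10 and the in-range host 168.168.1.100 are constructed sample values, and a client subnet outside 168.168.0.0/16 is an assumption.

```python
import ipaddress

# ACL entries copied from the switch config in the reply above.
ACLS = {
    "HSDPA_2_CACHE": "permit tcp 168.168.0.0 0.0.255.255 any eq www",
    "Internet_2_CACHE": "permit tcp any eq www 168.168.0.0 0.0.255.255",
}
PORTS = {"www": 80}

def _endpoint(tokens):
    """Consume one 'any' | 'host A' | 'A WILDCARD' spec plus optional 'eq PORT'."""
    if tokens[0] == "any":
        net, wild, rest = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        net, wild, rest = int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    else:
        net = int(ipaddress.IPv4Address(tokens[0]))
        wild = int(ipaddress.IPv4Address(tokens[1]))
        rest = tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port = PORTS.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    return (net, wild, port), rest

def parse_ace(line):
    action, proto, *tokens = line.split()
    src, tokens = _endpoint(tokens)
    dst, _ = _endpoint(tokens)
    return action, proto, src, dst

def _hit(spec, ip, port):
    net, wild, want = spec
    addr = int(ipaddress.IPv4Address(ip))
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (addr ^ net) & ~wild & 0xFFFFFFFF == 0 and want in (None, port)

def pbr_matches(acl_name, src_ip, src_port, dst_ip, dst_port):
    """True if the TCP flow is permitted by the ACL, i.e. the route-map sets the next hop."""
    action, proto, src, dst = parse_ace(ACLS[acl_name])
    return (action == "permit" and proto == "tcp"
            and _hit(src, src_ip, src_port) and _hit(dst, dst_ip, dst_port))

if __name__ == "__main__":
    # Constructed return flows: web server -> non-spoofed address, then -> spoofed client.
    for dst in ("168.168.1.100", "10.20.30.40"):
        hit = pbr_matches("Internet_2_CACHE", "203.0.113.10", 80, dst, 40000)
        print(f"reply to {dst}: {'next-hop 168.168.1.52' if hit else 'normal routing, not via ACE'}")
```

With client IP reflection enabled, the server's reply is addressed to the client rather than to a 168.168.x.x address, so under these assumptions it misses `Internet_2_CACHE` and is routed normally instead of being sent to the next hop 168.168.1.52.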
