09-18-2014 08:58 AM
Hi
I have 2 different Nexus running different NX-OS (6.0(4) & 6.2(6)) with different line cards (F2 & F2E) and different Sups (Sup 1 & Sup 2), but they share the same problem. The Sup 2 devices work with VPC and the Sup 1 device is standalone; this is the only difference.
I am trying to configure WCCP on the devices to redirect http & https traffic to Websense. I created the following lines on both Nexus:
feature wccp
ip wccp 1 redirect-list WS_REDIRECT
ip wccp 5 redirect-list WS_REDIRECT
ip wccp 70 redirect-list WS_REDIRECT
ip access-list WS_REDIRECT
  deny ip any 10.0.0.0 0.255.255.255
  deny ip any 172.16.0.0 0.15.255.255
  deny ip any 192.168.0.0 0.0.255.255
  permit tcp any any eq www
  permit tcp any any eq 443
  permit tcp any any eq ftp
interface vlan 7
  ip wccp 1 redirect in
  ip wccp 5 redirect in
  ip wccp 70 redirect in
This redirects all the traffic, even the deny list.
No bug is reported in the bug tool kit.
Could you please help me?
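To see what the redirect-list in the post above is meant to do, independent of what the switch actually does, this added example (not part of the original post and not Cisco tooling) evaluates the posted ACL lines with first-match, wildcard-mask semantics. The flow addresses are constructed, and only the `eq` operator and the `www`/`ftp` port names used in the post are handled.

```python
import ipaddress

# Redirect-list entries copied from the post above (wildcard-mask syntax).
ACL = """\
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
"""
PORT_NAMES = {"www": 80, "ftp": 21}  # only the names the post uses

def parse_addr(tokens):
    """Consume 'any' or 'address wildcard'; return (base, care_mask)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return base & care, care

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = parse_addr(tokens), parse_addr(tokens)
        port = None
        if tokens[:1] == ["eq"]:
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        rules.append((action, proto, src, dst, port))
    return rules

def should_redirect(rules, proto, src_ip, dst_ip, dst_port):
    """First match wins: permit = hand to WCCP, deny = forward normally."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src_ip, dst_ip))
    for action, r_proto, (sb, sm), (db, dm), port in rules:
        if r_proto not in ("ip", proto) or (s & sm) != sb or (d & dm) != db:
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL

RULES = parse_acl(ACL)
if __name__ == "__main__":  # constructed sample flows, addresses are made up
    for flow in [("tcp", "10.7.0.25", "203.0.113.10", 80),
                 ("tcp", "10.7.0.25", "10.20.30.40", 80)]:
        print(flow, "redirect" if should_redirect(RULES, *flow) else "bypass")
```

Flows the function marks as bypass but that still reach the Websense box in a capture are the ones the deny entries are failing to exclude.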
09-18-2014 11:09 PM
Okay, it's weird that you have multiple WCCP groups.
Considering you are only using one ACL, just simply use one WCCP Group ID.
Also, here is a sample config:
Let's say you want to redirect traffic from VLAN 10,11 and 12 to WCCP
and your WCCP device is at VLAN20
#conf t
#ip wccp version 2                 ! DEFAULT: ver1
#ip wccp 90
#ip wccp 90 password wccp123       ! THIS IS OPTIONAL! Place a password on your WCCP instance.
#interface vlan 10
#ip wccp 90 redirect in
#interface vlan 11
#ip wccp 90 redirect in
#interface vlan 12
#ip wccp 90 redirect in
#interface vlan 20
#ip wccp redirect exclude in       ! avoid optimization loops
Your WCCP device will be in VLAN 20, and I recommend dedicating that VLAN to WCCP devices.
Configure your WCCP device (Websense) and define the Service group ID; in this example, it's wccp 90, and of course the IP of VLAN 20.
By default, all traffic in interfaces configured with "wccp 90 in" will forward traffic to the WCCP device.
09-18-2014 11:09 PM
Oh yeah, to add on that, the use of the ACL is to define what subnet/traffic/ports will be forwarded to WCCP.
Since we want to optimize all types of traffic, we do not need to configure an ACL. Still, if you want, then configure the ACL as you have, though you do not need to have multiple WCCP group IDs.
10-02-2014 12:29 AM
Both,
On a Nexus 7K it's the line cards that are important, so please be aware of the following table:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/unicast/configuration/guide/l3_cli_nxos/wccp.html#pgfId-1311595
describing valid combinations with respect to ingress/egress & WCCP module.
Also please be aware that "redirect exclude in" is not allowed on a N7K SVI (for some F2/F2E combinations), but anyway there is no use for it while only running "redirect in" (... and "redirect-out" isn't supported on N7K either).
But just use one redirect on an interface, as suggested.
Best regards
Finn Poulsen