ip wccp redirect-list acl

hbbilgin2010
Level 1

Hi

I have 2 different Nexus switches running different NX-OS versions (6.0(4) & 6.2(6)) with different line cards (F2 & F2E) and different Sups (Sup 1 & Sup 2), but they share the same problem. The Sup 2 devices work with vPC and the Sup 1 device is standalone; this is the only difference.

I am trying to configure WCCP on the devices to redirect HTTP & HTTPS traffic to Websense. I created the following lines on both Nexus devices:

feature wccp

ip wccp 1 redirect-list WS_REDIRECT
ip wccp 5 redirect-list WS_REDIRECT
ip wccp 70 redirect-list WS_REDIRECT

ip access-list WS_REDIRECT
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp

interface vlan 7
 ip wccp 1 redirect in
 ip wccp 5 redirect in
 ip wccp 70 redirect in

This redirects all the traffic, even the traffic in the deny list.

No bug is reported in the Bug Toolkit.


Could you please help me.
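
What the WS_REDIRECT list in the post above is meant to do, as an added example that is not part of the original post: a small Python model of first-match ACL evaluation for a WCCP redirect-list (permit = redirect, deny = bypass, implicit deny at the end). The function names and any test addresses are assumptions made for illustration; comparing its answers with what actually reaches the Websense appliance shows which entries the switch is not honouring.

```python
import ipaddress

# The redirect-list from the post above, entries copied as posted.
WS_REDIRECT = """\
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
"""
PORT_NAMES = {"www": 80, "ftp": 21}  # keyword ports used in the list

def _addr(tokens):
    """Consume 'any' or '<base> <wildcard>' and return a matcher for one address."""
    if tokens[0] == "any":
        del tokens[0]
        return lambda ip: True
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    del tokens[:2]
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return lambda ip: int(ipaddress.IPv4Address(ip)) & care == base & care

def parse_acl(text):
    """Parse 'action proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr(rest), _addr(rest)  # evaluated left to right
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def decision(rules, proto, src, dst, dport):
    """First matching entry wins; no match is an implicit deny (not redirected)."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_src(src) and r_dst(dst) and r_port in (None, dport):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"

RULES = parse_acl(WS_REDIRECT)
```

For instance, `decision(RULES, "tcp", "10.1.1.5", "10.2.2.2", 80)` returns `"bypass"`, so HTTP between two internal hosts should never reach the proxy.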

3 Replies

LJ Gabrillo
Level 5

Okay, it's weird you have multiple WCCP groups.
Considering you are only using one ACL, just simply use one WCCP group ID.


Also, here is a sample config:

 

Let's say you want to redirect traffic from VLANs 10, 11 and 12 to WCCP, and your WCCP device is at VLAN 20.


#conf t

#ip wccp version 2            -DEFAULT: ver1
#ip wccp 90
#ip wccp 90 password wccp123    -THIS IS OPTIONAL! Place a password on your WCCP instance.

#interface vlan 10
  #ip wccp 90 redirect in

#interface vlan 11
  #ip wccp 90 redirect in

#interface vlan 12
  #ip wccp 90 redirect in

#interface vlan 20
  #ip wccp redirect exclude in     -avoid optimization loops


Your WCCP device will be in VLAN 20, and I recommend dedicating that VLAN to WCCP devices.
Configure your WCCP device (Websense) and define the service group ID (in this example, it's wccp 90) and of course the IP of VLAN 20.

By default, all traffic in interfaces configured with "wccp 90 in" will forward traffic to the WCCP device.

Oh yeah, to add on that, the use of the ACL is to define what subnet/traffic/ports will be forwarded to WCCP.

Since we want to optimize all types of traffic, we do not need to configure an ACL. Still, if you want, then configure the ACL as you have, though you do not need to have multiple WCCP group IDs.

Both,

On a Nexus 7K it's the line cards that are important, so please be aware of the following table :

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/unicast/configuration/guide/l3_cli_nxos/wccp.html#pgfId-1311595

describing valid combinations with respect to ingress/egress & WCCP module.

Also please be aware that "redirect exclude in" is not allowed on an N7K SVI (for some F2/F2E combinations), but anyway there is no use for it while only running "redirect in" (... and "redirect-out" isn't supported on N7K either).

But just use one redirect on an interface, as suggested.


Best regards

Finn Poulsen
