10-26-2010 06:43 AM
The following WAAS Configuration Guide has you configure the long redirect list below for "Network Modules." Does Cisco recommend we use the same redirect list for WAAS appliances as well?
ip wccp version 2
ip wccp 61 redirect-list waas-wccp-redirect-list
ip wccp 62 redirect-list waas-wccp-redirect-list
ip access-list extended waas-wccp-redirect-list
remark WAAS WCCP Pilot Redirect list
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq bgp
deny tcp any any eq tacacs
deny tcp any any eq 2000
deny tcp any any eq 5060
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 554
deny tcp any any eq 1755
deny tcp any eq telnet any
deny tcp any eq 22 any
deny tcp any eq 161 any
deny tcp any eq 162 any
deny tcp any eq 123 any
deny tcp any eq bgp any
deny tcp any eq tacacs any
deny tcp any eq 2000 any
deny tcp any eq 5060 any
deny tcp any eq 1718 any
deny tcp any eq 1719 any
deny tcp any eq 1720 any
deny tcp any eq 554 any
deny tcp any eq 1755 any
permit tcp any any
end
10-26-2010 06:57 AM
Todd,
This redirect ACL is configured as part of the 4.2.1 setup utility for Network Modules in Pilot/PoC scenarios. You will notice that the ports listed are the standard management and control TCP traffic (e.g. bgp, telnet, ssh, etc.), which would not see any benefit from WAAS to begin with. So, you certainly could apply this redirect ACL in the appliance or network module scenario. However, depending on your deployment strategy you may want to employ a white list of specific user/server subnets instead and let this traffic be denied via the implicit deny at the end of the ACL. Basically this is a good starting point for a redirect ACL since it points out well-known TCP traffic that would not see any benefit from WAAS, so it should not even be redirected. However, I would not say this is the end-all, be-all redirect ACL for every deployment since every customer network will be different.
Hope this helps,
Mike Korenbaum
Cisco WAAS PDI Help Desk
http://www.cisco.com/go/pdihelpdesk
P.S. If this answers your question please mark it as such; thanks.
10-26-2010 08:24 AM
Michael,
Good. So that's sort of what I do except backwards.
I have what I'll call a black list. I put deny statements for my voice and video subnets along with the permit any any at the end. I think I'll go ahead and deny all the ports listed in this thread as well.
Thank you,
Tod
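An added example (not from the thread and not Cisco code) that shows how a WCCP redirect-list decides a flow: it parses the permit/deny tcp lines of an IOS extended ACL and evaluates a few constructed TCP flows against the pilot black list quoted above and against a white-list variant of the kind Mike describes, so the difference between an explicit deny and the implicit deny at the end of the ACL is visible. The subnets (10.1.0.0/16 users, 10.200.0.0/16 servers, a router at 10.254.0.1) and the sample flows are assumptions for illustration, and only the ACL syntax used in the thread (any, host, wildcard masks, eq) is handled.

```python
"""First-match evaluator for an IOS extended ACL used as a WCCP redirect-list.

Added example, not from the thread or from Cisco.  'permit' means WCCP
redirects the flow to WAAS, 'deny' means it is forwarded normally, and a flow
that matches no line falls to the implicit deny at the end (no redirect).
Supported syntax: 'any', 'host A', 'A.B.C.D wildcard' and 'eq <port>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Abridged copy of the pilot "black list" quoted in the thread.
BLACKLIST_ACL = """
ip access-list extended waas-wccp-redirect-list
 remark WAAS WCCP Pilot Redirect list
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 2000
 deny tcp any any eq 5060
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 2000 any
 deny tcp any eq 5060 any
 permit tcp any any
"""

# Constructed "white list": only flows between an assumed branch user subnet
# (10.1.0.0/16) and data-center server subnet (10.200.0.0/16) are redirected;
# call control is still excluded and everything else hits the implicit deny.
WHITELIST_ACL = """
ip access-list extended waas-wccp-redirect-list
 remark WAAS WCCP white list (constructed example)
 deny tcp any any eq 2000
 deny tcp any any eq 5060
 deny tcp any eq 2000 any
 deny tcp any eq 5060 any
 permit tcp 10.1.0.0 0.0.255.255 10.200.0.0 0.0.255.255
 permit tcp 10.200.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

PORT_NAMES = {"telnet": 23, "bgp": 179, "tacacs": 49}  # IOS keywords in the thread
Addr = Optional[Tuple[int, int]]  # (address, wildcard); None means 'any'


@dataclass
class Ace:
    action: str
    src: Addr
    src_port: Optional[int]
    dst: Addr
    dst_port: Optional[int]


def _parse_addr(tok, i):
    """Parse one IOS address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    # 'A.B.C.D W.W.W.W': IOS wildcard mask, 1 bits are "don't care"
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq <port>' at tok[i]; other operators are not supported."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] not in ("permit", "deny"):
            continue  # 'ip access-list', 'remark' and blank lines
        if tok[1] != "tcp":
            raise ValueError("WAAS only registers for TCP; unexpected line: " + line)
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append(Ace(tok[0], src, sport, dst, dport))
    return aces


def _addr_match(spec, ip):
    if spec is None:
        return True
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


def redirected(aces, src_ip, src_port, dst_ip, dst_port):
    """True if WCCP would redirect this flow; the first matching ACE wins."""
    for ace in aces:
        if (_addr_match(ace.src, src_ip) and ace.src_port in (None, src_port)
                and _addr_match(ace.dst, dst_ip) and ace.dst_port in (None, dst_port)):
            return ace.action == "permit"
    return False  # implicit deny: not redirected


# Constructed flows (assumed addresses): CIFS to a file server, SCCP call
# control, an SSH reply from a server, telnet to a router, HTTP to the Internet.
FLOWS = {
    "cifs user->server": ("10.1.5.20", 50000, "10.200.1.10", 445),
    "sccp user->callmanager": ("10.1.5.20", 50001, "10.200.2.5", 2000),
    "ssh server->user (return)": ("10.200.1.10", 22, "10.1.5.20", 50002),
    "telnet user->router": ("10.1.5.20", 50003, "10.254.0.1", 23),
    "http user->internet": ("10.1.5.20", 50004, "198.51.100.7", 80),
}


def evaluate(acl_text):
    """Map each constructed flow to True (redirected) or False (not redirected)."""
    aces = parse_acl(acl_text)
    return {name: redirected(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("black list", BLACKLIST_ACL), ("white list", WHITELIST_ACL)):
        print(label)
        for name, hit in evaluate(acl).items():
            print(f"  {name:28s} {'redirect' if hit else 'no redirect'}")
```

Running it shows the trade-off in the two approaches: the black list redirects everything not explicitly denied, including the HTTP flow to the Internet, while the white list leaves that flow and the telnet to the router to the implicit deny. It also shows that the white list still redirects the SSH reply between the two permitted subnets, because nothing denies port 22 there; ports you want excluded inside the permitted subnets must still be denied explicitly, in both directions (source port and destination port), as the pilot list does.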
01-26-2011 12:12 AM
A short addendum to this post as it causes some confusion for customers:
You don't have to configure a redirection ACL.
Some reasons to exclude traffic from WCCP redirection are:
Take into account that the WAAS will only ask to redirect TCP IPv4 traffic, so there is no need to exclude UDP for example.
Please note that on hardware platforms (Catalyst 3750, Catalyst 4500, Catalyst 6500, ASR 1000 or Nexus 7000) the redirection is often accelerated in hardware, so 'free', and the limitation to watch is the amount of TCAM space. Having a complex redirection ACL will eat up that TCAM space very fast, so it is actually worse.
Of course if you are redirecting too much traffic and this is causing overload on the attached WAAS devices you should consider having a redirection ACL.
Also always check the WCCP platform support white paper for platform specific limitations.
So in short: it depends; many customers take the easy route and don't have one, removing one more component to maintain and check.
Peter
01-26-2011 06:27 PM
My main reason for the redirect list is to exclude VoIP call control traffic. Per advice from TAC, if you let WAAS process the call control TCP sessions and then WAAS has an issue that breaks the TCP session, then all your phone calls will drop.