WCCP ACL on Catalyst 3750

carljohan.ekman
Level 1

Hi

I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running WCCP in the stack and redirecting traffic to the WAAS appliances using a redirect ACL. I read in the command guide for the 3750 that ONLY permit entries are supported. I have approx. 20 VLANs and there is local traffic flowing between some of them.

My question is: if I can't use deny entries in the redirect ACL in the switch, how can I stop the local traffic between the VLANs from getting redirected unnecessarily? Will the local traffic be redirected to the WAAS appliance and then just go bypass and go back to the switch stack, or does WCCP handle this in some way so only the first packets for each session get redirected?

BR

CJ Ekman

6 Replies

ahskhan
Cisco Employee

Hi Carl,

You need to create a WCCP redirect ACL with permit entries for the subnets / hosts you need to optimize. I would also add destination subnets / hosts in that ACL. The rest of the traffic will be explicit deny and hence no other VLAN traffic will go to WAAS. Hope this helps. Thanks.

Ahsan

Hi Ahskhan

But if I have 500+ sites with between 5-30 VLANs on each site, that ACL will be rather long, and trying to handle it and keep it up to date on all these WAAS appliances will be impossible.

Isn't there any other way to do it?

BR

CJ Ekman

Depends on your network / IP design.

If you have allocated enough networks per site / block, then you can design your ACL in a way that you do not permit the local subnets.

Scripting and IPAM can help you here.
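
One way to script the design described above, as an added example that is not part of the original thread: it builds a permit-only redirect ACL whose destinations are everything in the enterprise range except the site's own block, so inter-VLAN traffic falls through to the implicit deny. It assumes each site has one contiguous block inside a single enterprise supernet and covers only the site-to-remote direction; the addresses and the ACL name `WCCP-REDIRECT` are constructed for illustration.

```python
import ipaddress

def remote_prefixes(site_block, enterprise_block):
    """Prefixes covering enterprise_block minus site_block (the non-local destinations)."""
    site = ipaddress.ip_network(site_block)
    enterprise = ipaddress.ip_network(enterprise_block)
    if site == enterprise or not site.subnet_of(enterprise):
        raise ValueError(f"{site} must be a proper subnet of {enterprise}")
    # address_exclude() returns the sibling prefixes left over once the
    # site block is carved out, so no deny entry is ever needed.
    return sorted(enterprise.address_exclude(site))

def render_acl(name, site_block, enterprise_block):
    """Render a permit-only extended ACL: site block -> every non-local prefix."""
    site = ipaddress.ip_network(site_block)
    lines = [f"ip access-list extended {name}"]
    for remote in remote_prefixes(site_block, enterprise_block):
        lines.append(
            f" permit ip {site.network_address} {site.hostmask} "
            f"{remote.network_address} {remote.hostmask}"
        )
    return lines

def would_redirect(site_block, enterprise_block, src, dst):
    """True if src -> dst matches a permit entry; otherwise the ACL's
    implicit deny applies and the packet is not redirected."""
    site = ipaddress.ip_network(site_block)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return src_ip in site and any(
        dst_ip in remote
        for remote in remote_prefixes(site_block, enterprise_block)
    )

if __name__ == "__main__":
    # Constructed addressing plan: site block 10.20.0.0/16 inside 10.0.0.0/8.
    print("\n".join(render_acl("WCCP-REDIRECT", "10.20.0.0/16", "10.0.0.0/8")))
```

With a /16 site block inside a /8, the ACL is eight permit lines regardless of how many VLANs the site has, which is what keeps it maintainable across many sites.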

Hey CJ,

Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.

Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.

Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434

Hope this helps!

-Chet

Hi Chet

Do you know if the feature will be implemented for the older 3750s?

Option 1: From my experience it has problems with asymmetric routing. When you use GRE / GRE Return it's OK.

-Patrick

Hey Patrick,

I'm not sure if they will be supported on the 3750s, as opposed to 3750-X, 3750-E, or 3750Gs. Might be a good question for a switch forum?
