01-15-2013 11:29 AM - edited 03-11-2019 05:47 PM
I have three web content filters (Sophos) I need to implement and I am looking for a little guidance with WCCP redirection. I only need to redirect HTTP/HTTPS traffic to the content filters. From the reading I am doing, the ACLs do not support port-based redirection. Is this true? If so, what happens to other traffic such as SMTP or FTP as it gets redirected to the content filter and the filter ignores it?
In this config my content filters are 10.1.1.100, 10.1.1.101, and 10.1.1.102. ASA inside is 10.1.1.1 and outside is 208.70.80.5. I want to redirect all HTTP and HTTPS traffic.
Is this configuration right?
access-list wccp-servers permit ip host 10.1.1.100 any
access-list wccp-servers permit ip host 10.1.1.101 any
access-list wccp-servers permit ip host 10.1.1.102 any
access-list redirected-wccp permit ip any any
*If I want to exclude traffic from being redirected, such as websites and mail servers, can I put a deny in for those subnets above this line?
<this part seems like it should be tcp any any eq http and tcp any any eq https but I am reading that is not supported>
wccp web-cache group-list wccp-servers redirect-list redirected-wccp
wccp interface inside web-cache redirect in
Another question I have is: does the ASA do round-robin load balancing to the wccp-servers? And if so, what happens if one or all servers go down?
Any help would be appreciated. I am new to WCCP.
01-15-2013 11:47 AM
Hello Josh,
1. Yes, a port-specific ACL is not supported. But it is not a big problem. Usually on the WCCP server you can configure a very specific bypass (Cisco WSA supports that; I do not know about Sophos). For bypassed traffic the WCCP server will reinject that packet in GRE and send it back to the ASA, which will decapsulate it and send it as normal packets.
It's a good design, because you can have a very granular bypass policy on the WCCP server.
2. Yes, the configuration is correct, although it's better to be more specific (not send all traffic to WCCP if there is no need for that).
3. Yes, you can use deny in the redirect-list to exclude traffic.
4. WCCP keepalives are sent by the WCCP server by default every 10 seconds. If the ASA does not see those replies for some time, it marks the server as dead and uses the other ones.
---
Michal
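As an added example (not configuration from either poster), this is how the deny entries from point 3 would look on the ASA, using the addresses from the question; the mail-server subnet 10.1.2.0/24 and the web server 10.1.1.50 are placeholders assumed here, and the denies for the filters' own addresses are a defensive measure so filter-originated traffic is never looped back to the filters:

```cisco
! Content filters allowed to join the web-cache service group (from the question)
access-list wccp-servers extended permit ip host 10.1.1.100 any
access-list wccp-servers extended permit ip host 10.1.1.101 any
access-list wccp-servers extended permit ip host 10.1.1.102 any
!
! Traffic selection for redirection. Denies must precede the permit:
! a deny means "forward normally, do not send to the filters".
! Assumed placeholder subnets: 10.1.2.0/24 = mail servers, 10.1.1.50 = web server.
access-list redirected-wccp extended deny ip 10.1.2.0 255.255.255.0 any
access-list redirected-wccp extended deny ip host 10.1.1.50 any
! Defensive: never redirect traffic sourced by the filters themselves
access-list redirected-wccp extended deny ip host 10.1.1.100 any
access-list redirected-wccp extended deny ip host 10.1.1.101 any
access-list redirected-wccp extended deny ip host 10.1.1.102 any
! ASA WCCP does not honor TCP port matches, so the permit stays "ip any any";
! non-web traffic (SMTP, FTP) is bypassed and returned over GRE by the filters.
access-list redirected-wccp extended permit ip any any
!
! Enable the standard web-cache service group with both lists, then apply it
! to the inside interface for inbound (client-to-Internet) traffic only.
wccp web-cache redirect-list redirected-wccp group-list wccp-servers
wccp interface inside web-cache redirect in
!
! Verification: confirms the three filters are seen and that packets are being
! redirected rather than silently dropped.
! show wccp
! show wccp web-cache detail
```

After adding a deny, check with `show wccp` that the redirected packet counter still increases for the remaining traffic, which confirms the permit is still being hit.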
01-15-2013 11:53 AM
Thanks so much for the quick reply. Can you also please tell me one more thing? This ASA is a 5520 running 8.2(5) that can forward up to 375 Mb/s of traffic during peak. The CPU can go up to 80% but is usually between 65% and 75%. Almost all traffic is HTTP/HTTPS based. Will implementing WCCP have a negative impact on CPU in this case? Is it too much for this ASA to handle with these volumes?
Thanks again.
01-15-2013 12:09 PM
It depends on many factors.
It might have an influence because traffic from the client is GRE-encapsulated, sent to the WCCP server, then it returns (usually) and is processed again by the ASA.
80% CPU is already pretty high, so there is a risk.
But I cannot provide you any numbers; I would test it gradually, step by step, and monitor CPU and packet drops (overruns on interfaces).
---
Michal