SDA fabric Configuration with WCCP

melsharkawy
Level 1

Hi,

I have an SDA fabric implementation and the customer decided to deploy a transparent proxy using WCCP. He requested that we configure the network to force the user traffic (currently wireless (fabric mode), next is wired) to the proxy IP, which is part of the DC.

I have multiple VNs inside the fabric, and each VN is terminated on the fusion in a separate VRF and the DC subnets are in a separate VRF.

I need to know what the possible solutions are for this scenario, as I couldn't find anything on the internet or in Cisco documents about this requirement.


Hello
TECCRS-2812 (ciscolive.com) page 283 navigates to

"Move some Policy enforcement point(s) outside the SD-Access fabric. For example, PBR, WCCP can be applied external to the fabric."

So, evaluate the ability to deploy it on the Fusion; otherwise introduce an intermediate box for WCCP purposes.

We actually deployed a core proxy/cache box with ITD at the data center.

My follow-up question related to the SD-Access site is whether a feature similar to ACI policy-based redirect is requested or in the works for SD-Access. We have a site proxy/caching box with WCCP too and are thinking about how this would work if we were to move to an SDA site.

Given that SDA has new features like Pub/Sub, L2VNI, plus incremental features like L3/L2 border node, policy extended node and extended node etc., I would say WCCP/PBR-like policy redirection would be a great addition. Besides, IOS-XE did have SGT-based PBR support already.

If this is too hard to implement on SDA, any detailed technical explanation would be greatly appreciated. 

melsharkawy
Level 1

Hi Andy,

In the below link

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/eBook-SD-Access-for-Industry-Verticals-From-Design-to-Migration.pdf

It is mentioned on page 237 that this should be applied on "the egress interface of the fabric border node".

So, I am confused how to apply it in this way!

This states that you can configure WCCP on the BN with 'packet redirection on an outbound interface that is configured by using the "ip wccp redirect out" interface configuration command' - essentially the egress interface toward the Fusion, where VXLAN encapsulation is absent. Otherwise you configure "ip wccp redirect in" on the Fusion's interface toward the BN (again, on the same interconnect where VXLAN encapsulation is no longer applied to the user's flow).

Thanks Andy, I will try then post the result.

Appreciated.
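
The Fusion-side option described in the reply above, sketched as IOS-XE configuration. This is an added example, not configuration from the thread or from Cisco's guides: the VRF name, service ID 61, ACL names, interface, VLAN and all addresses are placeholders, and VRF-aware WCCP support is assumed and should be confirmed for the platform in use.

```ios
! Constructed example for the Fusion device. Every name, VLAN, address
! and the service ID below is a placeholder, not a value from the thread.
!
! Limit redirection to web traffic sourced from the fabric client pools,
! so only the flows meant for the proxy are intercepted.
ip access-list extended WCCP-REDIRECT-WEB
 permit tcp 10.10.0.0 0.0.255.255 any eq www
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
!
! Only accept WCCP registrations from the known proxy address, so an
! unexpected host cannot join the service group and receive user traffic.
ip access-list standard WCCP-PROXIES
 permit 192.0.2.10
!
! One service group per VN VRF. VRF-aware WCCP expects the proxy to be
! reachable in the same VRF as the redirect interface; with the DC in its
! own VRF, check this against the platform's WCCP documentation.
ip wccp vrf VN_CAMPUS 61 redirect-list WCCP-REDIRECT-WEB group-list WCCP-PROXIES
!
! Handoff sub-interface toward the border node. Traffic arrives here as
! plain IP (VXLAN already removed), which is why redirection goes on this link.
interface GigabitEthernet0/0/1.3001
 description Handoff to border node for VN_CAMPUS
 encapsulation dot1Q 3001
 vrf forwarding VN_CAMPUS
 ip address 172.16.1.2 255.255.255.252
 ip wccp vrf VN_CAMPUS 61 redirect in
!
! Border-node alternative from the same reply: apply the service on the
! BN's egress interface toward the Fusion instead, using
!   ip wccp vrf VN_CAMPUS 61 redirect out
! Configure one side or the other for a given VN, not both.
```

After applying it, `show ip wccp vrf VN_CAMPUS` should list the proxy as a registered client and show the redirected packet counter increasing for client web traffic.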