03-13-2023 04:45 PM
Hi,
I have an SDA fabric implementation and the customer decided to deploy a transparent proxy using WCCP. He requested that we configure the network to force the user traffic (currently wireless (fabric mode), next is wired) to the proxy IP, which is part of the DC.
I have multiple VNs inside the fabric, and each VN is terminated on the fusion in a separate VRF, with the DC subnets in a separate VRF.
I need to know what the possible solutions are for this scenario, as I couldn't find anything on the internet or in any Cisco document about this requirement.
03-14-2023 02:15 AM
Hello
TECCRS-2812 (ciscolive.com) page 283 navigates to
"Move some Policy enforcement point(s) outside the SD-Access fabric. For example, PBR, WCCP can be applied external to the fabric."
So, evaluate the ability to deploy it on the Fusion; otherwise, introduce an intermediate box for WCCP purposes.
03-18-2023 08:01 AM - edited 03-18-2023 08:03 AM
We actually deployed a core proxy/cache box with ITD at the data center.
My follow-up question related to the SD-Access site is whether a feature similar to ACI policy-based redirect is requested or in the works for SD-Access? We have a site proxy/caching box with WCCP too and are thinking about how this would work if we were to move to an SDA site.
Given that SDA has new features like Pub/Sub, L2VNI, plus incremental features like L3/L2 border node, policy extended node and extended node etc., I would say WCCP/PBR-like policy redirection would be a great addition. Besides, IOS-XE did have SGT-based PBR support already.
If this is too hard to implement on SDA, any detailed technical explanation would be greatly appreciated.
03-14-2023 02:26 AM
Hi Andy,
In the below link
It is mentioned on page 237 that this should be applied on "the egress interface of the fabric border node".
So, I am confused how to apply it in this way!
03-14-2023 02:50 AM
This states that you can configure WCCP on the BN with 'packet redirection on an outbound interface that is configured by using the "ip wccp redirect out" interface configuration command' - essentially the egress interface toward the Fusion, where VXLAN encapsulation is absent. Otherwise, you configure "ip wccp redirect in" on the Fusion's interface toward the BN (again, on the same interconnect where VXLAN encapsulation is no longer applied to the user's flow).
03-14-2023 03:21 AM
Thanks Andy, I will try it and then post the result.
Appreciated.