Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1680
Views
0
Helpful
1
Replies

Nexus 7K / WCCP issue

sdavids5670
Level 2
Level 2

‎11-13-2012 02:17 PM - edited ‎03-07-2019 10:01 AM

I opened a Cisco TAC case on an issue I was having getting Nexus 7K to work properly with Bluecoat.  The end result of the TAC case was that Cisco stated that it was a previously unidentified bug with the NX-OS.  I search the bug toolkit and found nothing that matched my issue.  There was a workaround but I don't think I can apply it in my topology because I would have to do wccp redirection on an interface that has PBR (I'm pretty sure I read in some WCCP literature that you can't have both on the same interface - if that's NOT the case please let me know).  I've attached a simple diagram of the topology along with configuration snippets from the core VDC.  The gist of the issue is that the traffic loops.  Outbound on VLAN38 the traffic gets redirected to the Bluecoat sitting on VLAN39.  If the Bluecoat doesn't apply policy, the traffic is returned via L2 to the Nexus. Even though VLAN39 has "ip wccp redirect exclude in" applied to the SVI the Nexus appears to ignore this (bug) because when it sends it back out VLAN38 the redirection occurs all over again.  I can see this looping in packet captures.  If the Bluecoat does apply policy, the source IP address of the packet gets changed to the IP address of the Bluecoat and redirection doesn't occur because it no longer matches the ACL associated with WCCP.

The TAC engineer claimed that the configuration I have should work fine.  The TAC engineer mocked it up in his lab and he claimed that he was getting the same result (thus the bug).  But then I got to thinking that this can't be the only environment in the world with a Nexus 7K and a Bluecoat setup in this manner, could it?  So I'm wondering if anybody else out there has a Nexus 7K, a Bluecoat Proxy-SG and a topology like the one I'm dealing with.  If so, does it work fine?

Version information from the core VDC

Software

  BIOS:      version 3.22.0

  kickstart: version 6.0(2)

  system:    version 6.0(2)

  BIOS compile time:       02/20/10

  kickstart image file is: bootflash:///n7000-s1-kickstart.6.0.2.bin

  kickstart compile time:  12/25/2020 12:00:00 [12/22/2011 00:56:22]

  system image file is:    bootflash:///n7000-s1-dk9.6.0.2.bin

  system compile time:     11/15/2011 12:00:00 [12/22/2011 02:46:28]

From what I've read about the Nexus 7K, the topology I have here is the only SUPPORTED topology (client, cache engine and original content server need to be off of separate interfaces).

Labels:
Preview file
63 KB
0 Helpful
1 Reply 1

bchau75
Level 1
Level 1

‎01-30-2013 01:16 PM

HI,

We have a similar topology.  our bluecoat resides in VLAN52 and firewall goes out VLAN100.  We're running 5.2.5 though and it's working as design.  So it may be a bug with the code you're running.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card