05-31-2011 01:53 PM - edited 03-06-2019 05:17 PM
Hello all,
We are trying to implement WCCP to redirect traffic to a URL Filtering device and we want to do the redirect prior to the traffic getting to the ASA. Therefore, we can’t use the URL redirect on the ASA.
Our issue is this – we have two core switches (6513) with the same VLANs configured on both, but they have different switches and servers attached to each using different interface configurations – so they are NOT identical (i.e., not candidates for Active/Standby configuration).
Both switches connect to a single interconnect switch which then connects to ASA firewalls (Active/Standby).
The outbound traffic from each core switch is on the same VLAN. We attempted to do a “WCCP redirect in” using a VLAN IP address on the interconnect switch, but it seems the packets never got to the L3 level and traffic was never redirected. Without further confusing the issue, here are the important parts of each config of the Cisco devices:
Core Switch 1 (6513):
interface GigabitEthernet1/9
description to Interconnect switch - Interface Gi 1/0/27
switchport
switchport access vlan 1
switchport mode access
no ip address
interface Vlan1
ip address 192.168.1.252 255.255.255.0
standby 1 ip 192.168.1.254
standby 1 preempt
router eigrp 801
redistribute static
network 192.168.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 192.168.2.251 (address of the inside interface of the ASA)
Core Switch 2 (6513)
interface GigabitEthernet1/16
description to Interconnect switch - Interface Gi 1/0/25
switchport
switchport access vlan 1
switchport mode access
no ip address
interface Vlan1
ip address 192.168.1.253 255.255.255.0
standby 1 ip 192.168.1.254 (same standby address as other core switch so we can use a single route and gateway statement)
standby 1 preempt
router eigrp 801
redistribute static
network 192.168.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 192.168.2.251 (address of the inside interface of the ASA)
Interconnect Switch (3750)
ip wccp 0
ip wccp 70
interface GigabitEthernet1/0/1
description to Web Cache device for WCCP redirected traffic (at 192.168.1.213)
switchport mode access
interface GigabitEthernet1/0/25
description from Core Switch 2 interface Gi1/16
switchport
ip wccp 0 redirect in
ip wccp 70 redirect in
!
interface GigabitEthernet1/0/26
description to Primary Firewall Inside interface
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/27
description to Core Switch 1 interface Gi1/9
switchport
ip wccp 0 redirect in
ip wccp 70 redirect in
!
interface GigabitEthernet1/0/28
description to Standby Firewall Inside interface
switchport trunk encapsulation dot1q
interface Vlan1
ip address 192.168.1.249 255.255.255.0
ip default-gateway 192.168.1.254
ASA Firewall (ASA 5520)
interface GigabitEthernet1/0
nameif inside
ip address 192.168.2.251 255.255.255.0 standby 192.168.2.250
route inside 192.168.1.0 255.255.255.0 192.168.1.254 1
Using this configuration, WCCP is enabled and recognizes the url filter device as a valid web cache when doing a “show ip wccp”. Traffic is successfully accessing internet sites. However, no packets are ever redirected – WCCP packet count always remains at zero and no HTTP or HTTPS traffic ever gets to the URL Filter/Web-cache device. It seems that the packets never get to L3 so WCCP never kicks in.
A few things we can try to do are:
1. Try to enable WCCP on the inside interface of the ASA (but we need to ensure that LAN usernames are still identifiable)
2. Do an “ip wccp 0 redirect out” on the outbound interface of each core switch (although it’s recommended by Cisco experts NOT to do redirect outs due to CEF overhead issues)
It seems that all examples I see from Cisco deal with a single switch attached to a single router (or layer 3 switch) attached to a single firewall. Any suggestions on how to connect two disparate switches to a single interconnect switch and get WCCP redirect ins working on the interconnect switch? Or any other suggestions besides the two I posted above to get this to work?
Thanks for any and all assistance the community can provide!
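A small config audit, added here as an example and not part of the thread, that reads an IOS-style running config and flags every "ip wccp ... redirect" statement placed on a Layer 2 switchport or on an interface without an IP address, which is the placement in the interconnect-switch config above. The sample config is constructed from that 3750 config; the redirect under Vlan1 is a hypothetical addition that shows a Layer 3 placement for contrast.

```python
import re

# Constructed sample in IOS running-config layout, modelled on the 3750 interconnect
# switch config in the post; the redirect under Vlan1 is a hypothetical addition.
SAMPLE_CONFIG = """\
ip wccp 0
ip wccp 70
!
interface GigabitEthernet1/0/25
 switchport
 ip wccp 0 redirect in
 ip wccp 70 redirect in
!
interface Vlan1
 ip address 192.168.1.249 255.255.255.0
 ip wccp 0 redirect in
!
"""
REDIRECT_RE = re.compile(r"^ip wccp (\S+) redirect (in|out)$")

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line and raw[:1].isspace() and current is not None:
            interfaces[current].append(line)
        else:  # '!', a blank line or another global command ends the stanza
            current = None
    return interfaces

def audit_wccp(config):
    """Flag 'redirect in/out' statements on Layer 2 switchports or unaddressed
    interfaces: frames there are bridged, never routed, so the Layer 3 WCCP hook
    never sees them and the redirect packet counters stay at zero."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        layer2 = any(c.startswith("switchport") for c in cmds)
        routed = any(c.startswith("ip address ") for c in cmds)
        for m in filter(None, map(REDIRECT_RE.match, cmds)):
            service, direction = m.groups()
            ok = routed and not layer2
            findings.append({"interface": name, "service": service, "direction": direction,
                             "ok": ok, "reason": "Layer 3 interface: intercepts only traffic "
                             "this switch routes" if ok else "Layer 2 or unaddressed interface: "
                             "traffic is bridged, not routed"})
    return findings
```

Run against a real "show running-config" the same way; an SVI that passes the check still only intercepts traffic the switch actually routes through that SVI, not traffic merely bridged across the VLAN.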
05-31-2011 02:00 PM
You can't apply 'wccp redirect in' on the Vlans facing the user/servers at the 6500s?
05-31-2011 02:15 PM
That is a great question.
We have many different VLANs relating to different physical locations and/or security VLANs inbound on both 6500's. There would be about 40 or 50 "redirect ins" assigned to each of the inbound interfaces on both 6500's.
I am new at WCCP and learning via the school of hard knocks and incorrect configurations, so I don't know the answer to this: would that be something that would be considered best practice?
Due to needing to configure this on many (but not all) interfaces on both 6500's, the configuration maintenance would be high, but I will definitely add that to the list of possibilities. Our team is viewing the answers and we are discussing all possibilities.
Thank you Edison!
05-31-2011 07:25 PM
I don't see a problem with the number of 'wccp' you would have. It's handled in hardware and it poses no CPU issue.
Treat this configuration the same as the 'ip helper-address' for DHCP.