Hello all,
We are trying to implement WCCP to redirect traffic to a URL Filtering device and we want to do the redirect prior to the traffic getting to the ASA. Therefore, we can’t use the URL redirect on the ASA.
Our issue is this – we have two core switches (6513) with the same VLAN’s configured on both, but they have different switches and servers attached to each using different interface configurations – so they are NOT identical (i.e., not candidates for Active/Standby configuration).
Both switches connect to a single interconnect switch which then connects to ASA firewalls (Active/Standby).
The outbound traffic from each core switch is on the same VLAN. We attempted to do a “WCCP redirect in” using a VLAN IP address on the interconnect switch, but it seems the packets never got to the L3 level and traffic was never redirected. Without further confusing the issue, here are the important parts of each config of the Cisco devices:
Core Switch 1 (6513):
interface GigabitEthernet1/9
description to Interconnect switch - Interface Gi 1/0/27
switchport
switchport access vlan 1
switchport mode access
no ip address
interface Vlan1
ip address 192.168.1.252 255.255.255.0
standby 1 ip 192.168.1.254
standby 1 preempt
router eigrp 801
redistribute static
network 192.168.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 192.168.2.251 (address of the inside interface of the ASA)
Core Switch 2 (6513)
interface GigabitEthernet1/16
description to Interconnect switch - Interface Gi 1/0/25
switchport
switchport access vlan 1
switchport mode access
no ip address
interface Vlan1
ip address 192.168.1.253 255.255.255.0
standby 1 ip 192.168.1.254 (same standby address as other core switch so we can use a single route and gateway statement)
standby 1 preempt
router eigrp 801
redistribute static
network 192.168.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 192.168.2.251 (address of the inside interface of the ASA)
Interconnect Switch (3750)
ip wccp 0
ip wccp 70
interface GigabitEthernet1/0/1
description to Web Cache device for WCCP redirected traffic (at 192.168.1.213)
switchport mode access
interface GigabitEthernet1/0/25
description from Core Switch 2 interface Gi1/16
switchport
ip wccp 0 redirect in
ip wccp 70 redirect in
!
interface GigabitEthernet1/0/26
description to Primary Firewall Inside interface
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/27
description to Core Switch 1 interface Gi1/9
switchport
ip wccp 0 redirect in
ip wccp 70 redirect in
!
interface GigabitEthernet1/0/28
description to Standby Firewall Inside interface
switchport trunk encapsulation dot1q
interface Vlan1
ip address 192.168.1.249 255.255.255.0
ip default-gateway 192.168.1.254
ASA Firewall (ASA 5520)
interface GigabitEthernet1/0
nameif inside
ip address 192.168.2.251 255.255.255.0 standby 192.168.2.250
route inside 192.168.1.0 255.255.255.0 192.168.1.254 1
Using this configuration, WCCP is enabled and recognizes the url filter device as a valid web cache when doing a “show ip wccp”. Traffic is successfully accessing internet sites. However, no packets are ever redirected – WCCP packet count always remains at zero and no HTTP or HTTPS traffic ever gets to the URL Filter/Web-cache device. It seems that the packets never get to L3 so WCCP never kicks in.
A few things we can try to do are:
1. Try to enable WCCP on the inside interface of the ASA (but we need to ensure that LAN usernames are still identifiable)
2. Do a “ip wccp 0 redirect out” on the outbound interface of each core switch (although it’s recommended by Cisco experts to NOT do redirect out’s due to CEF overhead issues)
It seems that all examples I see from Cisco deal with a single switch attached to a single router (or layer 3 switch) attached to a single firewall. Any suggestions on how to connect two disparate switches to a single interconnect switch and get WCCP redirect IN’s working on the interconnect switch? Or any other suggestions besides the two I posted above to get the this to work?
Thanks for any and all assistance the community can provide!
