
WCCP and access lists

roger perkin
Level 2

We have a 3750 switch as a WAN switch, and the MPLS network comes into the switch on port 24:

interface GigabitEthernet1/0/24
description MPLS Router
no switchport
ip address *****
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp 0 redirect in
ip wccp 70 redirect in

ip wccp 0
ip wccp 70 redirect-list wccp-redirect group-list WebSense-Appliances

ip access-list extended wccp-redirect
deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit tcp any any eq www
permit tcp any any eq 443

Questions:

1. Is the wccp 0 a misconfiguration that can be removed?

As I understand it, the ip access-list wccp-redirect

is telling the WAN switch not to redirect any traffic from 10.0.0.0 destined for 10.0.0.0 (internal traffic?).

All other traffic, i.e. internet-based traffic on 80/443, is to be redirected to the Websense box.

2. I want to bypass a subnet from being redirected to Websense, so can I just add a line at the top of the access list? Or will this cancel anything out?

ip access-list extended wccp-redirect
 deny   ip 10.180.0.0 0.0.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit tcp any any eq www
 permit tcp any any eq 443

Thanks

Roger

Accepted Solution

Fabrizio Pedracini
Cisco Employee

Hi Roger,

Question 1... WCCP service 0 is web-cache, so it intercepts tcp port 80, while service 70 is normally tcp 443. You can double check this on your websense device where the WCCP services are defined. Check also "show ip wccp det" on the router.

You might want to apply the same redirect list to WCCP service 0, since I believe this is the one used to redirect tcp port 80 traffic (as I said, check that the Websense and the router are actually talking with both WCCP services).

For question 2... you can add a line at the top of the wccp redirect list in order to prevent a specific subnet from being redirected. To do that, check the access-list entries' sequence numbers with "show ip access-list wccp-redirect", then configure your deny entry at the top (using a lower seq-number):

example:

(config)# ip access-list extended wccp-redirect
(config-ext-nacl)# 1 deny ip 10.180.0.0 0.0.255.255 any

Hope this is helpful,

Fabrizio

Fabrizio,

I had figured this yesterday when I saw the ip wccp 0 line in the config, which looked to me like it was not used, so I removed it.

The switch then reported that WCCP was disabled, so I looked into this further and discovered that ip wccp 0 was for HTTP.

I have implemented the deny, and it is now working a treat:

Extended IP access list wccp-redirect-block
    7 deny ip 10.180.0.0 0.0.255.255 10.251.0.0 0.0.255.255 (7064 matches)
    10 deny ip 10.184.0.0 0.0.255.255 10.251.0.0 0.0.255.255
    12 deny ip 10.183.0.0 0.0.255.255 10.251.0.0 0.0.255.255 (730 matches)
    20 permit tcp any any eq www

Interestingly, I am not getting hits on the 20 permit line, but I assume this is being done in hardware.

Anyway, it is working.

Thanks

Roger
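The ACL semantics discussed in the question, the accepted answer and the final reply, simulated in an added Python example that is not code from the thread or from Cisco. It parses the three versions of the redirect list that appear in the posts (both running-config lines and "show ip access-list" output), evaluates constructed flows against them in first-match order using Cisco wildcard masks, and makes the point a defender cares about: in a WCCP redirect-list, every deny entry, including the implicit deny at the end, is traffic that skips the Websense filter entirely. The ACL entries are the ones posted above; the flows and the addresses 203.0.113.10 and 198.51.100.53 are constructed samples.

```python
"""Evaluate a Cisco IOS extended ACL the way WCCP uses it as a redirect-list.

Added example for this thread, not code from the posts or from Cisco.  The ACL
text is copied from the posts; the flows are constructed.  In a redirect-list a
'permit' means the packet is redirected to the filter, a 'deny' (including the
implicit deny at the end) means it is forwarded normally and never inspected.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53}   # IOS keyword -> port


@dataclass
class Flow:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def _wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def _parse_addr(tokens: List[str]) -> Tuple[Callable[[str], bool], List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        host = tokens[1]
        return (lambda a: a == host), tokens[2:]
    net, wc = tokens[0], tokens[1]
    return (lambda a: _wildcard_match(a, net, wc)), tokens[2:]


def parse_acl(text: str) -> list:
    """Parse entries from running-config lines or 'show ip access-list' output.

    Returns (seq, action, proto, src_match, dst_match, dport) tuples sorted by
    sequence number.  Entries without an explicit sequence number get 10, 20,
    ... as IOS does; header lines and trailing '(N matches)' counters are ignored.
    """
    entries = []
    next_seq = 10
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        elif tokens[0] in ("permit", "deny"):
            seq = next_seq
        else:
            continue                      # e.g. 'ip access-list extended ...'
        next_seq = seq + 10
        action, proto = tokens[0], tokens[1]
        src_match, rest = _parse_addr(tokens[2:])
        dst_match, rest = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES.get(rest[1])
        entries.append((seq, action, proto, src_match, dst_match, dport))
    entries.sort(key=lambda e: e[0])
    return entries


def classify(entries, flow: Flow) -> Tuple[Optional[int], str]:
    """First-match evaluation; (None, 'deny') is the implicit deny at the end."""
    for seq, action, proto, src_match, dst_match, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if not (src_match(flow.src) and dst_match(flow.dst)):
            continue
        if dport is not None and flow.dport != dport:
            continue
        return seq, action
    return None, "deny"


def redirected(acl_text: str, flow: Flow) -> bool:
    """True if WCCP would send this flow to the filter, False if it bypasses it."""
    return classify(parse_acl(acl_text), flow)[1] == "permit"


# ACL as posted in the question.
ORIGINAL_ACL = """
ip access-list extended wccp-redirect
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# Broad bypass from the accepted answer: seq 1 inserted ahead of the others.
BROAD_BYPASS_ACL = """
ip access-list extended wccp-redirect
 1 deny ip 10.180.0.0 0.0.255.255 any
 10 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 20 permit tcp any any eq www
 30 permit tcp any any eq 443
"""

# Narrow bypass from the final 'show ip access-list' output in the thread.
NARROW_BYPASS_ACL = """
Extended IP access list wccp-redirect-block
    7 deny ip 10.180.0.0 0.0.255.255 10.251.0.0 0.0.255.255 (7064 matches)
    10 deny ip 10.184.0.0 0.0.255.255 10.251.0.0 0.0.255.255
    12 deny ip 10.183.0.0 0.0.255.255 10.251.0.0 0.0.255.255 (730 matches)
    20 permit tcp any any eq www
"""

# Constructed flows; 203.0.113.10 / 198.51.100.53 are documentation addresses.
INTERNAL_WEB = Flow("tcp", "10.1.2.3", "10.5.6.7", 80)
INTERNET_WEB = Flow("tcp", "10.1.2.3", "203.0.113.10", 80)
DNS = Flow("udp", "10.1.2.3", "198.51.100.53", 53)
BYPASSED_NET_TO_INTERNET = Flow("tcp", "10.180.1.1", "203.0.113.10", 80)
BYPASSED_NET_TO_DC = Flow("tcp", "10.180.1.1", "10.251.1.1", 80)

if __name__ == "__main__":
    acls = (("original", ORIGINAL_ACL), ("broad bypass", BROAD_BYPASS_ACL),
            ("narrow bypass", NARROW_BYPASS_ACL))
    flows = (INTERNAL_WEB, INTERNET_WEB, DNS, BYPASSED_NET_TO_INTERNET, BYPASSED_NET_TO_DC)
    for name, acl in acls:
        for f in flows:
            verdict = "redirected" if redirected(acl, f) else "bypasses filter"
            print(f"{name:14} {f.src:>12} -> {f.dst:<15} {f.proto}/{f.dport}: {verdict}")
```

Running it shows that with the broad "deny ip 10.180.0.0 0.0.255.255 any" entry a 10.180.0.0/16 host reaching an internet web server on port 80 is never redirected, whereas the narrower entries in the final show output exempt only the 10.180.0.0/16 to 10.251.0.0/16 path and still send that host's internet traffic to the filter. Also note that anything the list does not permit (here UDP DNS, or TCP 443 in the final list, which only permits www) falls to the implicit deny and bypasses Websense; when the intent is "filter everything except X", the deny entries should be no wider than X.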