02-20-2014 05:48 AM - edited 03-07-2019 06:19 PM
Hello,
I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
I can't get the packets to redirect.
The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
(After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
SDM prefer is enabled.
Here is the config:
SiteA#sh run
Building configuration...
Current configuration : 7699 bytes
!
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SiteA
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
!
username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
ip wccp 90 redirect-list 115 group-list 15
vtp mode transparent
!
track 1 ip sla 1 reachability
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10
!
ip ssh version 2
!
!
!
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
!
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.20.2 255.255.255.252
speed 100
duplex full
!
interface GigabitEthernet1/0/2
no switchport
ip address 192.168.20.9 255.255.255.252
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
!
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet2/0/1
description *BlueCoat Proxy*
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet2/0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.10.20.3 255.255.255.0
standby 10 ip 10.10.20.1
standby 10 priority 110
standby 10 preempt
ip wccp 90 redirect in
!
!
router eigrp 1
network 10.10.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.3
redistribute static
!
ip local policy route-map IP_SLA_SiteA
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.20.9
threshold 300
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging esm config
access-list 15 permit 10.10.20.220
access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
route-map IP_SLA_SiteA permit 10
match ip address 101
set ip next-hop 192.168.20.10
SiteA#
SiteA#show ip wccp 90
Global WCCP information:
Router information:
Router Identifier: 192.168.20.9
Protocol Version: 2.0
Service Identifier: 90
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 115
Total Packets Denied Redirect: 52389
Total Packets Unassigned: 71
Group access-list: 15
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
SiteA#show ip wccp 90 detail
WCCP Client information:
WCCP Client ID: 10.10.20.220
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:19:36
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: 0x00000000 0x0000003F 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
----- ------- ------- ------- ------- -----
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0001: 0x00000000 0x00000001 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0002: 0x00000000 0x00000002 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0003: 0x00000000 0x00000003 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0004: 0x00000000 0x00000004 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0005: 0x00000000 0x00000005 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0006: 0x00000000 0x00000006 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0007: 0x00000000 0x00000007 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0008: 0x00000000 0x00000008 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0009: 0x00000000 0x00000009 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0010: 0x00000000 0x0000000A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0011: 0x00000000 0x0000000B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0012: 0x00000000 0x0000000C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0013: 0x00000000 0x0000000D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0014: 0x00000000 0x0000000E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0015: 0x00000000 0x0000000F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0016: 0x00000000 0x00000010 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0017: 0x00000000 0x00000011 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0018: 0x00000000 0x00000012 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0019: 0x00000000 0x00000013 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0020: 0x00000000 0x00000014 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0021: 0x00000000 0x00000015 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0022: 0x00000000 0x00000016 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0023: 0x00000000 0x00000017 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0024: 0x00000000 0x00000018 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0025: 0x00000000 0x00000019 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0026: 0x00000000 0x0000001A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0027: 0x00000000 0x0000001B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0028: 0x00000000 0x0000001C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0029: 0x00000000 0x0000001D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0030: 0x00000000 0x0000001E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0031: 0x00000000 0x0000001F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0032: 0x00000000 0x00000020 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0033: 0x00000000 0x00000021 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0034: 0x00000000 0x00000022 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0035: 0x00000000 0x00000023 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0036: 0x00000000 0x00000024 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0037: 0x00000000 0x00000025 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0038: 0x00000000 0x00000026 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0039: 0x00000000 0x00000027 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0040: 0x00000000 0x00000028 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0041: 0x00000000 0x00000029 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0042: 0x00000000 0x0000002A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0043: 0x00000000 0x0000002B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0044: 0x00000000 0x0000002C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0045: 0x00000000 0x0000002D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0046: 0x00000000 0x0000002E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0047: 0x00000000 0x0000002F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0048: 0x00000000 0x00000030 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0049: 0x00000000 0x00000031 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0050: 0x00000000 0x00000032 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0051: 0x00000000 0x00000033 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0052: 0x00000000 0x00000034 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0053: 0x00000000 0x00000035 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0054: 0x00000000 0x00000036 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0055: 0x00000000 0x00000037 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0056: 0x00000000 0x00000038 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0057: 0x00000000 0x00000039 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0058: 0x00000000 0x0000003A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0059: 0x00000000 0x0000003B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0060: 0x00000000 0x0000003C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0061: 0x00000000 0x0000003D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0062: 0x00000000 0x0000003E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0063: 0x00000000 0x0000003F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
SiteA#
SiteA#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
SiteA#
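To make the `show ip wccp 90 detail` output above easier to read, here is an added worked example (not code from the thread, from Cisco or from Blue Coat) that reconstructs how WCCPv2 mask assignment turns the advertised masks into the 64-row value table and picks the cache engine for a flow. It generalizes slightly beyond the thread's single-CE case: the round-robin spread of rows across several CEs is an assumption for illustration (in a real service group the designated CE decides the row-to-CE mapping), and the client flow, with a TEST-NET-3 web server, is constructed.

```python
"""WCCPv2 mask assignment, reconstructed from the thread's
'show ip wccp 90 detail' output (added example, not the thread's own code).

The switch ANDs a packet's source address, destination address, source port
and destination port with the advertised masks; the four masked values select
one row of the value table, and that row names the cache engine (CE) that
receives the redirected packet. The posted output advertises only a DstAddr
mask of 0x3F (six bits, hence 64 rows) and a single CE, so every row points
at 10.10.20.220.
"""
import ipaddress


def _values_for_mask(mask: int):
    """Every value reachable by setting a subset of the mask's bits, ascending."""
    bits = [1 << i for i in range(32) if (mask >> i) & 1]
    values = []
    for n in range(1 << len(bits)):
        v = 0
        for j, bit in enumerate(bits):
            if (n >> j) & 1:
                v |= bit
        values.append(v)
    return sorted(values)


def build_value_table(masks, ce_ips):
    """Return an insertion-ordered dict {(src, dst, sport, dport): ce_ip}.

    Row order follows the posted table (destination value ascending for the
    thread's masks). ASSUMPTION: rows are spread round-robin over the CEs;
    a real service group lets the designated CE choose the mapping. With one
    CE the assumption is irrelevant and the posted table is reproduced.
    """
    src_mask, dst_mask, sport_mask, dport_mask = masks
    table = {}
    row = 0
    for s in _values_for_mask(src_mask):
        for d in _values_for_mask(dst_mask):
            for sp in _values_for_mask(sport_mask):
                for dp in _values_for_mask(dport_mask):
                    table[(s, d, sp, dp)] = ce_ips[row % len(ce_ips)]
                    row += 1
    return table


def flow_key(masks, src_ip, dst_ip, sport, dport):
    """Apply the masks to a flow's 4-tuple the way the redirecting switch does."""
    src_mask, dst_mask, sport_mask, dport_mask = masks
    return (int(ipaddress.IPv4Address(src_ip)) & src_mask,
            int(ipaddress.IPv4Address(dst_ip)) & dst_mask,
            sport & sport_mask,
            dport & dport_mask)


def select_ce(table, masks, src_ip, dst_ip, sport, dport):
    """CE that receives this flow, or KeyError if the masks and table disagree."""
    return table[flow_key(masks, src_ip, dst_ip, sport, dport)]


def row_number(table, key):
    """Row index as printed by 'show ip wccp <id> detail' (0000, 0001, ...)."""
    return list(table).index(key)


# Masks and CE exactly as shown in the thread's output
THREAD_MASKS = (0x00000000, 0x0000003F, 0x0000, 0x0000)
THREAD_CES = ["10.10.20.220"]
THREAD_TABLE = build_value_table(THREAD_MASKS, THREAD_CES)

# Constructed client flow: a vlan 10 host talking to a TEST-NET-3 web server
CLIENT_FLOW = ("10.10.20.55", "203.0.113.10", 51234, 80)


if __name__ == "__main__":
    key = flow_key(THREAD_MASKS, *CLIENT_FLOW)
    print(len(THREAD_TABLE), "rows; flow hashes to row",
          row_number(THREAD_TABLE, key), "->",
          select_ce(THREAD_TABLE, THREAD_MASKS, *CLIENT_FLOW))
```

Because only the low six bits of the destination address are masked, the row a flow lands in is simply `dst_ip & 0x3F`; the value table is therefore a sanity check on the CE that the switch believes is "Usable", not on whether any packet matched the redirect-list, which is what the "Total Packets Denied Redirect" counter reports.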
02-20-2014 06:05 AM
Hi Kevin
That configuration looks familiar
I haven't done WCCP before but from the 3750 configuration guide on WCCP -
Configure the switch interfaces that are connected to the clients, the application engines, and the server as Layer 3 interfaces (routed ports and switch virtual interfaces [SVIs]). For WCCP packet redirection to work, the servers, application engines, and clients must be on different subnets.
I can't say for sure this is your problem but it sounds like the server needs to be on a different subnet than the clients.
The easy solution is to create a new vlan on your 3750 and put the server into that and then try redirection.
Presumably this is not one of the servers that needs replication across the 3750_1 to 3750_2 interconnect?
Jon
02-21-2014 09:19 AM
Hi Jon
Actually we are trying to get the WCCP working in all sites, even though the Bluecoat device only exists at the 3750_1 site.
3750_3 doesn't support WCCP since it is IP Base, so not sure how that is going to work for redirecting user traffic.
We did make some changes earlier today and put the bluecoat in its own vlan on 3750_1.
02-21-2014 10:08 AM
Kevin
I don't think you necessarily need to have one locally in the user site. You could simply apply your redirect acl to the L3 routed ports on 3750_1 and 3750_2 that connect back to 3750_3. Then you simply use site1 or site2's devices for web traffic.
That would seem more logical to me than having a third one locally unless you are concerned about caching issues and are trying to cut down on unnecessary web traffic across the uplink(s).
By the way, have you fully implemented and tested the new design and are you still having those throughput issues you were having?
Jon
02-21-2014 11:49 PM
Hi Jon,
There are no more throughput issues.
Everything is working well. Thanks so much!
As for the WCCP,
I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
I'm not sure what you meant when you said:
Then you simply use site1 or site2's devices for web traffic.
Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
Right now it is pointing to 10.20.20.1 on the 3750_3.
Below is what I have so far on the 3750_3.
I tried to force the traffic via PBR to the BlueCoat device, but that didn't seem to work either.
UserSite(config)#do sh run
Building configuration...
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UserSite
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
!
!
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 20
name clients
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
!
interface GigabitEthernet1/0/47
description *CERTES-MGMT-MAIN*
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/48
description *MAN-LINE-TO-DC-MAIN*
no switchport
ip address 192.168.20.1 255.255.255.252
speed 100
duplex full
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/47
description *CERTES-MGMT-DR*
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet2/0/48
description *MAN-LINE-TO-DC-DR*
no switchport
ip address 192.168.20.5 255.255.255.252
speed 100
duplex full
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
ip address 10.20.20.1 255.255.255.0
ip helper-address 10.10.20.30
!
!
router eigrp 1
network 10.20.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.7
offset-list 10 in 100 GigabitEthernet2/0/48
eigrp stub connected summary
!
ip local policy route-map PBR_Proxy
ip classless
ip http server
ip http secure-server
!
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 eq www any
permit tcp 10.20.20.0 0.0.0.255 eq 443 any
!
ip sla enable reaction-alerts
route-map PBR_Proxy permit 10
match ip address Traffic2Proxy
set ip next-hop 192.168.50.220
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
end
02-22-2014 03:14 AM
Kevin
No, you definitely do not want to change the default gateway for the users and you couldn't anyway as the links are L3 routed links.
You have this in the config -
ip local policy route-map PBR_Proxy
that is for traffic generated by the router itself. It is needed like this on 3750_1 because the IP SLA ping is being generated by the switch itself. For user traffic you need to apply it to the vlan 20 SVI eg.
no ip local policy route-map PBR_Proxy
int vlan 20
ip policy route-map PBR
your PBR acl also needs modifying ie. you have -
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 eq www any
permit tcp 10.20.20.0 0.0.0.255 eq 443 any
but it should be -
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 any eq www
permit tcp 10.20.20.0 0.0.0.255 any eq 443
all that said though, if 3750_3 is running IP Base then it doesn't support PBR so I'm not sure it will work. You need IP Services and then you need to enable the SDM routing template.
I think you should be able to apply it on the 3750_1 L3 port connecting to 3750_3. If you used the same acl as you have posted here that is probably why it wasn't working. So it may be worth trying again.
Finally if everything is working as it should be (with the exception of WCCP at the moment) can I update the previous thread so others can see it all worked?
Jon
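The ACL correction in the reply above (`eq www any` versus `any eq www`) is easy to get wrong because IOS puts the port operator after the address it qualifies. The following is an added worked example, not code from the thread, from Cisco or from Blue Coat: a small evaluator for the extended-ACE syntax used in the posted configs, run against the original and corrected `Traffic2Proxy` entries and against the later `access-list 115` redirect-list with its `deny ip host 192.168.50.220 any` line. The flows (client request, server reply, proxy's own fetch; TEST-NET-3 for the web server) are constructed.

```python
"""Evaluate IOS extended-ACL entries against sample flows.

Added example, not code from the thread. Supports only the ACE syntax that
appears in the posted configs:
  [access-list N] permit|deny tcp|udp|ip <src> [eq PORT] <dst> [eq PORT]
with <src>/<dst> = 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

PORT_NAMES = {"www": 80}  # the only port keyword used in the thread


@dataclass(frozen=True)
class Ace:
    action: str              # 'permit' or 'deny'
    proto: str               # 'tcp', 'udp' or 'ip'
    src_net: int
    src_wild: int            # IOS wildcard: 1 bits mean "don't care"
    src_port: Optional[int]  # port operator that follows the SOURCE address
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # port operator that follows the DESTINATION address
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: Sequence[str], i: int):
    """Return (network, wildcard, next index) for 'any', 'host X' or 'X W'."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _parse_port(tok: Sequence[str], i: int):
    """Return (port or None, next index); only the 'eq' operator is supported."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] == "access-list":  # numbered form: drop 'access-list N'
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src_net, src_wild, i = _parse_addr(tok, 2)
    src_port, i = _parse_port(tok, i)       # 'eq' here qualifies the source
    dst_net, dst_wild, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)       # 'eq' here qualifies the destination
    return Ace(action, proto, src_net, src_wild, src_port,
               dst_net, dst_wild, dst_port, line.strip())


def _addr_match(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def ace_matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not _addr_match(_ip(src), ace.src_net, ace.src_wild):
        return False
    if not _addr_match(_ip(dst), ace.dst_net, ace.dst_wild):
        return False
    if ace.src_port is not None and sport != ace.src_port:
        return False
    if ace.dst_port is not None and dport != ace.dst_port:
        return False
    return True


def evaluate(acl: Sequence[str], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First-match semantics with the implicit deny at the end of every IOS ACL."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src, sport, dst, dport):
            return ace.action
    return "deny"


# The two versions of the PBR ACL from the thread
ORIGINAL_PBR_ACL = ["permit tcp 10.20.20.0 0.0.0.255 eq www any",
                    "permit tcp 10.20.20.0 0.0.0.255 eq 443 any"]
CORRECTED_PBR_ACL = ["permit tcp 10.20.20.0 0.0.0.255 any eq www",
                     "permit tcp 10.20.20.0 0.0.0.255 any eq 443"]
# The later SiteA redirect-list; the leading deny stops the proxy's own outbound
# connections from being redirected back to the proxy
REDIRECT_LIST_115 = [
    "access-list 115 deny ip host 192.168.50.220 any",
    "access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www",
    "access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443",
    "access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443",
    "access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www",
    "access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www",
    "access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443",
]

# Constructed flows: a vlan 20 client request, the server's reply, the proxy's fetch
CLIENT_REQUEST = ("tcp", "10.20.20.50", 51234, "203.0.113.10", 80)
SERVER_REPLY = ("tcp", "203.0.113.10", 80, "10.20.20.50", 51234)
PROXY_FETCH = ("tcp", "192.168.50.220", 40000, "203.0.113.10", 80)


def compare_pbr_acls() -> dict:
    """Why 'eq www any' never selects client-to-web traffic: it matches source port 80."""
    return {"original": evaluate(ORIGINAL_PBR_ACL, *CLIENT_REQUEST),
            "corrected": evaluate(CORRECTED_PBR_ACL, *CLIENT_REQUEST)}


if __name__ == "__main__":
    print(compare_pbr_acls())
    for name, flow in (("client", CLIENT_REQUEST), ("reply", SERVER_REPLY), ("proxy", PROXY_FETCH)):
        print(name, evaluate(REDIRECT_LIST_115, *flow))
```

The original `Traffic2Proxy` entries only match packets leaving a 10.20.20.x host *from* port 80 or 443, that is, a web server sitting in the client VLAN, so a browser's outbound request falls through to the implicit deny and is routed normally. The same evaluator shows that the redirect-list's first line excludes the proxy's own traffic before any permit is consulted, which is the check to keep in place whenever a redirect ACL is widened.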
02-22-2014 04:17 AM
Hi Jon,
Yes please update the other thread.
Also, you are correct. I implemented the changes you said above, but still it didn't work.
Here is what I have on 3750_1 (as you can see, I added more vlans)
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SiteA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
ip wccp 90 redirect-list 115
vtp mode transparent
!
track 1 ip sla 1 reachability
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10,30,35,40
!
ip ssh version 2
!
!
!
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
!
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.20.2 255.255.255.252
ip wccp 90 redirect in
speed 100
duplex full
interface Vlan1
ip address 192.168.50.1 255.255.255.0
!
interface Vlan10
ip address 10.10.20.3 255.255.255.0
ip wccp 90 redirect in
standby 10 ip 10.10.20.1
standby 10 priority 110
standby 10 preempt
!
interface Vlan30
ip address 10.10.30.1 255.255.255.0
!
interface Vlan35
ip address 10.10.35.1 255.255.255.0
!
interface Vlan40
ip address 10.10.40.1 255.255.255.0
!
!
router eigrp 1
network 10.10.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.3
redistribute static
!
ip local policy route-map IP_SLA_SiteA
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
!
ip access-list extended testing
permit tcp host 10.10.20.123 any eq www
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.20.9
threshold 300
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging esm config
access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
access-list 115 deny ip host 192.168.50.220 any
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
route-map IP_SLA_SiteA permit 10
match ip address 101
set ip next-hop 192.168.20.10