
Basic Configuration - Web Tracking

M4VM4VM4V
Level 1

I have installed and configured an Ironport S160 as an L4 Traffic Monitor using a mirrored port on the 3750 switch. However, the only traffic it is monitoring is Malware sites.

We need to use it for URL tracking/Blocking and Caching. We don't have a WCCP router (we have an ASA, but it's not being used on this DSL connection).

So I guess I need to configure "Web proxy with L4 Switch"

M1 is connected to the management network and I can log in, configure and update the Ironport.

I have connected P1 to another 3750 switch port on the same VLAN as the DSL router. 3750 is 10.98.8.1, IronPort is 10.98.8.2 and DSL router is 10.98.8.254.

The Ironport P1 Default Gateway is set to 10.98.8.254.

Please let me know how to get it configured as a "Transparent Proxy"

Help would be appreciated!!!

Thanks!

3 Replies

Kyle,

On a 3750, I think you can do WCCP if you have the right software load on it.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_qas09186a00801b0971.html

There are limitations to the 3750...  it only does L2 redirection (no GRE) and assignment must be mask. 

and you have to have SDM set to prefer routing....

sdm prefer routing     

Then turn on WCCP for dynamic service group 90 (so you can set what ports you need on the WSA)

Switch(config)# ip wccp 90 group-list 15

Create an ACL to keep traffic to internal servers from being redirected to your WSA

Switch(config)# access-list 15 deny any 10.90.0.0 255.255.0.0       <--add whatever networks you need.

Switch(config)# access-list 15 permit any any

Assuming the VLAN you have the WSA and the DSL router on is 301

Switch(config)# interface vlan 301

Switch(config-if)# ip wccp 90 redirect in

This will catch inbound traffic to the VLAN and hand it to the WSA, assuming it doesn't match the ACL.   If the WSA is down, it routes it as normal...

Here's the docs I pulled that from (near the bottom for doing a vlan instead of a port...)

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_58_se/configuration/guide/swwccp.html#wp1031033

The WSA should negotiate the L2 vs GRE & mask vs. hash issues...

Hope that helps.

Ken

OK, first I had to upgrade the IOS on the 3750.

I enabled SDM prefer routing on the 3750 and rebooted.

I configured the ironport for transparent redirection using the default "web-cache service 0 for port 80" and added the router IP.

I created a matching "web-cache" service on the 3750 with a "group-list" acl of permit any as I don't need to exclude any clients that are destined for that vlan by issuing the commands below

access-list 15 permit any

ip wccp web-cache group-list 15

interface vlan 600

ip wccp web-cache redirect in

Anyway, it doesn't work..

I get this:


Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   15
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Switch#

Any ideas of what I am doing wrong???

You need to use a redirect-list, not group-list. 

ip wccp web-cache redirect-list 15

Redirect-list is "what clients get redirected via wccp" 

Group-list is "what web caches can connect to the wccp and get traffic redirected to them"

Here's the doc from the Ironport KB.

http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1307&p_created=1233703725&p_sid=U1UGTxKk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=1654&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MzksMzkmcF9wcm9...
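
An added example, not part of any post in this thread: a Python check over a saved switch config and `show ip wccp` output that reports the symptoms shown above and flags an ACL bound as `group-list` when it permits any host, using the group-list/redirect-list distinction from the last reply. The sample text is constructed from the thread, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the config and output posted in the thread.
SAMPLE_CONFIG = """\
access-list 15 permit any
ip wccp web-cache group-list 15
interface vlan 600
 ip wccp web-cache redirect in
"""
SAMPLE_SHOW = """\
    Router information:
        Router Identifier:                   -not yet determined-
    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Redirect access-list:                -none-
        Group access-list:                   15
"""

def parse_show(text):
    """Return {field: value} for the 'Name:   value' lines of show ip wccp."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s+(\S.*)$", line)
        if m:  # section headers such as 'Router information:' have no value
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def audit(config, show):
    """Return a list of findings for one WCCP service (hypothetical helper)."""
    f = parse_show(show)
    findings = []
    if f.get("Number of Service Group Clients") == "0":
        findings.append("no web cache (WSA) has joined the service group")
    if f.get("Router Identifier", "").startswith("-not"):
        findings.append("router identifier not yet determined")
    # Collect ACL entries by number, then see how each ACL is bound to WCCP.
    acls = {}
    for num, rest in re.findall(r"^access-list (\d+) (.+)$", config, re.M):
        acls.setdefault(num, []).append(rest.strip())
    bindings = re.findall(
        r"^ip wccp (\S+) (group-list|redirect-list) (\d+)", config, re.M)
    for svc, kind, num in bindings:
        # group-list decides which caches may join, so 'permit any' is too wide
        if kind == "group-list" and "permit any" in acls.get(num, []):
            findings.append(
                f"group-list {num} lets any host join {svc} as a web cache")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SHOW):
        print("-", finding)
```
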