cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
715
Views
0
Helpful
2
Replies

Two Ironports - One Router - Guest and Public

mlouis
Level 1
Level 1

I have a customer who currently has 2 ironports deployed for filtering production traffic. They would like to add a 3rd ironport to filter their guest network traffic only. However, today the guest traffic passes through the same device the production traffic does and the WCCP redirection is applied commonly between the two groups. What's the best way to seperate this?

See attachment below.

1. Today all traffic is being redirected using a redirect out command on the northbound interface towards the internet firewall

2. WCCP service groups in use today are web-cache and service group 70 for HTTPs traffic

Possible Solutions:

1. Route guest traffic through a different WCCP device, router or firewall and do redirection to 3rd engine from there

2. Possibly use a redirect group list and custom service group on the inbound direction of the wireless guest interfaces

My concern is that if I apply inbound redirection to the wireless guest interfaces today I would be sending the traffic to the same WSA that are being used for production today since the engines are registering to a single service group - web-cache or group 70 - that is globally defined on the router.

Is there a way to define a custom WCCP group or a good way to filter web-cache redirects applied to specific interfaces to use specific WSA interfaces

Example

Web-Cache Group 1 - use WSA Group 1 (production) - redirects to 1/2nd WSA applied outbound redirection on the uplink to the internet and filtered not to redirect guest traffic

Web-Cache Group 2 - use WSA Group 2 (guest) redirects to 3rd WSA (guest only) and is applied on the inbound direction on the guest WLAN interfaces and then exclude them from redirection on the outbound redirected link?

Can this be done easily or do i need to find a way to policy route guest traffic to the 3rd Ironport on the Guest WLAN interfaces?

Thanks in Advance

Mike

2 Replies 2

Mike,

You can do it on the same northbound router inerface. I did something similar on an ASA when I was participating in the last WSA beta. I had one subnet of users going through the Beta box and the rest of the company going through the production box.

It comes down to the ACLs that you apply to the WCCP and the order. I'm not where I can dig up my config at the moment, give me a couple of hours and I'll post something here.

Sent from Cisco Technical Support iPad App

Grrr... I can't seem to find the actual configs, but here's the gist:

So, we should be able to achieve the desired behavior using the below steps:

  • •1. WCCP 90 on production WSA and WCCP 91 on Beta WSA
  • •2. Service ID 90 on ASA uses access list 1 – Access list 1 references production users’ IP address
  • •3. Service ID 91 on ASA uses access list 2 – Access list 2 references IP addresses of users passing through Beta appliance

The one twist I had using the ASA was that they access lists couldn't have any overlap.  If they did, the rules that it hit first applied...

Ken

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: