The only traffic I want to match for redirection at this time is from my test network, 10.255.52.0/24. I want all other traffic to be forwarded and not redirected to the web content filters. Pretty sure that's what this should do as the redirect-list acl:

ip access-list webfilter-nets

  10 permit ip 10.255.52.0/24 any

  20 deny ip any any

ip wccp 90 redirect-list webfilter-nets

If that's the case (I missed that you just trying one network), then yep, that looks right...

You may still need to issue the  "ip wccp 90 redirect in"

I'm not familiar with the Nexus box, but here's the full config on my ASA...

wccp 90 redirect-list WCCP_Redirect

wccp interface inside 90 redirect in

You might have to "restart" wccp for your ACL to take effect.

     interface Vlan512

     no ip wccp 90 redirect in

     ip wccp 90 redirect in

And sometimes you have to kick the proxy on the WSA...

SSH to the WSA

enter diagnostic

enter proxy

enter kick

That should get it to renegotiate the WCCP.

HTH,

Ken

Travis,

Do you need the reverse path statements within the ACL? We are deploying websense as well and have seen issues with GRE going through the ASA. I'm looking at configuring wccp through our 7010's with a V5K.

Hi Peter,

I would recommend using the 7K's vs. the ASA and you must change from GRE to L2 if you do.. Make sure you are also running 5.2(3a) or later on the 7010's (there were some bugs in previous versions.

You do need the reverse ACL's if you are using IP Spoofing within WebSense - so here is a little snippet of some configuration I used.. I'm sure the 7010's are your core routing engines - and you most likely have a vlan that routes to your firewalls or Internet routers etc.. for us it's vlan 16 and note that in the vlan 16 int config we are using the "WS_Reverse acl" All other vlans that client computers sit on will get the "WS_Redirect" ACL..

Every environment is different but for us we have a lot of different networks and it was easier/less work for me to deny the traffic we don't want to redirect through websense and permit the traffic/networks we do...

10.2.70.205 & 10.2.20.155 are the WebSense V10K IP's...

feature wccp

IP access list WS_REDIRECT

        10 deny ip any 10.2.70.205/32

        20 deny ip any 10.2.20.155/32

         ...

        600 permit ip any any

IP access list WS_REVERSE

        10 deny ip any 10.2.70.205/32

        20 deny ip any 10.2.20.155/32

         ...

        600 permit ip any any

ip wccp 1 redirect-list WS_REDIRECT

ip wccp 20 redirect-list WS_REVERSE

ip wccp 70 redirect-list WS_REDIRECT

ip wccp 90 redirect-list WS_REVERSE

interface Vlan16

  ip wccp 20 redirect in

  ip wccp 90 redirect in

interface Vlan100

  ip wccp 1 redirect in

  ip wccp 70 redirect in

Let me know if you have any more questions.

Travis Stroebele

Also wanted to share with you - which I don't think a lot of people know about...

There is some wacky formula that is used on the Nexus w/WCCP and it really matters when you are making ACL changes.. like it matters to the point that you could cause a huge CPU spike on the nexus's without changing a value on the WebSense appliance. Not sure what WebSense appliance you are using but on the V10000 type appliances if you login to the content gateway manager -> click on the Configure tab -> Networking -> WCCP -> This is where you configure your WCCP Service Groups.. under each service group there is an Advanced Settings option you will want to go in there and make sure you are using MASK with a value of 0x1 (If this is your only WCCP device on your network) if you have more that one WCCP device you should change your mask value.. say you have 2 you want 0x2.. the default is 0x1741 if I remember correctly.. and that wacky formula I told you about uses this value so the lower the value the less impact it will have on the CPU on your Nexus switches when making WCCP changes..

BTW - it took a lot of TAC Engineers as well as WebSense support calls to figure this out..

Hope this helps!!!

Travis.

Travis,

This is great information. I have a follow up call with TAC today regarding what impact this puts on the 7010's. We have 2 7Ks with the VPC peer link. I've setup WCCP withiin websene with both 7K SVIs that the appliance sits on. In our case, our server VLAN = 10.1.150.x/24 with Core 1 = 10.1.150.253 & Core 2 10.1.150.252.

I did notice that the default MASK value is set to 0x1741. Since we are using two routers, should I change to 0x2? We are running on version 5.2(1) of Nexus. I'll look into performing an upgrade during some downtime.

Thanks again for the information.

Peter

If you only have one websense appliance then 0x1 will do.. but say down the road you add another websense appliance you will want to change that MASK value.. Cisco TAC hopefully can fill you in on that.. but I wouldn't worry about that for now.. just know you want to change 0x1741 to 0x1 if you only are doing WCCP to one websense appliance.

Travis.

Thanks for all of the helpful information. In regards to websense, how has your experience been? We've had the product almost 2 months now and it seems like certain sites do not play well with the proxy. Amazon Cloud has been a huge pain for us. A lot of TCP resets sent from Amazon and Websense can't figure it out. I wanted to be 100% that our Cisco setup was configured correctly. We see the same behavior going through the ASA with GRE and Nexus with L2.

Peter

Peter - no problem on the info..

You know I can say for the most part WebSense works pretty well, but there are quite a few sites that don't like the whole WCCP rediretion deal.. I'm not 100% sure if that's WCCP or a WebSense problem though..

For the sites we have had issues with, we create deny acl's or even ARM bypass rules for a workaround.. after we first implemented it, there were a few sites that had problems and then as time goes on there is less and less we have to worry about "white-listing" if you will.

Hope all goes well with your install - Good luck man!!!

Travis Stroebele

Hi Travis,

I hope you could help me please! I have a problem with a implementation of IP Spoofing on V5K appliance of Websense. We are using a Cisco Router 2800 as wccp device, obviously we are using GRE and this is our config in the router:

ip access-list extended http_out

10 deny ip host 10.0.80.2 any

20 permit ip 10.0.73.0 0.0.0.255 any

30 permit ip 10.0.74.0 0.0.0.255 any

ip access-list extended http_in

10 deny ip any host 10.0.80.2  ---->  IP V5K (Proxy interface)

20 permit ip any 10.0.73.0 0.0.0.255

30 permit ip any 10.0.74.0 0.0.0.255

ip wccp 0 redirect-list http_out

ip wccp 70 redirect-list http_out

ip wccp 20 redirect-list http_in

ip wccp 90 redirect-list http_in

interface GigabitEthernet0/0

no ip proxy-arp

ip wccp 0 redirect in

ip wccp 70 redirect in

ip flow ingress

duplex full

service-policy input pa10_lan

!

interface GigabitEthernet0/1

ip address 10.0.80.1 255.255.255.240

ip wccp 20 redirect in

ip wccp 90 redirect in

duplex auto

speed auto

!

When we enable IP spoofing on Websense WCG the browsing get down.

Thanks for your support.

regards

Hi Misael,

Deploying IronPort with IP Spoofing can be complicated. How many WSAs do you have on the network?

Did you run a packet capture on the IronPort and confirm that the return path is working fine?

I would recommend submitting a ticket for this issue.

Kind Regards

Jaki

Hi there, 

I have a Cisco Catalyst with following config and "http" traffic sporadically fails to be redirected to Proxy gateway. What to your think the issue is?

ip wccp 0 redirect-list USERS-HTTP group-list FP-PROXY
ip wccp 70 redirect-list USERS-HTTPS group-list FP-PROXY

ip access-list standard FP-PROXY
10 permit 10.222.122.x3
20 permit 10.222.122.x2
30 permit 10.222.122.x4
40 permit 10.222.122.x1

interface Vlan97
ip address 10.111.0.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip wccp 0 redirect in
ip wccp 70 redirect in

I even took a sniffer trace on this device and did not observe "http" hitting the outgoing port as intended, 

Could you please offer some help? 

THank you