cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8137
Views
0
Helpful
13
Replies
Highlighted
Beginner

wccp redirect-list on Nexus/nx-os

We're in the process of deploying Ironport web content filters on our network with wccp redirection from a pair of Nexus 7010s running NX-OS 5.1. Web redirection is working current for a test vlan using wccp redirection on the layer 3 vlan interface:

interface Vlan512

  ip address 10.255.52.3/24

  ip wccp 90 redirect in

However, I'd like to apply the redirection globally, and use a redirect list to determine which networks get redirected and which don't. When I remove the redirect statements from the interface, and use the following config instead, no redirection takes place for my test web client on 10.255.52.0.

The config examples at Cisco.com show standard numbered acls for the redirect-list, though NX-OS does not have those available. Do I have an incorrect extended acl, or perhaps am I not understanding the global redirect-list option?

ip access-list webfilter-nets

  10 permit ip 10.255.52.0/24 any

  20 deny ip any any

ip wccp 90 redirect-list webfilter-nets

Thanks in advance for any replies.

Everyone's tags (4)
13 REPLIES 13
Highlighted
Engager

wccp redirect-list on Nexus/nx-os

I think you have your ACL permit/deny backwards.

On a Cisco ASA, you permit the traffic you're sending to the WSA, and you deny traffic you don't want to send to the WSA.  And you can get a little fancy with it...

For example, here's mine for my prod box:

access-list WCCP_Redirect extended deny ip any object-group insideboxen  !don't send traffic for inside web servers

access-list WCCP_Redirect extended deny ip host 172.16.15.16 any     !don't send traffic from my beta WSA to prod WSA

access-list WCCP_Redirect extended permit ip any any   !send everything else

Highlighted
Beginner

Re: wccp redirect-list on Nexus/nx-os

The only traffic I want to match for redirection at this time is from my test network, 10.255.52.0/24. I want all other traffic to be forwarded and not redirected to the web content filters. Pretty sure that's what this should do as the redirect-list acl:

ip access-list webfilter-nets

  10 permit ip 10.255.52.0/24 any

  20 deny ip any any

ip wccp 90 redirect-list webfilter-nets

Highlighted
Engager

wccp redirect-list on Nexus/nx-os

If that's the case (I missed that you just trying one network), then yep, that looks right...

You may still need to issue the  "ip wccp 90 redirect in"

I'm not familiar with the Nexus box, but here's the full config on my ASA...

wccp 90 redirect-list WCCP_Redirect

wccp interface inside 90 redirect in

You might have to "restart" wccp for your ACL to take effect.

     interface Vlan512

     no ip wccp 90 redirect in

     ip wccp 90 redirect in

And sometimes you have to kick the proxy on the WSA...

SSH to the WSA

enter diagnostic

enter proxy

enter kick

That should get it to renegotiate the WCCP.

HTH,

Ken

Highlighted

wccp redirect-list on Nexus/nx-os

Stafford - did you get your question figured out yet?

Here is how it's setup here.. we have two Nexus 7010's using a V10000 from WebSense..

feature wccp

ip wccp 1 redirect-list WS_REDIRECT      (we are using 1 on the V10K for port 80)

ip wccp 20 redirect-list WS_REVERSE    (20 is for the reverse path - websense calls this IP Spoofing)

ip wccp 70 redirect-list WS_REDIRECT    (70 is for https)

ip wccp 90 redirect-list WS_REVERSE    (90 is for https reverse path)

ip access-list WS_REDIRECT

  10 deny ip 10.2.70.205/32 any

  20 deny ip 10.2.20.155/32 any

  30 permit ip 10.2.110.0/23 any   (This makes the 10.2.110.0/23 network to be redirected to the websense appliance)

ip access-list WS_REVERSE

  10 deny ip any 10.2.70.205/32

  20 deny ip any 10.2.20.155/32

  30 permit ip any 10.2.110.0/23

interface Vlan110

  ip wccp 1 redirect in

  ip wccp 70 redirect in

interface Vlan16

  ip wccp 20 redirect in

  ip wccp 90 redirect in

Hope this helps!

Travis Stroebele

Highlighted
Beginner

wccp redirect-list on Nexus/nx-os

Travis,

Do you need the reverse path statements within the ACL? We are deploying websense as well and have seen issues with GRE going through the ASA. I'm looking at configuring wccp through our 7010's with a V5K.

Highlighted

wccp redirect-list on Nexus/nx-os

Hi Peter,

I would recommend using the 7K's vs. the ASA and you must change from GRE to L2 if you do.. Make sure you are also running 5.2(3a) or later on the 7010's (there were some bugs in previous versions.

You do need the reverse ACL's if you are using IP Spoofing within WebSense - so here is a little snippet of some configuration I used.. I'm sure the 7010's are your core routing engines - and you most likely have a vlan that routes to your firewalls or Internet routers etc.. for us it's vlan 16 and note that in the vlan 16 int config we are using the "WS_Reverse acl" All other vlans that client computers sit on will get the "WS_Redirect" ACL..

Every environment is different but for us we have a lot of different networks and it was easier/less work for me to deny the traffic we don't want to redirect through websense and permit the traffic/networks we do...

10.2.70.205 & 10.2.20.155 are the WebSense V10K IP's...

feature wccp

IP access list WS_REDIRECT

        10 deny ip any 10.2.70.205/32

        20 deny ip any 10.2.20.155/32

         ...

        600 permit ip any any

IP access list WS_REVERSE

        10 deny ip any 10.2.70.205/32

        20 deny ip any 10.2.20.155/32

         ...

        600 permit ip any any

ip wccp 1 redirect-list WS_REDIRECT

ip wccp 20 redirect-list WS_REVERSE

ip wccp 70 redirect-list WS_REDIRECT

ip wccp 90 redirect-list WS_REVERSE

interface Vlan16

  ip wccp 20 redirect in

  ip wccp 90 redirect in

interface Vlan100

  ip wccp 1 redirect in

  ip wccp 70 redirect in

Let me know if you have any more questions.

Travis Stroebele

Highlighted

wccp redirect-list on Nexus/nx-os

Also wanted to share with you - which I don't think a lot of people know about...

There is some wacky formula that is used on the Nexus w/WCCP and it really matters when you are making ACL changes.. like it matters to the point that you could cause a huge CPU spike on the nexus's without changing a value on the WebSense appliance. Not sure what WebSense appliance you are using but on the V10000 type appliances if you login to the content gateway manager -> click on the Configure tab -> Networking -> WCCP -> This is where you configure your WCCP Service Groups.. under each service group there is an Advanced Settings option you will want to go in there and make sure you are using MASK with a value of 0x1 (If this is your only WCCP device on your network) if you have more that one WCCP device you should change your mask value.. say you have 2 you want 0x2.. the default is 0x1741 if I remember correctly.. and that wacky formula I told you about uses this value so the lower the value the less impact it will have on the CPU on your Nexus switches when making WCCP changes..

BTW - it took a lot of TAC Engineers as well as WebSense support calls to figure this out..

Hope this helps!!!

Travis.

Highlighted
Beginner

wccp redirect-list on Nexus/nx-os

Travis,

This is great information. I have a follow up call with TAC today regarding what impact this puts on the 7010's. We have 2 7Ks with the VPC peer link. I've setup WCCP withiin websene with both 7K SVIs that the appliance sits on. In our case, our server VLAN = 10.1.150.x/24 with Core 1 = 10.1.150.253 & Core 2 10.1.150.252.

I did notice that the default MASK value is set to 0x1741. Since we are using two routers, should I change to 0x2? We are running on version 5.2(1) of Nexus. I'll look into performing an upgrade during some downtime.

Thanks again for the information.

Peter

Highlighted

wccp redirect-list on Nexus/nx-os

If you only have one websense appliance then 0x1 will do.. but say down the road you add another websense appliance you will want to change that MASK value.. Cisco TAC hopefully can fill you in on that.. but I wouldn't worry about that for now.. just know you want to change 0x1741 to 0x1 if you only are doing WCCP to one websense appliance.

Travis.

Highlighted
Beginner

wccp redirect-list on Nexus/nx-os

Thanks for all of the helpful information. In regards to websense, how has your experience been? We've had the product almost 2 months now and it seems like certain sites do not play well with the proxy. Amazon Cloud has been a huge pain for us. A lot of TCP resets sent from Amazon and Websense can't figure it out. I wanted to be 100% that our Cisco setup was configured correctly. We see the same behavior going through the ASA with GRE and Nexus with L2.

Peter

Highlighted

wccp redirect-list on Nexus/nx-os

Peter - no problem on the info..

You know I can say for the most part WebSense works pretty well, but there are quite a few sites that don't like the whole WCCP rediretion deal.. I'm not 100% sure if that's WCCP or a WebSense problem though..

For the sites we have had issues with, we create deny acl's or even ARM bypass rules for a workaround.. after we first implemented it, there were a few sites that had problems and then as time goes on there is less and less we have to worry about "white-listing" if you will.

Hope all goes well with your install - Good luck man!!!

Travis Stroebele

Highlighted
Beginner

wccp redirect-list on Nexus/nx-os

Hi Travis,

I hope you could help me please! I have a problem with a implementation of IP Spoofing on V5K appliance of Websense. We are using a Cisco Router 2800 as wccp device, obviously we are using GRE and this is our config in the router:

ip access-list extended http_out

10 deny ip host 10.0.80.2 any

20 permit ip 10.0.73.0 0.0.0.255 any

30 permit ip 10.0.74.0 0.0.0.255 any

ip access-list extended http_in

10 deny ip any host 10.0.80.2  ---->  IP V5K (Proxy interface)

20 permit ip any 10.0.73.0 0.0.0.255

30 permit ip any 10.0.74.0 0.0.0.255

ip wccp 0 redirect-list http_out

ip wccp 70 redirect-list http_out

ip wccp 20 redirect-list http_in

ip wccp 90 redirect-list http_in

interface GigabitEthernet0/0

no ip proxy-arp

ip wccp 0 redirect in

ip wccp 70 redirect in

ip flow ingress

duplex full

service-policy input pa10_lan

!

interface GigabitEthernet0/1

ip address 10.0.80.1 255.255.255.240

ip wccp 20 redirect in

ip wccp 90 redirect in

duplex auto

speed auto

!

When we enable IP spoofing on Websense WCG the browsing get down.

Thanks for your support.

regards

Highlighted
Cisco Employee

wccp redirect-list on Nexus/nx-os

Hi Misael,

Deploying IronPort with IP Spoofing can be complicated. How many WSAs do you have on the network?

Did you run a packet capture on the IronPort and confirm that the return path is working fine?

I would recommend submitting a ticket for this issue.

Kind Regards

Jaki