10-13-2011 03:05 PM
We're in the process of deploying Ironport web content filters on our network with wccp redirection from a pair of Nexus 7010s running NX-OS 5.1. Web redirection is currently working for a test vlan using wccp redirection on the layer 3 vlan interface:
interface Vlan512
ip address 10.255.52.3/24
ip wccp 90 redirect in
However, I'd like to apply the redirection globally, and use a redirect list to determine which networks get redirected and which don't. When I remove the redirect statements from the interface, and use the following config instead, no redirection takes place for my test web client on 10.255.52.0.
The config examples at Cisco.com show standard numbered acls for the redirect-list, though NX-OS does not have those available. Do I have an incorrect extended acl, or perhaps am I not understanding the global redirect-list option?
ip access-list webfilter-nets
10 permit ip 10.255.52.0/24 any
20 deny ip any any
ip wccp 90 redirect-list webfilter-nets
Thanks in advance for any replies.
10-13-2011 03:59 PM
I think you have your ACL permit/deny backwards.
On a Cisco ASA, you permit the traffic you're sending to the WSA, and you deny traffic you don't want to send to the WSA. And you can get a little fancy with it...
For example, here's mine for my prod box:
access-list WCCP_Redirect extended deny ip any object-group insideboxen !don't send traffic for inside web servers
access-list WCCP_Redirect extended deny ip host 172.16.15.16 any !don't send traffic from my beta WSA to prod WSA
access-list WCCP_Redirect extended permit ip any any !send everything else
10-14-2011 09:11 AM
The only traffic I want to match for redirection at this time is from my test network, 10.255.52.0/24. I want all other traffic to be forwarded and not redirected to the web content filters. Pretty sure that's what this should do as the redirect-list acl:
ip access-list webfilter-nets
10 permit ip 10.255.52.0/24 any
20 deny ip any any
ip wccp 90 redirect-list webfilter-nets
10-14-2011 10:40 AM
If that's the case (I missed that you're just trying one network), then yep, that looks right...
You may still need to issue the "ip wccp 90 redirect in"
I'm not familiar with the Nexus box, but here's the full config on my ASA...
wccp 90 redirect-list WCCP_Redirect
wccp interface inside 90 redirect in
You might have to "restart" wccp for your ACL to take effect.
interface Vlan512
no ip wccp 90 redirect in
ip wccp 90 redirect in
And sometimes you have to kick the proxy on the WSA...
SSH to the WSA
enter diagnostic
enter proxy
enter kick
That should get it to renegotiate the WCCP.
HTH,
Ken
01-11-2012 09:18 AM
Stafford - did you get your question figured out yet?
Here is how it's set up here.. we have two Nexus 7010's using a V10000 from WebSense..
feature wccp
ip wccp 1 redirect-list WS_REDIRECT (we are using 1 on the V10K for port 80)
ip wccp 20 redirect-list WS_REVERSE (20 is for the reverse path - websense calls this IP Spoofing)
ip wccp 70 redirect-list WS_REDIRECT (70 is for https)
ip wccp 90 redirect-list WS_REVERSE (90 is for https reverse path)
ip access-list WS_REDIRECT
10 deny ip 10.2.70.205/32 any
20 deny ip 10.2.20.155/32 any
30 permit ip 10.2.110.0/23 any (This makes the 10.2.110.0/23 network to be redirected to the websense appliance)
ip access-list WS_REVERSE
10 deny ip any 10.2.70.205/32
20 deny ip any 10.2.20.155/32
30 permit ip any 10.2.110.0/23
interface Vlan110
ip wccp 1 redirect in
ip wccp 70 redirect in
interface Vlan16
ip wccp 20 redirect in
ip wccp 90 redirect in
Hope this helps!
Travis Stroebele
06-26-2012 11:57 AM
Travis,
Do you need the reverse path statements within the ACL? We are deploying websense as well and have seen issues with GRE going through the ASA. I'm looking at configuring wccp through our 7010's with a V5K.
06-27-2012 07:23 AM
Hi Peter,
I would recommend using the 7K's vs. the ASA and you must change from GRE to L2 if you do.. Make sure you are also running 5.2(3a) or later on the 7010's (there were some bugs in previous versions).
You do need the reverse ACL's if you are using IP Spoofing within WebSense - so here is a little snippet of some configuration I used.. I'm sure the 7010's are your core routing engines - and you most likely have a vlan that routes to your firewalls or Internet routers etc.. for us it's vlan 16 and note that in the vlan 16 int config we are using the "WS_Reverse acl" All other vlans that client computers sit on will get the "WS_Redirect" ACL..
Every environment is different but for us we have a lot of different networks and it was easier/less work for me to deny the traffic we don't want to redirect through websense and permit the traffic/networks we do...
10.2.70.205 & 10.2.20.155 are the WebSense V10K IP's...
feature wccp
ip access-list WS_REDIRECT
10 deny ip any 10.2.70.205/32
20 deny ip any 10.2.20.155/32
...
600 permit ip any any
ip access-list WS_REVERSE
10 deny ip any 10.2.70.205/32
20 deny ip any 10.2.20.155/32
...
600 permit ip any any
ip wccp 1 redirect-list WS_REDIRECT
ip wccp 20 redirect-list WS_REVERSE
ip wccp 70 redirect-list WS_REDIRECT
ip wccp 90 redirect-list WS_REVERSE
interface Vlan16
ip wccp 20 redirect in
ip wccp 90 redirect in
interface Vlan100
ip wccp 1 redirect in
ip wccp 70 redirect in
Let me know if you have any more questions.
Travis Stroebele
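To make the redirect-list semantics from Ken's and Travis's posts concrete (permit = redirect to the WCCP client, deny = forward normally, unmatched = implicit deny), here is an added Python simulation that is not configuration from anyone in this thread. The ACL entries mirror Travis's WS_REDIRECT / WS_REVERSE snippet; the Internet address used for the flows is a constructed sample, and the simplified parser evaluates only source/destination prefixes, not the protocol keyword.

```python
import ipaddress
from typing import List, Tuple

# Added illustration of NX-OS redirect-list semantics as described in the thread:
# 'permit' = redirect to the WCCP client (proxy), 'deny' = forward normally,
# and an unmatched packet hits the implicit deny (not redirected).
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(lines: List[str]) -> List[Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Parse entries like '10 deny ip 10.2.70.205/32 any' into (action, src, dst)."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[0].isdigit():  # strip the sequence number
            parts = parts[1:]
        action, _proto, src, dst = parts[:4]  # protocol keyword ('ip') is not evaluated
        entries.append((action, _net(src), _net(dst)))
    return entries


def redirected(acl, src: str, dst: str) -> bool:
    """True if this redirect-list sends a src->dst packet to the proxy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:  # first match wins
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny: forwarded normally


# Constructed ACLs mirroring the thread's WS_REDIRECT (client VLAN) and
# WS_REVERSE (Internet-facing VLAN, return path for IP-spoofed flows).
WS_REDIRECT = parse_acl([
    "10 deny ip 10.2.70.205/32 any",  # proxy's own traffic: never redirect it back
    "20 deny ip 10.2.20.155/32 any",
    "30 permit ip 10.2.110.0/23 any",  # client network to send to the proxy
])
WS_REVERSE = parse_acl([
    "10 deny ip any 10.2.70.205/32",
    "20 deny ip any 10.2.20.155/32",
    "30 permit ip any 10.2.110.0/23",
])

if __name__ == "__main__":
    print(redirected(WS_REDIRECT, "10.2.110.25", "198.51.100.10"))  # True: client to Internet
    print(redirected(WS_REVERSE, "198.51.100.10", "10.2.50.9"))  # False: not a redirected net
```

The deny entries for the proxy's own addresses are what keep the appliance's outbound traffic from being redirected back to itself on the same VLAN.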
06-27-2012 07:33 AM
Also wanted to share with you - which I don't think a lot of people know about...
There is some wacky formula that is used on the Nexus w/WCCP and it really matters when you are making ACL changes.. like it matters to the point that you could cause a huge CPU spike on the Nexus switches without changing a value on the WebSense appliance. Not sure what WebSense appliance you are using but on the V10000 type appliances if you login to the content gateway manager -> click on the Configure tab -> Networking -> WCCP -> This is where you configure your WCCP Service Groups.. under each service group there is an Advanced Settings option you will want to go in there and make sure you are using MASK with a value of 0x1 (If this is your only WCCP device on your network) if you have more than one WCCP device you should change your mask value.. say you have 2 you want 0x2.. the default is 0x1741 if I remember correctly.. and that wacky formula I told you about uses this value so the lower the value the less impact it will have on the CPU on your Nexus switches when making WCCP changes..
BTW - it took a lot of TAC Engineers as well as WebSense support calls to figure this out..
Hope this helps!!!
Travis.
06-27-2012 08:01 AM
Travis,
This is great information. I have a follow up call with TAC today regarding what impact this puts on the 7010's. We have 2 7Ks with the VPC peer link. I've set up WCCP within Websense with both 7K SVIs that the appliance sits on. In our case, our server VLAN = 10.1.150.x/24 with Core 1 = 10.1.150.253 & Core 2 10.1.150.252.
I did notice that the default MASK value is set to 0x1741. Since we are using two routers, should I change to 0x2? We are running on version 5.2(1) of Nexus. I'll look into performing an upgrade during some downtime.
Thanks again for the information.
Peter
06-27-2012 08:50 AM
If you only have one websense appliance then 0x1 will do.. but say down the road you add another websense appliance you will want to change that MASK value.. Cisco TAC hopefully can fill you in on that.. but I wouldn't worry about that for now.. just know you want to change 0x1741 to 0x1 if you only are doing WCCP to one websense appliance.
Travis.
06-28-2012 05:48 AM
Thanks for all of the helpful information. In regards to websense, how has your experience been? We've had the product almost 2 months now and it seems like certain sites do not play well with the proxy. Amazon Cloud has been a huge pain for us. A lot of TCP resets sent from Amazon and Websense can't figure it out. I wanted to be 100% sure that our Cisco setup was configured correctly. We see the same behavior going through the ASA with GRE and Nexus with L2.
Peter
06-28-2012 06:23 AM
Peter - no problem on the info..
You know I can say for the most part WebSense works pretty well, but there are quite a few sites that don't like the whole WCCP redirection deal.. I'm not 100% sure if that's WCCP or a WebSense problem though..
For the sites we have had issues with, we create deny acl's or even ARM bypass rules for a workaround.. after we first implemented it, there were a few sites that had problems and then as time goes on there is less and less we have to worry about "white-listing" if you will.
Hope all goes well with your install - Good luck man!!!
Travis Stroebele
07-06-2012 10:24 AM
Hi Travis,
I hope you could help me please! I have a problem with an implementation of IP Spoofing on a V5K appliance of Websense. We are using a Cisco Router 2800 as the wccp device, obviously we are using GRE and this is our config in the router:
ip access-list extended http_out
10 deny ip host 10.0.80.2 any
20 permit ip 10.0.73.0 0.0.0.255 any
30 permit ip 10.0.74.0 0.0.0.255 any
ip access-list extended http_in
10 deny ip any host 10.0.80.2 ----> IP V5K (Proxy interface)
20 permit ip any 10.0.73.0 0.0.0.255
30 permit ip any 10.0.74.0 0.0.0.255
ip wccp 0 redirect-list http_out
ip wccp 70 redirect-list http_out
ip wccp 20 redirect-list http_in
ip wccp 90 redirect-list http_in
interface GigabitEthernet0/0
no ip proxy-arp
ip wccp 0 redirect in
ip wccp 70 redirect in
ip flow ingress
duplex full
service-policy input pa10_lan
!
interface GigabitEthernet0/1
ip address 10.0.80.1 255.255.255.240
ip wccp 20 redirect in
ip wccp 90 redirect in
duplex auto
speed auto
!
When we enable IP spoofing on Websense WCG the browsing goes down.
Thanks for your support.
regards
07-08-2012 05:21 PM
Hi Misael,
Deploying IronPort with IP Spoofing can be complicated. How many WSAs do you have on the network?
Did you run a packet capture on the IronPort and confirm that the return path is working fine?
I would recommend submitting a ticket for this issue.
Kind Regards
Jaki
08-24-2021 12:32 PM
Hi there,
I have a Cisco Catalyst with the following config and "http" traffic sporadically fails to be redirected to the Proxy gateway. What do you think the issue is?
ip wccp 0 redirect-list USERS-HTTP group-list FP-PROXY
ip wccp 70 redirect-list USERS-HTTPS group-list FP-PROXY
ip access-list standard FP-PROXY
10 permit 10.222.122.x3
20 permit 10.222.122.x2
30 permit 10.222.122.x4
40 permit 10.222.122.x1
interface Vlan97
ip address 10.111.0.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip wccp 0 redirect in
ip wccp 70 redirect in
I even took a sniffer trace on this device and did not observe "http" hitting the outgoing port as intended.
Could you please offer some help?
Thank you