[c-nsp] Forwarding http traffic to web filtering service

Adrian Chadd adrian at creative.net.au
Wed Jun 20 10:22:18 EDT 2007


On Wed, Jun 20, 2007, Brian wrote:
> We're trying to forward all http traffic to a web filtering service on the
> Internet.  They require the http traffic forwarded to a name and then
> forwarded to port 3128.  I was thinking of creating a route-map and setting
> the next-hop to be the IP address.  How can I also forward this traffic to a
> specific port from my router (or my ASA) so it acts somewhat like a proxy?
> Also, is there a way to point to the name rather than an IP address?

Look at WCCPv2 support. Almost all cisco routers these days support it
in some form or other. (My 827 here at home, for example, doesn't. :)
I believe later ASA (7.x?) supports WCCPv2.

Many web proxies have WCCP/WCCPv2 support. I can help you with Squid, if
that's what it is on port 3128, or you can talk to your vendor.

With WCCPv2, the proxy actually asks the router (nicely!) to join the
service group; so you don't have to hard-code in an IP in the router
(unless you specifically lock it down with an ACL) and you can use
MD5 passwords to further limit joining the service group. You can
(assuming the proxy software supports it) run >1 proxy talking to >1
router. This gives you failover and load balancing/distribution.
(Which is what I guess you want to point it at a name for rather
than an IP address.)

All in all, it's a much better alternative to route-map next-hop
forwarding. Although there's apparently a method to do a conditional
next-hop depending on an rtr object (ICMP ping, for example), the
one setup I wanted to use it for (on the 3560 switch) turned out to
be documented, but then documented as a documentation mistake and
not implemented.



Adrian
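As an added illustration of the service-group lock-down described in the reply above (not part of the original thread, and not Adrian's or Brian's configuration): the router side limits which hosts may join the WCCPv2 web-cache group with an ACL and a shared MD5 password, and excludes the proxy's own outbound traffic from redirection so it cannot loop back into itself. All addresses (router 192.0.2.1, proxy 192.0.2.10, client range 10.0.0.0/8), ACL numbers, interface names and the password value are constructed placeholders.

```text
! ---- Cisco IOS router (constructed example) ----
! Only the proxy host may register with the service group.
access-list 10 permit host 192.0.2.10
! Redirect client web traffic only; never redirect the proxy's own
! port-80 fetches, or they would be sent straight back to the proxy.
access-list 120 deny   tcp host 192.0.2.10 any eq www
access-list 120 permit tcp 10.0.0.0 0.255.255.255 any eq www
! Shared secret: IOS uses at most 8 characters; CHANGEME is a placeholder.
ip wccp web-cache redirect-list 120 group-list 10 password 0 CHANGEME
!
interface GigabitEthernet0/0
 description client-facing LAN
 ip wccp web-cache redirect in

# ---- squid.conf on the proxy host (constructed example) ----
# Squid registers with the router; the password must match the router side.
# On Squid 2.6/3.0 the port option is "transparent" rather than "intercept".
http_port 3128 intercept
wccp2_router 192.0.2.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=CHANGEME

# ---- proxy host (Linux) GRE endpoint and local port redirect (constructed) ----
# ip tunnel add wccp0 mode gre remote 192.0.2.1 local 192.0.2.10 dev eth0
# ip link set wccp0 up
# iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```

Two things worth checking once this is in place: `show ip wccp web-cache detail` on the router should list only the host permitted by the group-list, and a host that is not in that ACL (or that sends the wrong password) must not appear there at all. The redirect-list deny for the proxy's own address is the line most often forgotten, and the symptom of forgetting it is a redirect loop rather than an obvious error.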