[c-nsp] WCCP with Nexus 7K
Stafford Rau
srau at rauhaus.org
Tue Nov 8 20:36:01 EST 2011
Any of you good people out there successfully using WCCP on the Nexus 7K?
I'm working on an Ironport web content filtering deployment, using WCCP
redirection from our core N7Ks. I'm running in to problems using the
"redirect-list" option. Also, I've not been able to get redirection working
when I use an "ip wccp 90 redirect out" on a layer-3 vlan interface, while
it does work when I apply it "in". I'd prefer to apply the redirection
outbound on the one vlan interface that faces our upstream Internet
firewalls, rather than apply it inbound on the multitude of downstream
interfaces, but according to the one TAC engineer with whom I've tried
working, that isn't a supported configuration on NX-OS...
The documentation at Cisco.com for WCCP on NX-OS is also quite incorrect in
at least one section - their example for an acl used with the redirect-list
option features a standard numbered acl, while NX-OS only supports named
extended acls. I suspect they did a cut & paste job for some of the WCCP
documentation from the IOS world without verifying its applicability.
The acl problems I'm encountering are in marking some internal networks as
the source for redirection, while excluding requests to internal (RFC 1918)
networks as the destination. The following works, with an "ip wccp 90
redirect in" on various downstream interfaces. Also note that while it is
not documented, if you include an explicit "deny ip any any" at the end of
the acl, no traffic will be redirected at all. Something to do with the way
the Nexus platforms handles acls.
ip access-list webfilter-nets
10 deny tcp 10.10.10.5/32 any ## exclude this source from web
filtering
20 permit tcp 10.10.10.0/24 any
30 permit tcp 10.10.20.0/24 any
ip wccp 90 redirect-list webfilter-nets
interface Vlan100
ip address 10.10.10.1/24
ip wccp 90 redirect in
However, if I add the following to the acl to exclude traffic destined for
internal web servers:
ip access-list webfilter-nets
5 deny tcp any 10.0.0.0/8
10 deny tcp 10.10.10.5/32 any
20 permit tcp 10.10.10.0/24 any
30 permit tcp 10.10.20.0/24 any
...then all traffic passes without any redirection. I would guess this is
another quirk involving NX-OS acl handling, but so far the TAC response has
been underwhelming.
Any clues available?
Thanks,
--Stafford
More information about the cisco-nsp
mailing list