[c-nsp] WCCP with Nexus 7K

Stafford Rau srau at rauhaus.org
Tue Nov 8 20:36:01 EST 2011 

Any of you good people out there successfully using WCCP on the Nexus 7K?

I'm working on an Ironport web content filtering deployment, using WCCP
redirection from our core N7Ks. I'm running in to problems using the
"redirect-list" option. Also, I've not been able to get redirection working
when I use an "ip wccp 90 redirect out" on a layer-3 vlan interface, while
it does work when I apply it "in". I'd prefer to apply the redirection
outbound on the one vlan interface that faces our upstream Internet
firewalls, rather than apply it inbound on the multitude of downstream
interfaces, but according to the one TAC engineer with whom I've tried
working, that isn't a supported configuration on NX-OS...

The documentation at Cisco.com for WCCP on NX-OS is also quite incorrect in
at least one section - their example for an acl used with the redirect-list
option features a standard numbered acl, while NX-OS only supports named
extended acls. I suspect they did a cut & paste job for some of the WCCP
documentation from the IOS world without verifying its applicability.

The acl problems I'm encountering are in marking some internal networks as
the source for redirection, while excluding requests to internal (RFC 1918)
networks as the destination. The following works, with an "ip wccp 90
redirect in" on various downstream interfaces. Also note that while it is
not documented, if you include an explicit "deny ip any any" at the end of
the acl, no traffic will be redirected at all. Something to do with the way
the Nexus platforms handles acls.

ip access-list webfilter-nets
  10 deny tcp 10.10.10.5/32 any         ## exclude this source from web
filtering
  20 permit tcp 10.10.10.0/24 any
  30 permit tcp 10.10.20.0/24 any

ip wccp 90 redirect-list webfilter-nets

interface Vlan100
  ip address 10.10.10.1/24
  ip wccp 90 redirect in

However, if I add the following to the acl to exclude traffic destined for
internal web servers:

ip access-list webfilter-nets
  5 deny tcp any 10.0.0.0/8
  10 deny tcp 10.10.10.5/32 any
  20 permit tcp 10.10.10.0/24 any
  30 permit tcp 10.10.20.0/24 any

...then all traffic passes without any redirection. I would guess this is
another quirk involving NX-OS acl handling, but so far the TAC response has
been underwhelming.

Any clues available?

Thanks,
--Stafford

More information about the cisco-nsp mailing list