[c-nsp] WCCP with Nexus 7K

Mike Loether mike at azloether.com
Tue Nov 8 21:36:08 EST 2011


I believe there is an issue with redirecting on SVIs that also have ip helper address configured. Something to do with the ip helper acting as an ACL with a deny any any at the end, causing the ip wccp redirect to never be evaluated. 

Mike

Sent from my iPhone

On Nov 8, 2011, at 5:36 PM, Stafford Rau <srau at rauhaus.org> wrote:

> Any of you good people out there successfully using WCCP on the Nexus 7K?
> 
> I'm working on an Ironport web content filtering deployment, using WCCP
> redirection from our core N7Ks. I'm running into problems using the
> "redirect-list" option. Also, I've not been able to get redirection working
> when I use an "ip wccp 90 redirect out" on a layer-3 vlan interface, while
> it does work when I apply it "in". I'd prefer to apply the redirection
> outbound on the one vlan interface that faces our upstream Internet
> firewalls, rather than apply it inbound on the multitude of downstream
> interfaces, but according to the one TAC engineer with whom I've tried
> working, that isn't a supported configuration on NX-OS...
> 
> The documentation at Cisco.com for WCCP on NX-OS is also quite incorrect in
> at least one section - their example for an acl used with the redirect-list
> option features a standard numbered acl, while NX-OS only supports named
> extended acls. I suspect they did a cut & paste job for some of the WCCP
> documentation from the IOS world without verifying its applicability.
> 
> The acl problems I'm encountering are in marking some internal networks as
> the source for redirection, while excluding requests to internal (RFC 1918)
> networks as the destination. The following works, with an "ip wccp 90
> redirect in" on various downstream interfaces. Also note that while it is
> not documented, if you include an explicit "deny ip any any" at the end of
> the acl, no traffic will be redirected at all. Something to do with the way
> the Nexus platform handles acls.
> 
> ip access-list webfilter-nets
>  10 deny tcp 10.10.10.5/32 any         ## exclude this source from web filtering
>  20 permit tcp 10.10.10.0/24 any
>  30 permit tcp 10.10.20.0/24 any
> 
> ip wccp 90 redirect-list webfilter-nets
> 
> interface Vlan100
>  ip address 10.10.10.1/24
>  ip wccp 90 redirect in
> 
> However, if I add the following to the acl to exclude traffic destined for
> internal web servers:
> 
> ip access-list webfilter-nets
>  5 deny tcp any 10.0.0.0/8
>  10 deny tcp 10.10.10.5/32 any
>  20 permit tcp 10.10.10.0/24 any
>  30 permit tcp 10.10.20.0/24 any
> 
> ...then all traffic passes without any redirection. I would guess this is
> another quirk involving NX-OS acl handling, but so far the TAC response has
> been underwhelming.
> 
> Any clues available?
> 
> Thanks,
> --Stafford
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
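As an added illustration (not code from the thread or from Cisco), the following models how a WCCP redirect-list is meant to be read: first matching entry wins, "permit" marks the flow for redirection, "deny" exempts it, and an unmatched flow falls to the implicit deny and is not redirected. It evaluates the second webfilter-nets list from the quoted post against a few constructed flows so the intended policy can be stated precisely before comparing it with what the switch actually does; it does not reproduce the NX-OS behaviour reported above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AceEntry:
    seq: int
    action: str                  # "permit" (redirect) or "deny" (exempt)
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def to_net(token):
    # NX-OS writes "any" for 0.0.0.0/0 and prefixes as a.b.c.d/len
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)


def parse_ace(line):
    # e.g. "5 deny tcp any 10.0.0.0/8" (sequence action proto src dst)
    seq, action, proto, src, dst = line.split()[:5]
    return AceEntry(int(seq), action, proto, to_net(src), to_net(dst))


# The second "ip access-list webfilter-nets" from the quoted post
WEBFILTER_NETS = [parse_ace(l) for l in """
5 deny tcp any 10.0.0.0/8
10 deny tcp 10.10.10.5/32 any
20 permit tcp 10.10.10.0/24 any
30 permit tcp 10.10.20.0/24 any
""".strip().splitlines()]


def redirect_decision(acl, proto, src_ip, dst_ip):
    """Return (decision, matching seq): 'redirect' on a permit match,
    'bypass' on a deny match, 'implicit-deny' (seq None) if nothing matched."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ("redirect" if ace.action == "permit" else "bypass", ace.seq)
    return ("implicit-deny", None)


if __name__ == "__main__":
    # Constructed sample flows: (proto, source, destination)
    for flow in [("tcp", "10.10.10.20", "203.0.113.10"),   # user -> Internet
                 ("tcp", "10.10.10.20", "10.50.1.7"),      # user -> internal server
                 ("tcp", "10.10.10.5", "203.0.113.10"),    # excluded host
                 ("tcp", "10.10.30.9", "203.0.113.10")]:   # network not listed
        print(flow, "->", redirect_decision(WEBFILTER_NETS, *flow))
```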
