Dooglave
asked on
Help me get WCCP working between Cisco and Blue Coat
This is in a lab. As you can see, it looks like it should be working. It shows that the relationship is established and also that my traffic is hitting the correct access list. I also tried it without defining an access list for redirection, which the documentation says should redirect all traffic.
So my redirected counter never increases.
My Test website never says that I'm coming from the proxy.
What am I doing wrong here? Please help.
BlueCoat Config:
__________________________
wccp enable
wccp version 2
service-group 10
forwarding-type L2
priority 1
protocol 6
service-flags destination-ip-hash
service-flags ports-defined
ports 80 0 0 0 0 0 0 0
interface 2
home-router 10.5.13.67
end
Cisco Router Info:
__________________________
SF1#show ip wccp 10
Global WCCP information:
Router information:
Router Identifier: 10.5.13.67
Protocol Version: 2.0
Service Identifier: 10
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: WCCP-LIST
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
__________________________
SF1#show ip wccp 10 view
WCCP Routers Informed of:
10.5.13.67
WCCP Clients Visible:
10.5.13.71
WCCP Clients NOT Visible:
-none-
__________________________
SF1#show ip wccp 10 detail
WCCP Client information:
WCCP Client ID: 10.5.13.71
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 0
Connect Time: 00:14:54
Bypassed Packets
Process: 0
CEF: 0
Errors: 0
__________________________
SF1#show access-lists
Standard IP access list WCCP-CACHES
10 permit 10.5.13.71
Extended IP access list 100
10 permit ip any 224.0.0.0 0.255.255.255
20 deny ip any any
Extended IP access list WCCP-LIST
10 deny ip host 10.5.13.8 any
20 permit ip any any (117 matches)
Extended IP access list mcast
10 permit ip 224.0.0.0 0.255.255.255 224.0.0.0 0.255.255.255
20 deny ip any any
__________________________
SF1#show conf
Using 1947 out of 196600 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname SF1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384 informational
enable secret 5 $1$6Y4J$cDPIDTalgIAPIk7.IHR1Q0
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
!
dot11 syslog
ip source-route
ip wccp 10 redirect-list WCCP-LIST
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name gw.chicken.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.5.13.2 255.255.255.192
duplex auto
speed auto
standby 0 priority 10
standby 0 preempt
standby 10 ip 10.5.13.1
!
interface FastEthernet0/1
ip address 10.5.13.67 255.255.255.224
ip wccp 10 redirect out
duplex auto
speed auto
standby 0 priority 10
standby 0 preempt
standby 20 ip 10.5.13.69
!
router eigrp 65100
network 10.5.13.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list standard WCCP-CACHES
permit 10.5.13.71
!
ip access-list extended WCCP-LIST
deny ip host 10.5.13.8 any
permit ip any any
ip access-list extended mcast
permit ip 224.0.0.0 0.255.255.255 224.0.0.0 0.255.255.255
deny ip any any
!
access-list 100 permit ip any 224.0.0.0 0.255.255.255
access-list 100 deny ip any any
!
!
!
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
exec-timeout 60 0
password 7 04570A04
login
transport preferred none
escape-character 3
line aux 0
line vty 0 4
exec-timeout 60 0
password 7 0507070D
login
transport preferred none
escape-character 3
!
scheduler allocate 20000 1000
end
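Added example (not from the thread, and not Cisco or Blue Coat tooling): a Python checker that reads the two `show ip wccp 10` outputs posted above and applies the checks one would otherwise do by eye: service-group authentication failures, client state, that the assigned hash bitmap really covers all 256 buckets with no overlap between caches, and the "control plane up, zero packets redirected" condition this question is about. The input is the router output above, trimmed to the lines the parser reads, plus a constructed two-cache block; the finding codes and the `settle_s` threshold are this example's own naming.

```python
import re

BUCKETS = 256  # a WCCPv2 hash assignment table has 256 buckets

# Router output from the question above, trimmed to the lines the checker reads.
SHOW_WCCP = """\
Router Identifier: 10.5.13.67
Number of Service Group Clients: 1
Total Packets s/w Redirected: 0
Redirect Access-list: WCCP-LIST
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Total Authentication failures: 0
"""
SHOW_WCCP_DETAIL = """\
WCCP Client ID: 10.5.13.71
State: Usable
Redirection: L2
Assignment: HASH
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 0
Connect Time: 00:14:54
"""

def _int(text, label):
    m = re.search(re.escape(label) + r":\s*(\d+)", text)
    return int(m.group(1)) if m else None

def parse_global(text):
    """Counters from 'show ip wccp <svc>'."""
    acl = re.search(r"Redirect Access-list:\s*(\S+)", text)
    return {
        "clients": _int(text, "Number of Service Group Clients"),
        "redirected": _int(text, "Total Packets s/w Redirected"),
        "denied": _int(text, "Total Packets Denied Redirect"),
        "unassigned": _int(text, "Total Packets Unassigned"),
        "auth_failures": _int(text, "Total Authentication failures"),
        "redirect_acl": acl.group(1) if acl and acl.group(1) != "-none-" else None,
    }

def parse_clients(text):
    """One dict per cache from 'show ip wccp <svc> detail'; the hash bitmap becomes a 256-bit int."""
    clients = []
    for block in re.split(r"(?=WCCP Client ID:)", text)[1:]:
        hexpart = re.search(r"Assigned Hash Info:(.*?)Hash Allotment", block, re.S)
        mask = int(re.sub(r"[^0-9A-Fa-f]", "", hexpart.group(1)), 16) if hexpart else 0
        ct = re.search(r"Connect Time:\s*(\d+):(\d+):(\d+)", block)
        secs = sum(int(v) * k for v, k in zip(ct.groups(), (3600, 60, 1))) if ct else 0
        clients.append({
            "id": re.search(r"WCCP Client ID:\s*(\S+)", block).group(1),
            "state": re.search(r"State:\s*(\S+)", block).group(1),
            "mask": mask,
            "allotment": _int(block, "Hash Allotment"),
            "redirected": _int(block, "Packets s/w Redirected"),
            "connected_s": secs,
        })
    return clients

def analyse(show_wccp, show_detail, settle_s=60):
    """Return (code, message) findings; the codes are this example's own naming."""
    g, clients = parse_global(show_wccp), parse_clients(show_detail)
    findings, covered = [], 0
    if g["auth_failures"]:
        findings.append(("AUTH_FAIL", "service-group password differs between router and cache"))
    for c in clients:
        if c["state"] != "Usable":
            findings.append(("NOT_USABLE", f"{c['id']} is in state {c['state']}"))
        if bin(c["mask"]).count("1") != c["allotment"]:
            findings.append(("BUCKET_MISMATCH", f"{c['id']}: bitmap and Hash Allotment disagree"))
        if covered & c["mask"]:
            findings.append(("OVERLAP", f"{c['id']} is assigned buckets another cache already owns"))
        covered |= c["mask"]
    if clients and covered != (1 << BUCKETS) - 1:
        # flows hashing to these buckets are forwarded normally and count as 'Unassigned'
        findings.append(("GAP", f"{BUCKETS - bin(covered).count('1')} buckets belong to no cache"))
    settled = [c for c in clients if c["state"] == "Usable" and c["connected_s"] >= settle_s]
    if settled and g["redirected"] == 0:
        # WCCP negotiation is fine; the data plane is not. On a software-switched router the
        # usual cause is 'ip wccp <svc> redirect in|out' on an interface/direction the client
        # traffic never crosses, or a redirect-list that does not match it.
        findings.append(("NO_REDIRECT", "cache usable for %ds but zero packets redirected"
                         % max(c["connected_s"] for c in settled)))
    return findings

def _client_block(ip, hexmask, allotment, state="Usable"):
    """Constructed detail block (not router output) for multi-cache scenarios."""
    return (f"WCCP Client ID: {ip}\nState: {state}\nAssigned Hash Info: {hexmask}\n"
            f"Hash Allotment: {allotment} ({allotment / BUCKETS:.2%})\n"
            f"Packets s/w Redirected: 0\nConnect Time: 01:00:00\n")

# Two caches splitting the 256 buckets evenly: no GAP and no OVERLAP expected.
TWO_CACHES = (_client_block("10.5.13.71", "F" * 32 + "0" * 32, 128)
              + _client_block("10.5.13.72", "0" * 32 + "F" * 32, 128))

if __name__ == "__main__":
    for code, msg in analyse(SHOW_WCCP, SHOW_WCCP_DETAIL):
        print(code, "-", msg)
```

On a software-switched router such as the 2801 the `Total Packets s/w Redirected` counter (and its `CEF:` sub-counter) should move once the redirect statement sits on an interface the client traffic crosses in the configured direction. Switch platforms that redirect in hardware do not count those packets here, so on such a box `NO_REDIRECT` is a prompt to check the redirect interface and the proxy's access log, not a verdict.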
You only need one interface on the Blue Coat. I would use the 10.5.13.8 interface and set the default gateway/route on the blue coat to 10.5.13.1. Since you are using a router that supports GRE forwarding/return, I would use GRE.
On the Blue Coat:
wccp enable
wccp version 2
service-group 10
forwarding-type GRE
priority 1
protocol 6
service-flags destination-ip-hash
service-flags ports-defined
ports 80 0 0 0 0 0 0 0
interface 2 <-----------make sure you change the interface to the 10.5.13.8 interface
home-router 10.5.13.67
end
ASKER
Why choose GRE over L2? The documentation says L2 has less overhead, and we are expecting a lot of traffic. I understand if L2 is problematic. Just curious what you have experienced.
I have used GRE and L2: GRE on ASAs and routers, and L2 on 3560s. Yes, L2 has less overhead, but you shouldn't notice it with a 2800. GRE is more flexible, as the proxy doesn't have to be directly L2-connected to the router. I had to work through a bunch of flaky issues getting L2 to work on a 3560 (which doesn't support GRE), yet the GRE setup was always simple and flawless, which is the only reason I suggest GRE. Could have been specific to the 3560, and perhaps L2 with a 2800 is a breeze...
ASKER
I think I found the issue but I did not see this in the documentation when I read it. Time to go back and see if I just missed it or not.
For interface FastEthernet0/0
I added: ip wccp 10 redirect in
The "ip wccp 10 redirect out" on the Fa0/1 interface accomplishes the same thing.
ASKER
Yeah, but it wasn't working for me. Driving me crazy.
I did try all of your other suggestions and I still was getting the same results as before. Now I need to figure out why the redirect out wasn't working.
Oh, wait, did you actually enable the HTTP proxy service on the Blue Coat? By default, it is set to "bypass".
ASKER
Yes, it's set to intercept
intercept.JPG
Did you enable logging on the Blue Coat?
If so, if you go to "statistics" access log and click "tail log", do you see your connection attempt?
Can you post your current running-config from the 2800. Do you have a single blue coat interface now? What is it's default gateway?
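A caveat before anyone pastes a running-config into a public thread, as an added Python example that is not from the thread or from either vendor: `service password-encryption` only produces type 7 strings, which are a fixed XOR pad with a two-digit offset and reverse in a few lines. The sample config is constructed from the `enable secret 5` and the two `password 7` lines in the config posted above; the type 5 secret is MD5-crypt, which is not reversible but is crackable offline, so it should be rotated as well once shared. The function names and the `scan_config` result layout are this example's own.

```python
import re

# Cisco's fixed type-7 pad; the two leading decimal digits of a type-7 string are
# the starting offset into it. The pad is public and the scheme is plain XOR, so
# 'service password-encryption' only hides passwords from a casual glance.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(enc: str) -> str:
    """Reverse a 'password 7 <hex>' value; raises ValueError if it is malformed."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type-7 string")
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    if seed > 15 or seed + len(data) > len(_XLAT):  # IOS keeps the seed in 0..15
        raise ValueError("offset out of range for a type-7 string")
    return bytes(b ^ _XLAT[seed + i] for i, b in enumerate(data)).decode("latin-1")

_PW7 = re.compile(r"^(.*?\b(?:password|key|secret)\s+7)\s+([0-9A-Fa-f]+)\s*$", re.M)
_PW5 = re.compile(r"^(.*?\bsecret\s+5)\s+(\$1\$\S+)\s*$", re.M)

def scan_config(text: str) -> dict:
    """Find reversible (type 7) and hashed (type 5, MD5-crypt) secrets in an IOS config."""
    return {
        "type7": [(pre.strip(), decode_type7(enc)) for pre, enc in _PW7.findall(text)],
        "type5": [pre.strip() for pre, _ in _PW5.findall(text)],
    }

# Constructed from the 'show conf' output posted in the question above.
SAMPLE_CONFIG = """\
enable secret 5 $1$6Y4J$cDPIDTalgIAPIk7.IHR1Q0
line con 0
 password 7 04570A04
line vty 0 4
 password 7 0507070D
"""

if __name__ == "__main__":
    result = scan_config(SAMPLE_CONFIG)
    for label, plain in result["type7"]:
        print(f"{label} -> {plain!r}")
    for label in result["type5"]:
        print(f"{label}: MD5-crypt, not reversible but crackable offline")
```

Both `password 7` lines on this page decode to the same short word, which is fine for a lab and is exactly why a config headed for a forum should have its line passwords and enable secret replaced first.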
ASKER
Man, I'm all mixed up at the moment trying to get other stuff done in parallel. I think I lied earlier. I removed the "redirect in" and it still works. I changed the interface in the Blue Coat config for WCCP to 10.5.13.8, and I think that's what made it work. If I change it back, it breaks; change it to 10.5.13.8 and it works.
I looked through the docs again and I don't see them specify what the "interface" should be, inbound or outbound. I'm sure they didn't think someone would set it up with two interfaces like we are.
In this case it only works when the interface is set to the outbound one. The WCCP protocol is talking on the other interface; I'll call it inbound.
This is the way I was asked to set it up. I don't recall why. The traffic is going in a loop, creating a wormhole in the universe.
10.1.1.9/24 (Windows Client)
|
10.1.1.1/24
(Cisco 831)
10.5.13.15/26
|
10.5.13.2/26 (inbound) <-- default gateway <-- 10.5.13.8/26 (outbound)
(Cisco 2801) ----------(Web Cache)
10.5.13.67/27 (outbound) --> forwards to --> 10.5.13.71/27 (inbound) (wccp protocol communication)
|
10.5.13.65/27
(Cisco 831)
4.1.1.1/24
|
4.1.1.10 (Web Server)
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help man. I realize a single interface is best but due to the load we are trying to split the work of the interfaces up a little. I got it to work by configuring the outbound in unicast and both in multicast. We'll see if it blows up or not.
Stay tuned I have a new problem between L2 and GRE, another one against your advice ;)
ASKER
10.1.1.9/24 (Windows Client)
|
10.1.1.1/24
(Cisco 831)
10.5.13.15/26
|
10.5.13.2/26 10.5.13.8/26
(Cisco 2801) ----------(Web Cache)
10.5.13.67/27 10.5.13.71/27
|
10.5.13.65/27
(Cisco 831)
4.1.1.1/24
|
4.1.1.10 (Web Server)