leblanc
asked on
moving wccp
See attached for the Before and After network diagram.
I have wccp running, the Internet, and a Websense connected to my 3750-core. The traffic for all vlans was directed to the Websense appropriately.
I then moved the Websense and the Internet to the 3560. I also enabled wccp. But it only directs traffic for the wireless VLAN.
Any thoughts on why wccp is not working properly will be greatly appreciated.
Thanks
net-diagram.jpg
ASKER
yes all vlans have the "redirect in" statement. I took the code from the working existing wccp on the 3750.
Is the setup on the 3650 identical to that of the 3750?
the path from the 3650 to the websense might be running into an ACL.
ASKER
They are not identical. But I moved the same wccp config from the 3750 to the 3560.
What do you mean by "the path from the 3650 to the websense might be running into an ACL. "? Thx
You may have a restriction on the 3650 such that it can not reach the websense servers IP.
i.e. the IP for websense on the 3750 was 172.16.12.13
you changed the IP for websense to 172.18.16.34
the 3750 can reach this segment.
You then copied the same configuration to the 3650, but it can not have a network path to 172.18.16.34
traceroute/ping from the 3650 to 172.18.16.34.
You may have an Access list where the websense server is and it allowed the access from the management IP of the 3750 but there is no rule that allowed the 3650 access.
ASKER
Below are the configs that are relevant to our discussion. They are the "before" wccp config. For the "after" wccp config, I just took all the wccp code from the 3750 and moved it to the 3560.
3750-core before wccp move:
...
!
ip routing
ip wccp 0 redirect-list TRAFFIC_REDIRECT group-list 10
!
ip dhcp pool wireless-users
network 10.10.100.0 255.255.255.0
default-router 10.10.100.1
!
vlan 10
name USERS
!
vlan 19
name MANAGEMENT_VLAN
!
vlan 100
name WIRELESS_USERS
!
interface GigabitEthernet1/0/1
description TO 3560
switchport trunk encapsulation dot1q
switchport mode trunk
!
...
!
interface GigabitEthernet1/0/8
description UPLINK TO fw
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description TO WEBSENSE PORT1
switchport access vlan 10
!
...
!
interface Vlan1
shutdown
!
interface Vlan10
ip address 10.10.1.1 255.255.255.0
ip wccp 0 redirect in
!
interface Vlan19
description MANAGEMENT VLAN
ip address 10.10.19.1 255.255.255.0
ip wccp 0 redirect in
!
interface Vlan100
ip address 10.10.100.1 255.255.255.0
ip wccp 0 redirect in
!
ip access-list extended TRAFFIC_REDIRECT
deny ip host 10.10.1.17 any >>> THIS IS THE PORT 1 OF THE WEBSENSE
deny ip any 10.10.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
!
access-list 10 permit 10.10.1.17
!
ip route 0.0.0.0 0.0.0.0 10.10.1.40
...
end
--------------------------
3560 before wccp move:
...
!
ip routing
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
!
...
!
interface GigabitEthernet0/23
description TO WIRELESS CONTROLLER
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet0/24
description TO 3750-core
switchport trunk encapsulation dot1q
switchport mode trunk
!
...
!
interface Vlan1
shutdown
!
interface Vlan10
ip address 10.10.1.18 255.255.255.0
!
interface Vlan19
ip address 10.10.19.18 255.255.255.0
!
interface Vlan100
ip address 10.10.100.2 255.255.255.0
no ip route-cache cef
no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 10.10.1.40
!
...
end
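As an added illustration (not code from the thread or from Cisco), the TRAFFIC_REDIRECT redirect-list posted above is evaluated with IOS first-match and wildcard-mask semantics, and a hypothetical config checker lists the SVIs that carry an IP address but no `ip wccp 0 redirect in`; the 3560 "after" fragment it is run against is constructed for the example.

```python
import ipaddress

# The redirect-list TRAFFIC_REDIRECT from the 3750 config above, transcribed as
# (action, src, src-wildcard, dst, dst-wildcard). In IOS, "host X" is X with
# wildcard 0.0.0.0 and "any" is 0.0.0.0 with wildcard 255.255.255.255.
TRAFFIC_REDIRECT = [
    ("deny",   "10.10.1.17", "0.0.0.0",         "0.0.0.0",   "255.255.255.255"),  # Websense port 1 itself
    ("deny",   "0.0.0.0",    "255.255.255.255", "10.10.0.0", "0.0.255.255"),      # internal to internal
    ("permit", "10.10.0.0",  "0.0.255.255",     "0.0.0.0",   "255.255.255.255"),  # internal to elsewhere
]

def wildcard_match(ip, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is a don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def redirect_decision(src, dst, acl=TRAFFIC_REDIRECT):
    """First matching entry wins, implicit deny at the end. For a WCCP redirect-list,
    'permit' means the packet goes to the cache engine, 'deny' means normal forwarding."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def svis_missing_redirect(config, service="0"):
    """Hypothetical checker: SVIs with an IP address but no 'ip wccp <service> redirect in',
    i.e. VLANs whose clients are never redirected (the condition asked about in this thread)."""
    blocks, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "lines": []}
            blocks.append(cur)
        elif line == "!":
            cur = None
        elif cur is not None:
            cur["lines"].append(line)
    return [b["name"] for b in blocks
            if b["name"].lower().startswith("vlan")
            and any(l.startswith("ip address ") for l in b["lines"])
            and f"ip wccp {service} redirect in" not in b["lines"]]

# Constructed 3560 "after" fragment: Vlan10 has an address but no redirect statement.
SAMPLE_3560_AFTER = """
interface Vlan10
 ip address 10.10.1.18 255.255.255.0
!
interface Vlan100
 ip address 10.10.100.2 255.255.255.0
 ip wccp 0 redirect in
!
"""
```

Calling `redirect_decision("10.10.100.50", "198.51.100.10")` returns "permit" (a wireless user going out), `redirect_decision("10.10.1.17", "198.51.100.10")` returns "deny" (the Websense's own fetches are excluded so they are not looped back to it), and `svis_missing_redirect(SAMPLE_3560_AFTER)` returns `['Vlan10']`.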
Where is the after on 3650?
ip access-list extended TRAFFIC_REDIRECT
deny ip host 10.10.1.17 any >>> THIS IS THE PORT 1 OF THE WEBSENSE
deny ip any 10.10.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
access-list 10 permit 10.10.1.17
3750
Has wccp in each VLAN.
ASKER
Like I said, for the "after" 3560, just add:
ip access-list extended TRAFFIC_REDIRECT
deny ip host 10.10.1.17 any >>> THIS IS THE PORT 1 OF THE WEBSENSE
deny ip any 10.10.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
access-list 10 permit 10.10.1.17
and
add ip wccp 0 redirect in for each vlan.
Did you also make configuration changes to the Websense setup, to include the 3650 as a wccp client?
I think wccp on the websense side needs info on the router IP which is currently pointing to the 3750?
ASKER
Yes. wccp is working on the 3560 for vlan 100 but not for vlan 10.
Look at your VLAN definition on the 3650 after the change
Look at your VLAN100 definition.
ASKER CERTIFIED SOLUTION
ASKER
yes the default gateway has changed to 10.10.1.18 on the Websense.
yes there is a trunk between the 3560 and the 3750. I will try your recommendation by configuring wccp on both the 3560 and the 3750.
Check the various locations with wccp status/neighbor.
WCCP, when it is unable to establish a connection, allows all traffic out.