FAQ

How to set up bidirectional ADN deployment using WCCP with reflect client IP

FAQ ID:    FAQ1266
Version:    3.0
Status:    Published
Published date:    02/15/2011
Updated:    03/28/2011
 

Answer

Bi-directional ADN Deployment Using WCCP with Reflect Client IP (Sample Configuration)
 
Introduction
In this sample configuration, a customer needs to install a ProxySG at their branch and core sites for WAN optimization. The ProxySG at each site will act as both an ADN Branch peer and an ADN Concentrator peer: as a Branch peer it intercepts client application traffic for optimization, and as a Concentrator peer it accepts the acceleration tunnel connection from the Branch peer. The customer needs to use WCCP redirection access-lists to restrict transparent interception to a limited set of hosts and/or applications during proof of concept or pilot testing. The customer needs to accelerate only HTTP and CIFS traffic, bi-directionally between the branch and core locations. The customer also needs to reflect the client IP addresses because of NetFlow logging, firewall policies and security requirements.
 

Requirements

This document uses the following requirements to meet the customer’s needs.

- MACH 5 ProxySG
 
- SGOS 5.5.x and higher
 
- Fully Transparent ADN (default)
 
- Reflect Client IP (default)
 
- Virtually in-path using WCCP redirection on branch and core routers
 
- WCCP GRE forward/return with HASH assignment settings
 
- WCCP redirection access-list for specific subnets at branch and core
 
- Protocol optimization for only TCP protocols HTTP and CIFS
 
- Bi-directional ADN optimization from branch to core and vice versa
 
- Cisco routers that support WCCP version 2
 
- Cisco routers that have 3 interfaces
 
 Configuration
In this section, you are presented with the information to configure the features described in this document.
Network Diagram
This document uses the following network setup:
   
Router Configuration:
This section uses these configurations:
  • Branch Router
  • Core Router
 Branch Router:
The branch router configuration requires WCCP redirection access-lists so that only traffic between 10.78.56.208/29 and 10.78.56.216/29 is redirected by WCCP to ProxySG-Branch. To do this, create two access-lists: one for branch LAN traffic destined to the core LAN and the other for core LAN traffic destined to the branch LAN.
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
 
After the redirection access-lists are created, enable WCCP and associate each service group with the appropriate access-list. The branch router needs four WCCP service groups to define the TCP ports for redirection; four are required to allow bidirectional traffic acceleration from branch to core and core to branch. Service groups 10 and 11 are for client-to-server redirection, and service groups 20 and 12 are for redirection of the return traffic from the server to the client.
 
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
 
You will also need to apply "ip wccp [SG#] redirect in" to the LAN and WAN interfaces on the router.
 
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.56.98 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
 !
interface FastEthernet1/0
 description Client/Server LAN
 ip address 10.78.56.209 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
 
 
Core Router:
 
The core router configuration requires WCCP redirection access-lists so that only traffic between 10.78.56.216/29 and 10.78.56.208/29 is redirected by WCCP to ProxySG-Core. To do this, create two access-lists: one for core LAN traffic destined to the branch LAN and the other for branch LAN traffic destined to the core LAN.
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
 
After the redirection access-lists are created, enable WCCP and associate each service group with the appropriate access-list. The core router needs four WCCP service groups to define the TCP ports for redirection; four are required to allow bidirectional traffic acceleration from core to branch and branch to core. Service groups 10 and 11 are for client-to-server redirection, and service groups 20 and 12 are for redirection of the return traffic from the server to the client.
 
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
 
You will also need to apply "ip wccp [SG#] redirect in" to the LAN and WAN interfaces on the router.
 
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.57.7 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
!
interface FastEthernet1/0
 description CLIENT/SERVER LAN
 ip address 10.78.56.217 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
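
The branch and core router sections only work together if their redirect lists mirror each other and each service group is bound to the right list; a mismatch either leaves one direction of a flow unredirected or pulls hosts outside the pilot subnets into interception. The Python below is an added example, not part of the original FAQ: `parse_router` and `check_routers` are hypothetical names, and the input is constructed from the WCCP lines shown above.

```python
import ipaddress
import re

# Constructed input: the WCCP lines from the page's branch router configuration.
BRANCH = """\
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
"""
# The page's core router carries the same lines with the two /29 subnets swapped.
CORE = BRANCH.replace(".208", ".X").replace(".216", ".208").replace(".X", ".216")
WANT = {10: "BC-WCCP-LAN", 20: "BC-WCCP-LAN", 11: "BC-WCCP-WAN", 12: "BC-WCCP-WAN"}

def parse_router(cfg):
    """Return ({group: acl name}, {acl name: [(src network, dst network)]})."""
    groups, acls, entries = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ip wccp (\d+) redirect-list (\S+)", line):
            groups[int(m[1])] = m[2]
        elif m := re.match(r"ip access-list extended (\S+)", line):
            entries = acls.setdefault(m[1], [])
        elif entries is not None and (m := re.match(r" permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            # ipaddress accepts the IOS wildcard as a host mask: x/0.0.0.7 is a /29.
            entries.append(tuple(ipaddress.ip_network(f"{m[i]}/{m[i + 1]}") for i in (1, 3)))
    return groups, acls

def check_routers(branch, core):
    """Return findings; an empty list means both routers redirect the same flows."""
    findings, parsed = [], {"branch": parse_router(branch), "core": parse_router(core)}
    for name, (groups, acls) in parsed.items():
        if groups != WANT:
            findings.append(f"{name}: service groups not bound as 10/20=LAN, 11/12=WAN")
        # On one router the WAN list is the LAN list with source and destination swapped.
        if [(d, s) for s, d in acls.get("BC-WCCP-LAN", [])] != acls.get("BC-WCCP-WAN"):
            findings.append(f"{name}: LAN and WAN redirect lists are not mirrors")
    # Traffic the branch sees on its LAN arrives at the core on its WAN interface.
    if parsed["branch"][1].get("BC-WCCP-LAN") != parsed["core"][1].get("BC-WCCP-WAN"):
        findings.append("branch LAN list differs from core WAN list")
    return findings
```

Calling `check_routers(BRANCH, CORE)` on the page's configuration returns an empty list; widening one access-list or binding a group to the wrong list produces a finding naming the router.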
  
ProxySG Configuration:
This section uses these configurations:
  • ProxySG-Branch
  • ProxySG-Core
ProxySGs at the core and branch should be reset to factory default settings. The configurations of the proxies need to be at the default settings for this configuration to work as described. The only ProxySG settings that will be modified from the default will be IP address, default gateway, DNS, WCCP and Services settings.
 
ProxySG-Branch WCCP Configuration Overview:
Need to create four WCCP service groups:
Service group 10 – TCP Destination Ports HTTP, CIFS – HASH Source IP
Service group 11 – TCP Destination Ports HTTP, CIFS – HASH Source IP
Service group 12 – TCP Source Ports HTTP, CIFS – HASH Destination IP
Service group 20 – TCP Source Ports HTTP, CIFS – HASH Destination IP
  
 
ProxySG-Branch WCCP Service Group 10 detail:
  
 
 ProxySG-Branch WCCP Service Group 11 detail:
 
 
  ProxySG-Branch WCCP Service Group 12 detail:
 
  
ProxySG-Branch WCCP Service Group 20 detail:
 
  
ProxySG-Branch Proxy Services:
Need to modify the default Proxy Services to accelerate only Internal HTTP and CIFS and Bypass everything else:
 
 
 
ProxySG-Core WCCP Configuration Overview:
Need to create four WCCP service groups:
Service group 10 – TCP Destination Ports HTTP, CIFS – HASH Source IP
Service group 11 – TCP Destination Ports HTTP, CIFS – HASH Source IP
Service group 12 – TCP Source Ports HTTP, CIFS – HASH Destination IP
Service group 20 – TCP Source Ports HTTP, CIFS – HASH Destination IP
 
  
ProxySG-Core WCCP Service Group 10 detail:
 
 
 ProxySG-Core WCCP Service Group 11 detail:
 
 
ProxySG-Core WCCP Service Group 12 detail:
 
  
ProxySG-Core WCCP Service Group 20 detail:
 
ProxySG-Core Proxy Services:
Need to modify the default Proxy Services to accelerate only Internal HTTP and CIFS and Bypass everything else:
 
  
ADN Verification (Branch to Core)
Have a client PC in the branch make a CIFS connection to a core server and verify that there is an ADN connection from the branch to the core. The branch ProxySG shows a proxied ADN session for CIFS from the client PC (10.78.56.210) to the CIFS server (10.78.56.218).
ProxySG-Branch:
 
 
Now verify on the core ProxySG that there is an ADN inbound connection from the branch. The core ProxySG shows an ADN inbound connection for CIFS from the client PC (10.78.56.210) to the CIFS server (10.78.56.218).
ProxySG-Core:
 
 
 
ADN Verification (Core to Branch)
Have a client PC in the core make a CIFS connection to a branch server and verify that there is an ADN connection from the core to the branch. The core ProxySG shows a proxied ADN session for CIFS from the client PC (10.78.56.218) to the CIFS server (10.78.56.210).
ProxySG-Core:
 
 
Now verify on the branch ProxySG that there is an ADN inbound connection from the core. The branch ProxySG shows an ADN inbound connection for CIFS from the client PC (10.78.56.218) to the CIFS server (10.78.56.210).
ProxySG-Branch:
 
 
 
Full Configurations:
This section uses these configurations:
  • Branch Cisco Router
  • Core Cisco Router
  • ProxySG-Branch
  • ProxySG-Core
 
Branch Cisco Router Configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname BRANCH
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
ip cef
!
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.56.98 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
 !
interface FastEthernet1/0
 description Client/Server LAN
 ip address 10.78.56.209 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
 !
interface FastEthernet2/0
 description PROXY-SG LAN
 ip address 10.78.56.161 255.255.255.248
 
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
!
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
!
line con 0
line aux 0
line vty 0 4
 login
 password cisco
!
end
  
Core Cisco Router Configuration:
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CORE
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
!
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.57.7 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
!
interface FastEthernet1/0
 description CLIENT/SERVER LAN
 ip address 10.78.56.217 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
!
interface FastEthernet2/0
 description PROXY-SG LAN
 ip address 10.78.57.233 255.255.255.248
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
!
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
!
line con 0
line vty 0 4
 password root
 login
!
end
 
Branch ProxySG Configuration:
Software Configuration
URL_Path /cli/show/configuration
Title Unit Configuration
Version 1.0
 
!- Version: SGOS 5.5.3.1 MACH5 Edition
!- BEGIN networking
interface 0:0 ;mode
ip-address 10.78.56.163 255.255.255.248
exit
interface 2:0 ;mode
label "WAN"
allow-intercept disable
exit
interface 2:1 ;mode
label "LAN"
exit
ip-default-gateway 10.78.56.161 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.2.2.100
exit
edit alternate
clear server
exit
exit
!- END networking
!- BEGIN ssl
ssl ;mode
exit
!- END ssl
!- BEGIN authentication
security hashed-enable-password ""
security hashed-password ""
!- END authentication
!- BEGIN general
appliance-name "ProxySG 810 - ProxySG-BRANCH"
!- END general
!- BEGIN proxies
general ;mode
reflect-client-ip enable
resource-overflow-action bypass
exit
!- END proxies
!- BEGIN application_delivery_network
adn ;mode
tunnel ;mode
reflect-client-ip allow
exit
enable
exit
!- END application_delivery_network
!- BEGIN services
proxy-services ;mode
edit "Internal HTTP" ;mode
intercept all 10.0.0.0/8 80
exit
edit "CIFS" ;mode
intercept all transparent 139
intercept all transparent 445
exit
exit
!- END services
!- BEGIN networking
wccp enable
!- END networking
!- BEGIN networking
inline wccp-settings end-476840996-inline
wccp enable
wccp version 2
 
service-group 10
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
 
service-group 11
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
 
service-group 12
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
 
service-group 20
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
 
end-476840996-inline
!- END networking
  
Core ProxySG Configuration:
Software Configuration
URL_Path /cli/show/configuration
Title Unit Configuration
Version 1.0
 
!- Version: SGOS 5.5.3.1 MACH5 Edition
!- BEGIN networking
interface 0:0 ;mode
ip-address 10.78.57.234 255.255.255.248
exit
interface 2:0 ;mode
label "WAN"
allow-intercept disable
exit
interface 2:1 ;mode
label "LAN"
exit
ip-default-gateway 10.78.57.233 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.2.2.100
exit
edit alternate
clear server
exit
exit
!- END networking
!- BEGIN ssl
ssl ;mode
exit
!- END ssl
!- BEGIN authentication
security hashed-enable-password ""
security hashed-password ""
!- END authentication
!- BEGIN general
appliance-name "ProxySG 810 - ProxySG-CORE"
!- END general
!- BEGIN proxies
general ;mode
reflect-client-ip enable
resource-overflow-action bypass
exit
!- END proxies
!- BEGIN application_delivery_network
adn ;mode
tunnel ;mode
reflect-client-ip allow
exit
enable
exit
!- END application_delivery_network
!- BEGIN services
proxy-services ;mode
edit "Internal HTTP" ;mode
intercept all 10.0.0.0/8 80
exit
edit "CIFS" ;mode
intercept all transparent 139
intercept all transparent 445
exit
exit
!- END services
!- BEGIN networking
wccp enable
!- END networking
!- BEGIN networking
inline wccp-settings end-476841058-inline
wccp enable
wccp version 2
 
service-group 10
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
 
service-group 11
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
 
service-group 12
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
 
service-group 20
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
 
end-476841058-inline
!- END networking
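
The WCCP configuration overviews pair each port direction with a hash key: destination-port groups hash on source IP, source-port groups hash on destination IP, and every group is limited to the HTTP and CIFS ports. The Python below checks an exported wccp-settings block against that pairing. It is an added example, not part of the original FAQ: `parse_groups` and `check_groups` are hypothetical names, and the input is constructed from service groups 10 and 12 of the branch configuration above.

```python
import re

# Constructed input: service groups 10 and 12 as they appear in the page's
# ProxySG-Branch "inline wccp-settings" block.
SETTINGS = """\
service-group 10
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
service-group 12
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
"""

def parse_groups(text):
    """Return {group number: (set of service-flags, set of non-zero ports)}."""
    groups = {}
    for num, body in re.findall(r"^service-group (\d+)\n(.*?)^end$", text, re.M | re.S):
        flags = set(re.findall(r"^service-flags (\S+)", body, re.M))
        ports = {int(p) for l in re.findall(r"^ports (.*)$", body, re.M) for p in l.split()} - {0}
        groups[int(num)] = (flags, ports)
    return groups

def check_groups(groups, allowed=frozenset({80, 139, 445})):
    """Return findings where a group departs from the page's overview."""
    findings = []
    for num, (flags, ports) in sorted(groups.items()):
        # Source-port groups see server replies, so they hash on destination IP
        # (the client), matching the source-IP hash of the request direction.
        need = "destination-ip-hash" if "ports-source" in flags else "source-ip-hash"
        if need not in flags:
            findings.append(f"group {num}: missing {need}")
        if ports != allowed:
            findings.append(f"group {num}: ports {sorted(ports)} differ from HTTP/CIFS")
    return findings
```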

 

Attachment

Bidirectional ADN Deployment Using WCCP with Reflect Client IP.pdf