Bi-directional ADN Deployment Using WCCP with Reflect Client IP [Configuration Sample] Ken Fritz (PSS)


February 17, 2011
Ken Fritz (PSS)

Copyright 2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

Introduction

In this sample configuration, a customer needs to install a ProxySG at their branch and core sites for WAN optimization. Both sites will act as an ADN Concentrator peer and as an ADN Branch peer. This means each ProxySG will act as a Branch peer to intercept client application traffic for optimization and will also act as a Concentrator peer to accept the acceleration tunnel connection from the Branch peer.

The customer needs to use WCCP redirection access-lists to restrict transparent interception during proof of concept or pilot testing to a limited set of hosts and/or applications. The customer needs to accelerate only HTTP and CIFS traffic bidirectionally between the branch and core locations. Also, the customer needs to reflect the client IP addresses because of NetFlow logging, firewall policies and security requirements.

Requirements

This document uses the following requirements to meet the customer's needs.
- MACH5 ProxySG
- SGOS 5.5.x and higher
- Fully Transparent ADN (default)
- Reflect Client IP (default)
- Virtually in-path using WCCP redirection on branch and core routers
- WCCP GRE forward/return with HASH settings
- WCCP redirection access-list for specific subnets at branch and core
- Protocol optimization for only TCP protocols HTTP and CIFS
- Bi-directional ADN optimization from branch to core and vice versa
- Cisco routers that support WCCP version 2
- Cisco routers that have 3 interfaces

Configuration

In this section, you are presented with the information to configure the features described in this document.

Network Diagram

This document uses the following network setup:

Router Configuration

This section uses these configurations:
- Branch Router
- Core Router

Branch Router:

The branch router configuration requires that WCCP redirection access-lists be created so that only traffic between 10.78.56.208/29 and 10.78.56.216/29 is redirected by WCCP to ProxySG-Branch. To do this we need to create two access-lists, one for the branch LAN traffic destined to the core LAN and the other for the core LAN traffic destined to the branch LAN.

ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7

After the redirection access-lists are created, we need to enable WCCP and associate each service group with the appropriate access-list. The branch router needs four WCCP service groups to define the TCP ports for redirection. The reason for four is to allow bidirectional traffic acceleration from branch to core and from core to branch. Service groups 10 and 11 are for the client-to-server redirection, and service groups 20 and 12 are for the return traffic from the server to the client.

ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN

You will also need to apply "ip wccp [SG#] redirect in" to the LAN and WAN interfaces on the router.

interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.56.98 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
interface FastEthernet1/0
 description Client/Server LAN
 ip address 10.78.56.209 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in

Core Router:

The core router configuration requires that WCCP redirection access-lists be created so that only traffic between 10.78.56.216/29 and 10.78.56.208/29 is redirected by WCCP to ProxySG-Core. To do this we need to create two access-lists, one for the core LAN traffic destined to the branch LAN and the other for the branch LAN traffic destined to the core LAN.

ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7

After the redirection access-lists are created, we need to enable WCCP and associate each service group with the appropriate access-list. The core router needs four WCCP service groups to define the TCP ports for redirection. The reason for four is to allow bidirectional traffic acceleration from core to branch and from branch to core. Service groups 10 and 11 are for the client-to-server redirection, and service groups 20 and 12 are for the return traffic from the server to the client.

ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN

You will also need to apply "ip wccp [SG#] redirect in" to the LAN and WAN interfaces on the router.

interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.57.7 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
interface FastEthernet1/0
 description CLIENT/SERVER LAN
 ip address 10.78.56.217 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in

ProxySG Configuration

This section uses these configurations:
- ProxySG-Branch
- ProxySG-Core

The ProxySGs at the core and branch should be reset to factory default settings. The configurations of the proxies need to be at the default settings for this configuration to work as described. The only ProxySG settings that will be modified from the default are the IP address, default gateway, DNS, WCCP and Services settings.

Serial Console:

ProxySG-Branch# restore-defaults factory-defaults

ProxySG-Branch WCCP Configuration Overview:

Need to create four WCCP service groups:

Service group   Protocol   Ports                          Hash
10              TCP        Destination ports HTTP, CIFS   Source IP
11              TCP        Destination ports HTTP, CIFS   Source IP
12              TCP        Source ports HTTP, CIFS        Destination IP
20              TCP        Source ports HTTP, CIFS        Destination IP
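To check the redirect-list scoping and the service-group hash choices above before they go on a router, here is an added Python model of the branch router's policy (example code written for this page, not Blue Coat's or Cisco's): it applies the two wildcard ACLs and the per-interface "redirect in" statements to constructed flows, and shows that a connection's forward leg (group 10, hashed on source IP) and return leg (group 12, hashed on destination IP) hash on the same address, which is what keeps both legs on the same ProxySG. The flows, the simplified group table and the field names are assumptions taken from the text; the real WCCP hash algorithm is not reproduced.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int  # 6 = TCP; the sample's WCCP groups are all "protocol 6"
    sport: int
    dport: int


# Branch router policy copied from the sample: extended ACL entries as
# (src, src-wildcard, dst, dst-wildcard). A 0 bit in a Cisco wildcard mask
# means "this bit must match", so 0.0.0.7 covers a /29.
ACLS = {
    "BC-WCCP-LAN": [("10.78.56.208", "0.0.0.7", "10.78.56.216", "0.0.0.7")],
    "BC-WCCP-WAN": [("10.78.56.216", "0.0.0.7", "10.78.56.208", "0.0.0.7")],
}
PORTS = {80, 139, 445}  # HTTP and CIFS, the only protocols accelerated
# service group -> (redirect-list, flow field the ports apply to, hash key field)
SERVICE_GROUPS = {
    10: ("BC-WCCP-LAN", "dport", "src"),  # client -> server, hash source IP
    11: ("BC-WCCP-WAN", "dport", "src"),
    12: ("BC-WCCP-WAN", "sport", "dst"),  # server -> client, hash destination IP
    20: ("BC-WCCP-LAN", "sport", "dst"),
}
# "ip wccp <sg> redirect in" statements per ingress interface (assumed names)
REDIRECT_IN = {"FastEthernet0/0": [11, 12], "FastEthernet1/0": [10, 20]}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: bits that are 0 in the wildcard must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl: str, flow: Flow) -> bool:
    return any(wildcard_match(flow.src, s, sw) and wildcard_match(flow.dst, d, dw)
               for s, sw, d, dw in ACLS[acl])


def redirecting_groups(ingress: str, flow: Flow) -> list:
    """Service groups that redirect `flow` to the ProxySG when it enters `ingress`."""
    hits = []
    for sg in REDIRECT_IN[ingress]:
        acl, port_field, _ = SERVICE_GROUPS[sg]
        if flow.proto == 6 and getattr(flow, port_field) in PORTS and acl_permits(acl, flow):
            hits.append(sg)
    return hits


def hash_key(sg: int, flow: Flow) -> str:
    """Address the router hashes on for this group. Forward and return legs of
    one connection must yield the same address to land on the same ProxySG."""
    return getattr(flow, SERVICE_GROUPS[sg][2])


if __name__ == "__main__":
    # Constructed flows: branch client -> core CIFS server, and the server's reply
    fwd = Flow("10.78.56.210", "10.78.56.218", 6, 51000, 445)
    rev = Flow("10.78.56.218", "10.78.56.210", 6, 445, 51000)
    print(redirecting_groups("FastEthernet1/0", fwd), redirecting_groups("FastEthernet0/0", rev))  # [10] [12]
    print(hash_key(10, fwd) == hash_key(12, rev))  # True: both legs hash on 10.78.56.210
```

Traffic to hosts outside the two /29s (for example the DNS server at 10.2.2.100) returns an empty list on every interface, which is the pilot-scoping behaviour the redirect-lists are meant to enforce.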

ProxySG-Branch WCCP Service Group 10 detail:

ProxySG-Branch WCCP Service Group 11 detail:

ProxySG-Branch WCCP Service Group 12 detail:

ProxySG-Branch WCCP Service Group 20 detail:

ProxySG-Branch Proxy Services: Need to modify the default Proxy Services to accelerate only Internal HTTP and CIFS and Bypass everything else:

ProxySG-Core WCCP Configuration Overview:

Need to create four WCCP service groups:

Service group   Protocol   Ports                          Hash
10              TCP        Destination ports HTTP, CIFS   Source IP
11              TCP        Destination ports HTTP, CIFS   Source IP
12              TCP        Source ports HTTP, CIFS        Destination IP
20              TCP        Source ports HTTP, CIFS        Destination IP

ProxySG-Core WCCP Service Group 10 detail:

ProxySG-Core WCCP Service Group 11 detail:

ProxySG-Core WCCP Service Group 12 detail:

ProxySG-Core WCCP Service Group 20 detail:

ProxySG-Core Proxy Services: Need to modify the default Proxy Services to accelerate only Internal HTTP and CIFS and Bypass everything else:

ADN Verification (Branch to Core)

Have a client PC in the branch make a CIFS connection to a core server and verify that there is an ADN connection from the branch to the core. The branch ProxySG shows a proxied ADN session for CIFS from the client PC (10.78.56.210) to the CIFS server (10.78.56.218).

ProxySG-Branch:

Now verify on the core ProxySG that there is an ADN inbound connection from the branch. The core ProxySG shows an ADN inbound connection for CIFS from the client PC (10.78.56.210) to the CIFS server (10.78.56.218).

ProxySG-Core:

ADN Verification (Core to Branch)

Have a client PC in the core make a CIFS connection to a branch server and verify that there is an ADN connection from the core to the branch. The core ProxySG shows a proxied ADN session for CIFS from the client PC (10.78.56.218) to the CIFS server (10.78.56.210).

ProxySG-Core:

Now verify on the branch ProxySG that there is an ADN inbound connection from the core. The branch ProxySG shows an ADN inbound connection for CIFS from the client PC (10.78.56.218) to the CIFS server (10.78.56.210).

ProxySG-Branch:

Full Configurations

This section uses these configurations:
- Branch Cisco Router
- Core Cisco Router
- ProxySG-Branch
- ProxySG-Core

Branch Cisco Router Configuration:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname BRANCH
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
ip cef
!
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.56.98 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
!
interface FastEthernet1/0
 description Client/Server LAN
 ip address 10.78.56.209 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
!
interface FastEthernet2/0
 description PROXY-SG LAN
 ip address 10.78.56.161 255.255.255.248
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
!
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
!
line con 0
line aux 0
line vty 0 4
 login
 password cisco
!
end

Core Cisco Router Configuration:

version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CORE
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
!
interface FastEthernet0/0
 description WAN UPLINK
 ip address 10.78.57.7 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
!
interface FastEthernet1/0
 description CLIENT/SERVER LAN
 ip address 10.78.56.217 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
!
interface FastEthernet2/0
 description PROXY-SG LAN
 ip address 10.78.57.233 255.255.255.248
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
!
ip access-list extended BC-WCCP-LAN
 permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
ip access-list extended BC-WCCP-WAN
 permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
!
line con 0
line vty 0 4
 password root
 login
!
end

Branch ProxySG Configuration:

Software Configuration
URL_Path /cli/show/configuration
Title Unit Configuration
Version 1.0

- Version: SGOS 5.5.3.1 MACH5 Edition
- BEGIN networking
interface 0:0 ;mode
ip-address 10.78.56.163 255.255.255.248
interface 2:0 ;mode
label "WAN"
allow-intercept disable
interface 2:1 ;mode
label "LAN"
ip-default-gateway 10.78.56.161 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.2.2.100
edit alternate
clear server
- END networking
- BEGIN ssl
ssl ;mode
- END ssl
- BEGIN authentication
security hashed-enable-password ""
security hashed-password ""
- END authentication
- BEGIN general
appliance-name "ProxySG 810 - ProxySG-BRANCH"
- END general
- BEGIN proxies
general ;mode
reflect-client-ip enable
resource-overflow-action bypass
- END proxies
- BEGIN application_delivery_network
adn ;mode
tunnel ;mode
reflect-client-ip allow
enable
- END application_delivery_network
- BEGIN services
proxy-services ;mode
edit "Internal HTTP" ;mode
intercept all 10.0.0.0/8 80
edit "CIFS" ;mode
intercept all transparent 139
intercept all transparent 445
- END services
- BEGIN networking
wccp enable
- END networking
- BEGIN networking
inline wccp-settings end-476840996-inline
wccp enable
wccp version 2
service-group 10
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
service-group 11
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
service-group 12
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
service-group 20
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.56.161
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
end-476840996-inline
- END networking

Core ProxySG Configuration:

Software Configuration
URL_Path /cli/show/configuration
Title Unit Configuration
Version 1.0

- Version: SGOS 5.5.3.1 MACH5 Edition
- BEGIN networking
interface 0:0 ;mode
ip-address 10.78.57.234 255.255.255.248
interface 2:0 ;mode
label "WAN"
allow-intercept disable
interface 2:1 ;mode
label "LAN"
ip-default-gateway 10.78.57.233 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.2.2.100
edit alternate
clear server
- END networking
- BEGIN ssl
ssl ;mode
- END ssl
- BEGIN authentication
security hashed-enable-password ""
security hashed-password ""
- END authentication
- BEGIN general
appliance-name "ProxySG 810 - ProxySG-CORE"
- END general
- BEGIN proxies
general ;mode
reflect-client-ip enable
resource-overflow-action bypass
- END proxies
- BEGIN application_delivery_network
adn ;mode
tunnel ;mode
reflect-client-ip allow
enable
- END application_delivery_network
- BEGIN services
proxy-services ;mode
edit "Internal HTTP" ;mode
intercept all 10.0.0.0/8 80
edit "CIFS" ;mode
intercept all transparent 139
intercept all transparent 445
- END services
- BEGIN networking
wccp enable
- END networking
- BEGIN networking
inline wccp-settings end-476841058-inline
wccp enable
wccp version 2
service-group 10
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
service-group 11
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags source-ip-hash
end
service-group 12
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
service-group 20
forwarding-type GRE
protocol 6
interface 0:0
home-router 10.78.57.233
service-flags ports-defined
service-flags ports-source
ports 80 139 445 0 0 0 0 0
assignment-type hash
service-flags destination-ip-hash
end
end-476841058-inline
- END networking