Bi-directional ADN Deployment Using WCCP with Reflect Client IP [Configuration Sample]

February 17, 2011
Ken Fritz (PSS)

Copyright 2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Introduction

In this sample configuration, a customer needs to install a ProxySG at their branch and core sites for WAN optimization. Both sites act as an ADN Concentrator peer and as an ADN Branch peer: each ProxySG acts as a Branch peer to intercept client application traffic for optimization, and also acts as a Concentrator peer to accept the acceleration tunnel connection from the remote Branch peer. The customer needs to use WCCP redirection access-lists to restrict transparent interception during proof of concept or pilot testing to a limited set of hosts and/or applications. The customer needs to accelerate only HTTP and CIFS traffic bidirectionally between the branch and core locations. Also, the customer needs to reflect the client IP addresses because of NetFlow logging, firewall policies and security requirements: with Reflect Client IP, the Concentrator opens its server-side connection using the original client's source address rather than its own, so NetFlow records and firewall rules continue to see the real client. The consequence for the design is that server replies are addressed to the client, not to the Concentrator, so the return traffic must be redirected back to the Concentrator by the router; the server-to-client WCCP service groups configured below provide that path.

Requirements

This document uses the following requirements to meet the customer's needs.
- MACH5 ProxySG
- SGOS 5.5.x and higher
- Fully Transparent ADN (default)
- Reflect Client IP (default)
- Virtually in-path using WCCP redirection on branch and core routers
- WCCP GRE forward/return with HASH settings
- WCCP redirection access-list for specific subnets at branch and core
- Protocol optimization for only TCP protocols HTTP and CIFS
- Bi-directional ADN optimization from branch to core and vice versa
- Cisco routers that support WCCP version 2
- Cisco routers that have 3 interfaces
Configuration

In this section, you are presented with the information to configure the features described in this document.

Network Diagram

This document uses the following network setup:

Router Configuration:

This section uses these configurations:
- Branch Router
- Core Router

Branch Router:

The branch router configuration requires WCCP redirection access-lists so that only traffic between 10.78.56.208/29 and 10.78.56.216/29 is redirected by WCCP to ProxySG-Branch. To do this we create two access-lists, one for the branch LAN traffic destined to the core LAN and the other for the core LAN traffic destined to the branch LAN. IOS access-lists use wildcard (inverse) masks, so each /29 appears as 0.0.0.7.

    ip access-list extended BC-WCCP-LAN
     permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
    ip access-list extended BC-WCCP-WAN
     permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7

After the redirection access-lists are created, we need to enable WCCP and associate each service group with the appropriate access-list. The branch router needs four WCCP service groups to define the TCP ports for redirection. The reason for four is to allow bidirectional traffic acceleration from branch to core and from core to branch. Service groups 10 and 11 are for client-to-server redirection (matching the TCP destination port) and service groups 12 and 20 are for the return traffic from server to client (matching the TCP source port). Both halves of every connection must reach the same ProxySG for the ADN tunnel to carry it, which is why each direction needs its own service group.
    ip wccp 10 redirect-list BC-WCCP-LAN
    ip wccp 11 redirect-list BC-WCCP-WAN
    ip wccp 12 redirect-list BC-WCCP-WAN
    ip wccp 20 redirect-list BC-WCCP-LAN

You also need to apply ip wccp [SG#] redirect in to the LAN and WAN interfaces on the router. Service groups 10 and 20 (branch LAN to core LAN traffic, BC-WCCP-LAN) go inbound on the client/server LAN interface; service groups 11 and 12 (core LAN to branch LAN traffic, BC-WCCP-WAN) go inbound on the WAN uplink. Because redirection is applied only inbound on these two interfaces, the PROXY-SG LAN interface (FastEthernet2/0 in the full configuration) needs no WCCP statement, and traffic coming back from the ProxySG is forwarded normally rather than redirected a second time.

    interface FastEthernet0/0
     description WAN UPLINK
     ip address 10.78.56.98 255.255.255.240
     ip wccp 11 redirect in
     ip wccp 12 redirect in
    interface FastEthernet1/0
     description Client/Server LAN
     ip address 10.78.56.209 255.255.255.248
     ip wccp 10 redirect in
     ip wccp 20 redirect in

Core Router:

The core router configuration requires WCCP redirection access-lists so that only traffic between 10.78.56.216/29 and 10.78.56.208/29 is redirected by WCCP to ProxySG-Core. To do this we create two access-lists, one for the core LAN traffic destined to the branch LAN and the other for the branch LAN traffic destined to the core LAN. The access-list names are reused from the branch, but the source and destination subnets are swapped: at each site, BC-WCCP-LAN always means traffic sourced from that site's own LAN and BC-WCCP-WAN means traffic arriving from the remote site.

    ip access-list extended BC-WCCP-LAN
     permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
    ip access-list extended BC-WCCP-WAN
     permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7

After the redirection access-lists are created, we need to enable WCCP and associate each service group with the appropriate access-list. The core router needs four WCCP service groups to define the TCP ports for redirection. The reason for four is to allow bidirectional traffic acceleration from core to branch and from branch to core. Service groups 10 and 11 are for client-to-server redirection and service groups 12 and 20 are for the return traffic from the server to the client.

    ip wccp 10 redirect-list BC-WCCP-LAN
    ip wccp 11 redirect-list BC-WCCP-WAN
    ip wccp 12 redirect-list BC-WCCP-WAN
    ip wccp 20 redirect-list BC-WCCP-LAN

You also need to apply ip wccp [SG#] redirect in to the LAN and WAN interfaces on the router.
    interface FastEthernet0/0
     description WAN UPLINK
     ip address 10.78.57.7 255.255.255.240
     ip wccp 11 redirect in
     ip wccp 12 redirect in
    interface FastEthernet1/0
     description CLIENT/SERVER LAN
     ip address 10.78.56.217 255.255.255.248
     ip wccp 10 redirect in
     ip wccp 20 redirect in

ProxySG Configuration:

This section uses these configurations:
- ProxySG-Branch
- ProxySG-Core

ProxySGs at the core and branch should be reset to factory default settings. The configurations of the proxies need to be at the default settings for this configuration to work as described. The only ProxySG settings modified from the defaults are IP address, default gateway, DNS, WCCP and Services settings.

Serial Console:

    ProxySG-Branch# restore-defaults factory-defaults

ProxySG-Branch WCCP Configuration Overview:

Four WCCP service groups are needed. Each uses TCP (protocol 6), GRE forwarding, hash assignment, and the branch router's PROXY-SG LAN address (10.78.56.161) as its home router:
- Service group 10: TCP destination ports HTTP, CIFS; hash on source IP
- Service group 11: TCP destination ports HTTP, CIFS; hash on source IP
- Service group 12: TCP source ports HTTP, CIFS; hash on destination IP
- Service group 20: TCP source ports HTTP, CIFS; hash on destination IP

The hash settings are deliberate: the client-to-server groups hash on the source IP and the server-to-client groups hash on the destination IP, so both directions of a connection hash on the client's address. If more than one ProxySG joins these service groups, the router therefore assigns both halves of every flow to the same appliance.
ProxySG-Branch WCCP Service Group 10 detail:
ProxySG-Branch WCCP Service Group 11 detail:
ProxySG-Branch WCCP Service Group 12 detail:
ProxySG-Branch WCCP Service Group 20 detail:
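To make the four-service-group design concrete, the following Python script simulates the branch router's WCCP decision for individual TCP packets. It is an added example for this page, not Blue Coat or Cisco code, and it models only what the page shows: the two redirect access-lists, four service groups each applied "redirect in" on one interface, destination-port matching for 10/11 versus source-port matching for 12/20, and the hash key the router would use to pick a ProxySG. Subnets, ports and interface names are the lab values from the document; the ephemeral client ports in the demo flows are made up.

```python
"""Simulate WCCP redirection on the branch router described above.

Added example, not Blue Coat or Cisco code. Models the page's branch router:
two redirect ACLs (one /29 pair per direction), four TCP service groups bound
"redirect in" to one interface each, 10/11 matching destination ports and 12/20
matching source ports, and the hash key (source IP for 10/11, destination IP
for 12/20). Lab addresses are from the document; client ports are made up.
"""
import ipaddress
from dataclasses import dataclass

BRANCH_LAN = ipaddress.ip_network("10.78.56.208/29")
CORE_LAN = ipaddress.ip_network("10.78.56.216/29")
ACCEL_PORTS = {80, 139, 445}  # HTTP and CIFS, the only TCP ports redirected

# Redirect ACLs as (permitted source subnet, permitted destination subnet).
ACLS = {
    "BC-WCCP-LAN": (BRANCH_LAN, CORE_LAN),  # branch LAN -> core LAN
    "BC-WCCP-WAN": (CORE_LAN, BRANCH_LAN),  # core LAN -> branch LAN
}


def wildcard(net):
    """IOS wildcard mask for a prefix, e.g. /29 -> 0.0.0.7 (inverse of the netmask)."""
    return str(net.hostmask)


@dataclass(frozen=True)
class ServiceGroup:
    sg_id: int
    redirect_list: str
    port_match: str  # "dst": ports-defined (client->server) or "src": ports-source (server->client)
    hash_on: str     # "src" or "dst": which IP the router hashes to pick a ProxySG
    interface: str   # interface carrying "ip wccp <sg> redirect in"


# Branch router as configured on the page: 10/20 inbound on the client LAN,
# 11/12 inbound on the WAN uplink.
BRANCH_SGS = (
    ServiceGroup(10, "BC-WCCP-LAN", "dst", "src", "FastEthernet1/0"),
    ServiceGroup(20, "BC-WCCP-LAN", "src", "dst", "FastEthernet1/0"),
    ServiceGroup(11, "BC-WCCP-WAN", "dst", "src", "FastEthernet0/0"),
    ServiceGroup(12, "BC-WCCP-WAN", "src", "dst", "FastEthernet0/0"),
)


def acl_permits(name, src_ip, dst_ip):
    src_net, dst_net = ACLS[name]
    return src_ip in src_net and dst_ip in dst_net


def redirect(sgs, ingress, src_ip, sport, dst_ip, dport):
    """Return (service group id, hash key IP) for a TCP packet entering `ingress`,
    or None when no service group claims it and the router forwards it normally."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for sg in sgs:
        if sg.interface != ingress or not acl_permits(sg.redirect_list, src_ip, dst_ip):
            continue
        port = dport if sg.port_match == "dst" else sport
        if port in ACCEL_PORTS:  # first match wins; ephemeral ports never collide here
            return sg.sg_id, str(src_ip if sg.hash_on == "src" else dst_ip)
    return None


def trace_flow(client, cport, server, sport, client_side_if, server_side_if):
    """Redirect decision for the client's SYN and for the server's reply."""
    fwd = redirect(BRANCH_SGS, client_side_if, client, cport, server, sport)
    ret = redirect(BRANCH_SGS, server_side_if, server, sport, client, cport)
    return fwd, ret


if __name__ == "__main__":
    print("wildcard for", BRANCH_LAN, "=", wildcard(BRANCH_LAN))
    # Branch client to core CIFS server: SYN enters the LAN interface, reply enters the WAN.
    print(trace_flow("10.78.56.210", 51000, "10.78.56.218", 445, "FastEthernet1/0", "FastEthernet0/0"))
    # Core client to branch CIFS server: SYN enters the WAN interface, reply enters the LAN.
    print(trace_flow("10.78.56.218", 52000, "10.78.56.210", 445, "FastEthernet0/0", "FastEthernet1/0"))
    # SSH between the same hosts is not in the port list and is never redirected.
    print(trace_flow("10.78.56.210", 51001, "10.78.56.218", 22, "FastEthernet1/0", "FastEthernet0/0"))
```

Running it shows the point of the four groups: the branch-initiated CIFS flow is claimed by service group 10 on the way out and by 12 on the way back, the core-initiated flow by 11 and then 20, and in every case the hash key is the client's address, so a farm of several ProxySGs would still see both directions of each connection on one appliance. Ports outside 80/139/445, or hosts outside the two /29s, fall through and are forwarded by the router without touching the proxy.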
ProxySG-Branch Proxy Services:

Modify the default Proxy Services so that only Internal HTTP and CIFS are intercepted and everything else is bypassed. In the full configuration this appears as the Internal HTTP service intercepting port 80 for 10.0.0.0/8 and the CIFS service intercepting transparent ports 139 and 445; these are the same ports the WCCP service groups redirect, so WCCP and the proxy services must be kept in agreement:
ProxySG-Core WCCP Configuration Overview:

The core needs the same four WCCP service groups as the branch, with the core router's PROXY-SG LAN address (10.78.57.233) as the home router:
- Service group 10: TCP destination ports HTTP, CIFS; hash on source IP
- Service group 11: TCP destination ports HTTP, CIFS; hash on source IP
- Service group 12: TCP source ports HTTP, CIFS; hash on destination IP
- Service group 20: TCP source ports HTTP, CIFS; hash on destination IP
ProxySG-Core WCCP Service Group 10 detail:
ProxySG-Core WCCP Service Group 11 detail:
ProxySG-Core WCCP Service Group 12 detail:
ProxySG-Core WCCP Service Group 20 detail:
ProxySG-Core Proxy Services:

Modify the default Proxy Services so that only Internal HTTP and CIFS are intercepted and everything else is bypassed, exactly as at the branch:
ADN Verification (Branch to Core) Have a client PC in the branch make a CIFS connection to a core server and verify that there is an ADN connection from the branch to the core. The branch ProxySG shows a proxied ADN session for CIFS from the client PC (10.78.56.210) to the CIFS server (10.78.56.218). ProxySG-Branch: Now verify on the core ProxySG that there is an ADN inbound connection from the branch. The core ProxySG shows an ADN inbound connection for CIFS from the client PC (10.78.56.210) to the CIFS server (10.78.56.218). ProxySG-Core:
ADN Verification (Core to Branch) Have a client PC in the core make a CIFS connection to a branch server and verify that there is an ADN connection from the core to the branch. The core ProxySG shows a proxied ADN session for CIFS from the client PC (10.78.56.218) to the CIFS server (10.78.56.210). ProxySG-Core: Now verify on the branch ProxySG that there is an ADN inbound connection from the core. The branch ProxySG shows an ADN inbound connection for CIFS from the client PC (10.78.56.218) to the CIFS server (10.78.56.210). ProxySG-Branch:
Full Configurations:

This section uses these configurations:
- Branch Cisco Router
- Core Cisco Router
- ProxySG-Branch
- ProxySG-Core

These are lab configurations: the routers use plaintext enable and VTY passwords with no service password-encryption and no AAA, and OSPF is advertised for all of 10.0.0.0/8. Take only the WCCP, access-list and interface lines into a production build.

Branch Cisco Router Configuration:

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime localtime show-timezone
    no service password-encryption
    hostname BRANCH
    enable password cisco
    no aaa new-model
    ip subnet-zero
    ip wccp 10 redirect-list BC-WCCP-LAN
    ip wccp 11 redirect-list BC-WCCP-WAN
    ip wccp 12 redirect-list BC-WCCP-WAN
    ip wccp 20 redirect-list BC-WCCP-LAN
    ip cef
    interface FastEthernet0/0
     description WAN UPLINK
     ip address 10.78.56.98 255.255.255.240
     ip wccp 11 redirect in
     ip wccp 12 redirect in
    interface FastEthernet1/0
     description Client/Server LAN
     ip address 10.78.56.209 255.255.255.248
     ip wccp 10 redirect in
     ip wccp 20 redirect in
    interface FastEthernet2/0
     description PROXY-SG LAN
     ip address 10.78.56.161 255.255.255.248
    router ospf 1
     log-adjacency-changes
     network 10.0.0.0 0.255.255.255 area 0
    ip classless
    ip access-list extended BC-WCCP-LAN
     permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
    ip access-list extended BC-WCCP-WAN
     permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
    line con 0
    line aux 0
    line vty 0 4
     login
     password cisco
    end

Core Cisco Router Configuration:

    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname CORE
    enable password cisco
    no aaa new-model
    ip subnet-zero
    ip wccp 10 redirect-list BC-WCCP-LAN
    ip wccp 11 redirect-list BC-WCCP-WAN
    ip wccp 12 redirect-list BC-WCCP-WAN
    ip wccp 20 redirect-list BC-WCCP-LAN
    interface FastEthernet0/0
     description WAN UPLINK
     ip address 10.78.57.7 255.255.255.240
     ip wccp 11 redirect in
     ip wccp 12 redirect in
    interface FastEthernet1/0
     description CLIENT/SERVER LAN
     ip address 10.78.56.217 255.255.255.248
     ip wccp 10 redirect in
     ip wccp 20 redirect in
    interface FastEthernet2/0
     description PROXY-SG LAN
     ip address 10.78.57.233 255.255.255.248
    router ospf 1
     log-adjacency-changes
     network 10.0.0.0 0.255.255.255 area 0
    ip classless
    ip access-list extended BC-WCCP-LAN
     permit ip 10.78.56.216 0.0.0.7 10.78.56.208 0.0.0.7
    ip access-list extended BC-WCCP-WAN
     permit ip 10.78.56.208 0.0.0.7 10.78.56.216 0.0.0.7
    line con 0
    line vty 0 4
     password root
     login
    end
Branch ProxySG Configuration:

    Software Configuration
    URL_Path /cli/show/configuration
    Title Unit Configuration
    Version 1.0
    - Version: SGOS 5.5.3.1 MACH5 Edition
    - BEGIN networking
    interface 0:0 ;mode
    ip-address 10.78.56.163 255.255.255.248
    interface 2:0 ;mode
    label "WAN"
    allow-intercept disable
    interface 2:1 ;mode
    label "LAN"
    ip-default-gateway 10.78.56.161 1 100
    dns-forwarding ;mode
    edit primary
    clear server
    add server 10.2.2.100
    edit alternate
    clear server
    - END networking
    - BEGIN ssl
    ssl ;mode
    - END ssl
    - BEGIN authentication
    security hashed-enable-password ""
    security hashed-password ""
    - END authentication
    - BEGIN general
    appliance-name "ProxySG 810 - ProxySG-BRANCH"
    - END general
    - BEGIN proxies
    general ;mode
    reflect-client-ip enable
    resource-overflow-action bypass
    - END proxies
    - BEGIN application_delivery_network
    adn ;mode
    tunnel ;mode
    reflect-client-ip allow
    enable
    - END application_delivery_network
    - BEGIN services
    proxy-services ;mode
    edit "Internal HTTP" ;mode
    intercept all 10.0.0.0/8 80
    edit "CIFS" ;mode
    intercept all transparent 139
    intercept all transparent 445
    - END services
    - BEGIN networking
    wccp enable
    - END networking
    - BEGIN networking
    inline wccp-settings end-476840996-inline
    wccp enable
    wccp version 2
    service-group 10
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.56.161
    service-flags ports-defined
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags source-ip-hash
    end
    service-group 11
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.56.161
    service-flags ports-defined
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags source-ip-hash
    end
    service-group 12
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.56.161
    service-flags ports-defined
    service-flags ports-source
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags destination-ip-hash
    end
    service-group 20
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.56.161
    service-flags ports-defined
    service-flags ports-source
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags destination-ip-hash
    end
    end-476840996-inline
    - END networking
Core ProxySG Configuration:

    Software Configuration
    URL_Path /cli/show/configuration
    Title Unit Configuration
    Version 1.0
    - Version: SGOS 5.5.3.1 MACH5 Edition
    - BEGIN networking
    interface 0:0 ;mode
    ip-address 10.78.57.234 255.255.255.248
    interface 2:0 ;mode
    label "WAN"
    allow-intercept disable
    interface 2:1 ;mode
    label "LAN"
    ip-default-gateway 10.78.57.233 1 100
    dns-forwarding ;mode
    edit primary
    clear server
    add server 10.2.2.100
    edit alternate
    clear server
    - END networking
    - BEGIN ssl
    ssl ;mode
    - END ssl
    - BEGIN authentication
    security hashed-enable-password ""
    security hashed-password ""
    - END authentication
    - BEGIN general
    appliance-name "ProxySG 810 - ProxySG-CORE"
    - END general
    - BEGIN proxies
    general ;mode
    reflect-client-ip enable
    resource-overflow-action bypass
    - END proxies
    - BEGIN application_delivery_network
    adn ;mode
    tunnel ;mode
    reflect-client-ip allow
    enable
    - END application_delivery_network
    - BEGIN services
    proxy-services ;mode
    edit "Internal HTTP" ;mode
    intercept all 10.0.0.0/8 80
    edit "CIFS" ;mode
    intercept all transparent 139
    intercept all transparent 445
    - END services
    - BEGIN networking
    wccp enable
    - END networking
    - BEGIN networking
    inline wccp-settings end-476841058-inline
    wccp enable
    wccp version 2
    service-group 10
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.57.233
    service-flags ports-defined
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags source-ip-hash
    end
    service-group 11
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.57.233
    service-flags ports-defined
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags source-ip-hash
    end
    service-group 12
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.57.233
    service-flags ports-defined
    service-flags ports-source
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags destination-ip-hash
    end
    service-group 20
    forwarding-type GRE
    protocol 6
    interface 0:0
    home-router 10.78.57.233
    service-flags ports-defined
    service-flags ports-source
    ports 80 139 445 0 0 0 0 0
    assignment-type hash
    service-flags destination-ip-hash
    end
    end-476841058-inline
    - END networking
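The router and ProxySG halves of this design are configured separately and fail silently when they disagree (the service group simply never forms). The Python script below cross-checks the two ends using the branch configurations from this page. It is an added example, not Blue Coat or Cisco tooling; the two embedded excerpts are the WCCP-relevant lines copied from the branch router and branch ProxySG configurations above, with description, forwarding-type, protocol and assignment-type lines dropped, and the "mistyped home-router" fault at the end is constructed for the demonstration.

```python
"""Cross-check the branch router and branch ProxySG WCCP settings above.

Added example, not Blue Coat or Cisco tooling. The excerpts are the WCCP lines
copied from the page's branch configurations (abridged). Checks: same service
group IDs on both ends, the proxy's home-router address present on a router
interface, each group applied "redirect in" on exactly one interface, and the
port/hash flags matching the group's direction.
"""
import re
from collections import defaultdict

BRANCH_ROUTER = """\
ip wccp 10 redirect-list BC-WCCP-LAN
ip wccp 11 redirect-list BC-WCCP-WAN
ip wccp 12 redirect-list BC-WCCP-WAN
ip wccp 20 redirect-list BC-WCCP-LAN
interface FastEthernet0/0
 ip address 10.78.56.98 255.255.255.240
 ip wccp 11 redirect in
 ip wccp 12 redirect in
interface FastEthernet1/0
 ip address 10.78.56.209 255.255.255.248
 ip wccp 10 redirect in
 ip wccp 20 redirect in
interface FastEthernet2/0
 ip address 10.78.56.161 255.255.255.248
"""
BRANCH_PROXY = """\
service-group 10
home-router 10.78.56.161
ports 80 139 445 0 0 0 0 0
service-flags source-ip-hash
end
service-group 11
home-router 10.78.56.161
ports 80 139 445 0 0 0 0 0
service-flags source-ip-hash
end
service-group 12
home-router 10.78.56.161
service-flags ports-source
ports 80 139 445 0 0 0 0 0
service-flags destination-ip-hash
end
service-group 20
home-router 10.78.56.161
service-flags ports-source
ports 80 139 445 0 0 0 0 0
service-flags destination-ip-hash
end
"""

def parse_ios(text):
    """Return (interface addresses, sg -> 'redirect in' interfaces, sg -> redirect-list)."""
    addrs, inbound, acl, iface = set(), defaultdict(list), {}, None
    for s in (line.strip() for line in text.splitlines()):
        if m := re.match(r"interface (\S+)$", s):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+$", s):
            addrs.add(m.group(1))
        elif m := re.match(r"ip wccp (\d+) redirect in$", s):
            inbound[int(m.group(1))].append(iface)
        elif m := re.match(r"ip wccp (\d+) redirect-list (\S+)$", s):
            acl[int(m.group(1))] = m.group(2)
    return addrs, inbound, acl

def parse_sgos(text):
    """Return sg -> {'home_router', 'ports', 'flags'} from the inline wccp-settings."""
    groups, cur = {}, None
    for s in (line.strip() for line in text.splitlines()):
        if m := re.match(r"service-group (\d+)$", s):
            cur = groups.setdefault(int(m.group(1)), {"flags": set(), "ports": set()})
        elif cur is None or s == "end":
            cur = None
        elif m := re.match(r"home-router (\S+)$", s):
            cur["home_router"] = m.group(1)
        elif m := re.match(r"service-flags (\S+)$", s):
            cur["flags"].add(m.group(1))
        elif m := re.match(r"ports (.+)$", s):
            cur["ports"] = {int(p) for p in m.group(1).split()} - {0}  # 0 pads unused slots
    return groups

def check(router_cfg, proxy_cfg):
    """Return a list of mismatches between router and ProxySG; empty means they agree."""
    addrs, inbound, acl = parse_ios(router_cfg)
    groups = parse_sgos(proxy_cfg)
    problems = [f"SG {sg}: defined on only one side" for sg in sorted(set(acl) ^ set(groups))]
    for sg, g in sorted(groups.items()):
        hr = g.get("home_router")
        if hr not in addrs:
            problems.append(f"SG {sg}: home-router {hr} is not an address on the router")
        if len(inbound.get(sg, [])) != 1:
            problems.append(f"SG {sg}: 'redirect in' on {inbound.get(sg, [])}, expected one interface")
        is_return = sg in (12, 20)  # server-to-client groups: source ports, destination-IP hash
        if ("ports-source" in g["flags"]) != is_return or ("destination-ip-hash" in g["flags"]) != is_return:
            problems.append(f"SG {sg}: port/hash flags do not match its direction")
    return problems

if __name__ == "__main__":
    print(check(BRANCH_ROUTER, BRANCH_PROXY) or "branch router and ProxySG agree")
    # Constructed fault for the demo: a mistyped home-router address on the proxy.
    print(check(BRANCH_ROUTER, BRANCH_PROXY.replace("10.78.56.161", "10.78.56.162")))
```

For the configurations on this page the check returns an empty list. Changing the proxy's home-router to an address the router does not own, or deleting one of the "redirect in" lines, is reported per service group, which is the kind of mismatch that otherwise shows up only as a service group that never comes up on the router.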