FlowRedirection Based Transparent Web Cache Redirection?

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)
We're currently using a Cisco for WCCP Redirection of HTTP traffic to a cache server (ISP)

We have 2x MLAG x670 for our Core that feed into that Cisco, as you can see now we have a point of failure which we don't like and it's EOL, and not 10G)

What i was wondering is cant we just do an ACL (flowredirection?) on both of our MLAG'd core switches to redirect dst-port 80 to go to the Cache Server IP instead of routing directly to the internet.

For instance....
Port 1 customerVLAN (plus others that i dont want to get proxied) (various subnets)
Port 2 wanVLAN (gateway
Port 3 cacheVLAN (cache

create flow-redirect ToProxy
configure flow-redirect ToProxy add nexthop priority 100
configure flow-redirect ToProxy add nexthop priority 200
configure flow-redirect ToProxy health-check ping

entry allhttp {
if {
protocol tcp;
source-address; (whatever our customers subnet is)
destination-port 80; (only for internet hosted websites, not customer served)
} then {
redirect-name ToProxy;
count WebHTTP;

configure access-list allhttp vlan customerVLAN ingress

That way it would use the proxy if it's up but if we have a crash on our cache server it would fallback to the lower priority nexthop (default gateway) until the proxy server is restored?

Would this have a negative impact on our x670's or the routing performance, I don't think it would as from my reading through the manuals the ACL's are done on the ASIC's at linerate? IS their something i should specifically be watching out for? Will we run into issues as with substantial traffic getting redirected/notredirected)
Photo of Chris


  • 492 Points 250 badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of OscarK

OscarK, ESE

  • 7,482 Points 5k badge 2x thumb
You are right, this has no impact as ACL and redircted traffic will be handled by the ASIC at wirespeed.
Photo of Chris


  • 492 Points 250 badge 2x thumb
Wow so basically the configuration above should be able to drop in replace the WCCP from cisco?
Photo of Brunno Lopes

Brunno Lopes

  • 218 Points 100 badge 2x thumb
I guess that it does not replace WCCP because it does not keep user session to proxy (in case you have multiple proxy servers)