FlowRedirection Based Transparent Web Cache Redirection?


We're currently using a Cisco for WCCP Redirection of HTTP traffic to a cache server (ISP)

We have 2x MLAG'd x670s for our core that feed into that Cisco. As you can see, we now have a single point of failure, which we don't like (and it's EOL, and not 10G).

What I was wondering is, can't we just do an ACL (flow-redirection?) on both of our MLAG'd core switches to redirect dst-port 80 to the cache server IP instead of routing directly to the internet?

For instance....
Port 1 customerVLAN (plus others that I don't want to get proxied) (various subnets)
Port 2 wanVLAN (gateway 10.0.0.1)
Port 3 cacheVLAN (cache 10.0.1.1)

create flow-redirect ToProxy
configure flow-redirect ToProxy add nexthop 10.0.1.1 priority 100
configure flow-redirect ToProxy add nexthop 10.0.0.1 priority 200
configure flow-redirect ToProxy health-check ping

allhttp.pol
entry allhttp {
    if {
        protocol tcp;
        source-address 100.100.100.0/24;
        destination-port 80;
    } then {
        redirect-name ToProxy;
        count WebHTTP;
    }
}

(100.100.100.0/24 is whatever our customers' subnet is; port 80 is only for internet-hosted websites, not customer-served ones.)

configure access-list allhttp vlan customerVLAN ingress

That way it would use the proxy if it's up, but if we have a crash on our cache server it would fall back to the lower-priority nexthop (default gateway) until the proxy server is restored?

Would this have a negative impact on our x670s or on routing performance? I don't think it would, as from my reading through the manuals the ACLs are done on the ASICs at line rate. Is there something I should specifically be watching out for? Will we run into issues with substantial traffic getting redirected/not redirected?
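An added model of the fallback the question describes (example code, not ExtremeXOS or the poster's configuration): it applies the allhttp match terms, picks the next hop by health state and priority, and shows the one case a ping health check cannot see. Assumptions: the lower priority number is the preferred next hop, as the question intends; a non-matching flow, or no live next hop, is treated as ordinary routing; the ping check reports only that the host answers ICMP, not that the cache process on it is up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Next hops from the posted "ToProxy" flow-redirect, with their priority numbers.
# Assumption: the lower number is preferred, as the question intends.
PROXY, GATEWAY = "10.0.1.1", "10.0.0.1"
NEXTHOPS = {PROXY: 100, GATEWAY: 200}
# Match terms from allhttp.pol; 100.100.100.0/24 is the poster's placeholder subnet.
CUSTOMER_SUBNET = ipaddress.ip_network("100.100.100.0/24")

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int

def acl_matches(flow: Flow) -> bool:
    """The if-block of the allhttp entry: tcp, customer source, destination port 80."""
    return (flow.proto == "tcp"
            and ipaddress.ip_address(flow.src) in CUSTOMER_SUBNET
            and flow.dport == 80)

def select_nexthop(flow: Flow, ping_ok: Dict[str, bool]) -> Optional[str]:
    """Next hop chosen for the flow, or None for ordinary routing.

    Only next hops whose ping health check passes are candidates, and the lowest
    priority number wins. A non-matching flow, or no live next hop at all, falls
    through to normal routing (a modelling choice, not a verified switch behaviour).
    """
    if not acl_matches(flow):
        return None
    live = [(prio, ip) for ip, prio in NEXTHOPS.items() if ping_ok.get(ip)]
    return min(live)[1] if live else None

def outcome(flow: Flow, ping_ok: Dict[str, bool], proxy_ok: Dict[str, bool]) -> str:
    """'proxied', 'routed' or 'blackholed' for the flow.

    The ping check sees the host, not the proxy daemon: a cache host that still
    answers ICMP while its proxy process is down is still selected, so the
    flow is sent to a next hop that cannot serve it.
    """
    nh = select_nexthop(flow, ping_ok)
    if nh is None or nh == GATEWAY:
        return "routed"
    return "proxied" if proxy_ok.get(nh) else "blackholed"

# Constructed sample flows from a customer address to an internet host.
HTTP = Flow("tcp", "100.100.100.25", "203.0.113.10", 80)
HTTPS = Flow("tcp", "100.100.100.25", "203.0.113.10", 443)
```

Running `outcome(HTTP, {PROXY: True, GATEWAY: True}, {PROXY: False})` returns "blackholed", which is the case to monitor separately from the switch's ping health check.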

3 replies

Userlevel 6
You are right, this has no impact as ACL and redirected traffic will be handled by the ASIC at wirespeed.
Wow so basically the configuration above should be able to drop in replace the WCCP from cisco?
Userlevel 1
"Wow so basically the configuration above should be able to drop in replace the WCCP from cisco?"

I guess that it does not replace WCCP because it does not keep user session to proxy (in case you have multiple proxy servers).
