We're currently using a Cisco for WCCP Redirection of HTTP traffic to a cache server (ISP)
We have 2x MLAG'd X670s for our core that feed into that Cisco. As you can see, we now have a point of failure, which we don't like (and it's EOL, and not 10G).
What I was wondering is, can't we just do an ACL (flow-redirection?) on both of our MLAG'd core switches to redirect dst-port 80 to the cache server IP instead of routing directly to the internet?
For instance....
Port 1 customerVLAN (plus others that I don't want to get proxied) (various subnets)
Port 2 wanVLAN (gateway 10.0.0.1)
Port 3 cacheVLAN (cache 10.0.1.1)
create flow-redirect ToProxy
configure flow-redirect ToProxy add nexthop 10.0.1.1 priority 100
configure flow-redirect ToProxy add nexthop 10.0.0.1 priority 200
configure flow-redirect ToProxy health-check ping
allhttp.pol:
# whatever our customer subnet is
# destination-port 80 only for internet-hosted websites, not customer-served
entry allhttp {
    if {
        protocol tcp;
        source-address 100.100.100.0/24;
        destination-port 80;
    } then {
        redirect-name ToProxy;
        count WebHTTP;
    }
}
configure access-list allhttp vlan customerVLAN ingress
That way it would use the proxy if it's up, but if we have a crash on our cache server it would fall back to the lower-priority nexthop (default gateway) until the proxy server is restored?
Would this have a negative impact on our X670s or the routing performance? I don't think it would, as from my reading through the manuals the ACLs are done on the ASICs at line rate. Is there something I should specifically be watching out for? Will we run into issues with substantial traffic getting redirected/not redirected?
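An added example (not the original poster's policy) of how the "only internet-hosted, not customer-served" note in the policy above can be expressed: EXOS ACL entries are evaluated top-down and the first match ends evaluation, so a permit entry for customer-hosted web destinations placed before the redirect entry keeps that traffic on its normal routed path and exposes a counter for each class. The 100.100.200.0/24 hosted-web subnet, the entry names and the counter names are assumptions.

```text
# allhttp.pol  (added example, not the original poster's file)
# Entries are evaluated top-down; the first matching entry ends evaluation.

# 1. Customer-served web traffic (assumed placeholder subnet 100.100.200.0/24
#    for subnets where customers host their own web servers) is permitted
#    normally and is never handed to the cache nexthop.
entry keep-local-http {
    if {
        protocol tcp;
        source-address 100.100.100.0/24;
        destination-address 100.100.200.0/24;
        destination-port 80;
    } then {
        permit;
        count LocalHTTP;
    }
}

# 2. Remaining TCP/80 from the customer subnet goes to the flow-redirect,
#    which picks the highest-priority nexthop that passes its health check.
entry allhttp {
    if {
        protocol tcp;
        source-address 100.100.100.0/24;
        destination-port 80;
    } then {
        redirect-name ToProxy;
        count WebHTTP;
    }
}

# Apply on the customer VLAN only, so the cache server's own outbound
# fetches on cacheVLAN are not matched and looped back to itself:
#   configure access-list allhttp vlan customerVLAN ingress
#
# Checks after rollout (nexthop state and per-class hit counts):
#   show flow-redirect ToProxy
#   show access-list counter vlan customerVLAN ingress
```

Watch the two counters after a failover test: LocalHTTP should keep incrementing while WebHTTP traffic moves to the lower-priority nexthop shown in `show flow-redirect ToProxy`.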