From c4d55bf9e33728a1f903850959092eddf3aba2a4 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Mon, 18 Dec 2023 14:13:46 -0500 Subject: [PATCH] Create wccp_and_pbr_to_wsa.md --- SCOR/wccp_and_pbr_to_wsa.md | 60 +++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SCOR/wccp_and_pbr_to_wsa.md diff --git a/SCOR/wccp_and_pbr_to_wsa.md b/SCOR/wccp_and_pbr_to_wsa.md new file mode 100644 index 0000000..9569b6d --- /dev/null +++ b/SCOR/wccp_and_pbr_to_wsa.md @@ -0,0 +1,60 @@ +# Configuring WCCP or Policy-Based Routing to Send Traffic to WSA + +## Configuring WCCP on a Cisco Switch +Let’s take a look on how to configure WCCP on a Cisco switch to redirect traffic to the Cisco Secure Web Appliance. + +1. Configure an access control list (ACL) to match the web traffic. + +``` +ip access-list extended WEB-TRAFFIC + permit tcp 10.1.1.0 0.0.0.255 any eq www + permit tcp 10.1.2.0 0.0.0.255 any eq www + permit tcp 10.1.1.0 0.0.0.255 any eq 443 + permit tcp 10.1.2.0 0.0.0.255 any eq 443 +``` + +2. Configure another ACL to define where to send the traffic (that is, the Cisco Secure Web Appliance’s IP address). + +``` +ip access-list standard WSA + permit 10.1.3.3 +``` + +3. Create the WCCP lists. +``` +ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA +ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA +ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA +``` + +4. Configure the WCCP redirection of traffic on the source interface. +``` +interface vlan88 + ip wccp web-cache redirect in + ip wccp 10 redirect in + ip wccp 20 redirect in +``` + + + +## Traffic Redirection with Policy-Based Routing +You can also configure PBR on a Cisco router to redirect web traffic to the Cisco Secure Web Appliance. + +Configuring PBR can affect the router’s performance if enabled in software (without hardware acceleration). You should review the respective router documentation to determine any impact. + +- First, a PBR policy is configured in a Cisco router that matches traffic from two source subnets (10.1.1.0/24 and 10.1.1.2.0/24). +- The web traffic is received on interface VLAN 88. +- The traffic is sent to the Cisco Secure Web Appliance configured with IP address 10.1.2.3. + +``` +access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80 +access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80 +access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443 +access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443 +! +route-map WebRedirect permit 10 + match ip address 101 + set ip next-hop 10.1.3.3 +interface vlan88 + ip policy route-map WebRedirect +```