Cisco Web Security Appliance S190 User Guide
Chapter 25 Configuring Network Settings
Configuring Transparent Redirection
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
choose L2 when the router is directly connected to the appliance and you
want the performance improvement provided by the L2 method. You can only
use the L2 method with WCCP routers that support L2 forwarding.
• Generic Routing Encapsulation (GRE). This method redirects traffic at
layer 3 by encapsulating the IP packet with a GRE header and a redirect
header. This method redirects traffic at the router software level, which can
impact performance. You might want to choose GRE when the appliance is
not directly connected to the router.
You can also configure a WCCP service to allow either the L2 or GRE methods.
When a WCCP service allows both L2 and GRE, the appliance uses the method
that the router says it supports. If both the router and appliance support L2 and
GRE, the appliance uses L2.
Note
If the router is not directly connected to the appliance, you must choose GRE.
IP Spoofing when Using WCCP
You can configure the Web Proxy to do IP spoofing. When enabled, requests
originating from a client retain the client’s source address and appear to originate
from the client instead of the Web Proxy.
When you enable IP spoofing, you must create two WCCP services. One WCCP
service must redirect traffic based on the destination port, and another based on
the source port for the return path. The service based on the destination port can
be the standard web-cache service. However, you must still create at least one
dynamic service.
The two WCCP services you define for IP spoofing must have the same values for
the following settings:
• Port numbers
• Router IP addresses
• Router security and password
Note
IronPort suggests using a service ID number from 90 to 97 for the WCCP service
used for the return path (based on the source port).
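The pairing rules for IP spoofing described above can be checked mechanically before a configuration is committed. The following Python check is an added example, not part of the Cisco guide or AsyncOS; the `WccpService` fields, the sample router address and the password are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class WccpService:
    """One WCCP service entry. Field names are hypothetical, not AsyncOS names."""
    name: str
    dynamic: bool                 # False means the standard web-cache service
    service_id: Optional[int]     # dynamic services only
    match_on: str                 # "destination" or "source" port
    ports: FrozenSet[int]
    router_ips: FrozenSet[str]
    security: bool                # router security enabled
    password: Optional[str]

def check_spoofing_pair(a: WccpService, b: WccpService) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a service pair intended for IP spoofing."""
    errors: List[str] = []
    warnings: List[str] = []
    if {a.match_on, b.match_on} != {"destination", "source"}:
        errors.append("need one destination-port and one source-port service")
    if not (a.dynamic or b.dynamic):
        errors.append("at least one service must be dynamic")
    if a.ports != b.ports:
        errors.append("port numbers differ")
    if a.router_ips != b.router_ips:
        errors.append("router IP addresses differ")
    # Report a mismatch without echoing the password itself.
    if (a.security, a.password) != (b.security, b.password):
        errors.append("router security or password differs")
    for svc in (a, b):
        # The 90-97 range is a suggestion in the guide, so it is only a warning.
        if svc.match_on == "source" and svc.service_id not in range(90, 98):
            warnings.append(f"{svc.name}: return-path service ID outside 90-97")
    return errors, warnings

# Constructed sample data (documentation address, placeholder password).
ROUTERS = frozenset({"192.0.2.1"})
FORWARD = WccpService("web-cache", False, None, "destination",
                      frozenset({80}), ROUTERS, True, "example-secret")
RETURN_OK = WccpService("return", True, 90, "source",
                        frozenset({80}), ROUTERS, True, "example-secret")
RETURN_BAD = WccpService("return", True, 60, "source",
                         frozenset({80, 443}), ROUTERS, False, None)

if __name__ == "__main__":
    for ret in (RETURN_OK, RETURN_BAD):
        print(ret.service_id, check_spoofing_pair(FORWARD, ret))
```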