Cisco Web Security Appliance S160 User Guide
Chapter 21: Configuring Network Settings
Working with the Forwarding and Return Method
WCCP defines the forwarding method as the method by which redirected packets are
transported from the router to the web proxy. Conversely, the return method redirects packets
from the web proxy to the router.
You configure the forwarding and return methods for a WCCP service in the Forwarding
Method and Return Method fields under the Advanced section when you create or edit a
WCCP service.
You can configure WCCP services to use either of the following methods:
• Layer 2 (L2). This method redirects traffic at layer 2 by replacing the packet’s destination
MAC address with the MAC address of the target web proxy. This method requires that the
target web proxy be directly connected to the router at layer 2. WCCP routers only allow
L2 negotiation when the appliance is directly connected to the router at layer 2. The L2
method redirects traffic at the router hardware level, and typically has better performance
than Generic Routing Encapsulation (GRE). You might want to choose L2 when the router
is directly connected to the appliance and you want the performance improvement
provided by the L2 method. You can only use the L2 method with WCCP routers that
support L2 forwarding.
• Generic Routing Encapsulation (GRE). This method redirects traffic at layer 3 by
encapsulating the IP packet with a GRE header and a redirect header. This method
redirects traffic at the router software level, which can impact performance. You might
want to choose GRE when the appliance is not directly connected to the router.
You can also configure a WCCP service to allow either the L2 or GRE methods. When a
WCCP service allows both L2 and GRE, the appliance uses the method that the router says it
supports. If both the router and appliance support L2 and GRE, the appliance uses L2.
Note — If the router is not directly connected to the appliance, you must choose GRE.
IP Spoofing when Using WCCP
You can configure the Web Proxy to do IP spoofing. When enabled, requests originating from
a client retain the client’s source address and appear to originate from the client instead of the
Web Proxy.
When you enable IP spoofing, you must create two WCCP services. One WCCP service must
redirect traffic based on the destination port, and another based on the source port for the
return path. The service based on the destination port can be the standard web-cache service.
However, you must still create at least one dynamic service.
The two WCCP services you define for IP spoofing must have the same values for the
following settings:
• Port numbers
• Router IP addresses
• Router security and password
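The method-selection rules and the IP spoofing pairing rules described above can be checked mechanically before a configuration change is committed. The following Python sketch is an added example, not Cisco code or an appliance API; the `WccpService` model, its field names, and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of one WCCP service entry; field names are assumptions,
# not the appliance's configuration schema.
@dataclass(frozen=True)
class WccpService:
    name: str
    dynamic: bool                # False = the standard web-cache service
    redirect_on: str             # "destination" or "source" port
    ports: frozenset
    routers: frozenset
    password: Optional[str]      # None = router security disabled
    allowed_methods: frozenset   # subset of {"L2", "GRE"}

def negotiate_method(svc, router_methods, directly_connected):
    """Choose the forwarding/return method, or None if nothing is usable."""
    usable = set(svc.allowed_methods) & set(router_methods)
    if not directly_connected:
        usable.discard("L2")     # L2 requires layer 2 adjacency to the router
    if "L2" in usable:
        return "L2"              # both sides support both methods: L2 wins
    return "GRE" if "GRE" in usable else None

def check_spoofing_pair(a, b):
    """Return the problems found in a service pair intended for IP spoofing."""
    problems = []
    if {a.redirect_on, b.redirect_on} != {"destination", "source"}:
        problems.append("need one destination-port and one source-port service")
    if not (a.dynamic or b.dynamic):
        problems.append("at least one service must be dynamic")
    for field in ("ports", "routers", "password"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} must match on both services")
    return problems

# Constructed sample values (documentation address range, made-up names).
ROUTERS = frozenset({"192.0.2.1"})
outbound = WccpService("web-cache", False, "destination", frozenset({80}),
                       ROUTERS, "example-pass", frozenset({"L2", "GRE"}))
return_path = WccpService("return-90", True, "source", frozenset({80}),
                          ROUTERS, None, frozenset({"GRE"}))

if __name__ == "__main__":
    print(negotiate_method(outbound, {"L2", "GRE"}, directly_connected=True))
    print(negotiate_method(outbound, {"L2", "GRE"}, directly_connected=False))
    print(check_spoofing_pair(outbound, return_path))
```

In the constructed pair, the return-path service has router security disabled while the outbound service has a password, so the check reports the mismatch.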