Cisco Web Security Appliance S660 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 25      Configuring Network Settings
Configuring Transparent Redirection
If you select Allow Mask Only or Allow Hash or Mask, you can customize the mask or specify the 
number of bits:
  • Custom mask (max 5 bits). You can specify the mask. The web interface displays the number of 
    bits associated with the mask you provide.
  • System generated mask. You can let the system generate a mask for you. Optionally, you can 
    specify the number of bits for the system-generated mask, up to 5 bits.
Working with the Forwarding and Return Method
WCCP defines the forwarding method as the method by which redirected packets are transported from 
the router to the web proxy. Conversely, the return method redirects packets from the web proxy to the 
router.
You configure the forwarding and return methods for a WCCP service in the Forwarding Method and 
Return Method fields under the Advanced section when you create or edit a WCCP service.
You can configure WCCP services to use either of the following methods:
  • Layer 2 (L2). This method redirects traffic at layer 2 by replacing the packet’s destination MAC 
    address with the MAC address of the target web proxy. This method requires that the target web 
    proxy be directly connected to the router at layer 2. WCCP routers only allow L2 negotiation when 
    the appliance is directly connected to the router at layer 2. The L2 method redirects traffic at the 
    router hardware level, and typically has better performance than Generic Routing Encapsulation 
    (GRE). You might want to choose L2 when the router is directly connected to the appliance and you 
    want the performance improvement provided by the L2 method. You can only use the L2 method 
    with WCCP routers that support L2 forwarding.
  • Generic Routing Encapsulation (GRE). This method redirects traffic at layer 3 by encapsulating 
    the IP packet with a GRE header and a redirect header. This method redirects traffic at the router 
    software level, which can impact performance. You might want to choose GRE when the appliance 
    is not directly connected to the router.
You can also configure a WCCP service to allow either the L2 or GRE methods. When a WCCP service 
allows both L2 and GRE, the appliance uses the method that the router says it supports. If both the router 
and appliance support L2 and GRE, the appliance uses L2.
Note: If the router is not directly connected to the appliance, you must choose GRE.
IP Spoofing when Using WCCP
You can configure the Web Proxy to do IP spoofing. When enabled, requests originating from a client 
retain the client’s source address and appear to originate from the client instead of the Web Proxy.
When you enable IP spoofing, you must create two WCCP services. One WCCP service must redirect 
traffic based on the destination port, and another based on the source port for the return path. The service 
based on the destination port can be the standard web-cache service. However, you must still create at 
least one dynamic service.
The two WCCP services you define for IP spoofing must have the same values for the following settings:
  • Port numbers
  • Router IP addresses
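A pre-deployment check for the IP spoofing rules above, as an added example that is not part of the Cisco guide. `WccpService` and its field names are a hypothetical model rather than AsyncOS settings, and only the two matching settings listed on this page (port numbers and router IP addresses) are compared.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Hypothetical model of one WCCP service; field names are assumptions,
# not AsyncOS configuration keys.
@dataclass(frozen=True)
class WccpService:
    name: str
    dynamic: bool          # False means the standard web-cache service
    match_on: str          # "destination" or "source" port
    ports: frozenset       # port numbers the service redirects
    routers: frozenset     # router IP addresses, as strings

def check_spoofing_pair(a, b):
    """Return a list of problems with two services meant for IP spoofing."""
    problems = []
    # One service redirects on destination port, the other on source port.
    if {a.match_on, b.match_on} != {"destination", "source"}:
        problems.append("need one destination-port and one source-port service")
    # Only the destination-port service may be the standard web-cache service.
    for svc in (a, b):
        if not svc.dynamic and svc.match_on != "destination":
            problems.append(f"{svc.name}: source-port service must be dynamic")
    if not (a.dynamic or b.dynamic):
        problems.append("at least one service must be dynamic")
    # Both services must carry the same port numbers.
    if a.ports != b.ports:
        problems.append(f"port numbers differ: {sorted(a.ports ^ b.ports)}")
    # Compare parsed addresses so equivalent IPv6 spellings do not count as drift.
    ra = {ip_address(r) for r in a.routers}
    rb = {ip_address(r) for r in b.routers}
    if ra != rb:
        problems.append(f"router IPs differ: {sorted(str(r) for r in ra ^ rb)}")
    return problems

if __name__ == "__main__":
    # Constructed sample services (documentation address ranges).
    dst = WccpService("web-cache", False, "destination",
                      frozenset({80}), frozenset({"192.0.2.1", "2001:db8::1"}))
    src = WccpService("return-path", True, "source",
                      frozenset({80, 3128}), frozenset({"192.0.2.2"}))
    for line in check_spoofing_pair(dst, src) or ["pair is consistent"]:
        print(line)
```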