Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Transparent Proxy and ARM > Transparent interception strategies > Transparent interception with WCCP v2 devices > Enabling WCCP processing for a service group
Enabling WCCP processing for a service group
Help | Content Gateway | Version 7.8.x
For each WCCP v2 service group that you configure, you must enable WCCP processing.
WCCP v2 routers contain multiple network interfaces, including:
*
one or more interfaces that receive inbound (ingress) client traffic
*
one or more interfaces connected to Content Gateway
*
an interface dedicated to outbound (egress) traffic that is aimed at the Internet
Following are some guidelines for enabling WCCP processing for a service group on a router. Consult the procedures in your router documentation for specifics.
1.
Turn on the WCCP feature:
ip wccp <service group ID> password [0-7] <passwd>
2.
On the router or switch interface, enable redirection for incoming (ingress) packets or outgoing (egress) packets.
 
* 
Note 
Where your hardware and network topology support it, it is recommended that redirection be performed on the ingress interface (using the "redirect in" commands).
The following are examples. Be sure to substitute the service group IDs that you have established on your router(s).
First, select the interface to configure:
interface <type> <number>
Second, establish your redirection rules:
ip wccp <service group ID> redirect in
Examples for inbound redirection:
Run these commands for each protocol that you want to support, but only on the interface(s) dedicated to inbound (ingress) traffic.
For example, to turn on redirection of HTTP destination port traffic, enter:
ip wccp 0 redirect in
To turn on redirection of HTTPS destination port traffic:
ip wccp 70 redirect in
To turn on redirection of FTP destination port traffic enter:
ip wccp 5 redirect in
To turn on redirection of HTTP source port traffic, which is required for IP spoofing, enter:
ip wccp 20 redirect in
Examples for outbound (egress) redirection:
Run these commands for each protocol that you want to support, but only on the interface(s) dedicated to outbound (egress) traffic.
First, select the interface to configure:
interface <type> <number>
Second, establish your redirection rules:
ip wccp <service group ID> redirect out
For example, to turn on redirection for HTTP, enter:
ip wccp 0 redirect out
To turn on redirection for HTTPS:
ip wccp 70 redirect out
To turn on redirection for FTP enter:
ip wccp 5 redirect out
3.
IMPORTANT: When ARM dynamic or static bypass is enabled, or IP spoofing is enabled, and redirection is on the outbound (egress) interface, exclude redirection of Content Gateway outbound packets on the router interface that handles Content Gateway's egress traffic. See the illustration, below.
a.
Select the interface that handles Content Gateway egress traffic:
interface <type> <number>
b.
Exclude Content Gateway outbound traffic on the interface from all redirection rules on the router:
ip wccp redirect exclude in
When ARM bypass occurs, or IP spoofing is enabled, the proxy sends traffic to the Internet with the original source IP address. The "redirect exclude in" command prevents the router from looping the traffic back to Content Gateway.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Transparent Proxy and ARM > Transparent interception strategies > Transparent interception with WCCP v2 devices > Enabling WCCP processing for a service group
Copyright 2016 Forcepoint LLC. All rights reserved.