
Cisco 500 Series Content Engines

How to Bypass the Content Engine with Router Access Lists


Document ID: 12561

Updated: Jan 08, 2007


Introduction

This document explains how to use a simple router configuration with Access Control Lists (ACLs) in order to permit or deny traffic to the Cisco Content Engine.

In this scenario, any traffic that originates from C1 (172.18.124.193) or C2 (10.27.3.4) and is destined for any host bypasses the Cache Engine, because the redirect-list ACL denies it. All other traffic matches the permit entry and is redirected to the Cache Engine.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Cache Engine 505 in a lab environment with cleared configurations

  • Cisco 2611 Router

  • Cisco IOS® Software Release 12.1(3)T

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Conventions

Refer to the Cisco Technical Tips Conventions for information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Network diagram: ce_acl-A.gif]

Configurations

This document uses this configuration:

How to Bypass the Content Engine with Router ACLs


!--- Your command lines should appear similar to the following: 

router# configure terminal
router(config)# ip wccp web-cache redirect-list 120
router(config)# access-list 120 deny ip host 172.18.124.193 any
router(config)# access-list 120 deny ip host 10.27.3.4 any
router(config)# access-list 120 permit ip any any
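The following Python snippet is an added example, not Cisco code and not part of the original document. It models how the router evaluates redirect-list 120: entries are checked in order, the first match wins, a deny entry means the packet bypasses the Content Engine, a permit entry means it is redirected, and a packet that matches nothing hits the implicit deny and also bypasses the cache. The flows fed to it are constructed, and it also accepts wildcard-mask entries, which the page's list does not use.

```python
import ipaddress

# The redirect-list from the configuration above, in IOS syntax.
ACL_120 = """
access-list 120 deny ip host 172.18.124.193 any
access-list 120 deny ip host 10.27.3.4 any
access-list 120 permit ip any any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # In an IOS wildcard mask a 0 bit must match, so invert it to get a netmask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # access-list <num> <permit|deny> ip <src> <dst> [log|log-input]
        action = tokens[2]
        tokens = tokens[4:]
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        entries.append((action, src, dst))
    return entries

def redirect_decision(entries, src, dst, hits):
    """First match wins. True means redirected to the CE, False means bypass.
    No match falls through to the implicit deny, so the packet also bypasses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, sn, dn) in enumerate(entries):
        if s in sn and d in dn:
            hits[i] += 1          # per-entry counter, like 'show access-lists'
            return action == "permit"
    return False

def evaluate(flows, acl_text=ACL_120):
    """Evaluate (src, dst) flows; return {flow: redirected?} and per-entry hit counts."""
    entries = parse_acl(acl_text)
    hits = [0] * len(entries)
    results = {f: redirect_decision(entries, *f, hits) for f in flows}
    return results, hits
```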

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.

  • show version - Displays the software that runs on the router, along with other information such as the system uptime, where the image was booted from, and the date when it was compiled.

         33-ns-gateway#show version
         Cisco Internetwork Operating System Software
         IOS (tm) C2600 Software (C2600-I-M), Version 12.1(3)T,  RELEASE SOFTWARE (fc1)
         Copyright (c) 1986-2000 by cisco Systems, Inc.
         Compiled Wed 19-Jul-00 16:02 by ccai
         Image text-base: 0x80008088, data-base: 0x808A9264
          
         ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
          
         33-Ns-gateway uptime is 1 day, 1 hour, 1 minute
         System returned to ROM by reload
         System restarted at 11:03:21 UTC Thu May 17 2001
         System image file is "flash:c2600-i-mz.121-3.T"
          
         cisco 2610 (MPC860) processor (revision 0x203) with 44032K/5120K bytes of memory.
         Processor board ID JAD04330MR6 (3648101504)
         M860 processor: part number 0, mask 49
         Bridging software.
         X.25 software, Version 3.0.0.
         5 Ethernet/IEEE 802.3 interface(s)
         32K bytes of non-volatile configuration memory.
         16384K bytes of processor board System flash (Read/Write)
          
         Configuration register is 0x2102
  • show running-config - Displays the running configuration on the router.

         33-Ns-gateway#show running-config
         Building configuration...
         Current configuration:
         !
         ! Last configuration change at 12:04:57 UTC Fri May 18 2001
         ! NVRAM config last updated at 11:01:10 UTC Fri May 18 2001
         !
         version 12.1
         service timestamps debug datetime msec
         service timestamps log datetime msec
         no service password-encryption
         !
         hostname 33-Ns-gateway
         !
         logging buffered 64000 debugging
         enable secret 5 $1$IWJr$nI.NcIr/b9DN7jEQQC17R/
         !
         !
         !
         !
         !
         ip subnet-zero
         ip wccp web-cache redirect-list 120
         ip cef
         no ip domain-lookup
         ip domain-name cisco.com
         ip name-server 161.44.11.21
         ip name-server 161.44.11.206
         !
         !
         !
         !
         interface Ethernet0/0
          ip address 10.1.3.50 255.255.255.0
          no ip route-cache cef
         !
         interface Ethernet1/0
          description interface to the CE .5
          bandwidth 100
          ip address 10.27.2.1 255.255.255.0
          full-duplex
         !
         interface Ethernet1/1
          description inter to DMZ
          ip address 172.18.124.211 255.255.255.0
          ip wccp web-cache redirect out
          no ip route-cache cef
          no ip route-cache
          no ip mroute-cache
         !
         interface Ethernet1/2
          description Preconfigured for recreates 10.27.3.0/24 net
          ip address 10.27.3.1 255.255.255.0
          no ip route-cache cef
         !
         interface Ethernet1/3
          no ip address
          shutdown
         !
         ip classless
         ip route 0.0.0.0 0.0.0.0 172.18.124.1
         no ip http server
         !
         access-list 120 deny   ip host 172.18.124.193 any log-input
         access-list 120 deny   ip host 10.27.3.4 any log-input
         access-list 120 permit ip any any log
         !
         line con 0
          exec-timeout 0 0
          transport input none
         line aux 0
          exec-timeout 0 0
         line vty 0 4
          exec-timeout 0 0
          password ww
          login
         !
         no scheduler allocate
         end
  • show access-lists - Lists the access-list command statements in the router configuration, together with a hit count that shows how many times each entry has been matched.

         33-ns-gateway#show access-lists 120
         Extended IP access list 120
         deny ip host 172.18.124.193 any log-input (114 matches)
         deny ip host 10.27.3.4 any log-input (30 matches)
         permit ip any any log
  • show log - Displays the system error log on the router.

         33-ns-gateway#show log
         Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
         Console logging: level debugging, 906 messages logged
         Monitor logging: level debugging, 165 messages logged
         Buffer logging: level debugging, 267 messages logged
         Trap logging: level informational, 114 message lines logged 
         Log Buffer (64000 bytes):
         May 18 09:57:00.837: %CLEAR-5-COUNTERS: Clear counter on all interfaces by vty2 (172.18.124.193)
         May 18 10:24:53.218: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 216.4.77.193(0), 1 packet
         May 18 10:28:44.890: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.27.3.4(0) -> 64.224.45.130(0), 1 packet
         May 18 10:29:08.861: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 212.20.160.80(0), 1 packet
         May 18 10:29:53.563: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 216.4.77.193(0), 19 packets
         May 18 10:33:53.672: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.27.3.4(0) -> 216.4.77.193(0), 1 packet
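As an added example (not part of the original document or Cisco's tooling), this Python snippet parses %SEC-6-IPACCESSLOGP lines in the format shown above, totals the packets that hit a deny entry of the redirect-list per source, and flags any source that bypassed the Content Engine without being on the approved list. The log lines are constructed to mirror the output above and include one source and one permitted flow that the page's log does not contain.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %SEC-6-IPACCESSLOGP format shown above.
SAMPLE_LOG = """\
May 18 10:24:53.218: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 216.4.77.193(0), 1 packet
May 18 10:28:44.890: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.27.3.4(0) -> 64.224.45.130(0), 1 packet
May 18 10:29:53.563: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 216.4.77.193(0), 19 packets
May 18 10:31:02.100: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.27.3.77(0) -> 216.4.77.193(0), 4 packets
May 18 10:32:15.455: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 10.1.3.20(0) -> 216.4.77.193(0), 7 packets
May 18 10:33:00.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["pkts"] = int(rec["pkts"])
            yield rec

def bypass_packets_by_source(text, acl="120"):
    """Packets per source that hit a deny entry of the redirect-list (bypassed the CE)."""
    counts = Counter()
    for rec in parse_acl_log(text):
        if rec["acl"] == acl and rec["action"] == "denied":
            counts[rec["src"]] += rec["pkts"]
    return counts

def unexpected_bypass(text, allowed, acl="120"):
    """Sources that bypassed the CE but are not in the approved set: a drift check."""
    return {s: n for s, n in bypass_packets_by_source(text, acl).items()
            if s not in allowed}
```

Note that the running configuration above also carries the log keyword on the permit ip any any entry, so every redirected flow is logged too, which on a busy router fills the 64000-byte log buffer quickly.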

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
