This document explains how to use a simple router configuration with Access Control Lists (ACLs) in order to permit or deny traffic to the Cisco Content Engine.
In this scenario, any traffic that originates from C1 (172.18.124.193) and C2 (10.27.3.4) and is destined for any host bypasses the Cache Engine as specified by the ACL. All other traffic is forwarded.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco Cache Engine 505 in a lab environment with cleared configurations
Cisco 2611 Router
Cisco IOS® Software Release 12.1(3)T
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Refer to the Cisco Technical Tips Conventions for information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
This document uses this configuration:
|How to Bypass the Content Engine with Router ACLs|
!--- Your command lines should appear similar to the following: router# configure terminal router(config)# ip wccp web-cache redirect-list 120 router(config)# access-list 120 deny ip host 172.18.124.193 any router(config)# access-list 120 deny ip host 10.27.3.4 any router(config)# access-list 120 permit ip any any
Use this section to confirm that your configuration works properly.
show version - Displays the software that runs on the router, as well as some other components as the system uptime (such as where the code was previously booted, and the date when it was compiled).
33-ns-gateway#show version Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-I-M), Version 12.1(3)T, RELEASE SOFTWARE (fc1) Copyright (c) 1986-2000 by cisco Systems, Inc. Compiled Wed 19-Jul-00 16:02 by ccai Image text-base: 0x80008088, data-base: 0x808A9264 ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1) 33-Ns-gateway uptime is 1 day, 1 hour, 1 minute System returned to ROM by reload System restarted at 11:03:21 UTC Thu May 17 2001 System image file is "flash:c2600-i-mz.121-3.T" cisco 2610 (MPC860) processor (revision 0x203) with 44032K/5120K bytes of memory. Processor board ID JAD04330MR6 (3648101504) M860 processor: part number 0, mask 49 Bridging software. X.25 software, Version 3.0.0. 5 Ethernet/IEEE 802.3 interface(s) 32K bytes of non-volatile configuration memory. 16384K bytes of processor board System flash (Read/Write) Configuration register is 0x2102
show running-config - Displays the running configuration on the router.
33-Ns-gateway#show running-config Building configuration... Current configuration: ! ! Last configuration change at 12:04:57 UTC Fri May 18 2001 ! NVRAM config last updated at 11:01:10 UTC Fri May 18 2001 ! version 12.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname 33-Ns-gateway ! logging buffered 64000 debugging enable secret 5 $1$IWJr$nI.NcIr/b9DN7jEQQC17R/ ! ! ! ! ! ip subnet-zero ip wccp web-cache redirect-list 120 ip cef no ip domain-lookup ip domain-name cisco.com ip name-server 184.108.40.206 ip name-server 220.127.116.11 ! ! ! ! interface Ethernet0/0 ip address 10.1.3.50 255.255.255.0 no ip route-cache cef ! interface Ethernet1/0 description interface to the CE .5 bandwidth 100 ip address 10.27.2.1 255.255.255.0 full-duplex ! interface Ethernet1/1 description inter to DMZ ip address 172.18.124.211 255.255.255.0 ip wccp web-cache redirect out no ip route-cache cef no ip route-cache no ip mroute-cache ! interface Ethernet1/2 description Preconfigured for recreates 10.27.3.0/24 net ip address 10.27.3.1 255.255.255.0 no ip route-cache cef ! interface Ethernet1/3 no ip address shutdown ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.124.1 no ip http server ! access-list 120 deny ip host 172.18.124.193 any log-input access-list 120 deny ip host 10.27.3.4 any log-input access-list 120 permit ip any any log ! line con 0 exec-timeout 0 0 transport input none line aux 0 exec-timeout 0 0 line vty 0 4 exec-timeout 0 0 password ww login ! no scheduler allocate end
show access-lists - Lists the access-list command statements in the router configuration. This command also lists a hit count that indicates the number of times an element has been matched when an access-list command search is issued.
2.33-ns-gateway#show access-lists 120 Extended IP access list 120 deny ip host 172.18.124.193 any log-input (114 matches) deny ip host 10.27.3.4 any log-input (30 matches) permit ip any any log
show log - Displays the system error log on the router.
3.33-ns-gateway#show log Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Console logging: level debugging, 906 messages logged Monitor logging: level debugging, 165 messages logged Buffer logging: level debugging, 267 messages logged Trap logging: level informational, 114 message lines logged Log Buffer (64000 bytes): May 18 09:57:00.837: %CLEAR-5-COUNTERS: Clear counter on all interfaces by vty2 (172.18.124.193) May 18 10:24:53.218: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 18.104.22.168(0), 1 packet May 18 10:28:44.890: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.27.3.4(0) -> 22.214.171.124(0), 1 packet May 18 10:29:08.861: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 126.96.36.199(0), 1 packet May 18 10:29:53.563: %SEC-6-IPACCESSLOGP: list 120 denied tcp 172.18.124.193(0) -> 188.8.131.52(0), 19 packets May 18 10:33:53.672: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.27.3.4(0) -> 184.108.40.206(0), 1 packet
There is currently no specific troubleshooting information available for this configuration.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.