I have a Catalyst 3560 directly connected to the Websense and my users are in vlan1. The connection between my switch and the Websense is in vlan3 and that's what it should be for WCCP to work. So if I understand correctly, WCCP L2 only works for local users; users who are assigned to the vlan configured on the switch that is directly connected to the Websense. How about if I have other users on a different vlan? How will they be redirected to the Websense? Thx
Where are you applying your WCCP redirect command? There are two ways you can approach this. You can configure the redirect on the outbound interface/vlan that leads to the internet, which is not the preferred way to do this. The other way is to configure the WCCP redirect on every inbound interface to the 3560. So if Vlan3 is the outbound interface to the Internet and Vlan1 and Vlan2 are internal VLANs, you would configure the WCCP redirect on both the Vlan1 and Vlan2 SVIs.
You would use this command:
ip wccp (Service#) redirect in
I am using redirect in on vlan1 on the 3560. My vlan3 is on a Cisco 1841 router.
1841 with vlan3 configured as fa0/0.3 with encapsulation dot1q to switch1.
1841 - vlan3 (fa0/0) <--> (fa0/1)2960 switch1 (gig0/1)<--> (fa0/5) 3560 - vlan1(fa0/24) <-- websense)
Ok so same rule would apply if you have an SVI for any other vlan you are going to create. All the redirect commands will be configured at the layer 3 SVI on the 3560.
Depends on the network layout. What is the IP of your Websense appliance? What vlan is your Websense appliance on? Does all traffic from the 3560 become vlan 3 when it leaves the 3560 to the 1841?
Per Cisco recommendation, the Websense interface and the 3560 interface are in the same vlan & same subnet. Vlan 3 is defined in the 1841 router. Vlan 1 is defined on the 3560.
I am a bit confused about WCCP. WCCP only redirects traffic locally, meaning users within the vlan defined on the switch where WCCP is configured. Correct?
I do not understand what you mean when you say redirects traffic locally?
So like for me I have multiple Layer 3 links out to multiple locations via P-to-P fiber. All connections from all locations come back to my 6500 Core switch. I enable WCCP redirect on the inbound interfaces on the Core from those locations. Then the traffic comes into the core, is redirected for my WCCP function and then is either permitted or denied, if denied is then served a deny page from my web filter.
I understand your setup. With my setup, I configured WCCP redirection for vlan1 on my 3560 (which is my core). But my vlan 3 is defined on the router. I have a static route from the router to the firewall and the router is connected to another switch, then the 3560. So it is communicating at layer 3 from the router to the 3560. So my assumption is to configure WCCP redirection on the interface where the router traffic is coming in, which is fa0/5. But the 3560 does not support the WCCP redirect command on the interface.