It is easy to find design and configuration guides about OTV implementations on Nexus 7000 switches, ASR and CSR routers. But it is much harder to find information about the requirements for your WAN.
Please read my previous blog posts about OTV here, here, here and here. I’ll cover the OTV device configurations in those posts. But for now, let's start with the DCI WAN for OTV.
First of all, there are two OTV deployment options:
- Unicast mode
- Multicast mode
The WAN requirements in unicast mode are simple: deliver unicast connectivity between the join interfaces of all OTV edge devices. This is a straightforward configuration, so I will not cover it in this blog post.
The multicast deployment is a bit harder to configure and its requirements are harder to find. This blog post will cover the required WAN configuration in a multicast deployment. In this particular scenario, we use dark fiber / DWDM connections as DCI to get a clearer understanding of the requirements and configuration.
First, a drawing to get a view on this deployment scenario:
OTV WAN multicast layout
This blog will show you the easiest way to get your OTV multicast deployment up and running. There are more fine-tuning options available, but they will not be covered in this blog.
In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the third blog in the series, about the proxy configuration.
There are two proxy modes:
- Explicit Forward Mode
- Transparent Mode
In Explicit Forward Mode the client has a proxy configuration. There is no configuration needed on the network infrastructure (routers/switches). Authentication is easy and there are three methods for providing the proxy information:
- Automatic Proxy script
- Enter the proxy server IP address
- Automatically detect settings using the WPAD protocol
In transparent mode, there is no configuration needed on the clients. The network infrastructure redirects the traffic (WCCP). Authentication could be an issue.
Redirection options are:
- Web Cache control protocol (WCCP, used in Cisco ASA, ASR and Catalyst switches)
- Policy based routing
- Layer 4 switch
- Layer 7 switch (like a Citrix Netscaler)
WCCP is the most used redirection option for transparent proxies. For more information about WCCP and the configuration, check this link.
PAC files are used in Explicit Forward Mode. The PAC file link is configured in the clients’ proxy settings. If you need help with creating PAC files, check this link.
You can host the PAC file on any web server, but hosting on the WSA is possible too. Click Security Services > PAC File Hosting and upload your PAC file. It’s recommended to host the PAC file on a separate web server.
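A PAC file for Explicit Forward Mode could look like the following. This is an added example, not a file from the original post: the proxy names wsa1/wsa2.example.internal, port 3128, the .example.internal domain and the bypass ranges are assumptions to replace with your own values. It keeps intranet traffic off the proxy and fails closed, so a client cannot go around the WSA when both appliances are unreachable.

```javascript
// Added example PAC file; proxy names, port and internal ranges are assumptions.
// Written in ES5 syntax because some PAC engines do not parse newer JavaScript.

// Browsers supply the PAC helpers. These shims are skipped there and only
// let the file run under Node for testing.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.slice(-domain.length) === domain;
  };
  globalThis.isInNet = function (ip, net, mask) {
    function n(a) {
      return a.split(".").reduce(function (acc, o) { return ((acc << 8) | +o) >>> 0; }, 0);
    }
    return ((n(ip) & n(mask)) >>> 0) === ((n(net) & n(mask)) >>> 0);
  };
}

// Primary WSA first, secondary as failover. There is deliberately no trailing
// "DIRECT": if both are down, requests fail instead of bypassing web policy.
var WSA_CHAIN = "PROXY wsa1.example.internal:3128; PROXY wsa2.example.internal:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names (including the WSAs and the PAC host) are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }

  // Only IP literals are range-checked. Passing a hostname to isInNet would
  // trigger a client-side DNS lookup for every request.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
      return "DIRECT";
    }
  }

  // Everything else goes through the WSA.
  return WSA_CHAIN;
}
```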