[c-nsp] Cisco WCCP and Squid on Linux

Reuben Farrelly reuben-cisco-nsp at reub.net
Mon Jun 27 07:20:45 EDT 2005


On 27/06/2005 11:10 p.m., Mark Tinka wrote:
> On Monday 27 June 2005 05:42, Dave Weis wrote:
> 
>> Yes, it's a very simple network, 1 Cisco router, 1
>> Squid server, and 1 3Com total control chassis.
> 
> What OS are you running Squid on? Linux? FreeBSD? 
> etc.?
> 
> With WCCP, especially on a general purpose UNIX-like OS, 
> enabling interception caching is not as easy as flipping 
> on a switch - a lot of things have to be working 
> together for it to work (and there are several).

And some trial and error :(

>> It looks like ip_gre
> 
> If running Linux, have you tried using the ip_wccp.c 
> module located at:
> 
> http://www.squid-cache.org/WCCP-support/Linux/ip_wccp.c
> 
> as Linux's GRE driver doesn't know what to do with the 
> GRE packet that comes from the router? 

It does from kernel 2.6.10 onwards.  It's actually easier to do it with the 
ip_gre module if the kernel supports it (I've used both - using the built-in 
ip_gre module means you never have to rebuild ip_wccp every time your kernel 
changes).

> FreeBSD 4.8 and above doesn't have this problem, as it 
> has GRE and WCCP support in the kernel that will work 
> well with IOS's GRE.
> 
>> No. We have two sites that we are trying to make this
>> work on, one has just the setup above, the other has a
>> web server also. When we first tried to set it up we
>> broke all inbound access, so we are starting with the
>> simple config.
> 
> To not break inbound access, you'll probably need to 
> attach an ACL to your WCCP setup so local web servers 
> (at least those running on port 80), and of course, the 
> Squid box itself, don't get redirected via WCCP, for 
> obvious reasons.

You shouldn't have to add the cache engine.  WCCP is supposed to automatically 
bypass the registered cache engine - although I've seen bugs whereby it 
doesn't work in this way.  But that's buggy behaviour, not by design.

I gather from the bugs and documentation that I've read, that Cisco really 
intend the cache engine to be on an interface of its own, without WCCP 
interception on that interface, and client traffic coming in on another 
interface.  My setup is like yours though.

reuben
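
Added example, not part of the original message and not code from Squid, Cisco or the Linux kernel: a Python decapsulator showing what a GRE receiver has to understand before it can hand WCCP-redirected traffic to the cache. It assumes the router tags redirected packets with GRE protocol type 0x883E instead of 0x0800, and that WCCPv2 places a 4-byte redirect header before the inner IP packet; the function name, sample packets and addresses are constructed for illustration.

```python
import struct

ETH_P_IP = 0x0800    # GRE protocol type for plain IPv4
ETH_P_WCCP = 0x883E  # GRE protocol type used for WCCP-redirected packets

def decap_wccp_gre(gre: bytes):
    """Return (kind, redirect_header, inner_ip) for one GRE payload.

    kind is "ip", "wccp1" or "wccp2"; redirect_header is the raw 4-byte
    WCCPv2 redirect header, or None when there is none.
    """
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007 or flags_ver & 0x4000:
        raise ValueError("unsupported GRE version or source routing")
    offset = 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence number
        if flags_ver & bit:
            offset += 4
    redirect = None
    if proto == ETH_P_IP:
        kind = "ip"
    elif proto == ETH_P_WCCP:
        if len(gre) <= offset:
            raise ValueError("truncated WCCP payload")
        if gre[offset] >> 4 == 4:
            kind = "wccp1"  # IPv4 header follows the GRE header directly
        else:
            # WCCPv2 puts a 4-byte redirect header before the IP packet.
            # First-nibble heuristic: a redirect header starting 0x4?
            # would be misread as an IPv4 header.
            kind, redirect = "wccp2", gre[offset:offset + 4]
            offset += 4
    else:
        raise ValueError(f"unhandled GRE protocol type 0x{proto:04x}")
    inner = gre[offset:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not IPv4")
    return kind, redirect, inner

# Constructed sample data: a bare 20-byte IPv4 header, documentation addresses.
INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes([198, 51, 100, 7]), bytes([203, 0, 113, 80]))
SAMPLE_V1 = struct.pack("!HH", 0, ETH_P_WCCP) + INNER_IP
SAMPLE_V2 = struct.pack("!HH", 0, ETH_P_WCCP) + b"\x00\x00\x00\x2a" + INNER_IP

if __name__ == "__main__":
    for name, pkt in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        kind, redirect, inner = decap_wccp_gre(pkt)
        print(name, kind, redirect, len(inner))
```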



