[c-nsp] WCCP2 VRF Aware
Maile Halatuituia
maile.halatuituia at tcc.to
Tue Apr 26 17:26:14 EDT 2016
Hi
Here is my router wccp config
In global config I enable ip wccp
#ip wccp web-cache redirect-list WCCP_HTTP
#ip wccp 70 redirect-list WCCP_HTTPS
Interface facing my Clients and also Squid is in the same subnet
int g0/0.904
ip wccp web-cache redirect out
ip wccp 70 redirect out.
Verification
#sh ip wccp sum
WCCP version 2 enabled, 2 services
Service Clients Routers Assign Redirect Bypass
------- ------- ------- ------ -------- ------
Default routing table (Router Id: x.x.x.x):
web-cache 1 1 HASH GRE GRE
70 1 1 HASH GRE GRE
#sh tunnel groups wccp
WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
intf: Tunnel2, locally sourced
WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
intf: Tunnel0, locally sourced
#sh adjacency tunnel 0 detail
Protocol Interface Address
IP Tunnel0 10.240.0.30(3)
connectionid 1
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 31
Encap length 28
4500000000000000FF2FC732CA861F08
0AF0001E0000883E01460000
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh adjacency tunnel 2 detail
Protocol Interface Address
IP Tunnel2 10.240.0.30(3)
connectionid 1
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 32
Encap length 28
4500000000000000FF2FC732CA861F08
0AF0001E0000883E00000000
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.240.0.30
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 0
Connect Time: 00:08:42
GRE Bypassed Packets
Process: 0
CEF: 0
Errors: 0
As you can see, all seems to be established between the router and the Squid box, but no PACKET has been redirected.
For my IOS
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
It's been over two weeks now and I seem to be looking everywhere but no luck.
Also, here are my iptables rules for your info, which run on Ubuntu 14.04 with Squid
# squid -v
Squid Cache: Version 3.5.16
Service Name: squid
Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
configure options: '--prefix=/usr/local' '--enable-translation' '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-wccp2' '--enable-follow-x-forwarded-for' '--enable-cache-digests' '--enable-auth-negotiate=none' '--disable-auth-digest' '--disable-auth-ntlm' '--disable-url-rewrite-helpers' '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file' '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd' '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl' '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe' 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' '--disable-strict-error-checking' '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production'
IPtables Rules for redirection to squid ports
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
Appreciate your kind assistance ....
Thanks in advance
Maile
________________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Maile Halatuituia <maile.halatuituia at tcc.to>
Sent: Monday, April 25, 2016 9:00 PM
To: Jeff Orr; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WCCP2 VRF Aware
Thanks Jeff
Can you elaborate on what you refer to as subset specifically ???
Thanks in advance
________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Monday, April 25, 2016 12:12 PM
To: Maile Halatuituia; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WCCP2 VRF Aware
Check your WCCP settings relating to redirect method. L2 or GRE and hash vs mask. Some devices only support a subset.
On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <maile.halatuituia at tcc.to> wrote:
Hi
I am trying to set up a transparent proxy for a Test Lab with Cisco 15.0 IOS. If I manually input my proxy setting on my browser, I can see the client access with no problem; however, if I remove that proxy setting then it still accesses but it seems to bypass the proxy.
I check wccp2 detail on the router side and it all looks OK, such as the ip wccp vrf XXX detail and view,
also I check using the sh adjacency tunnel X encap etc. etc. and it looks fine to me, but it seems packets are not intercepted and forwarded through the GRE tunnel to the proxy .... any word would be a help .... thanks
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
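Added example (not part of the original thread and not Cisco tooling): decoding the 28-byte rewrite strings from the `sh adjacency tunnel 0 detail` and `sh adjacency tunnel 2 detail` output in the message above, to confirm what the router would prepend to a redirected packet. The split of the last four bytes into flags, service ID and bucket bytes, and the reading of the first two of them as the service-group number, are assumptions; the decoded values do match service groups 326 and 0 from `sh tunnel groups wccp`.

```python
import ipaddress
import struct

# Rewrite strings copied from the "sh adjacency tunnel 0/2 detail" output above.
ENCAP = {
    "Tunnel0": "4500000000000000FF2FC732CA861F08" "0AF0001E0000883E01460000",
    "Tunnel2": "4500000000000000FF2FC732CA861F08" "0AF0001E0000883E00000000",
}
GRE_PROTO_WCCP = 0x883E  # GRE protocol type used for WCCP redirection


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header, checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_encap(hex_string: str) -> dict:
    """Split a rewrite string into outer IPv4, GRE and WCCP redirect fields."""
    raw = bytes.fromhex(hex_string)
    ihl = (raw[0] & 0x0F) * 4
    ip, rest = raw[:ihl], raw[ihl:]
    ttl, proto, csum = struct.unpack("!BBH", ip[8:12])
    gre_flags, gre_proto = struct.unpack("!HH", rest[:4])
    # Assumed layout of the last 4 bytes: flags, service ID, two bucket bytes.
    flags, service_id, pri_bucket, alt_bucket = rest[4:8]
    return {
        "length": len(raw),  # should equal "Encap length 28"
        "ttl": ttl,
        "ip_proto": proto,  # 47 = GRE
        "checksum_ok": csum == ip_checksum(ip),
        "src": str(ipaddress.ip_address(ip[12:16])),
        "dst": str(ipaddress.ip_address(ip[16:20])),
        "is_wccp_gre": gre_flags == 0 and gre_proto == GRE_PROTO_WCCP,
        "service_id": service_id,
        # Assumption: IOS shows flags+service ID as one 16-bit group number.
        "service_group": (flags << 8) | service_id,
    }


if __name__ == "__main__":
    for tunnel, hex_string in ENCAP.items():
        print(tunnel, decode_encap(hex_string))
```

Both templates decode to a valid GRE header toward 10.240.0.30, which agrees with the "Redirection: GRE" state and leaves the zero packet counters as the open question.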