[c-nsp] WCCP2 VRF Aware

Maile Halatuituia maile.halatuituia at tcc.to
Tue Apr 26 17:26:14 EDT 2016


Hi
Here is my router wccp config
In global config I enable ip wccp
#ip wccp web-cache redirect-list WCCP_HTTP
#ip wccp 70 redirect-list WCCP_HTTPS
Interface facing my Clients and also Squid is in the same subnet

int g0/0.904
ip wccp web-cache redirect out
ip wccp 70 redirect out

Verification

#sh ip wccp sum
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: x.x.x.x):
web-cache   1         1         HASH        GRE        GRE
70          1         1         HASH        GRE        GRE

#sh tunnel groups wccp
 WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel2, locally sourced
 WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel0, locally sourced

#sh adjacency tunnel 0 detail
Protocol Interface                 Address
IP       Tunnel0                   10.240.0.30(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 31
                                   Encap length 28
                                   4500000000000000FF2FC732CA861F08
                                   0AF0001E0000883E01460000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh adjacency tunnel 2 detail
Protocol Interface                 Address
IP       Tunnel2                   10.240.0.30(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 32
                                   Encap length 28
                                   4500000000000000FF2FC732CA861F08
                                   0AF0001E0000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          10.240.0.30
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
        Connect Time:            00:08:42
        GRE Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0
As you can see, all seems to be established between the router and the Squid box, but no PACKET has been redirected.
For my IOS
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

It's been over two weeks now and I seem to be looking everywhere, but no luck.
Also, here are my iptables rules for your info, which run on Ubuntu 14.04 with Squid

# squid -v
Squid Cache: Version 3.5.16
Service Name: squid
Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
configure options:  '--prefix=/usr/local' '--enable-translation' '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-wccp2' '--enable-follow-x-forwarded-for' '--enable-cache-digests' '--enable-auth-negotiate=none' '--disable-auth-digest' '--disable-auth-ntlm' '--disable-url-rewrite-helpers' '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file' '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd' '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl' '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe' 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' '--disable-strict-error-checking' '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production'
IPtables Rules for redirection to squid ports
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE


Appreciate your kind assistance ....
Thanks in advance
Maile
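
The "Encap length 28" hex strings in the two adjacency outputs above can be decoded offline to confirm what the router intends to send. This is an added example, not code from the poster: it parses the outer IPv4 header, the GRE header and the 4-byte WCCPv2 redirect header, with the hex copied from the post and the function name `decode_encap` chosen for illustration.

```python
import ipaddress
import struct

# Encap strings copied from the two "sh adjacency tunnel N detail" outputs above.
ENCAPS = {
    "Tunnel0": "4500000000000000FF2FC732CA861F08" "0AF0001E0000883E01460000",
    "Tunnel2": "4500000000000000FF2FC732CA861F08" "0AF0001E0000883E00000000",
}

IPPROTO_GRE = 47          # IP protocol number for GRE
GRE_PROTO_WCCP = 0x883E   # GRE protocol type used for WCCP redirection


def decode_encap(hexstr):
    """Decode an outer IPv4 + GRE + WCCPv2 redirect header template."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 24:
        raise ValueError("too short for IPv4 + GRE")
    (ver_ihl, _tos, _tot_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl != 20:
        raise ValueError("expected an option-less IPv4 header")
    gre_flags, gre_proto = struct.unpack("!HH", raw[20:24])
    info = {
        "encap_len": len(raw),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "ip_proto": proto,
        "gre_flags": gre_flags,
        "gre_proto": gre_proto,
        "redirect": None,
    }
    # WCCPv2 places a 4-byte redirect header after the GRE header:
    # flags, service ID, alternate bucket, primary bucket.
    if gre_proto == GRE_PROTO_WCCP and len(raw) >= 28:
        flags, service_id, alt_bucket, pri_bucket = raw[24:28]
        info["redirect"] = {"flags": flags, "service_id": service_id,
                            "alt_bucket": alt_bucket, "pri_bucket": pri_bucket}
    return info


if __name__ == "__main__":
    for name, hexstr in ENCAPS.items():
        d = decode_encap(hexstr)
        print(name, d["src"], "->", d["dst"], hex(d["gre_proto"]), d["redirect"])
```

Both templates use GRE protocol type 0x883E toward 10.240.0.30 and carry service IDs 70 and 0, matching the two services in the `sh ip wccp sum` table. A capture on the Squid host filtered on IP protocol 47 would show whether packets with this encapsulation actually arrive.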



________________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Maile Halatuituia <maile.halatuituia at tcc.to>
Sent: Monday, April 25, 2016 9:00 PM
To: Jeff Orr; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WCCP2 VRF Aware

Thanks Jeff

Can you elaborate on what you refer to as subset specifically ???

Thanks in advance

________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Monday, April 25, 2016 12:12 PM
To: Maile Halatuituia; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WCCP2 VRF Aware

Check your WCCP settings relating to redirect method. L2 or GRE and hash vs mask. Some devices only support a subset.

On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <maile.halatuituia at tcc.to> wrote:

Hi

I am trying to set up a transparent proxy for a Test Lab with Cisco 15.0 IOS. If I manually input my proxy setting in my browser, I can see the client access with no problem; however, if I remove that proxy setting then it still has access but it seems to bypass the proxy.

I check wccp2 detail on the router side and it all looks OK, such as the ip wccp vrf XXX detail and view,

also I check using the sh adjacency tunnel X encap etc etc and it looks fine to me, but it seems packets are not intercepted and forwarded through the GRE tunnel to the proxy .... any word would be a help .... thanks

Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/