[c-nsp] WCCP2 VRF Aware
Jeff Orr
jeffborr at gmail.com
Tue Apr 26 23:05:32 EDT 2016
What model of switch are you running this on?
On Tue, Apr 26, 2016 at 11:01 PM Maile Halatuituia <maile.halatuituia at tcc.to>
wrote:
> Hi Jeff
>
> Here are the lists
> #sh ip access-lists WCCP_HTTP
> Extended IP access list WCCP_HTTP
> 10 deny ip host 10.240.0.30 any log-input
> 20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
> 30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
> 40 deny ip any any (212566 matches)
>
>
> #sh ip access-lists WCCP_HTTPS
> Extended IP access list WCCP_HTTPS
> 10 deny ip host 10.240.0.30 any
> 15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
> 20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
> 30 deny ip any any (48 matches)
>
> 10.240.0.30 is my proxy
>
>
> ------------------------------
> *From:* Jeff Orr <jeffborr at gmail.com>
> *Sent:* Wednesday, April 27, 2016 3:27 PM
> *To:* Maile Halatuituia; Cisco Network Service Providers
>
> *Subject:* Re: [c-nsp] WCCP2 VRF Aware
> WCCP can give you fits; we have 54 proxies that our team manages, and we ran into an
> issue similar to what you mentioned not that long ago.
>
> First thing, I see you specified a redirect-list, but it was not included.
> Can you post it? Also, I have run into issues (more in the WAAS space) with
> having the WCCP device and clients on the same subnet. I suggest having the
> SQUID server on a separate SVI.
>
> Finally, what hardware platform is this on? Try using ingress redirect on
> the separate client SVI.
>
> Good luck!
>
> On Tue, Apr 26, 2016 at 5:26 PM Maile Halatuituia <
> maile.halatuituia at tcc.to> wrote:
>
>> Hi
>> Here is my router wccp config
>> In global config I enable ip wccp
>> #ip wccp web-cache redirect-list WCCP_HTTP
>> #ip wccp 70 redirect-list WCCP_HTTPS
>> Interface facing my clients; Squid is also in the same subnet
>>
>> int g0/0.904
>> ip wccp web-cache redirect out
>> ip wccp 70 redirect out
>>
>> Verification
>>
>> #sh ip wccp sum
>> WCCP version 2 enabled, 2 services
>>
>> Service Clients Routers Assign Redirect Bypass
>> ------- ------- ------- ------ -------- ------
>> Default routing table (Router Id: x.x.x.x):
>> web-cache 1 1 HASH GRE GRE
>> 70 1 1 HASH GRE GRE
>>
>> #sh tunnel groups wccp
>> WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
>> intf: Tunnel2, locally sourced
>> WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
>> intf: Tunnel0, locally sourced
>>
>> #sh adjacency tunnel 0 detail
>> Protocol Interface Address
>> IP Tunnel0 10.240.0.30(3)
>> connectionid 1
>> 0 packets, 0 bytes
>> epoch 0
>> sourced in sev-epoch 31
>> Encap length 28
>> 4500000000000000FF2FC732CA861F08
>> 0AF0001E0000883E01460000
>> Tun endpt
>> Next chain element:
>> IP adj out of GigabitEthernet0/0.904,
>> addr 10.240.0.30
>> #sh adjacency tunnel 2 detail
>> Protocol Interface Address
>> IP Tunnel2 10.240.0.30(3)
>> connectionid 1
>> 0 packets, 0 bytes
>> epoch 0
>> sourced in sev-epoch 32
>> Encap length 28
>> 4500000000000000FF2FC732CA861F08
>> 0AF0001E0000883E00000000
>> Tun endpt
>> Next chain element:
>> IP adj out of GigabitEthernet0/0.904,
>> addr 10.240.0.30
>> #sh ip wccp web-cache detail
>> WCCP Client information:
>> WCCP Client ID: 10.240.0.30
>> Protocol Version: 2.0
>> State: Usable
>> Redirection: GRE
>> Packet Return: GRE
>> Assignment: HASH
>> Initial Hash Info: 00000000000000000000000000000000
>> 00000000000000000000000000000000
>> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> Hash Allotment: 256 (100.00%)
>> Packets s/w Redirected: 0
>> Connect Time: 00:08:42
>> GRE Bypassed Packets
>> Process: 0
>> CEF: 0
>> Errors: 0
>> As you can see, all seems to be established between the router and the Squid
>> box, but no PACKET has been redirected.
>> For my IOS
>> ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
>>
>> It's been over two weeks now and I seem to have looked everywhere, but no
>> luck.
>> Also, here are my iptables rules for your info, which run on Ubuntu 14.04 with
>> Squid
>>
>> # squid -v
>> Squid Cache: Version 3.5.16
>> Service Name: squid
>> Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
>> configure options: '--prefix=/usr/local' '--enable-translation'
>> '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock'
>> '--enable-removal-policies=lru,heap' '--enable-wccp2'
>> '--enable-follow-x-forwarded-for' '--enable-cache-digests'
>> '--enable-auth-negotiate=none' '--disable-auth-digest'
>> '--disable-auth-ntlm' '--disable-url-rewrite-helpers'
>> '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file'
>> '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd'
>> '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl'
>> '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe'
>> 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include'
>> 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
>> '--disable-strict-error-checking'
>> '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC
>> Production'
>> IPtables rules for redirection to Squid ports
>> -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
>> -A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>> -A POSTROUTING -j MASQUERADE
>>
>>
>> Appreciate your kind assistance ....
>> Thanks in advance
>> Maile
>>
>>
>>
>> ________________________________________
>> From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Maile
>> Halatuituia <maile.halatuituia at tcc.to>
>> Sent: Monday, April 25, 2016 9:00 PM
>> To: Jeff Orr; cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] WCCP2 VRF Aware
>>
>> Thanks Jeff
>>
>> Can you elaborate on what you refer to as a subset, specifically?
>>
>> Thanks in advance
>>
>> ________________________________
>> From: Jeff Orr <jeffborr at gmail.com>
>> Sent: Monday, April 25, 2016 12:12 PM
>> To: Maile Halatuituia; cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] WCCP2 VRF Aware
>>
>> Check your WCCP settings relating to redirect method. L2 or GRE and hash
>> vs mask. Some devices only support a subset.
>> On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <
>> maile.halatuituia at tcc.to> wrote:
>>
>> Hi
>>
>> I am trying to set up a transparent proxy for a test lab with Cisco IOS 15.0.
>> If I manually input my proxy setting in my browser, I can see the client
>> access with no problem; however, if I remove that proxy setting, it still has
>> access but seems to bypass the proxy.
>>
>> I checked the WCCP2 detail on the router side and it all looks OK, such as the
>> ip wccp vrf XXX detail and view.
>>
>> I also checked using sh adjacency tunnel X encap etc. and it looks fine to
>> me, but it seems the packets are not intercepted and forwarded through the GRE
>> tunnel to the proxy .... any word would help .... thanks
>>
>> Confidentiality Notice: This email (including any attachment) is intended
>> for internal use only. Any unauthorized use, dissemination or copying of
>> the content is prohibited. If you are not the intended recipient and have
>> received this e-mail in error, please notify the sender by email and delete
>> this email and any attachment.
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
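The redirect-list ACLs Maile posted decide which flows the router hands to the cache, so it helps to evaluate them the way IOS does: first match wins, with an implicit deny at the end. The evaluator below is an added example, not code from the thread, from Cisco or from Squid; it is loaded with the two ACLs exactly as posted, and the client and destination addresses used when checking flows are constructed for illustration.

```python
import ipaddress
PORT_NAMES = {"www": 80, "https": 443}  # Cisco port keywords seen in the thread's ACLs
# The two redirect-lists Maile posted, copied verbatim (match counters included)
WCCP_HTTP = """Extended IP access list WCCP_HTTP
10 deny ip host 10.240.0.30 any log-input
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
40 deny ip any any (212566 matches)"""
WCCP_HTTPS = """Extended IP access list WCCP_HTTPS
10 deny ip host 10.240.0.30 any
15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 deny ip any any (48 matches)"""

def _parse_spec(t, i):
    """Consume 'any', 'host A.B.C.D' or 'NET WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(t[i + 1]))      # Cisco wildcard mask ...
    mask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # ... inverted is the subnet mask
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def parse_acl(text):
    """Parse 'show ip access-lists' output into (seq, action, proto, src, dst, dport) tuples."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue                      # header line, not an ACE
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _parse_spec(t, 3)
        dst, i = _parse_spec(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":  # trailing log-input / match counters are ignored
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((seq, action, proto, src, dst, dport))
    return entries

def evaluate(entries, src_ip, dst_ip, dport, proto="tcp"):
    """First match wins. On a WCCP redirect-list, permit means 'redirect to the cache' and
    deny means 'route normally'; (None, 'deny') is the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, p, src, dst, port in entries:
        if p != "ip" and p != proto:
            continue
        if s in src and d in dst and (port is None or port == dport):
            return seq, action
    return None, "deny"
```

Running a client flow from 10.240.0.50 to port 80 against WCCP_HTTP hits line 30 (redirected), while the same flow sourced from the proxy at 10.240.0.30 hits line 10, which is what keeps traffic Squid itself originates from being redirected back into the cache.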