[c-nsp] WCCP2 VRF Aware

Jeff Orr jeffborr at gmail.com
Tue Apr 26 23:14:51 EDT 2016


Found this good article, might be worth a read.
http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

I would still try to use a separate subnet for proxy, and do redirect IN
for clients. However, 1900 should support outbound.

Jeff

On Tue, Apr 26, 2016 at 11:09 PM Maile Halatuituia <maile.halatuituia at tcc.to>
wrote:

> Cisco 1941 running IOS below
>
> Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version
> 15.1(4)M4, RELEASE SOFTWARE (fc1)
>
>
> ------------------------------
> *From:* Jeff Orr <jeffborr at gmail.com>
> *Sent:* Wednesday, April 27, 2016 4:05 PM
>
> *To:* Maile Halatuituia; Cisco Network Service Providers
> *Subject:* Re: [c-nsp] WCCP2 VRF Aware
> What model of switch are you running this on?
>
> On Tue, Apr 26, 2016 at 11:01 PM Maile Halatuituia <
> maile.halatuituia at tcc.to> wrote:
>
>> Hi Jeff
>>
>> Here are the lists
>> #sh ip access-lists WCCP_HTTP
>> Extended IP access list WCCP_HTTP
>>     10 deny ip host 10.240.0.30 any log-input
>>     20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
>>     30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
>>     40 deny ip any any (212566 matches)
>>
>>
>> #sh ip access-lists WCCP_HTTPS
>> Extended IP access list WCCP_HTTPS
>>     10 deny ip host 10.240.0.30 any
>>     15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
>>     20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
>>     30 deny ip any any (48 matches)
>>
>> 10.240.0.30 is my proxy
>>
>>
>> ------------------------------
>> *From:* Jeff Orr <jeffborr at gmail.com>
>> *Sent:* Wednesday, April 27, 2016 3:27 PM
>> *To:* Maile Halatuituia; Cisco Network Service Providers
>>
>> *Subject:* Re: [c-nsp] WCCP2 VRF Aware
>> WCCP can give you fits, we have 54 proxies our team manage and ran into
>> an issue similar to what you mentioned not that long ago.
>>
>> First thing, I see you specified a redirect-list, but it was not
>> included. Can you post it? Also, I have run into issues (more in the WAAS
>> space) with having the WCCP device and clients on the same subnet. I
>> suggest having the SQUID server on a separate SVI.
>>
>> Finally, what hardware platform is this on? Try using ingress redirect on
>> the separate client SVI.
>>
>> Good luck!
>>
>> On Tue, Apr 26, 2016 at 5:26 PM Maile Halatuituia <
>> maile.halatuituia at tcc.to> wrote:
>>
>>> Hi
>>> Here is my router wccp config
>>> In global config I enable ip wccp
>>> #ip wccp web-cache redirect-list WCCP_HTTP
>>> #ip wccp 70 redirect-list WCCP_HTTPS
>>> This is the interface facing my clients; Squid is also in the same subnet
>>>
>>> int g0/0.904
>>> ip wccp web-cache redirect out
>>> ip wccp 70 redirect out
>>>
>>> Verification
>>>
>>> #sh ip wccp sum
>>> WCCP version 2 enabled, 2 services
>>>
>>> Service     Clients   Routers   Assign      Redirect   Bypass
>>> -------     -------   -------   ------      --------   ------
>>> Default routing table (Router Id: x.x.x.x):
>>> web-cache   1         1         HASH        GRE        GRE
>>> 70          1         1         HASH        GRE        GRE
>>>
>>> #sh tunnel groups wccp
>>>  WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
>>>    intf: Tunnel2, locally sourced
>>>  WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
>>>    intf: Tunnel0, locally sourced
>>>
>>> #sh adjacency tunnel 0 detail
>>> Protocol Interface                 Address
>>> IP       Tunnel0                   10.240.0.30(3)
>>>                                    connectionid 1
>>>                                    0 packets, 0 bytes
>>>                                    epoch 0
>>>                                    sourced in sev-epoch 31
>>>                                    Encap length 28
>>>                                    4500000000000000FF2FC732CA861F08
>>>                                    0AF0001E0000883E01460000
>>>                                    Tun endpt
>>>                                    Next chain element:
>>>                                     IP adj out of
>>> GigabitEthernet0/0.904, addr 10.240.0.30
>>> #sh adjacency tunnel 2 detail
>>> Protocol Interface                 Address
>>> IP       Tunnel2                   10.240.0.30(3)
>>>                                    connectionid 1
>>>                                    0 packets, 0 bytes
>>>                                    epoch 0
>>>                                    sourced in sev-epoch 32
>>>                                    Encap length 28
>>>                                    4500000000000000FF2FC732CA861F08
>>>                                    0AF0001E0000883E00000000
>>>                                    Tun endpt
>>>                                    Next chain element:
>>>                                     IP adj out of
>>> GigabitEthernet0/0.904, addr 10.240.0.30
>>> #sh ip wccp web-cache detail
>>> WCCP Client information:
>>>         WCCP Client ID:          10.240.0.30
>>>         Protocol Version:        2.0
>>>         State:                   Usable
>>>         Redirection:             GRE
>>>         Packet Return:           GRE
>>>         Assignment:              HASH
>>>         Initial Hash Info:       00000000000000000000000000000000
>>>                                  00000000000000000000000000000000
>>>         Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>                                  FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>         Hash Allotment:          256 (100.00%)
>>>         Packets s/w Redirected:  0
>>>         Connect Time:            00:08:42
>>>         GRE Bypassed Packets
>>>           Process:               0
>>>           CEF:                   0
>>>           Errors:                0
>>> As you can see, all seems to be established between the router and squid
>>> box but no PACKET has been redirected.
>>> For my IOS
>>> ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
>>>
>>> It's been over two weeks now and I seem to have looked everywhere but no
>>> luck.
>>> Also here are my iptables rules for your info, which run on ubuntu 14.04
>>> with squid
>>>
>>> # squid -v
>>> Squid Cache: Version 3.5.16
>>> Service Name: squid
>>> Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
>>> configure options:  '--prefix=/usr/local' '--enable-translation'
>>> '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock'
>>> '--enable-removal-policies=lru,heap' '--enable-wccp2'
>>> '--enable-follow-x-forwarded-for' '--enable-cache-digests'
>>> '--enable-auth-negotiate=none' '--disable-auth-digest'
>>> '--disable-auth-ntlm' '--disable-url-rewrite-helpers'
>>> '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file'
>>> '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd'
>>> '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl'
>>> '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe'
>>> 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include'
>>> 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
>>> '--disable-strict-error-checking'
>>> '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC
>>> Production'
>>> IPtables Rules for redirection to squid ports
>>> -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
>>> -A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>>> -A POSTROUTING -j MASQUERADE
>>>
>>>
>>> Appreciate your kind assistance.
>>> Thanks in advance
>>> Maile
>>>
>>>
>>>
>>> ________________________________________
>>> From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Maile
>>> Halatuituia <maile.halatuituia at tcc.to>
>>> Sent: Monday, April 25, 2016 9:00 PM
>>> To: Jeff Orr; cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] WCCP2 VRF Aware
>>>
>>> Thanks Jeff
>>>
>>> Can you elaborate on what you refer to as subset, specifically?
>>>
>>> Thanks in advance
>>>
>>> ________________________________
>>> From: Jeff Orr <jeffborr at gmail.com>
>>> Sent: Monday, April 25, 2016 12:12 PM
>>> To: Maile Halatuituia; cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] WCCP2 VRF Aware
>>>
>>> Check your WCCP settings relating to redirect method. L2 or GRE and hash
>>> vs mask. Some devices only support a subset.
>>> On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <
>>> maile.halatuituia at tcc.to> wrote:
>>>
>>> Hi
>>>
>>> I am trying to set up a transparent proxy for a test lab with Cisco 15.0
>>> IOS. If I manually input my proxy setting in my browser, I can see the
>>> client access with no problem; however, if I remove that proxy setting, it
>>> still has access but seems to bypass the proxy.
>>>
>>> I checked the wccp2 detail on the router side and it all looks OK, such as
>>> the ip wccp vrf XXX detail and view.
>>>
>>> I also checked using sh adjacency tunnel X encap etc., and it looks fine
>>> to me, but it seems the packet is not intercepted and forwarded through the
>>> GRE tunnel to the proxy. Any word would help. Thanks
>>>
>>> Confidentiality Notice: This email (including any attachment) is
>>> intended for internal use only. Any unauthorized use, dissemination or
>>> copying of the content is prohibited. If you are not the intended recipient
>>> and have received this e-mail in error, please notify the sender by email
>>> and delete this email and any attachment.
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>
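The two redirect-lists Maile posted earlier in the thread decide which flows the router hands to the web-cache and service-70 groups at all, so it is worth being able to predict that decision offline before staring at GRE adjacencies. The following is an added example written for this page, not code from the thread, from Cisco or from Squid: a small evaluator for Cisco extended ACLs used as WCCP redirect-lists, fed with the two lists exactly as they appear in the `show ip access-lists` output above (hit counters included) and a handful of constructed flows. The flow addresses, the destination 203.0.113.10 (a documentation address standing in for any web server) and the helper names are mine; the evaluator assumes IPv4 and only a destination-port `eq` qualifier, which is all these two lists use.

```python
"""Predict which flows a Cisco WCCP redirect-list hands to the proxy.

Added example, not code from the thread or from Cisco/Squid.  It parses the
two extended ACLs posted above (as show output, counters included) and
evaluates constructed flows against them.  In a WCCP redirect-list a permit
entry means "redirect to the service group" and a deny entry means "route
normally"; first match wins, with an implicit deny at the end.
Assumptions: IPv4 only, and only a destination-port "eq" qualifier.
"""
import ipaddress
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# The two lists exactly as they appear in the thread (header line dropped).
WCCP_HTTP = """
10 deny ip host 10.240.0.30 any log-input
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
40 deny ip any any (212566 matches)
"""
WCCP_HTTPS = """
10 deny ip host 10.240.0.30 any
15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 deny ip any any (48 matches)
"""


def _addr_spec(toks, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), next)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])),
            int(ipaddress.IPv4Address(toks[i + 1]))), i + 2


def _addr_match(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard is don't-care."""
    base, wild = spec
    care = (~wild) & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & care) == 0


def parse_acl(show_output):
    """Parse 'show ip access-lists' entry lines into (seq, action, proto, src, dst, dport)."""
    entries = []
    for raw in show_output.strip().splitlines():
        line = re.sub(r"\(\d+ matches\)", "", raw)      # drop hit counters
        toks = [t for t in line.split() if t not in ("log", "log-input")]
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, i = _addr_spec(toks, 3)
        dst, i = _addr_spec(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        entries.append((seq, action, proto, src, dst, dport))
    return entries


def redirect_decision(acl, src, dst, dport, proto="tcp"):
    """Return (matching_seq, 'redirect' | 'forward') for one flow; first match wins."""
    for seq, action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_addr_match(asrc, src) and _addr_match(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return seq, ("redirect" if action == "permit" else "forward")
    return None, "forward"          # implicit deny at the end of every ACL


HTTP_ACL = parse_acl(WCCP_HTTP)
HTTPS_ACL = parse_acl(WCCP_HTTPS)

# Constructed flows; 203.0.113.10 is a documentation address standing in for
# any Internet web server.
FLOWS = [
    ("client in 10.240.0.0/24, HTTP",     HTTP_ACL,  "10.240.0.55", 80),
    ("the proxy itself, HTTP",            HTTP_ACL,  "10.240.0.30", 80),
    ("client, non-standard port 8080",    HTTP_ACL,  "10.240.0.55", 8080),
    ("client in 10.242.0.0/29, HTTP",     HTTP_ACL,  "10.242.0.5",  80),
    ("10.242.0.9, outside the /29, HTTP", HTTP_ACL,  "10.242.0.9",  80),
    ("client in 10.240.0.0/24, HTTPS",    HTTPS_ACL, "10.240.0.55", 443),
    ("client in 10.242.0.0/29, HTTPS",    HTTPS_ACL, "10.242.0.5",  443),
]


def evaluate_flows(flows=FLOWS, dst="203.0.113.10"):
    """Map each flow label to the (seq, decision) the router would reach."""
    return {label: redirect_decision(acl, src, dst, dport)
            for label, acl, src, dport in flows}


if __name__ == "__main__":
    for label, (seq, decision) in evaluate_flows().items():
        print(f"{label:36s} -> entry {seq}: {decision}")
```

Run as a script it prints one line per constructed flow. Two results are worth noticing against the thread: traffic sourced from the proxy 10.240.0.30 is denied by entry 10 in both lists, which is what keeps Squid's own upstream connections from being redirected back into the GRE tunnel; and a host in 10.242.0.0/29 talking to port 443 falls through to the final deny of WCCP_HTTPS, because entry 20 of that list, as posted, says `eq www` rather than `eq 443`.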

