[c-nsp] WCCP2 VRF Aware

Maile Halatuituia maile.halatuituia at tcc.to
Tue Apr 26 23:58:03 EDT 2016


Jeff Please confirmed what is say below​


1. in my case i should remain with my two access list for the http and https

2. i have to do redirect in on my Router interface facing my clients and redirect out on my interface facing my proxy server right ???


thanks

________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Wednesday, April 27, 2016 4:14 PM
To: Maile Halatuituia; Cisco Network Service Providers
Subject: Re: [c-nsp] WCCP2 VRF Aware

Found this good article, might be worth a read. http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

I would still try to use a separate  subnet for proxy, and do redirect IN for clients. However, 1900 should support outbound.

Jeff

On Tue, Apr 26, 2016 at 11:09 PM Maile Halatuituia <maile.halatuituia at tcc.to<mailto:maile.halatuituia at tcc.to>> wrote:

Cisco 1941 running IOS below

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)​


________________________________
From: Jeff Orr <jeffborr at gmail.com<mailto:jeffborr at gmail.com>>
Sent: Wednesday, April 27, 2016 4:05 PM

To: Maile Halatuituia; Cisco Network Service Providers
Subject: Re: [c-nsp] WCCP2 VRF Aware
What model of switch are you running this on?

On Tue, Apr 26, 2016 at 11:01 PM Maile Halatuituia <maile.halatuituia at tcc.to<mailto:maile.halatuituia at tcc.to>> wrote:

Hi Jeff

Here are the lists

#sh ip access-lists WCCP_HTTP
Extended IP access list WCCP_HTTP
    10 deny ip host 10.240.0.30 any log-input
    20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
    30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
    40 deny ip any any (212566 matches)


#sh ip access-lists WCCP_HTTPS
Extended IP access list WCCP_HTTPS
    10 deny ip host 10.240.0.30 any
    15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
    20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
    30 deny ip any any (48 matches)

10.240.0.30 is my proxy



________________________________
From: Jeff Orr <jeffborr at gmail.com<mailto:jeffborr at gmail.com>>
Sent: Wednesday, April 27, 2016 3:27 PM
To: Maile Halatuituia; Cisco Network Service Providers

Subject: Re: [c-nsp] WCCP2 VRF Aware
WCCP can give you fits, we have 54 proxies our team manage and ran into an issue similar to what you mentioned not that long ago.

First thing, I see you specified a redirect-list, but it was not included. Can you post it? Also, I have run into issues (more in the WAAS space) with having the WCCP device and clients on the same subnet. I suggest having the SQUID server on a separate SVI.

Finally, what hardware platform is this on? Try using ingress redirect on the seperate client SVI.

Good luck!

On Tue, Apr 26, 2016 at 5:26 PM Maile Halatuituia <maile.halatuituia at tcc.to<mailto:maile.halatuituia at tcc.to>> wrote:
Hi
Here is my router wccp config
In global config i enable ip wccp
#ip wccp web-cache redirect-list WCCP_HTTP
#ip wccp 70 redirect-list WCCP_HTTPS
Interface facing my Clients and also Squid is in the same subnet

int g0/0.904
ip wccp web-cache redirect out
ip wccp 70 redirect out.

Verification

#sh ip wccp sum
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: x.x.x.x):
web-cache   1         1         HASH        GRE        GRE
70                  1         1         HASH        GRE        GRE

#sh tunnel groups wccp
 WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel2, locally sourced
 WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel0, locally sourced

#sh adjacency tunnel 0 detail
Protocol Interface                 Address
IP       Tunnel0                   10.240.0.30(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 31
                                   Encap length 28
                                   4500000000000000FF2FC732CA861F08
                                   0AF0001E0000883E01460000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh adjacency tunnel 2 detail
    Protocol Interface                 Address
IP       Tunnel2                   10.240.0.30(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 32
                                   Encap length 28
                                   4500000000000000FF2FC732CA861F08
                                   0AF0001E0000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          10.240.0.30
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
        Connect Time:            00:08:42
        GRE Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0
If you can see all seems to be established between the router and squid box but no PACKET has been redirected.
For my IOS
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

It's been over two weeks now and i seems to looking everywhere but no luck.
Also here is my iptables rules for you info whch run on ubuntu 14.04 with squid

# squid -v
Squid Cache: Version 3.5.16
Service Name: squid
Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
configure options:  '--prefix=/usr/local' '--enable-translation' '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-wccp2' '--enable-follow-x-forwarded-for' '--enable-cache-digests' '--enable-auth-negotiate=none' '--disable-auth-digest' '--disable-auth-ntlm' '--disable-url-rewrite-helpers' '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file' '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd' '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl' '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe' 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' '--disable-strict-error-checking' '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production'
IPtables Rules for redirection to squid ports
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE


Appreciate you kind asistance ....
hanks in advance
Maile



________________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net<mailto:cisco-nsp-bounces at puck.nether.net>> on behalf of Maile Halatuituia <maile.halatuituia at tcc.to<mailto:maile.halatuituia at tcc.to>>
Sent: Monday, April 25, 2016 9:00 PM
To: Jeff Orr; cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] WCCP2 VRF Aware

?Thanks Jeff

Can you elaborate on what you refer to as subset specifically ???

Thanks in advance

________________________________
From: Jeff Orr <jeffborr at gmail.com<mailto:jeffborr at gmail.com>>
Sent: Monday, April 25, 2016 12:12 PM
To: Maile Halatuituia; cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] WCCP2 VRF Aware

Check your WCCP settings relating to redirect method. L2 or GRE and hash vs mask. Some devices only support a subset.
On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <maile.halatuituia at tcc.to<mailto:maile.halatuituia at tcc.to><mailto:maile.halatuituia at tcc.to<mailto:maile.halatuituia at tcc.to>>> wrote:

Hi

i am trying to setup transparent proxy for a Test Lab with cisco 15.0 IOS. If i manually input my proxy setting on my browser, i can see the client access with no problem, however if i remove that proxy setting then it still access but seems it bypass the proxy.

i check wccp2 detail on the router sides and it all looks OK such as the ip wccp vrf XXX detail and view,

also i check using the sh adjacency tunnel X encap etc etc it lokks fine for me, but seems packet is not intercept and forward through the gre tunnel to the proxy .... any word would be help .... thanks

Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net><mailto:cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.


More information about the cisco-nsp mailing list