[c-nsp] WCCP2 VRF Aware
Maile Halatuituia
maile.halatuituia at tcc.to
Tue Apr 26 23:58:03 EDT 2016
Jeff, please confirm what I say below:
1. In my case I should remain with my two access lists for HTTP and HTTPS.
2. I have to do redirect in on my router interface facing my clients and redirect out on my interface facing my proxy server, right???
Thanks
________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Wednesday, April 27, 2016 4:14 PM
To: Maile Halatuituia; Cisco Network Service Providers
Subject: Re: [c-nsp] WCCP2 VRF Aware
Found this good article, might be worth a read. http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
I would still try to use a separate subnet for proxy, and do redirect IN for clients. However, 1900 should support outbound.
Jeff
On Tue, Apr 26, 2016 at 11:09 PM Maile Halatuituia <maile.halatuituia at tcc.to> wrote:
Cisco 1941 running IOS below
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Wednesday, April 27, 2016 4:05 PM
To: Maile Halatuituia; Cisco Network Service Providers
Subject: Re: [c-nsp] WCCP2 VRF Aware
What model of switch are you running this on?
On Tue, Apr 26, 2016 at 11:01 PM Maile Halatuituia <maile.halatuituia at tcc.to> wrote:
Hi Jeff,
Here are the lists:
#sh ip access-lists WCCP_HTTP
Extended IP access list WCCP_HTTP
10 deny ip host 10.240.0.30 any log-input
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
40 deny ip any any (212566 matches)
#sh ip access-lists WCCP_HTTPS
Extended IP access list WCCP_HTTPS
10 deny ip host 10.240.0.30 any
15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 deny ip any any (48 matches)
10.240.0.30 is my proxy.
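As an added example (not code from the thread), here is a small Python first-match evaluator for the two redirect-lists above, so you can check which client flows the router would hand to WCCP before changing the interface config: run against the lists as posted, it shows that the proxy's own address 10.240.0.30 is excluded by line 10 (which is what prevents a redirect loop), that 10.240.0.0/24 clients are redirected on both 80 and 443, and that a 10.242.0.0/29 client on port 443 falls through to the final deny of WCCP_HTTPS because its line 20 matches www rather than 443. It assumes IOS ACL semantics (top-down, first match wins, implicit deny at the end) and uses constructed client and destination addresses.

```python
import ipaddress
# Redirect-lists pasted from the thread, kept in raw "show ip access-lists" form;
# the header, the log-input keyword and the hit counters are ignored by the parser.
WCCP_HTTP = """Extended IP access list WCCP_HTTP
10 deny ip host 10.240.0.30 any log-input
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 permit tcp 10.240.0.0 0.0.0.255 any eq www log-input (11723 matches)
40 deny ip any any (212566 matches)"""
WCCP_HTTPS = """Extended IP access list WCCP_HTTPS
10 deny ip host 10.240.0.30 any
15 permit tcp 10.240.0.0 0.0.0.255 any eq 443 log-input (22471 matches)
20 permit tcp 10.242.0.0 0.0.0.7 any eq www log-input
30 deny ip any any (48 matches)"""
PORT_NAMES = {"www": 80, "https": 443}

def _addr(tok):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    if tok[1] == "0.0.0.0":  # an all-zero wildcard also means exactly one host
        return ipaddress.ip_network(tok[0] + "/32"), tok[2:]
    # ipaddress reads an IOS wildcard as a hostmask: 0.0.0.7 -> /29, 0.0.0.255 -> /24
    return ipaddress.ip_network(tok[0] + "/" + tok[1], strict=False), tok[2:]

def parse_acl(text):
    """Parse show output into ordered ACEs: (seq, action, proto, src, dst, dport-or-None)."""
    aces = []
    for line in text.splitlines():
        tok = line.split("(")[0].split()  # drop "(N matches)" counters
        if not tok or not tok[0].isdigit():
            continue                      # skip the "Extended IP access list" header
        src, rest = _addr(tok[3:])
        dst, rest = _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append((int(tok[0]), tok[1], tok[2], src, dst, dport))
    return aces

def redirected(acl, src_ip, dst_ip, dport, proto="tcp"):
    """First-match evaluation, as IOS applies a redirect-list: (would_redirect, matching seq)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, ace_proto, src, dst, ace_port in acl:
        if ace_proto not in ("ip", proto) or s not in src or d not in dst:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action == "permit", seq
    return False, None  # implicit deny at the end of every IOS ACL
```

Client and destination addresses in the checks below are constructed for the example; the only real addresses are the ones from the posted lists.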
________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Wednesday, April 27, 2016 3:27 PM
To: Maile Halatuituia; Cisco Network Service Providers
Subject: Re: [c-nsp] WCCP2 VRF Aware
WCCP can give you fits; we have 54 proxies our team manages and ran into an issue similar to what you mentioned not that long ago.
First thing, I see you specified a redirect-list, but it was not included. Can you post it? Also, I have run into issues (more in the WAAS space) with having the WCCP device and clients on the same subnet. I suggest having the Squid server on a separate SVI.
Finally, what hardware platform is this on? Try using ingress redirect on the separate client SVI.
Good luck!
On Tue, Apr 26, 2016 at 5:26 PM Maile Halatuituia <maile.halatuituia at tcc.to> wrote:
Hi,
Here is my router WCCP config.
In global config I enable ip wccp:
#ip wccp web-cache redirect-list WCCP_HTTP
#ip wccp 70 redirect-list WCCP_HTTPS
Interface facing my clients (Squid is also in the same subnet):
int g0/0.904
ip wccp web-cache redirect out
ip wccp 70 redirect out
Verification:
#sh ip wccp sum
WCCP version 2 enabled, 2 services
Service Clients Routers Assign Redirect Bypass
------- ------- ------- ------ -------- ------
Default routing table (Router Id: x.x.x.x):
web-cache 1 1 HASH GRE GRE
70 1 1 HASH GRE GRE
#sh tunnel groups wccp
WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
intf: Tunnel2, locally sourced
WCCP : service group 326 in "Default", ver v2, assgnmnt: hash-table
intf: Tunnel0, locally sourced
#sh adjacency tunnel 0 detail
Protocol Interface Address
IP Tunnel0 10.240.0.30(3)
connectionid 1
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 31
Encap length 28
4500000000000000FF2FC732CA861F08
0AF0001E0000883E01460000
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh adjacency tunnel 2 detail
Protocol Interface Address
IP Tunnel2 10.240.0.30(3)
connectionid 1
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 32
Encap length 28
4500000000000000FF2FC732CA861F08
0AF0001E0000883E00000000
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/0.904, addr 10.240.0.30
#sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.240.0.30
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 0
Connect Time: 00:08:42
GRE Bypassed Packets
Process: 0
CEF: 0
Errors: 0
As you can see, all seems to be established between the router and the Squid box, but no packet has been redirected.
For my IOS:
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
It's been over two weeks now and I seem to be looking everywhere but no luck.
Also here are my iptables rules for your info, which run on Ubuntu 14.04 with Squid:
# squid -v
Squid Cache: Version 3.5.16
Service Name: squid
Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production
configure options: '--prefix=/usr/local' '--enable-translation' '--enable-external-acl-helpers=none' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-wccp2' '--enable-follow-x-forwarded-for' '--enable-cache-digests' '--enable-auth-negotiate=none' '--disable-auth-digest' '--disable-auth-ntlm' '--disable-url-rewrite-helpers' '--enable-storeid-rewrite-helpers=file' '--enable-log-daemon-helpers=file' '--with-openssl=/usr/local' '--enable-ssl' '--enable-ssl-crtd' '--enable-zph-qos' '--enable-snmp' '--enable-inline' '--with-dl' '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -pipe' 'CXXFLAGS=-O3 -m64 -pipe' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' '--disable-strict-error-checking' '--enable-build-info=Intercept/WCCPv2/LibreSSL/CRTD/(A)UFS/DISKD/ROCK/eCAP/64/GCC Production'
iptables rules for redirection to Squid ports:
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
Appreciate your kind assistance ....
Thanks in advance
Maile
________________________________________
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Maile Halatuituia <maile.halatuituia at tcc.to>
Sent: Monday, April 25, 2016 9:00 PM
To: Jeff Orr; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WCCP2 VRF Aware
Thanks Jeff
Can you elaborate on what you refer to as a subset, specifically???
Thanks in advance
________________________________
From: Jeff Orr <jeffborr at gmail.com>
Sent: Monday, April 25, 2016 12:12 PM
To: Maile Halatuituia; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WCCP2 VRF Aware
Check your WCCP settings relating to redirect method. L2 or GRE and hash vs mask. Some devices only support a subset.
On Sun, Apr 17, 2016 at 11:21 PM Maile Halatuituia <maile.halatuituia at tcc.to> wrote:
Hi,
I am trying to set up a transparent proxy for a test lab with Cisco 15.0 IOS. If I manually input my proxy setting in my browser, I can see the client access with no problem; however, if I remove that proxy setting it still has access but seems to bypass the proxy.
I checked the wccp2 detail on the router side and it all looks OK, such as the ip wccp vrf XXX detail and view;
also I checked using sh adjacency tunnel X encap etc. etc. and it looks fine to me, but it seems the packet is not intercepted and forwarded through the GRE tunnel to the proxy .... any word would help .... thanks
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/