WCCPv2 and Squid-cache v3.1, a nice couple.
May 21, 2013
The WCCP protocol can be much more interesting than the two commands needed for the CCIE exam. In this lab we deploy a basic end-to-end solution using IOS 15.2S and the well-known open-source Squid v3.1 as the content engine.
WCCP version2 is deployed in the lab.
Figure 1: Topology
WCCP enables the router to transparently intercept client traffic destined to the Internet and redirect it to a local content engine. Client browsers do not point to the content engine as a proxy.
The router and the content engine communicate through unidirectional point-to-point tunnels (either Layer 2 or GRE).
The tunnel interfaces are automatically created in order to process outgoing GRE-encapsulated traffic for WCCP.
Short definitions of some related concepts:

| Concept | Definition |
|---|---|
| Forward proxy | Filters access to the Internet and reduces the bandwidth spent on static Internet resources such as regular updates and large file downloads. |
| Reverse proxy | Allows external users (e.g. on the Internet) to access internal servers. Generally supports security features as well as caching and load balancing. |
| WCCP bypass packets | When the content engine cannot handle the redirected packets appropriately, it returns them unchanged to the originating router. These packets are called bypass packets. |
| Closed service (default = open) | WCCP discards packets for which no WCCP client (external device) is registered to receive the redirected traffic. |
Router configuration
The router configuration is straightforward:

ip cef
ip wccp web-cache password 0 cisco
!
interface FastEthernet0/0
 ip wccp web-cache redirect in
We are not using ip wccp web-cache redirect out, which is used on interfaces facing outside users trying to connect to inside servers (reverse proxy).
Fa0/0 is the interface facing internal clients trying to connect to the Internet.
Of course, you can add other functionality such as more services or filtering of the packets to be redirected.
Router verification commands
sh ip int fa0/0
sh ip int brief
sh tunnel in Tunnel0
sh tunnel in Tunnel1
sh ip wccp summary
sh ip wccp global counters
sh ip wccp
sh ip wccp web-cache counters
sh tunnel groups wccp
sh adjacency tunnel 0 detail
sh ip wccp web-cache detail
Here is the outcome
Squid config
The configuration is slightly different depending on what Squid and IOS version/platform you are using, so make sure to refer to appropriate configuration guides.
Enabling WCCPv2 on Squid to work with your router:

wccp2_router 192.168.1.121
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
http_port 3128 intercept

| Directive | Meaning |
|---|---|
| wccp2_router 192.168.1.121 | Designates the router intercepting the traffic |
| wccp2_forwarding_method gre | Router-to-Squid encapsulation |
| wccp2_return_method gre | Squid-to-router encapsulation |
| wccp2_service standard 0 password=cisco | The standard service defines HTTP traffic interception, with password protection between Squid and the router |
| http_port 3128 intercept | Configures Squid 3.1 for transparent interception |
To illustrate the concept, Squid is configured with a permissive strategy (the last rule permits everything). As with Cisco ACLs, the first matching rule is applied. With a restrictive strategy, make sure to put the "allow" rules before the final "deny all".
The initial Squid configuration file looks very intimidating, so create a version free of comments and empty lines using:
grep -ve ^$ -ve ^# /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.2.0/24
acl alldst dst 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access allow alldst
http_access allow all
#http_access deny all
http_port 3128 intercept
visible_hostname squid31.cciethebeginning.wordpress.com
wccp2_router 192.168.1.121
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
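As an added illustration (my own example, not part of the original post or of Squid itself), here is a small first-match evaluator for the http_access logic described above, fed with a constructed excerpt of the squid.conf shown; the request dictionaries and the line numbers it returns are conventions of this example only. It shows why the trailing "deny all" never fires once "allow all" precedes it, and why a restrictive policy must place its allow lines first.

```python
import ipaddress
# Constructed excerpt of the page's squid.conf: permissive strategy, "allow all" last.
SQUID_CONF = """
acl localhost src 127.0.0.1/32
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access allow all
http_access deny all
"""

def parse_conf(text):
    """Collect acl definitions by name and http_access lines in file order."""
    acls, rules = {}, []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # a single port or a lo-hi range
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req["method"] in values
    raise ValueError("acl type not modelled: " + kind)

def http_access(acls, rules, req):
    """Return (verdict, line number): the first line whose terms all match wins."""
    for n, (verdict, terms) in enumerate(rules, 1):
        for term in terms:
            name = term.lstrip("!")
            hit = name == "all" or acl_matches(acls[name], req)
            if hit == term.startswith("!"):  # negated hit or plain miss: line fails
                break
        else:
            return verdict, n
    # Squid's documented fallback when no line matches: opposite of the last line
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```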
Linux verification
Observing IOS-Squid communication through Wireshark
The following Wireshark snapshots illustrate the two communication tunnels established between the router and Squid, as well as client-to-Internet traffic redirected from the router to Squid.
Figure 3: GRE tunnels
Figure 4: Redirected traffic
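Added example, not code from the original post or from Squid: a parser for the WCCPv2 HERE_I_AM / I_SEE_YOU messages seen in such a capture, with a defender's check that flags messages sent without MD5 security or whose digest does not match the shared password. The builder constructs sample packets inline; message type, version and component numbers are from the WCCPv2 draft, and the digest construction is my reading of the draft and of Squid's wccp2.cc, which you should confirm against your own capture before relying on it.

```python
import hashlib, struct
# WCCPv2 control traffic: UDP/2048, 8-byte header, then TLV components (WCCPv2 draft).
# Digest = MD5(8-byte zero-padded password || message with digest field zeroed), which is
# my reading of Squid's wccp2.cc and the draft: verify against your own capture.
MSG_NAMES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGN", 13: "REMOVAL_QUERY"}
WCCP2_HERE_I_AM, WCCP2_I_SEE_YOU = 10, 11
COMP_SECURITY, COMP_SERVICE = 0, 1
WCCP2_NO_SECURITY, WCCP2_MD5_SECURITY = 0, 1

def _digest(password, message, off):
    pwd = password.encode()[:8].ljust(8, b"\0")
    zeroed = message[:off] + b"\0" * 16 + message[off + 16:]
    return hashlib.md5(pwd + zeroed).digest()

def build_message(msg_type, service_id=0, password=None):
    """Constructed message carrying a Security Info and a Service Info component."""
    # Service Info: service type (0 = standard), id, priority, protocol, flags, 8 ports
    service = struct.pack("!BBBBI8H", 0, service_id, 0, 0, 0, *[0] * 8)
    sec = struct.pack("!I", WCCP2_NO_SECURITY) if password is None else \
        struct.pack("!I", WCCP2_MD5_SECURITY) + b"\0" * 16  # digest filled in below
    body = (struct.pack("!HH", COMP_SECURITY, len(sec)) + sec
            + struct.pack("!HH", COMP_SERVICE, len(service)) + service)
    msg = struct.pack("!IHH", msg_type, 0x0200, len(body)) + body
    if password is not None:
        off = 8 + 4 + 4  # header + component header + security option field
        msg = msg[:off] + _digest(password, msg, off) + msg[off + 16:]
    return msg

def parse_message(data):
    msg_type, version, length = struct.unpack("!IHH", data[:8])
    if version != 0x0200 or len(data) != 8 + length:
        raise ValueError("not a well-formed WCCPv2 message")
    comps, off = {}, 8
    while off < len(data):  # walk the type/length/value components
        ctype, clen = struct.unpack("!HH", data[off:off + 4])
        comps[ctype] = (off + 4, data[off + 4:off + 4 + clen])
        off += 4 + clen
    sec_off, sec = comps[COMP_SECURITY]
    return {"type": MSG_NAMES.get(msg_type, msg_type), "digest_offset": sec_off + 4,
            "security": struct.unpack("!I", sec[:4])[0],
            "service_id": comps[COMP_SERVICE][1][1]}

def check_message(data, password):
    """Defender's check: flag unauthenticated control traffic and bad digests."""
    info = parse_message(data)
    if info["security"] != WCCP2_MD5_SECURITY:
        return "ALERT: %s without MD5 security" % info["type"]
    off = info["digest_offset"]
    if data[off:off + 16] != _digest(password, data, off):
        return "ALERT: %s digest mismatch (wrong password or tampering)" % info["type"]
    return "OK: %s for service %d authenticated" % (info["type"], info["service_id"])
```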
This should give you a starting point from which you can dig deeper into Squid and IOS cooperation.
Reference links
I found your post very comprehensive and useful. However, I have one question.
All the other tutorials showed some "iptables" settings on Linux which are not mentioned anywhere in your post.
Did you miss it, or is it not required in your OS and configuration?
Please reply.
Hi Akshay. The goal is to introduce the topic step by step in its simplest form, so it is easy to grasp the concept and troubleshoot eventual issues.
I operated step by step so everything works fine; only then do you move forward and add additional services (iptables/ipfw, etc.) on top of what already works.
I hope this helps.
Hi ajnouri
Actually I followed your article and did exactly what you suggested, but things just didn't work.
I am using a Cisco 2921 and Ubuntu 12.04. Then, after some more googling, I came to know about the additional configuration that we have to do in order to make WCCP work. Can you please help me out with the required Linux settings also? Or maybe share the configurations that you had in place to make it work.
Thanks for your prompt reply !
Hi Akshay,
Take a look at this page for IOS version
http://wiki.squid-cache.org/Features/Wccp2
Step 1: Simple connectivity with just routing and IP addresses configured on the router interfaces and the Linux box (Squid host)
Step validator:
Make sure you have successful connectivity (with just routing and IP addresses configured on the interfaces) between:
– internal and external
– internal and squid
– squid and external
Step 2: WCCPv2 router configuration
ip cef
ip wccp web-cache password 0 sharedpassword
!
interface
ip wccp web-cache redirect in
Step 3: Install Squid on your Linux box, make sure forwarding is enabled, and configure /etc/squid3/squid.conf
wccp2_router
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=sharedpassword
http_port 3128 intercept
Step validator:
– Make sure squid can make a request to Internet by issuing
squidclient -h your_squid_IP -p 3128 google.com
– Make sure the router is redirecting the client traffic to Squid using “debug ip wccp packet redirect”
– Using a traffic analyzer (wireshark for example) you can observe whether squid and the router have formed GRE tunnels
– On the router
– check GRE tunnel establishment:
sh adjacency tunnel 0 detail
sh ip wccp web-cache detail
– check WCCP counters
sh ip wccp summary
sh ip wccp global counters
Although it's not working right now, I think I am really close.
The router has 3 interfaces and the config is this:
!
ip wccp web-cache password 7 01100F175804
!
interface GigabitEthernet0/0
ip address 187.72.34.82 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 172.16.1.1 255.255.255.0
ip wccp web-cache redirect in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source list NATTABLE_HOSTS interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list standard NATTABLE_HOSTS
permit 192.168.0.0 0.0.255.255
permit 172.16.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
Squid is compiled with the following options:
configure options: '--prefix=/usr' '--includedir=/usr/include'
'--datadir=/usr/share' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--sysconfdir=/etc/squid3' '--enable-delay-pools' '--enable-ssl-crtd'
'--enable-linux-netfilter' '--enable-eui' '--enable-snmp'
'--enable-gnuregex' '--enable-icmp' '--with-logdir=/var/log/squid/'
'--enable-referer-log' '--enable-cache-digests' '--enable-wccp'
'--enable-wccpv2' '--enable-ssl' --enable-ltdl-convenience
Squid.conf:
http_port 192.168.1.2:3129 intercept
http_port 192.168.1.2:3128
wccp2_router 192.168.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
Cache.log is also without any errors.
On Ubuntu 12.04 I have set the following rules (based on http://wiki.squid-cache.org/Features/Wccp2):
modprobe ip_gre
ip tunnel add wccp0 mode gre remote 187.72.34.82 local 192.168.1.2 dev eth0
ifconfig wccp0 192.168.1.2 netmask 255.255.255.255 up
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
With all this setup, the client browser keeps on loading and loading and finally says the server is taking too long to respond, etc.
On the Squid machine, via Wireshark, I can see that a lot of "destination unreachable" messages are sent from Squid to the router when I visit some website in the browser:
From: 192.168.1.2 to 192.168.1.1 [port unreachable]
When I manually set the proxy IP in the browser it works (websites open fine). I could also see HereIAm and ISeeYou messages flowing fine.
What am I missing?
I’ve been fighting with this on and off for a few weeks now. This is a great article but like many others I’ve found skates over or misses out completely the detail around setting up the GRE tunnel at the squid server end. Well, I finally got it working and the stumbling block for me was indeed the GRE tunnel. I made a silly assumption (and you know what they say about that!) – I assumed that the remote address of the tunnel (the Cisco end) would be the address of the interface on which the proxy server was connected. Not the case. The Cisco wccp engine uses the wccp Router Id which can be seen by issuing the command:
# show ip wccp
and looking for the “Router Identifier”. It is this ip address that the Cisco uses when adding the GRE encapsulation. It looks like IOS chooses the highest ip address from all of your configured interfaces but that may be just what it did on my router. It’s supposed to be possible to change it with the
#config ip wccp source-interface
command, but my 12.4 IOS didn't like that. So once I'd updated my squid server with the correct remote IP address of the Cisco and added a rule to the appropriate ACL which allows GRE packets between the Cisco and the squid server, everything burst into life.
Thought I’d share this snippet as I’ve seen no mention of it elsewhere.
Thanks for a great article.
Hi there,
Could you add more about QoS configuration steps with WCCP or VCB on cisco router?