WCCPv2 and Squid-cache v3.1, a nice couple.


The WCCP protocol can be much more interesting than the two commands needed for the CCIE exam. In this lab we deploy a basic end-to-end solution using IOS 15.2S and the well-known open-source Squid v3.1 as the content engine.

WCCP version 2 is deployed in the lab.

1-Topology

[Figure: lab topology]

WCCP enables the router to transparently intercept client traffic destined for the Internet and redirect it to a local content engine. Client browsers do not point to the content engine as a proxy.

The Cisco router and the content engine communicate through unidirectional point-to-point tunnels (either Layer 2 or GRE).

2-WCCPv2 Interception

[Figure: WCCPv2 interception]

The tunnel interfaces are automatically created in order to process outgoing GRE-encapsulated traffic for WCCP.
Short definitions of some related concepts:

Forward proxy: filters access to the Internet and reduces the bandwidth consumed by static Internet resources such as regular updates and big file downloads.
Reverse proxy: allows external users (for example on the Internet) to access internal servers. It generally supports security features as well as caching and load balancing.
WCCP bypass packets: when the content engine cannot handle the redirected packets appropriately, it returns them unchanged to the originating router. These packets are called bypass packets.
Closed service (default = open): WCCP discards packets for a service that has no WCCP client (external device) registered to receive the redirected traffic.

Router configuration

The router configuration is straightforward:

ip cef
ip wccp web-cache password 0 cisco
!
interface FastEthernet0/0
ip wccp web-cache redirect in

We are not using ip wccp web-cache redirect out, which is applied on interfaces facing outside users trying to connect to inside servers (reverse proxy).

Fa0/0 is the interface facing internal clients trying to connect to Internet.

Of course, you can add other functionalities like more services or filtering packets to be redirected.

Router verification commands

sh ip int fa0/0
sh ip int brief
sh tunnel in Tunnel0
sh tunnel in Tunnel1
sh ip wccp summary
sh ip wccp global counters
sh ip wccp
sh ip wccp web-cache counters
sh tunnel groups wccp
sh adjacency tunnel 0 detail
sh ip wccp web-cache detail

Here is the outcome


Squid config

The configuration is slightly different depending on what Squid and IOS version/platform you are using, so make sure to refer to appropriate configuration guides.

Enable the WCCPv2 protocol on Squid so that it works with your router:

wccp2_router 192.168.1.121
wccp2_forwarding_method gre
wccp2_return_method gre

wccp2_service standard 0 password=cisco

http_port 3128 intercept

wccp2_router 192.168.1.121: designates the router intercepting the traffic
wccp2_forwarding_method gre: router-to-Squid encapsulation
wccp2_return_method gre: Squid-to-router encapsulation
wccp2_service standard 0 password=cisco: the standard service defines HTTP traffic interception, with password protection between Squid and the router
http_port 3128 intercept: configures Squid 3.1 for transparent interception

To illustrate the concept, Squid is configured with a permissive strategy (the last rule permits everything). As with Cisco ACLs, the first matching rule is applied. With a restrictive strategy, make sure to put the “allow” rules before the final “deny all”.
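To make the first-match rule concrete, here is an added Python example (not from the post) that evaluates http_access lines the way Squid does: every ACL on a line must match, a leading "!" negates, the first matching line decides, and when nothing matches the opposite of the last line's action applies. The rules are a condensed, constructed version of the post's squid.conf, the client and destination addresses are constructed, and the permissive and restrictive strategies are compared side by side.

```python
import ipaddress

# Condensed from the post's squid.conf (constructed for this example)
BASE = """
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
"""
PERMISSIVE = BASE + "http_access allow all\n"   # the post's strategy
RESTRICTIVE = BASE + "http_access deny all\n"   # "allow" rules first, then deny all

def parse_acls(conf):
    """acl NAME TYPE values...; repeated names merge their values, as in Squid."""
    acls = {}
    for parts in (l.split('#')[0].split() for l in conf.splitlines()):
        if len(parts) > 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def acl_matches(kind, values, req):
    if kind in ("src", "dst"):
        a = ipaddress.ip_address(req[kind])
        return any(a in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":   # single ports and lo-hi ranges
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition('-') for v in values))
    if kind == "method":
        return req["method"] in values
    raise ValueError("unsupported acl type " + kind)

def http_access(conf, req):
    """First matching http_access line wins; every term on the line must match,
    '!' negates a term. With no match Squid applies the opposite of the last line."""
    acls, last = parse_acls(conf), "deny"
    for parts in (l.split('#')[0].split() for l in conf.splitlines()):
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        last, terms = parts[1], parts[2:]
        if all((t.lstrip('!') == "all" or acl_matches(*acls[t.lstrip('!')], req))
               != t.startswith('!') for t in terms):
            return last
    return "deny" if last == "allow" else "allow"

def decide(conf, src, port=80, method="GET"):
    return http_access(conf, {"src": src, "dst": "203.0.113.5", "port": port, "method": method})
```

A host outside localnet (10.9.9.9) is allowed by the permissive set and denied by the restrictive one, while CONNECT to port 80 is denied by both because the "deny CONNECT !SSL_ports" line is matched first.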

The initial squid configuration file looks very intimidating, so create a version free of comments and empty lines using:

grep -ve ^$ -ve ^# /etc/squid3/squid.conf

Restart Squid after each modification of /etc/squid3/squid.conf.

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.2.0/24
acl alldst dst 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access allow alldst
http_access allow all
#http_access deny all
http_port 3128 intercept
visible_hostname squid31.cciethebeginning.wordpress.com
wccp2_router 192.168.1.121
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Linux verification


Observing IOS-Squid communication through Wireshark

The following Wireshark snapshots illustrate the two communication tunnels established between the router and Squid, as well as client-to-Internet traffic redirected from the router to Squid.

3-GRE tunnels

[Figure: Wireshark capture of the GRE tunnels between the router and Squid]

4-Redirected traffic

[Figure: Wireshark capture of a client request redirected to Squid]
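To see what the redirected-traffic capture contains without Wireshark, here is an added Python example (not from the post) that decodes a constructed router-to-cache packet: outer IPv4 from the router 192.168.1.121 (the post's wccp2_router) to an assumed cache address 192.168.1.10, GRE with protocol type 0x883E, the 4-byte WCCPv2 redirect header (layout as I read the WCCPv2 draft: D/A flag bits, service ID, alternative and primary bucket; treat it as an assumption), then the client's original IPv4/TCP headers. The client and destination addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO_WCCP = 0x883E   # GRE protocol type carrying WCCP-redirected packets
IPPROTO_GRE, IPPROTO_TCP = 47, 6

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header without options (checksum left as 0 for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return ihl, buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20]))

def decode_wccp_redirect(pkt):
    """Walk outer IP -> GRE -> WCCPv2 redirect header -> client IP/TCP."""
    ihl, proto, router, cache = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    off = ihl
    flags, gre_proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    off += 4 if flags & 0x8000 else 0   # checksum present (RFC 2784)
    off += 4 if flags & 0x2000 else 0   # key present (RFC 2890)
    off += 4 if flags & 0x1000 else 0   # sequence number present
    if gre_proto != GRE_PROTO_WCCP:
        raise ValueError("GRE payload is not WCCP (0x%04x)" % gre_proto)
    d = pkt[off]   # WCCPv2 redirect header: assumed layout, see lead-in
    info = {"router": router, "cache": cache,
            "dynamic_service": bool(d & 0x80), "alt_bucket_used": bool(d & 0x40),
            "service_id": pkt[off + 1], "primary_bucket": pkt[off + 3]}
    off += 4
    inner_ihl, inner_proto, client, server = parse_ipv4(pkt[off:])
    if inner_proto != IPPROTO_TCP:
        raise ValueError("redirected packet is not TCP")
    sport, dport = struct.unpack_from("!HH", pkt, off + inner_ihl)
    info.update(client=client, server=server, sport=sport, dport=dport)
    return info

def build_sample():
    """Constructed capture: client 192.168.2.10 SYN to 203.0.113.5:80, redirected
    by the router (192.168.1.121) to the assumed cache address 192.168.1.10."""
    tcp = struct.pack("!HHIIBBHHH", 52000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header("192.168.2.10", "203.0.113.5", IPPROTO_TCP, len(tcp)) + tcp
    wccp = bytes([0x00, 0x00, 0x00, 0x07])   # D=0, A=0, service 0 (web-cache), buckets
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP) + wccp
    outer = ipv4_header("192.168.1.121", "192.168.1.10", IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner
```

The inner packet still carries the client's original destination, which is why Squid must listen with http_port 3128 intercept rather than expect a proxy-style request.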

This should give you a starting point from which you can dig deeper into Squid and IOS cooperation.

Reference links

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/15-mt/iap-wccp-v2-ipv6.html#GUID-608CB58E-EDD4-4073-A903-784CFB9AADCA

http://www.squid-cache.org/

http://wiki.squid-cache.org/Features/Wccp2

http://www.squid-cache.org/Versions/v3/3.1/cfgman/


About ajnouri
If you wish to communicate securely outside the blog, here is my public (GPG) key: My public key for secure communication: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x41CCDE1511DF0EB8

7 Responses to WCCPv2 and Squid-cache v3.1, a nice couple.

  1. Akshay says:

    I found your post very comprehensive and useful. However, I have one question.
    All the other tutorials showed some “iptables” setting on linux which is not mentioned anywhere in your post.
    Did you miss it, or is it not required in your OS and configuration?
    Please reply.

  2. ajnouri says:

    Hi Akshay. The goal is to introduce the topic step by step in its simplest form, so it is easy to grasp the concept and troubleshoot eventual issues.

    I operated step by step so everything works fine; only then do you move forward and add additional services (iptables/ipfw...) on top of what already works.

    I hope this helps.

    • Akshay says:

      Hi ajnouri
      Actually I followed your article and did exactly what you suggested, but things just didn’t work.
      I am using a Cisco 2921 and Ubuntu 12.04. Then, after some more googling, I came to know about the additional configuration that we have to do in order to make WCCP work. Can you please help me out with the required Linux settings as well? Or maybe share the configurations that you had in place to make it work.

      Thanks for your prompt reply !

      • ajnouri says:

        Hi Akshay,

        Take a look at this page for IOS version
        http://wiki.squid-cache.org/Features/Wccp2

        Step1: Simple Connectivity with just routing and IP addresses configured on router interfaces and linux box (squid host)
        Step validator:
        Make sure you have successful connectivity between (just with routing and IP addresses configured on interfaces):
        – internal and external
        – internal and squid
        – squid and external

        Step2: WCCPv2 Router configuration

        ip cef
        ip wccp web-cache password 0 sharedpassword
        !
        interface
        ip wccp web-cache redirect in

        Step3: install squid on your linux box, make sure forwarding is enabled and configure /etc/squid3/squid.conf
        wccp2_router
        wccp2_forwarding_method gre
        wccp2_return_method gre
        wccp2_service standard 0 password=sharedpassword
        http_port 3128 intercept

        Step validator:

        – Make sure squid can make a request to Internet by issuing
        squidclient -h your_squid_IP -p 3128 google.com

        – Make sure the router is redirecting the client traffic to Squid using “debug ip wccp packet redirect”

        – Using a traffic analyzer (wireshark for example) you can observe whether squid and the router have formed GRE tunnels

        – On the router
        – check GRE tunnel establishment:
        sh adjacency tunnel 0 detail
        sh ip wccp web-cache detail

        – check WCCP counters
        sh ip wccp summary
        sh ip wccp global counters

  3. Akshay says:

    Although it’s not working right now, I think I am really close.

    Router has 3 interfaces and the config is this:
    !
    ip wccp web-cache password 7 01100F175804
    !
    interface GigabitEthernet0/0
    ip address 187.72.34.82 255.255.255.248
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/2
    ip address 172.16.1.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    ip nat inside source list NATTABLE_HOSTS interface GigabitEthernet0/0 od
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    ip access-list standard NATTABLE_HOSTS
    permit 192.168.0.0 0.0.255.255
    permit 172.16.0.0 0.0.255.255
    permit 10.0.0.0 0.255.255.255

    Squid is compiled with following options:
    configure
    options: '--prefix=/usr' '--includedir=/usr/include'
    '--datadir=/usr/share' '--bindir=/usr/sbin'
    '--libexecdir=/usr/lib/squid' '--localstatedir=/var'
    '--sysconfdir=/etc/squid3' '--enable-delay-pools' '--enable-ssl-crtd'
    '--enable-linux-netfilter' '--enable-eui' '--enable-snmp'
    '--enable-gnuregex' '--enable-icmp' '--with-logdir=/var/log/squid/'
    '--enable-referer-log' '--enable-cache-digests' '--enable-wccp'
    '--enable-wccpv2' '--enable-ssl' --enable-ltdl-convenience

    Squid.conf:
    http_port 192.168.1.2:3129 intercept
    http_port 192.168.1.2:3128

    wccp2_router 192.168.1.1
    wccp2_forwarding_method gre
    wccp2_return_method gre
    wccp2_service standard 0 password=cisco

    Cache.log is also without any errors.

    On ubuntu 12.04 I have set the following rules (based on http://wiki.squid-cache.org/Features/Wccp2):
    modprobe ip_gre
    ip tunnel add wccp0 mode gre remote 187.72.34.82 local 192.168.1.2 dev eth0
    ifconfig wccp0 192.168.1.2 netmask 255.255.255.255 up
    echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
    iptables -t nat -A POSTROUTING -j MASQUERADE

    With all this setup, client browser keeps on loading and loading and finally says server taking too long to respond etc.
    On the squid machine, via wireshark, I can see that a lot of “destination unreachable” messages are sent from squid to router when I visit some website on browser.
    From: 192.168.1.2 to 192.168.1.1 [port unreachable]

    When I manually set the proxy IP in the browser it works (websites open fine). I could also see HereIAm and ISeeYou messages flowing fine.
    What am I missing ?


  5. znac049 says:

    I’ve been fighting with this on and off for a few weeks now. This is a great article but like many others I’ve found skates over or misses out completely the detail around setting up the GRE tunnel at the squid server end. Well, I finally got it working and the stumbling block for me was indeed the GRE tunnel. I made a silly assumption (and you know what they say about that!) – I assumed that the remote address of the tunnel (the Cisco end) would be the address of the interface on which the proxy server was connected. Not the case. The Cisco wccp engine uses the wccp Router Id which can be seen by issuing the command:

    # show ip wccp

    and looking for the “Router Identifier”. It is this ip address that the Cisco uses when adding the GRE encapsulation. It looks like IOS chooses the highest ip address from all of your configured interfaces but that may be just what it did on my router. It’s supposed to be possible to change it with the

    #config ip wccp source-interface

    command but my 12.4 IOS didn’t like that. So once I’d updated my squid server with the correct remote ip address of the Cisco and added a rule to the appropriate acl which allows GRE packets between the Cisco and squid server, everything burst into life.

    Thought I’d share this snippet as I’ve seen no mention of it elsewhere.

    Thanks for a great article.
