WCCPv2 and Squid-cache v3.1, a nice couple.


WCCP protocol can be much more interesting than the two commands needed for the CCIE exam. In this lab we will deploy a basic end-to-end solution using IOS 15.2S and the well known open-source solution Squid v3.1 as the content engine.

WCCP version2 is deployed in the lab.

1-Topology

wccpv2top1

WCCP enables the router to transparently intercept client traffic destined to Internet and redirect it to a local content engine. Client browsers doesn’t point to the content engine as proxy.

Cisco and the content engine communicate through unidirectional point-to-point tunnels (either layer2 or GRE ).

2-WCCPv2 Interception

wccpv2top2

The tunnel interfaces are automatically created in order to process outgoing GRE-encapsulated traffic for WCCP.
Short definitions of some related concepts:

Forward proxy Filter access to Internet and reduces BW related to Internet static resources like regular updates, big file downloads…
Reverse proxy Allows external users (ex: on Internet) to access internal servers. Generally supports security features as well as caching and load balancing.
WCCP Bypass Packets When the content engine cannot manage the redirected packets appropriately, it returns the packets unchanged to the originating router. These packets are called bypass packets.
Closed service (default = open) WCCP discards packets that do not have a WCCP client registered (external devices) to receive the redirected traffic.

Router configuration

The router configuration is straightforward:

ip cef
ip wccp web-cache password 0 cisco
!
interface FastEthernet0/0
ip wccp web-cache redirect in

We are not using ip wccp web-cache redirect out which is used on interfaces facing outside users trying to connect to inside servers (reverse-proxy)

Fa0/0 is the interface facing internal clients trying to connect to Internet.

Of course, you can add other functionalities like more services or filtering packets to be redirected.

Router verification commands

sh ip int fa0/0
sh ip int brief
sh tunnel in Tunnel0
sh tunnel in Tunnel1
sh ip wccp summary
sh ip wccp global counters
sh ip wccp
sh ip wccp web-cache counters
sh tunnel groups wccp
sh adjacency tunnel 0 detail
sh ip wccp web-cache detail

Here is the outcome


Squid config

The configuration is slightly different depending on what Squid and IOS version/platform you are using, so make sure to refer to appropriate configuration guides.

Enabling wccpv2 protocol on squid to work with your router.

wccp2_router 192.168.1.121wccp2_forwarding_method grewccp2_return_method gre

wccp2_service standard 0 password=cisco

http_port 3128 intercept

wccp2_router 192.168.1.121 Designate the router intercepting the traffic
wccp2_forwarding_method gre Router to squid encapsulation
wccp2_return_method gre Squid to router encapsulation
wccp2_service standard 0 password=cisco Standard service defines http traffic interception, with password protection between squid and the router
http_port 3128 intercept Configure Squid 3.1 to transparent interception

To illustrate the concept squid is configured with permissive strategy (last rule permit everything). As with Cisco ACLs, the first matched rule is applied. With restrictive strategy make sure to put permission rules “allow” before the last “deny all”.

The initial squid configuration file looks very intimidating, so create a version free of comments and empty lines using:

grep -ve ^$ -ve ^# /etc/squid3/squid.conf

Restart Squid after each modification of /etc/squid3/squid.conf
acl manager proto cache_objectacl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.2.0/24
acl alldst dst 0.0.0.0/32
acl SSL_ports port 443acl Safe_ports port 80# httpacl Safe_ports port 21# ftpacl Safe_ports port 443

# httpsacl Safe_ports port 70

# gopheracl Safe_ports port 210

# acl Safe_ports port 1025-65535

# unregistered ports

acl Safe_ports port 280

# http-mgmtacl Safe_ports port 488

# gss-httpacl Safe_ports port 591

# filemakeracl Safe_ports port 777

# multiling http

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny manager

http_access deny

!Safe_ports

http_access deny CONNECT

!SSL_ports

http_access allow localhost

http_access allow localnet

http_access allow alldst

http_access allow all

#http_access deny all

http_port 3128 intercept

visible_hostname squid31.cciethebeginning.wordpress.com

wccp2_router 192.168.1.121

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0 password=cisco

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid3

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320

Linux verification


Observing IOS-Squid communication through Wireshark

The following Wireshark snapshots illustrates the two communication tunnels established between the router and Squid as well client-to-Internet traffic redirected from the router to Squid.

3-GRE tunnels

gretunnel

4-Redirected traffic

request

This should give you a starting point from which you can dig deeper into Squid and IOS cooperation.

Reference links

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/15-mt/iap-wccp-v2-ipv6.html#GUID-608CB58E-EDD4-4073-A903-784CFB9AADCA

http://www.squid-cache.org/

http://wiki.squid-cache.org/Features/Wccp2

http://www.squid-cache.org/Versions/v3/3.1/cfgman/

Advertisements
%d bloggers like this: