WCCPv2 and Squid-cache v3.1, a nice couple.
May 21, 2013
The WCCP protocol can be much more interesting than the two commands needed for the CCIE exam. In this lab we deploy a basic end-to-end solution using IOS 15.2S as the router and the well-known open-source proxy Squid v3.1 as the content engine.
WCCP version 2 is deployed in the lab.
1-Topology
WCCP lets the router transparently intercept client traffic destined for the Internet and redirect it to a local content engine. Client browsers are not configured to use the content engine as a proxy; as far as the client is concerned it is talking directly to the web server.
The router and the content engine exchange redirected packets over unidirectional point-to-point tunnels. The forwarding method (router to content engine) can be Layer 2 rewriting or GRE encapsulation; the return method (content engine back to router, used for bypass packets) is negotiated separately.
With GRE, IOS automatically creates the tunnel interfaces used to carry outgoing GRE-encapsulated WCCP traffic.
Short definitions of some related concepts:

Term | Definition
--- | ---
Forward proxy | Filters client access to the Internet and reduces bandwidth spent on static Internet resources such as regular updates and large file downloads.
Reverse proxy | Lets external users (e.g. on the Internet) reach internal servers. Generally adds security features as well as caching and load balancing.
WCCP bypass packets | When the content engine cannot handle the redirected packets appropriately, it returns them unchanged to the originating router. These packets are called bypass packets.
Closed service (default = open) | When a service is closed and no WCCP client (content engine) is registered to receive the redirected traffic, the router discards matching packets instead of forwarding them normally.
Router configuration
The router configuration is straightforward:

ip cef
ip wccp web-cache password 0 cisco
!
interface FastEthernet0/0
 ip wccp web-cache redirect in

We are not using ip wccp web-cache redirect out, which applies to traffic leaving an interface; that form is used on the interface facing outside users trying to reach inside servers (the reverse-proxy case).
Fa0/0 is the interface facing the internal clients trying to reach the Internet.
Of course, you can add more: other WCCP services, a redirect-list ACL to select which packets are redirected, or a group-list ACL to restrict which content engines may register for the service. Keep in mind that the WCCP password only authenticates the control messages between router and content engine (an MD5-based check); it does not encrypt the redirected traffic, and cisco is a lab value only.
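The configuration above accepts any device on the segment that knows the password as a content engine and redirects every HTTP flow entering Fa0/0. The following is an added example (not from the original post) showing the same service group with a group-list that restricts registration to the Squid host and a redirect-list that limits what gets redirected. The Squid address 192.168.1.10, the Squid-facing interface FastEthernet0/1 and the ACL numbers 10 and 101 are assumptions for illustration; the client subnet 192.168.2.0/24 is the one used in the Squid localnet ACL later on this page.

```cisco
! Lab baseline (as on the page). Any host on the router's segments that
! knows the password "cisco" can register as a web-cache and receive the
! redirected client traffic.
ip cef
ip wccp web-cache password 0 cisco
!
interface FastEthernet0/0
 ip wccp web-cache redirect in

! Hardened version (added example, addresses and interface names assumed).
!
! group-list: only this host may register as a content engine for the
! web-cache service. A rogue cache that merely knows the password is refused.
access-list 10 permit host 192.168.1.10
!
! redirect-list: packets PERMITTED here are redirected, everything else is
! forwarded normally. Leave alone traffic to the Squid host itself and to
! private address space, so intranet web traffic and the cache's own
! connections never go through the proxy.
access-list 101 deny   ip any host 192.168.1.10
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq www
!
! The password still only authenticates WCCP control messages (MD5); the
! GRE-encapsulated client traffic itself is sent in clear. Use a strong
! value in production, "cisco" is kept here only to match the lab.
ip wccp web-cache redirect-list 101 group-list 10 password 0 cisco
!
interface FastEthernet0/0
 description Client-facing
 ip wccp web-cache redirect in
!
interface FastEthernet0/1
 description Squid-facing (assumed)
 ! Never re-evaluate redirection for traffic arriving from the content
 ! engine, which prevents redirect loops if redirection is later added to
 ! other interfaces.
 ip wccp redirect exclude in
```

After applying it, show ip wccp web-cache detail should list exactly one registered content engine (192.168.1.10 under these assumptions); a second device attempting to join the service group no longer appears, and show ip wccp global counters shows the packets that the redirect-list let through untouched.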
Router verification commands
show ip interface fa0/0
show ip interface brief
show tunnel interface Tunnel0
show tunnel interface Tunnel1
show ip wccp summary
show ip wccp global counters
show ip wccp
show ip wccp web-cache counters
show tunnel groups wccp
show adjacency Tunnel0 detail
show ip wccp web-cache detail
Here is the outcome
Squid config
The configuration differs slightly depending on which Squid and IOS versions/platforms you are using, so make sure to refer to the appropriate configuration guides.
Enable the WCCPv2 protocol in Squid so that it registers with your router:

wccp2_router 192.168.1.121
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
http_port 3128 intercept
Directive | Meaning
--- | ---
wccp2_router 192.168.1.121 | Designates the router intercepting the traffic (Squid sends its HERE_I_AM registrations to this address)
wccp2_forwarding_method gre | Router-to-Squid encapsulation
wccp2_return_method gre | Squid-to-router encapsulation (for bypass packets)
wccp2_service standard 0 password=cisco | Standard service 0 is the web-cache service (HTTP on TCP port 80); the password must match the one configured on the router
http_port 3128 intercept | Configures Squid 3.1 for transparent interception on port 3128
To illustrate the concept, Squid is configured with a permissive policy (the last http_access rule allows everything). As with Cisco ACLs, http_access rules are evaluated top-down and the first match wins; if no rule matches, Squid applies the opposite of the last rule. For a restrictive policy, put the "allow" rules for your client networks (localhost, localnet) before the final "deny all". Be aware that an intercepting proxy that allows all sources is an open proxy for any host able to reach it, so the permissive policy shown here should not leave the lab.
The stock squid.conf looks very intimidating, so produce a version free of comments and empty lines with:
grep -v -e '^$' -e '^#' /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.2.0/24
acl alldst dst 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access allow alldst
http_access allow all
#http_access deny all
http_port 3128 intercept
visible_hostname squid31.cciethebeginning.wordpress.com
wccp2_router 192.168.1.121
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=cisco
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Linux verification
Observing IOS-Squid communication through Wireshark
The following Wireshark captures illustrate the two GRE tunnels established between the router and Squid (redirect and return directions), as well as client-to-Internet traffic redirected from the router to Squid.
3-GRE tunnels
4-Redirected traffic
This should give you a starting point from which you can dig deeper into Squid and IOS cooperation.
Reference links