RE: Perl script

From: Alexandre K <Alexk@dont-contact.us>
Date: Thu, 6 Jul 2000 13:51:10 +0200

> We're planning on doing transparent proxying via policy routing on our
> Cisco 4700M. We would like to have some safeguards in place if the cache
> goes down though. Some have mentioned using a perl script to "ping" web
> pages on the proxy to make sure it's alive, then go in to the cisco and
> enable/disable the policy routing

If you have an IOS version with WCCP v.1 support, I suggest using WCCP (squid
supports WCCP also), because:

1) WCCP itself supports auto-fallback from transparent cache to normal
routing in case the cache crashes (that is what you need).

2) WCCP runs on your Cisco, and is definitely more reliable than a script
running on some third UNIX box. If the Cisco is alive, your network will be
alive also.

3) Old IOSes have a problem with policy-routing: these IOSes redirect to
your cache not only HTTP traffic, but also ALL FRAGMENTED IP PACKETS with
offset!=0 as well, regardless of what you write in the route-map access-list.
This bug doesn't appear in WCCP.

So set up a transparent cache with policy routing (instead of WCCP) only if
you are ABSOLUTELY SURE that there's NO fragmented traffic crossing the
router (you typically have fragmented traffic if there's a tunnel, VPN,
etc).
And even if there's no fragmented traffic right now, you will be creating a
hidden "bomb" in your network.

This bug is documented:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120cavs/120mcavs.htm
====================================
Caveats for Cisco IOS 12.0 (also 11.2, 11.3)
IP Routing Protocols
CSCdm44976: IP access lists always permit IP fragments. There is no
workaround.
====================================

I was told that it is fixed since 12.0(11), 12.1(2).
So beware of this bug in earlier IOS versions, especially when using
policy-routing.

Alex
Received on Thu Jul 06 2000 - 06:05:57 MDT
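A small model of the caveat Alex describes, added here as an illustration and not code from the thread or from Cisco: a route-map ACL that should redirect only TCP port 80 is evaluated against sample packets, once with the affected behaviour (any non-initial fragment is permitted because it carries no TCP header to test) and once with an assumed simplified corrected behaviour (a non-initial fragment is matched on its IP protocol only). The packet records, the ACL and both decision functions are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp", "gre", "esp", ...
    dport: Optional[int]    # None when no transport header is present
    frag_offset: int        # 0 for unfragmented packets and first fragments

# Route-map ACL as a transparent-cache setup would write it (constructed):
# only TCP to port 80 should be redirected to the cache.
ACL = [("permit", "tcp", 80)]

def matches_l4(pkt, proto, dport):
    return pkt.proto == proto and pkt.dport == dport

def redirect_buggy(pkt):
    """Affected IOS (CSCdm44976): a non-initial fragment has no TCP header,
    so the port test cannot run and the ACL permits it unconditionally."""
    if pkt.frag_offset != 0:
        return True
    return any(action == "permit" and matches_l4(pkt, proto, dport)
               for action, proto, dport in ACL)

def redirect_fixed(pkt):
    """Assumed simplified corrected behaviour (not IOS's exact algorithm):
    a non-initial fragment is decided on the IP protocol field alone."""
    for action, proto, dport in ACL:
        if pkt.frag_offset != 0:
            if pkt.proto == proto:
                return action == "permit"
            continue
        if matches_l4(pkt, proto, dport):
            return action == "permit"
    return False

# Constructed sample traffic crossing the router.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", "tcp", 80, 0),        # ordinary HTTP
    Packet("10.0.0.5", "203.0.113.9", "tcp", 443, 0),       # HTTPS, not cached
    Packet("10.0.0.7", "198.51.100.2", "gre", None, 185),   # tunnel fragment
    Packet("10.0.0.7", "198.51.100.2", "esp", None, 370),   # VPN fragment
]

def misrouted(decide):
    """Packets that are not HTTP yet would still be sent to the cache."""
    return [p for p in SAMPLE if decide(p) and not matches_l4(p, "tcp", 80)]
```

With the affected behaviour the GRE and ESP fragments land on the cache, which is the hidden "bomb" for any tunnel or VPN traffic; with the corrected model only HTTP is redirected.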
