Francisco Obispo wrote:
> Joe Cooper wrote:
>> Worth noting: Francisco is using WCCP. This presents the additional
>> problem of how to get past the router without the packet being
>> redirected back to the cache in a theoretical infinite loop, because
>> the IP when routing through the cache machine will remain the client
>> IP. The only way around this I know of is to use policy routing on the
>> router, wherein the last-hop is checked and WCCP is bypassed if the
>> cache is the last hop. As I understand it, the ability to route based
>> on last-hop is not a common feature on most Ciscos and requires an
>> upgrade to an advanced policy routing module (I don't know enough
>> about Cisco routers or the various IOS branches to know the specifics
>> of this).
>
>
> Well... I wonder how Cisco Cache Engine Deals with this... because
> according to
> http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/net_cach.htm#xtocid13
>
>
> <CiscoSite>
> if the server responds to the cache engine with certain HTTP error
> return codes (such as 401-Unauthorized request, 403-Forbidden, or
> 503-Service Unavailable), the cache engine will invoke the dynamic
> client bypass feature. The cache engine will dynamically store a client
> IP-destination IP address bypass pair, so that future packets with this
> IP address pair will bypass the cache engine. The cache engine sends an
> automatic HTTP retry message to the client's browser.
>
> </CiscoSite>
>
>
> it doesn't say anything about the router being involved in the
> process... also, the Cisco Cache Engine will send and automatic HTTP
> retry message, which has to be sent in this case by squid which has the
> active conection with the client.
>
> I don't see an easy solution to this... except acls in the router, which
> will lead to mantain a very very large list of sites with ip-based
> authentication. :^/
Actually, there is one easy solution (which Henrik pointed out in a
private email) which is to put the cache on another network interface
which is not redirected via WCCP. This has its own potential pitfalls
(minor and easily worked around, assuming you have a spare interface you
can put your Squid machine on), but makes bypassing in the cache very
easy. Using last-hop policy routing also works around it and prevents
you from needing the access list to be maintained on the router. In
these two cases (which are reasonable in many environments, but not all)
all decisions for bypassing can be handled in the cache itself.
Otherwise it gets complicated...and the situations where it gets
complicated are the most common, in my experience.
-- Joe Cooper <joe@swelltech.com> Web caching appliances and support. http://www.swelltech.comReceived on Wed Jul 17 2002 - 14:34:16 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:17 MST