RE: [squid-users] more cisco than squid but someone here might know answer

From: Jeremy Junginger <jj@dont-contact.us>
Date: Tue, 4 Mar 2003 12:12:20 -0700

Chad,

Check out this link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca671.html#1003017

Summary:
Command: Router(config)# access-list access-list permit ip host
host-address [destination-address | destination-host | any ]
Purpose: Creates an access list that enables or disables traffic
redirection to the cache engine.

The access-list only tells the router which traffic to redirect to the
proxy. The following lines will only redirect 172.16.0.0 to the
web-cache. Any traffic that does not match against the access-list will
be forwarded without redirection. This should not block any traffic
from reaching web servers, but will prevent them from reaching the cache
engine. Your commands (slightly modified) are listed below and should
work,

access-list 101 permit tcp 172.16.0.0 0.0.255.255 any
access-list 101 deny tcp any any
ip wccp web-cache redirect-list 101

but look a little further down for some reading and my suggestion...

The following example was cut from:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800da707.html#14219
and demonstrates that anything that does not match the access-list will
bypass the cache:

"To disable caching for certain clients, servers, or client/server
pairs, you can use WCCP access lists. The following example shows that
any requests coming from 10.1.1.1 to 12.1.1.1 will bypass the cache and
that all other requests will be serviced normally:

Router(config)# ip wccp web-cache redirect-list 120
Router(config)# access-list 120 deny tcp host 10.1.1.1 any
Router(config)# access-list 120 deny tcp any host 12.1.1.1
Router(config)# access-list 120 permit ip any any "

In looking at this, it may make sense for you to do the following:

ip wccp web-cache redirect-list 101
access-list 101 deny tcp 192.168.0.0 0.0.1.255 any
access-list 101 permit ip any any

This would effectively tell the router to forward all traffic to the
cache except for the 192.168.0.0/23 network. Let me know if this
helps...

-Jeremy

-----Original Message-----
From: Chad Whitten [mailto:cwhitten@nexband.com]
Sent: Tuesday, March 04, 2003 11:30 AM
To: squid-users@squid-cache.org
Subject: [squid-users] more cisco than squid but someone here might know answer

i have a cisco 3640 router doing wccp redirection to a squid proxy
server. is there some way i can restrict the redirection to a certain
set of networks - ie

networks served by router

172.16.0.0/16
192.168.0.0/23

right now all http requests get redirected to proxy. i would like for
http requests from 172.16.0.0/16 to be redirected to proxy and http
requests from 192.168.0.0/23 not to be redirected to proxy. im thinking
i could do something with access-lists and such but not quite sure about
syntax.

i know this much: i need the following
ip wccp web-cache redirect-list 101
and then an acl 101 like
????????????????????????????????????????????????????????
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
access-list 101 deny ip any any

or

access-list 101 deny ip 192.168.1.0 0.0.254.255 any
access-list 101 permit ip any any

????????????????????????????????????????????????????????

but would doing that keep the 192.168.1.0 network from getting to the
web?

router has two ethernet interfaces and i have config as

ip wccp version 1
ip wccp web-cache

interface Ethernet0/0
 ip address yyy.yyy.yyy.yyy
 ip access-group 120 in

interface Ethernet0/1
 ip address xxx.xxx.xxx.xxx
 ip access-group 120 in
 ip wccp web-cache redirect out

eth0/1 is outward facing interface, eth0/0 is inward facing

-- 
Chad Whitten
Network/Systems Administrator
neXband Communications
cwhitten@nexband.com
601-944-4801
Received on Tue Mar 04 2003 - 12:11:30 MST
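
The first-match and wildcard-mask behaviour this thread depends on, as an added example (not part of the original e-mails and not Cisco code): a small Python model of how a WCCP redirect-list decides, per source address, whether HTTP is sent to the cache. It assumes TCP/HTTP traffic and evaluates only the source field, which is all the thread's ACL 101 variants use; the function names and client addresses are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_source(line):
    """Return (action, base, wildcard) for 'access-list N ACTION PROTO SRC ...'."""
    tok = line.split()
    action, src = tok[2], tok[4:]
    if src[0] == "any":
        return action, 0, 0xFFFFFFFF
    if src[0] == "host":
        return action, _ip(src[1]), 0
    return action, _ip(src[0]), _ip(src[1])

def redirected(acl, source):
    """True if HTTP from `source` would be redirected under this redirect-list."""
    addr = _ip(source)
    for line in acl:
        action, base, wild = parse_source(line)
        # Wildcard bits set to 1 are ignored; every other bit must equal the base.
        if ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"   # first matching entry wins
    return False                        # implicit deny: forwarded, not redirected

# ACL 101 variants copied from the thread.
REPLY_PERMIT = ["access-list 101 permit tcp 172.16.0.0 0.0.255.255 any",
                "access-list 101 deny tcp any any"]
REPLY_DENY = ["access-list 101 deny tcp 192.168.0.0 0.0.1.255 any",
              "access-list 101 permit ip any any"]
QUESTION_DENY = ["access-list 101 deny ip 192.168.1.0 0.0.254.255 any",
                 "access-list 101 permit ip any any"]

# Constructed client addresses (assumption): one in 172.16.0.0/16, two inside
# 192.168.0.0/23, and one just outside it.
CLIENTS = ["172.16.5.9", "192.168.0.10", "192.168.1.10", "192.168.3.10"]

def decisions(acl):
    """Map each constructed client to True (redirected) or False (forwarded)."""
    return {client: redirected(acl, client) for client in CLIENTS}

if __name__ == "__main__":
    for name, acl in (("reply permit-list", REPLY_PERMIT),
                      ("reply deny-list", REPLY_DENY),
                      ("question deny-list", QUESTION_DENY)):
        print(name, decisions(acl))
```

A wildcard of 0.0.254.255 pins only the lowest bit of the third octet, so with base 192.168.1.0 it selects every odd-numbered 192.168.x.0/24 rather than the /23, while 0.0.1.255 with base 192.168.0.0 covers exactly 192.168.0.0 through 192.168.1.255.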
