RE: [squid-users] problem with wccp v2 and cisco

From: Ritter, Nicholas <Nicholas.Ritter@dont-contact.us>
Date: Sat, 23 Feb 2008 13:25:19 -0600

I am running a Cisco 2811 with 12.4(15)T3 Advanced Security IOS.

The squid server is a custom built box with the following specs:

Intel Core 2 Duo 2.2GHz
800MHz FSB
4GB RAM
250GB SATAII storage

The squid server is intended to provide targeted caching of specific
sites internally and servicing a 10/100 switched ethernet LAN with
about 30 to 50 computers on it. Topologically the LAN is connected via a
fractional T1, with the 2811 router serving as the gateway router which
has a 4 port Etherswitch WIC installed. The LAN is plugged into
FastEthernet 0/0.1 and the squid server is attached to one of the ports
on the 4 port etherswitch card in the router. The LAN on FastEthernet
0/0.1 is a CIDR /23, and the subnet on the 4 port etherswitch card is a
CIDR /24. Both subnets are in the same CIDR /16.

I have confirmed so far that:

1) Redirection to 3128 from 80 from a client in the /23 is working fine.
This was tested via pointing the browser settings to the squid server
IP, but on port 80. This was done only after I did the same test on
3128.

2) I am seeing traffic come down the GRE tunnel to the squid server (via
ifconfig on the squid server), and I am seeing the packets being
redirected as noted on the router via 'sh ip wccp'.

3) The squid server does not even see the stuff coming in when
redirected via the router. When I shut off iptables and run tcpdump, I
see the traffic redirected from the router, but running tcpdump with
iptables enabled does not show the traffic.

I am doing the redirection via an 'ip wccp web-cache redirect in'
interface statement on the FastEthernet0/0.1 interface, although applying
the same rule to other interfaces and directions has not changed the
outcome.

I have come to find that many of the transparent squid proxy guides on
the Internet are either out of date or simply missing steps.

Doesn't iptables need an additional masquerade or mangle rule(s)? Because
of what I have seen so far, I now think the problem is with iptables.

-----Original Message-----
From: Adrian Chadd [mailto:adrian@creative.net.au]
Sent: Friday, February 22, 2008 6:35 PM
To: Ritter, Nicholas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] problem with wccp v2 and cisco

On Fri, Feb 22, 2008, Ritter, Nicholas wrote:
> Adrian-
>
> Thanks for the info.
>
> Question is, if I am listening with squid on port 80, do I still need
> to run iptables? I thought iptables was only needed to do redirect
> from port 80 to 3128 if squid was not or could not be run on port 80.

No. The traffic being redirected via WCCPv2 just rewrites the next hop
in the forwarding path, making it go down a GRE tunnel or rewriting the
destination MAC address.

The packet arriving at your cache still has the original
source/destination. iptables/etc is needed to redirect packets destined
for ANYHOST:80 to LOCALHOST:3128.

> Does any happen to know which Cisco IOS versions work with WCCP v2 and
> squid? I find people saying it is buggy and to start with a known
> working version and work your way up to a needed release, but I can't
> seem to confirm a known working version.

What's your hardware?

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Sat Feb 23 2008 - 12:25:28 MST
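The two points raised in the thread (a REDIRECT, not MASQUERADE, rule is what maps ANYHOST:80 to LOCALHOST:3128, and a default-drop iptables INPUT policy silently discards the GRE-encapsulated traffic the router sends) can be put together on the Squid host as below. This is an added example, not configuration from either poster; the router and cache addresses are placeholders passed in by the caller, the interface names wccp0/eth0 are assumptions, and Squid itself must still be configured to speak WCCPv2 and to intercept (Squid 2.6/3.0: `http_port 3128 transparent`), which is squid.conf and not shown here.

```shell
#!/bin/sh
# Constructed example: GRE tunnel + iptables for a Linux Squid box receiving
# WCCPv2 redirects from a Cisco router. Not from the list posts. IPT/IP/SYSCTL
# default to the real tools; set them to "echo" for a dry run (see below).
set -eu
IPT=${IPT:-iptables}
IP=${IP:-ip}
SYSCTL=${SYSCTL:-sysctl}

# Usage (root): wccp_cache_setup ROUTER_IP SQUID_IP [LAN_IF] [SQUID_PORT]
wccp_cache_setup() {
    router=$1; squid=$2; lan_if=${3:-eth0}; port=${4:-3128}

    # 1. Terminate the GRE tunnel the router redirects packets down. The inner
    #    packets still carry the original client source and web-server
    #    destination; WCCP only changed the next hop, not the addresses.
    $IP tunnel add wccp0 mode gre remote "$router" local "$squid" dev "$lan_if"
    $IP addr add "$squid/32" dev wccp0
    $IP link set wccp0 up

    # 2. Redirected packets enter on wccp0 with client source addresses that
    #    are not routed via that interface; reverse-path filtering would drop
    #    them before iptables or tcpdump on the tunnel ever sees them.
    $SYSCTL -w net.ipv4.conf.wccp0.rp_filter=0

    # 3. A firewall that drops unsolicited INPUT must accept the GRE
    #    encapsulation from the router and the decapsulated flows on the
    #    tunnel (the "tcpdump sees it only with iptables off" symptom).
    $IPT -A INPUT -p gre -s "$router" -j ACCEPT
    $IPT -A INPUT -i wccp0 -p tcp --dport "$port" -j ACCEPT

    # 4. The interception rule: REDIRECT (a DNAT to a local port) in
    #    nat/PREROUTING, not MASQUERADE, sends ANYHOST:80 arriving from the
    #    tunnel to LOCALHOST:$port. Matching on wccp0 keeps Squid's own
    #    outbound port-80 fetches on eth0 out of the loop.
    $IPT -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 \
        -j REDIRECT --to-ports "$port"
}

# Print the exact commands without touching the system.
wccp_cache_dry_run() {
    ( IPT=echo; IP=echo; SYSCTL=echo; wccp_cache_setup "$@" )
}
```

Run `wccp_cache_dry_run <router> <squid>` first to review the seven commands, then `wccp_cache_setup` as root once the tunnel endpoints match the router's `ip wccp` configuration.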
