Re: [squid-users] problem with wccp v2 and cisco

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 24 Feb 2008 09:58:42 +0900

There's only a small number of things you have to do to set up WCCPv2.

* configure/compile squid with the relevant transparent interception option.
  For you it's --enable-linux-netfilter IIRC.
* enable ip forwarding in linux
* create gre
* point GRE endpoint at your router's WCCPv2 routerid - use a loopback
  interface on the Cisco for now, that'll make it much, much more predictable
  as the wccpv2 routerid is then always loopback id
* for ease of testing, make sure no iptables rules exist, then add:

iptables -t nat -A PREROUTING -i <gre interface> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Adrian

On Sat, Feb 23, 2008, Ritter, Nicholas wrote:
> I am running a Cisco 2811 with 12.4(15)T3 Advanced Security IOS.
>
> The squid server is a custom built box with the following specs:
>
> Intel Core 2 Duo 2.2GHz
> 800MHz FSB
> 4GB RAM
> 250GB SATAII storage
>
> The squid server is intended to provide target caching of specific
> sites internally and servicing a 10/100 switched ethernet LAN with
> about 30 to 50 computers on it. Topologically the LAN is connected via a
> fractional T1, with the 2811 router serving as the gateway router which
> has a 4 port Etherswitch WIC installed. The LAN is plugged into
> FastEthernet 0/0.1 and the squid server is attached to one of the ports
> on the 4 port etherswitch card in the router. The LAN on FastEthernet
> 0/0.1 is a CIDR /23, and the subnet on the 4 port etherswitch card is a
> CIDR /24. Both subnets are in the same CIDR /16.
>
> I have confirmed so far that:
>
> 1) Redirection to 3128 from 80 from a client in the /23 is working fine.
> This was tested via pointing the browser settings to the squid server
> IP, but on port 80. This was done only after I did the same test on
> 3128.
>
> 2) I am seeing traffic come down the GRE tunnel to the squid server (via
> ifconfig on the squid server), and I am seeing the packets being
> redirected as noted on the router via 'sh ip wccp'
>
> 3) The squid server does not even see the stuff coming in when
> redirected via the router. When I shutoff iptables and run tcpdump, I
> see the traffic redirected from the router, but running tcpdump with
> iptables enabled does not show the traffic.
>
> I am doing the redirection via an 'ip wccp web-cache redirect in'
> interface statement on the FastEthernet0/0.1 interface, although applying
> the same rule to other interfaces and directions has not changed the
> outcome.
>
> I have come to find that many of the transparent squid proxy guides on
> the Internet are either out of date or simply missing steps.
>
> Doesn't iptables need an additional masquerade or mangle rule(s)? Because
> of what I have seen so far, I now think the problem is with iptables.
>
>
> -----Original Message-----
> From: Adrian Chadd [mailto:adrian@creative.net.au]
> Sent: Friday, February 22, 2008 6:35 PM
> To: Ritter, Nicholas
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] problem with wccp v2 and cisco
>
> On Fri, Feb 22, 2008, Ritter, Nicholas wrote:
> > Adrian-
> >
> > Thanks for the info.
> >
> > Question is, if I am listening with squid on port 80, do I still need
> > to run iptables? I thought iptables was only needed to do redirect
> > from port 80 to 3128 if squid was not or could not be run on port 80.
>
> No. The traffic being redirected via WCCPv2 just rewrites the next hop
> in the forwarding path; making it go down a GRE tunnel or rewriting the
> destination MAC address.
>
> The packet arriving at your cache still has the original
> source/destination.
> iptables/etc is needed to redirect packets destined for ANYHOST:80 to
> LOCALHOST:3128 .
>
> > Does anyone happen to know which Cisco IOS versions work with WCCP v2 and
> > squid? I find people saying it is buggy and to start with a known
> > working version and work your way up to a needed release, but I can't
> > seem to confirm a known working version.
>
> What's your hardware?
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
> Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
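The Linux cache side of Adrian's checklist above, assembled into one script as an added example; this is not code from the thread or from the Squid project. Every address, interface name and port in it is a hypothetical placeholder (RFC 5737 documentation ranges), and the squid.conf lines use the Squid 2.6/3.0 directive names (http_port ... transparent, wccp2_*). The Cisco side is not repeated here: a loopback interface (IOS picks the highest loopback address as the WCCPv2 router ID, which is why Adrian suggests one), "ip wccp web-cache" globally and "ip wccp web-cache redirect in" on the LAN interface, which is what Nicholas already has. The script prints the commands instead of running them so the plan can be reviewed, and includes the one check this thread turns on: a REDIRECT rule that is missing "-t nat".

```shell
#!/bin/sh
# Linux cache side of a WCCPv2 + GRE interception setup, following the steps
# in Adrian's reply. Added example, not code from the thread or from Squid.
# Every address, interface name and port below is a hypothetical placeholder
# (RFC 5737 documentation ranges); override them via the environment.
ROUTER_ID="${ROUTER_ID:-192.0.2.1}"    # Cisco loopback that serves as the WCCPv2 router ID
CACHE_IP="${CACHE_IP:-198.51.100.10}"  # address the Squid box uses to talk to the router
LAN_IF="${LAN_IF:-eth0}"               # physical interface on the cache facing the router
GRE_IF="${GRE_IF:-wccp0}"              # tunnel interface that receives the redirected packets
SQUID_PORT="${SQUID_PORT:-3128}"       # port Squid listens on in transparent mode

# Print the commands instead of executing them so the plan can be reviewed
# first (and so this script can be exercised without root). Apply with:
#   sh wccp-cache.sh plan | sh
# rp_filter is disabled on the tunnel only: the decapsulated packets carry
# the LAN clients' source addresses, whose return route is via $LAN_IF, so
# a strict reverse-path check on $GRE_IF would silently drop them.
wccp_linux_plan() {
    cat <<EOF
modprobe ip_gre
ip tunnel add $GRE_IF mode gre remote $ROUTER_ID local $CACHE_IP dev $LAN_IF
ip link set $GRE_IF up
ip addr add $CACHE_IP/32 dev $GRE_IF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$GRE_IF.rp_filter=0
iptables -t nat -A PREROUTING -i $GRE_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Matching squid.conf fragment (Squid 2.6 / 3.0 directive names). Service
# "standard 0" is the well-known web-cache service that the router's
# "ip wccp web-cache" command refers to; forwarding/return method 1 is GRE.
squid_conf_plan() {
    cat <<EOF
http_port $SQUID_PORT transparent
wccp2_router $ROUTER_ID
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
EOF
}

# REDIRECT is a nat-table target and the filter table has no PREROUTING
# chain, so a rule written without "-t nat" is refused by iptables. Check a
# rule line before applying it; returns 0 when every required token is there.
redirect_rule_ok() {
    rule=" $1 "
    for needle in " -t nat " " PREROUTING " " -i $GRE_IF " " -j REDIRECT "; do
        case "$rule" in
            *"$needle"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

case "${1:-}" in
    plan)  wccp_linux_plan ;;
    squid) squid_conf_plan ;;
esac
```

Two caveats when applying this. On kernels that combine net.ipv4.conf.all.rp_filter with the per-interface value by taking the larger of the two, leaving "all" at 1 overrides the per-tunnel 0, so lower "all" (or use loose mode, 2) rather than assuming the tunnel setting took effect. And tcpdump on the tunnel interface captures packets before netfilter sees them, so it cannot tell you whether the REDIRECT rule is matching; the per-rule packet counters from "iptables -t nat -L PREROUTING -v -n" do.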
Received on Sat Feb 23 2008 - 17:45:19 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST