On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:
A. squid -v
Squid Cache: Version 2.6.STABLE19
configure options: '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/spool/squid' '--sysconfdir=/etc/squid' '--enable-snmp' '--enable-kill-parent-hack' '--enable-delay-pools' '--enable-storeio=aufs,diskd,null' '--enable-removal-policies=heap,lru' '--enable-arp-acl' '--enable-large-files' '--enable-ssl' '--enable-linux-netfilter' '--with-maxfd=16384'
B. ip wccp version 2
ip wccp web-cache
!
interface fastethernet 1/0
description internet connection
ip address 192.168.255.6 255.255.255.252
!
interface fastethernet 3/0
description LAN
ip address xx.xx.184.177
ip wccp web-cache redirect out
Either change this line to "ip wccp web-cache redirect in" or put it in fa1/0.
!
ip route 0.0.0.0 0.0.0.0 192.158.255.5
C. [root@cproxy ~]# tcpdump -i wccp0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
:note that 778 is my ssh port, also there is no log being shown in the access.log
tcpdump
IP 192.168.255.6 > xx.xx.184.178: GREv0, length 56: gre-proto-0x883e
STP 802.1d, Config, Flags [none], bridge-id xxxxxxxxxx, length 43
You should not be seeing the GRE packets on the wccp0 interface. GRE should already be decrypted in this interface.
D. ifconfig
wccp0 Link encap:UNSPEC HWaddr 4F-62-B8-B2-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:xx.xx.184.178 P-t-P:xx.xx.184.178 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
:note packets received and sent
Here's how I've done it.
1. Squid box:
1.1 compile options for squid:
Squid Cache: Version 2.6.STABLE19
configure options: '--enable-snmp' '--prefix=/usr/local/squid'
'--enable-async-io' '--enable-storeio=ufs,aufs,coss,null'
'--enable-removal-policies=lru,heap' '--enable-wccp' '--enable-wccpv2'
'--disable-ident-lookup' '--enable-linux-netfilter' '--enable-epoll'
'--disable-select' '--disable-poll' '--enable-follow-x-forwarded-for'
'--with-maxfd=16384' 'CFLAGS=-march=nocona -O2 -pipe -fomit-frame-pointer
-DNUMTHREADS=150 -funroll-loops -ffast-math -fno-exceptions'
1.2 squid config:
http_port <squid port> transparent
wccp2_router xxx.xxx.xxx.233
1.3 OS:
CentOS 4.5 64-bit kernel version 2.6.23.9 compiled with ip_gre builtin.
1.4 interface:
create gre0 interface:
[root@squid ~]# cat /etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
BROADCAST=192.168.172.3
IPADDR=192.168.172.2  # use any unused IP for this interface, doesn't matter
NETMASK=255.255.255.252
NETWORK=192.168.172.0
ONBOOT=yes
TYPE=Ethernet
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:14:5E:41:FA:A6
inet addr:xxx.xxx.xxx.234 Bcast:xxx.xxx.xxx.239 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8780435181 errors:0 dropped:0 overruns:0 frame:0
TX packets:9211494941 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4768621410009 (4.3 TiB) TX bytes:6971021118272 (6.3 TiB)
Base address:0x2000 Memory:d0120000-d0140000
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-FF-F8-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.172.2 Mask:255.255.255.252
UP RUNNING NOARP MTU:1476 Metric:1
RX packets:4849085060 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:4269 dropped:0 overruns:0 carrier:0
collisions:4269 txqueuelen:0
RX bytes:735923364221 (685.3 GiB) TX bytes:0 (0.0 b)
tcpdump on eth0:
[root@squid ~]# tcpdump -nn -i eth0 |grep gre-proto
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:58.708759 IP xxx.xxx.xxx.226 > xxx.xxx.xxx.234: gre-proto-0x883e
10:23:58.710273 IP xxx.xxx.xxx.226 > xxx.xxx.xxx.234: gre-proto-0x883e
tcpdump on gre0:
[root@squid ~]# tcpdump -nn -i gre0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
10:26:18.896768 IP xxx.yyy.zzz.16.1999 > 208.122.6.235.80: . ack 3193965999 win 65535 <nop,nop,sack sack 1 {1461:5841} >
10:26:18.897020 IP xxx.yyy.zzz.123.4098 > 209.216.46.132.80: . ack 586983296 win 17424
10:26:18.897790 IP xxx.yyy.zzz.209.62383 > 203.84.204.69.80: . ack 1194719072 win 65114
10:26:18.897799 IP xxx.yyy.zzz.209.62383 > 203.84.204.69.80: F 0:0(0) ack 1 win 65114
1.5 iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
/sbin/iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp -s <lan network> --dport 80 -j REDIRECT --to-port <squid port>
/sbin/iptables -A INPUT -i gre0 -p tcp -s <lan network> --dport <squid port> -j ACCEPT
2. Router:
2.1 Router version:
7204VXR npe 300 IOS version 12.2(46a)
2.2 Config
ip wccp version 2
ip wccp web-cache redirect-list SQUID-BYPASS-NEW
interface FastEthernet0/0.128
description Connection to internet
bandwidth 24000
encapsulation dot1Q 128
ip address xxx.xxx.xxx.201 255.255.255.252
ip access-group PORT_BLOCK in
ip access-group PORT_BLOCK out
ip wccp web-cache redirect out
no cdp enable
Router#sh ip wccp web-cache detail
WCCP Cache-Engine information:
Web Cache ID: xxx.xxx.xxx.234
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 1166385116
Connect Time: 3w3d
Router#sh ip wccp web-cache
Global WCCP information:
Router information:
Router Identifier: xxx.xxx.xxx.226
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 553854367
Redirect access-list: SQUID-BYPASS-NEW
Total Packets Denied Redirect: 1050502969
Total Packets Unassigned: 126368
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
### That's it... working great for us.
----- Original Message -----
From: "Manoj_Rajkarnikar" <manoj@xxxxxxxxxxxxx>
To: "Wennie V. Lagmay" <wlagmay@xxxxxxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxx>
Sent: Monday, April 28, 2008 2:22:34 PM (GMT+0300) Asia/Kuwait
Subject: Re: squid and wccp
On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:
I am trying to configure squid wccp and cisco router but with no luck.
This is what I have done. Please check my procedure and configuration:
for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178
1. I configure squid with options enable-linux-netfilter
please provide output of "squid -v"
--
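An added example, not code from this thread or from Squid: a small parser showing what separates the two captures above, where eth0 carries gre-proto-0x883e packets from the router and gre0 carries the clients' original port-80 packets. The function name, helper and sample packet are constructed for illustration and use documentation addresses.

```python
import socket
import struct

WCCP_GRE_PROTO = 0x883E  # tcpdump prints this as gre-proto-0x883e

def decapsulate_wccp(outer: bytes) -> dict:
    """Strip outer IPv4 + GRE (+ WCCPv2 redirect header); describe the inner packet."""
    if len(outer) < 20 or outer[0] >> 4 != 4 or outer[9] != 47:
        raise ValueError("not an IPv4 packet carrying GRE (protocol 47)")
    off = (outer[0] & 0x0F) * 4                  # outer IP header length
    if len(outer) < off + 5:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", outer, off)
    if flags != 0 or proto != WCCP_GRE_PROTO:
        raise ValueError("GRE payload is not WCCP redirect traffic")
    off += 4
    # WCCPv2 adds a 4-byte redirect header, WCCPv1 does not. Same first-nibble
    # test as the Linux ip_gre driver: an inner IPv4 header starts with 0x4.
    redirect_hdr = outer[off] >> 4 != 4
    if redirect_hdr:
        off += 4
    inner = outer[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no inner IPv4 packet after decapsulation")
    info = {"router": socket.inet_ntoa(outer[12:16]),
            "cache": socket.inet_ntoa(outer[16:20]),
            "wccp_redirect_header": redirect_hdr,
            "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20])}
    l4 = (inner[0] & 0x0F) * 4
    if inner[9] == 6 and len(inner) >= l4 + 4:   # TCP: add the ports
        info["sport"], info["dport"] = struct.unpack_from("!HH", inner, l4)
    return info

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test header: no options, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample (documentation addresses, not values from the thread).
TCP = struct.pack("!HHLLBBHHH", 1999, 80, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
INNER = build_ipv4("192.0.2.16", "203.0.113.80", 6, TCP)
GRE = struct.pack("!HH", 0, WCCP_GRE_PROTO) + b"\x00" * 4   # GRE + redirect header
SAMPLE = build_ipv4("198.51.100.226", "198.51.100.234", 47, GRE + INNER)

if __name__ == "__main__":
    print(decapsulate_wccp(SAMPLE))
```

The outer addresses are router and cache; the inner ones are the client and web server that iptables and Squid have to act on, which is why the REDIRECT rule is bound to the tunnel interface rather than eth0.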