This topic is to discuss the following lesson:
Is it possible to use an HSRP pair instead of a single Cisco device? I guess it’s not possible to terminate a GRE tunnel on an HSRP VIP …
I haven’t tried it but it seems to be possible. This is from the Cisco website:
When you configure WCCP for use with the Hot Standby Router Protocol (HSRP), you must configure the WAE with the HSRP or the Virtual Router Redundancy Protocol (VRRP) virtual router address as its default gateway, and the WAE WCCP router-list with the primary address of the routers in the HSRP group.
Could you help me create a GRE tunnel on Debian Wheezy 7.2, please?
I have tried several times but I can’t get it set up.
I don’t see /etc/sysconfig/selinux in Debian to set selinux=disabled.
Only CentOS uses SELinux by default, no need to worry about it in Ubuntu. Configuration of the GRE tunnel is a bit different though.
If you want to create a GRE tunnel from the command-line you can try this:
ip tunnel add wccp0 mode gre remote 192.168.1.254 local 192.168.1.253 dev eth0
ifconfig wccp0 192.168.1.253 netmask 255.255.255.255 up
If you want to make this permanent, you can create an entry in /etc/network/interfaces or put the above lines in a script that runs at startup.
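One way to turn the two commands above into something repeatable, as an added example that is not part of the original reply: the script below renders the iproute2 equivalents (`ip addr add …/32` in place of `ifconfig … netmask 255.255.255.255`) and an /etc/network/interfaces stanza that recreates the tunnel at boot. The addresses, the wccp0 name and eth0 come from the commands quoted in the thread; the `--apply` flag, the helper names and the ifupdown stanza layout are this example’s own choices.

```python
"""Render or bring up a WCCP GRE tunnel endpoint on a Debian/Ubuntu host.

Added example, not part of the original thread. Addresses, interface names
and the tunnel name are taken from the commands posted above; the --apply
flag, the helper names and the ifupdown stanza layout are assumptions.
"""
import ipaddress
import subprocess
import sys


def gre_tunnel_commands(name, local, remote, parent, prefix_len=32):
    """Return the iproute2 commands that create, address and enable the tunnel.

    `ip addr add <local>/32 dev <name>` is the iproute2 equivalent of
    `ifconfig <name> <local> netmask 255.255.255.255`.
    """
    local_ip = ipaddress.IPv4Address(local)    # raises ValueError on malformed input
    remote_ip = ipaddress.IPv4Address(remote)
    if local_ip == remote_ip:
        raise ValueError("local and remote tunnel endpoints must differ")
    return [
        ["ip", "tunnel", "add", name, "mode", "gre",
         "remote", str(remote_ip), "local", str(local_ip), "dev", parent],
        ["ip", "addr", "add", f"{local_ip}/{prefix_len}", "dev", name],
        ["ip", "link", "set", name, "up"],
    ]


def interfaces_stanza(name, local, remote, parent):
    """Render an /etc/network/interfaces stanza (ifupdown syntax).

    pre-up / post-down are standard ifupdown hooks: the tunnel device is
    created before ifupdown assigns the /32 address and deleted on ifdown.
    """
    create = " ".join(gre_tunnel_commands(name, local, remote, parent)[0])
    return "\n".join([
        f"auto {name}",
        f"iface {name} inet static",
        f"    address {local}",
        "    netmask 255.255.255.255",
        f"    pre-up {create}",
        f"    post-down ip tunnel del {name}",
    ])


def apply(commands):
    """Run the commands in order (needs root); stop at the first failure."""
    for cmd in commands:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Values from the thread: Linux host 192.168.1.253 on eth0, router 192.168.1.254.
    cmds = gre_tunnel_commands("wccp0", "192.168.1.253", "192.168.1.254", "eth0")
    if "--apply" in sys.argv:
        apply(cmds)
    else:
        for cmd in cmds:
            print(" ".join(cmd))
        print()
        print(interfaces_stanza("wccp0", "192.168.1.253", "192.168.1.254", "eth0"))
```

Run it without arguments to see the commands and the stanza; run it as root with `--apply` to create the tunnel in place. Validating the endpoints with `ipaddress` before anything is executed catches the typo-in-address case that otherwise only surfaces as a silent tunnel with no traffic.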
This is a nice article but for the life of me I can’t see the GRE tunnel come up automatically. My setup is based on a CentOS 6.4 distro and the setup is almost exactly the same as what you have here. I may have some settings in my router config which may perhaps clash with the GRE tunnel. WCCP checks appear to be correct however.
I have used tcpdump on the wccp0 interface and there doesn’t appear to be any traffic going over it.
I do have an ip nat inside command applied to my router interface and the router does have another ACL which permits the subnet any. I’ve seen other examples of this which appear to use NAT but I prefer this method; just wondering how to troubleshoot this further?
WCCP can be a pain to make work. My plan was to spend 1-2 hours configuring it so I could write a blog post on it, but it took me a full day to get it to work.
If you doubt your router config…please boot up a router in GNS3 with just the minimum configuration required for WCCP; just pick the config that I used. IOS 15 also gives you more show commands for WCCP than 12.4. Did you also check iptables, making sure it’s not blocking any traffic?
I have a Cisco 2921 with c2900-universalk9-mz.SPA.152-4.M5.bin. I configured WCCP to redirect all web traffic through my proxy and it is working fine, but now I want to redirect HTTPS through my proxy and cannot do this. Can you please provide me with some examples or advice on how to do this?
I haven’t tried HTTPS but from what I’ve read you have to enable service 70 to make HTTPS work. Have you tried that?
We have issues setting this WCCP up with VLANs on a Cisco 887VA with Adv IP Services IOS and a GNU/Linux machine with Squid. Is our config correct when applying the ip wccp commands to the VLAN?
interface Vlan10
 description finance
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
interface Vlan20
 description warehouse
 ip address 192.168.20.1 255.255.255.0
 ip wccp web-cache redirect in
 ip nat inside
 no ip virtual-reassembly in
!
interface Vlan30
 description office
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 80 permit 192.168.0.203
access-list 120 remark ACL for WCCP proxy access
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.0.203 any
access-list 120 remark LAN clients proxy port 80 only
access-list 120 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
Our tunnel is up but we cannot ping the other side of the tunnel …
Our show interface output:
VDSL4#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Vlan20 (192.168.20.1)
  MTU 17912 bytes, BW 10000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.30.1
  Tunnel protocol/transport multi-GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1472 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:13:40
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
What is the difference between the IP of “tunnel source” and the “Interface is unnumbered” IP address? How do we modify these IPs?
We got to ping between the two hosts. What are we doing wrong? Is it necessary to apply a route?
Our show ip wccp command output:
VDSL4#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.30.1
        Protocol Version:                    2.00
    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            821
          Process:                           0
          CEF:                               821
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0

VDSL4#show ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          192.168.0.203
        Protocol Version:        2.00
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Connect Time:            00:32:09
        Redirected Packets:
          Process:               0
          CEF:                   929
        GRE Bypassed Packets:
          Process:               0
          CEF:                   0
        Hash Allotment:          256 of 256 (100.00%)
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
It is quite confusing to get this to work …
What do you suggest we should try to troubleshoot?
Thanks in advance for your time !
WCCP is pretty confusing; this tutorial took me about 6 hours from start to finish. I had a lot of troubleshooting to do before this worked…
Your config looks OK and you can see the router is redirecting traffic:
You don’t have to worry about tunnel source and ip unnumbered for the WCCP configuration. When you configure a “normal” GRE tunnel between two routers you have to specify the source and destination of the tunnel yourself; here we don’t have to because WCCP does this for us.
ip unnumbered is about the IP address on the tunnel itself; here’s an example if you are interested:
The Cisco side looks OK…what about Squid? Are you 100% sure it is operational?
Thanks for the advice, Rene.
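The reply above reads the router’s own counters to conclude that redirection is working and the problem must be on the Squid side. As an added example that is not part of the original thread or of any Cisco tool, the script below parses `show ip wccp` and `show ip wccp web-cache detail` output into a short health checklist covering the things that reply looks at: client state, hash allotment, the redirect counter and the ACL deny/bypass counters. The sample text is reconstructed from the output posted earlier in the thread; the check names, the `previous_redirected` comparison and the helper functions are this example’s own choices.

```python
"""Turn `show ip wccp` / `show ip wccp web-cache detail` output into a health
checklist. Added example, not from the original thread or from Cisco; the two
samples below are reconstructed from the output posted in the thread."""
import re

SAMPLE_GLOBAL = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.30.1
        Protocol Version:                    2.00
    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            821
          Process:                           0
          CEF:                               821
        Service mode:                        Open
        Redirect access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0
"""

SAMPLE_DETAIL = """\
WCCP Client information:
        WCCP Client ID:          192.168.0.203
        Protocol Version:        2.00
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Connect Time:            00:32:09
        Redirected Packets:
          Process:               0
          CEF:                   929
        GRE Bypassed Packets:
          Process:               0
          CEF:                   0
        Hash Allotment:          256 of 256 (100.00%)
"""

# "Key: value" with an optional value; keys are words, spaces, '/' and '-' only,
# so a value such as 00:32:09 cannot be mistaken for part of the key.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")


def parse_fields(text):
    """Flatten 'Key: value' lines into a dict.

    'Process:' / 'CEF:' lines belong to the counter heading above them, so they
    are stored as e.g. 'Redirected Packets/CEF' to avoid collisions."""
    fields, block = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in ("Process", "CEF") and block:
            fields[f"{block}/{key}"] = value
        else:
            fields[key] = value
            block = key
    return fields


def parse_wccp(global_text, detail_text):
    g, d = parse_fields(global_text), parse_fields(detail_text)
    return {
        "router_id": g.get("Router Identifier"),
        "clients": int(g.get("Number of Service Group Clients", 0)),
        "redirected_cef": int(g.get("Total Packets Redirected/CEF", 0)),
        "denied_redirect": int(g.get("Total Packets Denied Redirect", 0)),
        "client_id": d.get("WCCP Client ID"),
        "state": d.get("State"),
        "redirection": d.get("Redirection"),
        "hash_allotment": d.get("Hash Allotment", ""),
        "gre_bypassed_cef": int(d.get("GRE Bypassed Packets/CEF", 0)),
    }


def health_checks(info, previous_redirected=None):
    """Return (description, passed) pairs. `previous_redirected` is an earlier
    sample of the redirect counter: a counter that stops climbing while the
    tunnel stays up points away from the router and towards the cache host."""
    checks = [
        ("router sees at least one WCCP client", info["clients"] >= 1),
        ("client state is Usable", info["state"] == "Usable"),
        ("client owns the whole hash space", info["hash_allotment"].endswith("(100.00%)")),
        ("redirect counter is non-zero", info["redirected_cef"] > 0),
        ("no packets denied by the redirect ACL", info["denied_redirect"] == 0),
        ("client has not bypassed packets back over GRE", info["gre_bypassed_cef"] == 0),
    ]
    if previous_redirected is not None:
        checks.append(("redirect counter increased since last sample",
                       info["redirected_cef"] > previous_redirected))
    return checks


if __name__ == "__main__":
    info = parse_wccp(SAMPLE_GLOBAL, SAMPLE_DETAIL)
    for desc, ok in health_checks(info, previous_redirected=700):
        print(f"[{'ok' if ok else '!!'}] {desc}")
```

Feed it two captures taken a minute apart (pass the first capture’s redirect count as `previous_redirected`): if every line reports ok and the counter is still climbing, the router is doing its part and the next place to look is the cache host, exactly as the reply above suggests.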
We will look into the squid config then.
I don’t think it’s valid for CCIE v5.
That’s right. If it was on the list I’ll remove it…it’s not in v5 anymore.
How would you also enable proxy for HTTPS?
And if Linux hosts have multiple interfaces/routes, do I need to manipulate them (to point to the proxy-facing subnet)?
Hmm, good question. I doubt changing the port from 80 to 443 will be enough for this. HTTPS traffic is encrypted, so I think some additional config on the Squid server is required.
If your hosts have multiple interfaces then you need to make sure the router that is configured for WCCP is used as their default gateway, yes.
Proxy is working for HTTP as you see below.
s#show adjacency tunnel 0 detail
Protocol Interface                 Address
IP       Tunnel0                   10.4.1.12(3)
                                   connectionid 1
                                   16 packets, 1376 bytes
                                   epoch 0
                                   sourced in sev-epoch 35
                                   Encap length 28
                                   4500000000000000FF2F0545AC1BFF5E
                                   0A04010C0000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/2.10, addr 10.4.1.12
Guides say I need to create a CA and do all that SSL proxying. But I don’t need to decrypt or intercept. Can I somehow put 443 behind 80?
Because HTTPS uses certificates and a secure connection, you can’t just forward traffic to TCP 443 (HTTPS) to Squid like we do with HTTP traffic.
When a user requests an HTTPS website, it will be forwarded by WCCP to Squid. The Squid server will then create a secure connection with the client and you will need a certificate on the Squid server for this. This certificate also has to be installed on your users’ computers, otherwise they’ll get a warning from their browser that the certificate is untrusted.
Squid will then connect to the HTTPS website, fetch whatever the user has requested and then forward it to the user. Basically the Squid server is a “man in the middle” with this setup.
Because corporations have a proxy behind 80 or 8080 and not a special one for HTTPS/443.
And IT still directs us to dump all HTTPS/443 traffic behind the port 80 proxy without the use of a custom 3rd party cert.
I wonder how they do that. Any idea?
So I guess I want Squid to act like an L3 router for HTTPS/443 traffic?