  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 867

cisco router and squid

Hi there,
I've applied the following commands on a Cisco router to work with Squid ...

ip wccp version 2
access-list 101 permit ip any any
ip wccp web-cache redirect-list 101

And the question is: which direction and which interface should I apply it in?
Is it on the outbound interface of the router or inbound, and which direction ...?
1 Solution
 
nabeel92Author Commented:
Given below is an output of wccp:

r2_core#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   172.16.2.20
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Service mode:                        Open
        Service access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                181
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
0
 
nabeel92Author Commented:
r2_core#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          10.0.9.11
        Protocol Version:        2.0
        State:                   NOT Usable
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      00000000000000000000000000000000
                                 00000000000000000000000000000000
        Hash Allotment:          0 (0.00%)
        Packets s/w Redirected:  0
        Connect Time:            00:00:23
        Bypassed Packets
          Process:               0
          Fast:                  0
          CEF:                   0
          Errors:                0
0
 
nabeel92Author Commented:
That doesn't answer my question ... thanks ;)
0
 
nabeel92Author Commented:
It doesn't which interface is fa 0/0 ... inside interface of the router or outside interface?
0
 
DonbooCommented:
Sorry, I didn't notice that the link referring to Cisco's WCCP guide in the article was broken. I found the site to which it was moved.

http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd305.html
0
 
nabeel92Author Commented:
Can you check out the output below? Why is it showing the WCCP client as not usable?

r2_core#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          10.0.9.11
        Protocol Version:        2.0
        State:                   NOT Usable
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      00000000000000000000000000000000
                                 00000000000000000000000000000000
        Hash Allotment:          0 (0.00%)
        Packets s/w Redirected:  0
        Connect Time:            00:00:23
        Bypassed Packets
          Process:               0
          Fast:                  0
          CEF:                   0
          Errors:                0
0
 
JFrederick29Commented:
Apply the redirect inbound on the interface connected to the PCs (not the Squid box).  You can also apply the redirect outbound on the Internet interface, but then you would have to exclude the Squid box from being redirected, so I would apply it inbound on the PC/LAN interface.

As far as it not being usable, your Squid WCCP configuration is most likely incorrect as the router WCCP config is basic.  You are using GRE forwarding/return or L2?  Using Hash or Mask assignment?  Try GRE/Hash and specify 172.16.2.20 as the home router IP address.
0
 
nabeel92Author Commented:
OK, so now I've applied it on the inside interface (connected to the PCs) as follows

ip wccp version 2

access-list 181 permit ip 10.152.0.0 0.0.0.255 any
access-list 181 deny ip any any

ip wccp web-cache redirect-list 181

interface vlan 10
 ip wccp web-cache redirect in
 ip inspect urlfilter in

Above is my configuration on router for wccp ...

"You are using GRE forwarding/return or L2?  Using Hash or Mask assignment"
Where can I find that out ...?

"Try GRE/Hash and specify 172.16.2.20 as the home router IP address."
Squid is on this Linux box; can you please mention in which file I can check the home router IP address?
0
 
JFrederick29Commented:
Sorry, I'm no Squid expert.  You might want to check linux forums for squid and wccp.  The router configuration is good.  The Squid config is what you can focus on now.
0
 
nabeel92Author Commented:
OK, thanks for that ... I've made a post in a Linux forum ... just one quick question though, when I did

r2_core#sh ip wccp web-cache view
    WCCP Routers Informed of:
        -none-

    WCCP Clients Visible:
        10.0.9.11

    WCCP Clients NOT Visible:
        -none-

The field where it says "WCCP Routers Informed of: -none-": what does this mean? Just curious ...

0
 
JFrederick29Commented:
You should see the router WCCP ID there when the session establishes.
0
 
nabeel92Author Commented:
OK,
when I browsed different forums, I've seen
ip wccp web-cache redirect out (and not in) ... in what scenario do they use the out direction? Logically, the first time I looked at it, I thought that it should be in the 'IN' direction of the 'Inside' interface, but some documents are suggesting that it should be connected to the outside interface (the interface connecting to the Internet) in the out direction ...
I mean, I was just curious as to why and in which scenarios they would be doing that!
0
 
JFrederick29Commented:
You would use the out if you had numerous inside interfaces so you only have to redirect in one place but the thing to note is that you need to deny your proxy IP from being redirected (in your case).

Doing out on the internet interface and in on the inside interface accomplish the exact same thing.  In your case, it is better to do inbound if you only have one inside interface and the proxy hangs off a different interface.  If you had a ton of inside interfaces, redirected out might make more sense.
0
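The two placements JFrederick29 describes (inbound on the LAN interface, or outbound on the Internet interface with the proxy excluded), written out as router configuration. This is an added example, not part of the thread: addresses are taken from the configuration and outputs posted above, while ACL 182, ACL 10 and the interface name FastEthernet0/1 are assumptions. The last stanza also restricts which hosts may register as a cache, since the posted output shows "Group access-list: -none-".

```cisco
! Added example, not from the thread.
! 10.152.0.0/24 = client subnet, 10.0.9.11 = Squid box (WCCP client ID above).
! ACL 182, ACL 10 and FastEthernet0/1 are assumed names.

ip wccp version 2

! --- Option A: redirect inbound on the client-facing interface ---
! Only traffic arriving from the clients is examined, so the proxy's own
! requests (which enter on a different interface) are never redirected.
access-list 181 permit ip 10.152.0.0 0.0.0.255 any
! add one permit line per branch subnet that should be proxied
access-list 181 deny   ip any any
ip wccp web-cache redirect-list 181
!
interface Vlan10
 ip wccp web-cache redirect in
!
! --- Option B: redirect outbound on the Internet-facing interface ---
! Everything leaving toward the Internet is examined, including the proxy's
! own fetches. Deny the proxy first, or its requests loop back to itself.
access-list 182 deny   ip host 10.0.9.11 any
access-list 182 permit ip 10.152.0.0 0.0.0.255 any
access-list 182 deny   ip any any
ip wccp web-cache redirect-list 182
!
interface FastEthernet0/1
 ip wccp web-cache redirect out
!
! --- Either option: limit which hosts may join the service group ---
! With no group-list, any host that can reach the router may register as a
! cache and be handed redirected client traffic. Shown with Option A's list.
access-list 10 permit 10.0.9.11
ip wccp web-cache redirect-list 181 group-list 10
```

Options A and B are alternatives: the web-cache service has a single redirect-list, so configure one or the other, not both.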
 
nabeel92Author Commented:
OK, on my current setup, although I have one inside interface, all the branch sites (about 50 of them) go out to the Internet through that inside interface ... is that OK?
0
 
JFrederick29Commented:
Yeah, just make sure their subnets are included in your redirect list (or remove the redirect list if you want all inside traffic to be redirected).
0
 
nabeel92Author Commented:
Excellent and precise, to the point information ...
0
Question has a verified solution.
