Squid: The Definitive Guide - Duane Wessels [78]
interface Ethernet0/0
ip policy route-map proxy-redirect
IOS doesn't provide much in the way of debugging for policy routing. However, the show route-map command may be sufficient:
router#show route-map proxy-redirect
route-map proxy-redirect, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop 172.16.102.66
  Policy routing matches: 730 packets, 64649 bytes
Web Cache Coordination Protocol
Cisco's answer to layer four switching technology (before they acquired Arrowpoint) is the Web Cache Coordination Protocol (WCCP).[2] WCCP is different from the typical layer four interception in a couple of ways.
First, intercepted packets are encapsulated with GRE (Generic Routing Encapsulation). This simply allows them to traverse subnets, which means Squid doesn't need to be directly connected to the router. Because they are encapsulated, the Squid host must unencapsulate them. Not all Unix systems have the code for unwrapping GRE packets.
The second difference is in how the router decides to spread the load among multiple caches. In fact, the router doesn't make this decision; the cache does. When a router has a group of WCCP-enabled caches, one nominates itself to be the leader. The leader decides how to spread the load and informs the router. This is an extra step that must occur before the router can redirect any connections.
Because WCCP uses GRE, the router may be forced to fragment large TCP packets from HTTP requests. Fortunately, this shouldn't occur very often because most HTTP requests are smaller than the Ethernet MTU size (1500 octets). The default TCP and IP packet headers are 20 octets each, which means an Ethernet frame can carry 1460 octets of actual data. GRE encapsulation adds 20 octets for the GRE header, plus another 20 for the second IP header. Thus a normal 1500-octet TCP/IP packet from the client becomes 1540 octets after encapsulation. This is too large to transmit in a single Ethernet frame, so the router fragments the original packet into two packets.
WCCPv1
The configuration examples in this section were tested on a Cisco 7204 running IOS Version 12.0(5)T. The network configuration is the same as shown in Figure 9-5.
First, enter these two lines in the IOS configuration to enable WCCP for the router:
ip wccp version 1
ip wccp web-cache
Second, you must enable WCCP on individual router interfaces. You should do this only on interfaces where HTTP packets leave the router. In other words, select interfaces that connect to origin servers or your Internet gateway:
interface Ethernet0/1
ip address 172.16.102.129 255.255.255.192
ip wccp web-cache redirect out
Be sure to save your configuration changes.
You may need to use an access list to prevent interception for certain web sites. You can also use the access list to prevent forwarding loops. For example:
! don't re-intercept connections coming from Squid:
access-list 112 deny tcp host 172.16.102.66 any eq www
! don't intercept this broken web site
! ("host" is a 0.0.0.0 wildcard; an extended ACL takes a wildcard mask,
! so "192.16.8.7 255.255.255.255" would match every address, not one host)
access-list 112 deny tcp any host 192.16.8.7 eq www
! allow other HTTP traffic; this permit must be in list 112 (the list the
! redirect-list references), otherwise the implicit deny at the end of
! list 112 prevents any traffic from being redirected
access-list 112 permit tcp any any eq www
ip wccp web-cache redirect-list 112
The router doesn't send any traffic to Squid until Squid announces itself to the router. I explain how to configure Squid for WCCP in Section 9.5.1.
WCCPv2
The standard Squid distribution currently only supports WCCPv1. However, you can find a patch for WCCPv2 on the http://devel.squid-cache.org/ site. This code is still experimental.
Note that the GRE packets sent from the router to Squid contain an additional four octets. WCCPv2 inserts a redirect header between the GRE header and the encapsulated IP packet. You may need to modify your kernel code to account for this additional header.
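The unwrapping that the Squid host's kernel has to do (GRE decapsulation, the extra four-octet WCCPv2 redirect header, and the size check behind the fragmentation discussion above) can be exercised in user space. The following is an added example, not code from the book or from Squid; the router, client and origin addresses and the packet contents are constructed test data, and the WCCPv2 redirect header is modelled only by its length.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800
ETHERNET_MTU = 1500
WCCP2_REDIRECT_HDR = 4   # WCCPv2 inserts 4 octets between GRE header and inner IP packet

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-octet IPv4 header; checksum left zero (constructed test data, never sent).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample(wccp_version, data_len):
    # Constructed client HTTP request (inner IP + 20-octet TCP header to port 80),
    # encapsulated by the router (172.16.102.129) towards Squid (172.16.102.66).
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"G" * data_len
    inner = ipv4_header("10.0.0.5", "192.0.2.10", 6, 20 + len(tcp)) + tcp
    redirect = b"\x00" * WCCP2_REDIRECT_HDR if wccp_version == 2 else b""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + redirect + inner   # no C/K/S flag bits set
    return ipv4_header("172.16.102.129", "172.16.102.66", GRE_PROTO, 20 + len(gre)) + gre

def gre_header_len(gre):
    # RFC 2784/2890: 4 fixed octets, plus 4 each when the checksum (C), key (K)
    # or sequence-number (S) flag bit is set.
    flags = struct.unpack("!H", gre[:2])[0]
    return 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)

def decapsulate(outer, wccp_version=1):
    """Strip outer IP + GRE (+ WCCPv2 redirect header). Returns (inner_packet, overhead_octets)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    gre = outer[ihl:]
    if struct.unpack("!H", gre[2:4])[0] != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    skip = gre_header_len(gre) + (WCCP2_REDIRECT_HDR if wccp_version == 2 else 0)
    inner = gre[skip:]
    if inner[0] >> 4 != 4:
        # A WCCPv2 packet unwrapped with WCCPv1 logic lands here: the redirect
        # header, not an IP header, is where the inner packet was expected.
        raise ValueError("inner packet is not IPv4; check WCCP version in kernel GRE code")
    inner_len = struct.unpack("!H", inner[2:4])[0]
    return inner[:inner_len], ihl + skip

def needs_fragmentation(outer, mtu=ETHERNET_MTU):
    # The router must fragment when the encapsulated packet no longer fits one Ethernet frame.
    return len(outer) > mtu
```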
Debugging
IOS provides a couple of commands to monitor and debug WCCP. The show ip wccp web-cache command provides some basic information:
router#show ip wccp web-cache
Global WCCP information:
Router