Introduction

To increase security, there may be a need to intercept (proxy) typical outbound Internet traffic such as web (HTTP), HTTPS/SSL, FTP, IM (Instant Messenger), and BitTorrent (P2P or peer-to-peer). One way to set up such interception is to introduce a proxy server or similar appliance.

Traditionally, such a proxy server or appliance is set up physically inline, in bridge mode, as in the following diagrams.

1. Single Firewall and Single Router/MSFC

Internet
|
Firewall
|
Proxy Server
|
Router/MSFC
|
LAN

2. Dual Firewall and Dual Router/MSFC as Active/Standby

Internet
     |           Failover connection
Firewall Primary ---------------------- Firewall Secondary
     |                                       |
Proxy Server                                 |
     |           Failover connection         |
Router/MSFC 1 ------------------------- Router/MSFC 2
     |                                       |
     +---------------- LAN ------------------+

With the introduction of WCCP (Web Cache Communication Protocol) technology from Cisco, there is an alternate setup, shown below, which is typically called Transparent mode.

Dual Firewall and Dual Router/MSFC as either Active/Standby or Active/Active

Internet
     |           Failover connection
Firewall Primary ---------------------- Firewall Secondary
     |                                       |
     |                                       |
     |           Failover connection         |
Router/MSFC 1 ------------------------- Router/MSFC 2
     |    |                             |    |
     |    +-------- Proxy Server ------+     |
     |                                       |
     +---------------- LAN ------------------+

Between WCCP or Bridge Mode

As you may notice, bridge mode requires a direct physical connection between the Internet and the LAN. In network topologies with a lot of redundancy (of routing or of physical devices), this bridge-mode design is undesirable. Therefore, typically only small or simple network topologies implement a bridge-mode design.

This FAQ discusses the WCCP implementation, as noted in the FAQ title.

WCCP Support on Routers and Switches

Since WCCP is a Cisco technology, Cisco routers are typically needed to redirect outbound Internet traffic to the proxy server or proxy appliance. When the network has Catalyst 6000/6500 switches with MSFCs, you can also use those MSFCs as the WCCP redirect routers.

There is some WCCP support on lower-end switches such as the Catalyst 4500 and 3550. However, these switches only support the ip wccp redirect in command. Unlike routers or MSFCs, those lower-end switches do not support the ip wccp redirect out command.

This command support is essential to how the WCCP mechanism works in a specific network topology, especially one with multiple VLANs or multiple broadcast domains. With an ip wccp redirect in implementation, the WCCP design can become complex, since you need to consider both internal inter-VLAN traffic and outbound Internet traffic. With an ip wccp redirect out implementation, the WCCP design is much simpler.

Sample Configuration

In this sample configuration, the proxy appliance is a Blue Coat ProxySG running SGOS firmware version 5.2.4.8. The WCCP redirect devices are Cisco routers. The network setup is the Dual Firewall and Dual Router/MSFC as either Active/Standby or Active/Active shown above.

Following is the setup list:
* The WCCP version used is version 2
* GRE is used to deliver the WCCP session between Router 1, Router 2, and the ProxySG appliance, as indicated by the forwarding-type GRE command
* ProxySG port 0 (interface 0:0) terminates at Router 1 and ProxySG port 1 (interface 1:0) terminates at Router 2
* The ProxySG has two service group IDs, 10 and 20, as indicated by the service-group commands. These IDs must match what Router 1 and Router 2 use, as indicated by the ip wccp commands.
* The ProxySG Home Router 1 IP address is 192.168.66.1 (Router 1 interface Loopback0 IP address) and the ProxySG Home Router 2 IP address is 192.168.66.2 (Router 2 interface Loopback0 IP address)
* The intercepted protocol is protocol number 6, which is TCP, as indicated by the protocol command
* The intercepted ports are 80, 21, 443, 554, 5004, 5005, 1755, and 8554, as indicated by the ports command. In other words, the intercepted outbound Internet traffic is TCP port 80 (web), TCP port 21 (FTP), TCP port 443 (https/ssl), TCP port 554 (Real Time Streaming Protocol or RTSP), TCP port 5004 (RTP media data), TCP port 5005 (RTP control protocol), TCP port 1755 (MS streaming), and TCP port 8554 (RTSP Alternate).

The objective of the sample configuration is to maintain a stable WCCP session between Router 1, Router 2, and the ProxySG appliance. The key to maintaining a stable WCCP session is to keep the same Home Router IP address for every WCCP session. This way, any WCCP session initiated from Router 1 always uses Router 1 as the Home Router. Similarly, any WCCP session initiated from Router 2 always uses Router 2 as the Home Router.

Blue Coat ProxySG configuration

1. Interface

interface 0:0
IP Address : 172.17.101.6
Subnet Mask : 255.255.255.0
Default Gateway: 172.17.101.2

interface 1:0
IP Address : 172.17.102.6
Subnet Mask : 255.255.255.0
Default Gateway: 172.17.102.2

2. WCCP

wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability

192.168.66.1 255.255.255.255 172.17.101.2
192.168.66.2 255.255.255.255 172.17.102.2
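The two host routes above are what keep each WCCP session pinned to its own Home Router: without them, the ProxySG would reach both loopback addresses through its default gateway on interface 0:0. The following is an added example, not code from the FAQ, Blue Coat or Cisco; it models the ProxySG's route lookup as a plain longest-prefix match over the addresses given in this FAQ, and it assumes (as a simplification) that the single active default gateway is interface 0:0's gateway, 172.17.101.2.

```python
"""Added example (not from the FAQ or Blue Coat): a longest-prefix-match
route lookup over the ProxySG routing table, showing why the two host
routes in section 3 are needed so that traffic to each Home Router leaves
through the interface that faces that router."""
from ipaddress import IPv4Address, IPv4Network

# Connected subnets of the two ProxySG interfaces (from section 1 of the FAQ).
INTERFACES = {
    "0:0": IPv4Network("172.17.101.0/24"),
    "1:0": IPv4Network("172.17.102.0/24"),
}

# Route table entries: (destination prefix, next hop).
# Assumption: the active default gateway is interface 0:0's gateway.
DEFAULT_ROUTE = (IPv4Network("0.0.0.0/0"), IPv4Address("172.17.101.2"))
# The two host routes from section 3 of the FAQ.
HOME_ROUTER_ROUTES = [
    (IPv4Network("192.168.66.1/32"), IPv4Address("172.17.101.2")),
    (IPv4Network("192.168.66.2/32"), IPv4Address("172.17.102.2")),
]

HOME_ROUTERS = ("192.168.66.1", "192.168.66.2")


def egress_interface(next_hop):
    """Return the interface whose connected subnet contains the next hop."""
    for name, net in INTERFACES.items():
        if next_hop in net:
            return name
    raise ValueError(f"no connected subnet for next hop {next_hop}")


def lookup(dest, routes):
    """Longest-prefix match: the most specific matching prefix wins.
    Returns (next_hop, egress_interface)."""
    dest = IPv4Address(dest)
    best = None
    for net, next_hop in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1], egress_interface(best[1])


def home_router_paths(with_static_routes):
    """Map each Home Router address to the (next_hop, interface) the ProxySG
    would use, with or without the two host routes installed."""
    routes = [DEFAULT_ROUTE] + (HOME_ROUTER_ROUTES if with_static_routes else [])
    return {hr: lookup(hr, routes) for hr in HOME_ROUTERS}


if __name__ == "__main__":
    for installed in (False, True):
        print("host routes installed:", installed)
        for hr, (next_hop, iface) in home_router_paths(installed).items():
            print(f"  {hr} -> next hop {next_hop} via interface {iface}")
```

Without the host routes, the lookup sends traffic for 192.168.66.2 (Router 2's loopback) out interface 0:0 towards Router 1; with them, it leaves interface 1:0 towards Router 2, which is the behaviour the FAQ's objective of a constant Home Router per session depends on. On the router side, show ip wccp and show ip wccp 10 detail are the IOS commands to confirm that the service group is up and sees the ProxySG.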

WCCP Router configuration

Router 1

ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 1
ip address 192.168.66.1 255.255.255.255
!
interface FastEthernet0
description Facing Internet Firewall Primary
ip address 172.17.0.2 255.255.255.0
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Blue Coat ProxySG interface 0:0 gateway
ip address 172.17.101.2 255.255.255.0
!
interface FastEthernet2
description LAN
ip address 172.17.5.2 255.255.255.0
!
router rip
version 2
network 172.17.0.0
default-information originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.17.0.4 name Internet_Firewall_Primary_IP_Address

Router 2

ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 2
ip address 192.168.66.2 255.255.255.255
!
interface FastEthernet0
description Facing Internet Firewall Secondary
ip address 172.17.0.3 255.255.255.0
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Blue Coat ProxySG interface 1:0 gateway
ip address 172.17.102.2 255.255.255.0
!
interface FastEthernet2
description LAN
ip address 172.17.5.3 255.255.255.0
!
router rip
version 2
network 172.17.0.0
default-information originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.17.0.5 name Internet_Firewall_Secondary_IP_Address

Apply WCCP-based Interception Only On Specific Subnet

Typically you want all LAN machines, or everything behind the Internet firewall, to be intercepted by the proxy server or appliance. In some cases, there may be some LAN machines that should not be intercepted or cached by the proxy.

You can accomplish the intercept/cache exception through either the proxy server itself or WCCP. When you decide to have the proxy server do the intercept/cache exception, you typically need to create some kind of intercept/cache policy that contains all machine IP addresses to be excluded from interception/caching, while another policy intercepts/caches all other machines.

Should you decide to let WCCP do the intercept/cache exception, you can accomplish it by applying an ACL to the ip wccp commands as follows.

Router 1

ip wccp version 2
ip wccp 10 redirect-list 60
ip wccp 20 redirect-list 60
!
interface Loopback0
description Blue Coat ProxySG Home Router 1
ip address 192.168.66.1 255.255.255.255
!
interface FastEthernet0
description Facing Internet Firewall Primary
ip address 172.17.0.2 255.255.255.0
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Blue Coat ProxySG interface 0:0 gateway
ip address 172.17.101.2 255.255.255.0
!
interface FastEthernet2
description LAN
ip address 172.17.5.2 255.255.255.0
!
router rip
version 2
network 172.17.0.0
default-information originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.17.0.4 name Internet_Firewall_Primary_IP_Address
!
access-list 60 remark WCCP interception/cache exception
access-list 60 deny 10.0.0.0 0.255.255.255
access-list 60 permit any

In the above sample configuration, all machines with IP addresses of 10.x.x.x are excluded from WCCP interception/caching, while all other machines' IP addresses are intercepted/cached. Note that a standard ACL such as access-list 60 matches on the source address only, and that an ACL with no matching entry denies implicitly, so the closing permit any is what keeps every other machine intercepted.
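To make the redirect-list and service-group logic concrete, here is an added example (not code from the FAQ, Cisco or Blue Coat) that models the decision a WCCP router makes for a packet leaving the ip wccp ... redirect out interface: the redirect-list ACL is evaluated first, with Cisco wildcard-mask and first-match semantics, and only permitted packets are then compared against the protocol and port set of each service group configured on the ProxySG above. It lists every service group a packet matches; the router itself hands a packet to a single service according to service priority, which this model does not decide.

```python
"""Added example (not from the FAQ, Cisco or Blue Coat): a model of the
WCCP redirect decision on the 'redirect out' interface.  The redirect-list
(standard ACL 60) is checked first, then the service groups' protocol/port
sets.  Packets the ACL denies are forwarded normally, never to the proxy."""
from ipaddress import IPv4Address

# Standard ACL 60 from the FAQ, in order, as (action, network, wildcard).
# 'permit any' is network 0.0.0.0 with wildcard 255.255.255.255.
ACL_60 = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Service groups as configured on the ProxySG above; protocol 6 is TCP.
SERVICE_GROUPS = {
    10: {"protocol": 6, "ports": {80, 21, 443, 554, 5004, 5005, 1755, 8554}},
    20: {"protocol": 6, "ports": {80}},
}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src):
    """First matching entry decides; an ACL with no match implicitly denies."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


def redirect_decision(src, protocol, dport, acl=ACL_60, groups=SERVICE_GROUPS):
    """Return the sorted IDs of the service groups that would redirect a packet
    with this source address, IP protocol and destination port, or [] if the
    packet is forwarded normally (ACL denied, or no group matches)."""
    if not acl_permits(acl, src):
        return []
    return sorted(gid for gid, g in groups.items()
                  if g["protocol"] == protocol and dport in g["ports"])


if __name__ == "__main__":
    # Constructed sample flows: (source, protocol, destination port).
    samples = [
        ("10.1.2.3", 6, 80),      # excluded by the deny 10.0.0.0/8 entry
        ("172.17.5.20", 6, 80),   # LAN host, web: both groups list port 80
        ("172.17.5.20", 6, 443),  # LAN host, https: group 10 only
        ("172.17.5.20", 17, 80),  # UDP is not protocol 6, never redirected
        ("172.17.5.20", 6, 22),   # SSH is not an intercepted port
    ]
    for src, proto, port in samples:
        groups = redirect_decision(src, proto, port)
        verdict = f"redirect via service group(s) {groups}" if groups else "forward normally"
        print(f"{src:>12} proto {proto:>2} dport {port:>4}: {verdict}")
```

The same function is a useful check when adding more deny entries to the redirect-list: run the addresses you intend to exclude and a few you intend to keep intercepted through it before changing the router, since an entry placed after permit any is never reached.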

Further Info

ProxySG TechBrief Implementing WCCP With ProxySG
How to Configure a Cache Engine for Reverse-Proxy Caching Using WCCP with Layer 3 GRE
Configuring WCCP Layer 2 Redirects on a Cisco Content Engine and Catalyst 6000 Switch
WCCP Troubleshooting for Transparent Caching
Troubleshooting Reverse Transparent Caching for WCCP

Feedback received on this FAQ entry:
  • Does redirecting outbound have a negative performance impact on the traffic and/or the 6500 switch? Cisco recommends redirecting inbound; however, like you mentioned, that can be complex or not feasible in certain environments. I'd be curious to hear any thoughts, experiences, etc. regarding redirecting outbound on a 6500.

    2011-04-21 18:37:12

  • Awesome!!! After a day of struggling with a pair of 6509s and an S510, following your guide on using the router identifier IP and explicit routes solved my WCCP woes! Thanks, Gav.

    2009-06-03 11:40:06

by aryoba
last modified: 2009-06-25 08:57:00