Friday 1 November 2013

Wow, has it been that long + basic WCCP

It's been over a year since I wrote the last blog update. Where has the time gone?
 
Since then, life has been a little crazy.  A new job for starters.  I've learnt and experienced too much to list here - maybe one day, I'll get around to it.  But for now, I thought I'd drop a quick WCCP config in here to reference later.
 
The scenario is that guest wifi is being rolled out.  The guests are tunnelled into the DMZ and once there, they can access the internet.  The customer would like some relatively simple transparent proxy or filtering capability and so WCCP was common across both the layer 3 switch and proxy appliance.
 
I've cut and pasted most of this from my own documentation, so apologies if it's not 'blog friendly'.
 
__________________________________________________________________________________________________


What is all this about?

 

WCCP stands for Web Cache Communication Protocol.  It is a Cisco developed content-routing protocol that provides the mechanism to redirect traffic in real-time.  In RDaSH’s network environment, this is used to redirect Guest WiFi traffic to a proxy server – without the need to manually configure a proxy server in each device (practically impossible with Guest WiFi access).  The technology can work one of two ways; either redirecting using a GRE tunnel, or rewriting the MAC to that of the local engine (called Layer 2 redirect).

 

There are two versions of WCCP (v1 and v2, surprisingly). Version 1 only supports HTTP (TCP port 80) traffic flows, whereas v2 supports up to 255 different service groups (such as HTTPS). Version 2 should be used where possible.

 

Configuring a Cisco 3750x Layer 3 switch

 

ip wccp version 2
ip wccp web-cache password guest redirect-list 45 group-list 44
ip wccp 70 password guest redirect-list 45 group-list 44
ip wccp web-cache password guest

 

Here we are turning on WCCP and setting the version. We then tell the device which 'services' to run with WCCP. Normal port 80 traffic is called 'web-cache', so we define that. We then define an additional service called '70', which is actually an https-cache service. We set the password to use with the WCCP service; this is defined on the proxy/filter as well, so both ends have some relatively simple security. The final parts are 'redirect-list', which references an ACL in order to match the traffic we want redirected (typically the client range), and 'group-list', which references a different ACL matching the defined cache engines, or in our case specifying the proxy/filter.

 

interface Vlan666
 ip wccp web-cache redirect in
 ip wccp 70 redirect in

 

At this point we define the interface on which WCCP should begin to redirect the traffic we have asked to be sent to the proxy. Note that 'in' is the direction specified: in order to leave VLAN 666, guest traffic comes into the VLAN's L3 interface before heading out to the internet, so redirection is applied inbound on that interface. We also list both services to redirect that we configured earlier.

 

access-list 44 permit 192.168.144.4 0.0.0.0
access-list 44 remark **Sophos appliance for guest WCCP**

access-list 45 permit 192.168.145.0 0.0.0.127
access-list 45 remark **DHCP Guest WiFi range for WCCP**

 

The ACLs referenced earlier contain the client range to redirect (45) and the address of the appliance/cache engine (44).
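To see exactly which flows the configuration above hands to WCCP, here is an added example (not from the original post) that models the two ACLs with Cisco wildcard-mask semantics and the two service groups applied inbound on Vlan666. The TCP port for service 70 (443) is an assumption, since the post only calls it an https-cache service.

```python
# Added example: which guest flows does the 3750X hand to WCCP?
# Cisco wildcard masks are inverse masks: a 0 bit must match, a 1 bit is don't-care.
import ipaddress
from typing import Optional

# Constructed from the post's ACLs: 44 = group-list (cache engines),
# 45 = redirect-list (guest client range, 192.168.145.0-127).
ACL_44 = [("192.168.144.4", "0.0.0.0")]
ACL_45 = [("192.168.145.0", "0.0.0.127")]

# Service groups redirected inbound on Vlan666 -> TCP destination port they match.
# web-cache is TCP/80 by definition; 443 for service 70 is an assumption.
SERVICES = {"web-cache": 80, "70": 443}


def wildcard_match(addr: str, entry: tuple) -> bool:
    """Cisco ACL semantics: compare only the bits that are 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    base, wild = (int(ipaddress.IPv4Address(x)) for x in entry)
    care = 0xFFFFFFFF ^ wild
    return (a & care) == (base & care)


def acl_permits(acl, addr: str) -> bool:
    """Standard ACL: first matching permit wins; no match means implicit deny."""
    return any(wildcard_match(addr, entry) for entry in acl)


def is_cache_engine(addr: str) -> bool:
    """group-list 44: only these addresses may join the WCCP service group."""
    return acl_permits(ACL_44, addr)


def redirected_service(src: str, dst_port: int) -> Optional[str]:
    """Name of the WCCP service a TCP flow entering Vlan666 is redirected to, or None.

    Only sources permitted by redirect-list 45 are candidates; everything else
    is routed normally.  Non-service ports (e.g. SSH) are never redirected.
    """
    if not acl_permits(ACL_45, src):
        return None
    for name, port in SERVICES.items():
        if port == dst_port:
            return name
    return None


if __name__ == "__main__":
    for src, port in [("192.168.145.100", 80), ("192.168.145.200", 80), ("192.168.145.10", 22)]:
        print(src, port, "->", redirected_service(src, port))
```

Note that the wildcard 0.0.0.127 covers only 192.168.145.0-127, so a guest at .200 would bypass the proxy; check the DHCP scope against the ACL.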

 

Pitfalls

 

Unsurprisingly this solution did not work out of the box on the 3750X, and hopefully these pointers may assist you. I'm not laying the blame totally at Cisco's door, however; there was some Sophos research required as well.

 

SDM prefer

By default the 3750X uses the 'desktop default' template. In short, the Switch Database Management (SDM) template doesn't allocate resources under this default template to do any form of WCCP (it's actually PBR via the TCAM which is responsible for WCCP). Thus you need to change the template using 'sdm prefer routing'. This requires a switch reboot.

 

IP routing

Obviously make sure IP routing is enabled!

 

Re-direction method

The 3750X only supports L2 redirection and not GRE, so make sure your appliance is set to L2.

 

Things in different subnets

I'd read that you need to have clients, cache servers etc. in different subnets for WCCP redirection to work, but this seems unfounded, at least when using L2 as the redirect and return method. Maybe this is only evident when using GRE, which the 3750X doesn't support, so I couldn't test it anyway.

 

Fast Timers (Headache – take note)

In other words, the keepalive time interval. The Sophos web appliance didn't like this feature, which I'm informed is standard on Cisco firmware later than 2012 or WCCP v2 rev1. There was no indication that this was to blame on the switch and no indication on the appliance either.

What you will see is that traffic isn't redirected. Instead, when issuing 'show ip wccp', 'Total Packets Unassigned' will increment. Cisco documentation just states that this means the 'cache engine' can't be contacted for whatever reason. Not much to go on.

To fix the problem, you must issue the command 'no ip wccp variable-timers' (it's a hidden command, so using ? won't help). As if by magic, it all works fine after that! Maybe a Sophos related problem... but there you go.
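The symptom above (redirection silently not happening while 'Total Packets Unassigned' climbs) is easy to miss by eye, so here is an added example, not from the original post, that compares two 'show ip wccp' snapshots and flags services whose unassigned counter grows while no cache engine is registered. The sample output is constructed; only the 'Service Identifier' and 'Total Packets Unassigned' names are taken from the post, and the other field labels are approximations of the IOS layout.

```python
# Added example: spot a WCCP service whose cache engine has stopped talking to the
# switch by diffing two captures of `show ip wccp` taken a minute apart.
import re
from typing import Dict, List, Tuple

# Constructed sample captures (layout approximated, values invented).
SNAP_T0 = """\
Global WCCP information:
    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Total Packets Unassigned:            1200
    Service Identifier: 70
        Number of Service Group Clients:     1
        Total Packets Unassigned:            300
"""
SNAP_T1 = """\
Global WCCP information:
    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Total Packets Unassigned:            1850
    Service Identifier: 70
        Number of Service Group Clients:     1
        Total Packets Unassigned:            300
"""

SERVICE_RE = re.compile(r"^\s*Service Identifier:\s*(\S+)")
COUNTER_RE = re.compile(r"^\s*(Number of Service Group Clients|Total Packets Unassigned):\s*(\d+)")


def parse_wccp(text: str) -> Dict[str, Dict[str, int]]:
    """Return {service: {"clients": n, "unassigned": n}} from a show ip wccp dump."""
    services: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:                      # a new per-service block starts here
            current = m.group(1)
            services[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            key = "clients" if m.group(1).startswith("Number") else "unassigned"
            services[current][key] = int(m.group(2))
    return services


def stalled_services(before: str, after: str) -> List[Tuple[str, int]]:
    """Services where unassigned packets grew and no cache engine is registered."""
    b, a = parse_wccp(before), parse_wccp(after)
    flagged = []
    for svc, stats in a.items():
        delta = stats.get("unassigned", 0) - b.get(svc, {}).get("unassigned", 0)
        if delta > 0 and stats.get("clients", 0) == 0:
            flagged.append((svc, delta))
    return flagged
```

Run it against two real captures and a non-empty result is the cue to look at the keepalive timers (or the password, group-list, or SDM template) before blaming the appliance.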

 

Further information

 
When viewing debugs on WCCP you will see a lot of packets sent with HIA and ISY in the description. If you research these, you'll see this is the fundamental way in which WCCP communication is established. HIA = here I am & ISY = I see you.

Should the need arise to create/filter different WCCP service identifiers then use the table below. YOU MUST also ensure that the filter/proxy/appliance is capable of reading these identifiers as well, otherwise redirection will not work.




1 comment:

  1. After several annoying weeks trying to get to the bottom of an identical issue I stumbled across your post. Thanks so much, that hidden command worked a treat!!
