Cisco WCCP Squid Transparent Proxy

WCCP (Web Cache Communication Protocol) is a Cisco protocol that lets you redirect web traffic from clients to a proxy server. Using a proxy server has several advantages:

  • Caching: Reduces network bandwidth because web traffic that has been requested before can be retrieved from the proxy cache instead of requesting it again from the Internet.
  • Filtering: All web traffic goes through the proxy server first so you can filter certain websites.
  • Monitoring: If you want to know what your users are doing you can track this on the proxy server.

WCCP is used between a Cisco router and a proxy server to communicate. The proxy server will tell the router that it is “alive” and ready to serve webpages. It’s also used as a “hello” message so the router knows when the proxy is down. The router is called the WCCP server, and the proxy is called the WCCP client.

In this lesson, I will first explain the basics of how WCCP forwards traffic to the proxy and then show you the Cisco router’s configuration and the proxy using Squid on Linux.

At the end of this lesson, I also have wireshark captures that show you the exact traffic path from the client to a host on the Internet with the proxy in between. Let’s get started, shall we?

WCCP Transparent Proxy Traffic Flows

To demonstrate this, I will use the following topology: a small network that has a Cisco router, a host that will browse the Internet, and a Squid proxy server:

wccp cisco small network

The router and proxy server are both running WCCP. The squid proxy server will announce itself to the router using UDP port 2048 and the router will respond:

cisco wccp messages between router proxy

When the host wants to browse the Internet it will create a TCP SYN packet for the destination which will end up at the router:

wccp host sending tcp syn

Without WCCP, the TCP SYN would be forwarded to the Internet because we are running WCCP, something else will happen. The router will forward the TCP SYN from the host to the proxy server:

wccp host tcp syn to proxy

To make sure that the original packet does not change it will use a GRE tunnel for this. Normally GRE is used when the proxy server is on another subnet, when the proxy server is on the same subnet you can also use layer 2 redirection. The proxy server will check its cache and see if it has served the requested webpage before:

wccp proxy retrieving http from internet

When it doesn’t have anything in its cache, the proxy server will contact the web server on the Internet and request the webpage that the host was looking for. Once this process is done, it can serve the webpage to the host:

wccp proxy sends syn ack to host

Once the proxy server has the webpage, it will send a TCP SYN ACK to the host that is still waiting for the webpage. The important part here is that the source IP address of this packet is the IP address of the host on the Internet, NOT the proxy server! From the host’s perspective, it thinks that it is talking directly to the web server, and it has no idea that there is a proxy server in the network. This is what we call a transparent proxy.

You now have an idea of how WCCP and proxying work, let’s look at the configuration of the proxy server and the Cisco router. I will use the topology that I just showed you for this demonstration.

Squid Proxy Configuration

Squid is a very popular proxy server that is used by a lot of ISPs. It supports HTTP, HTTPS, FTP, and of course WCCP. In my example, I used Linux CentOS 6.5, but the configuration on Ubuntu or any other Linux distribution is pretty much the same.







The first thing I will do is disable SELinux. It’s a good thing for security, but it can be a pain when you are troubleshooting:

# vim /etc/sysconfig/selinux

Change the line that says “SELINUX=enforcing” to this:

SELINUX=disabled

Just in case, reboot your server and install Squid:

# yum install squid

Squid is in the default repositories so we don’t have to worry about compiling it ourselves. Just to be sure, you should check if your version supports WCCP. You can do this with the following grep command:

# squid -v | grep enable-linux-netfilter | grep enable-wccpv2

If you see some output…good! Your squid version supports WCCP. If not…use another repository or compile it yourself with these options.

Even with a default configuration, squid will work. Let’s start it and see what it does:

# service squid start
Starting squid: ....                                       [  OK  ]

After a reboot, we want to make sure that squid is still running. You can use chkconfig for this:

# chkconfig squid on

You can find all log files for squid in the /var/log folder. Let’s check if squid is having any issues:

# cat /var/log/squid/squid.out

The “squid.out” log file contains all the errors. If you didn’t configure a hostname, it will spam your log with this message:

WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.

Don’t worry about this. We will fix it in a minute. This message doesn’t cause any errors, but it does fill your log.

By default, IPtables will only allow incoming SSH traffic. We need to make a couple of changes here:

# vim /etc/sysconfig/iptables

Squid uses TCP port 3128 by default, I want to make sure that whenever someone connects to port 80 it will be redirected to port 3128. You can do this by adding some NAT rules:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT

In the filter section, you should add a line that allows incoming connections to TCP port 3128:

-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT

And don’t forget to add an entry that allows GRE traffic between the Cisco router and Squid:

-A INPUT -s 192.168.1.254 -d 192.168.1.253 -p gre -j ACCEPT

To make your life a bit easier, here is what my IPtables configuration looks like:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:4348]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.254 -d 192.168.1.253 -p gre -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reboot IPtables when you are done to load the new rules:

# service iptables restart

Squid and IPtables are now ready. This is a good moment to test a few things…we can request a webpage from the proxy server to check if squid is working:

# squidclient -h 192.168.1.253 -p 3128 https://networklessons.com
HTTP/1.0 200 OK
Server: nginx/1.7.1
Date: Wed, 04 Jun 2014 10:52:19 GMT
Content-Type: text/html
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: public
Cache-Control: max-age=3600, public
ETag: f80d592b1d8bbf43428e22e2aa567be7
Age: 18
X-Cache: HIT from localhost
X-Cache-Lookup: HIT from localhost:3128
Via: 1.0 localhost (squid/3.1.10)
Connection: close

You can use squidclient to request a webpage. We now know that we can reach a web server on the Internet and that Squid is checking its cache to see if it can serve the webpage. So far, so good!

Another good method to check if squid is working is to use a host, for example, a Windows 7 computer. Open up your control panel and select Internet Options:

Windows 7 Control Panel

Select the “Connections” tab and hit the “LAN settings” button:

Windows 7 Internet Options LAN Settings

Uncheck the “Automatically detect settings” button and enter the IP address and port of the squid proxy server:

Windows 7 Internet Options Proxy Settings

Click “OK” and open up your web browser, fire up some websites, and check the log file to see what is going on:

# tail /var/log/squid/access.log

You will see something like this:

1401879800.886    993 192.168.1.1 TCP_MISS/200 13273 GET https://networklessons.com/ - DIRECT/95.85.36.216 text/html

The “TCP_MISS” means this webpage wasn’t served from the cache. Anyway, we verified that Squid is working with its default settings. It’s time to make some changes so it supports WCCP. Make sure to remove the proxy server settings from your computer before you continue!

The entire squid configuration is in a single file:

# vim /etc/squid/squid.conf

Look for this line:

http_port 3128

And uncomment it:

#http_port 3128

Now you need to add the following lines:

visible_hostname Squid
http_port 3128 intercept
wccp2_router 192.168.1.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

The visible_hostname line is used to give the proxy server a name. Mine is called “Squid”. I did this so the error message I showed you earlier doesn’t show up in the log anymore.  We are still using TCP port 3128, but I added intercept.  The remaining lines are to enable WCCP, configure the IP address of the Cisco router, and to use GRE. Save your configuration and exit, we need to create the GRE interface:

# vim /etc/sysconfig/network-scripts/ifcfg-wccp0

Add the following lines:

DEVICE=wccp0
TYPE=GRE
DEVICETYPE=tunnel
ONBOOT=yes
MY_INNER_IPADDR=192.168.1.253
MY_OUTER_IPADDR=192.168.1.253
PEER_OUTER_IPADDR=192.168.1.254

I called my tunnel “wccp0” but you can pick whatever you like. It also doesn’t matter much what IP address you pick for the inner IP address since it won’t be used. I will show you what I mean once we examine the wireshark captures. Save the configuration and enable the tunnel interface:

# ifup wccp0

CentOS (and probably most Linux distributions) don’t allow IP forwarding by default, so we need to enable it ourselves. Open the following file:

# vim /etc/sysctl.conf

And change the line below from 0 to 1:

net.ipv4.ip_forward = 1

And we need to add two additional lines:

net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0

CentOS has enabled strict RPF (Reverse Path Forwarding) by default. We need to disable this, or you will see some packet drops.

That’s all you have to configure on the squid proxy server, and it’s a good moment to reboot the entire server. Let’s look at the Cisco router!

Cisco Router Configuration

Configuring WCCP is pretty straightforward. I do have to mention that there are some slight differences between IOS 12.4 and IOS 15.x. Configuration-wise, it’s the same, but there are a few more show commands on IOS 15.x. In my example, I used a 2811 router running IOS 15.1(4)M6.

First, we will enable version 2:

WCCP(config)#ip wccp version 2

I will create two access lists. One to define what proxy servers we allow and another one to select the hosts that we allow. Here’s the proxy server:

WCCP(config)#ip access-list standard SQUID_SERVER 
WCCP(config-std-nacl)#permit 192.168.1.253

And here’s the ACL for the proxy users. The squid proxy server is in the same subnet, so I make sure not to redirect that traffic. All the other traffic from 192.168.1.0 /24 heading towards TCP port 80 will be redirected:

WCCP(config)#ip access-list extended PROXY_USERS
WCCP(config-ext-nacl)#deny tcp host 192.168.1.253 any
WCCP(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 80
WCCP(config-ext-nacl)#deny ip any any

To activate the access lists for WCCP you need to use the following command:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 785 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

1527 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. Heya,

    is it possible to use a HSRP pair instead of a single Cisco device? I guess it’s not possible to terminate a GRE on a HSRP VIP …

    Cheers
    Ben

  2. Hi Ben,

    I haven’t tried it but it seems to be possible. This is from the Cisco website:

    When you configure WCCP for use with the Hot Standby Router Protocol (HSRP), you must configure the WAE with the HSRP or the Virtual Router Redundancy Protocol (VRRP) virtual router address as its default gateway, and the WAE WCCP router-list with the primary address of the routers in the HSRP group.

    Rene

  3. May you help me to create GRE Tunnel on Debian Wheezy 7.2 please.
    I try several times but I can’t arrive to set it up.
    I don’t see /etc/sysconfig/selinux in debian to set selinux=disabled

  4. Hi Jam,

    Only CentOS uses selinux by default, no need to worry about it in Ubuntu. Configuration of the GRE tunnel is a bit different though.

    If you want to create a GRE tunnel from the command-line you can try this:

    ip tunnel add wccp0 mode gre remote 192.168.1.254 local 192.168.1.253 dev eth0
    ifconfig wccp0 192.168.1.253 netmask 255.255.255.255 up
    

    If you want to make this permanent, you can create an entry in /etc/network/interfaces or put the above lines in a script that runs at startup.

    Rene

  5. This is a nice article but for the life of me I can’t see the GRE tunnel come up automatically. My setup is based on a CentOS 6.4 distro and the setup is almost exactly the same as what you have here. I may have some settings on my router config which may perhaps clash with the GRE tunnel. WCCP checks appear to be correct however.

    I have used tcpdump on the wccp0 interface and doesn’t appear to be any traffic going over it.
    I do have an ip nat inside command applied to my router interface and the router does have another ACL which permits the subnet any. I’ve s

    ... Continue reading in our forum

17 more replies! Ask a question or join the discussion by visiting our Community Forum