WCCP?
W
eb Cache Communication Protocol is something that, in the most simple sense, can be referred to as layer 4 routing, just like Policy Based Routing (PBR). I refer to it like that so it’s clear on which layer you’re going to have to think for this article.

PBR has the advantage that you can check incoming traffic on an interface, and depending on the layer 3 and layer 4 source and destination information, you can influence the next hop. WCCP is a specialization and automation of this process: specialization, because it works for proxies (oh, and WAN accelerators) and certain ports only, and automation, because somewhat similar to a routing protocol, the routers and proxies communicate using WCCP.

I assume it’s clear what a proxy is: a server that requests a webpage on behalf of a client computer. The proxy can filter inappropriate content, cache it to speed up other requests to the same website, and some even have an anti-virus scan build in.

While WCCP is developed by Cisco, it’s been adapted by many proxy vendors. I’m going to use the open-source Squid, running on OpenBSD. Since I’m mainly interested in WCCP, I did a basic Squid install, and tweaked the WCCP parameters in the config file (/etc/squid/squid.conf).

Now how does it exactly work? Well, the proxies advertise their proxy capabilities using a WCCP ‘Here I am’ frame. If configured correctly, the routers respond with an ‘I see you’ frame. I’m not making up these names: I’ve uploaded a capture of this on CloudShark. Since it’s possible that the proxy and the router(s) do not share the same subnet, UDP port 2048 is used.

Once a router or multilayer switch and a proxy see each other, the router checks the parameters advertised by the proxy: what can it do? Proxy for http, https, and/or ftp? If it’s considered interesting (matching the desired features), the router starts forwarding traffic for those specific services (ports) towards the proxy. Because the router starts forwarding based on layer 4 information, the clients are unaware of this and don’t need any proxy configured in the browser. It can do forwarding in one of two ways: a GRE tunnel or directly on layer 2. Layer 2 requires the proxy and the router to share a subnet or VLAN, and this method is widely supported by layer 3 switches. The GRE tunnel method is usually supported by routers.

Topology
The topology uses three VLANs: one for the clients, one for the proxy, and one towards the gateway.
WCCPBecause I’m using a multilayer switch as WCCP Router, which only supports layer 2 forwarding of WCCP, the proxy has to be in a different subnet, as the switch somehow refuses to do a MAC address rewrite of the frame on the same interface. The proxy has to have internet access too of course, as it will do the connections to the web servers on behalf of the clients. The connection to the gateway is a third VLAN, or a layer 3 interface on the switch towards the gateway (remember ‘no switchport’?).

Configuration
As said, I’m going to focus mostly on the WCCP Router here. I’m going to use the following parameters: the standard service ‘web-cache’ (which are basic proxy capabilities for http, more advanced configuration require a custom service group with parameters which will be included in the WCCP frames), layer 2 forwarding, and unicast WCCP frames. In the Squid.conf file these are all configurable options, with extra information present in the file itself.
Assuming 192.168.168.0/24 for the clients, and 192.168.163.0/24 for the proxy, with the Squid at .5, the configuration is as following:

WS-C3560-8PC(config)#interface Vlan163
WS-C3560-8PC(config-if)#ip address 192.168.163.1 255.255.255.0
WS-C3560-8PC(config-if)#exit
WS-C3560-8PC(config)#ip access-list standard ACL-WCCP
WS-C3560-8PC(config-std-nacl)#10 permit 192.168.163.5
WS-C3560-8PC(config-std-nacl)#exit
WS-C3560-8PC(config)#ip access-list standard ACL-PROXY
WS-C3560-8PC(config-std-nacl)#10 permit 192.168.168.0 0.0.0.255
WS-C3560-8PC(config-std-nacl)#exit
WS-C3560-8PC(config)#ip wccp web-cache
WS-C3560-8PC(config)#ip wccp web-cache redirect-list ACL-PROXY group-list ACL-WCCP
WS-C3560-8PC(config)#interface Vlan168
WS-C3560-8PC(config-if)#ip address 192.168.168.1 255.255.255.0
WS-C3560-8PC(config-if)#ip wccp web-cache redirect in
WS-C3560-8PC(config-if)#exit

The ACL-WCCP defines the WCCP clients which may be used, and the ACL-PROXY defines the clients that can use the redirect service (you can exclude certain clients this way). Note that both are standard ACLs, using an extended ACL didn’t work.
The discovery of an interesting proxy comes with a nice syslog:

%WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP Client 192.168.163.5

After that the switch starts sending the http frames towards the proxy, who does the rest.

I have to admit, I had a great deal of help from the people of Networking-forum.com, and in particular Steven King who has explained WCCP in great detail.

Advertisements