Need help understanding how WCCP 2 works with GRE
1. FreeBSD 8.1 built with PF support, gre0 is not working!
#PacketFilter support
device pf
device pflog
device pfsync
#Queuing support (required by PF)
options ALTQ
options ALTQ_RED
options ALTQ_CBQ
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
[server:~] # cat /etc/pf.conf
rdr on gre0 proto tcp from 192.168.41/28 to any port 80 -> 127.0.0.1 port 3128
rdr on gre0 proto tcp from 192.168.42/26 to any port 80 -> 127.0.0.1 port 3128
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
ether 00:09:6b:b7:94:17
inet 192.168.41.3 netmask 0xfffffff8 broadcast 192.168.41.7
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
...
gre0: flags=b051<UP,POINTOPOINT,RUNNING,LINK0,LINK1,MULTICAST> metric 0 mtu 1476
tunnel inet 192.168.41.3 --> 192.168.41.1
http_port 3128 transparent
wccp2_router 192.168.41.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
Its running-config (main fragments)
FA 8 -> ISP
FA 0 -> trunk -> sw SG300 (VLAN 20 - VLAN 30), IP 192.168.42.x - 192.168.43.x respectively
FA7 -> PROXY (IP: 192.168.43.3), Vlan 10, FreeBSD 8.1 + PF + SQUID 3.1
Only ACL_SQUID is used
!
ip dhcp excluded-address 192.168.42.1 192.168.42.2
ip dhcp excluded-address 192.168.43.1 192.168.43.2
ip dhcp excluded-address 192.168.40.1 192.168.40.2
ip dhcp excluded-address 192.168.42.62
!
ip dhcp pool LAN-VLAN20
import all
network 192.168.42.0 255.255.255.192
default-router 192.168.42.1
dns-server 192.168.41.3
lease 0 2
!
ip dhcp pool LAN-VLAN30
import all
network 192.168.43.0 255.255.255.240
default-router 192.168.43.1
dns-server 192.168.41.3
lease 0 2
!
....
....
ip wccp web-cache redirect-list SQUID
...
!
interface FastEthernet0
description -=Trunk:vlan1$20$30=-
switchport mode trunk
no ip address
....
.
interface FastEthernet7
description -=DMZ:Vlan10=-
switchport access vlan 10
no ip address
no cdp enable
!
interface FastEthernet8
description -=WAN: ISP1=-
ip address XXXXXXXXX YYYYYYYYYY
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
no keepalive
!
interface Vlan1
description -= Vlan1:ADMIN-USER =-
ip address 192.168.40.1 255.255.255.248
!
interface Vlan10
description -= Vlan10-DMZ:PROXY=-
ip address 192.168.41.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description -= LAN1-Vlan20=-
ip address 192.168.42.1 255.255.255.192
ip wccp web-cache redirect in
!
interface Vlan30
description -= LAN2-Vlan30=-
ip address 192.168.43.1 255.255.255.240
ip wccp web-cache redirect in
!
...
no ip http server
ip http authentication aaa
ip http secure-server
ip forward-protocol nd
!
!
ip nat inside source list 11 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 XXXX YYYYYY
!
ip access-list extended SQUID
deny ip host 192.168.41.3 any
permit tcp 192.168.42.0 0.0.0.63 any eq www
permit tcp 192.168.43.0 0.0.0.15 any eq www
!
access-list 11 remark -= NAT-LIB =-
access-list 11 permit 192.168.41.0 0.0.0.7
!
!
gateway
timer receive-rtp 1200
!
!
!
..
end
1. Cisco
sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 192.168.41.3
Protocol Version: 2.00
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Connect Time: 01:06:04
Redirected Packets:
Process: 0
CEF: 42
GRE Bypassed Packets:
Process: 0
CEF: 0
Hash Allotment: 256 of 256 (100.00%)
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Global WCCP information:
Router information:
Router Identifier: 192.168.43.1
Service Identifier: web-cache
Protocol Version: 2.00
Number of Service Group Clients: 1
Number of Service Group Routers: 2
Total Packets Redirected: 728
Process: 0
CEF: 728
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: SQUID
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Extended IP access list SQUID
10 deny ip host 192.168.41.3 any
20 permit tcp 192.168.42.0 0.0.0.63 any eq www (620 matches)
30 permit tcp 192.168.43.0 0.0.0.15 any eq www (108 matches)
rdr on gre0 inet proto tcp from 192.168.42.0/26 to any port = http -> 127.0.0.1 port 3128
[ Evaluations: 11784 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 439 ]
rdr on gre0 inet proto tcp from 192.168.43.0/28 to any port = http -> 127.0.0.1 port 3128
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 439 ]
cat /var/log/squid/logs/cache.log
2013/03/20 17:10:29| Reconfiguring Squid Cache (version 3.1.19)...
2013/03/20 17:10:29| FD 13 Closing HTTP connection
2013/03/20 17:10:29| FD 14 Closing WCCPv2 socket
2013/03/20 17:10:29| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2013/03/20 17:10:29| Starting Authentication on port 0.0.0.0:3128
2013/03/20 17:10:29| Disabling Authentication on port 0.0.0.0:3128 (interception enabled)
2013/03/20 17:10:29| User-Agent logging is disabled.
2013/03/20 17:10:29| Referer logging is disabled.
2013/03/20 17:10:29| DNS Socket created at 0.0.0.0, FD 10
2013/03/20 17:10:29| Adding domain zt-reglib.net from /etc/resolv.conf
2013/03/20 17:10:29| Adding nameserver 192.168.41.3 from /etc/resolv.conf
2013/03/20 17:10:29.646| wccp2Init: scheduled 'HERE_I_AM' message to 3routers.
2013/03/20 17:10:29.646| Accepting intercepted HTTP connections at 0.0.0.0:3128, FD 13.
2013/03/20 17:10:29.646| HTCP Disabled.
2013/03/20 17:10:29.646| Accepting WCCPv2 messages on port 2048, FD 14.
2013/03/20 17:10:29.646| Initialising all WCCPv2 lists
2013/03/20 17:10:29.646| Loaded Icons.
2013/03/20 17:10:29.646| Ready to serve requests.
2013/03/20 17:10:30.646| Sending HereIam packet size 160
2013/03/20 17:10:30.646| Sending HereIam packet size 160
2013/03/20 17:10:30.646| Sending HereIam packet size 160
2013/03/20 17:10:30.647| Incoming WCCPv2 I_SEE_YOU length 156.
2013/03/20 17:10:30.647| Incoming WCCP2_I_SEE_YOU Received ID old=0 new=9363.
2013/03/20 17:10:30.647| Unknown capability type in WCCPv2 Packet (4).
2013/03/20 17:10:30.647| Unknown capability type in WCCPv2 Packet (5).
2013/03/20 17:10:30.648| Incoming WCCPv2 I_SEE_YOU length 156.
2013/03/20 17:10:30.648| Incoming WCCP2_I_SEE_YOU Received ID old=9363 new=9364.
2013/03/20 17:10:30.648| Unknown capability type in WCCPv2 Packet (4).
2013/03/20 17:10:30.648| Unknown capability type in WCCPv2 Packet (5).
2013/03/20 17:10:30.648| Incoming WCCPv2 I_SEE_YOU length 156.
2013/03/20 17:10:30.648| Incoming WCCP2_I_SEE_YOU Received ID old=9364 new=9365.
2013/03/20 17:10:30.648| Unknown capability type in WCCPv2 Packet (4).
2013/03/20 17:10:30.648| Unknown capability type in WCCPv2 Packet (5).
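Added example, not from the original post: a small Python check that reads `pfctl -vsn` rule counters and the router's `show ip access-lists` output in the formats quoted above, and reports every network the router's redirect ACL matched but pf's rdr rule on gre0 never did (the ACL-vs-rdr-counter discrepancy shown in the post). The counters in the embedded sample are constructed.

```python
import ipaddress
import re

# Constructed sample in the same formats as the `pfctl -vsn` and
# `show ip access-lists` output quoted in the post (counters illustrative).
PF_RULES = """\
rdr on gre0 inet proto tcp from 192.168.42.0/26 to any port = http -> 127.0.0.1 port 3128
  [ Evaluations: 11784     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 439 ]
rdr on gre0 inet proto tcp from 192.168.43.0/28 to any port = http -> 127.0.0.1 port 3128
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 439 ]
"""
ROUTER_ACL = """\
Extended IP access list SQUID
    10 deny ip host 192.168.41.3 any
    20 permit tcp 192.168.42.0 0.0.0.63 any eq www (620 matches)
    30 permit tcp 192.168.43.0 0.0.0.15 any eq www (108 matches)
"""

STATS = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)")
PF_FROM = re.compile(r"\bfrom\s+(\S+)")
ACL_PERMIT = re.compile(r"permit\s+tcp\s+(\S+)\s+(\S+)\s+.*?\((\d+) matches\)")

def parse_pf(text):
    """Return {network: (evaluations, packets)} for each rdr rule."""
    rules, net = {}, None
    for line in text.splitlines():
        s = STATS.search(line)
        if s and net is not None:
            rules[net] = (int(s[1]), int(s[2]))
        elif line.startswith("rdr "):
            net = ipaddress.ip_network(PF_FROM.search(line)[1])
    return rules

def parse_acl(text):
    """Return {network: matches}; the Cisco wildcard mask is a host mask."""
    return {ipaddress.ip_network(f"{m[1]}/{m[2]}"): int(m[3])
            for m in ACL_PERMIT.finditer(text)}

def check(pf_text, acl_text):
    """List networks the router redirected but pf's rdr rule never matched."""
    pf, acl = parse_pf(pf_text), parse_acl(acl_text)
    findings = []
    for net, matches in acl.items():
        evals, pkts = pf.get(net, (0, 0))
        if matches and pkts == 0:
            reason = "never evaluated" if evals == 0 else f"evaluated {evals}x but matched nothing"
            findings.append((str(net), matches, reason))
    return findings

if __name__ == "__main__":
    for net, matches, reason in check(PF_RULES, ROUTER_ACL):
        print(f"{net}: router redirected {matches} packets; pf rdr rule {reason}")
```

Run it against live output (`pfctl -vsn` on the proxy, `show ip access-lists SQUID` on the router) to see at a glance whether redirected packets are reaching and matching the rules on gre0.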