From: Andy Canizares (ccie@jzr.com)
Date: Fri Jan 23 2004 - 17:05:19 GMT-3
Dave,
Running WCCP via a firewall is not a very easy task. Because of the
operation of traffic between the WCCP router and CE, you'll run into
several problems.
If you look at the flow of traffic it will make sense.
1. Client sends traffic to Webserver X.
2. a. WCCP router intercepts the traffic.
   b. Encapsulates the traffic in a GRE-like tunnel (can also be L2
      rewrite if using an L3 switch for WCCP).
   c. Sends encapsulated traffic to CE.
3. A. Cache Miss
   a. CE de-encapsulates the traffic.
   b. Sends a webpage request to Webserver X with its own IP
      address as the source.
   c. Webserver X responds to the CE request directly.
   d. CE forwards the webpage directly to the client, using
      Webserver X's IP address as the source. This traffic is not encapsulated
      back to the WCCP router.
**problem with firewall is here**
The problem with using WCCP through a firewall is twofold.
First, the client to CE traffic takes 2 different paths. From WCCP
router to CE it's encapsulated in a GRE-like tunnel. However, from CE to
client, traffic travels directly back to the client without
encapsulation.
Therefore the FW will never see the full flow of traffic, and return
traffic from the CE to the Client will look like an incomplete TCP flow;
hence the client never gets the information.
Secondly, if the CE is on a separate DMZ segment, the firewall will not
allow the CE to send return traffic because the firewall will think that
the CE is spoofing external traffic, which it is; however this is normal
operation. (spoofing could be turned off on that interface)
In addition, the firewall will not inspect inside a GRE-like tunnel; it
will only inspect the tunnel itself. So even if you were able to put
a CE outside of a firewall and pass WCCP through the firewall, you're not
necessarily gaining anything by putting the CE behind the firewall,
because the traffic to and from the CE and WCCP router would be in a GRE
tunnel and not inspected!
Place the WCCP router and CE on the same segment. Since you have a 6500
or 3550, you can also use L2 rewrite instead of the GRE method to pass
traffic to the CE. This is configured on the CE, not the routers. This
is a preferred method because performance can be better. There is a
technote somewhere on the Cisco website for this.
Not going through the firewall will save you the headache; plus you may
not be gaining that much by firewalling the CE.
Last note. Never put a NAT configuration between the WCCP router and the
CE. This causes other problems!
I hope that helps!
Andy
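The two failure modes Andy describes (the firewall seeing only half of the TCP flow, and the anti-spoof check on the DMZ interface) can be modelled with a small stateful-firewall simulation. This is an added example, not code from the thread; all addresses, interface names and the firewall's verdict strings are constructed for illustration, and the firewall model is a deliberately minimal stand-in for a PIX.

```python
"""Why a stateful firewall between the WCCP router and the Content Engine
breaks the flow: the CE's reply is unencapsulated and spoofs the web
server's address, so it never matches a flow the firewall has seen."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed addresses (placeholders, not from the thread).
CLIENT, ROUTER, CE, WEBSERVER = "10.1.1.50", "10.1.1.1", "10.2.2.10", "192.0.2.80"
DMZ_NET = "10.2.2."  # the CE's DMZ segment, as the firewall knows it


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "gre"
    sport: int = 0
    dport: int = 0
    flags: str = ""             # "SYN", "SYN-ACK", ...
    inner: Packet | None = None  # payload carried in the GRE-like tunnel
    ingress: str = "outside"    # interface the packet arrives on


class StatefulFirewall:
    def __init__(self, antispoof: bool = True):
        self.antispoof = antispoof
        self.tcp_state: set[tuple[str, str, int, int]] = set()

    def inspect(self, p: Packet) -> str:
        # Anti-spoof: traffic entering on the DMZ must carry a DMZ source.
        if self.antispoof and p.ingress == "dmz" and not p.src.startswith(DMZ_NET):
            return "drop: anti-spoof (source is not a DMZ address)"
        if p.proto == "gre":
            # Only the outer tunnel header is checked; p.inner is never looked at.
            return "permit: GRE tunnel router->CE (inner TCP not inspected)"
        key = (p.src, p.dst, p.sport, p.dport)
        if p.flags == "SYN":
            self.tcp_state.add(key)
            return "permit: new TCP flow"
        if (p.dst, p.src, p.dport, p.sport) in self.tcp_state:
            return "permit: matches existing flow"
        return "drop: out-of-state TCP (no SYN seen for this flow)"


def wccp_through_firewall(antispoof: bool = True) -> list[str]:
    """Steps 2b/2c (GRE to the CE) and 3d (CE's direct reply) from the flow."""
    fw = StatefulFirewall(antispoof)
    inner_syn = Packet(CLIENT, WEBSERVER, "tcp", 40000, 80, "SYN")
    step2 = Packet(ROUTER, CE, "gre", inner=inner_syn, ingress="outside")
    step3d = Packet(WEBSERVER, CLIENT, "tcp", 80, 40000, "SYN-ACK", ingress="dmz")
    return [fw.inspect(step2), fw.inspect(step3d)]
```

Even with anti-spoof disabled on the DMZ interface, the reply is still dropped as out-of-state, because the only copy of the client's SYN the firewall ever saw was hidden inside the tunnel.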
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cho, David
Sent: Friday, January 23, 2004 2:14 PM
To: ccielab@groupstudy.com
Subject: OT - WCCP through firewall
Hello,
I know WCCP uses UDP port 2048, but I am having a bit of a problem
communicating with the CE through the PIX. Is there anyone who has
experience of deploying the web cache between a 6509 and 3550 separated by
a PIX? TIA, David
XM Satellite Radio Inc.
http://www.xmradio.com
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:49 GMT-3