RE: OT - WCCP through firewall

From: Scott Morris (swm@emanon.com)
Date: Fri Jan 23 2004 - 17:16:38 GMT-3


GRE and udp/2048.

But Andy's right on the flow!

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Andy
Canizares
Sent: Friday, January 23, 2004 3:05 PM
To: 'Cho, David'; ccielab@groupstudy.com
Subject: RE: OT - WCCP through firewall

Dave,

Running WCCP via a firewall is not a very easy task. Because of the
operation of traffic between the WCCP Router and CE you'll run into several
problems.

If you look at the flow of traffic it will make sense.

1. Client sends traffic to Webserver X.
2. a. WCCP router intercepts the traffic.
        b. encapsulates the traffic in a GRE-like tunnel (can also be L2
rewrite if using a L3 Switch for WCCP)
        c. sends encapsulated traffic to CE
3. A. Cache Miss
        a. CE de-encapsulates the traffic
        b. Sends a webpage request to Webserver X with its own IP address as
the source.
        c. WebServer X responds to CE request directly.
        d. CE forwards the webpage reply directly to the client, using
Webserver X's IP address as the source. This traffic is not encapsulated back
to the WCCP router.
        **problem with firewall is here**

The problem with using WCCP through a firewall is 2 fold.
First, the client to CE traffic takes 2 different paths. From WCCP router
to CE it's encapsulated in a GRE-like tunnel. However, from CE to Client
traffic travels directly back to the Client without encapsulation.

Therefore the FW will never see the full flow of traffic, and return traffic
from the CE to the Client will look like an incomplete TCP flow; hence the
client never gets the information.

Secondly, if the CE is on a separate DMZ segment, the firewall will not
allow the CE to send return traffic because the firewall will think that the
CE is spoofing external traffic, which it is; however this is normal
operation. (spoofing could be turned off on that interface)

In addition, the firewall will not inspect inside a GRE-like tunnel, it will
only inspect the tunnel itself. So even if you were able to put a CE
outside of a firewall and pass WCCP through the firewall, you're not
necessarily gaining anything by putting the CE behind the firewall because
the traffic to and from the CE and WCCP router would be in a GRE tunnel and
not inspected!

Place the WCCP router and CE on the same segment. Since you have a 6500 or
3550 you can also use L2 rewrite instead of the GRE method to pass traffic
to the CE. This is configured on the CE, not the Routers. This is a
preferred method because performance can be better. There is a technote
somewhere on Cisco's website for this.

Not going through the firewall will save you the headache; plus you may not
be gaining that much by firewalling the CE.

Last note. Never put a NAT configuration between the WCCP router and the
CE. This causes other problems!

I hope that helps!
Andy
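
The asymmetric flow Andy describes, modelled as an added example (not code from
any of the posters, and not PIX code): a toy stateful firewall with an
anti-spoofing check on its protected interfaces processes the four packets of
the cache-miss case. The addresses, interface names and rule set are
assumptions chosen to mirror the thread's topology (client and WCCP router on
"inside", CE on a "dmz" segment, web server on "outside"). It shows why the
GRE-carried request creates no TCP state, and why the CE's unencapsulated reply
to the client is dropped, first by anti-spoofing and, with that disabled, for
lack of matching flow state.

```python
"""Toy model of stateful inspection plus anti-spoofing for the WCCP flow.

Added example; all addresses, interface names and rules are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addresses for the thread's topology.
CLIENT, ROUTER, CE, WEB = "10.1.1.10", "10.1.1.1", "192.168.100.10", "203.0.113.5"
WCCP_PORT = 2048  # WCCP control traffic (UDP), as mentioned in the thread


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "gre"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    inner: Optional["Packet"] = None   # payload carried by a GRE packet


@dataclass
class StatefulFirewall:
    ifaces: dict               # interface name -> local subnet (None for outside)
    antispoof: bool = True
    flows: set = field(default_factory=set)
    # (proto, src, dst-or-"any", dport-or-0) tuples allowed to open a session
    rules: set = field(default_factory=lambda: {
        ("gre", ROUTER, CE, 0),          # WCCP redirect tunnel, router -> CE
        ("udp", ROUTER, CE, WCCP_PORT),  # WCCP control, both directions
        ("udp", CE, ROUTER, WCCP_PORT),
        ("tcp", CE, "any", 80),          # CE fetching from origin on a cache miss
    })

    def _permitted(self, p: Packet) -> bool:
        return any(proto == p.proto and src == p.src
                   and dst in (p.dst, "any") and dport in (p.dport, 0)
                   for proto, src, dst, dport in self.rules)

    def process(self, p: Packet, ingress: str) -> tuple:
        subnet = self.ifaces[ingress]
        # Anti-spoofing: on a protected interface the source must belong to
        # that interface's subnet.  The CE's reply "as the web server" fails here.
        if self.antispoof and subnet and ip_address(p.src) not in ip_network(subnet):
            return ("drop", f"anti-spoof: {p.src} is not on {ingress} {subnet}")
        if p.proto in ("gre", "udp"):
            if not self._permitted(p):
                return ("drop", f"{p.proto} not permitted")
            # Only the outer header is checked; the client's request inside the
            # GRE payload is never seen, so no TCP state is created for it.
            note = "payload not inspected" if p.proto == "gre" else "permitted"
            return ("allow", f"{p.proto} outer header permitted; {note}")
        # TCP: a new session needs a SYN and a permitting rule; anything else
        # must match a flow this firewall has already recorded.
        fwd = ("tcp", p.src, p.sport, p.dst, p.dport)
        rev = ("tcp", p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return ("allow", "matches existing TCP flow")
        if p.syn and self._permitted(p):
            self.flows.add(fwd)
            return ("allow", "new TCP session permitted")
        return ("drop", "no matching TCP flow state")


def simulate(antispoof: bool = True) -> list:
    """Run the cache-miss sequence (steps 2b-3d of the thread) through the model."""
    fw = StatefulFirewall(
        ifaces={"inside": "10.1.1.0/24", "dmz": "192.168.100.0/24", "outside": None},
        antispoof=antispoof)
    client_req = Packet(CLIENT, WEB, "tcp", 40000, 80, syn=True)   # constructed
    steps = [
        ("2b/2c router GRE-encapsulates the intercepted request to the CE",
         Packet(ROUTER, CE, "gre", inner=client_req), "inside"),
        ("3b  CE fetches from the web server with its own address",
         Packet(CE, WEB, "tcp", 50000, 80, syn=True), "dmz"),
        ("3c  web server answers the CE",
         Packet(WEB, CE, "tcp", 80, 50000), "outside"),
        ("3d  CE answers the client as the web server, unencapsulated",
         Packet(WEB, CLIENT, "tcp", 80, 40000), "dmz"),
    ]
    return [(desc, *fw.process(pkt, iface)) for desc, pkt, iface in steps]


if __name__ == "__main__":
    for antispoof in (True, False):
        print(f"--- anti-spoofing {'on' if antispoof else 'off'} ---")
        for desc, verdict, reason in simulate(antispoof):
            print(f"{verdict:5} {desc}: {reason}")
```

The last step is dropped either way: with anti-spoofing on, because a packet
sourced from the web server's address arrives on the DMZ interface; with it
off, because the only copy of the client's SYN crossed the firewall inside
GRE and was never inspected, so there is no flow for the reply to match.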

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Cho,
David
Sent: Friday, January 23, 2004 2:14 PM
To: ccielab@groupstudy.com
Subject: OT - WCCP through firewall

Hello,

I know WCCP uses UDP port 2048 but I am having a bit of a problem
communicating with the CE through the PIX. Is there anyone who has experience of
deploying the web cache between a 6509 and a 3550 separated by a PIX? TIA, David

XM Satellite Radio Inc.
http://www.xmradio.com




This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:49 GMT-3