RE: Extremely Transparent Proxy

From: Diegmueller, Jason (I.T. Dept) <diegmuej@dont-contact.us>
Date: Thu, 1 Jun 2000 17:13:12 -0500

Yes, I concur.

The patch didn't go clean, so I applied it by hand, and indeed it's
working great. I do have a caveat though. Let me know if you guys
have any insight.

WCCP seems to only work on outbound packets (i.e., you apply it to an
outbound interface, and it catches TCP packets with destination port
80) on ONE router. So this leaves me with two problems:

My 5505 RSM has 6 VLANs. Workstations and servers are in VLANs 2 and 3.
Our PIX leading to the Internet is over on VLAN 6.

Obviously, if a web browser wants information on the Intranet server
(same IP network) it's going to go direct. Thus, no VLAN-changeover
and no proxy. Is there any way around this besides hard-coding the
squid proxy server into the browsers? That's not too big of a deal here
in the home office (300 PCs or so) .. I can't think of any other way to
do it without retooling the network (putting the server farm on a different
VLAN, etc) which would get a big "NO" from the systems guys. I was hoping
to do this for free (see original question down below) but I can't figure
out a way to pull it off, so I might have to suck it up and set the proxy
server.

Second, we utilize Frame Relay for 70+ branch offices. The two core
routers are in VLANs 2 *AND* 3 (two Ethernet interfaces). So traffic is
going to come to the routers, come over to Ethernet0/0 on VLAN2, and go
straight to the Intranet server. No problem, I think, I'll just put ip
wccp commands on the Ethernet 0/0 interfaces--ah, but it seems WCCP v1 only
supports ONE home router per Cache Engine. Know any workarounds to this? Or
perhaps a rogue WCCP v2 implementation patch of squid (I don't code,
unfortunately ..) Any other ideas? Obviously traffic to the Internet will
get caught (VLAN2-->VLAN6, WCCP, squid, bang ..) .. but for some reason the
boss is big on reverse caching for the Intranet server (I find it hard to
believe the Intranet server can't handle 500 users, but hey, I'm just doing
what I'm asked to do).

: -----Original Message-----
: From: Ahsan Khan [mailto:ahsank@one.net.pk]
: Sent: Thursday, June 01, 2000 4:54 PM
: To: Diegmueller, Jason (I.T. Dept)
: Cc: squid-users@ircache.net
: Subject: Re: Extremely Transparent Proxy
:
:
: No, do not use the wccp.c module; it's not practical, at least for me.
: I used the ip_gre.c patch for the Linux kernel available from the
: squid home page.
:
: First apply the patch and make your Linux ready for Transparent proxy,
: and then just compile squid with WCCP support. It will work great.
:
: With Regards
: Ahsan Khan
: Sr. System Admin
: Internet Division (OneNet)
: Sun Communication Pvt. Ltd.
: Pakistan
: http://www.one.net.pk
:
:
: ----- Original Message -----
: From: "Diegmueller, Jason (I.T. Dept)" <diegmuej@stifel.com>
: To: "'Ahsan Khan'" <ahsank@one.net.pk>
: Sent: Friday, June 02, 2000 1:27 AM
: Subject: RE: Extremely Transparent Proxy
:
:
: > Ah, you're right. I like the looks of WCCP, and it doesn't
: > appear to be harming the load on the RSM at all.
: >
: > Question, though: I'm running Linux (2.2.14) and cannot get
: > this damned WCCP module referred to in the FAQ to compile. Is
: > there a precompiled module I could just insert?
: >
: > The problem seems to be in the #include <net/ip.h> (there is
: > no ip.h under /usr/include/ip.h) so I went ahead and changed
: > it to <netinet/ip.h> (where the file really is) and no go.
: >
: > Your thoughts?
: >
: > : -----Original Message-----
: > : From: Ahsan Khan [mailto:ahsank@one.net.pk]
: > : Sent: Wednesday, May 31, 2000 3:56 PM
: > : To: Diegmueller, Jason (I.T. Dept); squid-users@ircache.net
: > : Subject: Re: Extremely Transparent Proxy
: > :
: > :
: > : Use WCCP support and bind squid to both interfaces.
: > :
: > :
: > : With Regards
: > : Ahsan Khan
: > : Sr. System Admin
: > : Internet Division (OneNet)
: > : Sun Communication Pvt. Ltd.
: > : Pakistan
: > : http://www.one.net.pk
: > :
: > :
: > : ----- Original Message -----
: > : From: "Diegmueller, Jason (I.T. Dept)" <diegmuej@stifel.com>
: > : To: <squid-users@ircache.net>
: > : Sent: Thursday, June 01, 2000 12:39 AM
: > : Subject: Extremely Transparent Proxy
: > :
: > :
: > : > Squid Users--
: > : >
: > : > I have searched the archives, and can't seem to find anyone
: > : > else who has looked at doing this.
: > : >
: > : > I'm reasonably familiar with squid, and extremely familiar
: > : > with Linux. The other day, I spent a few minutes setting up a
: > : > Transparent Proxy. It worked great in testing; I'm now looking
: > : > at things from a network design aspect.
: > : >
: > : > Our company is looking into putting a squid machine in front
: > : > of a HEAVILY loaded web server ("Intranet Server"). The web
: > : > server connects directly to a Cisco Catalyst 5505 switch with
: > : > both NICs utilizing HP's EtherChannel implementation
: > : > ("EtherTeaming"). This effectively doubles bandwidth and
: > : > provides hardware fault tolerance in a way on both the Catalyst
: > : > (should a port go) and on the server (should a NIC go).
: > : >
: > : > My original plan (before I started really looking to squid as a
: > : > transparent proxy) was to utilize Linux's bonding driver to
: > : > achieve 200Mb to the Linux box, and 200Mb to the HP Server
: > : > (thus, 4 NICs). Unfortunately, I'm limited to only one instance
: > : > of the bonding.o driver. So I'll just do 200Mb to the switch,
: > : > and 100Mb to the server. Not too big of a deal. If someone
: > : > knows a workaround, let me know.
: > : >
: > : > The question comes in here:
: > : > If I'm using a two-interface solution, obviously I'm going to
: > : > have to route between the "outside" and the "inside" interface.
: > : > If I do this, I'm seriously messing with the addressing scheme
: > : > of things here. I'd have to create a whole new IP network for
: > : > this Intranet server, and somehow advertise it to the rest of
: > : > my network (we use EIGRP, so I'd probably have to use zebra and
: > : > redistribute RIPv2 into EIGRP) .. it would be ugly.
: > : >
: > : > Another option I thought was that I could renumber the Intranet
: > : > box, do ipmasq, and simply forward every single port to the
: > : > Intranet machine. But again, that's reasonably "ugly".
: > : >
: > : > So is there any "clean" way to implement an almost INVISIBLE
: > : > proxy server? Perhaps do bridging between the "outside" and
: > : > "inside" interfaces, but still have the ability to hijack
: > : > requests to TCP port 80 and deliver them to squid?
: > : > Has anyone done anything like this before? If so, do share. If
: > : > not, think I'm on the right path? Does this sound feasible?
: > : >
: > : > I'd just like to implement a squid proxy WITHOUT having to
: > : > redesign a lot of things (and in the process piss off the
: > : > systems team). I considered doing a route-map on the Cat5505's
: > : > RSM but when I was playing around with that yesterday load went
: > : > through the roof (this is an awfully busy Catalyst).
: > : >
: > : > Insight, thoughts, and expertise is appreciated. Thanks!
: > : >
: > :
: >
:
Received on Thu Jun 01 2000 - 16:17:03 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:49 MST
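The Linux side of the WCCP setup this thread circles around (a GRE tunnel from the router, and a port-80 redirect into Squid), as an added example that is not part of the original thread, the Squid FAQ, or the Squid project's code: it prints the commands and a squid.conf fragment for review instead of applying them unless DRY_RUN=0. The router address 192.0.2.1, the Squid host 192.0.2.10, the interface name eth0, the port 3128 and the Squid 2.x directive names are all assumptions. It also adds the two checks a defender wants on such a box: GRE is accepted only from the WCCP router, so no other host that can reach the cache can push traffic into it through the tunnel, and the redirect matches only packets that arrived via the tunnel, so the Squid host's own outbound HTTP is never looped back into itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Emits the Linux-side pieces of a WCCP-driven transparent Squid: the GRE
# tunnel that terminates the router's redirect, a netfilter ruleset that
# only redirects port-80 traffic arriving through that tunnel, and a
# matching squid.conf fragment (Squid 2.x directives).
# Every address, interface name and port below is an assumption.
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"   # assumed: WCCP "home router" (the RSM)
SQUID_IP="${SQUID_IP:-192.0.2.10}"    # assumed: address of the Squid host
LAN_IF="${LAN_IF:-eth0}"              # assumed: interface facing the router
SQUID_PORT="${SQUID_PORT:-3128}"      # assumed: port Squid listens on

# Commands that bring up the GRE tunnel and install the redirect rules.
# Lines starting with '#' are comments; apply_rules strips them.
gen_network_rules() {
    cat <<EOF
ip tunnel add wccp0 mode gre remote ${ROUTER_IP} local ${SQUID_IP} dev ${LAN_IF}
ip addr add ${SQUID_IP}/32 dev wccp0
ip link set wccp0 up
# encapsulated packets still carry the client's source address, so
# reverse-path filtering on the tunnel interface would discard them
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
# accept GRE from the WCCP router only: no other host may feed the cache
iptables -A INPUT -i ${LAN_IF} -p gre -s ${ROUTER_IP} -j ACCEPT
iptables -A INPUT -p gre -j DROP
# redirect intercepted HTTP that came through the tunnel into Squid;
# this host's own outbound HTTP on ${LAN_IF} is left untouched
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-ports ${SQUID_PORT}
EOF
}

# squid.conf fragment for WCCPv1, in the Squid 2.x syntax of the thread's era.
gen_squid_conf() {
    cat <<EOF
http_port ${SQUID_PORT}
wccp_router ${ROUTER_IP}
wccp_version 4
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
EOF
}

# Print the rules (DRY_RUN=1, the default) or execute them as root (DRY_RUN=0).
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        gen_network_rules
    else
        gen_network_rules | grep -v '^#' | sh -e
    fi
}

apply_rules
echo "--- squid.conf fragment ---"
gen_squid_conf
```

Run it as-is to review the output; with DRY_RUN=0 as root it executes the network commands. It does nothing for the intra-VLAN case Jason describes: a request that never crosses the router's WCCP-enabled interface is never encapsulated, which is exactly why WCCP alone cannot catch same-subnet traffic to the Intranet server.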