02-19-2004 03:48 AM
Hi All,
I've configured a CSS 11800 and a CE 7325 to do reverse proxy caching. I need the origin server to see only the client's IP, so I've enabled "wccp spoof-client-ip enable" to mask the CE requests.
It seems that it's not enough as I see the CE requesting content from the origin web server.
Any idea?
Thanks in advance
Fausto
02-19-2004 05:09 AM
do you have the 'wccp version 2' command in the config as well ?
Gilles.
02-19-2004 06:33 AM
Hi Gilles,
we configured WCCP ver 2 even if the CE is interacting with a CSS and not with a WCCP enabled router.
The ACNS version is 5.0.3 (build b5)
Here is the current configuration:
hostname CE7325-1-LAB-MDV
!
!
http proxy incoming 80
http l4-switch enable
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet 1/0
ip address 10.216.52.50 255.255.255.128
exit
interface GigabitEthernet 2/0
ip address 10.212.4.45 255.255.252.0
exit
!
interface FibreChannel 0/0
exit
!
!
ip default-gateway 10.216.52.126
!
!
!
no auto-register enable
!
!
!
!
!
!
!
!
no bypass load enable
!
!
!
!
!
wccp version 2
wccp spoof-client-ip enable
!
!
rule enable
rule action use-server 10.216.52.200 80 pattern-list 1 protocol all
!
!
transaction-logs enable
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
!
!
!
authentication login local enable primary
authentication configuration local enable primary
Thanks in advance
Fausto
02-20-2004 04:40 AM
Hi Gilles,
even after upgrading the CE to the ACNS 5.1.3 we observe the same behaviour. The CE still requests the contents using its own address and not the client's.
Thanks in advance
Fausto
02-21-2004 12:28 PM
Fausto,
apparently with version 5, they introduced a new command
agra(config)#http l4-switch ?
enable Enable L4 switch redirection.
spoof-client-ip Client IP spoofing
Could you give it a try.
Regards,
Gilles.
02-23-2004 03:23 AM
Hi Gilles,
I tried the command you suggested but it seems it doesn't work.
Another question: how can you manage the presence of more than one CE? Is there a way to configure some sort of cluster?
Thanks
fausto
02-23-2004 04:33 AM
Fausto,
I tested the config myself this week-end and it worked for me.
Could you explain what is not working exactly.
Thanks,
Gilles.
02-23-2004 05:05 AM
Hi Gilles,
in my case I still see requests to the web servers coming with the CE source IP and not the client. It seems the CE doesn't spoof the IP.
Do you think the problem could be in the rule I configured?
rule enable
rule action use-server 10.216.52.200 80 pattern-list 1 protocol all
rule pattern-list 1 dst-ip 62.13.171.20 255.255.255.255
I used this rule to make the CE call the WEB servers in a balanced manner; the vip 10.216.52.200 is managed by the CSS.
Could you please send me your configuration so I can compare it to mine?
Thanks
Fausto
02-23-2004 07:00 AM
Indeed, when a rule is enabled it seems to break IP spoofing.
I'm not sure yet if this is expected behavior.
I'm checking with our developers.
Gilles.
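
Added example (not part of any post in this thread, and not Cisco code): a small Python check that reads a CE configuration and reports the conditions discussed above, so the origin server is not left logging the CE's address instead of the client's. The function names and the sample text are assumptions; the sample is built from the lines posted in the thread, and the rule/spoofing interaction is the unconfirmed observation from the last post.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
http proxy incoming 80
http l4-switch enable
wccp version 2
wccp spoof-client-ip enable
rule enable
rule action use-server 10.216.52.200 80 pattern-list 1 protocol all
rule pattern-list 1 dst-ip 62.13.171.20 255.255.255.255
"""

def parse_config(text):
    """Return the configuration lines, dropping blanks and '!' separators."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and ln.strip() != "!"]

def audit_spoofing(text):
    """Return a list of findings about client-IP spoofing in the config."""
    lines = parse_config(text)
    has = lambda prefix: any(ln.startswith(prefix) for ln in lines)
    findings = []
    wccp_spoof = has("wccp spoof-client-ip enable")
    l4_redirect = has("http l4-switch enable")
    # Only the keyword appears in the CLI help quoted in the thread, so match
    # on the prefix and make no assumption about trailing arguments.
    l4_spoof = has("http l4-switch spoof-client-ip")
    if wccp_spoof and not has("wccp version 2"):
        findings.append("wccp spoofing set without 'wccp version 2'")
    if l4_redirect and not l4_spoof:
        findings.append("L4-switch redirection without "
                        "'http l4-switch spoof-client-ip'")
    # Observation from the thread (unconfirmed): an enabled use-server rule
    # appeared to stop the CE from spoofing the client address.
    if (wccp_spoof or l4_spoof) and has("rule enable"):
        for ln in lines:
            m = re.match(r"rule action use-server (\S+) (\d+)", ln)
            if m:
                findings.append(f"use-server rule to {m.group(1)}:{m.group(2)} "
                                "may override spoofing")
    return findings

if __name__ == "__main__":
    for finding in audit_spoofing(SAMPLE_CONFIG):
        print("WARN:", finding)
```
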