Set Up Squid Siblings On CentOS 6.3 With WCCP

This tutorial walks through setting up a pair of outbound Squid proxy servers running on CentOS 6.3, configuring them as siblings of each other, and connecting them to your gateway using WCCP.

1. Prerequisites

You have a Cisco gateway that supports WCCP.

2. Preliminary notes

  • The DNS domain in this will be
  • Server 1 is named with an IP of
  • Server 2 is named with an IP of
  • Local DNS with an address of
  • The Gateway address is
  • The install media used is CentOS 6.3 minimal

3. CentOS setup

First off we need to install CentOS on both servers. Configure the drive(s) any way you like, as long as you leave enough free space for Squid's cache to run properly. Once the minimal install is complete, configure network connectivity on both servers.

vi /etc/sysconfig/network-scripts/ifcfg-eth0

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Both servers

vi /etc/resolv.conf

If you are not running a local DNS server, or you cannot register your server addresses in it, you will need to populate the hosts file on each server. If you can register the eth0 addresses of both servers in DNS, do that now and skip the hosts file.

/etc/hosts  localhost
Next, bring the system up to date:
yum update

Then install the basic packages that will be used:
yum install nano squid

I use vi as the primary text editor from this point on, but you can use whichever editor you prefer.

4. Squid setup

Now that we have the basic servers set up, updated, and our software installed, let's get our Squid siblings talking to each other and ready to take some traffic. Start with the squid.conf file:

vi /etc/squid/squid.conf

#Set ACL for Squid siblings
acl squidPeers
acl squidPeers
#Intercept port for the redirected traffic
http_port 3128 transparent
wccp_version 4
#WCCP v2 router to register with (placeholder: use your gateway address)
wccp2_router <gateway-ip>
wccp2_service standard 0
#Set WCCP to use GRE
wccp2_forwarding_method 1
wccp2_return_method 1
#ICP options
icp_port 3130
icp_access allow squidPeers
#Set Squid siblings
cache_peer  sibling 3128 3130 proxy-only

Replace with the appropriate entry. For example the line on would read:
cache_peer sibling 3128 3130 proxy-only

5. Network

The basic configuration for local IP communication should already be complete; if it weren't, the yum update and installs above would not have worked. This section covers setting up the GRE tunnel so that Squid can communicate with the gateway properly.

For the tunnel to be added properly we first need to modify one of the interface initialization scripts.
On both servers
vi /etc/sysconfig/network-scripts/ifup-tunnel

# Create the tunnel
# The outer addresses are those of the underlying (public) network.
/sbin/ip tunnel add "$DEVICE" mode "$MODE" \
    ${KEY:+key "$KEY"} ${TTL:+ttl "$TTL"}

With that modification we can now create the GRE interface script:

vi /etc/sysconfig/network-scripts/ifcfg-gre1

The configuration on is nearly identical

scp /etc/sysconfig/network-scripts/ifcfg-gre1

vi /etc/sysconfig/network-scripts/ifcfg-gre1

PEER_OUTER_IPADDR is the router identifier. On the Cisco gateway this is the first IP address programmed in the config. You can easily discover the router ID by running:

show ip wccp

Now we have to relax the kernel's reverse-path filter so that the GRE packets arriving on eth0 (and the decapsulated traffic on gre1) are not discarded. Add the following lines to the sysctl configuration file.

On both servers
nano /etc/sysctl.conf

net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.gre1.rp_filter = 0

Two things to check: the kernel applies the stricter of net.ipv4.conf.all.rp_filter and the per-interface value, so make sure the "all" setting is not still forcing strict filtering; and gre1 does not exist yet when sysctl.conf is applied at boot, so the gre1 line only takes effect once the tunnel is up (re-run sysctl -p after it comes up if needed).

6. IPTables

Now we need to make sure not only that the Squid systems can communicate with each other and the network, but also that the redirected HTTP traffic reaches the right port.

On both servers
vi /etc/sysconfig/iptables

Under the filter table add the following:
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT

Now add a nat table to the configuration to redirect web traffic arriving over the GRE tunnel to the Squid port. The rule must sit in its own *nat section of the file, closed with COMMIT:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

7. Server wrap up

The last thing to do on the servers is to ensure that everything will start up again on its own after a system reboot.
On both servers

chkconfig --levels 235 squid on

At this point restart the servers and ensure that everything has started up properly.
First we'll check that Squid is running:
/etc/init.d/squid status

squid is running (pid xxxxxx)

Next ensure the IP tunnel was created successfully:
ip tunnel

gre0:  gre/ip  remote any  local any  ttl  inherit  nopmtudisc
gre1: gre/ip  remote  local  dev eth0 ttl inherit

gre0:  gre/ip  remote any  local any  ttl  inherit  nopmtudisc
gre1: gre/ip  remote  local  dev eth0 ttl inherit

ifconfig gre1 | grep inet

inet addr:  P-t-P:  Mask:
inet addr:  P-t-P:  Mask:

Tunnels are up and Squid is running. Time to get some traffic directed at the new proxies.

8. Cisco setup

The configuration on the Cisco gateway is very simple; thanks to the nature of WCCP it is minimal. First create an access-list for the Squid peers and attach it to the web-cache group. Enter configure mode on the Cisco and run:

access-list 10 permit
access-list 10 permit
ip wccp web-cache group-list 10
Next create the redirect rule. This configuration will direct the entire subnet through the Squid systems, but we have to exclude the Squid servers themselves to avoid creating a loop.

access-list 120 remark ACL for WCCP proxy
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host
access-list 120 deny ip host
access-list 120 remark Proxy LAN clients port 80 only
access-list 120 permit tcp any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
ip wccp web-cache redirect-list 120
Before we turn the redirect on for an interface, make sure that the Squid proxies are advertising their presence to the gateway. Exit from configure mode on the Cisco and run the following:

show ip wccp web-cache detail

You should see both servers listed and available.

Enter configure mode again and turn on the web-cache redirect for the subnet. The LAN interface in this case is GigabitEthernet 0/0 on VLAN 5.
interface GE0/0.5

ip wccp web-cache redirect in

That’s it. You’re done.
For a quick test: open up a web page from a system that goes through the gateway handling WCCP. You should see the traffic registered in the Squid access log.

tail /var/log/squid/access.log
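Beyond eyeballing the tail, it is worth parsing the log to confirm the setup is behaving: requests should arrive from LAN clients, some should be served from the sibling (SIBLING_HIT), and none should come from the proxies themselves, since the gateway's access-list 120 denies their traffic to avoid a redirect loop. The following is an added example, not part of the original tutorial; the addresses, hostnames and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Native Squid access.log layout (the default "squid" logformat):
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: proxy addresses, client addresses and URLs are placeholders.
PROXY_IPS = {"10.0.0.11", "10.0.0.12"}
SAMPLE_LOG = """\
1357000000.123    245 192.168.5.20 TCP_MISS/200 5432 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1357000001.456     12 192.168.5.21 TCP_MISS/200 5432 GET http://example.com/ - SIBLING_HIT/10.0.0.12 text/html
1357000002.789      3 192.168.5.21 TCP_HIT/200 5432 GET http://example.com/ - NONE/- text/html
1357000003.012    310 10.0.0.11 TCP_MISS/200 812 GET http://example.com/loop - DIRECT/93.184.216.34 text/html
not a squid log line
"""

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text, proxy_ips):
    """Count result and hierarchy codes, and list requests whose client is a
    proxy itself: those indicate the gateway's redirect-list exclusion is not
    working and the proxies' own outbound traffic is being looped back."""
    results, hier, looped, unparsed = Counter(), Counter(), [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        results[rec["result"]] += 1
        hier[rec["hier"]] += 1
        if rec["client"] in proxy_ips:
            looped.append((rec["client"], rec["url"]))
    return {"results": dict(results), "hier": dict(hier),
            "looped": looped, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, PROXY_IPS))
```

On a live server, feed it the real file with `summarize(open("/var/log/squid/access.log").read(), {...})` using your two servers' eth0 addresses; a non-empty "looped" list means the deny entries in access-list 120 are not matching.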