
itoedr's IT Academy

Recording the journey from IT illiterate to expert

 
 
 


 
 

WCCP test case analysis (reposted, with analysis)

2013-08-03 23:39:56 | Category: WCCP usage

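I. IOS 12.x and later supports WCCP.
II. Switches support only L2 forwarding and not GRE; routers support only GRE mode.
III. On switches, redirection can only be applied in the inbound (in) direction, not in the outbound (out) direction.
  In fact, WCCP redirection in the outbound direction works just as well on a 6509; see the author's online write-up.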

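WCCP session process:
1. A WCCP-enabled router and the content engine (CE) establish a session over UDP 2048. Multiple routers and multiple CEs can be in one group. The group can be responsible for redirecting specific traffic, such as HTTP or HTTPS.
Among all the CEs, the one with the lowest IP address is selected as the designated CE. Reminiscent of the OSPF DR, isn't it. The designated CE is responsible for distributing the traffic load across all the CEs.
2. The router and the CE periodically exchange two kinds of messages to maintain the session: "HERE_I_AM" and "I_SEE_YOU". The former is sent by the CE to tell the router it is ready; the latter is sent by the router as acknowledgment.
3. Clients need no proxy configuration; an IP address, gateway and DNS are enough. The key point is that client packets must pass through the router; in a small network, point the client PCs' gateway at the router's interface IP.
4. When packets pass through the router, it watches for the configured ports, here HTTP traffic, then encapsulates the HTTP traffic in GRE and hands it to the CE.
5. The CE receives the GRE packet, decapsulates it and finds the layer-3 destination IP. It then initiates its own HTTP GET request to the destination address. If the CE cannot reach the internet directly, an HTTP proxy can be configured on the CE.
6. When the web server on the internet receives the packet, the address it sees should be the CE's address, not the real client's IP.
7. The response returns to the CE, which rewrites the destination IP to the real client. The packet is routed to the client, which displays the page.
8. From the client's point of view, it is unaware of the CE and unaware that the router redirected its traffic. This can be checked with netstat -an or with a sniffer.
9. For traffic not designated for redirection (as defined by the ACL), the router forwards packets by its default behaviour: route lookup, layer-2 rewrite, and send out the egress interface.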

Router configuration example:
1. Define which clients' traffic WCCP redirects. Here it is one subnet, with HTTP and FTP traffic.
access-list 100 permit tcp 172.16.70.0 0.0.0.255 any eq www
access-list 100 permit tcp 172.16.70.0 0.0.0.255 any eq ftp
access-list 100 permit tcp 172.16.70.0 0.0.0.255 any eq ftp-data

2. Define which CEs take part in the WCCP session; here there is only one.
access-list 22 permit 10.10.70.11

3. Bind the two ACLs above to WCCP. For the service numbers, look them up in Cisco's documentation.
ip wccp 80 redirect-list 100 group-list 22

4. Set the redirect direction on the interfaces:
interface FastEthernet0/0---------------- inside interface, client network
ip address 172.16.70.28 255.255.255.0
ip wccp 80 redirect in

interface FastEthernet0/1---------------- interface connected to the CE
ip address 10.10.70.28 255.255.255.0
ip wccp 80 redirect out
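
A lint for the four configuration steps above, added here as an example and not part of the original post: it checks that every `ip wccp` service has a redirect-list and a group-list, that both ACLs are defined, and that the service is applied to an interface. Service 90 and ACL 110 in the sample are constructed to trigger findings.

```python
import re

# Constructed input: the router example's WCCP lines, with service 90 added
# (hypothetical) to show what the audit reports.
CONFIG = """\
access-list 100 permit tcp 172.16.70.0 0.0.0.255 any eq www
access-list 22 permit 10.10.70.11
ip wccp 80 redirect-list 100 group-list 22
ip wccp 90 redirect-list 110
interface FastEthernet0/0
 ip wccp 80 redirect in
"""

GLOBAL_RE = r"(?m)^ip wccp (\S+)((?: (?:redirect-list|group-list) \S+)*)[ \t]*$"
APPLIED_RE = r"(?m)^\s*ip wccp (\S+) redirect (?:in|out)\b"

def audit_wccp(config):
    """Return {service: [findings]} for every global `ip wccp <service>` line."""
    acls = set(re.findall(r"(?m)^access-list (\S+) ", config))
    applied = set(re.findall(APPLIED_RE, config))
    report = {}
    for svc, opts in re.findall(GLOBAL_RE, config):
        findings = []
        for kw, why in (("redirect-list", "all traffic of the service is redirected"),
                        ("group-list", "any cache engine may join the service")):
            m = re.search(rf"\b{kw} (\S+)", opts)
            if not m:
                findings.append(f"no {kw}: {why}")
            elif m.group(1) not in acls:
                findings.append(f"{kw} {m.group(1)} is not defined")
        if svc not in applied:
            findings.append("not applied to any interface")
        report[svc] = findings
    return report

if __name__ == "__main__":
    for service, findings in audit_wccp(CONFIG).items():
        print(service, findings or "ok")
```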

Verification and troubleshooting commands:
2811#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.16.70.28--------------- router identifier, chosen by rules similar to the OSPF router-id
Protocol Version: 2.0-------------------------- WCCP version 2
Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 1637--------------------- HTTP and FTP packets that matched.
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 22
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 4317-------------------- packets routed normally.

2811#sh ip wccp 80
Global WCCP information:
Router information:
Router Identifier: 172.16.70.28
Protocol Version: 2.0
Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 1637
Redirect access-list: 100
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: 22
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 4317

2811#sh ip wccp 80 view
WCCP Routers Informed of:
172.16.70.28
WCCP Cache Engines Visible:
10.10.70.11---------------------------------------- check the number of CEs and their IPs here
WCCP Cache Engines NOT Visible:
-none-

2811#sh ip wccp 80 detail
WCCP Cache-Engine information:
Web Cache ID: 10.10.70.11
Protocol Version: 2.0
State: Usable----------------------------------------------------- check this when troubleshooting
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
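Hash Allotment: 256 (100.00%)--------------------------------- This corresponds to the FFFFFF above and works like tokens. There is only one CE here, so it holds all the tokens, i.e. it handles all the traffic. With two CEs this would be 128 (50%), which balances the load. Also something to watch when troubleshooting. It feels like the tokens are assigned by the router.
Packets Redirected: 200
Connect Time: 01:32:55---------------------------- time connected to the router; a reference point when troubleshooting with multiple CEs.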
Bypassed Packets
Process: 0
Fast: 0
CEF: 4317
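
The State and Hash Allotment checks noted above, as an added example that is not part of the original post: it parses `sh ip wccp 80 detail` output, counts the set bits in each CE's Assigned Hash Info bitmap, and verifies that the 256 buckets are fully and exclusively assigned. The two-CE sample and the address 10.10.70.12 are constructed; the parser assumes the field layout shown above.

```python
import re

# Constructed sample: `sh ip wccp 80 detail` with two cache engines.
# 10.10.70.12 and the split bitmaps are made up for illustration.
SAMPLE = """\
WCCP Cache-Engine information:
Web Cache ID: 10.10.70.11
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
00000000000000000000000000000000
Hash Allotment: 128 (50.00%)
Web Cache ID: 10.10.70.12
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 128 (50.00%)
"""

def parse_detail(text):
    """Return {ce_ip: {"state", "bitmap", "allot"}} from the detail output."""
    ces = {}
    for chunk in re.split(r"(?m)^Web Cache ID:\s*", text)[1:]:
        ip = chunk.split()[0]
        state = re.search(r"State:\s*(\S+)", chunk).group(1)
        hexmap = re.search(r"Assigned Hash Info:\s*([0-9A-F]+)\s+([0-9A-F]+)", chunk)
        allot = int(re.search(r"Hash Allotment:\s*(\d+)", chunk).group(1))
        ces[ip] = {"state": state, "bitmap": int("".join(hexmap.groups()), 16), "allot": allot}
    return ces

def audit(ces):
    """List problems: unusable CE, allotment mismatch, overlapping or unassigned buckets."""
    problems, seen = [], 0
    for ip, ce in ces.items():
        if ce["state"] != "Usable":
            problems.append(f"{ip}: state {ce['state']}")
        if bin(ce["bitmap"]).count("1") != ce["allot"]:
            problems.append(f"{ip}: bitmap does not match allotment {ce['allot']}")
        if seen & ce["bitmap"]:
            problems.append(f"{ip}: buckets overlap with another CE")
        seen |= ce["bitmap"]
    missing = 256 - bin(seen).count("1")
    if missing:
        problems.append(f"{missing} of 256 buckets unassigned")
    return problems
```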

2811#debug ip wccp packets
*Mar 16 15:04:39.465: WCCP-PKT80: Received valid Here_I_Am packet from 10.10.70.11 w/rcv_id 00002B84
*Mar 16 15:04:39.465: WCCP-PKT80: Sending I_See_You packet to 10.10.70.11 w/ rcv_id 00002B85

2811#debug ip wccp events---------------- I shut down the CE port here, heh.
*Mar 16 15:26:29.501: WCCP-EVNT 80: Built new router view: 0 routers, 1 usable
web caches, change # 0000000F
*Mar 16 15:26:29.501: WCCP-EVNT 80: Router 172.16.70.28 removed.
*Mar 16 15:26:29.501: WCCP-EVNT 80: Built new router view: 0 routers, 0 usable
web caches, change # 00000010
2811#
*Mar 16 15:26:29.501: %WCCP-1-CACHELOST: Web Cache 10.10.70.11 lost

————————————————————————————————————————————————

The following example was done on a Cisco 3750:


no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip wccp web-cache redirect-list 101 group-list 1
!
!
!
!
crypto pki trustpoint TP-self-signed-512455168
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-512455168
revocation-check none
rsakeypair TP-self-signed-512455168
!
!
crypto pki certificate chain TP-self-signed-512455168
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
......
quit
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 101                      ------- connects to end users
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!        
interface GigabitEthernet1/0/7
switchport access vlan 102
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
switchport access vlan 102
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
description CNC-10M
no switchport
ip address 10.10.10.253 255.255.255.252
!
interface GigabitEthernet1/0/23
description CT-4M
no switchport
ip address 10.10.10.249 255.255.255.252
!
interface GigabitEthernet1/0/24
description adsl-3m
no switchport
ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan101
ip address 192.168.88.1 255.255.255.0 secondary       ------ connects to end users
ip address 192.168.100.1 255.255.255.0
ip wccp web-cache redirect in
!
interface Vlan102                                       -------- connects to the SQUID server
ip address 192.168.101.1 255.255.255.0

access-list 1 permit 192.168.101.127
access-list 1 permit 192.168.101.233
access-list 101 permit tcp 192.168.88.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq www