479 Views, 0 Helpful, 8 Replies

CE and IP Spoofing

f.franceschini
Level 1

Hi All,

I've configured a CSS 11800 and a CE 7325 to do reverse proxy caching. I need the origin server to see only the clients' IP, so I've enabled "wccp spoof-client-ip enable" to mask the CE requests.

It seems that it's not enough as I see the CE requesting content from the origin web server.

Any idea?

Thanks in advance

Fausto

8 Replies

Gilles Dufour
Cisco Employee

Do you have the 'wccp version 2' command in the config as well?

Gilles.

Hi Gilles,

We configured WCCP version 2 even though the CE is interacting with a CSS and not with a WCCP-enabled router.

The ACNS version is 5.0.3 (build b5)

Here is the current configuration:

hostname CE7325-1-LAB-MDV
!
http proxy incoming 80
http l4-switch enable
!
interface GigabitEthernet 1/0
ip address 10.216.52.50 255.255.255.128
exit
interface GigabitEthernet 2/0
ip address 10.212.4.45 255.255.252.0
exit
!
interface FibreChannel 0/0
exit
!
ip default-gateway 10.216.52.126
!
no auto-register enable
!
no bypass load enable
!
wccp version 2
wccp spoof-client-ip enable
!
rule enable
rule action use-server 10.216.52.200 80 pattern-list 1 protocol all
!
transaction-logs enable
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
authentication login local enable primary
authentication configuration local enable primary

Thanks in advance

Fausto

Hi Gilles,

Even after upgrading the CE to ACNS 5.1.3 we observe the same behaviour. The CE still requests the contents using its own address and not the client's.

Thanks in advance

Fausto

Fausto,

Apparently with version 5 they introduced a new command:

agra(config)#http l4-switch ?

enable Enable L4 switch redirection.

spoof-client-ip Client IP spoofing

Could you give it a try?

Regards,

Gilles.

Hi Gilles,

I tried the command you suggested, but it seems it doesn't work.

Another question: how can you manage the presence of more than one CE? Is there a way to configure some sort of cluster?

Thanks

Fausto

Fausto,

I tested the config myself this weekend and it worked for me.

Could you explain what is not working exactly?

Thanks,

Gilles.

Hi Gilles,

In my case I still see requests to the web servers coming with the CE source IP and not the client's. It seems the CE doesn't spoof the IP.

Do you think the problem could be in the rule I configured?

rule enable

rule action use-server 10.216.52.200 80 pattern-list 1 protocol all

rule pattern-list 1 dst-ip 62.13.171.20 255.255.255.255

I used this rule to make the CE call the web servers in a balanced manner; the VIP 10.216.52.200 is managed by the CSS.

Could you please send me your configuration so I can compare it to mine?

Thanks

Fausto

Indeed, when a rule is enabled it seems to break IP spoofing.

I'm not sure yet if this is expected behavior.

I'm checking with our developers.

Gilles.
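The thread boils down to two checks a practitioner would want to automate: does the CE configuration contain the combination reported here (spoofing enabled alongside "rule enable"), and do the requests actually arriving at the origin server carry the CE's interface addresses or the clients' addresses? The script below is an added example written for this page, not code from the thread or from Cisco. It parses an excerpt of the configuration posted above and a few constructed origin-server access-log lines (Common Log Format, hypothetical data) and reports whether spoofing is effective.

```python
import re

# Excerpt of the CE configuration posted in the thread (only the lines relevant here).
CE_CONFIG = """\
hostname CE7325-1-LAB-MDV
http proxy incoming 80
http l4-switch enable
interface GigabitEthernet 1/0
ip address 10.216.52.50 255.255.255.128
exit
interface GigabitEthernet 2/0
ip address 10.212.4.45 255.255.252.0
exit
wccp version 2
wccp spoof-client-ip enable
rule enable
rule action use-server 10.216.52.200 80 pattern-list 1 protocol all
"""

# Constructed origin-server access log (Common Log Format). The first two
# requests come from the CE's own interface address, i.e. spoofing not in effect;
# the other two carry real client addresses (documentation ranges, hypothetical).
ORIGIN_LOG = """\
10.216.52.50 - - [10/Oct/2003:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512
10.216.52.50 - - [10/Oct/2003:10:00:02 +0200] "GET /logo.gif HTTP/1.1" 200 2048
192.0.2.17 - - [10/Oct/2003:10:00:03 +0200] "GET /page.html HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2003:10:00:04 +0200] "GET /page.html HTTP/1.1" 304 0
"""

SPOOF_COMMANDS = ("wccp spoof-client-ip enable", "http l4-switch spoof-client-ip")


def ce_addresses(config):
    """Return the set of IPv4 addresses configured on the CE's interfaces."""
    return set(re.findall(r"^ip address (\d+\.\d+\.\d+\.\d+) ", config, re.M))


def spoofing_config_issues(config):
    """Flag configuration points raised in the thread.

    - spoofing not enabled by either command form
    - 'wccp version 2' missing (Gilles' first question)
    - 'rule enable' present together with spoofing (reported to break spoofing)
    """
    lines = {line.strip() for line in config.splitlines()}
    issues = []
    spoof_on = any(cmd in lines for cmd in SPOOF_COMMANDS)
    if not spoof_on:
        issues.append("spoofing-disabled")
    if "wccp version 2" not in lines:
        issues.append("wccp-version-2-missing")
    if spoof_on and "rule enable" in lines:
        issues.append("rule-enable-with-spoofing")
    return issues


def source_ip_breakdown(log, ce_ips):
    """Count origin-side requests by whether the source IP is a CE address.

    Returns (from_ce, from_clients). Any non-zero from_ce for requests that
    clients originated means the CE is not presenting the client's address.
    """
    from_ce = from_clients = 0
    for line in log.splitlines():
        if not line.strip():
            continue
        src = line.split(" ", 1)[0]  # first CLF field is the remote host
        if src in ce_ips:
            from_ce += 1
        else:
            from_clients += 1
    return from_ce, from_clients


def spoofing_effective(log, config):
    """True only if no origin-side request carries a CE interface address."""
    from_ce, _ = source_ip_breakdown(log, ce_addresses(config))
    return from_ce == 0


if __name__ == "__main__":
    print("CE addresses:", sorted(ce_addresses(CE_CONFIG)))
    print("config issues:", spoofing_config_issues(CE_CONFIG))
    print("requests (from CE, from clients):", source_ip_breakdown(ORIGIN_LOG, ce_addresses(CE_CONFIG)))
    print("spoofing effective:", spoofing_effective(ORIGIN_LOG, CE_CONFIG))
```

Run against the thread's configuration, the config check reports only the "rule enable" combination, which matches the final observation in the thread; the log check shows two of four requests still sourced from the CE's GigabitEthernet 1/0 address, which is the symptom Fausto describes. A real deployment would feed it the origin server's actual access log rather than the constructed lines.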