03-28-2014 07:53 PM - edited 03-07-2019 06:54 PM
I followed this article and configured my router to send all http traffic to a squid proxy. However, I am wondering: if my squid server crashes, all users will not be able to access any websites. So can I configure the router to pass through the squid server when it has crashed?
03-31-2014 07:30 AM
Hello
I cannot comment on the article, but I may be able to shed some light on the PBR for you.
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop SQUID-PROXY-IP
At present the above PBR statement is matching on the ACL and setting the next hop towards the squid proxy IP. However, if that IP address becomes unavailable the router will NOT be aware and WILL continuously try to PBR the matching traffic to that failed IP address.
This can be changed to verify the availability of the next hop and, if applicable, to specify an additional next hop for resiliency.
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop SQUID-PROXY-IP SQUID-PROXY-IP2 SQUID-PROXY-IP3
 set ip next-hop verify-availability
(The set ip next-hop verify-availability command above will check for the availability of the next hop via CDP, so if the next hop isn't a Cisco device it will not work.) However, using another feature called Object Tracking this can be accomplished, and if the failed next hop isn't viable it will be routed normally.
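! ICMP probe towards the proxy every 5 seconds
ip sla 2
 icmp-echo SQUID-PROXY-IP source-ip SOURCE-IP
 frequency 5
ip sla schedule 2 life forever start-time now
! track object 10 follows the result of probe 2
track 10 ip sla 2 reachability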
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop SQUID-PROXY-IP
 set ip next-hop verify-availability SQUID-PROXY-IP 1 track 10
route-map proxy-redirect permit 999
Note the permit 999 is a catch-all statement, meaning all NON-matched traffic will be routed normally.
res
Paul
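An added example, not part of the original posts: a small Python check that reads an IOS configuration and reports route-map clauses whose PBR next hop has no tracked verify-availability entry, or whose track / ip sla chain is incomplete. The sample configuration, the 192.0.2.10 address, the legacy-redirect route-map and the function name audit_pbr are assumptions made for this example.

```python
import re
# Constructed sample in the shape of the configs in this thread (192.0.2.10 is a placeholder).
SAMPLE = """\
ip sla 2
 icmp-echo 192.0.2.10
 frequency 5
ip sla schedule 2 life forever start-time now
track 10 ip sla 2 reachability
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop verify-availability 192.0.2.10 1 track 10
route-map proxy-redirect permit 999
route-map legacy-redirect permit 10
 match ip address 111
 set ip next-hop 192.0.2.10
"""

def audit_pbr(config):
    """Return (clause, problem) pairs for PBR clauses that would not fail open."""
    tracks = dict(re.findall(r"^track (\d+) ip sla (\d+) reachability", config, re.M))
    scheduled = set(re.findall(r"^ip sla schedule (\d+) ", config, re.M))
    defined = set(re.findall(r"^ip sla (\d+)\s*$", config, re.M))
    findings, clause, body = [], None, []
    def close():
        # Evaluate the clause collected so far (called at each clause boundary).
        if clause is None:
            return
        plain = [l for l in body if re.match(r"set ip next-hop (?!verify-availability)\S", l)]
        used = [m.group(1) for l in body
                if (m := re.match(r"set ip next-hop verify-availability \S+ \d+ track (\d+)", l))]
        if plain and not used:
            findings.append((clause, "next hop is not tracked"))
        for t in used:
            sla = tracks.get(t)
            if sla is None:
                findings.append((clause, f"track {t} is not defined"))
            elif sla not in defined or sla not in scheduled:
                findings.append((clause, f"ip sla {sla} is missing or not scheduled"))

    for line in config.splitlines():
        if line.startswith("route-map "):
            close()
            clause, body = line.strip(), []
        elif clause and line.startswith(" "):
            body.append(line.strip())
        elif clause:
            close()
            clause, body = None, []
    close()
    return findings
```

On the constructed sample, only the legacy-redirect clause is reported, because its next hop has no track object behind it.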
03-29-2014 07:26 AM
The acl in that article seems a bit convoluted.
What traffic are you trying to send to the proxy ie. http but what else. Are there other things like https etc ?
What device are you using ie. a switch or a router ?
If a switch what model and what license are you running on that switch ?
Have you thought about using WCCP ?
Jon
03-29-2014 09:55 PM
> The acl in that article seems a bit convoluted.
It just rejects all traffic except http I believe.
> What traffic are you trying to send to the proxy ie. http but what else. Are there other things like https etc ?
http only at this time. I want to send https traffic but that would involve a lot of work on certification things.
> What device are you using ie. a switch or a router ?
> If a switch what model and what license are you running on that switch ?
Cisco 7301/7304
> Have you thought about using WCCP ?
A quick overview suggests that WCCP is a very useful solution and I am currently reading some materials about it. :-)
03-31-2014 06:44 AM
> It just rejects all traffic except http I believe.
It does but with PBR if the traffic is not matched in the acl it is simply routed normally so you only really need to permit the http traffic you want and nothing else ie. you do not need to deny non http traffic.
Can't say much more without seeing the configuration.
Jon
03-31-2014 12:07 PM
Thank you! I believe this is what I am looking for!
I will give it a try some time later this week :-)