Traffic Interception with WCCP
WCCP is a forwarding/tunneling method. Since a tunnel could be built using any two devices, the configurations have been separated into endpoint configurations.
L2 forwarding is best suited to setups where the proxy is directly connected to the router, i.e. resides in the same L2 segment of the LAN. Since Layer 2 is a level below TCP/IP, it can be treated as equivalent to Policy Routing at the IP layer (the difference is that PBR executes on the CPU, whereas true L2 WCCP forwarding often executes at the control plane level) and requires only routing configuration on the receiving proxy machine. Also note that L2 forwarding is most often hardware accelerated and has no additional overhead (because it uses L2 header rewrites without increasing packet size), so it has the best performance in most cases.
GRE tunneling is suitable for setups where the packets need to traverse multiple other devices (hops) before reaching the proxy. This requires a GRE interface configured on the receiving proxy to decapsulate the tunnel in addition to routing configuration on the receiving proxy machine.
Some older Cisco device types (notably ASA) place additional limitations on which method they support. Recent IOS versions may expand them to allow either method, or may not; check your Cisco device documentation carefully.
Catalog of use cases
- Linux traffic Interception at source using DNAT
- TPROXY v4 with CentOS 5.3
- Policy Routing web traffic on a Cisco 2501 Router
- Configuring a Cisco 3640 with WCCPv2 Interception
- Cisco ASA and Squid with WCCP2
- Configure Cisco IOS 11.x router for WCCP Interception
- Configuring Cisco IOS 12.x for WCCP Interception
- Variant I: Routed DMZ with WCCPv2
- Configuring a Cisco IOS 12.4(6) T2 with WCCPv2 Interception
- Interceptor Squid on Debian with Redirectors and Reporting
- Configuring Transparent Interception with Fedora Core Linux and WCCPv2
- Intercepting traffic with PF on FreeBSD
- Intercepting traffic with IPFW
- Policy Routing Web Traffic On A Linux Router
- Proxying Web Traffic On A Linux Bridge Server
- Linux traffic Interception using DNAT
- Intercepting traffic with IPFW on Linux
- Linux traffic Interception with Squid and the Browser on the same box
- Linux traffic Interception using REDIRECT
- Intercepting traffic with PF on OpenBSD
- Policy Routing Web Traffic On A FreeBSD Router
- Intercept HTTPS CONNECT messages with SSL-Bump
- Linux TPROXY Real Transparent Interception (without NAT)
⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.