I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barraccuda Webfilter 410 Vx applicance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is funning firemware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping eachother. The ASA has several interfaces, outside, inside, data and dmz. The PCs and barracuda appliance are behind the data interface. ASA data IP 172.16.18.1 Barracuda IP 172.16.18.40 All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover. The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?
I have a WCCP Configuration on a Catalyst 3750G and a IronPort Webappliance. I have configured this situation many times before with cisco asa and ironport wsa, but with a switch, this is my first time.
VLAN 147 is a transportation vlan between the cisco switch and a hp coreswitch with the clients and servers behind the hp coreswitch.
VLAN 147 IP Address of the Catalyst is 172.30.47.1
IP of the IronPort Appliance is 172.30.47.10
IP of the HP Coreswitch is 172.30.47.2
Plan is to redirect the webtraffic coming from clients and servers from the 10.0.0.0/8 net behind the hp switch to the ironport wsa. In have configured these settings.
ip wccp web-cache group-list 15 password 7 091D1C5Aip wccp 80 redirect-list 16 group-list 15 password 7 14464058 interface GigabitEthernet1/0/22 description IRONPORT P1 BUWOG switchport access vlan 147 switchport mode access interface Vlan115 ip address 172.30.15.2 255.255.255.0 standby 10 ip 172.30.15.1 standby 10 priority 90 standby 10 preempt standby 10 track Vlan115!interface Vlan147 ip address 172.30.47.1 255.255.255.0 ip wccp web-cache redirect in ip wccp 80 redirect in
Is there any tool or script which will automatically generate scripts for routers, switches. I am configuring 100's of cisco 3700 routers and 3500 switches. I want to be consistent with my configuration . I am looking for script that when u run it, it will prompt you step by step to configure router, and switch and generate router config file. I know aobut cisco autoconfig maker but thats not what i am looking for.
i trying to set up a terminal server, 2811 with an HWIC-16A und two octo cables. [code] connect and sometimes not. It seems the connection is established but i don't get a prompt von the target device.The target devices are cisco 2811 and cisco catalysts 3560.
i got a big problem, during a configuration reset i got an electrical blackout. I have set the configuration back after a password reset and send the reset prompt. At the restart of the router the blackout take all for 10 seconds out. When i restart the system an connect the router with the hyper terminal i get the following output:
I think the config was lost but how can i restart the router and enter a new one?
IGMP Snooping configuration for Multicasting on Cisco Catalyst 3020
Our switch model is "Cisco Catalyst Blade Switch 3020 for HP" We are building HA (High Availability) Databases infrastructure. Currently, there are two nodes(hosts- servers) and two above switch for HA.
Oracle said we need to turn off the IGMP Snooping in order to use the multicasting for their interconnect communication. So my question is:
Q1> Is there any way to use Multicasting without turning off IGMP Snooping on Switch side?
Q2> If 'yes', how can we configure the switch for Multicasting ?
Oracle uses 126.96.36.199 & 188.8.131.52 IPs with 42000 range port for Multicasting communication.
So Im trying to learn a little bit more about WCCP so I thought I'd load up a centos VM and just install squid on it. With the base config running I can setup an explicit proxy by configuring my IE session to use the squid IP on port 3128. Proxy works fine and I see entries in the access log on the centos box. Now, since Im only running squid on the box Im going to change the listening port to 80 so I can transparent proxy with WCCP on my ASA. So I set the WCCP2 config on squid as shown.
I'm using a Cisco AG3560 to run my wccp re-direct and have a McAfee for my web gateway. My IP for the web gateway is 10.1.252.19, and my wccp router is 10.1.3.10. For whatever reason the web gateway is able to see the router and the "here i am packets" but I cannot get anything to redirect to it. My wccp config is below.
ip wccp 51 redirect-list 120 ! interface Loopback0 ip address 10.1.254.17 255.255.255.255
I have the Web Gatewy setup with process 51 and my router on the WG is 10.1.252.10.
I currently have WCCP redirection setup on my ASA 5520 to redirect to an ironport on ip address 10.11.1.10. The ASA inside ip is 10.11.1.1 and the ironport is setup for transparent redirection to that IP. This all works well and the Service Identifier i'm using for WCCP is 95.I am now creating another WCCP group because on my ironport I have 4 interfaces so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the ip on the ironport of 10.11.1.22. But I can't get traffic to redirect.
ip wccp 0 redirect-list wccp_acl group-list 10 password 0 ourpassword
Received this error:
MDT: %COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. WCCP:0 linked to wrong idb Loopback0 (xyz node name)
When the following was issued 10 minutes later:
ip wccp 70 redirect-list wccp_acl group-list 10 password 0 ourpassword
No error msg (but now wccp was active)WCCP appears to be working but we are ** having problems connecting ** with our websense (7.6) box via GRE.Websense is connected to the 6509 which is connected this 3750 switch.
I’m currently trying to work out what router we need to do WCCP redirections to some WAN optimizers. We plan that there will 100-200Mbps worth of traffic that needs to be redirected.
We currently have a 7200 with NPE-G2 which already runs at 30% cpu without WCCP redirection. (From shaping and QoS.) I’m worried that this will not be powerful enough for the redirections.
We would like to upgrade, but I want to do some research beforehand.I have looked everywhere and I cannot find any WCCP performance figures for the devices below.
-7200 with NPE-G2 -ASR1000 -3800 -3750 -6500 I am aware that the catalyst and the ASR can do the redirecting in hardware, so these means there is no real CPU hit until we exhaust the TCM? We plan to use in bound redirection and the redirect ACL is only 20 lines.
My problem is, it doesn’t seem like packets are making it to the linux/squid caching device, based on cache logs. Workstations that are being redirected in the router have no web browser access (they can ping 184.108.40.206 and google.com)
I have a linux box running squid successfully, which supports GRE WCCP. For the sake of argument, I will say that I am confident I have successfully configured that machine.
What’s really strange is this morning I came in and hind sight my test workstation looked like it may had restarted from an update. (maybe had internet access). The first thing I did was tweak the cisco config, as I was reading last night and saw:
“Be warned that if you are using NAT you MUST use the inbound interface otherwise the router only sees the NATted IP address as the source of your clients. This is bad, because the router is also therefore unable to see your cache engine and it will redirect the cache engine requests back upon itself.”
So I turned <ip cef> on and removed the <ip wccp web-cache redirect out> (I had in fa0/1 and out fa0/0 on overnight).
Then I proceeded to check the workstation and saw it had network access, I tested to see if it was in fact filtered by the proxy, and it was! (verified by cache logs aswell)
After some further successful testing, I made sure I saved any unsaved configuration changes, I rebooted the linux box and the router. Sadly the outcome was not good, I am back to where I was last night.
My router does routing/NAT and has two interfaces and is currently not running CEF
ip wccp web-cache redirect-list SQUID_PROXY ! interface FastEthernet0/0 description WAN ip address 220.127.116.11 255.255.255.248 ip nat outside ip virtual-reassembly max-reassemblies 64 speed 100 full-duplex(code)
I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp Global WCCP information: Router information: Router Identifier: 200.X.X.X Protocol Version: 2.0
I'm testing WCCP in a lab environment (Another checkbox on my way to CCIE).The setup- a WS-C3560-8PC switch running IOS 15.0(1), IP Services with crypto.- Two client computers connected by wire to the switch, running Windows 7.- A virtual machine in bridged mode running on one of the machines, running OpenBSD 5.0 with Squid 2.7 installed and running.- Everything in the same subnet: 192.168.163.0/24, the OpenBSD is at .5, the switch at .3 and functions as the default-gateway for the computers with no ICMP redirects (the real gateway is at .1 but the switch forwards everything).Squid seems to work, albeit inefficient, but that's not the issue.illing in the IP of the OpenBSD in the browser as proxy with the proper port works.Since the 3560 does only support WCCP over layer 2 adjacencies and masks, not hash buckets, I've configured these options on both the Squid and the 3560.
I'm setting up a config to have WCCP with Blue Coat WAN Optimizer. I have following sinple setup at the moment. Cisco 6500 <----> Firewall. How should my topology should be. Should I have whe WAN-Optimizer in between (in path of switch and firewall on the same VLAN) or have different vlan hanging off the 6500 and have WCCP redirect traffic?
I´m trying to config a wccp web-proxy in a ISR 2811 at branch network. I have an Iron Port at Head-Quarter.
The idea is that the users at branch network, transparently forward http traffic to Iron Port at Central-Office and from them go to Internet.
The communication between sites is over DMVPN. I have two GRE tunnels running OSPF.
The Iron Port is configured as wccp v2 transparent redirection with forwarding method L2 or GRE an retunr method as L2 or GRE.
I receive packets on the branch router "Here I Am" but it get a message on debug:
Nov 21 19:26:07.067 GMT-2: WCCP-EVNT:D10: Here_I_Am packet from 172.16.10.10 w/bad fwd method L2, received indirectly via Tunnel1Nov 21 19:26:07.067 GMT-2: WCCP-EVNT:D10: Here_I_Am packet from 172.16.10.10 with incompatible capabilites
Nov 21 19:46:07.035 GMT-2: WCCP-PKT:D10: Sending I_See_You packet to 172.16.10.10 w/ rcv_id 0000004F
I have a web cache server, and I redirect all the HTTP request to it using WCCP.
Everything works without a problem, however I have a monitoring system that every minute tests the access to some customer sites that are hosted inside our infra-strutcture.
As soon as I configured the WCCP the monitoring system complains of timeouts accessing those sites, about 20% of the requests start to fail (timeout).
I don't think it is the fault of the cache because in the WCCP ACL I exclude all traffic that comes from my monitoring system. However as soon as I turn of WCCP the monitoring system never ever gives timeouts accessing those sites.
Is there anything I should do in WCCP to tweak it? I have WCCP configured in my core gateway that is a CISCO 3750.
I'm setting up a web cache using the wccp protocol on a Catalyst 3750 stack.
Probably missing something real simple here but when I from the global configuration mode are trying to enter the ip wccp command it just says "invalid input" from wccp. There is no such command.. should be supported on my device from IOS 12.2(37)
I am trying to enable wccp on 6509. Its works fine on port 80 but not with https (443). Also i have noticed when i use the following
ip wccp web-cache redirect in similarly adding to interface HTTP works. but when i use the service no 0 instead of web-cache even the HTTP stops working. wccp v2 is enabled in the switch. Both the source & the Squid server are in same V LAN.
I have been tasked to setup a Transparent Squid proxy and do redirection on a Cisco 6513 Switch.I don't have access to the SQUID but think that my config below should be OK. We have setup a TEST user Vlan 13 . Any traffic from this destined for the we on 80 or 443 should be redirected. Vlan 10 is where the Squid proxy is sitting. [code]