I am trying to enable wccp on 6509. Its works fine on port 80 but not with https (443). Also i have noticed when i use the following
ip wccp web-cache redirect in similarly adding to interface HTTP works. but when i use the service no 0 instead of web-cache even the HTTP stops working. wccp v2 is enabled in the switch. Both the source & the Squid server are in same V LAN.
I am unable to redirect the HTTPS traffic on my cisco router with WCCP V2
View 2 Replies View RelatedIs there a way to use 2 redirects inbound on vlan 1?
int vlan 1
ip wccp 80 redirect in
ip wccp 81 redirect in
The reason for this is because we need the return traffic from the firewall to come in on group 81 and the source subnet will go out group 80.
I'm setting up a web cache using the wccp protocol on a Catalyst 3750 stack.
Probably missing something real simple here but when I from the global configuration mode are trying to enter the ip wccp command it just says "invalid input" from wccp. There is no such command.. should be supported on my device from IOS 12.2(37)
I have been tasked to setup a Transparent Squid proxy and do redirection on a Cisco 6513 Switch.I don't have access to the SQUID but think that my config below should be OK. We have setup a TEST user Vlan 13 . Any traffic from this destined for the we on 80 or 443 should be redirected. Vlan 10 is where the Squid proxy is sitting. [code]
View 3 Replies View RelatedI am trying to configure a 3560 (Version 12.2(55)SE3) with IPServices to run WCCP to two to an Ironport WSA.
I believe everything is setup correctly, however WCCP is still not operational. I have check the debug logs on the switch and I'm presented with a number of messages along the lines of...
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: enter
[Code]....
I have a Head Quarter and a remote site running over a OC3 circuit. [code]
On the HQ, I have a Cisco VXR7204 running IOS 12.4.15T(10) Advanced IP Serviceand the remote site is a Cisco 2851 also running IOS 12.4.15T(10) Advanced Ip Service. The HQ has a Riverbed Steelhead 5050H capable of delivering 100MbpsWCCP throughput. The remote site has a Riverbed Steelhead 1050H which can deliver 10Mbps WCCP throughput. At the HQ, the LAN network is 192.168.251.0/24.The Steelhead residing on the 192.168.251.0 network.At the remote site, the LAN network is 192.168.103.0/24 and 192.168.211.0/24.The Riverbed resides on the 192.168.103.0/24 network.
When a host on network 192.168.211.0/24 download a file from network192.168.251.0/24 network via http, the CPU on the Cisco 2851 goes to 99% utilization and that it stays there for the duration of the http session. There is very little traffic goes across the WAN whichis the way it should be but the CPU on the 2851 stays at constant at99% CPU utilization.
Why would WCCP consume so much CPU on the Cisco 2851? By the way, I am only getting about 5Mbps download instead of 90Mbps download, I think because of the high CPU on the router?
I have a WCCP Configuration on a Catalyst 3750G and a IronPort Webappliance. I have configured this situation many times before with cisco asa and ironport wsa, but with a switch, this is my first time.
VLAN 147 is a transportation vlan between the cisco switch and a hp coreswitch with the clients and servers behind the hp coreswitch.
VLAN 147 IP Address of the Catalyst is 172.30.47.1
IP of the IronPort Appliance is 172.30.47.10
IP of the HP Coreswitch is 172.30.47.2
Plan is to redirect the webtraffic coming from clients and servers from the 10.0.0.0/8 net behind the hp switch to the ironport wsa. In have configured these settings.
ip wccp web-cache group-list 15 password 7 091D1C5Aip wccp 80 redirect-list 16 group-list 15 password 7 14464058
interface GigabitEthernet1/0/22 description IRONPORT P1 BUWOG switchport access vlan 147 switchport mode access
interface Vlan115 ip address 172.30.15.2 255.255.255.0 standby 10 ip 172.30.15.1 standby 10 priority 90 standby 10 preempt standby 10 track Vlan115!interface Vlan147 ip address 172.30.47.1 255.255.255.0 ip wccp web-cache redirect in ip wccp 80 redirect in
[code]....
Today, my customer have 1 project that have to deploy Cisco 3750 to redirect wccpv2 to Websense Security Gateway.However, i can't excute "ip wccp redirect out" on Cisco Catalyst 3750.
View 5 Replies View RelatedI would like to apply a policy-based route on one of our L3 switches (Cisco 3750) to change the next-hop of a couple of servers only. The VLAN where those servers reside got WCCP enabled on it. When I want to apply the route-policy to that VLAN interface it doesn't let me. When I try to apply the same policy to a VLAN interface without WCCP it does work. Is there any Cisco IOS limitations that would prevent me from doing that?
Configuration:
route policy config:
access-list 70 permit ip host x.x.x.x (server IP)
route-map PBR1 permit 10
[Code].....
I currently have a couple of 6509 chassis (router/switches) with the following hardware blades:
x3 48 ports
x1 NAM
x2 Sup720
Running 12.2(18)SXF3
I am keeping the four Sup720 modules and have purchased new versions of the others blades including two new 6509-E chassis?Can I take my stand-by Sup720 out of the production machine and insert it into the new chassis?
I currently have a couple of 6509 chassis (router/switches) with the following hardware blades:
x3 48 ports
x1 NAM
x2 Sup720
Running 12.2(18)SXF3.I am keeping the four Sup720 modules and have purchased new versions of the others blades including two new 6509-E chassis. Can I take my stand-by Sup720 out of the production machine and insert it into the new chassis?
configuration of a Catalyst 3750X and Barracuda Web Filter using WCCP protocol.
We used various WCCP protocol settings, unable set to redirect traffic to the Web Filter.
This is the current configuration of 3750X:
ip routing
ip wccp 94 redirect-list 194 group-list 50
ip wccp 95 redirect-list 195 group-list 50
[Code]......
Can i use acl object group with wccp redirect list?My platforms are 6500 and isr 2921
View 1 Replies View RelatedI have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
int gi0/2
ip wccp 10 redirect in
ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs i've found on cisco.com are for redirecting traffic from directly connected subnets but I can't find anything that denies thie possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
I have a ace board(Acsm) in my switch 6509.I need provide access for clients over https, my scenario looks like this post [URL] .But, i have only one interface, and need to configure nat for inbound clients, to access the server with ip address of the interface vlan of my ace(if i set ace gateway in a rserver, the ssl termination works). The Topology is: Client(https) -> Ace(Https) -> Ace(http) -> rserver (http). Need to configuring this nat? I need that external clients arrive at the server with the ip of the same network as him, he did not right back the packet to the default gateway, but the origin of the same network as him, so that the communication function successfully, end order.
View 1 Replies View RelatedWhen i try logging by HTTPS on a router i have next errors.
%HTTPS: http ssl get context fail (-41104)
HTTP: ssl get context failed (-40407)
I have a 2821 router with
c2800nm-advipservicesk9-mz.124-15.T1.bin ios
I configured 2960S switch as http server. I'm unable to access the switch GUI with non privilege 15 user, with privilege 15 user it's working.
View 7 Replies View RelatedI have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.
View 3 Replies View Relatedwe've had an issue with our network, we have 2 6509 connected with redundancy, which are connected with 2 x 4900 Switches, from which are connected to a ESX Chassis for visualization, the thing is that the ESX stopped working, and the 4900 switches, and the main core were suffering from overload, they hang on it very well, in order to stop the overload, one of the links to the ESX Chassis were disconnected from one of the 4900 switches. The CPU usage from the 4900 and the core(6509) went down below 40%, and then they started to migrate the virtual servers from the chassis to another 2 chassis that were added right after. They were actually working well, but suddenly the 6509 changed to the other supervisor after everything was OK. We were wondering what could have been the cause of this, maybe the virtual servers migrations, maybe the overload from the ESX ? We also had a few question, is there any need to reload the cores every few months as a planned task ? Because the cores have been up for more than 1 year. And also is there any kind of of tool to monitor the CPU status, or the status overall from the cores or the switches ?
View 3 Replies View RelatedThe have around 80 staff and I think the current infrastructure is overkill for the size of the company. The current kit is old and they have no GB ethernet ports. They currently have:-
Core Switch:
1x Cisco c6509with a 48 port fast ethernet module (WS-X6248-RJ-45)
and an 8 port fibre module (WS-X6408A-GBIC)
I'm looking to replace this with something with 72 ethernet ports and 8 fibre ports
Access Switches:
2x 3500Replacement needs at least 48 ports and 2 fibre modules each
and 2x 5500Replacement needs at least 72 ports and 2 fibre modules each.
If client gateway = 192.168.64.9 then next-hop = 192.168.64.8 else use default-route 0.0.0.0
I know it's possible to do a route-map match ip-address ACL list. But is it possible to match on gateway?
Some info about hardware and config:
6509-E in VSS (IOS 12.2(17r)SX5) withVS-S720-10G supervisor.
All routes are static, IP for 192.168.64.9 is on SVI vlan.
I have two ISPs. Each is on it's own subnet connected to the 6509 MSFC/Switch. FW1 is on 100.1.100.0/30 and FW2 is on 200.1.200.0/30 subnet. My goal is route all traffice going to the Internet from subnet 10.133.3.0/24 to FW1 and all other subnets across the organization to FW2. I am not sure if I need to use ACL / Static route combo, or just a static routes or ACLS?
View 5 Replies View RelatedWe have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?
View 11 Replies View RelatedI would like to ask you if it's possibile to block routing between some Vlan for just once of them.
Maybe I can explain better:
I've got a Cisco 6509 with 4 configured vlan interfaces
Int Vlan 10 10.10.1.0/24
Int Vlan 20 10.10.2.0/24
Int Vlan 30 10.10.3.0/24
Int Vlan 40 10.10.4.0/24
Vlan "10" is the phone voip Vlan and it must not talk with the others Vlan. The others Vlan can comunicate normally except with Vlan "10".
Pratically Vlan "10" needs to be isolated from the others.
This equirement comes becouse Vlan 10 is wireless and has the WEP key encryption (very weak protocol). Some Phone couldn't support the WPA2 key and I need to avoid an unauthorized external client, cracking the WEP key and connecting to this WiFi, could have free access to the others Vlan.
I have a problem on my catalyst 6509 on which I would like to do the following things :
I have some Vlans in which multicast is enabled.
In tose Vlan theres is a router which is default router for equipements.
I had enabled multicast routing because some Vlan needs to exchange multicast informations, but I wolud like to make difference between Multicast traffic. For example I have 5 vlans:
Vlan 1 and 2 need to exchange Multicast informations but the don't need multicast information from Vlan 3 and 4
Vlan 3 and 5 need to exchange Multicast informations but the don't need multicast information from Vlan 1 and 2
Vlan 5 is independant Vlan but doesn't need to have multicast information from all others vlan.
Last problem, equipement on differents vlan can use the same Mulkticast group address. In this case, Multicast routing is not working between Vlan 1 to Vlan 2 and Vlan 3 to Vlan 4.
I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.
View 26 Replies View RelatedI am migrating from Cisco 6509 IOS (12.2) to Nexus 7000 NX-OS (5.1(1)).I am looking for a equivalente NX-OS command for permit ipinip on IOS.
View 2 Replies View RelatedI have 2 6509-E chassis with SUP-720-VSS and classic line cards :-(. on October 2011 the switch reached 100% CPU on both devices and the entire network went down. Customer restarted the core so we lost all the log files and couldnt find out any root cause on the same. TAC engineer suggested to have some script configured on the system in case of CPU shooting up above 70%, it will create a file in flash and keep appending the logs to the same. Last week i got call from customer saying that the CPU again went high for around a minute on both the cores. Last time i added CoPP also on the switch in order to prevent the CPU reaching 100%. Still it went high and from the captured logs i saw that the process created the high CPU was Port Manager Per and SSH process. Attached the file created by the netdr capture command.
View 1 Replies View RelatedI have a customer that has a Catalyst 6509 with two Supervisor VSS capable and my Sales team sell another 6509 with just one Supervisor VSS capable. Simple question: Will VSS configuration will recognize that I have three Supervisors? It will work as QUAD-SUP solution or as a normal VSS solution?
View 7 Replies View RelatedWe are trying to migrate from 1g to 10G, couldn't find any module on 6509-E which supports 10G on SFP+ ...I can see X2 and Xenpacks .. but not SFP + .what exactly this Xenpack means ?
View 3 Replies View RelatedWe have connected a single F5 box with dual links to 2 different Cisco Catalyst switches using 802.1Q trunks. F5 is configured with RSTP mode and on Cisco Switch RPVST+ is configured.STP root bridge is hardcoded on the Cisco side. Loop Guard is globally enabled.On F5 STP link type is Auto, STP Edge port is disabled since that port is connected to the cisco switch.When we are failing over the F5 primary link to the secondary link we see 'Loop Inconsistent' on the cisco switch and things dont work after the failover.We have tried configuring the F5 as STP passthrough but that doesn't fix out the issue.I have checked out the forums and found out following recommendations
1. Configuring MSTP bw F5 and Cisco for better compatibility (Not possible from Cisco side because of a major change in large production setup)
2. Configuring VSS in Cisco switches (not possible due to hardware limitation)
3. Connecting F5 using single links to each switch (redundancy compromised)
I am wondering that on which default vlan does the F5 STP instance0 sends the STP BPDUs ? the term used on Cisco side is native vlan and others use PVIDs; that F5 default vlan should match the native vlan on cisco trunk side.
Tonight we were performing an IOS upgrade on our 6509 VSS to 122-33.SXI6. Both 6509's have dual Supervisor cards installed. Initially we had problems with switch 2 slot 5 supervisor returning to rommon however switch 2 slot 6 supervisor loaded correctly. After manually setting the boot var in rommon, switch 2 slot 5 supervisor reloaded correctly.
After all supervisor's were online we noticed when looking at " show switch virtual redundancy" that sw 1 & 2 slot 6 supervisors were running the correct IOS version but sw 1 & 2 slot 5 were running different IOS versions, however when looking at the show version we are running on the upgraded IOS??? See output below...
Why the active supervisor has loaded the incorrect IOS the VSS is running on the upgraded IOS? I have verified the IOS was copied correctly to each supervisor bootdisk, I see no issues.
My Switch Id = 1 Peer Switch Id = 2 Last switchover reason = none Configured Redundancy Mode = sso Operating Redundancy Mode = sso
Switch 1 Slot 5 Processor Information :----------------------------------------------- Current Software state = ACTIVE Uptime in current state = 3 hours, 38 minutes Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI9, RELEASE SOFTWARE (fc2)Technical Support:
[code].....