I have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
ip wccp 10 redirect in
ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs i've found on cisco.com are for redirecting traffic from directly connected subnets but I can't find anything that denies thie possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
I currently have WCCP redirection setup on my ASA 5520 to redirect to an ironport on ip address 10.11.1.10. The ASA inside ip is 10.11.1.1 and the ironport is setup for transparent redirection to that IP. This all works well and the Service Identifier i'm using for WCCP is 95.I am now creating another WCCP group because on my ironport I have 4 interfaces so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the ip on the ironport of 10.11.1.22. But I can't get traffic to redirect.
I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp Global WCCP information: Router information: Router Identifier: 200.X.X.X Protocol Version: 2.0
I have a ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.The integration is working fine, except when a user PC sends a large packet (~1500 bytes).With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
I have a 5520 ASA using wccp redirection to our IronPorts on the inside and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and to filter their traffic through the IronPorts as well but I can't figure out how. When they connect they seem to bypass the Ironport completely.
I have a CAT 3560 connected to a ISR 2911 The 3560 has 2 subnets ( 192.168.1.0 /24 and 10.10.10.0 /24) The 2911 has interface GigabitEthernet0/1 on the 192.168.1.0 /24 and another GigabitEthernet0/0 on a WAN connection 172.16.7.246 I need to NAT both the 192.168.1.0 /24 and the 10.10.10.0 /24 to the single address 172.16.7.246 I have to use route-maps . I have IPSec VPN's and ZBF on the 2911 My problem is the NAT does not work for the 10.10.10.0 /24 network!Why?is my only option to use trunking between the 3560 and 2911 and subinterfaces on the 2911? I want to avoid sub-interfacing.
============================================================= On the Cat 3560=====================!vlan 40name the 192.168.1.0 /24 subnet!vlan 60name the 10.10.10.0 /24 subnet!interface FastEthernet0/7description Connection to Router Gig0/1switchport access vlan 40!interface FastEthernet0/16description Connection pc host on the 10.10.10.0 /24 subnetswitchport access vlan 60!interface Vlan1no ip address!interface Vlan40ip address 192.168.1.4 255.255.255.0!interface Vlan60ip address 10.10.10.10 255.255.255.0!ip classlessip route 0.0.0.0 0.0.0.0 192.168.1.1 =========================
The host on the 10.10.10.0 /24 network has the 10.10.10.10 address as it's default gateway The host can not access the WAN thru NAT....
My Data Center has one single core switch where is connected several servers, one port is the link to the router wan and other port is the link to the FW, my boss wants to install 2 nexus in order to replace the single switch. All my network has only one address, for example 192.168.10.0/24 if I connect two nexus 7010 in VPC and Domain, each nexus is going to has 2 modules with 48 port 10/100/1000 rj45 and i wan to connect servers directly to each nexus, with this figure i'm going to have a group of servers connected in two different nexus, Do they can have the same network 192.168.10.0/24 considering that the nexus are in the same vdc and vlan and have only one gateway for both groups? If the answer is positive, which nexus would be the gate way for that address, the primary or secondary? Or i must have a different address for both group of servers, i mean for example 192.168.10.0/24 and 192.168.12.0/24?thus each nexus would be the gateway for that new address?
To have two nexus connected by VPC in a Domain mean that one computer connected to one nexus can share the same address or vlan with other computer connected to the other nexus????
We have a 3750X VTP Server and the rest of the switches are clients.
Due to cabling issues, we have a switch (Switch F) that we can't connect directly to the 3750X so we have it connected through another switch. Everything is set to VTP client with the correct domain and password but this not-directly-connected switch isn't receiving any VTP VLANs.
Anything I need to do on Switch D so that Switch F can receive the VTP updates?
if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
seems like the priority value would come into play determining which service group gets handled first?
we currently do WCCP for WaaS on our 3945s.
I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
A specific switch port which happens to be part of a 2 switch 3750 Switch Stack is seeing multiple CDP packets from 3 extra switch port interfaces that are not directly connected. Noteworthy is that the far end devices have the correct CDP entries and I physically confirmed at least two of those connections that lead to the switch "upstream to the culprit switch". Tricky part is that its production so room for maneuvering is limited. At some point I disabled all Ports save for the real uplink and the problem momentarily disappeared. Re-enable the interfaces problem resurfaces. Is there an explanation, technique to eliminate the culprit with minimal disruption?
Since last week we started noticing this problem that the branch users started to complain of slow application response.. After verifying it with the ISP and middle network we noticed that if i ping from my machine (ie usernetwork) to the WAN Router interface (facing the ASA) , i get time outs.. which is strange cause this is directly connected to it via ethernet cable.
I have an Cisco 6500 CS and there is a Cisco Unified Communication Manger Server connected directly to the Core Switch.I tried to change duplex and speed ( fix and auto ) for both sides, but the same problem.
I have a Cisco 2600. I would like to know how to redirect traffic going to a certain IP address three hops away to an IP address on a locally connected segment.
Ex. Packet leaves a device with source IP of 10.10.10.10 and destination of 20.20,20.20 When the packet hits the router (10.10.10.1) I want the router to redirect the destination of 22.214.171.124 to 126.96.36.199 (locally connected segment).
The router has two physical interfaces.I am thinking along the lines of creating a VLAN with an ip of 188.8.131.52 and then doing a NAT translation from 184.108.40.206 to 220.127.116.11.
I do not have the option to run sh mls qos commands. I am trying to look at the cos-map on my 7200 router. The code I am running is c7200-p-mz.122- 25.s9.bin.I also do not see the mls qos command listed globally and it is not an available command in config t mode.
I'm setting up a web cache using the wccp protocol on a Catalyst 3750 stack.
Probably missing something real simple here but when I from the global configuration mode are trying to enter the ip wccp command it just says "invalid input" from wccp. There is no such command.. should be supported on my device from IOS 12.2(37)
I am trying to enable wccp on 6509. Its works fine on port 80 but not with https (443). Also i have noticed when i use the following
ip wccp web-cache redirect in similarly adding to interface HTTP works. but when i use the service no 0 instead of web-cache even the HTTP stops working. wccp v2 is enabled in the switch. Both the source & the Squid server are in same V LAN.
I have been tasked to setup a Transparent Squid proxy and do redirection on a Cisco 6513 Switch.I don't have access to the SQUID but think that my config below should be OK. We have setup a TEST user Vlan 13 . Any traffic from this destined for the we on 80 or 443 should be redirected. Vlan 10 is where the Squid proxy is sitting. [code]
I have a Head Quarter and a remote site running over a OC3 circuit. [code]
On the HQ, I have a Cisco VXR7204 running IOS 12.4.15T(10) Advanced IP Serviceand the remote site is a Cisco 2851 also running IOS 12.4.15T(10) Advanced Ip Service. The HQ has a Riverbed Steelhead 5050H capable of delivering 100MbpsWCCP throughput. The remote site has a Riverbed Steelhead 1050H which can deliver 10Mbps WCCP throughput. At the HQ, the LAN network is 192.168.251.0/24.The Steelhead residing on the 192.168.251.0 network.At the remote site, the LAN network is 192.168.103.0/24 and 192.168.211.0/24.The Riverbed resides on the 192.168.103.0/24 network.
When a host on network 192.168.211.0/24 download a file from network192.168.251.0/24 network via http, the CPU on the Cisco 2851 goes to 99% utilization and that it stays there for the duration of the http session. There is very little traffic goes across the WAN whichis the way it should be but the CPU on the 2851 stays at constant at99% CPU utilization.
Why would WCCP consume so much CPU on the Cisco 2851? By the way, I am only getting about 5Mbps download instead of 90Mbps download, I think because of the high CPU on the router?
I have a WCCP Configuration on a Catalyst 3750G and a IronPort Webappliance. I have configured this situation many times before with cisco asa and ironport wsa, but with a switch, this is my first time.
VLAN 147 is a transportation vlan between the cisco switch and a hp coreswitch with the clients and servers behind the hp coreswitch.
VLAN 147 IP Address of the Catalyst is 172.30.47.1
IP of the IronPort Appliance is 172.30.47.10
IP of the HP Coreswitch is 172.30.47.2
Plan is to redirect the webtraffic coming from clients and servers from the 10.0.0.0/8 net behind the hp switch to the ironport wsa. In have configured these settings.
ip wccp web-cache group-list 15 password 7 091D1C5Aip wccp 80 redirect-list 16 group-list 15 password 7 14464058 interface GigabitEthernet1/0/22 description IRONPORT P1 BUWOG switchport access vlan 147 switchport mode access interface Vlan115 ip address 172.30.15.2 255.255.255.0 standby 10 ip 172.30.15.1 standby 10 priority 90 standby 10 preempt standby 10 track Vlan115!interface Vlan147 ip address 172.30.47.1 255.255.255.0 ip wccp web-cache redirect in ip wccp 80 redirect in
I am planning to upgrade BootLoader image of 7206VXR router due to booting issue. The router is not booting .But if I go to rommon and give boot it will boot.So I am upgarding my Boot Loader image. Now the Bootloader image and IOS image are exactly same.Can I upgarde the Bootloader image to latest version without upgarding IOS?
I would like to apply a policy-based route on one of our L3 switches (Cisco 3750) to change the next-hop of a couple of servers only. The VLAN where those servers reside got WCCP enabled on it. When I want to apply the route-policy to that VLAN interface it doesn't let me. When I try to apply the same policy to a VLAN interface without WCCP it does work. Is there any Cisco IOS limitations that would prevent me from doing that?
I want upgrade IOS on my 7206VXR from 12.4(12c) to 15.1(4)M5 , but the CF card only 64M.
-NAME: "disk2", DESCR: "64MB Compact Flash Disk for NPE-G1" -Router#show bootvar
BOOT variable = disk2:c7200-jk9s-mz.124-12c.bin,15.1(4)M5 is almost 40M. So there is not enough space.I want to ask is it ok if I upgrade with normal precedure , With the command " copy tftp: disk2: " ?Does the router will automatically delete the older IOS first and then copy into the new one ? Or Is there something I should pay attention first ?
I’ve been trying a few days now to implement multicast routing on my home network in order to make airplay work between subnets. Specifically between an iphone and a hifi separated by different vlans. Failed, as I have no experience in multicast routing. we have a clean configuration and simple network which consists of two SVIs