configuration of a Catalyst 3750X and Barracuda Web Filter using WCCP protocol.
We used various WCCP protocol settings, unable set to redirect traffic to the Web Filter.
This is the current configuration of 3750X:
ip routing
ip wccp 94 redirect-list 194 group-list 50
ip wccp 95 redirect-list 195 group-list 50
[Code]......
I have a WCCP Configuration on a Catalyst 3750G and a IronPort Webappliance. I have configured this situation many times before with cisco asa and ironport wsa, but with a switch, this is my first time.
VLAN 147 is a transportation vlan between the cisco switch and a hp coreswitch with the clients and servers behind the hp coreswitch.
VLAN 147 IP Address of the Catalyst is 172.30.47.1
IP of the IronPort Appliance is 172.30.47.10
IP of the HP Coreswitch is 172.30.47.2
Plan is to redirect the webtraffic coming from clients and servers from the 10.0.0.0/8 net behind the hp switch to the ironport wsa. In have configured these settings.
ip wccp web-cache group-list 15 password 7 091D1C5Aip wccp 80 redirect-list 16 group-list 15 password 7 14464058
interface GigabitEthernet1/0/22 description IRONPORT P1 BUWOG switchport access vlan 147 switchport mode access
interface Vlan115 ip address 172.30.15.2 255.255.255.0 standby 10 ip 172.30.15.1 standby 10 priority 90 standby 10 preempt standby 10 track Vlan115!interface Vlan147 ip address 172.30.47.1 255.255.255.0 ip wccp web-cache redirect in ip wccp 80 redirect in
[code]....
I have a site to site VPN setup between a 5510 and 5505. All traffic is sent ovet the VPN from the remote site to the home office. Everything is working fine but the remote site "www" traffic is not going to the Barracuda. ISP -> CISCO ASA -> Barracuda -> Internal Switch.The Barracuda is setup "inline" with the internal network.
View 7 Replies View RelatedWe want to filter IP traffic by MAC address on Catalyst 4500. Since we are using bonding (active-backup mode) we need those mac addresses appear on different ports. Below are solutions that we have tried: ACL but it does not work since mac acls only match non ip traffic (We CAN NOT use ip acl). Use a static mac address-table entry to ALLOW specific mac addresses. It does not work either since the same MAC address needs to be seen on a different port. Catalyst 4500 does not support auto-learn option (as e.g. Nexus 5000).
View 3 Replies View RelatedI try to updgrade a stack of two 3750X-48PS to the IOS 15.0-2
Same commande has the twelves others stack I have upgrade lately
archive download-sw /overwrite tftp://x.x.x.x/c3750e-universalk9-tar.150-2.SE.tar
or
archive download-sw /overwrite usbflash0:/3750/c3750e-universalk9-tar.150-2.SE.tar (much faster!)
At the end I have this message :
extracting c3750e-universalk9-mz.150-2.SE/info (511 bytes)
extracting c3750e-universalk9-mz.150-2.SE/c3750e-universalk9-mz.150-2.SE.bin (19842267 bytes)
[Code].....
I have upgraded my Catalyst 3750X-switches to software-version 15.0(2)SE2, but I cannot upgrade the 10G servicemodule to the same version. I use the archive download-sw command to load the c3kx-sm10g-tar.150-2.SE2.tar. The file is loaded to the switch, but when the process starts to transfer the file to the module it fails with the following messages:
Error 2: Unable to transfer image to FRU Modul on switch 1Error: Failed to update FRU Module image
The modules is now running with in-compatible versions as shown below:
Switch# H/W Status (CPU/FPGA) CPU Link Version
-----------------------------------------------------------------
1 OK 77C/71C ver-mismatch 03.00.41
2 OK 73C/73C ver-mismatch 03.00.41
if I read the Datasheet of Catalyst 3750X-Series-Switches it is possible to connect a new X-Switch to an existing and old Catalyst 3750-Series Stack.What kind of requirements are needed? Only same IOS-Version in the hole Stack and if possible same Feature-Set? .... like in a normal NOT mixed Stack?
View 4 Replies View RelatedIs it possible to mix 1 and 10 Gigabit links on a 1/10Giga Network Module of the Cat3750X? I mean porte GE1/1/1 and GE1/1/2 used with SFP and port TE1/1/2 used with SFP+; that makes TE1/1/1 not available as GE1/1/3 and 1/1/4
View 7 Replies View RelatedI work at a hospital and we have 3750X-48P switches in stacks in various locations throughout the hospital. We have noticed that when an EKG machine is plugged into one of the ports on some of these switches and the EKG machines are set manually to 100/Full, the ports are no longer usable until the switch is restarted. The switch is configured for auto. If the EKG machine is set to auto, it will work and not cause problems. The link on the interface will show up/up and there will be output packets increasing. However, there will be no inputs on the link and the port is unusable. Unfortunately, even when the device is removed, the port becomes unusable for any device. Is there any way to fix this problem without rebooting the switch?
View 5 Replies View RelatedAssume I had Catalyst 3560X/3750X with 24 ports. The partnumber is WS-C3560X-24P-LI would like to how is the numbering defined if the switches have a C3KX-NM-10G installed with 4 SFP-GE-L.
View 1 Replies View Relatedthe following information before:
Switch: WS-C3750X-48P (Stack with 2 Members)
IOS: 12.2(58)SE2
Lic: IPBASEK9
uptime: rebooted this night
[code]....
Since i added another Member to the Stack, i'm facing the following problem:When i login with my tacacs user account, i will not be asked for the password.The same thing is for the tacacs account of my colleague, after entering the username he is logged in.It seems for me, that the passwords are cached only for this Switch.
our network is spread over 15 floors and each floor we have 5-6 switches. we are planning to purchase cat3750-x 24 ps poe with C3KX-NM-10G network modules. Each floor has two up links to the core switch with single mode fiber and other being the multimode.Suppose if we are purchasing 75 switches do we have to purchase 75 C3KX-NM-10 G modules.? or can we limit our purchase with 15 C3KX-NM-10G sothat two uplinks from each floor can be made? since network modules are optional cost factor is invovled. Or any issue with stacking ? the SFPs will be LR and LRM MODULES.looking for an answer ? whether the new usb type console cable comes bundled with cat350x or shall we have to order separately?
View 7 Replies View Relatedconvergence time in case of stack master will be switched over to other switch.In my understating, when the stack master will be switched over to other switch based on election algorithm, convergence time will be less than 10 second.
I tried to calculate concersion time during fail over testing but convergence time was 21 second. I think it is too long...
Expected reasons
・I configured Rapid Spanning tree protocol between L3 and L3. (But RSTP's convergence time is 2~3 second..)
When quoting a Catalyst 3750X with PoE (WS-C3750X-48P-E) the Dynamic Configurator Tool allows to include as the secondary power supply option the Catalyst 3K-X 350W AC Secondary Power Supply (C3KX-PWR-350WAC/2), but the default included primary power supply is the Catalyst 3K-X 715W AC Power Supply (C3KX-PWR-715WAC). My questions are the following:
1. Will this combination of power supply work?
2. Will the C3KX-PWR-350WAC/2 be able to power up the switch if the primary power supply of 715W fails?
3. Will the PoE will be lost if the primary power supply fails and only the secondary power supply of 350W keeps working?
4. If this secondary power supply of 350W is not suitable for PoE, why it is available as a secondary power supply option in the Dynamic Configurator Tool for a PoE switch?
I'm trying to work out if I need to order the "IP services" image for a couple of C3750-X. I need to run OSPF on these switches, but find the IOS image requirements on Cisco contradict.
At the top of the data sheet it says: • Open Shortest Path First (OSPF) in IP Base image
On the product info page it says: IP Base: Enterprise Access Layer 3 Switching, including OSPF (Open Shortest Path First) for routed access
But in lots of other places it says you need 'IP services' for OSPF.
As the IP services IOS is quite a bit more expensive I would like to avoid buying it. What image do I need to run OSPF?
Need to clarify if ip sla icmp echo operation is supported in catalyst 3kx switches (ip services)? on the configuration guide, commands are available, but on the feature navigator, i can't find the feature, only ip sla video operation. i don't have a device to test on here.
View 2 Replies View RelatedI want to configure accesslists on my Catalyst 3750X-switches to protect different VLANs/networks. Any best-practices about inbound versus outbound accesslists? In my head it is more readable and easier to understand the config when accesslists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source-VLANs. But of course, from a performance point-of-view it is better to use inbound access-lists to avoid un-necessary routing etc.
View 1 Replies View RelatedI am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barraccuda Webfilter 410 Vx applicance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is funning firemware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping eachother. The ASA has several interfaces, outside, inside, data and dmz. The PCs and barracuda appliance are behind the data interface. ASA data IP 172.16.18.1 Barracuda IP 172.16.18.40 All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
Below are the respecive bits of my ASA config
interface GigabitEthernet0/0
description Management
speed 1000
[Code].....
I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1 which is my inside network and the barracuda cannot communicate with it. how I can get this working ?
the following information before:
Switch: WS-C3750X-48P (Stack with 2 Members)
IOS: 12.2(58)SE2
Lic: IPBASEK9
[Code]....
Since i added another Member to the Stack, i'm facing the following problem: When i login with my tacacs user account, i will not be asked for the password. The same thing is for the tacacs account of my colleague, after entering the username he is logged in. It seems for me, that the passwords are cached only for this Switch.
Is there a way to use 2 redirects inbound on vlan 1?
int vlan 1
ip wccp 80 redirect in
ip wccp 81 redirect in
The reason for this is because we need the return traffic from the firewall to come in on group 81 and the source subnet will go out group 80.
I'm setting up a web cache using the wccp protocol on a Catalyst 3750 stack.
Probably missing something real simple here but when I from the global configuration mode are trying to enter the ip wccp command it just says "invalid input" from wccp. There is no such command.. should be supported on my device from IOS 12.2(37)
I am trying to enable wccp on 6509. Its works fine on port 80 but not with https (443). Also i have noticed when i use the following
ip wccp web-cache redirect in similarly adding to interface HTTP works. but when i use the service no 0 instead of web-cache even the HTTP stops working. wccp v2 is enabled in the switch. Both the source & the Squid server are in same V LAN.
I have been tasked to setup a Transparent Squid proxy and do redirection on a Cisco 6513 Switch.I don't have access to the SQUID but think that my config below should be OK. We have setup a TEST user Vlan 13 . Any traffic from this destined for the we on 80 or 443 should be redirected. Vlan 10 is where the Squid proxy is sitting. [code]
View 3 Replies View RelatedI am trying to configure a 3560 (Version 12.2(55)SE3) with IPServices to run WCCP to two to an Ironport WSA.
I believe everything is setup correctly, however WCCP is still not operational. I have check the debug logs on the switch and I'm presented with a number of messages along the lines of...
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: enter
[Code]....
I have a Head Quarter and a remote site running over a OC3 circuit. [code]
On the HQ, I have a Cisco VXR7204 running IOS 12.4.15T(10) Advanced IP Serviceand the remote site is a Cisco 2851 also running IOS 12.4.15T(10) Advanced Ip Service. The HQ has a Riverbed Steelhead 5050H capable of delivering 100MbpsWCCP throughput. The remote site has a Riverbed Steelhead 1050H which can deliver 10Mbps WCCP throughput. At the HQ, the LAN network is 192.168.251.0/24.The Steelhead residing on the 192.168.251.0 network.At the remote site, the LAN network is 192.168.103.0/24 and 192.168.211.0/24.The Riverbed resides on the 192.168.103.0/24 network.
When a host on network 192.168.211.0/24 download a file from network192.168.251.0/24 network via http, the CPU on the Cisco 2851 goes to 99% utilization and that it stays there for the duration of the http session. There is very little traffic goes across the WAN whichis the way it should be but the CPU on the 2851 stays at constant at99% CPU utilization.
Why would WCCP consume so much CPU on the Cisco 2851? By the way, I am only getting about 5Mbps download instead of 90Mbps download, I think because of the high CPU on the router?
I am unable to redirect the HTTPS traffic on my cisco router with WCCP V2
View 2 Replies View RelatedToday, my customer have 1 project that have to deploy Cisco 3750 to redirect wccpv2 to Websense Security Gateway.However, i can't excute "ip wccp redirect out" on Cisco Catalyst 3750.
View 5 Replies View RelatedI would like to apply a policy-based route on one of our L3 switches (Cisco 3750) to change the next-hop of a couple of servers only. The VLAN where those servers reside got WCCP enabled on it. When I want to apply the route-policy to that VLAN interface it doesn't let me. When I try to apply the same policy to a VLAN interface without WCCP it does work. Is there any Cisco IOS limitations that would prevent me from doing that?
Configuration:
route policy config:
access-list 70 permit ip host x.x.x.x (server IP)
route-map PBR1 permit 10
[Code].....
Can i use acl object group with wccp redirect list?My platforms are 6500 and isr 2921
View 1 Replies View RelatedI have a Cisco 7206VXR running 12.4(24)T3 IOS. It is configured with WCCPv2 using L2 mask redirection. I am using service groups and associated extended ACLs to select which subnets I want to redirect port 80 traffic from.
It is working fine for the subnet 192.168.1.0/24....
int gi0/2
ip wccp 10 redirect in
ip address 192.168.1.99 255.255.255.0
... however, there is OSPF running between the router and a Mikrotik device directly connected to this interface. The gateway addresses for all the client subnets are on the Mikrotik. Traffic from other subnets, e.g. 192.168.2.0/24, 192.168.3.0/24 come in on this interface and I want to redirect those too. But it appears that the redirection doesn't work for those subnets (I don't see any hits on the relevant ACL for any subnet except 192.168.1.0/24).
It seems like the router only wants to redirect traffic for subnets that it has an IP address in itself. Admittedly, all of the example configs i've found on cisco.com are for redirecting traffic from directly connected subnets but I can't find anything that denies thie possibility of redirecting any traffic that comes in on a given interface.
The question is, is this how WCCPv2 redirection works? i.e., the router must have an IP address in the subnet to be redirected?
For some port fowarding reasons I have to change my router setting to these:Maximum Ports: 4096TCP Timeout (in seconds): 600UCP Timeout (in seconds): 120I am using a Realtek router ( Family PCI-E Gigabit Ethernet <NDIS 6.20>)This is supposed to be EXTREMELY easy but I lack any general computer knowledge whatsoever. In laymen's term, I am N00B.
View 1 Replies View RelatedI am attempting to filter a specific host(s) from my OSPF routiing table on a ASA 5550 (ABR) using LSA prefix lists. However, when I look at the other routers in that area, I notice that ALL LSA type-3's are being removed (10 hosts are now missing from the routing table). I have verified the filter is working on the ABR, but I can't figure why ALL hosts/routes that were coming into the area are now being filtered instead of the specific one that I want to filter out.
Here is the config on the ABR:
prefix-list pdm_pl_000 seq 10 permit 206.253.180.137/32
!
!
router ospf 1
network 10.0.0.0 255.255.255.0 area 0
network 10.150.10.0 255.255.255.0 area 10
network 10.150.252.0 255.255.255.224 area 10
[code]....
The 206.253.180.137 host is actually coming from Area '3'. Am I doing something that is removing all type-3 LSA's?
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
View 2 Replies View Related
