3750 and WCCP
Hi all
We have a Cisco network and in our smaller branch offices are using 3750 L3 switches as the core. From this switch, we are running WCCP to a pair of WAE-674 WAAS appliances.
This is all working well, and redirection is occurring in hardware on the 3750 (running 12.2(52)).
I think I know the answer to this question, but would like validation.
If we apply a redirect list to the WCCP statement in the 3750, and then put a deny in the corresponding ACL, will this deny statement be processed in hardware, or punted to the CPU? My feeling is processed in software, but I haven't found a rock-solid Cisco document to confirm.
thx in advance
Michael
Michael,
Considering you are running the latest code, the deny statement will be processed in software; if the ACL is large and has a lot of hits, then you may see CPU issues on the switch. Thanks
Ahsan
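An added example, not from the original thread, of what a redirect list with deny entries looks like on the 3750 and how to watch for the software-path behaviour the answer above describes. The service numbers 61/62, the ACL names, the subnets, the WAE addresses and the password are assumptions chosen for illustration. It also adds the two settings a practitioner wants on any WCCP service group and which the thread's configs leave out: a group-list restricting which hosts may join the service group, and a password, because without them any host that can reach the switch on UDP 2048 can register as a cache and have client traffic redirected to it.

```ios
! Added example (hypothetical names and addresses): WCCP 61/62 on a Catalyst 3750 with
! a redirect list, a group list and a password. Clients live in 10.0.0.0/16 on Vlan1,
! WAN routers on Vlan3, the two WAEs in 192.168.100.0/24 on Vlan4.
!
! Redirect list: which packets WCCP is allowed to redirect. Deny entries come first.
ip access-list extended WCCP-REDIRECT
 remark never redirect traffic the WAEs send themselves (prevents redirect loops)
 deny   ip 192.168.100.0 0.0.0.255 any
 remark never redirect traffic addressed to the WAE/management VLAN
 deny   ip any 192.168.100.0 0.0.0.255
 remark everything else sourced from the client subnet is eligible
 permit ip 10.0.0.0 0.0.255.255 any
!
! Group list: only these two hosts may join the service group
ip access-list standard WCCP-WAES
 permit 192.168.100.10
 permit 192.168.100.11
!
! Service 61 (client to server direction) and 62 (server to client direction).
! The same password must be configured on both WAEs.
ip wccp 61 redirect-list WCCP-REDIRECT group-list WCCP-WAES password 0 S3cretW4as
ip wccp 62 redirect-list WCCP-REDIRECT group-list WCCP-WAES password 0 S3cretW4as
!
interface Vlan1
 description clients
 ip wccp 61 redirect in
!
interface Vlan3
 description WAN routers
 ip wccp 62 redirect in
!
interface Vlan4
 description WAEs - deliberately no redirect statement on this SVI
!
! Verification after the list is applied:
!  show ip wccp 61 detail         lists the registered WAEs; a host not in WCCP-WAES never appears
!  show ip wccp 61                "Total Packets Denied Redirect" grows as deny entries match,
!                                 "Total Authentication failures" grows if a WAE has the wrong password
!  show ip wccp interfaces detail confirms which SVIs carry "redirect in"
!  show platform tcam utilization confirms the list fitted in TCAM
!  show processes cpu sorted      watch this for a few minutes with real traffic; a climbing
!                                 "IP Input" process is the sign that matches are taking the software path
```

Apply the list during a quiet period and compare `show processes cpu sorted` before and after; the switch gives no single counter that says "this packet was punted", so the CPU history together with the growing denied-redirect counter is the practical evidence.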
Similar Messages
-
Is WCCP supported in CAT 3750?
Is WCCP supported in CAT 3750?
Hi,
Yes, WCCP is supported from release 12.2(37)SE in the IP Services image. Check out the link below from Cisco for more information:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_qas09186a00801b0971.html
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
L2 redirection between a 3750 and WAE 674 WCCP
hi
we are using a WAE 674 on a cisco 3750 in WCCP
WCCP is configured to use L2 redirection
but we saw this on the switch
Global WCCP information:
Router information:
Router Identifier: 192.168.100.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 1
Process: 0
CEF: 1
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 11
Process: 0
CEF: 11
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Switch configuration
VLAN 1 and 2: data
VLAN 3: routers
VLAN 4: WAE
interface Vlan1
 ip address 10.0.0.1 255.255.0.0
 ip wccp 61 redirect in
 standby 0 preempt
 standby 1 ip 10.0.0.6
 standby 1 priority 150
 standby 1 preempt
 standby 1 name hsrp_vlan_1
interface Vlan2
 ip address 10.1.0.1 255.255.0.0
 ip wccp 61 redirect in
 standby 2 ip 10.1.0.6
 standby 2 priority 150
 standby 2 preempt
 standby 2 name hsrp_vlan_2
interface Vlan3
 description Routage-FT
 ip address 192.168.1.4 255.255.255.0
 ip wccp 62 redirect in
 standby 3 ip 192.168.1.6
 standby 3 priority 150
 standby 3 preempt
 standby 3 name hsrp_vlan_3
interface Vlan4
 description VLAN WCCP
 ip address 192.168.100.1 255.255.255.0
WAE configuration
wccp router-list 8 192.168.100.1
wccp tcp-promiscuous mask src-ip-mask 0x1741 dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 8 l2-redirect mask-assign l2-return
wccp version 2
Hi,
This counter on the 3750 is a software counter, but all WCCP redirection should be happening in hardware. Thus, the number of redirected packets is expected to be zero or very low. The proper way to tell whether WCCP is redirecting traffic to your WAE is to issue the command "show wccp gre" on the WAE and look for the line "Transparent non-GRE packets received."
Example:
pdi-7341-19#sh wccp gre
Transparent GRE packets received: 0
Transparent non-GRE packets received: 28887345
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted: 26012975
Invalid packets received: 0
Packets received with invalid service: 0
Packets received on a disabled service: 0
Packets received too small: 0
Packets dropped due to zero TTL: 0
----output omitted ------
Cheers,
Mike Korenbaum
Cisco WAAS PDI Help Desk
http://www.cisco.com/go/pdihelpdesk
802.1x between Switch 3750 and ACS 4.2 Authentication faild --need help
I configured the Switch 3750 and ACS for 802.1x authentication.
When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
What is the most probable problem?
Thx in advance!!!
The configuration of the Sw3750 is:
aaa new-model
aaa authentication login default local
aaa authentication enable default line
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/18
description Link to test 802.1x
switchport access vlan 119
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key keepopen0
In the ACS:
Network Configuration --> AAA client IP address: 10.1.119.1 (the VLAN 119 IP address), shared secret: keepopen0
User Setup --> real name: test1, password: test1.
Attached is the debug information.
What do you see in ACS failed attempts?
-
Comparison between 3750 and 3750-metro
hi folks,
Is there any link that will provide me with a comparison between the 3750 and the 3750-Metro? For example, IS-IS is not supported on the 3750 but it is supported on the 3750-Metro. The product information on the Cisco site is insufficient in terms of the main differences :p
rgd
josh.w
Hi Josh,
The Cisco Catalyst 3750 Metro Series is built for Metro Ethernet access in a customer location, enabling the delivery of more differentiated Metro Ethernet services. These switches feature bidirectional hierarchical QoS and Traffic Shaping, intelligent 802.1Q tunneling with class-of-service (CoS) mutation, VLAN translation, MPLS, EoMPLS, and Hierarchical Virtual Private LAN Service (H-VPLS) support, and redundant AC or DC power. They are ideal for service providers seeking to deliver profitable business services, such as Layer 2, Layer 3, and MPLS VPNs, in a variety of bandwidths and with different SLAs.
The metro switches have the PXF chips (which allow hierarchical QoS on the 2 "WAN" GigE ports, so several logical links can share a connection, and have soft bandwidth limits).
For more details on 3750-M switches have a look at this link
http://www.cisco.com/en/US/products/hw/switches/ps5532/products_qanda_item09186a00801eb822.shtml
HTH
Ankur
*Pls rate all helpful posts
Interconnecting Catalyst 3750 and 2948G-L3
I am trying to interconnect a Catalyst 3750 and a 2948G-L3 using fiber GBIC. The interfaces where the GBIC and fiber are attached show up as physically down. I have tried different ports and also changed both switches. No Luck. If I connect a 3524 to the 3750 using the same connection it works.
Are 2948G-L3 switches compatible with the 3750?
Thanks,
VT
Should have no problem. Can you try the following on the 3750's gig interface:
speed nonegotiate
See if the link comes up.
Please rate all posts.
Hey All,
I'm attempting to create a trunk between a 3750 and a Cisco 2811 router (with a 16 port switching module NM-16-ESW). I'm using an etherchannel trunk between the two. I'm trying to configure VTP on the 3750 (server) and make the 2811 a client. Below is a copy of the configs and output from relevant commands. Any clue why I'm not seeing vlans on the 2811?
2811 Router Config:
interface Port-channel1
switchport mode trunk
interface FastEthernet1/14
switchport mode trunk
channel-group 1 mode on
interface FastEthernet1/15
switchport mode trunk
channel-group 1 mode on
MPLS-TEST#sh vlans
No Virtual LANs configured.
MPLS-TEST#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 256
Number of existing VLANs : 6
VTP Operating Mode : Client
VTP Domain Name : VTP
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xE7 0x0F 0xE8 0x89 0x47 0xAE 0x7E 0x7B
Configuration last modified by <IP of 3750> at 3-1-93 00:06:05
3750 Config and Shows:
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet1/0/47
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
sw-upstairs#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : VTP
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xE7 0x0F 0xE8 0x89 0x47 0xAE 0x7E 0x7B
Configuration last modified by <IP of VLAN 1> at 3-1-93 00:06:05
Local updater ID is 134.178.220.224 on interface Vl1 (lowest numbered VLAN interface found)
sw-upstairs#sh vlan
VLAN Name Status Ports
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Fa1/0/25, Fa1/0/26, Fa1/0/27
Fa1/0/28, Fa1/0/29, Fa1/0/30
Fa1/0/31, Fa1/0/32, Fa1/0/33
Fa1/0/34, Fa1/0/35, Fa1/0/36
Fa1/0/37, Fa1/0/38, Fa1/0/39
Fa1/0/40, Fa1/0/41, Fa1/0/42
Fa1/0/43, Fa1/0/44, Fa1/0/45
Fa1/0/46, Gi1/0/1, Gi1/0/2
Gi1/0/3, Gi1/0/4
5 INTERNET active
I'm baffled why these vlans aren't showing on my 2811. Any ideas?
Thanks,
Mike
Hey All,
Thanks for the input! I was actually able to solve the issue. It appears that "sh vlans" is different on an IOS router than on an IOS switch. On the router it shows sub-interface ISL/dot1q trunks to a switch. This is obviously different for me as I have a switching card. In order to see VTP in action on the router and verify it was working, I actually needed to view it through the VLAN database. See below:
MPLS-TEST#vlan database
MPLS-TEST(vlan)#show
VLAN ISL Id: 1
Name: default
Media Type: Ethernet
VLAN 802.10 Id: 100001
State: Operational
MTU: 1500
VLAN ISL Id: 5
Name: INTERNET
Media Type: Ethernet
VLAN 802.10 Id: 100005
State: Operational
MTU: 1500
VLAN ISL Id: 10
Name: INTERNET-DMZ
Media Type: Ethernet
VLAN 802.10 Id: 100010
State: Operational
MTU: 1500
VLAN ISL Id: 20
Name: PRODUCTION
Media Type: Ethernet
VLAN 802.10 Id: 100020
State: Operational
MTU: 1500
VLAN ISL Id: 25
Name: LAPTOPS
Media Type: Ethernet
VLAN 802.10 Id: 100025
State: Operational
MTU: 1500
VLAN ISL Id: 30
Name: NETWORK-DISTRIBUTION
Media Type: Ethernet
VLAN 802.10 Id: 100030
State: Operational
MTU: 1500
VLAN ISL Id: 250
Name: BGP-ROUTING
Media Type: Ethernet
VLAN 802.10 Id: 100250
Certainly is confusing and left me scratching my head. Thanks for the help though! I threw this up on my blog too so someone in the future isn't chasing his/her tail.
-Mike
http://cs-mars.blogspot.com
Link between 3750 and 4908 (Lx, monomode fiber)
Hello,
I have a new switch, a C3750, and a 4908 that works very well.
I am trying to link the 3750 and the 4908; my results:
- The ports of the 3750 and the 4908 are up when I configure "speed nonegotiate". Just a few packets arrive at the 4908 and I can't ping the 4908.
- The port of the 3750 is up with "speed nonegotiate", and the port of the 4908 stays down....
- The ports of the 3750 and the 4908 stay down without "speed nonegotiate" ... :(
You can see the 3750's config in the attachments.
PS: Sorry for my English, I'm a French student :)
Thanks in advance
Hi
In the recent past I tried interfacing a 3750 fitted with an LX SFP with third-party SFPs installed in Lucent DSLAMs, with speed nonegotiate on the Cisco 3750 side.
We did face some kind of weird problems after the Lucent DSLAMs got rebooted, or sometimes even when we disconnected and reconnected the fiber; it happened that we failed to get the link (connectivity).
So I would suggest going for an original Cisco SFP to avoid all these intermittent issues, which can result in unnecessary downtime..
regds
Hello,
I seem to be having a lot of trouble with a very simple implementation. I have 2 routers and a data centre WAE via WCCP. These devices are on the same L2/L3 segment (x.x.x.0/24). The WAN interfaces on the routers are in different networks. The remote WAE is inline. I configured ip wccp 61 redirect in on the LAN interface of each router and ip wccp 62 redirect in on the WAN interface of each router. I get the alarm "WCCP router x.x.x.1(LAN) unusable for service id:61 reason redirection mismatch with router" and "WCCP router x.x.x.1(LAN) unusable for service id:62 reason redirection mismatch with router". For the WAN interfaces I get the alarm they are unreachable for the service ID.
Standard router config
ip wccp version 2
ip wccp 61
ip wccp 62
int gi0/0
description LAN
ip address x.x.x.1
ip wccp 61 redirect in
int gi0/1
description WAN
ip address y.y.y.1
ip wccp 62 redirect in
Should I only be trapping inbound traffic on the LAN interface ?
The other thing I noticed was these messages from the PIX on the same L2/L3 segment
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER1/2048 on interface outside
Dec 20 2011 05:49:52: %PIX-2-106006: Deny inbound UDP from WADMZJA02/2048 to IROUTER2/2048 on interface outside
Access list
access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER1 log notifications
access-list outside_access_in extended permit udp host WADMZJA02 host IROUTER2 log notifications
access-list outside_access_in extended permit udp host IROUTER1 host WADMZJA02 log notifications
access-list outside_access_in extended permit udp host IROUTER2 host WADMZJA02 log notifications
Best regards
Stephen
WAE config
sh run
2011 Dec 20 07:06:27 WADMZJA02 -admin-shell: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: sh run
! waas-universal-k9 version 4.3.1 (build b6 Nov 13 2010)
device mode application-accelerator
hostname WADMZJA02
clock timezone Europe/Brussels 1 0
ip domain-name fibe.fortis
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
ip address x.x.x.248 255.255.255.0
exit
interface GigabitEthernet 2/0
shutdown
exit
ip default-gateway x.x.x.4 <== firewall
no auto-register enable
! ip path-mtu-discovery is disabled in WAAS by default
! <== traffic to be rerouted outbound ==>
ip route a.a.a.0 255.255.255.0 x.x.x.1 <== Outbound HSRP
ip access-list extended HK
permit ip any 0.0.0.0 255.255.255.0
exit
logging console enable
logging console priority debug
interception access-list HKWAAS
wccp router-list 1 z.z.z.202 y.y.y.122 x.x.x.1 x.x.x.2 x.x.x.3
wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return
wccp version 2
egress-method negotiated-return intercept-method wccp
ip icmp rate-limit unreachable df 0
directed-mode enable
transaction-logs flow enable
--More--
! [K
inetd enable rcp
sshd allow-non-admin-users
sshd enable
tfo tcp optimized-send-buffer 2048
tfo tcp optimized-receive-buffer 2048
accelerator http metadatacache enable
accelerator http metadatacache https enable
accelerator http dre-hints enable
central-manager address x.x.x.247
cms enable
! End of WAAS configuration
Hi Stephen,
The "Redirection mismatch" messages indicate that the redirection or return method configured on the WAE is not compatible with the router. Probably the routers you are using don't support L2 redirection.
Moving forward, I would recommend you change the line "wccp tcp-promiscuous router-list-num 1 hash-source-ip hash-destination-ip l2-redirect l2-return" to "wccp tcp-promiscuous router-list-num 1". This will negotiate hash assignment, as well as GRE redirection and return, which are the parameters supported by most platforms.
As for the firewall messages, it seems that some WCCP negotiation packets (UDP port 2048) are being dropped. Unfortunately, my firewall knowledge is very limited, so I cannot really help you with that part.
Regards
Daniel
We have 3750 and 3550 switches installed at our site and we are getting the following errors.
%LINK-3-UPDOWN: Interface GigabitEthernet2/0/13, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/13, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
%LINK-3-UPDOWN: Interface GigabitEthernet2/0/11, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/11, changed state to up
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/11, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet2/0/11, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet2/0/11, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/11, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to down
What might be causing these errors and what can we do to fix them? Also, is there some software out there that can tell us what might be causing the errors, i.e. excessive collisions or the like?
Thanks
Steve
Here is most of the configuration for the 3750; it won't allow me to post all of it.
show running
Building configuration...
Current configuration : 5733 bytes
! Last configuration change at 10:02:01 UTC Fri Sep 29 2006 by enable
! NVRAM config last updated at 10:02:01 UTC Fri Sep 29 2006 by enable
version 12.2
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service sequence-numbers
hostname CLO511204
no logging console
enable secret 5 $1$FQBc$HnhMngh.vj1ShB8AclhsX0
aaa new-model
aaa authentication login default local
aaa session-id common
clock timezone UTC -7
clock summer-time UTC recurring
ip subnet-zero
ip domain-name clovisprd
ip name-server 10.17.150.1
ip name-server 10.17.150.11
vtp mode transparent
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 150
name SWC-CONTROL
interface FastEthernet0/1
description PLC WS00-00
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/2
description PLC BC00-00
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/3
description PLC U300-00
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/4
description PLC P100-00
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/5
description PLC DRY1-00 NuCon
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/6
description PLC EVP1-00
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/7
description PLC DRY1-00
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/8
description PLC DRY1-10
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/9
description PLC DRY1-15
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/10
description SW PFR1-03
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/11
description PV+ PFR1-03 NotUse
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/12
description SW PFR1-02
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/13
description PLC PL20-01
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/14
description PV+ PFR1-02
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/15
description PLC IIC
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/16
description PLC angle
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
interface FastEthernet0/17
description Spare
switchport access vlan 150
switchport mode access
duplex full
spanning-tree portfast
Thanks in advance for any help you can provide
Trunk configuration (VTP) between 3750 and 2811
Hi,
I have a stack of 6 Cisco Catalyst 3750G with 6 VLANs acting as a VTP server and want to establish a trunk link to my Cisco 2811 router equipped with a 16-port switching module. Can I set the 2811 as a VTP client to propagate the VLAN info from the 3750, configure one of the ports on the switching module of the 2811 as a dot1q-encapsulated trunk, and will I be able to route to the outside world?
Thank you
I believe the switching cards support VTP, so that should be possible.
Table 2. Features Supported on Cisco EtherSwitch Modules
Columns: (A) EtherSwitch Network Modules (NM-16ESW and NMD-36ESW); (B) EtherSwitch HWICs (HWIC-4ESW and HWICD-9ESW); (C) EtherSwitch Service Modules (NME-16ES-1G, NME-16ES-1G-P, NME-X-23ES-1G, NME-X-23ES-1G-P, NME-XD-48ES-2S-P, and NME-XD-24ES-1S-P)
VLANs
- Multiple VLANs per switch: (A) Yes (varies by chassis; maximum of 64 on Cisco 3845); (B) Yes (maximum of 15 on any chassis); (C) Yes (maximum of 1,024 per switch or stack)
- VLANs in the 4,000 range: (A) No; (B) No; (C) Yes
- IEEE 802.1Q tagged and untagged VLANs: (A) Yes; (B) Yes; (C) Yes (802.1Q and Inter-Switch Link [ISL])
- VLAN Trunking Protocol (VTP) support for client, server, and transparent modes: (A) Yes; (B) Yes; (C) Yes
3750 and Multiple WCCP Devices?
We are going to be setting up a 3750 Layer 3 switch to WCCP-Redirect packets from the Client Subnet to destination devices within rfc1918 subnets to a Silver Peak Wan Optimizer, and Client packets to destination devices within non-rfc-1918 (Internet) addresses to a Websense Web Proxy.
I have a couple of questions.
1) Is it possible to have dual wccp groups on the 3750? If so, could you have say group 50 and 51 for websense, and 52 and 53 for Silver Peak?
2) On the 3750 Switch, Do the Websense and Silver Peak Devices need to be on a separate Vlan on the 3750 from the clients, or can the packets be redirected on the same interface on the 3750 ?
Are there any other caveats to this setup that we may want to know about?
Thanks,
Dan
Yes. The IOS is different for each device.
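An added example, not from the original thread, of the two-service-group layout the question describes: one 3750 redirecting RFC 1918 destinations to a WAN optimizer and web traffic for everything else to a proxy. All service numbers (the 50/52/53 follow the question's suggestion), ACL names, VLANs and addresses are assumptions; each appliance must register with exactly the service numbers the switch is configured for, so check the vendor documentation for the numbers it actually uses. The group-list and password that belong on every service group are omitted here to keep the example short.

```ios
! Added example (hypothetical service numbers, names and addresses).
! Clients: 10.10.0.0/24 on Vlan10.  WAN-facing SVI: Vlan2.
! Silver Peak: 10.10.20.0/24 on Vlan20 (services 52 out / 53 back).
! Websense:    10.10.30.0/24 on Vlan30 (service 50, outbound only: the proxy terminates TCP).
!
! Client traffic to RFC 1918 destinations goes to the WAN optimizer
ip access-list extended SP-OUT
 remark never redirect what the appliances themselves send
 deny   ip 10.10.20.0 0.0.0.255 any
 deny   ip 10.10.30.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 10.10.0.0 0.0.0.255 192.168.0.0 0.0.255.255
!
! Return traffic from those destinations back to the clients
ip access-list extended SP-IN
 deny   ip any 10.10.20.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.0.255
 permit ip 172.16.0.0 0.15.255.255 10.10.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.0.255
!
! Client web traffic to anything that is NOT RFC 1918 goes to the proxy
ip access-list extended WS-OUT
 deny   ip 10.10.20.0 0.0.0.255 any
 deny   ip 10.10.30.0 0.0.0.255 any
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit tcp 10.10.0.0 0.0.0.255 any eq www
 permit tcp 10.10.0.0 0.0.0.255 any eq 443
!
ip wccp 52 redirect-list SP-OUT
ip wccp 53 redirect-list SP-IN
ip wccp 50 redirect-list WS-OUT
!
interface Vlan10
 description clients - both services redirect here
 ip wccp 52 redirect in
 ip wccp 50 redirect in
!
interface Vlan2
 description WAN side - return direction for the optimizer only
 ip wccp 53 redirect in
!
interface Vlan20
 description Silver Peak - no redirect statement on this SVI
!
interface Vlan30
 description Websense - no redirect statement on this SVI
!
! Verification:
!  show ip wccp               one block per service with its client count
!  show ip wccp 52 detail     which appliance registered for 52 and the negotiated assignment method
!  show ip wccp interfaces    which SVIs carry which service
```

Each service has its own list, and the lists are written so that no packet is permitted by both (SP-OUT matches only RFC 1918 destinations, WS-OUT explicitly denies them), so the order in which the switch evaluates the two services on Vlan10 does not matter. Keeping the appliances on their own SVIs with no redirect statement, plus the deny entries for appliance-sourced traffic, is what prevents a redirected packet from being redirected a second time.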
WAAS and WCCP - looping packet detected
Hi,
Has anyone run into this scenario before? Before anyone answers with "move your WAE off the user subnet", it already has been.
I have wccp 61 redirect in on the user subnet (gig0/0.83 of a dot1q trunk). The WAE is on gig0/1. Before I apply wccp 62 to the serial link, I attempt to telnet from a user PC to the router (same subnet, the clients' default gateway), and the telnet fails. I get a "looping packet detected" on the router console. It shows the source of the packet as the router (the WCCP router ID actually) and the destination IP of the WAE, but the packet came in gig0/1 (the interface connected to the WAE). Obviously the WAE returned the packet to the router (with the original GRE headers, router as source). I thought WCCP would understand this as "don't redirect this traffic to me anymore", but the router actually tries to route it back down gig0/1 and then sees it as a looping packet. I believe the WAE is returning the encapsulated packet to the router to indicate it doesn't want the flow, and the router is attempting to route the GRE packet, instead of realizing it should remove the GRE header and route the inner packet. Router is IOS 12.4(12) as recommended by my Cisco engineer. 2821 router.
For kicks, I continued the WCCP setup on the data centre side. As expected, it doesn't work. When I apply WCCP to the data centre router (only redirecting the lab subnet), the entire lab subnet is unreachable via TCP (but ICMP still works as expected).
The WCCP configuration isn't very complex; I can't believe it's something I'm doing. I think it's a code issue.
Any advice?
No "out" anywhere. The LAB router has a WAE list to only allow redirect to the lab WAE. I don't even need the 62 in on the WAN side; just applying 61 in on the LAN side breaks telnet to the router.
LOOPING PACKET DETECTION:
from router console
Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
options=none -Process= "IP Input", ipl= 0, pid= 77 -Traceback= 0x410F6978 0x415CC960 0x415CDC60 0x415BBB38 0x415BCF18 0x415BD27C 0x415BD2FC 0x415BD4E8
Router configuration:
ip wccp 61 redirect-list REDIRECT-WAAS-SUBNETS-61 group-list remote-waas-box
interface Loopback0
ip address 132.242.11.18 255.255.255.255
h323-gateway voip bind srcaddr 132.242.11.18
interface GigabitEthernet0/0.83
description << data vlan 83 >>
encapsulation dot1Q 83
ip address 153.61.83.3 255.255.255.192
ip helper-address 192.127.250.22
ip helper-address 149.25.1.182
no ip proxy-arp
ip wccp 61 redirect in
standby 83 ip 153.61.83.1
standby 83 priority 200
standby 83 preempt
standby 83 track Serial0/1/0:0.99 100
interface GigabitEthernet0/1
description << WHQ LAB CE connection >>
ip address 153.61.83.65 255.255.255.192
load-interval 30
duplex full
speed 100
ip access-list standard remote-waas-box
permit 153.61.83.70
ip access-list extended REDIRECT-WAAS-SUBNETS-61
permit ip 153.61.83.0 0.0.0.63 any
WAE configuration:
device mode application-accelerator
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
ip address 153.61.83.70 255.255.255.192
no autosense
bandwidth 100
full-duplex
exit
wccp router-list 1 153.61.83.65
wccp tcp-promiscuous router-list-num 1
wccp version 2
wccp slow-start enable
WSA redundancy and WCCP questions
Hello! My customer bought a pair of S370 WSA prior to deployment planning. I need to deploy both of them into existing network and I'd like to ask few questions with somebody who knows how to do it.
1. As I know from the manuals, the WSA doesn't support any clustering, but I'd like to use both of my S370s for redundancy. I'm planning to use WCCP only; no explicit proxy mode will be used. What methods can I use to deploy a redundant WCCP cache on a pair of WSAs? If possible, I'd prefer to use something like active/passive rather than a load-balancing scheme. Does it have a centralized management feature like the ESA to share configs between devices?
2. I have fusion router which "mixes" traffic from different vrf. Is it possible to configure router such way that every vrf(which corresponds every interface and different subnets) will be seen with its own ip address in internet or all of them will be using just WSA's address like in explicit proxy mode?
3. When I tried to test my WSA in explicit proxy mode prior to configuring WCCP, I found out that I can use it as a proxy without any authentication, just by setting its address and port in my browser. How can I disable explicit proxy mode or set up any authentication (no LDAP or NTLM) to prevent unauthorized use of my proxy?
I'm a newbie with IronPorts so I will appreciate any help, including links to manuals.
The WCCP protocol allows for automatic detection of all connected devices, both proxies and routers/firewalls/switches. When configuring WCCP with multiple WSAs, they're all in the WCCP cluster, with the router doing the load balancing between the detected proxies. From what I've seen, you can't configure an active/passive scenario.
As you mentioned, WSAs don't support the clustering seen in ESAs. You could use an M-series box to provide central management and reporting for multiple WSAs in your environment.
Regarding VRFs: WSAs support IP spoofing, which allows you to send out requests with the client's instead of WSA's external address. You could perform PAT of multiple addresses on the edge router/firewall to send the requests out with a different IP address for each VRF for example.
I don't think you can fully disable the explicit proxy on the WSA. You can set up a firewall rule to prevent direct client access to the proxy ports..
Sent from Cisco Technical Support iPad App
WLC 2500 and WCCP for Wireless Guest Users
Hi there
I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know PAC file may be the easier solution however our guest clients want seamless solution for internet. I am not sure whether WCCP is supported for this.
You advice will be highly appreciated.
Regards
For guest wireless traffic redirect to a proxy server, see:
https://supportforums.cisco.com/thread/2126486