ACL on 3750

Please help me to solve this issue; the file is attached to this mail.

Can you change ACLs 102 and 104 to read like the following:
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.2.9.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 10.2.9.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 10.2.9.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 10.2.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 10.2.9.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 10.2.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.16.0 0.0.0.255
Please do remember to rate posts.
Paresh

Similar Messages

  • WCCP Deny and permit ACL on 3750

    Hi everyone,
    I have configured a 3750 switch as WCCP.
    I am redirecting only inside traffic.
    The switch has a direct connection to the McAfee Gateway.
    Our internal LAN subnets are 172.16.x.x and 192.168.0.0.
    I need to confirm: if I want internal users to access the internet, then under the permit ACL can I say
    permit 172.16.0.0 to any?
    If I want some users' traffic not to be redirected to the McAfee gateway, then can I say
    deny 172.16.10.10 any?
    Regards
    MAhesh

    Hi Reuben,
    Yes IOS version is higher than 12.2(58)SE.
    Thanks for reply.
    Regards
    MAhesh

  • Port-ACL's on a 3750 - question

    I have a 3750 that is connected to another network via a layer-2 type connection. I have a specific set of TCP and UDP ports that I want to allow access to via this switch. Taking a look at the documentation, I see that I can apply port ACLs directly to layer-2 interfaces, but that it will only work "inbound" to the switch.
    Will this work:
    If I have (bad ascii net diagram):
    [hosta]--[rtr]--[switcha]-WAN-[switchb]
    I want to put an ACL on the l2 uplink from switchB to the wan (WAN is a metro-ethernet type l2 wan extension - rtr is a router) that only allows hosta to hit tcp ports 1000,2000 and 3000 on hosts sitting on switchb. I want to allow hosts on switchb to do whatever they want to hosta. Is it as simple as:
    access-list 101 permit tcp any any eq 1000
    access-list 101 permit tcp any any eq 2000
    access-list 101 permit tcp any any eq 3000
    and then applying that ACL onto the L2 uplink interface on switchb? I'm thinking that since port ACLs only affect the "inbound" direction, allowing inbound connections on the L2 uplink gets the packets onto my hosts on switchb, and there is nothing preventing the return traffic or new TCP connections from hosts on switchb -> hosta...?
    Thanks!
    -Frank

    Yes Frank, your idea seems to be okay.
    As per the document, you can configure only one type of per-user ACL on a Catalyst 3750 switch port: router ACLs or port ACLs. Router ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port. However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL overwrites the router ACL.
    When applying it to the interface connecting to the L2 port, give the "in" direction; in any case "out" is not supported on L2 interfaces.
    So nothing looks to be preventing the return traffic.

  • Catalyst 3750 , ACS and Downloadable IP ACL

    Hi,
    We installed a ACS v4.1 , we were trying to limit the access to authenticated users by using Downloadable IP ACL in a Catalyst 3750 with IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with a external database (Wins AD) , but we want to limit the access to the network of some groups.
    This can be done using Downloadable IP ACL ?
    Thanks for any help

    Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:
    .Use RADIUS for authentication.
    .Support downloadable IP ACLs.
    Examples of Cisco devices that support downloadable IP ACLs are:
    .PIX Firewalls
    .VPN 3000-series concentrators, ASA and PIX devices
    .Cisco devices running IOS version 12.3(8)T or greater
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696809
    Please note that downloadable ACLs are not supported on cat based switches.
    If downloadable ACLs through a shared profile don't work, define a Cisco av-pair to create the downloadable ACLs.
    Give this a try and see if it works. The format for the av-pair ACL is, for example:
    ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255
    Regards,
    ~JG
    Do rate helpful posts.

  • WCCP ACL on Catalyst 3750

    Hi
    I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running WCCP in the stack and redirecting traffic to the WAAS appliances using a redirect ACL. I read in the command guide for the 3750 that ONLY permit entries are supported. I have approx. 20 VLANs and there is local traffic flowing between some of them.
    My question is, if I can't use deny entries in the redirect ACL in the switch, how can I stop the local traffic between the VLANs getting redirected unnecessarily? Will the local traffic be redirected to the WAAS appliance and then just bypass and go back to the switch stack, or does WCCP handle this in some way so only the first packets of each session get redirected?
    BR
    CJ Ekman

    Hey CJ,
    Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
    Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
    Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
    Hope this helps!
    -Chet
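Both WCCP questions above run into the same constraint: on the 3750 code the command guide describes, the redirect list takes permit entries only, so "do not redirect this" has to be written as "redirect everything except this". The following is an added example, written for this page and not taken from the posts or from Cisco: a Python script that computes the complement of the local VLAN subnets as a list of prefixes and emits a permit-only access list from it, suitable for the list handed to the WCCP redirect-list option. The subnets and the ACL number 120 are constructed for the example.

```python
"""Permit-only WCCP redirect list that leaves traffic between local VLANs alone.

Added example for the two WCCP threads on this page; not from the posts or from
Cisco. On the 3750 releases discussed, the redirect list accepts only permit
entries, so 'do not redirect local traffic' is expressed as 'redirect traffic
whose destination is anything other than the local subnets'. The complement of
the local address space is computed as a list of prefixes and each prefix becomes
one permit entry. All subnets and ACL number 120 are constructed for the example.
"""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def complement(local: Iterable[str]) -> List[Net]:
    """Every IPv4 address not inside any of `local`, as a minimal list of prefixes."""
    remaining = [Net("0.0.0.0/0")]
    for n in ipaddress.collapse_addresses(Net(s) for s in local):
        nxt = []
        for piece in remaining:
            if n.subnet_of(piece):
                nxt.extend(piece.address_exclude(n))  # yields nothing when n == piece
            elif not piece.subnet_of(n):
                nxt.append(piece)  # pieces that lie inside n are dropped entirely
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


def redirect_list(number: int, sources: Iterable[str], local: Iterable[str]) -> List[str]:
    """One 'permit ip SRC WILDCARD DST WILDCARD' line per (source, complement prefix)."""
    dsts = complement(local)
    return [f"access-list {number} permit ip {s.network_address} {s.hostmask} "
            f"{d.network_address} {d.hostmask}"
            for s in map(Net, sources) for d in dsts]


def partition_ok(local: Iterable[str], comp: List[Net]) -> bool:
    """Local subnets plus their complement must tile IPv4 exactly, with no overlap."""
    nets = list(ipaddress.collapse_addresses(Net(s) for s in local)) + comp
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return disjoint and sum(n.num_addresses for n in nets) == 2 ** 32


def covers(comp: List[Net], ip: str) -> int:
    """How many prefixes in comp contain ip (0 for local destinations, 1 otherwise)."""
    addr = ipaddress.IPv4Address(ip)
    return sum(addr in n for n in comp)


LOCAL_VLANS = ["10.1.10.0/24", "10.1.20.0/24"]  # constructed: two of the ~20 local VLANs

if __name__ == "__main__":
    comp = complement(LOCAL_VLANS)
    print(len(comp), "destination prefixes; partition ok:", partition_ok(LOCAL_VLANS, comp))
    for line in redirect_list(120, ["10.1.0.0/16"], LOCAL_VLANS):  # one aggregated source
        print(line)
```

Each complement prefix costs one entry per source line, and every entry lands in TCAM, so check the resulting count against the SDM template ("show sdm prefer", as mentioned later on this page) before pasting it in; an aggregated source (one line per complement prefix) keeps the list much shorter than one line per VLAN. On releases that do support deny entries in the redirect list, a short "deny ip <local> <local>" followed by "permit ip <local> any" is simpler.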

  • ACL not working on 3750 Switch Stack on a trunk port

    I cannot figure out why the ACL is not working on a 3750 running 12.2(55)SE on a trunk port. For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried standard and extended lists, but neither seems to work.
    What am I doing wrong?
    Access-List:
    Standard IP access list 10
        10 deny   10.101.15.13 log
        20 permit any log
    Access-List Interface:
    interface GigabitEthernet7/0/10
     description ESX Trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2,60-63
     switchport mode trunk
     ip access-group 10 in
    Mac-Address on the Switch Port:
    63    0050.569a.6d9f    DYNAMIC     Gi7/0/10
    Windows Machine MAC:
    Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
    Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
    Windows Connection (which should be denied):
     TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

    PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is INBOUND. On an L3 interface, INBOUND or OUTBOUND can be specified.
    In any case, I have worked around the issue by applying VACLs. Marking this as resolved.

  • Catalyst 3750 and ACL

    Hello. We have the following settings in our switch. We created an ACL and applied it to an SVI for incoming traffic. I understand that it is not necessary to allow the returning traffic in the ACL, but we can't access RDP, for example, when we add the ACL; if we remove it, the access is OK, but when we add it again the access is denied, and we even have a log entry, though the ACL is just for incoming traffic. There is no other ACL. What should we check? What are we missing here?
    Please see attached file
    Thanks in Advance
    interface Vlan64
    ip address 10.147.64.254 255.255.255.0
    ip access-group 134 in
    access-list 134 permit udp any any eq bootpc log
    access-list 134 permit udp any any eq bootps log
    access-list 134 permit ip any 172.30.146.0 0.0.0.255
    access-list 134 permit ip any 172.23.146.0 0.0.0.255
    access-list 134 permit ip any 10.146.137.0 0.0.0.63
    access-list 134 permit ip any 10.146.137.128 0.0.0.63
    access-list 134 permit ip any host 10.146.81.240 log
    access-list 134 permit ip any host 10.146.46.250
    access-list 134 permit ip any host 10.146.46.157
    access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
    access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
    access-list 134 deny   ip any 192.168.0.0 0.0.255.255
    access-list 134 permit tcp any host 172.27.72.27 eq www
    access-list 134 deny   ip any 172.16.0.0 0.15.255.255
    "The next entry generates a log when I try RDP from 10.146.40.29 to 10.147.64.39"
    access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log
    access-list 134 deny   ip any host 98.139.60.248 log
    access-list 134 permit ip any any
    access-list 134 permit icmp any any
    "This is the log showed"
    25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 1 packet

    What you are missing is a statement in the access list to permit traffic to the subnet 10.146.40.0. Since there is no statement that permits this traffic, the line "access-list 134 deny ip any 10.0.0.0 0.255.255.255 log" denies the traffic, as it should.
    To fix this problem you need to add a statement in the access list before that line to permit the traffic. The line might look something like this:
    access-list 134 permit ip any 10.146.40.0 0.0.0.255
    HTH
    Rick
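To see why the logged packet is denied and that Rick's line fixes it, here is an added example, written for this page and not taken from the posts or from Cisco: a small Python first-match evaluator for IOS numbered extended ACLs. It handles only the syntax ACL 134 uses (contiguous wildcards, "eq" after the destination, "log" ignored) and embeds the ACL exactly as posted. The implicit deny at the end of every IOS ACL is modelled by returning "deny" when nothing matches.

```python
"""First-match evaluation of IOS numbered extended ACLs.

Added example for the ACL 134 thread on this page; not code from the posts or
from Cisco. It parses only the syntax that ACL uses: 'access-list N permit|deny
ip|tcp|udp|icmp SRC DST [eq PORT] [log]', SRC/DST being 'any', 'host A.B.C.D' or
'A.B.C.D WILDCARD' (contiguous wildcard), with 'eq' only after the destination.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"www": 80, "bootps": 67, "bootpc": 68}  # service names used on the page


class Entry(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def wildcard_to_prefix(wildcard: str) -> int:
    """IOS wildcard (0 bits must match) -> prefix length; rejects non-contiguous masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return 32 - w.bit_length()


def take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Pop one address spec (any | host A | A WILDCARD) off the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network((t, wildcard_to_prefix(tokens.pop(0))), strict=False)


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # blank lines and the quoted remarks in the post are not entries
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = take_addr(rest), take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport, raw.strip()))
    return entries


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Entry]]:
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if (e.proto in ("ip", proto) and s in e.src and d in e.dst
                and (e.dport is None or e.dport == dport)):
            return e.action, e
    return "deny", None


def with_rick_fix(acl: List[Entry]) -> List[Entry]:
    """Insert Rick's permit just ahead of the 'deny ip any 10.0.0.0 0.255.255.255 log' entry."""
    i = next(k for k, e in enumerate(acl) if e.action == "deny" and str(e.dst) == "10.0.0.0/8")
    return acl[:i] + parse_acl("access-list 134 permit ip any 10.146.40.0 0.0.0.255") + acl[i:]


ACL_134 = """
access-list 134 permit udp any any eq bootpc log
access-list 134 permit udp any any eq bootps log
access-list 134 permit ip any 172.30.146.0 0.0.0.255
access-list 134 permit ip any 172.23.146.0 0.0.0.255
access-list 134 permit ip any 10.146.137.0 0.0.0.63
access-list 134 permit ip any 10.146.137.128 0.0.0.63
access-list 134 permit ip any host 10.146.81.240 log
access-list 134 permit ip any host 10.146.46.250
access-list 134 permit ip any host 10.146.46.157
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
access-list 134 deny   ip any 192.168.0.0 0.0.255.255
access-list 134 permit tcp any host 172.27.72.27 eq www
access-list 134 deny   ip any 172.16.0.0 0.15.255.255
access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 134 deny   ip any host 98.139.60.248 log
access-list 134 permit ip any any
access-list 134 permit icmp any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_134)
    logged = ("tcp", "10.147.64.38", "10.146.40.29", 1150)  # the RDP reply from the log line
    print(evaluate(acl, *logged))                    # deny, hit by 'deny ip any 10.0.0.0 0.255.255.255 log'
    print(evaluate(with_rick_fix(acl), *logged)[0])  # permit
```

Walking the list in order is the whole point: the reply from 10.147.64.38:3389 matches none of the permits ahead of "deny ip any 10.0.0.0 0.255.255.255 log" (the two 10.147.64.0/24 permits name specific hosts as destinations, not 10.146.40.0/24), so the deny fires and is logged. Note also that the final "permit icmp any any" can never match, because "permit ip any any" precedes it.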

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet); I was no longer able to ping some devices. Then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
    Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enable the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have a problem with your no-NAT configuration. You need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine, and that all routing is in place properly. Thanks!!!
    Regards
    Karthik

  • Benefits to summarizing these routes on a 3750 sw stack?

    We have 8 Cisco 3750s (1 is a G, 3 are Xs, and the rest are regular 3750v2s) in a stack. This is the center of the routing at the main office. There are remote branches and, depending on the ISP or how many interfaces were on the router, the routes have to go to either 10.1.0.1 or 10.1.0.2. I know the IPs are not contiguous enough to summarize this even better; however, if I summarize these, would it be worth the time?
    I will include a screenshot to show what I mean. But basically, taking 8 ip route statements down to 3.

    Hey Keith,
    Summarizing is always a good practice for many reasons. In your case you may check the SDM template you are using, and if it's desktop default, I believe it's a good option to summarize as many routes as you can, because the SDM template is basically how hardware TCAM is allocated to all the resources, namely IPv4, QoS, ACL, etc.
    Use the command "show sdm prefer" to check the current sdm template.
    HTH.
    Regards,
    RS.
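An added example for the summarization question (not the poster's routes, which are in a screenshot that is not on this page, and not Cisco code): a Python script that groups static routes by next hop, collapses only aligned neighbours so that coverage does not change, and separately shows why a single covering supernet has to be checked against the other next hop's prefixes before use. The sample routes use the two next hops from the post, 10.1.0.1 and 10.1.0.2, and are constructed.

```python
"""Summarize static routes per next hop without changing what they cover.

Added example for the summarization question on this page; the poster's routes
are in a screenshot that is not on the page, so the routes below are constructed
around the two next hops the post mentions. Not Cisco code. Two strategies are
compared: an exact collapse, which only merges adjacent aligned prefixes and so
covers exactly the same addresses as before, and a single covering supernet,
which is rejected if it would also swallow a prefix routed to another next hop
(that would silently move that branch's traffic).
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network

SAMPLE_CONFIG = """
ip route 10.20.0.0 255.255.0.0 10.1.0.1
ip route 10.21.0.0 255.255.0.0 10.1.0.1
ip route 10.22.0.0 255.255.0.0 10.1.0.1
ip route 10.23.0.0 255.255.0.0 10.1.0.1
ip route 10.30.0.0 255.255.0.0 10.1.0.2
ip route 10.31.0.0 255.255.0.0 10.1.0.2
ip route 10.34.0.0 255.255.0.0 10.1.0.2
ip route 10.36.0.0 255.255.0.0 10.1.0.2
"""  # constructed sample, not the poster's routing table


def parse_static_routes(config: str) -> Dict[str, List[Net]]:
    """'ip route PREFIX MASK NEXTHOP' lines -> {next hop: [prefixes]}."""
    by_hop: Dict[str, List[Net]] = defaultdict(list)
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[:2] == ["ip", "route"]:
            by_hop[tok[4]].append(Net((tok[2], tok[3])))
    return dict(by_hop)


def exact_collapse(nets: List[Net]) -> List[Net]:
    """Merge only aligned neighbours, so the covered address space is unchanged."""
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(nets: List[Net]) -> Net:
    """Longest single prefix that contains every network in nets."""
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    for plen in range(32, -1, -1):
        cand = Net((lo, plen), strict=False)
        if int(cand.broadcast_address) >= hi:
            return cand
    raise AssertionError("unreachable: 0.0.0.0/0 covers everything")


def safe_supernet(by_hop: Dict[str, List[Net]], hop: str) -> Optional[Net]:
    """Covering supernet for `hop`, or None when it overlaps a route to another hop."""
    cand = covering_supernet(by_hop[hop])
    others = [n for h, nets in by_hop.items() if h != hop for n in nets]
    return None if any(cand.overlaps(o) for o in others) else cand


def summarized_config(by_hop: Dict[str, List[Net]]) -> List[str]:
    """Emit 'ip route' lines from the exact collapse (always safe to install)."""
    return [f"ip route {n.network_address} {n.netmask} {hop}"
            for hop, nets in by_hop.items() for n in exact_collapse(nets)]


if __name__ == "__main__":
    routes = parse_static_routes(SAMPLE_CONFIG)
    for line in summarized_config(routes):
        print(line)  # 8 statements become 4
    for hop in routes:
        print(hop, "covering supernet:", safe_supernet(routes, hop))  # 10.20.0.0/14, then None
```

The exact collapse is always safe to paste in. A covering supernet is tempting (one line per next hop), but here the candidate for 10.1.0.2, 10.0.0.0/10, would also capture 10.20.0.0/16, which belongs to 10.1.0.1, so the check returns None for it. Even a safe covering supernet routes currently unused space toward that hop, which is usually acceptable for a WAN next hop but worth knowing before you install it.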

  • High CPU usage - 3750 X stack

    Support Community
    We recently configured a stack of four 48-port 3750-X switches. We are noticing high CPU usage. "Hulc LED process" seems pretty high.
    This has coincided with VMware servers getting slow and non-responsive at times; perhaps a coincidence, not sure.
    Below I have provided some outputs that might help to diagnose it.
    Thanks
    John
    System image file is "flash:/c3750e-ipbasek9-mz.122-58.SE2/c3750e-ipbasek9-mz.122-58.SE2.bin"
    Show inventory output
    NAME: "1", DESCR: "WS-C3750X-48"
    PID: WS-C3750X-48T-S   , VID: V02  ,
    NAME: "Switch 1 - Power Supply 0", DESCR: "FRU Power Supply"
    PID: C3KX-PWR-350WAC   , VID: V02L ,
    NAME: "2", DESCR: "WS-C3750X-48"
    PID: WS-C3750X-48T-S   , VID: V02 
    NAME: "Switch 2 - Power Supply 0", DESCR: "FRU Power Supply"
    PID: C3KX-PWR-350WAC   , VID: V02D ,
    NAME: "3", DESCR: "WS-C3750X-48"
    PID: WS-C3750X-48T-S   , VID: V02 
    NAME: "Switch 3 - Power Supply 0", DESCR: "FRU Power Supply"
    PID: C3KX-PWR-350WAC   , VID: V02L ,
    NAME: "4", DESCR: "WS-C3750X-48"
    PID: WS-C3750X-48T-S   , VID: V02 
    NAME: "Switch 4 - Power Supply 0", DESCR: "FRU Power Supply"
    PID: C3KX-PWR-350WAC   , VID: V02L ,
    SWITCH#sh processes cpu sorted
    CPU utilization for five seconds: 61%/5%; one minute: 50%; five minutes: 49%
    PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
    168   260466386    44948517       5794 14.53% 13.98% 13.70%   0 Hulc LED Process
    231    97586088    27253906       3580  4.95%  4.73%  4.64%   0 Spanning Tree
    213    63106121   154928892        407  4.15%  3.89%  3.91%   0 IP Input
    284    70113217    34537588       2030  3.51%  3.98%  4.17%   0 RARP Input
       4     6663412      421278      15817  3.03%  0.43%  0.32%   0 Check heaps
    374     9872291    10805181        913  3.03%  0.77%  0.62%   0 IP SNMP
    376    11142951     5370604       2074  3.03%  0.73%  0.66%   0 SNMP ENGINE
      12    35389011    32152175       1100  2.87%  2.08%  2.20%   0 ARP Input
    128    34962407     3622140       9652  2.07%  1.69%  1.63%   0 hpm counter proc
      85    49034286     8536062       5744  1.91%  2.44%  2.44%   0 RedEarth Tx Mana
    107    25127806    46459053        540  1.27%  1.10%  0.93%   0 HLFM address lea
    174        2412        1714       1407  0.95%  0.39%  0.25%   1 SSH Process
    220     6423643    12634764        508  0.79%  0.70%  0.56%   0 ADJ resolve proc
    181     6913179     2890070       2392  0.63%  0.31%  0.36%   0 HRPC qos request
    375     1681949     5000777        336  0.47%  0.08%  0.07%   0 PDU DISPATCHER
      84    10180707    12623537        806  0.47%  0.30%  0.37%   0 RedEarth I2C dri
            1
          666666096996666666666666659666667666666666666666666766676666666656666666
          249363098992351145264823289455360612252332233522344115537230141392553343
      100       ** **               *
       90       ** **               *
       80       ** **               *
       70   * * *****  *   * * *    * ** ***   *       *     * ****         **
       60 **********************************************************************
       50 ######################################################################
       40 ######################################################################
       30 ######################################################################
       20 ######################################################################
       10 ######################################################################
         0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
                   0    5    0    5    0    5    0    5    0    5    0    5    0
                       CPU% per hour (last 72 hours)
                      * = maximum CPU%   # = average CPU%
          455555555554444444444555554444455555555555555555555444444444
          922222111118888866666000009999911111555554444422222444448888
      100
       90
       80
       70
       60                                     *****
       50 ***************************************************     **
       40 **********************************************************
       30 **********************************************************
       20 **********************************************************
       10 **********************************************************
         0....5....1....1....2....2....3....3....4....4....5....5....6
                   0    5    0    5    0    5    0    5    0    5    0
                   CPU% per second (last 60 seconds)
          565756555555555555555555555555555556555555555555565555565556
          518841757869248569271526666733778330496833777819929379701861
      100
       90
       80    *
       70    *
       60 **** *******  **** * * *****  ***  * ***  **** **** **** *
       50 ##########################################################
       40 ##########################################################
       30 ##########################################################
       20 ##########################################################
       10 ##########################################################
         0....5....1....1....2....2....3....3....4....4....5....5....6
                   0    5    0    5    0    5    0    5    0    5    0
                   CPU% per minute (last 60 minutes)
                  * = maximum CPU%   # = average CPU%

    Thanks to all for your replies.
    Jeff
    I was aware of the many ACLs; however, we used to have the same ACLs in a previous 3750G stack about 2 weeks ago and we never had this issue. I agree I need to optimize them and do something, because it is reaching its max before the CPU starts processing them, but I am not certain this is what is causing the issue.
    Nikolay,
    I am trying to understand "interrupts" with the analysis of the outputs I posted. Here is another output from the link you provided. Please post your thoughts if you can.
    This switch also serves as a gateway (L3 role) for many systems. Would it make sense to offload that responsibility from this switch and let an actual router do it?
    Thanks
    Johnny
    show controllers cpu-interface
    ASIC    Rxbiterr   Rxunder    Fwdctfix   Txbuflos   Rxbufloc   Rxbufdrain
    ASIC0     0          0          0          0          0          0
    ASIC1     0          0          0          0          0          0
    ASIC2     0          0          0          0          0          0
    HOL Fix Counts
    No Fixes:          0 Added:          0 In Use:          0 Both:          0
    CPU Heartbeat Statistics
    Tx Success Tx Fail    1st Thr    2nd Thr    Unthr      RetryCtMax
      37139562          0          0          0          0          1
    Rx Delay
             0          1          2          3          4
      37139562          0          0          0          0
    AddlDelay AdvanceCnt
             0          0
    Rx Retries by RetryCount
             0          1          2          3          4          5          6
      37139562          0          0          0          0          0          0
             7          8          9
             0          0          0
    AddlRetry
             0
    cpu-queue-frames  retrieved  dropped    invalid    hol-block  stray
    rpc               104077409  0          0          0          0
    stp               19189469   0          0          0          0
    ipc               11093838   0          0          0          0
    routing protocol  141021559  0          0          0          0
    L2 protocol       230347     0          0          0          0
    remote console    17         0          0          0          0
    sw forwarding     257436702  0          0          0          0
    host              21146276   0          0          0          0
    broadcast         332154608  0          0          0          0
    cbt-to-spt        0          0          0          0          0
    igmp snooping     2796987    0          0          0          0
    icmp              90752156   0          0          0          0
    logging           0          0          0          0          0
    rpf-fail          0          0          0          0          0
    dstats            0          0          0          0          0
    cpu heartbeat     37139562   0          0          0          0
    cpu-queue         static inuse static added
    rpc               0            0
    stp               0            0
    ipc               0            0
    routing protocol  0            0
    L2 protocol       0            0
    remote console    0            0
    sw forwarding     0            0
    host              0            0
    broadcast         0            0
    cbt-to-spt        0            0
    igmp snooping     0            0
    icmp              0            0
    logging           0            0
    rpf-fail          0            0
    dstats            0            0
    cpu heartbeat     0            0
    Supervisor ASIC receive-queue parameters
    queue 0 maxrecevsize 7E0 pakhead 5505A88 paktail 54655A8
    queue 1 maxrecevsize 7E0 pakhead 5689164 paktail 5687F54
    queue 2 maxrecevsize 7E0 pakhead 5547AA4 paktail 554719C
    queue 3 maxrecevsize 7E0 pakhead 5DC233C paktail 5DBA4CC
    queue 4 maxrecevsize 7E0 pakhead 56A7198 paktail 56A7AA0
    queue 5 maxrecevsize 7E0 pakhead 5D61304 paktail 5D72F80
    queue 6 maxrecevsize 7E0 pakhead 5D856D4 paktail 5D989E4
    queue 7 maxrecevsize 7E0 pakhead 5BDE29C paktail 5BDC784
    queue 8 maxrecevsize 7E0 pakhead 5CC00A8 paktail 5CB3574
    queue 9 maxrecevsize 7E0 pakhead 59DD86C paktail 59DD86C
    queue A maxrecevsize 7E0 pakhead 59BF43C paktail 59C13D8
    queue B maxrecevsize 7E0 pakhead 5DD18A0 paktail 5DCE6F4
    queue C maxrecevsize 7E0 pakhead 59E9CBC paktail 5A049B8
    queue D maxrecevsize 7E0 pakhead 59D8EA0 paktail 59DD25C
    queue E maxrecevsize 0 pakhead 0 paktail 0
    queue F maxrecevsize 7E0 pakhead 59A7080 paktail 59A6BFC
    Supervisor ASIC exception status
    Receive overrun    00000000   Transmit overrun 00000000
    FrameSignatureErr  00000000   MicInitialize    00000002
    BadFrameErr        00000000   LenExceededErr   00000000
    BadJumboSegments   00000000
    Supervisor ASIC Mic Registers
    MicDirectPollInfo               80000200
    MicIndicationsReceived          00000000
    MicInterruptsReceived           00000009
    MicPcsInfo                      0000001F
    MicPlbMasterConfiguration       00000000
    MicRxFifosAvailable             00000000
    MicRxFifosReady                 0000BFFF
    MicTimeOutPeriod:       FrameTOPeriod: 00000EA6 DirectTOPeriod: 00004000
    MicTransmFramesCopied           00000003
    MicTxFifosAvailable             0000000E
    MicConfiguration:       Conf flag: 00000110     Interrupt Flag: 00000008
    MicReceiveFifoAssignmen Queue 0 - 7: 33333333   Queue 8 - 15:33333333
    MicReceiveFramesReady:  FrameAvailable: 00000181        frameAvaiMask: 00000000
    MicException:
            Exception_flag  00000000
            Message-1       00000000
            Message-2       00000000
            Message-3       00000000
    MicIntRxFifo:
            ReadPtr         000005C0        WritePtr        000005C0
            WHeadPtr        000005C0        TxFifoDepth     C0000800
    MicIntTxFifo:
            ReadPtr         00000728        WritePtr        00000728
            WHeadPtr        00000728        TxFifoDepth     C0000800
    MicDecodeInfo:
    Fifo0:  address:        03FF4000 asic_num:      00000100
    Fifo1:  address:        03FF4400 asic_num:      00000101
    MicTransmitFifoInfo:
    Fifo0:   StartPtrs:     0E2CE800        ReadPtr:        0E2CEBE8
            WritePtrs:      0E2CEBE8        Fifo_Flag:      8A800800
            Weights:        001E001E
    Fifo1:   StartPtrs:     0E02D000        ReadPtr:        0E02D138
            WritePtrs:      0E02D138        Fifo_Flag:      89800400
            Weights:        000A000A
    MicReceiveFifoInfo:
    Fifo0:  StartPtr:       0E4AF000        ReadPtr:        0E4AF2A8
            WritePtrs:      0E4AF308        Fifo_Flag:      8B000FA0
            writeHeaderPtr: 0E4AF308
    Fifo1:  StartPtr:       0E78C000        ReadPtr:        0E78C2E8
            WritePtrs:      0E78C2E8        Fifo_Flag:      89800400
            writeHeaderPtr: 0E78C2E8
    Fifo2:  StartPtr:       0E744800        ReadPtr:        0E744A70
            WritePtrs:      0E744A70        Fifo_Flag:      89800400
            writeHeaderPtr: 0E744A70
    Fifo3:  StartPtr:       0EBD1000        ReadPtr:        0EBD13B8
            WritePtrs:      0EBD13B8        Fifo_Flag:      89800400
            writeHeaderPtr: 0EBD13B8
    Fifo4:  StartPtr:       0E7D3800        ReadPtr:        0E7D3A58
            WritePtrs:      0E7D3A58        Fifo_Flag:      89800400
            writeHeaderPtr: 0E7D3A58
    Fifo5:  StartPtr:       0EB40600        ReadPtr:        0EB40688
            WritePtrs:      0EB40688        Fifo_Flag:      88800200
            writeHeaderPtr: 0EB40688
    Fifo6:  StartPtr:       0EB87400        ReadPtr:        0EB874F0
            WritePtrs:      0EB874F0        Fifo_Flag:      89800400
            writeHeaderPtr: 0EB874F0
    Fifo7:  StartPtr:       0E880000        ReadPtr:        0E880E20
            WritePtrs:      0E881520        Fifo_Flag:      8C001900
            writeHeaderPtr: 0E881520
    Fifo8:  StartPtr:       0EB1A600        ReadPtr:        0EB1A770
            WritePtrs:      0EB1A780        Fifo_Flag:      880001F0
            writeHeaderPtr: 0EB1A780
    Fifo9:  StartPtr:       0E2E0CD8        ReadPtr:        0E2E0CD8
            WritePtrs:      0E2E0CD8        Fifo_Flag:      82800008
            writeHeaderPtr: 0E2E0CD8
    Fifo10: StartPtr:       0E81D000        ReadPtr:        0E81D1D8
            WritePtrs:      0E81D1D8        Fifo_Flag:      88800200
            writeHeaderPtr: 0E81D1D8
    Fifo11: StartPtr:       0E4AEF00        ReadPtr:        0E4AEF60
            WritePtrs:      0E4AEF60        Fifo_Flag:      86800080
            writeHeaderPtr: 0E4AEF60
    Fifo12: StartPtr:       0E84A000        ReadPtr:        0E84A300
            WritePtrs:      0E84A000        Fifo_Flag:      89000100
            writeHeaderPtr: 0E84A000
    Fifo13: StartPtr:       0E4AEE00        ReadPtr:        0E4AEE00
            WritePtrs:      0E4AEE00        Fifo_Flag:      86800080
            writeHeaderPtr: 0E4AEE00
    Fifo14: StartPtr:       00000000        ReadPtr:        00000000
            WritePtrs:      00000000        Fifo_Flag:      00800000
            writeHeaderPtr: 00000000
    Fifo15: StartPtr:       0E02CEC0        ReadPtr:        0E02CED0
            WritePtrs:      0E02CED0        Fifo_Flag:      84800020
            writeHeaderPtr: 0E02CED0
    ===========================================================
    Complete Board Id:0x00B2
    ===========================================================

  • 3750 stack won't sync with NTP server

    Any help greatly appreciated with this one - I can't for the life of me figure out what's going wrong here.
    I'm working on a 3750 stack in Singapore (UTC +8) and I'm trying to get it to sync its clock with 3.sg.pool.ntp.org.
    This is the weird part - "sh ntp associations" shows that it is syncing:
      address         ref clock       st   when   poll reach  delay  offset   disp
    *~199.195.193.200 203.117.180.36   2     52     64   377 80.936 -13895.  1.771
    * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
    And "sh ntp associations de" shows that it's happy:
    199.195.193.200 configured, our_master, sane, valid, stratum 2
    ref ID 203.117.180.36, time D691F63E.C4B691CD (17:26:22.768 UTC Tue Jan 28 2014)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 196.39 msec, root disp 592.71, reach 377, sync dist 944.69
    delay 80.93 msec, offset -13895.2686 msec, dispersion 2.65
    precision 2**20, version 4
    org time D691FA8F.5FF29003 (17:44:47.374 UTC Tue Jan 28 2014)
    rec time D691FA9D.5041E9C7 (17:45:01.313 UTC Tue Jan 28 2014)
    xmt time D691FA9D.3B3524C8 (17:45:01.231 UTC Tue Jan 28 2014)
    filtdelay =    82.20   80.93   82.17   81.49  155.78   81.08   84.67   82.09
    filtoffset = -13897. -13895. -13899. -13900. -13901. -13872. -13876. -13876.
    filterror =     0.00    0.99    1.98    2.94    3.94    4.92    5.87    6.81
    minpoll = 6, maxpoll = 10
    But the clock is stubbornly remaining unsynchronised ("sh ntp st"):
    Clock is unsynchronized, stratum 16, reference is 199.195.193.20
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (08:00:00.000 UTC Mon Jan 1 1900)
    clock offset is -13895.2686 msec, root delay is 0.00 msec
    root dispersion is 14.62 msec, peer dispersion is 3.26 msec
    loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
    system poll interval is 64, never updated.
    NTP-relevant config is as follows (no ACLs, outbound UDP 123 allowed on perimeter firewall):
    clock timezone UTC 8 0
    ntp server 3.sg.pool.ntp.org
    I have configured a pair of stacks in Hong Kong for NTP (though that was a couple of months ago and I recall that those were a pain at the time as well) and those are working fine.

    Much to my annoyance, the switch stack is now synchronised. No configuration changes were made in the interim; it just looks like it needed a long time (well over an hour in this case) to start syncing properly.
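The timestamps in that "sh ntp associations detail" output can be checked by hand. This added example (not from the post or from Cisco) decodes the IOS hex form of NTP 64-bit timestamps and redoes the client-side offset/delay arithmetic from the three stamps shown; the server's receive time is not printed, so it is assumed equal to the server's transmit time. It also shows that, because of "clock timezone UTC 8 0", the times the switch labels "UTC" are really UTC+8.

```python
"""Decode the NTP timestamps from the 'sh ntp associations detail' output above.

Added example; not from the post or from Cisco. An NTP 64-bit timestamp is
seconds since 1900-01-01 in the high 32 bits and a binary fraction of a second
in the low 32 bits, which IOS prints as two hex words. The stack is configured
with 'clock timezone UTC 8 0', so the times it labels 'UTC' are local UTC+8;
decoding the raw stamps gives the real UTC value. The 'detail' output shows only
three of the four NTP timestamps (T1 = xmt, T3 = org, T4 = rec), so the offset
estimate assumes zero turnaround on the server (T2 == T3).
"""
from datetime import datetime, timedelta, timezone
from fractions import Fraction
from typing import Tuple

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


def ntp_seconds(stamp: str) -> Fraction:
    """'D691F63E.C4B691CD' -> exact seconds since the NTP epoch."""
    secs, frac = (int(part, 16) for part in stamp.split("."))
    return secs + Fraction(frac, 1 << 32)


def ntp_to_utc(stamp: str) -> datetime:
    """Timestamp -> timezone-aware UTC datetime (microsecond resolution)."""
    t = ntp_seconds(stamp) - NTP_UNIX_DELTA
    whole = int(t)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        seconds=whole, microseconds=int((t - whole) * 1_000_000))


def offset_and_delay_ms(xmt: str, org: str, rec: str) -> Tuple[float, float]:
    """Standard client-side NTP arithmetic; returns (offset, round-trip delay) in ms."""
    t1, t3, t4 = ntp_seconds(xmt), ntp_seconds(org), ntp_seconds(rec)
    t2 = t3  # assumption: server receive time is not shown, take it equal to its transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return float(offset * 1000), float(delay * 1000)


# Values copied from the post
REF_TIME = "D691F63E.C4B691CD"
XMT, ORG, REC = "D691FA9D.3B3524C8", "D691FA8F.5FF29003", "D691FA9D.5041E9C7"

if __name__ == "__main__":
    utc = ntp_to_utc(REF_TIME)
    local = (utc + timedelta(hours=8)).strftime("%H:%M:%S")
    print("ref time", utc.isoformat(), "= local", local, "(shown as 'UTC' by the switch)")
    off, dly = offset_and_delay_ms(XMT, ORG, REC)
    print(f"offset {off:.1f} ms, delay {dly:.2f} ms")  # about -13897.6 ms and 82.23 ms
```

Decoding ref time D691F63E.C4B691CD gives 2014-01-28 09:26:22.768 UTC, which the switch displays as 17:26:22.768 "UTC"; naming a +8 zone "UTC" is harmless to NTP itself but misleading when correlating this switch's logs with other systems. The xmt/org/rec stamps reproduce the roughly 82 ms delay and the roughly -13.9 s offset shown in the post, i.e. the switch clock was about 14 seconds ahead of the server.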

  • WAAS Configuration for 3750 Switch

    I am configuring a 3750 switch with 12.2(52)SE according to:
    (from https://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/3750_scg.pdf )
    This example shows how to configure SVIs and how to enable the web cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the web server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30. Gigabit Ethernet port 2 is connected to the application engine and is configured as an access port in VLAN 300. VLAN 301 is created and configured with an IP address of 175.20.30.50. Fast Ethernet ports 3 to 6, which are connected to the clients, are configured as access ports in VLAN 301. The switch redirects packets received from the client interfaces to the application engine.
    Note Only permit ACL entries are being used in the redirect-list; deny entries are unsupported.
    Switch# configure terminal
    Switch(config)# ip wccp web-cache 80 group-list 15
    Switch(config)# access-list 15 permit host 171.69.198.102
    Switch(config)# access-list 15 permit host 171.69.198.104
    Switch(config)# access-list 15 permit host 171.69.198.106
    Switch(config)# vlan 299      WEB SERVER
    Switch(config-vlan)# exit
    Switch(config)# interface vlan 299
    Switch(config-if)# ip address 175.20.20.10 255.255.255.0
    Switch(config-if)# exit
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 299
    Switch(config)# vlan 300 WAE
    Switch(config-vlan)# exit
    Switch(config)# interface vlan 300
    Switch(config-if)# ip address 171.69.198.100 255.255.255.0
    Switch(config-if)# exit
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 300
    Switch(config-if)# exit
    Switch(config)# vlan 301 CLIENTS
    Switch(config-vlan)# exit
    Switch(config)# interface vlan 301
    Switch(config-if)# ip address 175.20.30.20 255.255.255.0
    Switch(config-if)# ip wccp web-cache redirect in
    Switch(config-if)# exit
    Switch(config)# interface range gigabitethernet1/0/3 - 6
    Switch(config-if-range)# switchport mode access
    Switch(config-if-range)# switchport access vlan 301
    Switch(config-if-range)# exit
    ===================================================================
    Question:  How do I configure my WAE to play nicely with this switch?

    Hi James,
    Here is the link to WCCP config part on WAE:
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/traffic.html#wp1041742
    In your case, if my understanding is right, VLAN300 is where you want to connect the WAE and the WAE is also L2 adjacent. If that is true, here is the config you need on the WAE:
    wccp router-list 1 171.69.198.100
    wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign l2-return
    wccp version 2
    Please note that 3750 supports L2 redirection only with redirect IN statements on 3750 interfaces connected to servers and clients.
    Hope this helps.
    Regards.

  • Netgear L3 Switch and ACLs

    Hello, I've deployed a Netgear M5300 series L3 switch underneath a Sonicwall NSA2600 with stateful HA. Under the switch, there are another 20+ L2 switches at various locations.
    The issue I'm currently dealing with is there is now a requirement that all VLANs (20 or so) MUST be segregated from each other fully. This normally wouldn't be much of an issue, because you'd just turn off routing and cut the switch down to L2 functionality, but the L3 switch is handling DHCP to 15 of these VLANs.
    As far as I'm aware, you can't assign ACLs to virtual interfaces on Netgear switches, so I'm under the belief that the only course of action I currently have is to remove all L3 functionality from the switch and allow the NSA2600 to take the DHCP requests; set up the L3 with a few tagged (trunk) ports back to the Sonicwall, and just let the Sonicwall...
    This topic first appeared in the Spiceworks Community

    How many vlans are you going to be hosting on those switches? If you wish to firewall off intervlan communication, then what you can do is take the 3750 and use it as a layer 2 device and put the gateways onto the ASA firewalls. You can create sub-interfaces under one physical interface (a sub-interface per vlan) or you can split this over more (I believe the 5525s come with 4x 1GE copper interfaces???). In this situation the firewall would have to be in routed mode.
    The concern is valid. Since this is public facing, any attacker externally, or a compromised machine internally in your network could generate a large connection attack and eat up the state table of the ASA. This concern applies for any appliance, or server.

  • Traffic monitoring on 3750

    Hi Folks,
    Greetings and happy new year!! I have a network core which is on a stacked 3750g, that has several SVIs for network segmentation. Some of the SVIs have ACLs applied on them. I need help in determining what tools to use to be able to see inter-VLAN traffic on the 3750's; we need this to determine how to lock down the network. I just realized that ip accounting and netflow are not supported on the 3750s.
    Thank you in advance.
    JP

    Kyle,
    On a 3750, I think you can do WCCP if you have the right software load on it.
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_qas09186a00801b0971.html
    There are limitations to the 3750... it only does L2 redirection (no GRE) and assignment must be mask.
    and you have to have SDM set to prefer routing....
    sdm prefer routing
    Then turn on WCCP for dynamic service group 90 (so you can set what ports you need on the WSA)
    Switch(config)# ip wccp 90 redirect-list 115
    Create an ACL to keep traffic to internal servers from being redirected to your WSA
    Switch(config)# access-list 115 deny ip any 10.90.0.0 0.0.255.255       <--add whatever networks you need.
    Switch(config)# access-list 115 permit ip any any
    Assuming the VLAN you have the WSA and the DSL router on is 301
    Switch(config)# interface vlan 301
    Switch(config-if)# ip wccp 90 redirect in
    This will catch inbound traffic to the VLAN and hand it to the WSA, assuming it doesn't match the ACL. If the WSA is down, it routes it as normal...
    Here are the docs I pulled that from (near the bottom for doing a vlan instead of a port...)
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_58_se/configuration/guide/swwccp.html#wp1031033
    The WSA should negotiate the L2 vs GRE & mask vs. hash issues...
    Hope that helps.
    Ken
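    As an added illustration (not code from this thread or from Cisco), a Python script that takes a deny-based WCCP redirect ACL like Ken's and rewrites it into the permit-only form that the 3750 configuration-guide note earlier on this page requires ("deny entries are unsupported"). It assumes the deny entries use an `any` source and the list ends in `permit ip any any`; the sample ACL and its number 115 are constructed for the example.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_to_network(addr, wildcard):
    # Cisco "address wildcard" pair -> ip_network (wildcard is an inverted netmask)
    inv = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(inv)}", strict=False)

def _operand(tok, i):
    # One ACL address operand ('any', 'host A' or 'A WILDCARD') -> (network, next index)
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_extended_acl(lines):
    # 'access-list N {permit|deny} ip SRC DST' lines -> [(action, src_net, dst_net)]
    entries = []
    for tok in (line.split() for line in lines):
        if len(tok) >= 5 and tok[0] == "access-list" and tok[3] == "ip":
            src, i = _operand(tok, 4)
            entries.append((tok[2], src, _operand(tok, i)[0]))
    return entries

def permit_only_destinations(entries):
    # Carve each 'deny ip any DST' out of 0.0.0.0/0 so the same exclusion
    # can be expressed with permit entries only (no deny lines at all).
    remaining = [ANY]
    for action, src, dst in entries:
        if action != "deny" or src != ANY:
            continue
        nxt = []
        for r in remaining:
            if dst.subnet_of(r):
                nxt.extend(r.address_exclude(dst))  # yields nothing when dst == r
            elif not r.subnet_of(dst):
                nxt.append(r)                       # disjoint from the deny: keep
        remaining = nxt
    return sorted(remaining)

def rewrite_redirect_list(lines, acl_no):
    # Permit-only ACL text equivalent to a deny-based redirect list
    nets = permit_only_destinations(parse_extended_acl(lines))
    return [f"access-list {acl_no} permit ip any {n.network_address} {n.hostmask}" for n in nets]

# Constructed sample (not from the thread): keep one internal /16 away from the WSA
SAMPLE_ACL = ["access-list 115 deny ip any 10.90.0.0 0.0.255.255",
              "access-list 115 permit ip any any"]
```

    Excluding one /16 from 0.0.0.0/0 produces 16 permit lines, so the permit-only form grows quickly with every excluded prefix; check the resulting TCAM usage on the 3750 before applying it.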

  • WCCP ACL on 4506 switch

    Hi ,
    We have a cisco 4506 switch with the IOS version of 12.2-50.SG1. I would like to know whether any latest IOS version will support redirect ACL with the deny statement for WCCP on a client interface.
    Switch details:
    cisco WS-C4506-E (MPC8245) processor (revision 7) with 524288K bytes of memory.
    Processor board ID FOX1407G5P7
    MPC8245 CPU at 333Mhz, Supervisor IV
    Last reset from Reload
    5 Virtual Ethernet interfaces
    192 FastEthernet interfaces
    26 Gigabit Ethernet interfaces
    403K bytes of non-volatile configuration memory.
    Regards,
    Bala

    Hey CJ,
    Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
    Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
    Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
    Hope this helps!
    -Chet
