ACL on 3750
please help me to solve this issue; the file is attached to this mail
Can you change ACLs 102 and 104 to read like the following:
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.2.9.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 10.2.9.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 10.2.9.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 10.2.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 10.2.9.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 10.2.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.16.0 0.0.0.255
Pls do remember to rate posts.
Paresh
Similar Messages
-
WCCP Deny and permit ACL on 3750
Hi everyone,
I have configured 3750 switch as WCCP.
I am redirecting only inside traffic.
The switch has a direct connection to the McAfee Gateway.
Our internal LAN subnets are 172.16.x.x and 192.168.0.0.
I need to confirm: if I want internal users to access the internet, then under the permit ACL can I say
permit 172.16.0.0 to any?
If I want some users' traffic not to be redirected to the McAfee gateway, then can I say
deny 172.16.10.10 any?
Regards
Mahesh
Hi Reuben,
Yes IOS version is higher than 12.2(58)SE.
Thanks for reply.
Regards
Mahesh -
Port-ACL's on a 3750 - question
I have a 3750 that is connected to another network via a layer-2 type connection. I have a specific set of tcp and udp ports that I want to allow access to via this switch. In taking a look at the documentation I see that I can apply Port ACL's directly to layer-2 interfaces, but that it will only work "inbound" to the switch.
Will this work:
If I have (bad ascii net diagram):
[hosta]--[rtr]--[switcha]-WAN-[switchb]
I want to put an ACL on the l2 uplink from switchB to the wan (WAN is a metro-ethernet type l2 wan extension - rtr is a router) that only allows hosta to hit tcp ports 1000,2000 and 3000 on hosts sitting on switchb. I want to allow hosts on switchb to do whatever they want to hosta. Is it as simple as:
ip access-list extended 101
 permit tcp any any eq 1000
 permit tcp any any eq 2000
 permit tcp any any eq 3000
and then applying that ACL onto the l2 uplink interface on switchb? Thinking that since Port ACL's only affect "inbound" direction - allowing inbound connections on the l2 uplink gets the packets onto my hosts on switchb, and there is nothing preventing the return traffic or new tcp connections from hosts on switchb -> hosta...?
Thanks!
-Frank
Yes Frank, your idea seems to be okay.
As per the documentation, you can configure only one type of per-user ACL on a Catalyst 3750 switch port: router ACLs or port ACLs. Router ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port. However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL overwrites the router ACL.
When applying it to the Layer 2 interface, give the "in" direction; "out" is not supported on Layer 2 interfaces anyway.
So nothing looks to be preventing the return traffic. -
Catalyst 3750 , ACS and Downloadable IP ACL
Hi,
We installed an ACS v4.1, and we were trying to limit access to authenticated users by using Downloadable IP ACLs on a Catalyst 3750 with IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with an external database (Wins AD), but we want to limit access to the network for some groups.
Can this be done using Downloadable IP ACLs?
Thanks for any help
Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:
- Use RADIUS for authentication.
- Support downloadable IP ACLs.
Examples of Cisco devices that support downloadable IP ACLs are:
- PIX Firewalls
- VPN 3000-series concentrators, ASA and PIX devices
- Cisco devices running IOS version 12.3(8)T or greater
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696809
Please note that downloadable ACLs are not supported on cat based switches.
If downloadable ACLs through a shared profile don't work, define a Cisco av-pair to create the downloadable ACLs.
Give this a try and see if it works. The format for the av-pair ACL is:
ex
ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255
Regards,
~JG
Do rate helpful posts. -
Hi
I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running WCCP in the stack and redirecting traffic to the WAAS appliances using a redirect ACL. I read in the command guide for the 3750 that ONLY permit entries are supported. I have approximately 20 VLANs, and there is local traffic flowing between some of them.
My question is: if I can't use deny entries in the redirect ACL in the switch, how can I stop the local traffic between the VLANs getting redirected unnecessarily? Will the local traffic be redirected to the WAAS appliance and then just go bypass and come back to the switch stack, or does WCCP handle this in some way so that only the first packets of each session get redirected?
BR
CJ Ekman
Hey CJ,
Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
Hope this helps!
-Chet -
ACL not working on 3750 Switch Stack on a trunk port
I cannot figure out why the ACL is not working on a 3750 running 12.2(55)SE on a trunk port. For testing, there is one IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried standard and extended lists, but neither seems to work.
What am I doing wrong?
Access-List:
Standard IP access list 10
10 deny 10.101.15.13 log
20 permit any log
Access-List Interface:
interface GigabitEthernet7/0/10
description ESX Trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,60-63
switchport mode trunk
ip access-group 10 in
Mac-Address on the Switch Port:
63 0050.569a.6d9f DYNAMIC Gi7/0/10
Windows Machine MAC:
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
Windows Connection (which should be denied):
TCP 10.20.63.4:3389 10.101.15.13:21289 ESTABLISHED InHost
PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is INBOUND. On an L3 interface INBOUND or OUTBOUND can be specified.
In any case, I have worked around the issue by applying VACLs. Marking this as resolved. -
Hello. We have the following settings in our switch. We created an ACL and applied it to an SVI for incoming traffic. I understand that it is not necessary to allow the returning traffic in the ACL, but we can't access RDP, for example, when we add the ACL; if we remove it, the access is OK, but when we add it again the access is denied, and we even get a log entry, and the ACL is just for incoming traffic. There is no other ACL. What should we check? What are we missing here?
Please see attached file
Thanks in Advance
interface Vlan64
ip address 10.147.64.254 255.255.255.0
ip access-group 134 in
access-list 134 permit udp any any eq bootpc log
access-list 134 permit udp any any eq bootps log
access-list 134 permit ip any 172.30.146.0 0.0.0.255
access-list 134 permit ip any 172.23.146.0 0.0.0.255
access-list 134 permit ip any 10.146.137.0 0.0.0.63
access-list 134 permit ip any 10.146.137.128 0.0.0.63
access-list 134 permit ip any host 10.146.81.240 log
access-list 134 permit ip any host 10.146.46.250
access-list 134 permit ip any host 10.146.46.157
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
access-list 134 deny ip any 192.168.0.0 0.0.255.255
access-list 134 permit tcp any host 172.27.72.27 eq www
access-list 134 deny ip any 172.16.0.0 0.15.255.255
“The next entry generates a log when I try RDP from 10.146.40.29 to 10.147.64.39”
access-list 134 deny ip any 10.0.0.0 0.255.255.255 log
access-list 134 deny ip any host 98.139.60.248 log
access-list 134 permit ip any any
access-list 134 permit icmp any any
"This is the log showed"
25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 1 packet
What you are missing is a statement in the access list to permit traffic to the subnet 10.146.40.0. Since there is no statement that permits this traffic, the line access-list 134 deny ip any 10.0.0.0 0.255.255.255 log denies the traffic, as it should.
To fix this problem you need to add a statement in the access list before that line to permit the traffic. The line might look something like this:
access-list 134 permit ip any 10.146.40.0 0.0.0.255
HTH
Rick -
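The two posts above turn on how IOS walks an access list: top-down, first match wins, implicit deny at the end, and a standard ACL compares the source address only. The following is an added example, not code from either post or from Cisco: a small Python evaluator for numbered ACL lines that replays both cases. It takes ACL 134 and the logged RDP flow exactly as posted and shows which line denies it, then shows the result once Rick's permit line is placed in front of the deny. It also takes standard ACL 10 from the trunk-port post; there the MAC table shows the Windows host 10.20.63.4 behind Gi7/0/10, so the assumption (mine, stated in the code) is that packets entering that port carry 10.20.63.4 as source. All function and variable names are my own; the port keywords map only the names that appear in the posted ACL.

```python
# Added example, not code from the thread: a minimal evaluator for Cisco IOS
# numbered ACL lines (standard and extended), first match wins, implicit deny.
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www": 80, "bootps": 67, "bootpc": 68}   # IOS keywords used in ACL 134


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_addr(toks, standard=False):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'. In a standard ACL a
    bare address means host. Returns ((value, care_mask), remaining tokens)."""
    if toks[0] == "any":
        return (0, 0), toks[1:]
    if toks[0] == "host":
        toks = toks[1:]
    elif not standard or (len(toks) > 1 and _is_ipv4(toks[1])):
        net = int(ipaddress.IPv4Address(toks[0]))
        care = int(ipaddress.IPv4Address(toks[1])) ^ 0xFFFFFFFF  # wildcard 0-bits must match
        return (net & care, care), toks[2:]
    return (int(ipaddress.IPv4Address(toks[0])), 0xFFFFFFFF), toks[1:]


def _parse_port(toks):
    """Consume an optional 'eq <port|name>' qualifier."""
    if len(toks) >= 2 and toks[0] == "eq":
        name = toks[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), toks[2:]
    return None, toks


def parse_acl(text):
    """Parse 'access-list N ...' config lines or 'SEQ permit ...' lines from
    'show access-lists' into ordered entries. A trailing 'log' is ignored."""
    entries = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if not toks:
            continue
        toks = toks[2:] if toks[0] == "access-list" else toks[1:] if toks[0].isdigit() else toks
        action, toks = toks[0], toks[1:]
        if toks[0] in PROTOCOLS:                 # extended: proto src [eq p] dst [eq p]
            proto, toks = toks[0], toks[1:]
            src, toks = _parse_addr(toks)
            sport, toks = _parse_port(toks)
            dst, toks = _parse_addr(toks)
            dport, toks = _parse_port(toks)
        else:                                    # standard: source address only
            proto, sport, dst, dport = "ip", None, (0, 0), None
            src, toks = _parse_addr(toks, standard=True)
        entries.append(dict(line=raw.strip(), action=action, proto=proto,
                            src=src, sport=sport, dst=dst, dport=dport))
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Walk the list top-down; the first entry whose every field matches wins.
    Returns (action, matching line); no match is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if (s & e["src"][1]) != e["src"][0] or (d & e["dst"][1]) != e["dst"][0]:
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e["action"], e["line"]
    return "deny", "(implicit deny at end of list)"


# ACL 134 as posted (the quoted note line left out) and the flow from the log line:
# "list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150)".
ACL_134 = """
access-list 134 permit udp any any eq bootpc log
access-list 134 permit udp any any eq bootps log
access-list 134 permit ip any 172.30.146.0 0.0.0.255
access-list 134 permit ip any 172.23.146.0 0.0.0.255
access-list 134 permit ip any 10.146.137.0 0.0.0.63
access-list 134 permit ip any 10.146.137.128 0.0.0.63
access-list 134 permit ip any host 10.146.81.240 log
access-list 134 permit ip any host 10.146.46.250
access-list 134 permit ip any host 10.146.46.157
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
access-list 134 deny ip any 192.168.0.0 0.0.255.255
access-list 134 permit tcp any host 172.27.72.27 eq www
access-list 134 deny ip any 172.16.0.0 0.15.255.255
access-list 134 deny ip any 10.0.0.0 0.255.255.255 log
access-list 134 deny ip any host 98.139.60.248 log
access-list 134 permit ip any any
access-list 134 permit icmp any any
"""
DENY_LINE = "access-list 134 deny ip any 10.0.0.0 0.255.255.255 log"
RICK_FIX = "access-list 134 permit ip any 10.146.40.0 0.0.0.255"
RDP_REPLY = dict(proto="tcp", src="10.147.64.38", dst="10.146.40.29", sport=3389, dport=1150)


def rdp_as_posted():
    return evaluate(parse_acl(ACL_134), **RDP_REPLY)


def rdp_with_fix():
    fixed = ACL_134.replace(DENY_LINE, RICK_FIX + "\n" + DENY_LINE)  # permit placed before the deny
    return evaluate(parse_acl(fixed), **RDP_REPLY)


# Standard ACL 10 from the trunk-port post, applied "in" on Gi7/0/10. Assumption
# (from the posted MAC table): the Windows host 10.20.63.4 is behind that port.
ACL_10 = """
10 deny 10.101.15.13 log
20 permit any log
"""


def trunk_inbound_from_vm():        # what the inbound PACL on Gi7/0/10 actually sees
    return evaluate(parse_acl(ACL_10), "tcp", "10.20.63.4", "10.101.15.13", 3389, 21289)


def trunk_packet_from_denied_host():  # the packet the deny line was written for
    return evaluate(parse_acl(ACL_10), "tcp", "10.101.15.13", "10.20.63.4", 21289, 3389)


if __name__ == "__main__":
    print("ACL 134 as posted:", rdp_as_posted())
    print("ACL 134 with Rick's line:", rdp_with_fix())
    print("ACL 10, packet entering Gi7/0/10 from the VM:", trunk_inbound_from_vm())
    print("ACL 10, packet sourced by 10.101.15.13:", trunk_packet_from_denied_host())
```

Running it prints the deny line for the RDP reply, a permit once Rick's line precedes it, and for ACL 10 a permit on the packets that enter Gi7/0/10 (their source is the VM, not 10.101.15.13) against a deny only for packets sourced by 10.101.15.13, which is why an inbound standard ACL on that port never fires for the tested flow.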
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet): I was no longer able to ping some devices. Then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!
Hi,
I believe you have a problem with your no-NAT configuration. You need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine, and that all routing is in place properly. Thanks!!!
Regards
Karthik -
Benefits to summarizing these routes on a 3750 sw stack?
We have 8 Cisco 3750s (1 is a G and 3 are Xs; the rest are regular 3750v2s) in a stack. This is the center of the routing at a main office. There are remote branches, and depending on the ISP or how many interfaces were on the router, the routes have to go to either 10.1.0.1 or 10.1.0.2. I know the IPs are not contiguous enough to summarize this even better; however, if I summarize these, would it be worth the time?
I will include a screenshot to show what I mean. But basically it is taking 8 ip route statements down to 3.
Hey Keith,
Summarizing is always a good practice for many reasons. In your case you may check the SDM template you are using; if it's the default desktop template, I believe it's a good option to summarize as many routes as you can, because the SDM template is basically how the hardware TCAM is allocated to all the resources, namely IPv4, QoS, ACL, etc.
Use the command "show sdm prefer" to check the current sdm template.
HTH.
Regards,
RS. -
We recently configured a stack of four 48-port 3750-X switches. We are noticing high CPU usage; "Hulc LED process" seems pretty high.
This has coincided with VMware servers getting slow and non-responsive at times, perhaps a coincidence, not sure.
Below I provided some outputs that might help to diagnose it
Thanks
John
System image file is "flash:/c3750e-ipbasek9-mz.122-58.SE2/c3750e-ipbasek9-mz.122-58.SE2.bin"
Show inventory output
NAME: "1", DESCR: "WS-C3750X-48"
PID: WS-C3750X-48T-S , VID: V02 ,
NAME: "Switch 1 - Power Supply 0", DESCR: "FRU Power Supply"
PID: C3KX-PWR-350WAC , VID: V02L ,
NAME: "2", DESCR: "WS-C3750X-48"
PID: WS-C3750X-48T-S , VID: V02
NAME: "Switch 2 - Power Supply 0", DESCR: "FRU Power Supply"
PID: C3KX-PWR-350WAC , VID: V02D ,
NAME: "3", DESCR: "WS-C3750X-48"
PID: WS-C3750X-48T-S , VID: V02
NAME: "Switch 3 - Power Supply 0", DESCR: "FRU Power Supply"
PID: C3KX-PWR-350WAC , VID: V02L ,
NAME: "4", DESCR: "WS-C3750X-48"
PID: WS-C3750X-48T-S , VID: V02
NAME: "Switch 4 - Power Supply 0", DESCR: "FRU Power Supply"
PID: C3KX-PWR-350WAC , VID: V02L ,
SWITCH#sh processes cpu sorted
CPU utilization for five seconds: 61%/5%; one minute: 50%; five minutes: 49%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
168 260466386 44948517 5794 14.53% 13.98% 13.70% 0 Hulc LED Process
231 97586088 27253906 3580 4.95% 4.73% 4.64% 0 Spanning Tree
213 63106121 154928892 407 4.15% 3.89% 3.91% 0 IP Input
284 70113217 34537588 2030 3.51% 3.98% 4.17% 0 RARP Input
4 6663412 421278 15817 3.03% 0.43% 0.32% 0 Check heaps
374 9872291 10805181 913 3.03% 0.77% 0.62% 0 IP SNMP
376 11142951 5370604 2074 3.03% 0.73% 0.66% 0 SNMP ENGINE
12 35389011 32152175 1100 2.87% 2.08% 2.20% 0 ARP Input
128 34962407 3622140 9652 2.07% 1.69% 1.63% 0 hpm counter proc
85 49034286 8536062 5744 1.91% 2.44% 2.44% 0 RedEarth Tx Mana
107 25127806 46459053 540 1.27% 1.10% 0.93% 0 HLFM address lea
174 2412 1714 1407 0.95% 0.39% 0.25% 1 SSH Process
220 6423643 12634764 508 0.79% 0.70% 0.56% 0 ADJ resolve proc
181 6913179 2890070 2392 0.63% 0.31% 0.36% 0 HRPC qos request
375 1681949 5000777 336 0.47% 0.08% 0.07% 0 PDU DISPATCHER
84 10180707 12623537 806 0.47% 0.30% 0.37% 0 RedEarth I2C dri
1
666666096996666666666666659666667666666666666666666766676666666656666666
249363098992351145264823289455360612252332233522344115537230141392553343
100 ** ** *
90 ** ** *
80 ** ** *
70 * * ***** * * * * * ** *** * * * **** **
60 **********************************************************************
50 ######################################################################
40 ######################################################################
30 ######################################################################
20 ######################################################################
10 ######################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
455555555554444444444555554444455555555555555555555444444444
922222111118888866666000009999911111555554444422222444448888
100
90
80
70
60 *****
50 *************************************************** **
40 **********************************************************
30 **********************************************************
20 **********************************************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
565756555555555555555555555555555556555555555555565555565556
518841757869248569271526666733778330496833777819929379701861
100
90
80 *
70 *
60 **** ******* **** * * ***** *** * *** **** **** **** *
50 ##########################################################
40 ##########################################################
30 ##########################################################
20 ##########################################################
10 ##########################################################
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
Thanks to all for your replies.
Jeff
I was aware of the many ACLs; however, we used to have the same ACLs in a previous 3750G stack about 2 weeks ago and we never had this issue. I agree I need to optimize them and do something, because it is reaching its max before the CPU starts processing them, but I am not certain this is what is causing the issue.
Nikolay,
I am trying to understand "interrupts" with the analysis of the outputs I posted. Here is another output from the link you provided. Please post your thoughts if you can.
This switch also serves as a gateway (L3 role) for many systems. Would it make sense to offload that responsibility from this switch and let an actual router do it?
Thanks
Johnny
show controllers cpu-interface
ASIC Rxbiterr Rxunder Fwdctfix Txbuflos Rxbufloc Rxbufdrain
ASIC0 0 0 0 0 0 0
ASIC1 0 0 0 0 0 0
ASIC2 0 0 0 0 0 0
HOL Fix Counts
No Fixes: 0 Added: 0 In Use: 0 Both: 0
CPU Heartbeat Statistics
Tx Success Tx Fail 1st Thr 2nd Thr Unthr RetryCtMax
37139562 0 0 0 0 1
Rx Delay
0 1 2 3 4
37139562 0 0 0 0
AddlDelay AdvanceCnt
0 0
Rx Retries by RetryCount
0 1 2 3 4 5 6
37139562 0 0 0 0 0 0
7 8 9
0 0 0
AddlRetry
0
cpu-queue-frames retrieved dropped invalid hol-block stray
rpc 104077409 0 0 0 0
stp 19189469 0 0 0 0
ipc 11093838 0 0 0 0
routing protocol 141021559 0 0 0 0
L2 protocol 230347 0 0 0 0
remote console 17 0 0 0 0
sw forwarding 257436702 0 0 0 0
host 21146276 0 0 0 0
broadcast 332154608 0 0 0 0
cbt-to-spt 0 0 0 0 0
igmp snooping 2796987 0 0 0 0
icmp 90752156 0 0 0 0
logging 0 0 0 0 0
rpf-fail 0 0 0 0 0
dstats 0 0 0 0 0
cpu heartbeat 37139562 0 0 0 0
cpu-queue static inuse static added
rpc 0 0
stp 0 0
ipc 0 0
routing protocol 0 0
L2 protocol 0 0
remote console 0 0
sw forwarding 0 0
host 0 0
broadcast 0 0
cbt-to-spt 0 0
igmp snooping 0 0
icmp 0 0
logging 0 0
rpf-fail 0 0
dstats 0 0
cpu heartbeat 0 0
Supervisor ASIC receive-queue parameters
queue 0 maxrecevsize 7E0 pakhead 5505A88 paktail 54655A8
queue 1 maxrecevsize 7E0 pakhead 5689164 paktail 5687F54
queue 2 maxrecevsize 7E0 pakhead 5547AA4 paktail 554719C
queue 3 maxrecevsize 7E0 pakhead 5DC233C paktail 5DBA4CC
queue 4 maxrecevsize 7E0 pakhead 56A7198 paktail 56A7AA0
queue 5 maxrecevsize 7E0 pakhead 5D61304 paktail 5D72F80
queue 6 maxrecevsize 7E0 pakhead 5D856D4 paktail 5D989E4
queue 7 maxrecevsize 7E0 pakhead 5BDE29C paktail 5BDC784
queue 8 maxrecevsize 7E0 pakhead 5CC00A8 paktail 5CB3574
queue 9 maxrecevsize 7E0 pakhead 59DD86C paktail 59DD86C
queue A maxrecevsize 7E0 pakhead 59BF43C paktail 59C13D8
queue B maxrecevsize 7E0 pakhead 5DD18A0 paktail 5DCE6F4
queue C maxrecevsize 7E0 pakhead 59E9CBC paktail 5A049B8
queue D maxrecevsize 7E0 pakhead 59D8EA0 paktail 59DD25C
queue E maxrecevsize 0 pakhead 0 paktail 0
queue F maxrecevsize 7E0 pakhead 59A7080 paktail 59A6BFC
Supervisor ASIC exception status
Receive overrun 00000000 Transmit overrun 00000000
FrameSignatureErr 00000000 MicInitialize 00000002
BadFrameErr 00000000 LenExceededErr 00000000
BadJumboSegments 00000000
Supervisor ASIC Mic Registers
MicDirectPollInfo 80000200
MicIndicationsReceived 00000000
MicInterruptsReceived 00000009
MicPcsInfo 0000001F
MicPlbMasterConfiguration 00000000
MicRxFifosAvailable 00000000
MicRxFifosReady 0000BFFF
MicTimeOutPeriod: FrameTOPeriod: 00000EA6 DirectTOPeriod: 00004000
MicTransmFramesCopied 00000003
MicTxFifosAvailable 0000000E
MicConfiguration: Conf flag: 00000110 Interrupt Flag: 00000008
MicReceiveFifoAssignmen Queue 0 - 7: 33333333 Queue 8 - 15:33333333
MicReceiveFramesReady: FrameAvailable: 00000181 frameAvaiMask: 00000000
MicException:
Exception_flag 00000000
Message-1 00000000
Message-2 00000000
Message-3 00000000
MicIntRxFifo:
ReadPtr 000005C0 WritePtr 000005C0
WHeadPtr 000005C0 TxFifoDepth C0000800
MicIntTxFifo:
ReadPtr 00000728 WritePtr 00000728
WHeadPtr 00000728 TxFifoDepth C0000800
MicDecodeInfo:
Fifo0: address: 03FF4000 asic_num: 00000100
Fifo1: address: 03FF4400 asic_num: 00000101
MicTransmitFifoInfo:
Fifo0: StartPtrs: 0E2CE800 ReadPtr: 0E2CEBE8
WritePtrs: 0E2CEBE8 Fifo_Flag: 8A800800
Weights: 001E001E
Fifo1: StartPtrs: 0E02D000 ReadPtr: 0E02D138
WritePtrs: 0E02D138 Fifo_Flag: 89800400
Weights: 000A000A
MicReceiveFifoInfo:
Fifo0: StartPtr: 0E4AF000 ReadPtr: 0E4AF2A8
WritePtrs: 0E4AF308 Fifo_Flag: 8B000FA0
writeHeaderPtr: 0E4AF308
Fifo1: StartPtr: 0E78C000 ReadPtr: 0E78C2E8
WritePtrs: 0E78C2E8 Fifo_Flag: 89800400
writeHeaderPtr: 0E78C2E8
Fifo2: StartPtr: 0E744800 ReadPtr: 0E744A70
WritePtrs: 0E744A70 Fifo_Flag: 89800400
writeHeaderPtr: 0E744A70
Fifo3: StartPtr: 0EBD1000 ReadPtr: 0EBD13B8
WritePtrs: 0EBD13B8 Fifo_Flag: 89800400
writeHeaderPtr: 0EBD13B8
Fifo4: StartPtr: 0E7D3800 ReadPtr: 0E7D3A58
WritePtrs: 0E7D3A58 Fifo_Flag: 89800400
writeHeaderPtr: 0E7D3A58
Fifo5: StartPtr: 0EB40600 ReadPtr: 0EB40688
WritePtrs: 0EB40688 Fifo_Flag: 88800200
writeHeaderPtr: 0EB40688
Fifo6: StartPtr: 0EB87400 ReadPtr: 0EB874F0
WritePtrs: 0EB874F0 Fifo_Flag: 89800400
writeHeaderPtr: 0EB874F0
Fifo7: StartPtr: 0E880000 ReadPtr: 0E880E20
WritePtrs: 0E881520 Fifo_Flag: 8C001900
writeHeaderPtr: 0E881520
Fifo8: StartPtr: 0EB1A600 ReadPtr: 0EB1A770
WritePtrs: 0EB1A780 Fifo_Flag: 880001F0
writeHeaderPtr: 0EB1A780
Fifo9: StartPtr: 0E2E0CD8 ReadPtr: 0E2E0CD8
WritePtrs: 0E2E0CD8 Fifo_Flag: 82800008
writeHeaderPtr: 0E2E0CD8
Fifo10: StartPtr: 0E81D000 ReadPtr: 0E81D1D8
WritePtrs: 0E81D1D8 Fifo_Flag: 88800200
writeHeaderPtr: 0E81D1D8
Fifo11: StartPtr: 0E4AEF00 ReadPtr: 0E4AEF60
WritePtrs: 0E4AEF60 Fifo_Flag: 86800080
writeHeaderPtr: 0E4AEF60
Fifo12: StartPtr: 0E84A000 ReadPtr: 0E84A300
WritePtrs: 0E84A000 Fifo_Flag: 89000100
writeHeaderPtr: 0E84A000
Fifo13: StartPtr: 0E4AEE00 ReadPtr: 0E4AEE00
WritePtrs: 0E4AEE00 Fifo_Flag: 86800080
writeHeaderPtr: 0E4AEE00
Fifo14: StartPtr: 00000000 ReadPtr: 00000000
WritePtrs: 00000000 Fifo_Flag: 00800000
writeHeaderPtr: 00000000
Fifo15: StartPtr: 0E02CEC0 ReadPtr: 0E02CED0
WritePtrs: 0E02CED0 Fifo_Flag: 84800020
writeHeaderPtr: 0E02CED0
===========================================================
Complete Board Id:0x00B2
=========================================================== -
3750 stack won't sync with NTP server
Any help greatly appreciated with this one - I can't for the life of me figure out what's going wrong here.
I'm working on a 3750 stack in Singapore (UTC +8) and I'm trying to get it to sync its clock with 3.sg.pool.ntp.org.
This is the weird part - "sh ntp associations" shows that it is syncing:
address ref clock st when poll reach delay offset disp
*~199.195.193.200 203.117.180.36 2 52 64 377 80.936 -13895. 1.771
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
And "sh ntp associations de" shows that it's happy:
199.195.193.200 configured, our_master, sane, valid, stratum 2
ref ID 203.117.180.36, time D691F63E.C4B691CD (17:26:22.768 UTC Tue Jan 28 2014)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 196.39 msec, root disp 592.71, reach 377, sync dist 944.69
delay 80.93 msec, offset -13895.2686 msec, dispersion 2.65
precision 2**20, version 4
org time D691FA8F.5FF29003 (17:44:47.374 UTC Tue Jan 28 2014)
rec time D691FA9D.5041E9C7 (17:45:01.313 UTC Tue Jan 28 2014)
xmt time D691FA9D.3B3524C8 (17:45:01.231 UTC Tue Jan 28 2014)
filtdelay = 82.20 80.93 82.17 81.49 155.78 81.08 84.67 82.09
filtoffset = -13897. -13895. -13899. -13900. -13901. -13872. -13876. -13876.
filterror = 0.00 0.99 1.98 2.94 3.94 4.92 5.87 6.81
minpoll = 6, maxpoll = 10
But the clock is stubbornly remaining unsynchronised ("sh ntp st"):
Clock is unsynchronized, stratum 16, reference is 199.195.193.20
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (08:00:00.000 UTC Mon Jan 1 1900)
clock offset is -13895.2686 msec, root delay is 0.00 msec
root dispersion is 14.62 msec, peer dispersion is 3.26 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, never updated.
NTP-relevant config is as follows (no ACLs, outbound UDP 123 allowed on perimeter firewall):
clock timezone UTC 8 0
ntp server 3.sg.pool.ntp.org
I have configured a pair of stacks in Hong Kong for NTP (though that was a couple of months ago and I recall that those were a pain at the time as well) and those are working fine.
Much to my annoyance, the switch stack is now synchronised. No configuration changes were made in the interim; it just looks like it needed a long time (well over an hour in this case) to start syncing properly.
-
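The thread above shows the two forms IOS prints a reference time in: the raw 64-bit NTP timestamp in hex and a human-readable time next to it, and "reference time is 00000000.00000000" rendered as "08:00:00.000 UTC Mon Jan 1 1900" because of the "clock timezone UTC 8 0" line. The following is an added example, not from the post or from Cisco: a Python decoder for the hex timestamp (32-bit seconds since 1900-01-01 UTC plus a 32-bit fraction) that is run over two lines copied from the post and reports the offset between true UTC and what the switch displays. Function and variable names are my own.

```python
# Added example, not from the thread: decode the 64-bit NTP timestamps that
# "show ntp associations detail" and "show ntp status" print as hex, and compare
# them with the readable time the switch prints beside them.
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# "time D691F63E.C4B691CD (17:26:22.768 UTC Tue Jan 28 2014)"
LINE_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8}) \((\d\d:\d\d:\d\d)\.(\d+) \S+ \w+ (\w+ \d+ \d{4})\)")


def ntp_timestamp_to_utc(seconds_hex, fraction_hex):
    """NTP era 0 only (valid up to 2036-02-07): seconds since 1900 + fraction/2^32."""
    seconds = int(seconds_hex, 16)
    fraction = int(fraction_hex, 16) / 2**32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1e6))


def decode_ios_line(line):
    """Return (true_utc, displayed_time, zone_offset_hours) for one IOS NTP output line.
    The displayed time is whatever the switch printed, parsed without a zone."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("no NTP timestamp found: " + line)
    utc = ntp_timestamp_to_utc(m.group(1), m.group(2))
    shown = datetime.strptime(m.group(3) + " " + m.group(5), "%H:%M:%S %b %d %Y")
    shown = shown.replace(tzinfo=timezone.utc)          # label only, so the subtraction works
    offset_hours = (shown - utc.replace(microsecond=0)).total_seconds() / 3600
    return utc, shown, offset_hours


# Two lines copied from the post.
REF_LINE = "ref ID 203.117.180.36, time D691F63E.C4B691CD (17:26:22.768 UTC Tue Jan 28 2014)"
ZERO_LINE = "reference time is 00000000.00000000 (08:00:00.000 UTC Mon Jan 1 1900)"

if __name__ == "__main__":
    for line in (REF_LINE, ZERO_LINE):
        utc, shown, off = decode_ios_line(line)
        print(f"{utc.isoformat()}  shown as {shown:%H:%M:%S %d %b %Y}  (display offset {off:+.0f} h)")
```

Decoding D691F63E.C4B691CD gives 2014-01-28 09:26:22.768 UTC, eight hours earlier than the 17:26:22 the switch prints: the zone was named "UTC" but configured with a +8 offset, so every time the switch logs carries that label while being Singapore local time. The all-zero reference time decodes the same way, which is why the unsynchronised clock shows 08:00:00 on 1 Jan 1900. Worth knowing before correlating switch logs with anything else during an investigation.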
WAAS Configuration for 3750 Switch
I am configuring a 3750 switch with 12.2(52)SE according to:
(from https://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/3750_scg.pdf )
This example shows how to configure SVIs and how to enable the web cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the web server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30. Gigabit Ethernet port 2 is connected to the application engine and is configured as an access port in VLAN 300. VLAN 301 is created and configured with an IP address of 175.20.30.50. Fast Ethernet ports 3 to 6, which are connected to the clients, are configured as access ports in VLAN 301. The switch redirects packets received from the client interfaces to the application engine.
Note Only permit ACL entries are being used in the redirect-list; deny entries are unsupported.
Switch# configure terminal
Switch(config)# ip wccp web-cache 80 group-list 15
Switch(config)# access-list 15 permit host 171.69.198.102
Switch(config)# access-list 15 permit host 171.69.198.104
Switch(config)# access-list 15 permit host 171.69.198.106
Switch(config)# vlan 299 WEB SERVER
Switch(config-vlan)# exit
Switch(config)# interface vlan 299
Switch(config-if)# ip address 175.20.20.10 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 299
Switch(config)# vlan 300 WAE
Switch(config-vlan)# exit
Switch(config)# interface vlan 300
Switch(config-if)# ip address 171.69.198.100 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 300
Switch(config-if)# exit
Switch(config)# vlan 301 CLIENTS
Switch(config-vlan)# exit
Switch(config)# interface vlan 301
Switch(config-if)# ip address 175.20.30.20 255.255.255.0
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3 - 6
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 301
Switch(config-if-range)# exit
===================================================================
Question: How do I configure my WAE to play nicely with this switch?
Hi James,
Here is the link to WCCP config part on WAE:
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/traffic.html#wp1041742
In your case, if my understanding is right, VLAN 300 is where you want to connect the WAE, and the WAE is also L2 adjacent. If that is true, here is the config you need on the WAE:
wccp router-list 1 171.69.198.100
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign l2-return
wccp version 2
Please note that 3750 supports L2 redirection only with redirect IN statements on 3750 interfaces connected to servers and clients.
Hope this helps.
Regards. -
Hello, I've deployed a Netgear M5300 series L3 switch underneath a Sonicwall NSA2600 with stateful HA. Under the switch, there are another 20+ L2 switches at various locations. The issue I'm currently dealing with is that there is now a requirement that all VLANs (20 or so) MUST be fully segregated from each other. This normally wouldn't be much of an issue, because you'd just turn off routing and cut the switch down to L2 functionality, but the L3 switch is handling DHCP for 15 of these VLANs. As far as I'm aware, you can't assign ACLs to virtual interfaces on Netgear switches, so I'm under the belief that the only course of action I currently have is to remove all L3 functionality from the switch and allow the NSA2600 to take the DHCP requests; set up the L3 with a few tagged (trunk) ports back to the Sonicwall, and just let the Sonicwall...
This topic first appeared in the Spiceworks Community
How many VLANs are you going to be hosting on those switches? If you wish to firewall off inter-VLAN communication, then what you can do is take the 3750 and use it as a Layer 2 device and put the gateways onto the ASA firewalls. You can create sub-interfaces under one physical interface (a sub-interface per VLAN) or you can split this over more (I believe the 5525s come with 4x 1GE copper interfaces???). In this situation the firewall would have to be in routed mode.
The concern is valid. Since this is public facing, any attacker externally, or a compromised machine internally in your network could generate a large connection attack and eat up the state table of the ASA. This concern applies for any appliance, or server. -
Hi Folks,
Greetings and happy new year!! I have a network core on a stacked 3750G that has several SVIs for network segmentation. Some of the SVIs have ACLs applied on them. I need help determining what tools to use to be able to see inter-VLAN traffic on the 3750s; we need this to determine how to lock down the network. I just realized that IP accounting and NetFlow are not supported on the 3750s.
Thank you in advance.
JP
Kyle,
On a 3750, I think you can do WCCP if you have the right software load on it.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_qas09186a00801b0971.html
There are limitations to the 3750... it only does L2 redirection (no GRE) and assignment must be mask.
and you have to have SDM set to prefer routing....
sdm prefer routing
Then turn on WCCP for dynamic service group 90 (so you can set what ports you need on the WSA)
Switch(config)# ip wccp 90 group-list 15
Create an ACL to keep traffic to internal servers from being redirected to your WSA
Switch(config)# access-list 15 deny any 10.90.0.0 255.255.0.0 <--add whatever networks you need.
Switch(config)# access-list 15 permit any any
Assuming the VLAN you have the WSA and the DSL router on is 301
Switch(config)# interface vlan 301
Switch(config-if)# ip wccp 90 redirect in
This will catch inbound traffic to the VLAN an hand it to the WSA, assuming it doesn't match the ACL. If the WSA is down, it routes it as normal...
Here's the docs I pulled that from (near the bottom for doing a vlan instead of a port...)
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_58_se/configuration/guide/swwccp.html#wp1031033
The WSA should negotiate the L2 vs GRE & mask vs. hash issues...
Hope that helps.
Ken -
Hi ,
We have a cisco 4506 switch with the IOS version of 12.2-50.SG1. I would like to know whether any latest IOS version will support redirect ACL with the deny statement for WCCP on a client interface.
Switch details:
cisco WS-C4506-E (MPC8245) processor (revision 7) with 524288K bytes of memory.
Processor board ID FOX1407G5P7
MPC8245 CPU at 333Mhz, Supervisor IV
Last reset from Reload
5 Virtual Ethernet interfaces
192 FastEthernet interfaces
26 Gigabit Ethernet interfaces
403K bytes of non-volatile configuration memory.
Regards,
Bala