Transparent Mode using WCCP v2

Dear All,
Greetings. Please correct me if I am wrong. Does the choice between GRE and L2 redirection depend on the router/switch?
What parameters should be configured in Transparent Redirection for 'Load-Balancing Method' and 'Forwarding Method' when using GRE?
Please help me understand more about GRE and L2 redirection in transparent mode, and the configuration on the S-Series.
Many Thanks,
ezekiel

Ezekiel,
L2 is the preferred method when possible, since GRE adds an extra 28 bytes of overhead. For L2 to be possible, the WSA must be directly connected to the router / WCCP device.
If the WSA is more than 1 hop away, GRE MUST be used.
The major difference between Hashing and Masking is that if Masking is supported, the router / switch will consume less CPU building the load balancing tables.
It's recommended that you set the WSA to use "Hashing or Masking". The WSA will then negotiate with the WCCP router which to use. If your router supports both, Masking is preferred.
Hope this helps.

Please help regarding WCCP v2.
My company has 2 routers & 2 WSAs. Each WSA is directly connected to each router.
Can I use both WCCP L2 & GRE? If possible, can you give some examples?
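As an added example (not part of the original posts) of the router side of such a deployment: the IOS configuration below defines the WCCPv2 services a WSA joins, restricts which hosts may join them and which traffic is redirected, and keeps the WSA's own traffic out of the redirection. The addresses, interface names, the dynamic service ID 90 for HTTPS and the password are assumptions; the service ID and password must match the Transparent Redirection service defined on the WSA. The forwarding method (L2 or GRE) and the assignment method (hash or mask) are negotiated between the WSA and the router rather than typed into the IOS configuration, which is why the WSA setting is what decides them.

```cisco
! Added example: WCCPv2 on an IOS router with one directly attached WSA.
! Assumed: clients on 10.20.0.0/16 behind Gi0/0, WSA at 10.10.10.2 on Gi0/1,
! dynamic service 90 for TCP/443 (the ID must match the service defined on
! the WSA), shared secret "WccpSecret".
!
! Service definitions. The MD5 password stops any other host that can reach
! the router from registering as a cache and pulling client traffic toward
! itself; the group-list limits which addresses may join at all.
ip wccp web-cache redirect-list 120 group-list 10 password 0 WccpSecret
ip wccp 90 redirect-list 120 group-list 10 password 0 WccpSecret
!
! Only client traffic is eligible for redirection. The WSA's own outbound
! connections are denied so they can never be redirected back to it.
access-list 120 deny   tcp host 10.10.10.2 any
access-list 120 permit tcp 10.20.0.0 0.0.255.255 any eq 80
access-list 120 permit tcp 10.20.0.0 0.0.255.255 any eq 443
!
! Only the WSA may register for these services (standard ACL for group-list).
access-list 10 permit 10.10.10.2
!
interface GigabitEthernet0/0
 description client LAN - redirect client traffic as it enters
 ip wccp web-cache redirect in
 ip wccp 90 redirect in
!
interface GigabitEthernet0/1
 description directly attached WSA - same segment, so L2 forwarding is possible
 ip wccp redirect exclude in
!
! Verification: each registered WSA and the negotiated forwarding and
! assignment method are shown by
!   show ip wccp web-cache detail
!   show ip wccp 90 view
```

On the WSA, the matching Transparent Redirection service carries the same service ID, the router address 10.10.10.1 and the password; `show ip wccp web-cache detail` on the router then shows which method was actually negotiated. L2 rewriting only works between a router and a WSA on the same segment, so for the two-router, two-WSA layout in the last post, a service group whose members are not all adjacent to every router should be left on GRE. The password is not cosmetic: without it, any host that can send a Here_I_Am to the router can register as a cache for the service group and receive the redirected client web traffic.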

Similar Messages

  • Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

    Hello !
    I would like to use the Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers) but I don't have a WCCP router. So, is it possible?
    If yes, how do I do this?
    Thank you,
    Stephane Walker

    Hi Stephane
    The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to ensure that the proxy is listening on port 80 and that the HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well.
    Sample configuration for Cisco router
    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
     ip policy route-map proxy-redirect
    xxx.xxx.xxx.xxx is the proxy IP in this case and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
    The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
    Routers other than Cisco equipment should also have an option to configure policy based routing.
    /Artur
    Ps. It's not possible to place the WSA in-line between clients and the internet.
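An added example (not from the original thread) of how to close the failure-detection gap Artur describes: the same PBR redirect, with the next hop tied to an IP SLA probe of the proxy's listening port. The proxy address 10.10.10.2, the interface name and the SLA/track numbers are assumptions; the access list is repeated here so the fragment stands alone, with TCP/443 added for the HTTPS case mentioned above.

```cisco
! Added example: PBR redirect to the WSA with IP SLA object tracking, so the
! router stops policy-routing to the proxy when the proxy is down.
! Assumed: WSA proxy at 10.10.10.2, clients behind Ethernet0/1.
!
! Probe the proxy's TCP port itself rather than ICMP: a host that still answers
! ping while the proxy process is dead would otherwise keep black-holing
! traffic. "control disable" is required because the WSA is not an IP SLA
! responder.
ip sla 10
 tcp-connect 10.10.10.2 80 control disable
 frequency 5
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
!
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop verify-availability 10.10.10.2 10 track 10
!
interface Ethernet0/1
 ip policy route-map proxy-redirect
!
! While track 10 is up, matching packets are policy-routed to the WSA. When it
! goes down the set clause is skipped and the packets follow the normal routing
! table, so clients lose the proxy but not internet access.
! Check with:
!   show track 10
!   show ip sla statistics 10
!   show route-map proxy-redirect
```

Note what this does and does not give you. With the track down, traffic is forwarded by the normal routing table, so a proxy outage becomes a silent bypass of the proxy's policy rather than a loss of connectivity (fail-open). If web traffic must never leave the network unfiltered, the direct path has to be blocked elsewhere, for example by an edge firewall rule that allows outbound TCP/80 and TCP/443 only from the WSA, so that the fallback is fail-closed instead. Keep the WSA's own outbound connections off any interface that carries the policy route-map as well, or they will be redirected straight back to the proxy.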

  • Transparent mode with WCCP v2

    Hi all.
    I configured my Content Engine 7305 with this configuration:
    CE(config)# wccp version 2
    CE(config)# wccp router-list 1 10.10.10.1
    CE(config)# wccp web-cache router-list-num 1
    And with router:
    Router(config)# ip wccp web-cache
    Router(config)# interface Serial0
    Router(config-if)# ip wccp web-cache redirect out
    Address Router: 10.10.10.1/24
    Address CE: 10.10.10.2 /24
    Client1 connect internet with url: http://www.vnexpress.net
    Client2 connect the same URL many times.
    But when I use: sho statistic http saving
    The hit count is low (1 hit).
    The miss count is high (49 misses).
    So I don't understand whether the Content Engine is working properly or not.
    Please help.
    Thanks

    You should check to see if your CE and router see each other.
    CE "show wccp routers" - you should see the ID of your router you have configured.
    Router "show ip wccp web-cache view"
    If that doesn't work you can turn on debug
    "debug ip wccp packets" and see the request/response sequence
    .Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
    .Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845

  • WLSM, FWSM in transparent mode, VRF's , EAPFAST and LEAP

    Has anyone got any experience of all of the above.
    Some background - The FWSM is in transparent mode, using virtual contexts between the VRF and the main routing table to ensure relevant mobility traffic passes through the relevant security context.
    I can authenticate with LEAP via RADIUS, then obtain an IP through DHCP, ping my gateway from wireless client but not outside my VRF. If I remove the VRF from the tunnel interface associated with my mobility group all connectivity OK.
    With EAP-FAST I can authenticate via RADIUS, but do not get an address through DHCP. If I use a static address (and use mobility trust on the tunnel interface) I cannot ping my gateway. If I remove the VRF from the tunnel interface associated with this type of user's mobility group, I receive an address through DHCP and can ping merrily everywhere.
    Has anybody got any thoughts if I am missing something here?

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

    Hi Guys,
    I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
    I'm investigating the ways that I can use 2 x ASA (5525-X) to accommodate a multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525-X firewalls.
    The ASAs are going to be placed in the north-south traffic path between 2 routers, and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets (we are not looking at NAT as a workaround for the time being).
    As we know, this ASA model won't support VRFs so we can't use the ASA as an intermediary routing hop and therefore this is not an option, and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525-X only supports 200 VLANs).
    I'm also planning to use the 2 ASAs in cluster mode to aggregate the bandwidth of both ASAs for better throughput.
    So I need to clarify the following with you guys:
    1) Can I actually do this, or am I missing something?
    2) Are there any limitations that I might run into with this setup?
    3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
    4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
    Appreciate your input.
    Thanks
    Shamal 

    There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IP addresses in each context without the need to use NAT, as long as you have a unique MAC address for each subinterface.
    Thanks

  • VTP transparent mode and using VTP domain

    Hi all,
    I need to ask a question: when using VTP transparent mode, is it a good idea to use a VTP domain name and password?
    I know that switches in transparent mode act independently of each other.
    So I need to know why we should use a VTP domain and password with transparent mode.
    thanks
    mahesh

    Mahesh,
    I know this is 2 years later, but it will help others who come across this. If you have a Transparent switch mixed with Server and Client switches, this is your concern: if you do not put the Transparent switch in the same domain, then it will not forward VLAN changes to other switches.
    So Sw1(Server-CCIE Domain) <-------> Sw2(Transparent-CCIE Domain)  <-------> Sw3(Client-CCIE Domain)
    The above will work because the Transparent switch is in the same domain. This means that SW3 will get any Vlan changes that are done on SW1.
    Now lets look at it the other way.........
    Sw1(Server-CCIE Domain) <-------> Sw2(Transparent-Null Domain)  <-------> Sw3(Client-CCIE Domain)
    Two things are going to happen here
    1) The transparent switch is not in the same domain, so SW3 will never get any updates when changes to VLANs are done on SW1. So if I add one VLAN to SW1, and that makes the Configuration Revision increase to the value of 10, that means SW3's Revision will still be 9, and will remain that way until the issue is corrected.
    2) If you are dynamically negotiating trunks, this will never happen due to the mismatch domains. Meaning that your trunks will never come up because you did not put your Transparent switch in the same domain.
    Kiel Martin 

  • Transparent Deployment Using Layer 4 Switch

    Hi,
    I just want to ask how to deploy the WSA IronPort in transparent mode on a layer 4 switch.
    I believe it is just deployed by choosing Layer 4 under Transparent Redirection on the WSA IronPort.
    But the question is, what will I need to configure on my layer 4 switch for it to redirect traffic to the WSA?
    I'm trying to connect it to an HP ProCurve layer 4 switch to use transparent redirection.
    Can someone clarify how to deploy it?
    Thanks

    Make sure your switch can do it:
    http://h30499.www3.hp.com/t5/Switches-Hubs-Modems-Legacy-ITRC/HP-Procurve-2626-Policy-based-routing/td-p/5421071
    I did some digging and didn't find any decent docs on setting it up... but if you take your drawing from the L4TM question you posted, you want to set up a policy for the "security vlan" so that all IP traffic on the web ports you want to monitor (80, 443, plus others you might want) gets sent to the IP of the WSA proxy.
    Here's a bit I lifted from a post on HP's site:
    http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03015541/c03015541.pdf
    You'll want to have a look through Chapter 8 for the configuration. You've got to basically configure a traffic class, configure policies for it, and then apply it (in this case) to each of the VLANs you want it for.
    What kind of firewall are you using? If it's a Cisco ASA, it would actually be simpler to do WCCP to the WSA...

  • Cisco ASA 5512 Transparent mode

    Hi all - hope this is the right place to ask this question.
    I'm having trouble understanding how to configure an ASA 5512-X in what should be a really easy way.
    I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall: ASDM, Syslog, configure, etc.
    I have the interfaces set up thusly:
    interface GigabitEthernet0/0
     nameif UnTrustedNetwork
     security-level 0
    interface GigabitEthernet0/1
     nameif TrustedNetwork
     security-level 100
    interface Management0/0
     nameif ManagementAccess
     security-level 100
     ip address 192.168.X.Y 255.255.255.0
     management-only
    I cannot figure out how to install a default route so that interface Management0/0, with its IP of 192.168.X.Y, can be reached from other networks, like 10.6.X.Y, etc.
    I thought the point of a Management interface was that you could set things up in such a way that the Management interface was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces (at least not in transparent mode; for NAT you obviously would have to).
    I tried to add a static route entry to 10.6.X.Y , but
    when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
    How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

    A transparent firewall is configured differently from routed mode.
    Here's the basic config required:
    firewall transparent               (erases the current config; does not require a reboot)
    interface BVI1
     ip address 192.168.10.10 255.255.255.0
    interface GigabitEthernet0
     nameif outside
     bridge-group 1
     security-level 0
    interface GigabitEthernet1
     nameif inside
     bridge-group 1
     security-level 100
    route outside 0.0.0.0 0.0.0.0 192.168.10.254
    route inside 10.0.0.0 255.0.0.0 192.168.10.100
    I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
    The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
    Hope that helps,
    Patrick

  • Explain about transparent mode, single mode, multiple context mode

    Can you explain the differences between transparent mode, single mode and multiple context mode on the ASA 5500? Thank you very much.

    Great question. Hope the below helps:
    Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
    Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
    Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewalls configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
    Hope this helps. Let me know if you have anymore questions!
    -Mike
    http://cs-mars.blogspot.com

  • Connectivity Issues Cisco ASA 5515 in Transparent Mode

    Hi,
    we're having problems with one transparent mode setup at one customer site. The ASA is equipped with a CX module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
    Firewall-Info:
    - ASA Version 9.1(2) 
    - Interfaces gi0/0 + gi0/2 without any interface errors
    The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
    - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
    - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
    - http downloads are stopping, Customer: it will stop responding and the download will fail.
    In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
    I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all its settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
    Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
    I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
    Best Regards
    Sebastian

    Hi Vibhor,
    thanks for your reply. Does this also affect the traffic, even if the setting is set to "Monitor Only"?
    Is it recommended to configure the default-inspection rule as a default setting?
    Further question: I've read something about service policy rules having to be "reloaded" to take effect after they have been changed. Is that right, and how do I reload them?
    Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2 Mbit connection.
    ciscoasa# show asp drop
    Frame drop:
      Invalid encapsulation (invalid-encap)                                       10
      First TCP packet not SYN (tcp-not-syn)                                     114
      TCP failed 3 way handshake (tcp-3whs-failed)                                 3
      TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
      Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
      L2 Src/Dst same LAN port (l2_same-lan-port)                                260
      FP L2 rule drop (l2_acl)                                                  2958
      Interface is down (interface-down)                                        9420
      No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
      Dropped pending packets in a closed socket (np-socket-closed)               66
    Thanks
    Sebastian

  • Failure when FWSM in transparent mode with multiple contexts

    Hi experts,
    We have two FWSMs working in an active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between the multiple contexts would be OK.
    thanks in advance.


  • VRF issue with Firewall in transparent Mode.

    Hi Guys,
    I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
    I am running multiple VRFs between the router and the switch, with the BGP routing protocol. When they are connected directly to each other everything is normal; however, when I have connected them via the ASA 5545 then everything fails. I am using the ASA in transparent mode.
    My question is: does the ASA require different settings in the case of VRFs? If yes, then please give me a sample config.

    I have taken the following output from the firewall; will this be any help?
    sh interface ouTSIDE
    Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
      Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            MAC address 7c69.f68f.df78, MTU 1500
            IP address 175.4.8.35, subnet mask 255.255.255.248
            8435 packets input, 680680 bytes, 0 no buffer
            Received 8135 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            8138 L2 decode drops
            0 packets output, 0 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 1 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops
            input queue (blocks free curr/low): hardware (476/461)
            output queue (blocks free curr/low): hardware (511/511)
      Traffic Statistics for "OUTSIDE":
            297 packets input, 118503 bytes
            0 packets output, 0 bytes
            297 packets dropped
          1 minute input rate 0 pkts/sec,  13 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ciscoasa# show asp drop
    Frame drop:
      FP L2 rule drop (l2_acl)                                                   297
    ASA Version 9.0(1)
    firewall transparent
    ciscoasa# show module all
    Mod Card Type                                    Model              Serial No.
      0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
    ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
    ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
    Mod SSM Application Name           Status           SSM Application Version
    ips IPS                            Up               7.1(4)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
    ips Up                 Up
    Mod License Name   License Status  Time Remaining
    ips IPS Module     Enabled         perpetual
    ciscoasa#
    I have created an EtherType ACL and permitted any traffic.
    CDP traffic has passed through but I am still not able to ping :(

  • ASR5k transparent mode

    Hi,
    In order to configure transparent mode in the ASR5k to disable authentication and to allow everyone, what is the appropriate command?
    In the SAMI module we used to configure 'access-mode non-transparent' under the APN.
    What is the equivalent in the ASR5k?
    We have configured the following 2 commands and we still have an authentication failure for the GTP user:
    aaa authentication subscriber none
    apn {apn_name}
      authentication allow-noauth

    Hi,
    If you use transparent instead of server or client, there should be no problem with copy run start. (The difference is that in this case your switch doesn't participate in the VTP communication; it only forwards the received messages and doesn't update its VTP db.)
    During the copy running-config startup-config did you get some error message (not enough space or something)? Please first check the flash with the show flash command.
    Or try to save your running config to flash, not to the startup config: copy running flash:test.cfg
    If you need more help please send me output of show flash at least...
    bye
    FCS
    Please rate me if I helped.

  • SCA Transparent Mode

    At a customer site any traffic running from the SCA through their CSS shows the SCA as the source IP in the server logs. I need to be able to set this up so the customer can see the real source address from their clients. I followed the docs on how to do one armed transparent mode but I obviously missed something or did something incorrectly. Attached are the configs.

    Could you tell us what's wrong?
    Is it still using its own ip or you have no connectivity ?
    The CSS config is also very important.
    Did you configure correctly the default gateways ?
    [one pointing at the SCA and one to the router].
    Is the default gateway of the server set to the CSS ?
    If you can't make it work, use a sniffer trace to understand the traffic flow.
    For reference, here is a link to the config
    http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml
    Regards,
    Gilles.
