Transparent mode with WCCP v2
Hi all.
I configured my Content Engine 7305 with this configuration:
CE(config)# wccp version 2
CE(config)# wccp router-list 1 10.10.10.1
CE(config)# wccp web-cache router-list-num 1
And on the router:
Router(config)# ip wccp web-cache
Router(config)# interface Serial0
Router(config-if)# ip wccp web-cache redirect out
Router address: 10.10.10.1/24
CE address: 10.10.10.2/24
Client1 connects to the internet with the URL http://www.vnexpress.net
Client2 connects to the same URL many times.
But when I use: sho statistic http saving
the hits are few (1 hit)
and the misses are many (49 misses).
So I don't understand whether the Content Engine is working perfectly or not?
Help me, please
Thanks
You should check to see if your CE and router see each other.
CE "show wccp routers" - you should see the ID of your router you have configured.
Router "show ip wccp web-cache view"
If that doesn't work you can turn on debug ("debug ip wccp packets") and watch the request/response sequence:
.Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
.Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845
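Added example, not part of the question or the reply above: the router side of this setup with the two WCCP controls the thread leaves out (who may join the service group, and what gets redirected). The addresses are the thread's (router 10.10.10.1, CE 10.10.10.2); the CE-facing interface name FastEthernet0/0, the ACL numbers and the key wccp-key are assumptions. The CE-side password keyword is how ACNS accepts it as far as I recall; confirm with "wccp web-cache ?" on your release.

```cisco
! Router 10.10.10.1 (IOS). Assumed: FastEthernet0/0 faces the CE,
! Serial0 faces the internet as in the thread.
!
! Only hosts in this list may register as a cache. Without a group-list
! any host that can send Here_I_Am to the router joins the service group
! and starts receiving the redirected HTTP.
access-list 10 permit host 10.10.10.2
!
! Traffic eligible for redirection: HTTP only, never packets the CE itself sends.
access-list 120 deny   tcp host 10.10.10.2 any
access-list 120 permit tcp any any eq www
!
! "wccp-key" is a placeholder (WCCP keys are at most 8 characters).
! The same key must be set on the CE or its Here_I_Am is ignored.
ip wccp version 2
ip wccp web-cache redirect-list 120 group-list 10 password wccp-key
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ! Packets that arrived from the CE must not be redirected again when
 ! they leave Serial0; without this line the CE's own fetches loop back.
 ip wccp redirect exclude in
!
interface Serial0
 ip wccp web-cache redirect out

! Content Engine (ACNS). Assumed syntax for the shared key.
wccp version 2
wccp router-list 1 10.10.10.1
wccp web-cache router-list-num 1 password wccp-key
```

After this, "show ip wccp web-cache detail" on the router should list 10.10.10.2 as the only usable client and show its Packets Redirected counter climbing. A CE whose key does not match never appears in that list, which is the point of the exercise: with no group-list and no password, any host on the segment can announce itself as a cache and take the redirected HTTP. The exclude-in line matters specifically because the thread redirects outbound on Serial0.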
Similar Messages
-
Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?
Hello !
I would like to use the Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers) but I don't have a WCCP router. So, is it possible?
If yes, how to do this ?
Thank you,
Stephane Walker
Hi Stephane
The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to ensure that the proxy is listening on port 80 and that the HTTPS proxy is enabled (on port 443) if you want to redirect HTTPS traffic as well.
Sample configuration for Cisco router
access-list 110 permit tcp any any eq www
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop xxx.xxx.xxx.xxx
!
interface ethernet0/1
 ip policy route-map proxy-redirect
xxx.xxx.xxx.xxx is the proxy IP in this case, and access-list 110 defines web traffic (HTTP, TCP/80) as interesting.
The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
Routers from vendors other than Cisco should also have an option to configure policy based routing.
/Artur
PS: It's not possible to place the WSA in-line between the clients and the internet.
-
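Added example (mine, not Artur's) that keeps his PBR redirect but removes the failure mode he describes by tracking the proxy with IP SLA. It assumes IOS 12.4(4)T or later for the "ip sla" / "track" syntax, uses 192.0.2.10 in place of his xxx.xxx.xxx.xxx for the WSA, and Ethernet0/1 as the client-facing interface.

```cisco
! Cisco IOS, 12.4(4)T or later assumed. 192.0.2.10 = WSA (assumed address).
!
! Probe the proxy every 5 seconds and track reachability of the result.
ip sla 10
 icmp-echo 192.0.2.10
 frequency 5
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
!
! Interesting traffic: HTTP and HTTPS from clients. The deny keeps the
! proxy's own upstream connections from being redirected back to it if
! the WSA sits on the same interface as the clients.
access-list 110 deny   tcp host 192.0.2.10 any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
!
! verify-availability + track: while the probe fails the set clause is
! skipped and packets follow the normal routing table instead of being
! forwarded into a dead proxy.
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop verify-availability 192.0.2.10 10 track 10
!
interface Ethernet0/1
 ip policy route-map proxy-redirect
```

"show track 10" shows Reachability Up/Down and "show route-map proxy-redirect" shows policy match counts. Be clear about what this does on failure: with the track down, clients go straight to the internet, so the WSA's policy, authentication and scanning are silently bypassed. Decide up front whether you want fail-open like this or the outage Artur describes, and alarm on the track state either way.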
Transparent Mode using WCCP v2
Dear All,
Greetings. Please correct me if I am wrong. Does the choice between GRE and L2 redirection depend on the router/switch?
What are the parameters to be configured in Transparent Redirection 'Load-Balancing Method' and 'Forwarding Method' when using GRE?
Please help me to understand more on GRE and L2 redirection when in transparent mode, and configuration in S-Series.
Many Thanks,
ezekiel
Ezekiel,
L2 is the preferred method when possible, since GRE adds an extra 28 bytes of overhead. For L2 to be possible, the WSA must be directly connected to the router / WCCP device.
If the WSA is more than one hop away, GRE MUST be used.
The major difference between Hashing and Masking is that if Masking is supported, the router / switch will consume less CPU building the load balancing tables.
It's recommended that you set the WSA to use "Hashing or Masking". The WSA will then negotiate with the WCCP router which to use. If your router supports both, Masking is preferred.
Hope this helps.
Please help regarding WCCP v2.
My company had 2 routers & 2 WSA. Each WSA is directly connected to the each router.
Can I use both WCCP L2 & GRE? If possible, can you give some examples?
-
Failure when FWSM in transparent mode with multiple contexts
Hi experts,
We have two FWSMs working in an active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if both were broken or powered off simultaneously, I wonder whether communication between the multiple contexts could still be OK?
Thanks in advance.
The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html
-
Transparent mode with AIP-SSM-20
I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.
AFAIR, there is no problem setting up an AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I do wonder, however, is whether ASA 5510s as a second-tier firewall for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin
-
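Added example for the bypass question, not taken from Marcin's reply; it uses the MPF approach the guide he links describes. ASA 8.2 syntax, with 192.0.2.50 as an assumed address for the busy file server; the ACL and class names are mine.

```cisco
! ASA 8.2, transparent or routed mode. 192.0.2.50 = file server (assumed).
!
! In an MPF match ACL, deny entries mean "not in this class", so the
! file server's traffic in both directions never reaches the module.
access-list IPS_TRAFFIC extended deny   ip host 192.0.2.50 any
access-list IPS_TRAFFIC extended deny   ip any host 192.0.2.50
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! global_policy already exists on a default ASA; the class is added to it.
policy-map global_policy
 class IPS_CLASS
  ! inline: the sensor sees the packet before it is forwarded and can
  ! drop it. fail-open: traffic keeps flowing if the AIP-SSM dies, which
  ! is the behaviour the quoted note in the reply describes.
  ips inline fail-open
!
service-policy global_policy global
```

"show service-policy" then shows the IPS class with its packet counters; a connection to the file server should leave them unchanged. Note that fail-open is a choice, not a default you should forget about: while the module is down, nothing is inspected, so monitor "show module 1" (or "show module ips" on later hardware) rather than assuming the sensor is working because traffic flows.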
ASA transparent mode with secondary IP on the router
Hi
I have
Router --- ASA (Transparent)----Switch
and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
so there is plenty of room in terms of LAN IP range.
Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
hope I do not have to change anything on the ASA.
Thanks
An ASA in transparent mode works as an L2 device,
so whatever IPs you use doesn't matter.
You don't need to change anything on the ASA while it is in transparent mode,
but be careful about what is allowed to pass through the firewall;
you can control it with ACLs.
The router and the switch you have will operate at L3 as if they were connected directly, with nothing between them from a routing and layer-three perspective,
so they should be in the same subnet, VLAN and so on.
Good luck.
Please rate if helpful.
-
Firewall Transparent Mode with IPS
Dear All,
I have network setup shown below
Router --- Firewall Transparent Mode --- cisco layer 3 switch
I am planning to implement ips. Which is the right place to put the IPS
The IPS is separate hardware. Let me know in which mode the IPS has to be enabled. Rgds - pramod
Hello,
If you have separate IPS hardware, then place the IPS between the router and the firewall.
You can use the IPS in inline or promiscuous mode.
In inline mode all traffic passes through the IPS first and, after inspection, moves on to the firewall.
If you are using the IPS in promiscuous mode, a copy of the traffic is sent to the IPS and the inspection is done on that copy.
Thanks.
-
Config transparent Proxy with LDAP authen with L4 switch?
How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
Async OS: 5.1.0-420
Thank you,
Thanapol
Ezekiel,
I wanted to add some clarification to your comments:
1) Network TAP connected to T1/T2.
This will work good. You will need to tap one direction of traffic to the T1 port and the other direction in to the T2 interface.
2) L4 switch connected to P1.
This will NOT work. Further explanation below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to the gateway to the T1 interface.
The L4TM will need to be in 'duplex' mode - Configurable in the GUI.
3) WCCP v2 connected to P1.
WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
L4TM information
The L4TM can be thought of as a completely separate appliance that operates primarily via the T1 / T2 interfaces.
The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will use.
The P1 interface is intended to be used for web proxy traffic and the L4TM does not listen on this interface.
-
ASA5510 - LACP in Transparent Mode
Hello all,
I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside.
My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below.
I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
|-----------|      |-----------|
| Switch 1  |------|           |
|-----------|      |  ASA5510  |      |----------|
                   |  (transp  |------|  Router  |
|-----------|      |   mode)   |      |----------|
| Switch 2  |------|           |
|-----------|      |-----------|
Configuring Cisco ASA Service Appliance in Transparent Mode with vPC
Since Release 8.4, the Cisco ASA 5500 Series Adaptive Security Appliance solution supports Link Aggregation Control Protocol (LACP). An ASA port-channel contains up to eight active member ports. Supported LACP modes are: ACTIVE, PASSIVE, and ON (ON means manual port bundling, i.e. not using the dynamic port-channeling control protocol). The ASA can be configured in transparent or routed mode. Both modes are supported when integrating the ASA with Cisco Nexus 7000 Series vPC.
http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
Page 87-88
-
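Added example (not from the reply or the vPC guide) of the bundle the question asks about: two physical ports as one LACP port-channel serving as the inside interface of a transparent ASA. It needs 8.4(1) or later, the release in which the ASA 5510 gained EtherChannel; the interface names and the 192.0.2.0/24 management subnet are assumptions.

```cisco
! ASA 8.4(1) or later, transparent mode. Interface names assumed.
!
! Two member ports, one logical interface. "mode active" runs LACP, so
! the partner must present a single LACP system ID: Switch 1 and Switch 2
! have to be a vPC/VSS pair or a stack. Two independent switches will
! not bring the bundle up, and "mode on" would only hide that problem.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
! The port-channel, not the member ports, carries the firewall settings.
interface Port-channel1
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/2
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
! Management address of the bridge group (assumed subnet).
interface BVI1
 ip address 192.0.2.2 255.255.255.0
```

"show port-channel summary" should show Po1 as up with both members bundled before any traffic test is meaningful. The 8.4 bridge-group syntax also lifts the two-interface limit the question starts from, but a single port-channel to a pair of switches only removes one of the two single points of failure it mentions; the ASA itself still needs a failover peer.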
Cisco 2960S Configured in Transparent mode
I have a Cisco 2960S gig switch configured in transparent mode with multiple VLANs configured. I have printers that I can ping, and the ports show up, but on the printer it says offline. Any idea what could be causing this?
If your printer and your PCs are all in the same subnet and only the printer is not working, then VTP mode Transparent has nothing to do with your issue.
I'd be keen to know if you have a firewall blocking anything from the IP address of the printer? Maybe the IP subnet mask or default gateway of the printer is not working?
What do you get when you do a "sh mac-address interface <PRINTER port>"?
-
Hi all,
I am currently designing a new solution based on a 6509 switch with an FWSM module; here is what I have:
The FWSM will be used in transparent mode with two bridge groups, 1 and 2, as shown in the image. I wonder whether this is a correct design or not; will it work with no problem with these two trunk links?
I've seen in the guidelines at this URL:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961
"The transparent FWSM uses an inside interface and an outside interface only. "
Is it applicable in my case?
Any other information will be welcome.
Thanks for the help
Hi, this is a sample configuration.
6509A:
vlan 256
 name FWoutside
interface vlan 256
 ip address 98.1.1.252 255.255.255.0
6509B:
vlan 255
 name FWinside
interface vlan 255
 ip address 98.1.1.251 255.255.255.0
firewall module 3 vlan-group 16,32
firewall vlan-group 16 255
firewall vlan-group 32 256
FW:
firewall transparent
nameif vlan256 outside security0
nameif vlan255 inside security100
access-list ACL_IN extended permit ip any any
access-group ACL_IN in interface outside
access-group ACL_IN in interface inside
6509B:
6509B#ping 98.1.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
6509B#
-
ASA 8.4 transparent mode active/active questions
Hi, currently i'm trying to create network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but i have some questions:
1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Thanks for your replies
Hello,
1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
You can configure up to 8 bridge groups per context to achieve this.
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Active/Active failover is only possible in multiple context mode.
Hope that helps.
-Mike
-
VRF issue with Firewall in transparent Mode.
Hi Guys,
I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
I am running multiple VRFs between the router and the switch, with BGP as the routing protocol. When they are connected directly to each other everything is normal; however, when I connect them via the ASA 5545 everything fails. I am using the ASA in transparent mode.
My question is: does the ASA require different settings in the case of VRFs? If yes, then please give me a sample config.
I have taken the following output from the firewall; will this be of any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 7c69.f68f.df78, MTU 1500
IP address 175.4.8.35, subnet mask 255.255.255.248
8435 packets input, 680680 bytes, 0 no buffer
Received 8135 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
8138 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (476/461)
output queue (blocks free curr/low): hardware (511/511)
Traffic Statistics for "OUTSIDE":
297 packets input, 118503 bytes
0 packets output, 0 bytes
297 packets dropped
1 minute input rate 0 pkts/sec, 13 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
FP L2 rule drop (l2_acl) 297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type Model Serial No.
0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt ASA5545
ips ASA 5545-X IPS Security Services Processor ASA5545-IPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 7c69.f68f.df77 to 7c69.f68f.df80 1.0 2.1(9)8 9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
ciscoasa#
I have created an EtherType ACL and permitted any traffic.
CDP traffic has passed through, but I am still not able to ping :(
-
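Added example serving both the ASA 8.4 active/active thread above (bridge groups per VLAN, ASR groups) and this VRF thread; it is not config posted by either participant. It assumes the router and switch carry their VRFs as 802.1Q VLANs 10 and 20 on the trunk through the ASA, with the router at 192.0.2.1 / 198.51.100.1 and the switch at 192.0.2.2 / 198.51.100.2 peering over BGP; interface names, bridge-group numbers, BVI addresses and ACL names are mine. ASA 8.4 or later, single context mode shown.

```cisco
! ASA 8.4+ transparent mode. Assumed: VLAN 10 and VLAN 20 on the trunk,
! one VRF each; router .1 and switch .2 in 192.0.2.0/24 and 198.51.100.0/24.
!
! The ASA only bridges a VLAN it has a subinterface for: tagged frames that
! hit a bare physical interface with no matching subinterface are dropped.
! So: one subinterface pair and one bridge group per VLAN.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside-10
 bridge-group 10
 security-level 0
interface GigabitEthernet0/0.20
 vlan 20
 nameif outside-20
 bridge-group 20
 security-level 0
!
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside-10
 bridge-group 10
 security-level 100
 ! In multiple context mode with active/active failover, add
 ! "asr-group 10" here and on outside-10 in both contexts so a return
 ! frame that lands on the standby context is handed to the active one.
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside-20
 bridge-group 20
 security-level 100
!
! Each bridge group needs its own management address (assumed).
interface BVI10
 ip address 192.0.2.254 255.255.255.0
interface BVI20
 ip address 198.51.100.254 255.255.255.0
!
! Non-IP frames (BPDU, CDP, ...) are governed by EtherType ACLs. IP,
! including BGP (TCP/179) and ICMP, is governed by extended ACLs, and
! nothing is allowed in on the security-0 side until you permit it.
access-list ETHER ethertype permit bpdu
access-list OUT-IN extended permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
access-list OUT-IN extended permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
access-list OUT-IN extended permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
access-list OUT-IN extended permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
access-list OUT-IN extended permit icmp any any
access-group ETHER in interface outside-10
access-group ETHER in interface outside-20
access-group OUT-IN in interface outside-10
access-group OUT-IN in interface outside-20
```

Check with "show bridge-group" (each group should list both members), "show access-list OUT-IN" (hit counts on the BGP lines once the peers are up) and "show asp drop" again; the l2_acl counter should stop climbing for the bridged VLANs. Resist the troubleshooting shortcut of "permit ip any any" inbound on the outside subinterfaces: in transparent mode that is a full bypass of the firewall for everything the router sends, and it tends to survive the outage that prompted it.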
INPUT textfield does not show non-English letters with transparent mode
The INPUT text field does not show non-English letters when I
type, if transparent mode is turned on.
Is this a bug in Flash Player 9?
Will this bug be fixed?
I just tested Firefox and Chrome on Linux; it doesn't work either, but I get different weird chars: éèça
However, on both Mac and Linux, if I copy the chars and paste them into the input field, it passes.
-
Squid array in transparent mode
Hello Netpros,
I know the CSS is perhaps a little bit out of date, but there's still a lot of boxes running out there in the field.
Is there a way (L2 or L3) to manage load balancing between web clients with no proxy configured and an array of squid servers configured in transparent mode.
There are no SCAs and WCCP is not available on the squids
Thank you for you cooperation
Andrea
You can operate in bridged mode, which will separate the client from their gateway at layer 2. Create a VIP that matches all traffic (0.0.0.0 for TCP/UDP or both) and point them to the Squid proxies as a transparent service.
service Squid1
  ip address 172.16.35.11
  type transparent-cache
  active

owner L2Caches
  content L2
    vip address 0.0.0.0
    add service Squid1
    protocol tcp
    active
Regards,
Chris Higgins