WCCP ACL on 4506 switch

Hi,
We have a Cisco 4506 switch with the IOS version of 12.2-50.SG1. I would like to know whether any of the latest IOS versions will support a redirect ACL with a deny statement for WCCP on a client interface.
Switch details:
cisco WS-C4506-E (MPC8245) processor (revision 7) with 524288K bytes of memory.
Processor board ID FOX1407G5P7
MPC8245 CPU at 333Mhz, Supervisor IV
Last reset from Reload
5 Virtual Ethernet interfaces
192 FastEthernet interfaces
26 Gigabit Ethernet interfaces
403K bytes of non-volatile configuration memory.
Regards,
Bala

Hey CJ,
Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
Hope this helps!
-Chet

Similar Messages

  • WCCP ACL on Catalyst 3750

    Hi
    I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running WCCP in the stack and redirecting traffic to the WAAS appliances using a redirect ACL. I read in the command guide for the 3750 that ONLY permit entries are supported. I have approx. 20 VLANs and there is local traffic flowing between some of them.
    My question is: if I can't use deny entries in the redirect ACL on the switch, how can I stop the local traffic between the VLANs getting redirected unnecessarily? Will the local traffic be redirected to the WAAS appliance and then just bypass and go back to the switch stack, or does WCCP handle this in some way so only the first packets for each session get redirected?
    BR
    CJ Ekman

    Hey CJ,
    Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
    Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
    Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
    Hope this helps!
    -Chet
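Where the platform accepts only permit entries in a WCCP redirect ACL, as described for the 3750 above, the same intent can be written as "permit every destination except the local address space". The script below is an added example, not part of the original posts or of Cisco's documentation; the ACL name `WCCP-REDIRECT` and the local prefixes are constructed assumptions.

```python
import ipaddress


def complement(excluded):
    """Return the IPv4 networks covering everything except `excluded`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    # Collapse first so overlapping or nested local prefixes become disjoint.
    local = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in excluded)
    for ex in local:
        kept = []
        for block in remaining:
            if ex.subnet_of(block):
                # Split the block around the excluded prefix.
                kept.extend(block.address_exclude(ex))
            elif not block.subnet_of(ex):
                kept.append(block)  # disjoint from the exclusion, keep as is
        remaining = kept
    return sorted(remaining)


def wildcard(net):
    """Format a network as an IOS address/wildcard-mask pair."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def permit_only_acl(name, local_prefixes, proto="tcp"):
    """Build a permit-only extended ACL that skips local destinations."""
    lines = [f"ip access-list extended {name}"]
    for net in complement(local_prefixes):
        lines.append(f" permit {proto} any {wildcard(net)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: address space used by the local VLANs.
    LOCAL = ["10.20.0.0/16", "10.20.5.0/24", "192.168.0.0/22"]
    print("\n".join(permit_only_acl("WCCP-REDIRECT", LOCAL)))
```

Each excluded prefix of length n costs up to n permit entries, so check the generated list against the switch's ACL/TCAM capacity before applying it.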

  • Configure WCCP on a 4510 switch

    I have to configure an instance of WCCP on a 4510 switch, and I have to admit I have read the examples given by Cisco but don't understand the example config:
    Router(config)# ip wccp web-cache group-address 224.1.1.100 password alaska1
    I have attached the config in question above; could someone please clarify what the group address 224.1.1.100 is?
    Many Thanks
    Mark

    Now I have used what you say, which is
    ip wccp 99 group-list websense_proxy (Proxy server), but it does not give the option to create a redirect list, and this is the output of sh ip wccp
    Service Identifier: 99
            Number of Service Group Clients:     0
            Number of Service Group Routers:     0
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Redirect access-list:                -none-
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   websense_proxy
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0

  • Cisco 4506 switch in Err-disable mode

    I have a Cisco 4506 switch and its 10 gig interface is in error-disable mode. I tried shut and no shut on the port a couple of times, but it transitions from up to down a number of times and then to error-disable. Has anyone else encountered this issue before? Kindly advise the solution for the same. Thanks

    Hi Shariq,
    Can you post the output of the show interface status err-disable? That output contains the reason for putting your port into err-disabled state.
    Best regards,
    Peter

  • Resetting a blade on a 4506 switch

    What is the command to reset a single line card on a 4506 switch?

    If running IOS:
    hw-module module # reset
    Please rate helpful posts.

  • Cisco 4506 Switch Hanging

    I have got a 4506 switch with Sup V 10GE. This switch is in a VTP domain, but in VTP transparent mode. It has hung twice; could anybody tell me the reason for what could have happened?
    No configuration change had been made to that switch.

    Hi Suresh,
    CSCsb61172 can be confirmed by looking at the output of "show platform hardware interface all".
    eg:
    CAT4510#show platform hardware interface all
    Global Hardware Gigaport State
    RxIpg : 6
    TxIpg : 264
    FreeListCount : 329 <<<-----
    Note that typical values of the free list count are between 20,000 and 64,000 depending on the traffic
    being switched. A count of 329 above is too low and indicates a memory leak.
    So if you see the number decreasing constantly, then you are running into this issue. The fix is in 12.2(25)EWA5, 12.2(31)SG, and higher.
    HTH,
    Bobby
    *Please rate helpful posts.

  • Configuring new 4506 switches.

    MERRY X-MAS !!!
    I am going to configure IOS on a brand new 4506 switch with Supervisor Engine IV. You guys know that it has separate modules for the supervisor engine, 3 to 4 blades, and a redundant power supply. Because of this I am a little bit confused. Apart from doing VLAN and STP configs, do I need to do any other configs for the chassis, redundant power supplies, blades, memory, etc.?
    If you do have any sample configs, please do help me, guys.

    No configuration needed for chassis/RPS. Configuration guidelines should help
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/index.htm

  • How to put a comment(remark) into a certain line in ACL on L3 switch

    hello all,
    am I correct that for comments in access lists on L3 switches it is provided only so limited functionality, that it is possible only to put a remark at the end of existing rules list and no way to put a comment into a defined line, but only reapply the whole access list?!
    (config-ext-nacl)#remark ?
      LINE  Comment up to 100 characters
      <cr>
    Maybe other commands or special applications exist that can help with such an important matter?

    You're correct. Remark entries will be added in the order that you enter them, but can't be inserted with a sequence number. Any time I've needed to make changes to ACL remarks, the ACL has had to be deleted and re-created with the new entries.

  • WCCP on lower end switches

    Hi - I'm searching for a lower end switch that supports WCCP. According to the feature navigator the 3550 is the only one that supports WCCP. The only 3550 still available is the DC version, for which you can only get the SMI version and not the EMI version that supports WCCP. According to the CCO the 3560 and 3750 do not support WCCP.
    Thanks

    Hi,
    Your research is correct - the 3550 was the only low-end layer-3 switch which supported wccp. (Only Cisco knows why the others don't support it)
    Another alternative, if you really need all those switch ports, is something like a 2800 series with either a 16 or 36 port etherswitch module (NM-16ESW or NMD-36-ESW).
    HTH
    Andrew.

  • 4506 switch and netflow card

    folks
    i have a 4506 with a netflow card installed and i'm using crannog software to read the netflow stats but i have a problem
    i have the following statements on my switch config
    ip route-cache flow
    ip flow ingress
    ip flow-cache timeout active 5
    ip flow-export source GigabitEthernet4/1
    ip flow-export version 5
    ip flow-export destination 10.*.*.* 2055
    my software is picking up the switch and the switch is exporting flows:
    Flow export v5 is enabled for main cache
    Exporting flows to 10.*.*.* (2055)
    Exporting using source interface GigabitEthernet4/1
    Version 5 flow records
    820249 flows exported in 118103 udp datagrams
    0 flows failed due to lack of export packet
    0 export packets were sent up to process level
    but the software shows 0 bits for traffic
    is anyone aware of any commands i'm missing (the ip route-cache command isn't available for an interface as in a router)
    thanks to anyone taking the time to respond or read this

    Sup7LE supports Flexible Netflow. 
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/flexible-netflow/product_data_sheet0900aecd804b590b.html

  • Recommendation on having ACL on the switch or on the FW?

    Hi There,
    I have a setup of a core switch connected through a trunk link to a PIX535 FW; currently I have 150 users and the PIX is doing the ACL between the different VLANs. However, in the future the organization will grow to 2000+ users and I'm afraid of performance degradation on the FW side if we maintained the ACL on its side.
    From a security perspective, is it better to keep the ACL managed by the PIX FW and not by the core switch? And from a performance perspective, is it recommended in my scenario to move the ACL to the core switch so the performance of the PIX doesn't get degraded?
    Also, my core switch is 4 X Catalyst 3750 switches stacked together, will there be any performance problems when my organization grows to 2000+ users with this type of switch? (i.e. should we consider moving to a higher-end model like 4500 series or 6500 series)?
    Appreciate your feedback.
    Thanks,
    Haitham

    Hi Haith,
    The Cisco 3750 is designed for use in small and medium sized networks. Since you say that your network is going to grow to 2000 plus users, you need to consider going in for either 4500 or 6500 series switches; you can also put the access-list on these switches and performance will not be affected. When deciding on the switch, you should also consider what type of applications are going to run on the network. Let's say that if you are using it for audio/video applications with more than 2000 plus users, you really need to go in for 6500 series switches, because the file sizes of these applications will be huge.
    Hope this helps.
    Rate this post if cleared. If not, please let me know.

  • 4506 Switch reloads

    Hi,
    I had a problem with a 4506 version 12.2(37) SG Switch which reloads once, I saw, in the show version output the following line System returned to ROM by abort at PC 0x0, I tried to check it out within the bug tool kit and I found this bug CSCsi17158 but it says it happens in other platforms. I'd like to know if there is a document where the problem presents in 4500 series switches and how to solve it, or if anyone knows why this happened and how to avoid it.
    Thank you in advance,
    Alex

    “Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main  This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.”

  • Reflexive ACL on a switch interface

    Is there any reason a reflexive ACL will not work on a switch port? I see that most examples pertain to routers. We have a 4510 with a Sup 6. I have not tried it yet, but here is the config I came up with:
    ip access-list extended internal_acl
    permit tcp any any reflect tcptraff
    permit udp any any reflect udptraff
    permit icmp any any reflect icmptraff
    ip access-list extended external_acl
    evaluate tcptraff
    evaluate udptraff
    evaluate icmptraff
    deny ip any any
    int g1/48
    ip access-group internal_acl out
    ip access-group external_acl in
    Does this look like it will work? Being that the 4510 can't do NAT I need to "hide" what is connected to this particular switch interface. Suggestions?
    Poirot

    here are 2 good basic documents on this topic:
    "How To Calculate Bandwidth Utilization Using SNMP"
    SNMP Counters: Frequently Asked Questions
    Basically, what you have to do is poll the ifHCInOctets and ifHCOutOctets (from the IF-MIB (ifXTable) - e.g. ifHCInOctets = .1.3.6.1.2.1.31.1.1.1.6.)
    and do some calculation to get bps. This thread gives a good example.
    There are 2 MIB objects which give directly what you want, but they are deprecated and have 32-bit counters, so they are not of practical use for high-speed (Gig) interfaces:
        locIfInBitsSec      1.3.6.1.4.1.9.2.2.1.1.6
        locIfOutBitsSec     1.3.6.1.4.1.9.2.2.1.1.8
    Typically you will poll these values with SNMP instead of sending them (for 64-bit counters (ifHCInOctets) you'll have to use SNMPv2c or SNMPv3).

  • Acl's on switches.

    I have 5 subnets from my ISP. I want to use a switch for routing, a 2960 or SF300-24P. I just want to route one inside network to one outside subnet. A point of sale system is set up on one static IP; this VLAN would just need to connect to the one subnet on the outside. If I turn on IP routing and create SVIs, this will route between all subnets. I also have a public, employee and management VLAN. They are on separate static IP addresses.
    The three local networks will use private IP addressing. How do I translate between the local private IP addresses and the designated address from the service provider?
    An example: I want the 192.168.1.0 network in VLAN 100 to route only to ISP address 1
    192.168.2.0 VLAN 200 to route only to ISP address 2
    192.168.3.0 VLAN 300 to route only to ISP address 3
    The issue is I can't have VLAN 200 or VLAN 300 communicate with ISP address 1 or VLAN 100.
    How can I do this with a Catalyst 2960 with LAN Base firmware?
    Thanks

    An example: I want the 192.168.1.0 network in VLAN 100 to route only to ISP address 1
    192.168.2.0 VLAN 200 to route only to ISP address 2
    192.168.3.0 VLAN 300 to route only to ISP address 3
    The issue is I can't have VLAN 200 or VLAN 300 communicate with ISP address 1 or VLAN 100.
    How can I do this with a Catalyst 2960 with LAN Base firmware?
    Are you sure these are the only things you want to route? 
    If yes, then a 2960 can do limited static routes if you upgrade to 12.2(55)SE2 and later.  You can enable routing if you change the SDM template to route. 

  • 4506 Switches and Power Requirements

    I am required to install several switches in a LAN closet and want to make sure I don't blow anything up.
    I have no experience nor knowledge regarding watts, amps, etc.
    Is there any documentation, internal or outside, that explains the basics about power and cable types (3 prongs) in regard to Cisco equipment? Sorry, I'm very new.

    Hi David,
    Cisco Catalyst 4500 Series Power-over-Ethernet Capabilities and Power Supplies
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_data_sheet09186a00801f3dd9.html
    Does this help?
