WCCP ACL on Catalyst 3750

Hi
I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running WCCP in the stack and redirecting traffic to the WAAS appliances using a redirect ACL. I read in the command guide for the 3750 that ONLY permit entries are supported. I have approx. 20 VLANs and there is local traffic flowing between some of them.
My question is: if I can't use deny entries in the redirect ACL in the switch, how can I stop the local traffic between the VLANs getting redirected unnecessarily? Will the local traffic be redirected to the WAAS appliance and then just bypass and go back to the switch stack, or does WCCP handle this in some way so only the first packets of each session get redirected?
BR
CJ Ekman

Hey CJ,
Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
Hope this helps!
-Chet
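Added example, not from the thread and not Cisco or WAAS tooling: when a redirect ACL can only hold permit entries, the way to keep local VLAN-to-VLAN flows away from the WAAS is to enumerate what should be redirected, i.e. each local subnet to everything that is not a local subnet. The script below computes the complement of the local prefixes, emits those permit entries as an IOS extended ACL, and then evaluates sample flows against it to confirm that local-to-local traffic falls through to the implicit deny. The subnet list, the ACL name and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed sample input (not from the thread): three of the stack's local VLAN subnets.
# A summary prefix covering all local VLANs (e.g. "10.10.0.0/19") can be used instead
# and shrinks the ACL considerably.
LOCAL_VLAN_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"]


def wildcard(net):
    """Cisco wildcard mask (inverted subnet mask) for an IPv4 network."""
    return str(net.hostmask)


def remote_blocks(local_nets):
    """CIDR blocks that together cover every IPv4 address outside local_nets.

    Starting from 0.0.0.0/0, each local prefix is carved out with address_exclude,
    which splits the containing block along the bit path to the excluded prefix.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for local in local_nets:
        carved = []
        for block in remaining:
            if local.subnet_of(block):
                carved.extend(block.address_exclude(local))  # keep block minus local
            elif block.subnet_of(local):
                continue                                      # swallowed by local
            else:
                carved.append(block)                          # disjoint, keep as is
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def build_redirect_entries(local_subnets):
    """(src, dst) network pairs: every local subnet to every non-local block."""
    local_nets = [ipaddress.ip_network(s) for s in local_subnets]
    remote = remote_blocks(local_nets)
    return [(src, dst) for src in local_nets for dst in remote]


def render_acl(name, entries):
    """Emit the entries as a permit-only IOS extended ACL (implicit deny at the end)."""
    lines = [f"ip access-list extended {name}"]
    for src, dst in entries:
        lines.append(f" permit ip {src.network_address} {wildcard(src)}"
                     f" {dst.network_address} {wildcard(dst)}")
    return "\n".join(lines)


def is_redirected(entries, src_ip, dst_ip):
    """Emulate the redirect ACL: a flow is redirected only if some permit entry matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


if __name__ == "__main__":
    entries = build_redirect_entries(LOCAL_VLAN_SUBNETS)
    print(render_acl("WCCP-REDIRECT", entries))
    print(len(entries), "entries")
    for flow in [("10.10.0.5", "10.10.1.7"), ("10.10.0.5", "192.0.2.10")]:
        print(flow, "redirected" if is_redirected(entries, *flow) else "not redirected")
```

The entry count is roughly (number of local prefixes) x (prefix length of each), so with 20 separate /24s the ACL runs to several hundred lines and the stack's TCAM utilisation should be checked after applying it; passing one summary prefix for the local VLANs instead of the individual subnets keeps it short. The generated ACL covers only the local-to-remote direction; if redirection is also applied to the return direction, the mirrored entries are needed there.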

Similar Messages

  • Catalyst 3750 , ACS and Downloadable IP ACL

    Hi,
    We installed an ACS v4.1; we were trying to limit the access of authenticated users by using Downloadable IP ACL on a Catalyst 3750 with IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with an external database (Wins AD), but we want to limit the access to the network for some groups.
    Can this be done using Downloadable IP ACL?
    Thanks for any help

    Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:
    - Use RADIUS for authentication.
    - Support downloadable IP ACLs.
    Examples of Cisco devices that support downloadable IP ACLs are:
    - PIX Firewalls
    - VPN 3000-series concentrators, ASA and PIX devices
    - Cisco devices running IOS version 12.3(8)T or greater
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696809
    Please note that downloadable ACLs are not supported on Cat-based switches.
    If downloadable ACLs through a shared profile don't work, define a Cisco av-pair to create the downloadable ACLs.
    Give this a try and see if it works. The format for the av-pair ACL is, e.g.:
    ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255
    Regards,
    ~JG
    Do rate helpful posts.

  • Password problem on Catalyst 3750

    Hi all,
    I am a Unix administrator and we lost all account and password information to connect to a Catalyst 3750 switch.
    Is there a way to connect to the switch (with a serial cable?) and to create a new account without losing the configuration?
    Thanks for your reply.
    Regards.

    This method won't reset the configuration.
    During the boot process, you rename the current configuration so it doesn't get loaded.
    rename flash:config.text flash:config.old
    When the switch boots, it loads a blank image. Then you rename the config file and load it into the running config and you can change the logon credentials to something you know.
    It's important that you follow the steps exactly so you don't lose the configuration. Password recovery is a pretty common procedure.
    The only other method of recovery is if you have a copy of the current running configuration. Send me a private message if you have this config and we can discuss the possibility.

  • Catalyst (3750 24 10/100/1000T) and (3750 12 SFP) Stacking Problems

    Dear all
    I'm having a very strange situation here (at least for me).
    We have 4 core switches:
    2 x WS-C3750G-24T-S Catalyst 3750 24 10/100/1000T + IPB Image
    and
    2 x WS-C3750G-12S-S Catalyst 3750 12 SFP + IPB Image
    The stack configuration is done this way:
    When the switches are powered on, the first two SFP core switches are seen as a single stack with the stack master LED turned green on the first switch.
    The other two (24 10/100/1000T) switches have the RPS LEDs always green, the mode cannot be changed, and they cannot be accessed by console connection.
    But when the (24 10/100/1000T) switches are powered off, the first (SFP) switch in the stack reports that "Switch 3 and 4 has been removed from Stack",
    which means they are stacked but there's something wrong, because
    only the SFP ports are shown in "show interfaces status"; the Ethernet ports of the bottom switches are not present!!!
    Can you please tell me what the problem is?

    Dear Daniel
    Sorry for my delayed response, but I was actually quite busy.
    The problem was actually of another kind:
    the default profile for the Catalyst 3750 SFP is the Aggregate SDM template,
    while the 3750 10/100/1000 Ethernet switch default SDM profile was the Desktop profile,
    so I had an SDM mismatch.
    DATACENTER#sh switch detail
    Switch/Stack Mac Address : 081f.f3cf.1c80
                                               H/W   Current
    Switch#  Role   Mac Address     Priority Version  State
    *1       Master 081f.f3cf.1c80     1      0       Ready              
    2       Member 081f.f3cf.5900     1      0       Ready              
    3       Member aca0.16ac.0180     1      2       SDM Mismatch       
    4       Member aca0.16a3.bc80     1      2       SDM Mismatch 
             Stack Port Status             Neighbors    
    Switch#  Port 1     Port 2           Port 1   Port 2
      1        Ok         Ok                2        4
      2        Ok         Ok                3        1
      3        Ok         Ok                4        2
      4        Ok         Ok                1        3 
    All I did was change the default profile of the SFP switches to the Desktop profile and the problem was solved.
    switch 1 provision ws-c3750g-12s
    switch 2 provision ws-c3750g-12s
    switch 3 provision ws-c3750g-24t
    switch 4 provision ws-c3750g-24t
    system mtu routing 1500
    ip subnet-zero
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
    interface GigabitEthernet1/0/4
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet2/0/1
    interface GigabitEthernet2/0/2
    interface GigabitEthernet2/0/3
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet2/0/4
    interface GigabitEthernet2/0/5
    interface GigabitEthernet2/0/6
    interface GigabitEthernet2/0/7
    interface GigabitEthernet2/0/8
    interface GigabitEthernet2/0/9
    interface GigabitEthernet2/0/10
    interface GigabitEthernet2/0/11
    interface GigabitEthernet2/0/12
    interface GigabitEthernet3/0/1
    interface GigabitEthernet3/0/2
    interface GigabitEthernet3/0/3
    interface GigabitEthernet3/0/4
    interface GigabitEthernet3/0/5
    interface GigabitEthernet3/0/6
    interface GigabitEthernet3/0/7
    interface GigabitEthernet3/0/8
    interface GigabitEthernet3/0/9
    interface GigabitEthernet3/0/10
    interface GigabitEthernet3/0/11
    interface GigabitEthernet3/0/12
    interface GigabitEthernet3/0/13
    interface GigabitEthernet3/0/14
    interface GigabitEthernet3/0/15
    interface GigabitEthernet3/0/16
    interface GigabitEthernet3/0/17
    interface GigabitEthernet3/0/18
    interface GigabitEthernet3/0/19
    interface GigabitEthernet3/0/20
    interface GigabitEthernet3/0/21
    interface GigabitEthernet3/0/22
    interface GigabitEthernet3/0/23
    interface GigabitEthernet3/0/24
    interface GigabitEthernet4/0/1
    interface GigabitEthernet4/0/2
    interface GigabitEthernet4/0/3
    interface GigabitEthernet4/0/4
    interface GigabitEthernet4/0/5
    interface GigabitEthernet4/0/6
    interface GigabitEthernet4/0/7
    interface GigabitEthernet4/0/8
    interface GigabitEthernet4/0/9
    interface GigabitEthernet4/0/10
    interface GigabitEthernet4/0/11
    interface GigabitEthernet4/0/12
    interface GigabitEthernet4/0/13
    interface GigabitEthernet4/0/14
    interface GigabitEthernet4/0/15
    interface GigabitEthernet4/0/16
    interface GigabitEthernet4/0/17
    interface GigabitEthernet4/0/18
    interface GigabitEthernet4/0/19
    interface GigabitEthernet4/0/20
    interface GigabitEthernet4/0/21
    interface GigabitEthernet4/0/22
    interface GigabitEthernet4/0/23
    interface GigabitEthernet4/0/24
    That's it!
    :D
    Cheers
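Added example, not from the thread: a small parser for the "sh switch detail" member table shown in the reply above that flags every member whose state is not Ready, so an SDM mismatch like this one is caught by a script run over captured console output rather than by eye. The sample text is the output from the reply; the regex and the function names are this example's own.

```python
import re

# Sample output copied from the reply above ("sh switch detail" on a 4-member 3750 stack).
# In practice, feed in the text captured from the stack master's console.
SAMPLE_SHOW_SWITCH_DETAIL = """\
Switch/Stack Mac Address : 081f.f3cf.1c80
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
*1       Master 081f.f3cf.1c80     1      0       Ready
2       Member 081f.f3cf.5900     1      0       Ready
3       Member aca0.16ac.0180     1      2       SDM Mismatch
4       Member aca0.16a3.bc80     1      2       SDM Mismatch
"""

# One member row; the optional leading '*' marks the switch the command was run on.
# Header lines and the stack-port table do not carry a dotted MAC, so they never match.
MEMBER_RE = re.compile(
    r"^\*?\s*(?P<num>\d+)\s+(?P<role>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<prio>\d+)\s+(?P<hw>\d+)\s+(?P<state>.+?)\s*$"
)


def parse_members(text):
    """Return one dict per stack member found in `show switch detail` output."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("num", "prio", "hw"):
            d[key] = int(d[key])
        members.append(d)
    return members


def stack_problems(members):
    """Findings for a stack: not exactly one Master, or any member not in the Ready state."""
    findings = []
    if sum(1 for m in members if m["role"] == "Master") != 1:
        findings.append("stack does not report exactly one Master")
    for m in members:
        if m["state"] != "Ready":
            findings.append(f"switch {m['num']}: state '{m['state']}'")
    return findings


if __name__ == "__main__":
    members = parse_members(SAMPLE_SHOW_SWITCH_DETAIL)
    for finding in stack_problems(members) or ["all members Ready"]:
        print(finding)
```

Run against the sample, it reports switches 3 and 4 in state 'SDM Mismatch'; on a healthy stack it prints "all members Ready".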

  • Policer with IPv6 class-map on Catalyst 3750

    Hi,
    I've the following problem.
    It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
    On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
    mls qos
    ipv6 access-list DESTINATION-RANGE-A
     permit ipv6 any 2007::/16
    ipv6 access-list DESTINATION-RANGE-B
     permit ipv6 any 2B03::/16
    class-map match-all A
     match access-group name DESTINATION-RANGE-A
    class-map match-all B
     match access-group name DESTINATION-RANGE-B
    policy-map RL-POLICY
     class A
      police 2000000 8000 exceed-action drop
     class B
      police 6000000 8000 exceed-action drop
    interface GigabitEthernet1/0/7
     switchport access vlan 90
     load-interval 30
     service-policy input RL-POLICY
    The last CLI command, which should bind the policy to the specific interface, leads to the following error message:
    QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
    Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
    Thanks in advance for your help!
    Regards,
    Jens

    If you are thinking of the IPv6 prefix, I tried everything. From /128 for a single host to /64, nothing works.

  • Debian Linux Bonding and Cisco Catalyst 3750 - best practise?

    Hello everybody,
    I would like to know what's best practice to do this:
    The two NICs of a Debian Linux server are to be connected to two switchports of a Cisco Catalyst 3750 switch (stack). My goal is to have load-balancing and failover.
    My /etc/network/interfaces looks like this:
    iface bond0 inet static
           address 192.168.0.30
           netmask 255.255.255.0
           network 192.168.0.0
           broadcast 192.168.0.255
           gateway 192.168.0.1
           dns-nameservers 192.168.0.10 192.168.0.20
           dns-search xyz.mycompany.com
           slaves eth0 eth1
           bond_mode ???
           bond_miimon 100
           bond_downdelay 200
           bond-updelay 200
    First question: What bond mode should I use?
    The switchports look like this:
    interface GigabitEthernet3/0/4
     switchport access vlan 20
     switchport mode access
     spanning-tree portfast
    What changes are necessary here? Something like this?
    interface GigabitEthernet3/0/4
     switchport trunk encapsulation dot1q
     switchport mode trunk
     spanning-tree portfast
    Thanks a lot for suggestions, hints, etc.! :-)
    Greets
    Stephan

    Hi Michael,
    thanks a lot for your answer - and sorry for my late reply!
    I'd like to show you my solution - I hope that it is a solution. ;-)
    My config on the switch(stack):
    switch#show etherchannel summary
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    2      Po2(SU)         LACP      Gi3/0/3(P)  Gi4/0/3(P)
    switch#show running-config interface GigabitEthernet 3/0/3
    Building configuration...
    Current configuration : 172 bytes
    interface GigabitEthernet3/0/3
     description myserver, eth0
     switchport access vlan 20
     switchport mode access
     channel-group 2 mode active
     spanning-tree portfast
    end
    lansw01#show running-config interface GigabitEthernet 4/0/3
    Building configuration...
    Current configuration : 172 bytes
    interface GigabitEthernet4/0/3
     description myserver, eth1
     switchport access vlan 20
     switchport mode access
     channel-group 2 mode active
     spanning-tree portfast
    end
    switch#show running-config interface port-channel 2
    Building configuration...
    Current configuration : 82 bytes
    interface Port-channel2
     switchport access vlan 20
     switchport mode access
    end
    The /etc/network/interfaces of my Debian machine looks like this:
    auto lo
    iface lo inet loopback
    auto bond0
            iface bond0 inet static
            address 192.168.1.xxx
            netmask 255.255.255.0
            gateway 192.168.1.xxx
            dns-nameservers 192.168.1.xxx
            dns-search xxx.xxx.xxx
            bond-mode 4
            bond-miimon 100
            bond-downdelay 200
            bond-updelay 200
            bond-lacp-rate 1
            slaves eth0 eth1
    This setup seems to work well. But I'm wondering why there is nothing about "trunking" in my setup. Would you like to give me your opinion about this?
    Thanks a lot and many greets
    Stephan

  • Make Fiber Ports Live on Catalyst 3750?

    Hello All,
    I have 2 Catalyst 3750s connected via fiber using Cisco GBIC converters. Both GBICs are plugged into slot 1 of 4 on the switches. Everything is physically hooked up correctly. My question is what command do I type to make the fiber ports active? I know the fiber LED should go orange for 30 sec then green when you plug the fiber cable into the GBIC, but it's not working because I've got to make that port or interface active first, right? Any help would be appreciated. Thanks in advance!

    Double check the cabling. Unplug one of the patch cables from one of the gbics. Look at which connector on the gbic has the light coming out of it. Compare to the fiber patch for which connector has light coming out of it. Ensure you have the fiber plugged into the gbic such that light from one connects to dark on the other. Do this at both ends.
    Also, pull the gbics out of the switches & validate both are appropriate for the fiber type you are using. 1000-LX is for single mode fiber; 1000-SX is for multimode fiber.
    If you have the interface administratively shut down, this will fix it:
    int gig 0/1
    no shut

  • Interconnecting Catalyst 3750 and 2948G-L3

    I am trying to interconnect a Catalyst 3750 and a 2948G-L3 using fiber GBIC. The interfaces where the GBIC and fiber are attached show up as physically down. I have tried different ports and also changed both switches. No Luck. If I connect a 3524 to the 3750 using the same connection it works.
    Are 2948G-L3 switches compatible with the 3750?
    Thanks,
    VT

    Should have no problem. Can you try the following on the 3750's gig interface:
    speed nonegotiate
    See if the link comes up.
    Please rate all posts.

  • Could connect two Nexus 5648 to a stack of Catalyst 3750?

    Good Morning,
    Can I connect two Nexus 5600 (distribution switches) to Catalyst 3750 (access switches)?
    I have tried to integrate the Nexus switches into the network as distribution switches, replacing a Catalyst 6500 switch, and it does not work. Everything is going very slowly, although all pings work properly.
    Is there any incompatibility in connecting two Nexus 5648s to a stack of Catalyst 3750s via vPC?
    Thank you.
    Greetings.

    Hi,
    There can be many reasons for the switches not joining the stack, like an SDM template mismatch.
    You may go through the following document:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/switch_stacks.html#wp40112
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Catalyst 3750 Ingress SPQ/SRR behavior

    Do Cisco engineers review this community at all?
    I am working on the latest version of QoS standard for our Enterprise and noticed the following conflicting information officially provided by Cisco.
    My question relates to ingress/pre-ring Strict Priority Queue (SPQ) logic.
    Cisco Catalyst 3750 QoS Configuration Examples document states that SPQ on ingress is configured and serviced as follows
    mls qos srr-queue input priority-queue 2 bandwidth 10
    mls qos srr-queue input bandwidth 90 10
    SPQ services Q2 up to the configured 10% of ingress bandwidth
    Any excessive traffic in Q2 is not dropped, but is serviced by SRR in accordance with the configured weights
    For example, a momentary 5Gbps of aggregated ingress EF traffic will be serviced in the following way:
    SPQ services 10% of the total ring's bandwidth, or 3.2Gbps, leaving 1.8Gbps for SRR processing.
    SRR services the excessive 1.8Gbps in accordance with weights Q1 - 90 and Q2 - 10, such that Q1 gets 25.92Gbps and Q2 gets 2.88Gbps more.
    The following picture provides an in-depth look into the ingress queuing logic.
    Alternatively, Cisco Medianet Campus Design v4.0 provides the following example w/ comments
    C3750-E(config)#mls qos srr-queue input priority-queue 2 bandwidth 30
    ! Q2 is enabled as a strict-priority ingress queue with 30% BW
    C3750-E(config)#mls qos srr-queue input bandwidth 70 30
    ! Q1 is assigned 70% BW via SRR shared weights
    ! Q2 SRR shared weight is ignored (as it has been configured as a PQ)
    Basically, they now say the Q2 bandwidth weight is ignored because it is configured as a Strict Priority Queue. Doesn't it look contradictory?
    In my humble opinion Medianet (or SRND v4.0!!!) provides incorrect information re ingress queuing on the Catalyst 3750 platform.
    I am not sure I can easily test it, providing that an internal ring must experience a congestion. I don't think I can send more than 32Gbps of traffic into any of my lab 3750 switches.
    Also, I don't think this mistake can be critical in my environment as I don't expect to have momentary full capacity load on those... but it can be critical for others.
    Much appreciate
    Tim

  • Catalyst 3750 Switch

    How many VLANs in total can you create on a Catalyst 3750 switch? I read a document about the Catalyst 3750 switch. This document says that "Although the switch stack supports a total of 1005 (normal-range and extended-range) VLANs, the number of routed ports". However, I am not sure. Can you confirm this for me? Thanks

    this link should be of some help to answer your question.
    http://www.cisco.com/en/US/products/hw/switches/ps5532/products_command_reference_chapter09186a00803ec324.html#wp1031710
    HTH-Cheers,
    Swaroop

  • Revised Visio stencils for CRS and Catalyst 3750

    We just submitted the CRS and Catalyst 3750 revisions to the Cisco web team for posting.  They should be available within a day or so.
    Regards,
    Brett Newman
    Cisco Visio Development
    Visimation Inc.

    Hi Kevin,
    We updated the 3750 on 2/23/12 and the CRS on 2/20/12.  Please check the download page.
    Regards,
    Brett Newman
    Cisco Visio Development
    Visimation Inc.

  • System FCS error frames on Catalyst 3750

    Please,
    could someone explain what the "System FCS error frames" are that I see with "show controllers ethernet-controller" on some ports of a Catalyst (on trunk and also on access ports) WS-C3750G-24TS-S (3 switches in StackWise)?
    The error counters advance slowly, but they do grow... and I am afraid this could be the reason for the variable slow access time to a server application menu...
    For example "8 System FCS error frames".
    The ports are connected to a PIX-515E and I see the same error count on the firewall interfaces (the PIX "show interface" command shows me "8 input errors, 8 CRC, 0 frame, 0 overrun, 8 ignored, 0 abort").
    A few errors may be seen also on other ports, connected to other (C3550) switches.
    I tried to upgrade the IOS version, so I loaded "ipbase 12.2(25)SEB4" on the Catalyst 3750, but it did not solve the problem.
    PIX firewalls are running software 6.3(4).
    Why are these errors called "System FCS error frames"? I could not find anything searching on Cisco CCO!
    Thanks

    I apologise for the delay in answering; my notebook has been down for 5 days, and also my CCO access password...
    Thank you for the explanation and suggestion.
    We have a second rack with another three switch 4750 in StackWise, same models as the "faulty" ones, and the errors are not present on those switches, so it must be something hardware related on the first group of switches.
    I cannot touch those devices at the moment. We captured traffic frames with 3 notebook PCs running the "Ethereal" LAN sniffer, traffic to and from the server and two clients, and we discovered that on different ports of those switches some packets never reach the clients, causing many TCP retransmissions, especially with continuous traffic (HTTP GET and FTP transfers). This problem is visible on some, but not all, of the Catalyst 3750 switches in StackWise, but in every one of the three switches. We are planning to go on-site and replace the hopefully faulty one (or reseat the cables as you suggested).
    Is this a problem you have seen before?
    Regards
    Franco Feri

  • New Visio Stencils for Catalyst 3750, Telepresence 1300

    In response to customer requests, there are new images on the Visio Stencils web page at http://www.cisco.com/en/US/products/hw/prod_cat_visios.html
    The updates include images for:
    ASA 5510 Rear
    ASA 5520 Front
    ASA 5520 Rear
    ASA 5540 Front
    ASA 5540 Rear
    ASA 5580 Front
    ASA 5580 Rear
    ME-C6524GT-8S Front
    ME-C6524GT-8S Rear
    ME-C6524GS-8S Front
    ME-C6524GS-8S Rear
    PWR-400W-AC - 400W AC
    PWR-400W-DC - 400W DC
    Catalyst 3750 Metro Front
    Catalyst 3750 Metro Rear
    PWR-ME3750-AC
    PWR-ME3750-DC
    CTS-1300-47
    CTS-1300-65