WCCP on cisco 3725
Hi. I am a beginner in WCCP technology. What is the minimum IOS version on the Cisco 3725 to configure WCCP?
WCCP is supported on the Content Engine software. The Cisco 2600/3600/3700 Series content engine modules support Cisco IOS Software Release 12.2(13)T and later. This link provides Web Cache Communication Protocol (WCCP) support for Cisco IOS software and Cisco Content Engine software.
http://www.cisco.com/en/US/customer/products/hw/contnetw/ps761/products_tech_note09186a0080094a77.shtml#topic1
Similar Messages
-
Possible interface issues on cisco 3725 router
I have a router that has been working great for almost 2 years now. It has had the occasional reset due to power failures, but I have not adjusted the configuration for a long time, until today, trying to diagnose the issue that's occurring.
Here is the setup: a Cisco 3725 with three network interfaces, FE 0/0 connected to cable modem, FE 0/1 connected to the 10.0.1.x and FE0/1.10 vlan for call manager express ip phones. I then have a third interface FE 1/0 that acts as my DMZ where I keep servers. Both FE 0/0 and FE 1/0 are behind the NAT. Just yesterday I noticed that the internet traffic stops on the FE 0/1 interface after a few hours. Local VLAN routing works from FE0/1 to FE 1/0 and I can ssh into the router, just no web traffic. I reset and it starts working again. The odd thing is the DMZ still has internet during this entire time, which makes me think the interface is failing. Are there any logs or commands I can use when the interface fails again to see if it's a bad interface on the router?
I isolated the switch out of the question, hooked a non managed switch up while the internet was not working and tried to connect and got nothing as well.
Try the below and see whether that works
The inside interface of the PIX cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.
PIX-02(config)#management-access inside
PIX-02(config)#show management-access
management-access inside
-
Interleaving doesn't work properly for Cisco 3725 router, IP Plus IOS
Dear All,
I am deploying VoIP between 2 sites using Cisco 3725 routers. Currently, interleaving doesn't work properly, which results in a voice quality problem only during data traffic. Issuing the "show int multilink 1" command, I realise that there are no interleaves even though VoIP calls and data are traversing the link.
Attached here is the info for your reference.
Any idea, please help.
Thanks in advance.
Duc
Here is the info:
VNHCMR01#sh call active voice brief
: hs. + pid:
dur hh:mm:ss tx:/ rx:/
IP : rtt:ms pl:/ms lost://
delay://ms
MODEMPASS buf:/ loss /
last s dur:/s
FR [int dlci cid] vad: dtmf: seq:
(payload size)
ATM [int vpi/vci cid] vad: dtmf: seq:
(payload size)
Tele : tx://ms noise: acom: i/o:/ dBm
MODEMRELAY info:// xid:/ total://
speeds(bps): local / remote /
Proxy :,,,,, endpt: /
bw: / codec: /
tx: /,/,/
rx: /,/,/
Telephony call-legs: 1
SIP call-legs: 0
H323 call-legs: 1
MGCP call-legs: 0
Total call-legs: 2
12FF : 5798794hs.1 +202 pid:80 Answer 710 active
dur 00:01:14 tx:3721/74420 rx:3721/74420
Tele 0/0:15:424: tx:74420/74420/0ms g729r8 noise:0 acom:24 i/0:-50/-29 dBm
12FF : 5798794hs.2 +202 pid:81 Originate 81555 active
dur 00:01:14 tx:3721/74420 rx:3721/74420
IP 159.12.56.1:19526 rtt:30ms pl:73890/40ms lost:0/1/6 delay:67/67/107ms g729r8
Telephony call-legs: 1
SIP call-legs: 0
H323 call-legs: 1
MGCP call-legs: 0
Total call-legs: 2
VNHCMR01#sh int mu1
Multilink1 is up, line protocol is up
Hardware is multilink group interface
Description:
Interface is unnumbered. Using address of FastEthernet0/0 (159.12.55.2)
Backup interface Dialer1, failure delay 30 sec, secondary disable delay 30 sec,
kickin load not set, kickout load not set
MTU 1500 bytes, BW 256 Kbit, DLY 100000 usec,
reliability 255/255, txload 33/255, rxload 13/255
Encapsulation PPP, LCP Open, multilink Open
Open: CDPCP, IPCP, loopback not set
DTR is pulsed for 2 seconds on reset
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters 00:00:50
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0/0 (size/max total/threshold/drops/interleaves)
Conversations 0/5/64 (active/max active/max total)
Reserved Conversations 1/1 (allocated/max allocated)
Available Bandwidth 56 kilobits/sec
5 minute input rate 14000 bits/sec, 69 packets/sec
5 minute output rate 34000 bits/sec, 72 packets/sec
3062 packets input, 100509 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3078 packets output, 298192 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
VNHCMR01#sh ppp multilink
Multilink2, bundle name is VNHANR01
Bundle up for 02:47:34, 3/255 load
Receive buffer limit 12192 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x145A1 received sequence, 0x21A41 sent sequence
Member links: 1 active, 0 inactive (max not set, min not set)
Se0/2, since 02:47:32, 320 weight, 312 frag size
Multilink1, bundle name is VNBHCR01
Bundle up for 16:07:32, 35/255 load
Receive buffer limit 12192 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x2DB8D received sequence, 0x536BD sent sequence
Member links: 1 active, 0 inactive (max not set, min not set)
Se0/1, since 16:07:30, 320 weight, 312 frag size
VNHCMR01#sh run int multilink 1
Building configuration...
Current configuration : 380 bytes
interface Multilink1
description
bandwidth 256
ip unnumbered FastEthernet0/0
service-policy output llq
backup delay 30 30
backup interface Dialer1
ip tcp header-compression iphc-format
no ip mroute-cache
ppp multilink
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink group 1
ip rtp header-compression iphc-format
end
VNHCMR01#show policy-map
Policy Map llq
Class voip-rtp
Strict Priority
Bandwidth 50 (%)
Class voip-sig
Bandwidth 8 (kbps) Max Threshold 64 (packets)
VNHCMR01#show class-map
Class Map match-any class-default (id 0)
Match any
Class Map match-any voip-sig (id 1)
Match access-group name VoIP-SIG
Class Map match-any voip-rtp (id 2)
Match ip rtp 16384 16383
VNHCMR01#
-
Cisco 3725 Router for Internet Connectivity
Hi,
We have an existing Internet connection using our Cisco 3725 router (ISP A). The router does the NAT and here's the existing default route:
S* 0.0.0.0/0 [1/0] via 1.2.3.153
This router has a "16 Port 10BaseT/100BaseTX EtherSwitch".
Now we have a new Internet connection (ISP B). What I did was to configure two ports on the Etherswitch and added route maps:
interface FastEthernet1/0
description "ISP B to provider"
no switchport
ip address 4.5.6.66 255.255.255.252
interface FastEthernet1/1
description "ISP B to my network"
no switchport
ip address 4.5.7.225 255.255.255.248
ip policy route-map ISPBInternetTraffic
access-list 101 permit ip 4.5.7.224 0.0.0.7 any
route-map ISPBInternetTraffic permit 101
match ip address 101
set interface FastEthernet1/0
set ip default next-hop 4.5.6.65
What I want to happen is that when the router sees the traffic coming from the public IPs of ISP B (4.5.7.224 /29) it will direct that to go out ISP B on F1/0.
1. Is my configuration correct?
2. Any suggestions, recommendations?
3. Can I do load balancing or load sharing between the two ISPs?
Best,
Tony
Hi Tony,
Your question has already been answered here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd276a5
-
Sample RAS configuration of Cisco 3725
Dear All,
If anyone can help me with some sample RAS configuration of Cisco 3725 having one 1-Port Channelized E1/T1/ISDN-PRI Network Module & 12 Port Digital Modem Network Module.
Thanks
Suresh
The configuration is not mine, I just took it from:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_configuration_guide_chapter09186a00800d9bb5.html
and I removed the extra lines (in the config it is 1 to 48, but in your 3725 it can be others depending on which modules are installed). Also you have to check the lines of your modems. This is a useful link, but you can check it with show diag:
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080094691.shtml
Config:
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
interface Serial0:23
no ip address
encapsulation ppp
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
ip local pool dialin_pool 10.1.2.1 10.1.2.50
dialer-list 1 protocol ip permit
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
Hope it helps
-as
-
How to Configuration Cisco 3725 with NEC ASPILA EX
Dear all;
Now I have a Cisco 3725 with a 1-Port Channelized E1/T1/ISDN-PRI module, and I am connecting it to an NEC ASPILA EX with PRI I/F (1PRIU-A1).
The controller link state is up, but when clients dial in to the RAS they get no ring back and do not connect to the RAS.
Can anyone help me?
Hi;
I configured the Cisco as you recommended, with "isdn protocol-emulate network" and "clock source should be internal". After the remote computer calls the RAS there is a modem signal and then it connects, and next it disconnects. Can I change some parameter for this problem, or what am I doing wrong? I am posting the config, status, and debug messages for you. Help me.
===== show isdn status ===========
#show isdn status
Global ISDN Switchtype = primary-net5
ISDN Serial2/0:15 interface
******* Network side configuration *******
dsl 0, interface ISDN Switchtype = primary-net5
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0xFFFF7FFF
Number of L2 Discards = 0, L2 Session ID = 0
Total Allocated ISDN CCBs = 0
=============== sh controllers e1 2/0 brief ========
#sh controllers e1 2/0 brief
E1 2/0 is up.
Applique type is Channelized E1 - unbalanced
No alarms detected.
alarm-trigger is not set
Framing is CRC4, Line Code is HDB3, Clock Source is Internal.
Module type is Channelized E1/T1 PRI
Version info Firmware: 0000001D, FPGA: 0
Hardware revision is 0.0 , Software revision is 29
Protocol revision is 1
number of CLI resets is 0
receive remote alarm : 0,
transmit remote alarm : 0,
receive AIS alarm : 0,
transmit AIS alarm : 0,
loss of frame : 1,
loss of signal : 1,
Loopback test : 0,
transmit AIS in TS 16 : 0,
receive LOMF alarm : 0,
transmit LOMF alarm : 0,
========== Interface config.=============
controller E1 2/0
clock source internal
line-termination 75-ohm
pri-group timeslots 1-31
interface Serial2/0:15
no ip address
ip nat inside
encapsulation ppp
ip policy route-map nachi-worm
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice modem
no fair-queue
no cdp enable
=================Debug Message when call to RAS ===========================
Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: RX <- SETUP pd = 8 callref = 0x000B
Bearer Capability i = 0x8090A3
Standard = CCITT
Transer Capability = Speech
Transfer Mode = Circuit
Transfer Rate = 64 kbit/s
Channel ID i = 0xA9838B
Exclusive, Channel 11
Calling Party Number i = 0x0081, N/A
Plan:Unknown, Type:Unknown
Called Party Number i = 0x81, '075205600'
Plan:ISDN, Type:Unknown
Low Layer Compat i = 0x8090A3
High Layer Compat i = 0x9181
Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: TX -> CALL_PROC pd = 8 callref = 0x800B
Channel ID i = 0xA9838B
Exclusive, Channel 11
Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: TX -> ALERTING pd = 8 callref = 0x800B
Mar 6 22:40:29 BANGKOK: ISDN Se2/0:15 Q931: TX -> CONNECT pd = 8 callref = 0x800B
Mar 6 22:40:35 BANGKOK: %ISDN-6-CONNECT: Interface Serial2/0:10 is now connected to unknown unknown
Mar 6 22:40:46 BANGKOK: %ISDN-6-DISCONNECT: Interface Serial2/0:10 disconnected from unknown , call lasted 17 seconds
Mar 6 22:40:46 BANGKOK: ISDN Se2/0:15 Q931: TX -> DISCONNECT pd = 8 callref = 0x800B
Cause i = 0x8290 - Normal call clearing
Mar 6 22:40:47 BANGKOK: ISDN Se2/0:15 Q931: RX <- RELEASE pd = 8 callref = 0x000B
Mar 6 22:40:47 BANGKOK: ISDN Se2/0:15 Q931: TX -> RELEASE_COMP pd = 8 callref = 0x800B
==============================================
-
Hello all,
This is a new install. I am trying to bring up a WAE-674 box at one of my remote sites with 2 routers (a 3725 and a 2621) at this remote site, and I am using WCCP for traffic redirection. I am having an issue with WCCP on the 3725 router: for some reason, when I enable the command "IP wccp 62 redirect in" under the WAN serial interface, I suddenly can no longer telnet to the fastethernet interface on the router, but I can still ping it and am still able to telnet to the loopback interface. And I have no issue with WCCP on the other 2621 router with the same config setup.
Has anyone run into this issue before? I appreciate any feedback on this!
I am running IOS version 12.3(14)T7 on the 3725 router and WAAS software version 4.1.1c
Thanks in advance !!
Danny
You will want to explore CSCsg30875 to see how it applies to your installation
CSCsg30875 wccp blocking telnet to router
Since 12.3T is EOL, it probably was not tested and may or may not exist in that Cisco IOS track.
End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.3T
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6947/ps5207/prod_bulletin0900aecd803a0ffe.html
Thank You,
Dan Laden
-
Will Cisco 3750G takes 700 users WCCP redirection sessions?
Hi,
We are configuring WCCP in Cisco 3750G switches. We would like to know if it can take concurrent 700 users WCCP redirection session?
If not then what is the maximum session we can achieve with this model? And what will be the next best model which can handle this load.
Regards
Asif
Absolutely correct.
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/basic_wccp.html#wp1143527
Quoted from above:
"WCCP redirection is supported only on the ingress of an interface. The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA. " -
Hi,
I've a question related to WCCP and IPv6.
Let's imagine a web-cache cluster, all the nodes dual stack (IPv4+IPv6) and all of them supporting WCCP (also IPv4+IPv6) for transparent web-cache, so they can cache either IPv6 or IPv4 web pages.
Let's imagine one Cisco router that is also dual-stack and has WCCP support (AFAIK only for IPv4). I assume that the router and the web-cache nodes are able to communicate with each other through IPv6 and/or IPv4 for any protocol other than WCCP. For WCCP, only communication through IPv4 is feasible (IPv4-only support for WCCP in the Cisco router).
My question is what about the port-80 IPv6 traffic (http queries indeed) forwarded to the router from the user's hosts?
Would such a traffic be forwarded to the external IPv6 HTTP public server (like no-http traffic)?
Would such a traffic be forwarded to the web-cache farm (like IPv4-http traffic does) in spite of WCCP supports only IPv4?
In other words, the IPv4-only-WCCP capable cisco router (but dual-stack) inspects only the IPv4 packets looking for the TCP-80 port or it does it also for IPv6 packets?
Regards
Miguel
This URL should help you:
http://www.cisco.com/en/US/products/ps6350/prod_bulletin09186a0080457b39.html
-
How can I mirror all ports on CISCO 3750 switches to one Gigabyte port?
Hi,
I have a requirement to mirror all the ports on my 7 CISCO 3750 switches, which are in 3 separate stacks, to one single Gigabyte Ethernet port.
Does anyone know how I can do that?
Thanks in advance.
Vlad, thanks a heap for your response.
I want to apply it to my situation. Please let me know if I get them right in the following:
Catalyst A
vlan 901
remote-span
monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on the CISCO 3725)
monitor session 1 destination remote vlan 901
Catalyst B
vlan 901
remote-span (If I don't need to monitor this switch, do I still need to put anything into this switch at all?)
Catalyst C
vlan 901
remote-span
monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on this switch as well)
monitor session 1 source remote vlan 901
monitor session 1 destination interface gigabitethernet 3 (There are 4 Gigabit Ethernet Uplink in CISCO 3750, I want all the traffic to go to port 3, is this the right way to do?)
Thanks in advance.
-
Good day Everyone! I've read all of cisco guides but I can't figure out why I'm experiencing the following problem:
1. I have got a 4215 in inline mode
2. Windows host with 10.0.3.1/24,10.0.3.254 (ip\mask, gateway) is on fa0/1 interface and Cisco 3725 is on fa1/0 port of the sensor.
3. I've got the following configuration on Cisco 3725 interface:
interface FastEthernet2/12
switchport access vlan 23
interface Vlan23
ip address 10.0.3.254 255.255.255.0
ip access-group IDS_vlan23_out_1 out
ip nat inside
ip virtual-reassembly
4. the sensor has the following configuration:
inline-interfaces pair-0
no description
interface1 FastEthernet0/1
interface2 FastEthernet1/0
service analysis-engine
virtual-sensor vs0
logical-interface pair-0
5. If I issue "packet display FastEthernet0/1" or "packet display FastEthernet1/0" on the sensor I see the same:
traffic from Cisco 3725 OSPF hellos:
18:57:32.329981 802.1d config 8000.00:0b:46:fc:95:50.805d root 8000.00:0b:46:fc:95:50 pathcost 0 age 0 max 20 hello 2 fdelay 15
BUT! The problem is I do not have a physical link on my Windows host to the network (the red cross on network connection Icon on the bottom right side of the toolbar)
Can anyone please give me a hint what I've done wrong?
Thanks in Advance!
What type of cable are you using to connect the Host with the sensor?
Are you using a crossover cable?
With 10/100 ports, a crossover cable is needed when connecting 2 Hosts.
When planning the cabling remember that the IDS-4215 acts like an end host (as do routers) instead of a switch or hub.
Normally the switch or hub does the crossover internally, so a straight through cable is used when connecting a Host to a switch or hub. BUT when connecting a Host to a Host (or sensor, or router) the cross over must be done externally by using a cross over cable.
If you are already using a crossover cable, then the next thing to determine is if there is a problem with speed and duplex negotiation.
You might try hard coding both the Host and sensor to use 100 Mbps Full Duplex. By hardcoding both sides you won't have to worry about auto negotiation.
NOTE: If using 10/100/1000 interfaces on both the Host and Sensor you likely could have used a straight through cable. When negotiating to 1 Gbps the NICs can detect the difference between a straight through and cross over cable and adjust to use either type in most circumstances.
BUT most 10/100 interfaces generally lack this capability and require a cross over cable when connecting from Host to Host.
-
Will the NME-WLC8-K9 work on the Cisco 3725? Will there be a problem if there is a L3 switch between the router where the NME-WLC8 is plugged in and the L2 switches where the LAPs are connected?
That will work just fine. The APs will just need to have connectivity back to the WLC. Now it depends on how you stage the LAPs to be able to join the WLC.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a00808e2d27.shtml#backinfo
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml#conf
-
Symantec web filter cloud server with wccp
Hi All,
My web filter is now from symantec cloud. Which I created a vm windows 2008 r2 and install the client site proxy. So all user now are using proxy settings on that local server IP with the port 3128.
Is it possible to make that server connect to wccp on cisco asa 5515x? It's annoying to have proxy settings especially on smart phones. I don't know if symantec have a linux CSP version, maybe wccp will work fine with a linux server.
Thanks and more power.
Hello Phillipe,
Yes, you nailed it down.
With this setup the ASA is going to generate a Router ID and, just like OSPF, it is going to use the higher IP. In this scenario it should use the interface where the IronPort is. But sometimes the higher one is the outside interface (public one), so we are going to have an issue and there is no solution. The IronPort servers can handle this. Other than those, others cannot.
Just like OSPF, it is going to use the higher IP as the Router Identifier, so when it SENDS the packets to the server it is going to send them with the wrong IP
Regards
-
How many calls cisco 3745 router can support?
I want to select a router as GK for 1000 users which located in different site with about 10 GW. Cisco 3725 or 45 is ok?
Is it a must for the CCM server?
It is based mainly on port size for the type of voice circuit you are using. FXO, FXS, E&M: low volume and users. T1 PRI or CAS: 23-24 calls per circuit to the PSTN. I am not sure of the real estate on the backplane, but I am sure it is plenty. I have 600 hundred off of a 2621 with 4 PRI circuits in it.
-
Ironport not allowing different subnet using cisco dhcp
Recently I configured a new VLAN on a remote site and directed it to the backup link, but the strange thing is our wireless clients' proxy is working and the LAN-connected PCs' proxy is not working.
Ironport is working on the default VLAN with a Microsoft DHCP server, but I created a different VLAN and configured DHCP on the Cisco, and it is not allowing access for that subnet. I am using WCCP redirect on the interface.
We configured NTLM authentication connecting to AD. The problem is the clients which are in the different VLAN are not in AD, and an AD PC in the different VLAN is working; only non-AD is denied. Actually we configured guest on authentication, and also that subnet is located at the remote site, and our main site's unknown PCs are accessing through guest with no problem. The 2nd thing is the main VLAN uses an MS Server 2003 DHCP pool and non-AD users are working; I'm using the switch's own DHCP pool for VLAN 200. Is it a conflict? And when I put the Ironport IP in IE's proxy setting, it is working.
How to fix it?
Network Side:
---->Cisco 2800-1 (Gre Configured) --> Sat Link-->Cisco 2800-2(Gre Configured)--->
End Users->1-L3-> ---->L3-2(WCCP)---Ironport
---->Cisco 2800-3 (MPLS Configured ) --> Sat Link-->Cisco 2800-4(MPLS Configured)--->
Our network is like this, so through MPLS everything is working fine. The problem is on backup.
End users --> VLAN 1, VLAN 200 and VLAN 1 is default and our AD users, AD users working okay but looks like depending on some operating system Win XP, Win 7 some of them not working, and for VLAN 200 is all unknown pc.
1-L3 doing only routing role.
Cisco 2800-1 and 2800-2 both also configured routing and Gre tunnel.
Cisco 2800-1 Configs
crypto isakmp policy 2
encr 3des
authentication pre-share
crypto isakmp key *** address 10.1.9.254
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile VPN
set transform-set 3DES-SHA
interface Loopback0
ip address 1.2.2.1 255.255.255.252
interface Tunnel0
bandwidth 1024
ip address 10.1.9.250 255.255.255.252
ip mtu 1300
tunnel source 10.2.9.254
tunnel mode ipsec ipv4
tunnel destination 10.1.9.254
tunnel protection ipsec profile VPN
service-policy output QoSTunnel
interface GigabitEthernet0/0
description Connected to Satellite Modem
bandwidth 1024
ip address 10.2.9.254 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/1
description Connected to L3-Switch
ip address 10.2.5.253 255.255.255.240
ip nbar protocol-discovery
duplex auto
speed auto
service-policy input block-p2p
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 1.2.1.1 255.255.255.255 Tunnel0
ip route 10.1.0.0 255.255.224.0 Tunnel0
ip route 10.1.5.240 255.255.255.240 Tunnel0
ip route 10.1.5.254 255.255.255.255 10.1.5.253
on the WCCP configuration L3-2
sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.0.1
Protocol Version: 2.0
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 4
Process: 2
CEF: 2
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 2970
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
sh ip wccp int
WCCP interface configuration:
Vlan6
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan7
Output services: 0
Input services: 1
Mcast services: 0
Exclude In: FALSE
Vlan8
Output services: 0
Input services: 1
Mcast services: 1
Exclude In: FALSE
interface Vlan6
ip address 10.1.0.254 255.255.224.0
no ip redirects
ip wccp web-cache redirect in
ip access-list standard wccp_grp_list
permit 10.1.7.253 ## Ironport IP ##
ip access-list extended wccp_redir_list
permit tcp 10.1.0.0 0.0.31.255 any eq www
permit tcp 10.2.0.0 0.0.31.255 any eq www
permit tcp 10.2.1.0 0.0.0.255 any eq www ## VLAN 1 Users ##
permit tcp 10.2.11.0 0.0.0.255 any eq www ## VLAN 200 Users ##
and Static routings on L3-2.
On Ironport.
connected NTLM to Domain server
Service Profile Name:
Service:
Standard service ID: 0 web-cache (destination port 80)
wccp_redir_list
Router ip address: 10.1.7.254
Load Balancing : Allow hash and mask
Forwarding method: Allow GRE or L2
Return method: Allow GRE or L2
Default Route : to Router IP
And configured Guest privileged so if unknown pc will connect it should go through Guest privilege.
Global Authentication Settings
Action if Authentication Service Unavailable: Block all traffic if authentication fails
Failed Authentication Handling: Log Guest User by: IP Address
Re-authentication: Disabled
Basic Authentication Token TTL: 18000
Transparent Proxy Mode Authentication Settings
Credential Encryption: Disabled
Redirect Hostname: proxy
Credential Cache Options: Surrogate Timeout: 3600 seconds
Client IP Idle Timeout: 3600 seconds
Cache Size: 8192 entries
User Session Restrictions: Disabled
Secure Authentication Certificate: Common name: IronPort Appliance Demo Certificate
Organization: IronPort Systems, Inc.
Organizational Unit:
Country: US
Expiration Date:
Basic Constraints: Not Critical
Enable Identity
Name:
(e.g. my IT policy)
Description:
Insert Above:
Membership Definition
Membership is defined by any combination of the following options. All criteria must be met for the policy to take effect.
Define Members by Subnet:
(examples: 10.1.1.1, 10.1.1.0/24, 10.1.1.1-10)
Define Members by Protocol:
All protocols
HTTP/HTTPS Only
Native FTP Only
Define Members by Authentication:
Select a Realm or Sequence:
Select a Scheme: Scheme setting applies to HTTP/HTTPS only.
If a user fails authentication: Support Guest privileges
Authorization of specific users and groups is defined in subsequent policy layers
(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).
Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:
IP Address
Persistent Cookie
Session Cookie
Explicit Forward Request: Apply same surrogate settings to explicit forward requests
If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.
Advanced
Use the Advanced options to define or edit membership by proxy port, destination (URL Category), or User Agents.
The following advanced membership criteria have been defined:
Proxy Ports: None Selected
URL Categories: None Selected
User Agents: None Selected
Use: NTLMSSP
Identity Policies: Global Group
Settings for Global Policy
Define Members by Authentication: Require authentication
Select a Realm or Sequence: NTLMSSP
Select a Scheme: Scheme setting applies to HTTP/HTTPS only.
If a user fails authentication: Support Guest privileges
Authorization of specific users and groups is defined in subsequent policy layers
(see Web Security Manager > Decryption Policies, Routing Policies and Access Policies).
Authentication Surrogate for Transparent Proxy Mode: Surrogate Type:
IP Address
Persistent Cookie
Session Cookie
Explicit Forward Request: Apply same surrogate settings to explicit forward requests
If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.
But the problem is it is not forwarding Guest privilege and the browser is stuck when loading.
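A check of the `sh ip wccp` output quoted in the post above, written as an added example; it is not part of the original post or any Cisco tool. The two sample strings are constructed from lines in the post, and the function names and finding codes are assumptions of this example.

```python
import re

# Constructed sample: the `sh ip wccp` lines quoted in the post above.
SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                 192.168.0.1
        Protocol Version:                  2.0
    Service Identifier: web-cache
        Number of Service Group Clients:   1
        Number of Service Group Routers:   1
        Total Packets s/w Redirected:      4
        Redirect access-list:              -none-
        Total Packets Denied Redirect:     0
        Total Packets Unassigned:          2970
        Group access-list:                 -none-
        Total Messages Denied to Group:    0
        Total Authentication failures:     0
"""

# Constructed sample: the named ACLs the same post defines on the switch.
ACL_CONFIG = """\
ip access-list standard wccp_grp_list
 permit 10.1.7.253
ip access-list extended wccp_redir_list
 permit tcp 10.1.0.0 0.0.31.255 any eq www
 permit tcp 10.2.11.0 0.0.0.255 any eq www
"""

NONE = "-none-"


def parse_show_ip_wccp(text):
    """Return {lower-cased field name: value} for each 'Key: value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s+(\S.*?)\s*$", line)
        if m:  # section headers such as 'Router information:' have no value
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def defined_acls(config):
    """Names of the named ACLs declared in a configuration fragment."""
    return re.findall(r"^ip access-list (?:standard|extended) (\S+)",
                      config, re.M)


def audit(show_text, config_text):
    """Return (code, detail) findings for one WCCP service group."""
    f = parse_show_ip_wccp(show_text)
    redirect_acl = f.get("redirect access-list", NONE)
    group_acl = f.get("group access-list", NONE)
    findings = []
    if group_acl == NONE:
        # No group-list: the router does not filter, by source address,
        # which devices may register as cache engines for this service.
        findings.append(("no-group-list",
                         "cache registration is not restricted by ACL"))
    if redirect_acl == NONE:
        # No redirect-list: every packet that matches the service on a
        # 'redirect in' interface is a candidate for redirection.
        findings.append(("no-redirect-list",
                         "redirection is not scoped to listed subnets"))
    for name in defined_acls(config_text):
        if name not in (redirect_acl, group_acl):
            # IOS binds these with: ip wccp web-cache redirect-list <acl>
            # group-list <acl>; defining the ACL alone has no effect.
            findings.append(("unbound-acl",
                             f"{name} is defined but not applied to WCCP"))
    redirected = int(f.get("total packets s/w redirected", "0"))
    unassigned = int(f.get("total packets unassigned", "0"))
    if unassigned > redirected:
        # Unassigned = matched the service but no cache engine owned the
        # bucket, so the packet was forwarded without going to the proxy.
        findings.append(("unassigned-exceeds-redirected",
                         f"{unassigned} unassigned vs {redirected} redirected"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SHOW_IP_WCCP, ACL_CONFIG):
        print(f"{code}: {detail}")
```
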