WCCP Redirect ACL with Static Routes
I need help in creating a redirect ACL (along with an explanation) for one of our sites that has multiple static routes on the router pointing to a customer's device on his network. I have attached relevant config for review. We have tried numerous combos for this and so far nothing has worked correctly. Essentially we need the 165. network, 10.48 and the 10.0 network to all be redirected to the WAE appliance hanging off FA0/1 to be optimized and returned back, but not break communication b/w 10.0 and 10.48 network. Thoughts and/or suggestions?
Thank you
Have you tried to do the static route in the WAE?
Jan
Similar Messages
-
Router WCCP redirect ACLs for WAAS
Since WAAS accelerates TCP connections only, would it be more efficient to code my router WCCP redirect ACLS for protocol TCP instead of all IP traffic between my source and dest subnets I want redirected?
Greg,
The protocol (TCP) is an attribute of the WCCP service group, so using IP in your ACL is fine.
Regards,
Zach -
Simple Load Sharing With Static Routes
The scenario given below, L3 switch connected to 2 local LAN routers which in turn connected to internet router.
I would like to distribute the internet traffic from local LAN(L3 switch) on both RTRA and RTRB by adding static routes on L3 switch. How can I achieve this without configuring the routing protocol.
---------------RTRA----
L3SWITCH-------RTRB----INTERNET-RTR
Hi
If it's simple internet traffic do keep in mind about the local NAT commands which have to be configured accordingly with route-maps here.
If you are having your own block of ip address space then better to run bgp between the providers.
regds -
Configuring MPLS VPN using static routing
Hi,
I managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of an IGP. Does anyone know if Cisco routers support static configuration of LSP? I have tried but could not get it to work.
You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criteria to have an MPLS forwarding table.
1) Creating the LIB
This thing lies in having LDP neighborship between two peers and you have Label bindings.
This is irrespective of what is the best next hop to reach the advertising peers LDP_ID.
2) Creating the LFIB
Now after considering all the Label bindings, the LDP_ID which can be reached out an interface
as a next hop, those Label bindings get installed in the LFIB.
So considering the above two points, we have to be careful in static routes
only for interfaces like Ethernet (Multiaccess Segments).
As in CEF when you give a static route pointing to an Ethernet Interface, CEF creates a
Glean Adjacency (meaning there could be multiple hosts as the next hop on this segment, and it will glean for the right next-hop)
Now you may observe that when you give a static route only pointing to an Ethernet interface,
your LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forwarding Table is not created. This is because of this being a Multiaccess interface. And you have
Glean For it. If its a Normal WAN interface like Serial or POS, then there is no problem of
GLean and you would have a Valid Cached Adjacency.
So to avoid problems with Ethernet interfaces you can simply specify the next-hop-ip address.
For Eg: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (Without the Interface)
ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (Or with the Interface)
Only Difference in both is in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
running MPLS.
And doing this CEF would work as it should and you would have a Valid Cached Adjacency.
So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
HTH-Cheers,
Swaroop -
Hi
I have 2 different Nexus working different NX-OS (6.0(4) & 6.2(6)) with different line card (F2 & F2E) and different Sup (Sup 1 & Sup 2) but share the same problem. Sup 2 devices work with VPC, Sup 1 device standalone; this is the only difference.
I try to configure WCCP on the device to redirect http & https traffic to Websense. I created the following lines on both Nexus:
Feature wccp
ip wccp 1 redirect-list WS_REDIRECT
ip wccp 5 redirect-list WS_REDIRECT
ip wccp 70 redirect-list WS_REDIRECT
ip access-list WS_REDIRECT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
interface vlan 7
ip wccp 1 redirect in
ip wccp 5 redirect in
ip wccp 70 redirect in
This redirects all the traffic, even the deny list.
No bug reported in bug toolkit.
Could you please help me.
Okay, it's weird you have multiple WCCP groups.
Considering you are only using one ACL, just simply use one WCCP Group ID.
Also, here is a sample config:
Let's say you want to redirect traffic from VLAN 10,11 and 12 to WCCP
and your WCCP device is at VLAN20
#conf t
#ip wccp version 2 -DEFAULT: ver1
#ip wccp 90
#ip wccp 90 password wccp123 -THIS IS OPTIONAL! Place a password on your WCCP instance.
#interface vlan 10
#ip wccp 90 redirect in
#interface vlan 11
#ip wccp 90 redirect in
#interface vlan 12
#ip wccp 90 redirect in
#interface vlan 20
#ip wccp redirect exclude in -avoid optimization loops
Your WCCP device will be in VLAN 20, and I recommend dedicating that VLAN to WCCP devices:
Configure your WCCP device (Websense) and define the Service group ID; in this example, it's wccp 90 and of course the IP of VLAN 20
By default, all traffic in interfaces configured with "wccp 90 in" will forward traffic to the WCCP device -
Hello all,
This is a new install, I am trying to bring up a WAE-674 box at one of my remote sites with 2 routers (a 3725 and a 2621) at this remote site and I am using WCCP for traffic redirection. I am having an issue with WCCP on the 3725 router, for some reason when I enable the command "IP wccp 62 redirect in" under the WAN serial interface I suddenly can no longer telnet to the fastethernet interface on the router but I can still ping it and still able to telnet to the loopback interface. And I have no issue with WCCP on the other 2621 router with the same config setup.
Has anyone run into this issue before? I appreciate any feedback on this!
I am running IOS version 12.3(14)T7 on the 3725 router and WAAS software version 4.1.1c
Thanks in advance !!
Danny
You will want to explore CSCsg30875 to see how it applies to your installation
CSCsg30875 wccp blocking telnet to router
Since 12.3T is EOL, it probably was not tested and may or may not exist in that Cisco IOS track.
End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.3T
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6947/ps5207/prod_bulletin0900aecd803a0ffe.html
Thank You,
Dan Laden -
Does wccp redirect break routing protocol?
This may be a dumb question to ask, sorry i don't have equipment to test it at this moment.
If wccp redirect is configured on an interface running routing protocol (such as eigrp or ospf), will this redirect the "unicast" ospf database or eigrp topology update to WAAS? and/or will this also redirect ospf & eigrp "multicast" update which maintains neighbor relationship to WAAS?
Should this type of traffic be denied on wccp redirect-list?
Thanks
Hi Joe,
Since WAAS normally uses TCP promiscuous mode services, based on service group number 61 and 62 - you'll only get TCP redirected ... and neither OSPF nor EIGRP runs on top of TCP, so don't worry.
If you run a TCP based routing protocol like BGP, it will get redirected.
Later versions of WAAS don't, by default, try to optimize on BGP, as it has given some problems in the past due to sequence number manipulation.
Best Regards
Finn Poulsen -
WCCP Redirect list ACL mask for WAAS
Good day,
I would like to confirm if the following would be correct to implement for WCCP redirection list on 6500. We have over 800 branches and we also need to manage the intra-server traffic in the Data Center which we do not want to be re-directed.
ip access-list extended WCCPLIST-61
permit tcp 10.112.0.0 0.0.31.255 any
ip access-list extended WCCPLIST-62
permit tcp any 10.112.0.0 0.0.31.255
So, as an example, would these masks work for us, as the number of entries otherwise would be exhaustive.
Just want to confirm that the mask in the ACL doesn't have to match exactly.
Thanks in advance.
Hi Zach,
Thanks for the response and confirmation.
I was wanting to make sure that it is not required to have the masks match the source masks, resulting in the exhaustive list (operational nightmare).
A quick question on the ACL for WCCP redirect-list. Should we not see hits on specific entries (e.g. permit tcp 10.113.9.0 0.0.0.31 any for the 61 redirect list, and the same for the permit tcp any 10.113.9.0 0.0.0.31 for the 62 redirect list).
If we don't, no traffic? We see flows on the branch WAE, although very few (not many users), but no hits on the ACL on the DC 6500. Is this due to them being handled in hardware maybe, TCAMs?
Any input would be appreciated.
Thanks again.
Paul. -
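How the redirect lists quoted in two of the threads above evaluate under first-match, wildcard-mask rules (the WS_REDIRECT list from the Nexus post and the WCCPLIST-61 entry from the 6500 post), as an added Python example that is not code from any poster or from Cisco. The flows are constructed sample values and the function names are hypothetical; it models ACL matching only, not how a given platform programs the list in hardware.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21}  # port keywords used in the ACLs on this page

# Redirect lists copied from the threads above.
WS_REDIRECT = """
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
"""
WCCPLIST_61 = "permit tcp 10.112.0.0 0.0.31.255 any"


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))


def parse_acl(text):
    """Parse 'permit|deny proto src dst [eq port]' lines into a list of entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = None
        if tokens:
            if len(tokens) != 2 or tokens[0] != "eq":
                raise ValueError(f"unsupported port clause: {line!r}")
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        entries.append((action, proto, src, dst, port, line.strip()))
    return entries


def _addr_match(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, dport):
    """Return (action, matching line); the first matching entry wins.

    For a WCCP redirect list, 'permit' means the flow is eligible for
    redirection and 'deny' means it is forwarded normally.
    """
    s, d = _ip(src), _ip(dst)
    for action, e_proto, e_src, e_dst, e_port, line in entries:
        if e_proto not in ("ip", proto):
            continue
        if not (_addr_match(s, e_src) and _addr_match(d, e_dst)):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action, line
    return "deny", "(implicit deny at end of list)"


def wildcard_range(base, wildcard):
    """Lowest and highest address matched by a base/wildcard pair."""
    b, w = _ip(base), _ip(wildcard)
    low, high = b & ~w & 0xFFFFFFFF, (b | w) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


if __name__ == "__main__":
    acl = parse_acl(WS_REDIRECT)
    # Constructed sample flows: (protocol, source, destination, destination port).
    flows = [
        ("tcp", "10.20.7.15", "10.1.1.10", 80),       # internal web server
        ("tcp", "10.20.7.15", "172.20.5.5", 443),     # internal, 172.16/12 range
        ("tcp", "10.20.7.15", "198.51.100.10", 443),  # external HTTPS
        ("tcp", "10.20.7.15", "198.51.100.10", 22),   # external SSH
        ("udp", "10.20.7.15", "198.51.100.10", 443),  # not TCP
    ]
    for flow in flows:
        print(flow, "->", evaluate(acl, *flow))
    print("WCCPLIST-61 covers", wildcard_range("10.112.0.0", "0.0.31.255"))
```
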
Can P2 be used with transparent WCCP redirection?
I have the following scenario for a WSA:
A. P1 is configured as the internal facing proxy interface.
B. P2 is configured as the public facing interface on a separate subnet from P1.
C. IP spoofing has been enabled.
D. The WSA uses transparent redirection based on the destination port with WCCP service 91 and WCCP service 92 with source port redirection for the return path.
F. IP spoofing is then disabled.
After IP spoofing is disabled, will transparently proxied traffic only use the P1 interface? Will the second (return path) WCCP service need to be disabled on the WSA?
I'm interested in being able to use both P1 and P2 to reduce proxied traffic congestion on the P1 interface after IP spoofing is disabled.
Hi Parleysmith,
WCCP will only be used to redirect client traffic on the P1 once it is disabled on the P2 interface using service ID 92. The service ID 92 also needs to be disabled on the WSA.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator -
Afp sharing bug with static IP ? cannot connect to shared folder via wireless router
Does anyone ever try this ?
I got 2 Macs (iMac Snow Leopard 6.6 and MacBook Pro Leopard 10.5.8), connected to a wireless router using UTP cable and set using static IP. Connection is ok, ping is ok, ftp between the two Macs is ok, browsing the internet is ok. But I got one problem, I can't connect to the shared folder. Error: 'connection failed'. I can see the other Mac's icon in the shared section in Finder, but I can't connect to it. The problem is fixed if --> The only way I can connect to the shared folder is if I change the IP from static to DHCP. Or if I want to keep my static IP, I have to connect Mac to Mac (using crosscable or AirPort) without the router, then the sharing folder will work fine. Anyone got a similar problem? The problem only happens while sharing using the afp and smb methods. I have no problem with ftp, ftp sharing is working perfectly in any situation above.
My conclusion: afp sharing is having a problem when applied with static IP and connected to a router (or wireless router only??). Is this an afp bug on Snow?
Any idea?
Thanx
I did pay the 12 dollars, but I think the program remembers with the free one. If you didn't ever have to do port forwarding in the past, then you likely won't have to do it again. I couldn't get modern warfare to play properly without it. But your situation might be different.
If you had it in the DMZ, then that is a work around to doing port forwarding, so that will still work for you as it did before, and if you reset it properly, then yes you will have to put the ps3 back in the dmz.
just keep in mind if you changed your WiFI SSID or Password, it will reset to the default, and the default is found on your sticker that is on your router. -
Does 2960-X with LAN Base support static route?
Does 2960-X with LAN Base support static route?
Yes. You need to load the correct IOS, 12.2(55)SE (and later), and you need to change the SDM Template.
Read more HERE. -
We have a VSS based on 2x WS-C4500X-16. The VSS is used as a Layer 2 switch for different VLANs in our DC.
After making the VSS a Layer 3 gateway for our production VLAN and adding 2 routes for routing purposes, we encountered network downtime with high CPU in the VSS and huge log messages:
.May 14 12:11:25.947: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.22 Vlan100
.May 14 12:11:34.516: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.22 Vlan100
.May 14 12:11:40.072: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:11:49.682: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:11:55.079: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:12:00.926: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.40 Vlan100
.May 14 12:12:06.701: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.8.32 Vlan100
.May 14 12:12:12.624: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.40 Vlan100
.May 14 12:12:21.627: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.40 Vlan100
.May 14 12:12:32.261: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.8.32 Vlan100
.May 14 12:12:41.801: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.2.105 Vlan100
.May 14 12:12:49.633: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:12:54.831: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:12:59.960: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:13:08.745: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:13:16.138: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:13:22.393: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:13:31.415: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.141 Vlan100
.May 14 12:13:38.944: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.2.215 Vlan100
.May 14 12:13:45.972: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
Below is the show version of our VSS,
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.04.00.SG RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 05-Dec-12 04:38 by prod_rel_team
ROM: 15.0(1r)SG10
S_C4500X_01 uptime is 33 weeks, 1 day, 14 minutes
Uptime for this control processor is 33 weeks, 1 day, 16 minutes
System returned to ROM by power-on
System restarted at 11:59:10 UTC Tue Sep 24 2013
Running default software
Jawa Revision 2, Winter Revision 0x0.0x40
Last reload reason: power-on
License Information for 'WS-C4500X-16'
License Level: ipbase Type: Permanent
Next reboot license Level: ipbase
cisco WS-C4500X-16 (MPC8572) processor (revision 9) with 4194304K/20480K bytes of memory.
Processor board ID JAE173303CF
MPC8572 CPU at 1.5GHz, Cisco Catalyst 4500X
Last reset from PowerUp
4 Virtual Ethernet interfaces
32 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2101
Can you help please,
Hi,
thanks for your reply, but there is no hsrp configured, just an interface vlan. with 2 static routes and the problem was there for more than an hour before we decided to rollback.
Is there a BugId with this problem in Cisco DataBase.
here is a show ip route
S_C4500X_01# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.2.1.253 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.2.1.253
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/8 is directly connected, Vlan100
L 10.1.1.250/32 is directly connected, Vlan100
172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.31.0.0/16 is directly connected, Vlan120
L 172.31.0.1/32 is directly connected, Vlan120
S 192.1.0.0/16 [1/0] via 10.1.1.254
and the show ip cef:
_C4500X_01# show ip cef
.May 14 12:13:57.859: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.158 Vlan100 f
and show ip arp
Thanks
Lotfi -
Help with RV042 Static Routing
I just purchased an RV042 Dual WAN Router. Both WAN's are connected from different ISP's. I have a PBX phone server connected to this router and want all traffic to and from this phone server going out strictly on one WAN and all the computers and the rest of the traffic on the other WAN. If I understand correctly, this needs to be set up in static routes? If that's the case, how would I do that? If not, the question still stands. Please help.
Hello Vitaly,
What you are looking for is Protocol Binding. By setting this up you will be able to control what traffic goes out which WAN port. Protocol Binding can be done for certain traffic types or for certain IP addresses. -
ACE as cache engine for wccp redirection
Does anybody know if the ACE 4710 appliance supports WCCP acting as a web-cache engine? I am exhausting all possible options, and then some, for deploying a new application networking environment. I just returned from ACE training last week and found myself ramping up to deploy a new ACE.
I have pretty much exhausted my options for topology. We discussed several different designs in class and I don't like any of them. I have some serious problems with using the ACE as a default-gateway for servers. That option is out due to how other "non application" traffic is handled. Traffic such as RDP from IT support staff, patching from SMS servers, virus dat updates, vulnerability scanning... it all routes to the ACE which has to have static routes... then clients hitting the application VIPs have to be natted so the ACE does not use the static routes and reply directly... it all becomes a very big problem over time.
Second and third options are one-armed and direct server return... both not suitable for my requirements.
Now... that leaves me with an option we currently have deployed. That is to use a distribution route-switch (Catalyst 4500 Sup-IV) in the middle. The Cat uses PBR to return http traffic from the web servers back to the ACE. All other traffic follows normal routing table.
Ok... that works perfect... except PBR is not supported in the Sup-6 engine. Unbelievable... I know. This is a major fly in the ointment for this new deployment.
Now... there is another protocol that is often used for redirection... WCCP. If the ACE were a wccp web-cache, the router could be configured to redirect ingress http to the ACE. But... the ACE would have to act as a web-cache engine and register with the Cat as a home-router.
I am sure this option is not an option... but it would be nice. The ACE 4710 appliance has the general processor to do it but it would have to be implemented in software. I'm running A3(1.0) and I cannot find anything related to wccp. Nothing in the command-reference.
If there are any Cisco developers interested in adding some killer functionality... this would be it. Wccp can be done in layer-2 as well as layer-3. The Sup-6 supports layer-2 redirection. Since the ACE is generally layer-2 adjacent this would be rather easy to implement. Anyway... food for thought.
I just would like to mention that you could have ACE in bridge mode inserted between your servers and the gateway (4500).
All traffic will go through ACE but no need for NATing and no static routes (just one default route pointing to the 4500).
The only problems would be if you exceed the BW of the 4710 with all your traffic.
Regarding the WCCP support for the 4710 this is not currently in our roadmap.
Ask your cisco account team to introduce the request.
Thanks,
Gilles. -
Issues getting url-redirect working with Cisco ISE
Hi,
I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect radius attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debugging the radius information on the switch I can see that it's passing the url-redirect to the switch, which in my case was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc. from the equation, if I copy and paste this URL into the client browser it takes me to the correct place, and I can log in and it changes VLANs accordingly. Now as far as I know the client should automatically be redirected to this URL, which is not working. Below I have included one of the debugs to show that the epm is in place.
DEVLABSW01#show epm session ip 10.0.1.104
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
I have also attached my switch config. Any help would be greatly appreciated.
Dan
So I'm also doing ISE for the first time and I knew it may have been a bit tough, however I didn't foresee my following issue.
Everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device - Android, Windows, etc..... I checked and checked the configs, had probably about 10 TAC cases open..... This weekend I ripped out the main components, set up in the office and tried to replicate the issue.... I could... What I noticed is that without Internet the ISE Portal didn't actually display.... It sounds weird but that's what I'm seeing..... As soon as I plug the Internet link into the equation, the portal page comes up..... I'm able to replicate it every time... Currently, I placed it back into the customer network and I'm now looking down at the routing/firewall......
my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....
if anyone can explain why, it would help out a great deal..
My setup BTW is
1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
2. ISE 1.2 - Doing simple Wireless only implementation
3. 3650 - Just acting like a switch - no ACLs etc - just a switch
4. Integrated into AD
Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...
thanks again how i can get some feedback