WCCP redirection issues over 3560 E

Hello everybody
I have a WS-C3560E-24PD-S in my Data Center, in this switch I have vlan configuration and it is connected with a switch 4503 Core via a Port channel (4 interfases).
My problem is that the switch is not accepting any command related to the redirection (ip wccp version 2, ip wccp 61 (62), etc.)
I used this link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_52_se/configuration/guide/swwccp.html#wp1031033
I updated the IOS to be the same as the version in the Link. So to this moment I've done everything the link has suggested and i'm not getting the switch to accept the commands.
Do you have any suggestion I can take?

Hi Rene,
The 3560-E (and 3750-E) models have a universal IOS image, and dependant on a license and a PAK code you'll either run IP Base or IP Services.
If you do a show version you'll probably see something like this :
License Level: ipbase   Type: Default. No license found.
Next reboot license Level: ipbase
To run IP Services on a 3560-E you'll neeed to purchase an IP Services license (product number 3560E-IPSLCB-QTY - IP Services for 3560 E, upgrade from the IP Base Feature Set ) which have a list price of 4K US $ -  so you don't have to buy a new switch ... just an expensive license :-(
In order to run WCCP on a CAT4503 with Sup IV - you'll only need IP Base (at least from version 12.2(31)SGx)
Best Regards
Finn

Similar Messages

  • WAAS - WCCP redirect in Cat 3560

    Are WAAS redirect ACLs supported on Catalyst 3560?
    Thanks

    You can only configure allow ACLs, no denys (except the deny all at the end).
    Dan

  • WCCP redirect not working on Cat 3560

    We have a 3560 running 12.2(37)SE1, IP services image.
    Through debug, we can see WCCP communication betweeen the 3560 and our content engine (for web caching).
    However, web traffic isn't being redirected to the CE at all. Instead, it goes straight out to the Internet.
    Does anyone have the same issue? Has anyone got their 3560 to work w/ their WCCP products (web caching or WAAS)?

    The 3560 does not support GRE redirection (layer3), so you need to use layer 2 redirection on your Content Engine for your 3560 to work fine with WCCP, also you need to use mask assignment since hash is non-supported as well.
    Check this link:
    http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a008081db5b.html#wp1051427
    Hope it helps!!

  • Wccp redirection for waas on same platform as wccp for websense?

    just wondering if anyone knows if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
    seems like the priority value would come into play determining which service group gets handled first?
    we currently do WCCP for WaaS on our 3945s.
    I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
    Thanks,
    Paul

    Hi Paul,
    Yes, it's technically possible to have WCCP redirection for several services even in those devices that don't support setting the priority. However, in this case, both WAAS and Websense need to redirect HTTP traffic, and that's what makes things complicated.
    Assuming you first want to send the traffic to Websense and then to WAAS, I would recommend doing the WAAS redirection only on the WAN link (with one service inbound and the other outbound). You can then configure Web-cache redirection inbound on the client vlan and, a service for the return traffic (I'm not sure if this is required for websense), inbound on the interface where the WAE is connected (with a redirect-list to match only the return direction)
    Even if it's possible to have both redirections in the same device, if possible, I would strongly suggest you to either use different devices for the redirection or to make them mutually exclusive (for example, not sending HTTP to WAAS), otherwise, if you make a small mistake with the configuration, you can end up with a redirection loop.
    Regards
    Daniel

  • ASR1002 throughput degradation when wccp redirect-list is changed

    We have two ASR 1002's going to 2 different WAN service providers, and two 7371 WAE load balanced by mask assignment. When we change the ACL (adding or removing lines) from our wccp redirect-list, the throughput on interfaces applied to the wccp service-groups is degraded to almost no traffic passing, until we completely remove wccp service group from the global configuration and then reapply. Then traffic throughput on the interface goes back to normal.
    Our ACL defined in the redirect list specifies our specific networks on our WAN that have WAE's and need the redirection. All other networks are denied implicitly. We need to regularly change this ACL, and this service interruption is a major issue. This was not an issue before moving to the ASR platform from 7206's.
    At TAC's request we have upgraded our IOS version to 15.1(3)S4 and that did not make any difference. Does anyone know why this occurs and if there is a way to work around this other than removing wccp configuration and adding back, every time the ACL needs to be modified?
    As a side note to this... We have recently added riverbed appliances, and created separate service groups with separate redirect-lists. The exact same behavior occurs on the ASR 1002 when the ACL for the riverbed's redirect list is altered.

    Thank you very much for sharing that information.  It is great to hear verification that the mask assignment change did resolve your problem.   That is the latest resolution that TAC has recommended, but we have to restart the WCCP service on all redundant edge routers to be able to implement this, so planning the outage window is taking some time.   We've been told that TAC will set this up in a lab and test for us by our Cisco SE.  We're hoping to get verfication that this actually resolves the problem before we take the outage.   
         If you could, can you tell me if this resolved the issue 100% or do you still have any performance issues when making a change to your WCCP ACL going to your bluecoat equipment?    We may also need to implement this in our redirects to BlueCoat from our Nexus.  Do you happen to have a link to how to make this change in Bluecoat?   Thanks again!

  • WCCP Redirection on a GRE Tunnel

    For some of our smaller branch offices we run GRE tunnels through a secured IPSec VPN connection over the Internet. Will WCCP redirect work if configured on the GRE Tunnel interface?

    Hi,
    Yes, it will work.
    Regards,
    Erik
    Sent from Cisco Technical Support iPad App

  • WCCP Redirect list ACL mask for WAAS

    Good day,
    I would like to conform if the following would be correct to implement for WCCP redirection list on 6500. We have over 800 branches and we also need to manage the intra-server traffic in the Data Center which we do not want to be re-directed.
    ip access-list extended WCCPLIST-61
    permit tcp 10.112.0.0 0.0.31.255 any
    ip access-list extended WCCPLIST-62
      permit tcp any 10.112.0.0 0.0.31.255
    So, as an example, would these masks work for us, as the number of entries otherwise would be exhaustive.
    Just want to confirm that the mask in the ACL doesn't have to match exactly.
    Thanks in advance.

    Hi Zach,
    Thanks for the response and confirmation.
    I was wanting to make sure that it is not required to have the masks match the source masks, resulting in the exhaustive list (operational nightmare).
    A quick question on the ACL for WCCP redirect-list. Should we not see hits on specific entry's (e.g.permit tcp 10.113.9.0 0.0.0.31 any for the 61 redirect list, and the same for the permit tcp any 10.113.9.0 0.0.0.31 for the 62 redirect list).
    If we don't, no traffic? We see flows on the branch WAE, although very few (not many users), but no hits on the ACL on the DC 6500. Is this due them being handled in hardware maybe, TCAM's?
    Any input would be apprecited.
    Thanks again.
    Paul.

  • WCCP v2 - "ip wccp redirect out" command

    I'd like to validate the following:
    1.- I have this equipment:
    Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE, RELEASE SOFTWARE (fc2)
    * Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
    I'd like to know if there's a version that support the command.
    1.- If there's no version that supports the command in the equipment. Then, which is the "smallest" switch model that can support the command.
    Thanks a lot for your support.

    Ali,
    The issue is that not all of your traffic is being redirected in hardware. When you configure outbound interception on the 6500/Sup720, the first packet for every flow is punted to the MSFC and switched in software. Subsequent packets for that flow are redirected in hardware using NetFlow forwarding. So the impact on your MSFC CPU utilization is tied to the number of connections per second (cps) being redirected, as well as some overhead for managing the NetFlow forwarding table.
    In addition, the command 'ip wccp redirect exclude in' is not completely understood by the 6500 hardware. So again, the first packet for every flow entering the interface with this configured must be punted to the MSFC and switched in software.
    And finally, the use of mask assignment (as opposed to hash assignment) is needed to ensure that all interception is handled in hardware).
    Taking these three points together, the following configuration is required if you want WCCP interception to be handled completely in hardware on the 6500/Sup720:
    - GRE or L2 forwarding
    - Mask assignment
    - Inbound redirection
    - No 'ip wccp redirect exclude in'
    This will require you to reverse the logic of how your service groups are applied:
    - 'ip wccp web-cache redirect in' on client-facing interfaces
    - 'ip wccp 95 redirect in' on internet-facing interfaces
    If you have any questions, please let us know.
    Zach

  • WCCP redirection in 3750 bad rcv id error

    I am attempting to sample a test deployment of WSA S170 with WCCP redirection using a CAT 3750-X.I have defined a custom service group as that of 91for redirecting HTTP and HTTPS traffic from my end user's subnets.I am repeatedly receiving an error as follows:-
    WCCP-EVNT:D91: HIA from 12.12.12.12 with bad rcv_id:76/0
    The CAT switch is running IOS 12.2(44)SE and the WSA is running an OS version of  7.1.3.Is it a bug on the provided version IDs/model number.Thank you in advance for your co-operation.
    Yours sincerely,
    Ajay D'mello       

    Ajay,
    I've seen those errors before and they were typically resolved with an upgrade on the switch.
    Can you also provide the output on the switch?  show run | include wccp
    I don't believe there is a really clean answer to this.  You can take a look at the WCCP logs on the WSA by enabling the logging level to debug (for proxylog), then tailing it from the CLI.
    You may also do a packet capture at the WSA and filter for 'udp port 2048' (no quotes) to see the WCCP packets to see if you can find anything wrong (look at the Here I Am and I See You packets).  But from the error you provided, I believe you will not see any I See You packets.
    If you do not find anything obvious in those, I'd recommend you open up a TAC case.  To be quite honest, I think this is a switch issue.  But if you feel it is an error on the WSA's end, you can pursue that route as well.
    -Vance

  • I wonder if It is working ip wccp redirect 61 and 62 on same int at C2800

    hi
    I wonder if it is working like below at C2800.
    case.1
    interface ATM1/0.40 point-to-point
    description to_WAN
    bandwidth 18000
    ip address 192.1681.1 255.255.255.0
    ip wccp 61 redirect out
    ip wccp 62 redirect in
    ! other configuration is omitted.
    In cisco recomemdation, we know that the following configuration is common.
    case.2
    interface fa1/0
    desc from_lan
    ip address 1.1.1.1 255.255.255.0
    ip wccp 61 redirect in
    interface ATM1/0.40 point-to-point
    description to_WAN
    bandwidth 18000
    ip address 192.1681.1 255.255.255.0
    ip wccp 62 redirect in
    BTW, the result of lab test, case.1 at C2800 didn't work, we tested it with FTP, but FTP open didn't open.
    when we change from option1 to option2 , We can open ftp and completed acclecation test.
    my questions point is that At C2800, option 1 is working?

    Hi,
    First thing we should verify is : is WCCP up and running while this issue is happening?
    Can you paste following CLI command ?
    Please get the output of following cli commands when the problem is happening.
    sh ver
    sh ip wccp
    sh ip wccp 61 detail
    sh ip wccp 62 detail
    Further, whar cache engine you are using? and what's the version of the CE?  Can you also paste the cli command output:
    sh egress-method
    sh wccp router
    sh stat connection | in
    Last thing: is this issue related to FTP only ? do you see same issue with any other traffic?
    is this traffic being optimized?
    One more thing you want to add is: add exclude in statement on interface connected to CE.
    cli command: ip wccp redirect exclude in
    Regards.

  • Guest Anchor - Web Passthrough - Apple device web redirect issue

    Hi All,
    I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
    Now, I was testing multiple clients to connect to the Guest SSID and observed that Apple devices are not redirecting url, resulting unsuccessful connection.
    I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
    Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
    My controller running code AirOS 7.6.130.0. I'm using DMZ controller as DHCP server for Guests and public DNS servers as 8.8.8.8 & 8.8.4.4
    How to solve this web redirect issue? Will a Third-party generated CSR solves the problem?
    Thanks,
    CJ

    Hi All,
    The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
    Jagan

  • Does introducing WCCP redirect for WAAS disrupt Netflow information?

    Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
    Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?

    I believe your problem may be due to the fact that you are redirecting http
    based traffic per the ACL configuration. The sup720 uses wccp v2 as a default
    version,however, the Sup720 does NOT support the hardware-based redirection for the TCP port 80 when we enable wccpv2.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.
    htm#wp1017009
    Support for Non-HTTP Services:
    WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80)traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.

  • Apply WCCP redirect to logical or physical interface?

    If there is a logical subinterface configured under its physical interface (for example serial0/0/0.100 for routing), I should apply WCCP redirect (ip wccp 62 redirect in) to the logical interface, not the physical interface. Is that correct?
    Thanks

    Yes. You apply WCCP redirect to subinterface if you are using sub interfaces.
    Regards.
    PS: Please mark this Answered, if it answers your question.

  • OIM 9102 , AD Password Sync 91x, JBoss 423GA - issue over SSL port.

    Followed the steps describe in "Deploying the connector"
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11218/install_config.htm#insertedID0
    section
    Pre-Installation both SSL n non-SSL works for SPML verification.
    For JBoss Application Server:
    http://IP ADDRESS:8080/spmlws/services/HttpSoap11
    https://IP ADDRESS:8443/spmlws/services/HttpSoap11
    Post Installation - configured SSL.
    On AD machine logs following error message is displayed:
    MAX_RETRY LIMIT count is not updated: OIM is down
    Following meta-link ID 1073889.1
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=PROBLEM&id=1073889.1
    explains to verify 'oimhost and oimport' - oimhost is machine ip address ( AD machine is able to ping OIM machine through ip address and machine name )
    oimport is 8443
    Any suggestion.
    Or anyone previously successfully deployed password sync over SSL for OIM 9102 and AD Password sync 91x,
    as i found a similar thread in OTN forum where user had issues over SSL.

    Did anyone resolve this issue? I have the same running SSL Password Sync on OAS 10.1.3.4 and OIM 9.1.0.2 BP09a with AD 2003.
    Debug [7/8/2010 6:35:45 AM] oimport is
    Debug [7/8/2010 6:35:45 AM] 4443
    Debug [7/8/2010 6:35:45 AM]
    Debug [7/8/2010 6:35:45 AM] oimsslclient is
    Debug [7/8/2010 6:35:45 AM] nw-dc-01.nwocaland.nwoca.org
    Debug [7/8/2010 6:35:45 AM]
    Debug [7/8/2010 6:35:45 AM] oimuserattr is
    Debug [7/8/2010 6:35:45 AM] USR_UDF_SAM_ACCTNAME
    Debug [7/8/2010 6:35:45 AM]
    Debug [7/8/2010 6:35:45 AM] oimusessl is
    Debug [7/8/2010 6:35:45 AM] Y
    Debug [7/8/2010 6:35:45 AM]
    Debug [7/8/2010 6:35:45 AM] oimappservertype is
    Debug [7/8/2010 6:35:45 AM] 2
    Debug [7/8/2010 6:35:45 AM]
    Debug [7/8/2010 6:35:45 AM] End of sgsloidi::getConfigParamters
    Debug [7/8/2010 6:35:45 AM] Inside sgsloidi::setParameters
    Debug [7/8/2010 6:35:45 AM] The SOAP start element is
    Debug [7/8/2010 6:35:45 AM] <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
    Debug [7/8/2010 6:35:45 AM] The SOAP end element is
    Debug [7/8/2010 6:35:45 AM] </SPMLv2Document>
    Debug [7/8/2010 6:35:45 AM] The path is
    Debug [7/8/2010 6:35:45 AM] /spmlws/HttpSoap11
    Debug [7/8/2010 6:35:45 AM] End of sgsloidi::setParameters

  • Does wccp redirect break routing protocol?

    This may be a dumb question to ask, sorry i don't have equipment to test it at this moment.
    If wccp redirect is configured on an interface running routing protocol (such as eigrp or ospf), will this redirect the "unicast" ospf database or eigrp topology update to WAAS?  and/or will this also redirect ospf & eigrp "multicast" update which maintains neighbor relationship to WAAS?
    Should this type of traffic be denied on wccp redirect-list?
    Thanks

    Hi Joe,
    Since WAAS normally uses TCP promiscuous mode services, based on service group number 61 and 62 - you'll only get TCP redirected ... and neither OSPF nor EIGRP runs on top of TCP, so don't worry.
    If you run a TCP based routing protocol like BGP, it will get redirected.
    Later versions of WAAS don't, by default, try to optimize on BGP, as it has given some problems in the past due to sequence number manipulation.
    Best Regards
    Finn Poulsen

Maybe you are looking for

  • External hard drive to network & Time Machine

    I set up a network in my house with a new Airport Extreme as the base station and an Airport Express for extended range (also plugged into the home stereo). Computers consist of an iMac G5 running 10.5.5 and a Sony Vaio running Windows. Today I plugg

  • New Patch in XML Publisher

    Hello Tim, In your announcement for the new patch, i think you haven't specified the new patch number. Below is your post. Thank You. This is a patch for Template Builder 10.1.3.4 and 10.1.3.4.1 The patch address the following issues: +8463992 - INCO

  • Table for transport history

    Hi Experts, I want to know which table stores the information about the history of an object's transports. I am looking for which transport were created and moved for a specific query.

  • Monthly average at run time.

    Hi, My report contains,say 10 ,records for each month.can I get an average of a keyfig in that month when I run my query? Kind regards, Aru

  • Creating a device type for Chinese Simplified

    Hello Gurus , i have a question regarding Device types. We recently bought a Chinese Simplified Font Flash USB and we installed it on an HP Laserjet 4515. In windows mode the printer is printing chinese correctly . But in SAP i didnt found how to mak