WCCP with 3560

Similar Messages

• WCCP with CWAAS WAE

  Dear Community,
  By using WCCP Layer 2 forwarding on C6500, C3750 or ASR 1000 series routers to redirect intercepted traffic to the WAAS WAE the Cisco best practive recommends to use MASK ASSIGMENT for load balancing on such switches and ASR routers.
  With WAAS versin 4.2.1 and up the default MASK ASSIGMENT is "wccp tcp-promiscuous mask src-ip-mask 0xF00 dst-ip-mask 0x0".
  With a typical data center WCCP interception configuration (ingress interception with service 61 on the WAN, ingress interception with service 62 on the LAN), this mask load balances /24 branch subnets (it extracts the last 4 bits of /24 subnets). Connections from one branch subnet will be pinned to one data center WAE.
  Question:
  How should look like the "src-ip.mask" hex value if I would like to balance per host address instead of a Class C subnet?
  A per host /32 load balacing is required on large client-sites where each client ip@ has to be balanced over the WAEs.
  I am working on a project and missing the information how I can't find the "src-ip.mask" hex value information for a per host /32 load balancing on a site where only clients are located.
  Thanks for your comments and replys

  Unfortunately, I did not build the spread sheet so I wouldn't know/ if it's possible to convert to 2003.  I did see on that page that Excel 2007 is mentioned as a requirement for it to work properly.
  However, if you want a mask that will match on the 4th octet of your IP scheme use 0x000F (which simplifies to 0xF).  This will create 16 buckets just like the default mask in 4.2.1 (0xF00) but instead will match on the last 4 bits of the 4th octet of your IP.  Where the default mask matches on the last 4 bits of the 3rd octect.
  Hope this helps,
  Mike

• Load balance servers with 3560?

  Here is my scenario...
  I have two servers that are both connected to a single 3560 (SMI).
  These two servers are in a primary/secondary relationship. Right now, if the primary server goes down - we need to manually configure the secondary server to take over.
  I have two questions...
  What is the best way to set up fault tolerance with these devices, so the secondary server will automatically kick in if the primary goes down?
  In addition to that, is there any type of load balancing feature we can use on this 3560...so both the primary/secondary servers can run at the same time?
  Ideally, we would like communication to the second server kick in when the link to the primary server gets too congested.

  your best bet is to use IOS SLB or a content switch such as the cisco CSS series.
  please see the following links for more info on ciscos CSS and SLB capabilities:
  content switching (CSS) -
  http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns254/networking_solutions_package.html
  SLB - (example of use)
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080093de3.shtml

• 1142N NON_CISCO-NO_CDP_RECEIVED with 3560 switch

  I thought the 3560 switches, the 8 port and 24 port are 802.3af standard switches?  When I connect 1142N radios to them I get the no cdp error and the radios are disabled. I have 17 of these that I converted to LAP, and I got the issue both before and after upgrading to LAP from AP.  It's not like I disabled CDP on the switches.

  I may have found the problem. I thought I had initially connected to a switchport that was just setup as a switchport access vlan, with no other configurations on it, and after looking at the port found it was a trunk port, which should work, and does for the other AP's I worked with, but not the 1142N.
  I took one of the other AP's that is connected to the test switch I am using to setup the WLC and AP's and connected that to one of the unconfigured ports, with default settings and the radios both powered up and I saw CDP neighbor detail,
  I removed spanning-tree portfast from the trunk port, and reconnected the AP to that port, I saw it negotiated full power, but I dont see neighbor information. I had to console in and do a no shut on dot11radio 0 for it to come up on all 3 of them.
  I went back and pulled that new one out of the box and reconnected to the interface I used before after removing portfast, still had the same problem, then removed the trunk configuration, and rebooted. Now I see
  *Mar  1 00:14:19.266: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3560-8PC
  Fa0/6     auto   on         14.5    AIR-LAP1142N-A-K9   3     15.4
  I took one of the other AP's that I boxed up and connected it to the same port, this was a converted AP to LAP.
  Fa0/6     auto   on         15.4    AIR-LAP1142N-A-K9   3     15.4
  Futher puzzlement, plugged that last AP into the test switch which is setup to mimic a remote location with trunk ports for FlexConnect, and after the radio powered up, and joined the controller, saw this.
  wmmAC status is FALSE
  *May 30 08:15:02.896: Starting Ethernet promiscuous mode
  *May 30 08:15:03.150: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
  *May 30 08:15:03.222: %LWAPP-3-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
  *May 30 08:15:03.629: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-2504
  *May 30 08:15:03.677: %LWAPP-3-CLIENTEVENTLOG: SSID wlcman added to the slot[0]
  *May 30 08:15:03.710: %LWAPP-3-CLIENTEVENTLOG: SSID internal added to the slot[0]
  *May 30 08:15:04.137: %LWAPP-3-CLIENTEVENTLOG: SSID guest added to the slot[0]
  *May 30 08:15:04.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *May 30 08:15:04.461: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
  *May 30 08:15:04.462: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *May 30 08:15:04.552: %LWAPP-3-CLIENTEVENTLOG: SSID wlcman added to the slot[1]
  *May 30 08:15:04.553: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *May 30 08:15:04.575: %LWAPP-3-CLIENTEVENTLOG: SSID internal added to the slot[1]
  *May 30 08:15:05.010: %LWAPP-3-CLIENTEVENTLOG: SSID guest added to the slot[1]
  *May 30 08:15:05.866: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
  *May 30 08:15:06.055: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
  *May 30 08:15:06.351: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
  *May 30 08:15:07.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  *May 30 08:15:07.215: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
  *May 30 08:15:07.216: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *May 30 08:15:08.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *May 30 08:15:08.237: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
  *May 30 08:15:08.237: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
  *May 30 08:15:09.245: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  Why would radio 0 be admin down? It is enabled on the WLC.  I went into the AP and did a no shut on it too.  Not sure what is going on with this, never ran into this sort of issue before.

• WCCP with Catalyst6500 version 12.2(33)SXH1

  recently I deployed WAAS 4.1.1c with Catalyst6500. We have several different L3 vlan interfaces configured as wccp 61/62 redirect in. The L3 vlan interface connected to the direct servers is normal. However, I found that L3 vlan interface connected to internal FWSM outside interface doesn't work well.
  I don't know if it's a Catalyst6500 IOS or WAAS issue.
  Thanks,
  Daniel

  Hi Daniel,
  Can you please describe wasn't isn't working with the FWSM outside interface? If possible, it would also help to get a copy of the 6500 and WAAS configurations.
  Thanks,
  Zach

• Use of CE/WCCP with Microsoft ISA server acting as an authentication proxy.

  We have a design where all web users are authenticated against Active Directory by Microsofts ISA server proxy service prior to accessing web resources.
  Is it possible to implement a CE behind the ISA server, and still have the proxy authenticate users credentials?
  My concern is that WCCP will redirect traffic to the content engine first, if the content is not available, wil the content engine then forward to the proxy for authentication prior to the request going out to the web?
  Cheers,

  Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
  If anyone else in the forum has some advice, please reply to this thread.
  Thank you for posting.

• WCCP with Catalyst6500 version 12.2(33)SXI

  Hi,
  I deployed 2x6500 and 3xWAE in a branch. Problem is when I set wccp on - all traffic is cut off for the interface with service 61. I've ACL considering traffic which have to be redirected but there is no any match in this ACL.
  Each WAE is connected to both 6500 (FE, full-duplex). I've also another branch in the same configuration working (but WAE is connected by GE - this is only one difference)
  WAAS 4.1.1c
  any idea?

  Darek,
  A couple of comments on your configs. I would not use the following configs with a hardware based redirection on a CAT-6K.
  int tunnel x
  ip wccp 62 redirect in
  - As far as I know, this should not work for redirection on a hardware based platform, however, it WILL work on a software based IOS platform.
  egress-method negotiated-return intercept-method wccp (on the WAE)
  - This should cause your egress traffic to be all prossess by the CPU as it cannot do WCCP-GRE on the SUP. Use Generic GRE egress instead for CAT6Ks. http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v411/configuration/guide/traffic.html#wp1106308
  Both of those configs will give you trouble on a hardware based platform. I might recommend that you move away from the tunnel interface if at all possible. As a side note, on the newer ASR-1000 platform, we can do interception on tunnels as well as negotiated return in hardware.
  Hope that helps,
  Dan

• WAE-674 WCCP with 3725 router

  Hello all,
  This is a new install, I am trying to bring up a WAE-674 box at one my remote sites with 2 routers (a 3725 and a 2621) at this remote site and I am using WCCP for traffic redirection. I am having an issue with WCCP on the 3725 router, for some reason when I enable the command "IP wccp 62 redirect in" under the WAN serial interface I suddenly can no longer telnet to the fastethernet interface on the router but I can still ping it and still able to telnet to the loopback interface. And I have no issue with WCCP on the other 2621 router with the same config setup.
  Has anyone run into this issue before ? I appreciate any feedbacks on this !!!!
  I am running IOS version 12.3(14)T7 on the 3725 router and WAAS software version 4.1.1c
  Thanks in advance !!
  Danny

  You will want to explore CSCsg30875 to see how it applies to your installation
  CSCsg30875 wccp blocking telnet to router
  Since 12.3T is EOL, it probably was not tested and may or may not exist in that Cisco IOS track.
  End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.3T
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6947/ps5207/prod_bulletin0900aecd803a0ffe.html
  Thank You,
  Dan Laden

• Cisco 4507R WCCP with blue coat SG 8000 as proxy server integration

  Dear All,
  I installed the blue coat on one of the vlan with users in diffwrent vlans. The core 4507R is used with L3 vlans as gateway for the respective vlan users. Now i need to configure both core switch and blue coat as proxy server so that all the users in different vlans access internet websites without configure the blue coat proxy address but the core switch would redirect the users request to the blue coat proxy server. I tried with latest IOS upgrade to the switch eventhen i could not get the cmds related to WCCP blue coat documents suggest to use in core switch to configure the proxy server of SG8000
  Could any one help me to solve this issue.
  Thanks
  swamy

  Following link may help you
  http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008062cfc6.html

• Strange behavior with 3560s and RPS 2300

  I just installed an RPS 2300 in a small branch office that has a pair of WS-C3560-24PS switches.  There are two odd things I'm noticing:
  1) When I do "show env rps", it shows the RPS detected but I don't get any information about it.
  Switch#show env rps
  SW  Status          RPS Name          RPS Serial#  RPS Port#
  1   Active          <>
  2) When the switch loses power it fails over to the RPS just fine, but does not fail back to regular power automatically.  I have to unplug the RPS. 
  I've installed same model RPS with a pair of 3750-Es switches, and in that case, "show env rps" from the switch shows me the RPS information, and failback happens when regular power is restored.
  Is there something different about the 3560s, or did I miss something in the configuration?  The switches are running 12.2(55)SE7, IP Services.

  Yes, just found via searching automatic failback is only supported on the 3560-E and 3750-E.
  https://supportforums.cisco.com/message/3669961#3669961
  Also noticed the "power rps" commands are only supported on the 3560v2, so those won't work for me.
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/command/reference/3560cr/cli1.html#wpmkr11908996
  What's funny is while the exec commands don't work, the config-mode commands do. 
  Switch#power rps name serialnumber
  Can not execute cmd on legacy switch 1
  Switch#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch(config)#power rps deviceid serialnumber
  Oh well.  I've been wanting to replace the 3560s with 3750Gs, so this is yet another reason to do so!

• PoE problem with 3560-48 port

  I am trying to power a door entry system which is 802.3af compliant (clas 3) from a 48 port 3560. It works on a 24 port version and on an HP switch but it will not work with the 48 port variant. The error log says "power Imax error". Looking at the documentation, although the switch cannot support all 48 ports at the full 15.4W, it should be able to intelligently manage power delivery to support up to 24 devices (I only need it to support 1), but this is not happening. Does anyone have any thoughts on this problem?
  Thank you.

  The cause of this Message is output in the following condition.
  1. Either IEEE 802.3af power device or Cisco power device is detected.
  2. Power is given to the device, but link is not up with (5 or 10 seconds), and power thenwill be removed and this error message is generated.
  These features have been added to Cisco IOS Release 12.1(19)EA1c .
  Ability to provide power to connected Cisco prestandard and IEEE 802.3af-compliant powered devices from all Catalyst3750-24PS, 3750-48PS, 3560-24PS, and 3560-48PS switch 10/100 Ethernet ports if the switch detects that there is no power on the circuit.

• Intel MAC Compatibility with 3560/Other Catalyst Switches

  Some of our users recently reported problems with their new Intel based Macintosh computers when we upgraded from old Extreme Summits to Catalyst 3560 series switches. They report sluggish response from the network. We have checked the ports for negotiation issues and errors and do not find any. Suspect the Intel Mac; but wanted to find out if anyone else is experiencing the same or has suggestions. Thanks.

  Hello,
  to my understanding MAC issues should not be the cause of your issues. Either the Ethernet frame is standard compliant, then there should not be an issue with Catalyst switches and no port errors. Or the Ethernet frames or MAC in use is non standard then the switch would report an error.
  Network response times depend on many things and negotiation might be the first thing to check - as you did. I would still recommend fixed settings for port speed and especially duplex. Just to avoid also intermittend problems (f.e. between PC reboots).
  Have you also checked for MTU and TCP window size settings? What else did change when you upgraded to the 3560s? Did you also check Router and switch ports for duplex and speed settings?
  Hope this helps! Please rate all posts.
  regards, Martin

• WAAS using WCCP with gre tunnel going via vpn

  Hello All
  I am trying to get WAAS using WCCP to work according to the attached diagram. I would like to know if there is a redirection config that I need to apply to the ASAs?
  Many thanks
  Donagh

  Hello
  Thanks for your reply.
  I posted this twice in error.
  Original is here
  http://preview.tinyurl.com/ygpuehy
  You might have a look and see if you agree. I have not deployed yet.
  Thanks
  Donagh

• WCCP with Layer2

  Hi,
  I want to configure WCCP on Layer2 Redirection on Cisco Router 3800, but only GRE mode is working layer2 redirect is not comming up.
  Cisco Router Details: Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.4(15)T7, RELEASE
  Proposed diagram is attached.
  WCCP will be configured on LAN Interface of Router.
  Observation: if cashing engine connected on (L3 Switch) LAN side of router, Layer2 Redirection is working fine. But if cashing engine connected on additional interface of router layer2 mode is not working.

  Hi Karthik,
  Please find commands on Router as below and WCCP configuration on Cashing Engines screen is attached --
  Router Configuration
  Router (config)# access-list 101 permit ip 172.60.10.0 0.0.0.255 172.80.10.0 0.0.0.255
  Router (config)# ip wccp 53 redirect-list 101
  Router (config)# ip wccp 54 redirect-list 101
  Router (config)# interface FastEthernet0/0 (LAN Interface of Router)
  Router (config)# ip wccp 53 redirect in
  Router (config)# ip wccp 54 redirect in
  Router (config)# end

• Wccp with wsa

  Dears,
  i have 2 no's of  wsa i am planning to have redundancy, if incase  one of the wsa fails still the 6509 will forwards traffic to fails wsa ???
  I want to know what does actually layer 4 switch does ??
  below is the configuration
  access-list 10 permit host 10.1.1.1-----WSA-1
   access-list 10 permit host 10.1.1.2---WSA--2
  ip access-list extended protocols
  permit tcp any any eq 443
  permit tcp any any eq 20
  permit tcp any any eq 21
  permit tcp any any eq 80
  ip wccp version 2
  ip wccp 120 redirect-list protocol
  ip wccp web-cache group-list 10
  interface gigabitethernet2/1
  description wsa-1
  ip wccp 120 redirect in
  interface gigabitethernet2/2
  description wsa-2
  ip wccp 120 redirect in
  Thanks

  don't worry about "layer 4", it doesn't affect you...
  I think you have the config wrong.
  I have some questions first...
  Is the firewall plugged into the 6509? If so, which port(s)?
  Which firewall do you have?  Is it redundant?