Extended ACL and pbr behavior

Answered Question
Mar 6th, 2009

Hi,


I can't seem to understand this behaviour and I'm kind of leaning towards thinking that it is a bug, or perhaps I'm missing something. Any insight greatly appreciated.


I have PBR set up to send FTP-only traffic through a different gateway/PIX firewall for a few specific local hosts. This is configured on a 6509 MSFC2 router with c6msfc2-psv-mz.121-11b.E.bin code.


route-map ftp_only_viaPIX3 permit 30
 description FTP outbound Via PIX3
 match ip address 101
 set ip next-hop 10.10.0.1
 set ip default next-hop 192.168.2.4

interface VlanXX
 ip policy route-map ftp_only_viaPIX3

access-list 101 permit tcp host 10.168.100.40 any eq ftp
access-list 101 permit tcp host 10.168.100.40 any eq ftp-data
access-list 101 permit tcp host 10.168.100.38 any eq ftp
access-list 101 permit tcp host 10.168.100.38 any eq ftp-data


The FTP traffic works fine going through the PIX3 gateway, and the rest of the traffic (www and others) goes through the regular default route.


When I place the keyword log at the end of each access-list 101 line, the PBR for FTP no longer works; if I remove the log keyword, the PBR works, so I have to leave it without the log. But when I do show access-list 101, no hit count is seen against any of the ACL statements at all. The FTP is confirmed to be going through the right gateway, because the FTP server at the other end sees the public PAT address for these hosts.


Could this be a bug?


Regards


Correct Answer
Edison Ortiz Fri, 03/06/2009 - 12:41
It's not a bug but a normal PBR behavior on a hardware assisted PBR such as the one implemented in the 6500.


Unlike routers, the PBR in the 6500 does not accept the log keyword.


HTH,


__


Edison.
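As an added example (not from the thread or from Cisco), a small Python lint for the situation described above: it parses an IOS-style config, finds the route-maps actually applied with ip policy route-map, collects the ACLs those route-maps match on, and flags any entry in those ACLs that carries the log keyword (the entries that stop hardware PBR on the 6500). The sample config is constructed to mirror the poster's setup, with log added to two of the ACL 101 lines; interface and ACL 102 names are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample config modelled on the thread (not a real device dump).
# ACL 101 is matched by the PBR route-map; ACL 102 is not applied to PBR.
SAMPLE_CONFIG = """\
route-map ftp_only_viaPIX3 permit 30
 description FTP outbound Via PIX3
 match ip address 101
 set ip next-hop 10.10.0.1
 set ip default next-hop 192.168.2.4
!
interface Vlan10
 ip policy route-map ftp_only_viaPIX3
!
access-list 101 permit tcp host 10.168.100.40 any eq ftp log
access-list 101 permit tcp host 10.168.100.40 any eq ftp-data
access-list 101 permit tcp host 10.168.100.38 any eq ftp log
access-list 101 permit tcp host 10.168.100.38 any eq ftp-data
access-list 102 permit ip any any log
"""

def policy_route_maps(config: str) -> Set[str]:
    """Names of route-maps applied to an interface with 'ip policy route-map'."""
    return set(re.findall(r"^\s*ip policy route-map (\S+)", config, re.M))

def route_map_acls(config: str) -> Dict[str, Set[str]]:
    """Map each route-map name to the ACLs named on its 'match ip address' lines."""
    acls: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^route-map (\S+)", line)
        if head:
            current = head.group(1)
            acls.setdefault(current, set())
        elif current and line.startswith(" "):
            m = re.match(r"^\s*match ip address (.+)$", line)
            if m:
                acls[current].update(m.group(1).split())
        else:
            current = None  # "!" or another top-level stanza ends the route-map
    return acls

def logged_pbr_acl_entries(config: str) -> List[str]:
    """ACL entries using 'log'/'log-input' whose ACL feeds a PBR route-map in use."""
    acls = route_map_acls(config)
    pbr_acls: Set[str] = set()
    for name in policy_route_maps(config):
        pbr_acls |= acls.get(name, set())
    pattern = re.compile(r"^access-list (\S+) .*\slog(?:-input)?$")
    hits = []
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m and m.group(1) in pbr_acls:
            hits.append(line.strip())
    return hits
```

Running logged_pbr_acl_entries(SAMPLE_CONFIG) reports the two ACL 101 lines with log and ignores ACL 102, which is not referenced by any applied route-map.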
