Can't seem to understand this behaviour and I'm kind of leaning towards thinking that it is a bug, or perhaps I'm missing something.. any insight greatly appreciated.
I have PBR set up to send FTP-only traffic through a different gateway/PIX firewall for a few specific local hosts. This is configured on a 6509 MSFC2 router with c6msfc2-psv-mz.121-11b.E.bin code.
route-map ftp_only_viaPIX3 permit 30
 description FTP outbound Via PIX3
 match ip address 101
 set ip next-hop 10.10.0.1
 set ip default next-hop 192.168.2.4
!
ip policy route-map ftp_only_viaPIX3
!
access-list 101 permit tcp host 10.168.100.40 any eq ftp
access-list 101 permit tcp host 10.168.100.40 any eq ftp-data
access-list 101 permit tcp host 10.168.100.38 any eq ftp
access-list 101 permit tcp host 10.168.100.38 any eq ftp-data
The FTP traffic works fine going via the PIX3 gateway, and the rest of the traffic (www and others) goes through the regular default route.
When I place the keyword log at the end of each access-list 101 line, the PBR for FTP no longer works; if I remove the log keyword the PBR works, so I have to leave it as such without the log. But when I do show access-list 101, no hit count is seen against any of the ACL statements at all, though the FTP is confirmed to be going through the right gateway because the FTP server at the other end sees the public PAT address for these hosts.
Could this be a bug?
It's not a bug but normal PBR behavior on a hardware-assisted PBR such as the one implemented in the 6500.
Unlike routers, the PBR in the 6500 does not accept the log keyword.
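A small config check for exactly this pitfall, added here as an example (not from the thread or from Cisco): it finds every ACL referenced by a route-map's "match ip address" line and flags ACL entries that end in log or log-input, since those silently break hardware PBR on the 6500. The sample config below is constructed to resemble the poster's, with the log keyword deliberately added on two lines.

```python
import re

# Constructed sample config modelled on the post; not the poster's actual device output.
SAMPLE_CONFIG = """\
route-map ftp_only_viaPIX3 permit 30
 description FTP outbound Via PIX3
 match ip address 101
 set ip next-hop 10.10.0.1
 set ip default next-hop 192.168.2.4
!
access-list 101 permit tcp host 10.168.100.40 any eq ftp log
access-list 101 permit tcp host 10.168.100.40 any eq ftp-data
access-list 101 permit tcp host 10.168.100.38 any eq ftp log
access-list 101 permit tcp host 10.168.100.38 any eq ftp-data
"""


def pbr_acls(config):
    """Return {route-map name: set of ACL ids} for every 'match ip address' line."""
    acls = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, set())
        elif current and line.startswith(" "):
            m = re.match(r"\s*match ip address (.+)", line)
            if m:
                acls[current].update(m.group(1).split())
        else:
            current = None  # left the route-map stanza
    return acls


def logged_acl_lines(config, acl_ids):
    """Return access-list lines belonging to acl_ids that end with log or log-input."""
    hits = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) .*\b(log|log-input)\s*$", line)
        if m and m.group(1) in acl_ids:
            hits.append(line.strip())
    return hits


def check_pbr_logging(config):
    """ACL lines that would stop hardware PBR on a 6500: referenced by a route-map and logged."""
    ids = set()
    for referenced in pbr_acls(config).values():
        ids |= referenced
    return logged_acl_lines(config, ids)


if __name__ == "__main__":
    for bad in check_pbr_logging(SAMPLE_CONFIG):
        print("remove 'log' from PBR ACL entry:", bad)
```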