
PBR is not working with ip slb configured

Answered Question
May 15th, 2006

I have a 7609 with a slb firewallfarm configured. It is running IOS 12.2(18)SXE3 with sup720. The firewallfarm is configured with default settings with no access parameter, only real servers configured.

All the traffic is coming from a single VLAN (it's not possible to implement another layer 2 way to make the traffic pass through) and I would like to make a single flow exit from another interface and not pass to the real servers configured on the FWfarm. I wrote the following PBR statements:


!!!!!!! Begin !!!!!!!
access-list 110 permit ip host XX.XX.XX.XX any
!where XX.XX.XX.XX is an omitted IP address
!
route-map NEW-ROUTEMAP permit 10
 match ip address 110
 set ip next-hop 192.168.253.3
!
interface Vlan55
 !vlan 55 is the interface from where the selected flows come
 ip route-cache policy
 ip policy route-map NEW-ROUTEMAP
!!!!! END !!!!!!!


The route-map seems to be working; in fact I can see matches on the ACL and route-map.

The problem is that the SLB seems to take charge of all the traffic, also the flow I would like to route to another interface; in fact, if I put my desired output interface in monitor I can see no traffic passing through.

SLB creates the sticky entry anyway; in fact, as far as I know, the SLB has priority over static routing and route-maps.

Any idea for a workaround? Is there a way to make PBR work with SLB?

Thanks in advance.

Ric


Gilles Dufour (Cisco Employee) Tue, 05/16/2006 - 00:03

CSCin82741

PBR does not work if both PBR & SLB are applied on same interface


Fixed in:

12.2(18)SXE & 12.2(17d)SXB05


Gilles.

tortoricir Tue, 05/16/2006 - 03:16

Thanks Gilles.

I was thinking about creating a new firewallfarm like this:


!Begin
ip slb firewallfarm NEWONE
 inservice
 access source XX.XX.XX.XX 255.255.255.255
 !
 real 192.168.253.3
  inservice
! End


Theoretically the FWLB should do the same work the PBR was supposed to do.

How will the IOS choose the right firewallfarm to apply? Do you think it will work?

In this way I can do the same job without re-testing a new IOS for the production environment.

Thanks in advance,

Ric

Correct Answer
Gilles Dufour (Cisco Employee) Tue, 05/16/2006 - 04:12

Ric,


I knew about this bug and thought this was it.

I checked your description and realised you are already running a version which normally integrates the fix.


This sounds like a bug and you should probably open a TAC case so we can report the problem and work on a fix.


Regarding your workaround, I think it should work.

The access-group should limit the traffic to only this host.

You will also need a static route using this real server.

Gilles.

tortoricir Tue, 05/16/2006 - 05:37

Gilles,

We opened a TAC case and we are waiting for a solution, because I still don't know if someone will approve my workaround.

Thank you very much for your help.


Riccardo

tortoricir Thu, 05/18/2006 - 01:52

Gilles,

TAC answered me that the router behaviour is correct because the SLB has priority over PBR in every case. Anyway, they are analyzing my workaround proposal; I can declare this issue closed.

Thanks for your answers,

Ric

tortoricir Thu, 06/01/2006 - 02:35

Gilles,

Just to tell you: my solution went into production last night and works perfectly.

The only issue was that I had to create another uplink VLAN on which to receive packets, because of HSRP; in fact, if you configure replicate casa on the same subnet as the other firewallfarm's CASA instance, it doesn't work.

The rule seems to be: n firewallfarms on n uplink VLANs.

Two fwfarms applied on the same interface work only if you don't have CASA redundancy.

Regards,

Riccardo
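The thread leaves two configuration rules that are easy to get wrong and that the router does not warn about: an unrestricted firewallfarm takes traffic ahead of any `ip policy route-map` on the ingress interface (the TAC verdict above), and two firewallfarms whose `replicate casa` listening addresses sit in the same uplink subnet do not work (Riccardo's production finding). The following Python checker is an added example, not code from the thread or from Cisco: it parses a constructed IOS-style configuration fragment (the addresses, VLAN numbers and farm names are invented; the `replicate casa listening-ip remote-ip port` and `access source` syntax is assumed from the thread) and reports both conditions before a change reaches production.

```python
"""Config lint for the two IOS SLB pitfalls discussed in the thread.

Added example, not from the forum thread or from Cisco. The config
below is constructed; command syntax is assumed from the thread.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample: two farms with CASA addresses in the same uplink
# VLAN (Vlan60), and PBR on the VLAN the unrestricted farm also serves.
SAMPLE_CONFIG = """\
interface Vlan55
 ip address 10.55.0.1 255.255.255.0
 ip policy route-map NEW-ROUTEMAP
!
interface Vlan60
 ip address 192.168.253.1 255.255.255.0
!
ip slb firewallfarm MAIN
 replicate casa 192.168.253.10 192.168.253.11 4231
 real 192.168.253.2
  inservice
 inservice
!
ip slb firewallfarm NEWONE
 access source 10.55.0.77 255.255.255.255
 replicate casa 192.168.253.20 192.168.253.21 4231
 real 192.168.253.3
  inservice
 inservice
!
"""


def parse_config(text):
    """Return (interfaces, farms) dicts from an IOS-style config text."""
    interfaces, farms = {}, {}
    current = None  # ("interface", name) or ("farm", name)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):  # top-level command opens a block
            m = re.match(r"interface (\S+)", line)
            if m:
                current = ("interface", m.group(1))
                interfaces[m.group(1)] = {"network": None, "policy": None}
                continue
            m = re.match(r"ip slb firewallfarm (\S+)", line)
            if m:
                current = ("farm", m.group(1))
                farms[m.group(1)] = {"casa_local": None, "restricted": False, "reals": []}
                continue
            current = None
            continue
        if current is None:
            continue
        kind, name = current
        cmd = line.strip()
        if kind == "interface":
            m = re.match(r"ip address (\S+) (\S+)", cmd)
            if m:  # ipaddress accepts "addr/netmask" with strict=False
                interfaces[name]["network"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            m = re.match(r"ip policy route-map (\S+)", cmd)
            if m:
                interfaces[name]["policy"] = m.group(1)
        else:
            m = re.match(r"replicate casa (\S+) (\S+) (\d+)", cmd)
            if m:
                farms[name]["casa_local"] = ipaddress.ip_address(m.group(1))
            if cmd.startswith("access "):  # any access clause narrows the farm
                farms[name]["restricted"] = True
            m = re.match(r"real (\S+)", cmd)
            if m:
                farms[name]["reals"].append(m.group(1))
    return interfaces, farms


def subnet_of(ip, interfaces):
    """Name of the interface whose subnet contains ip, or None."""
    for name, info in interfaces.items():
        if info["network"] is not None and ip in info["network"]:
            return name
    return None


def casa_subnet_conflicts(interfaces, farms):
    """(farm_a, farm_b, interface) for farms whose CASA addresses share an uplink subnet."""
    located = {n: subnet_of(f["casa_local"], interfaces)
               for n, f in farms.items() if f["casa_local"] is not None}
    return [(a, b, located[a]) for a, b in combinations(sorted(located), 2)
            if located[a] is not None and located[a] == located[b]]


def pbr_shadowed_by_slb(interfaces, farms):
    """(interface, route-map, farm) where an unrestricted farm takes traffic ahead of PBR."""
    unrestricted = sorted(n for n, f in farms.items() if not f["restricted"])
    return [(iface, info["policy"], farm)
            for iface, info in sorted(interfaces.items()) if info["policy"]
            for farm in unrestricted]


if __name__ == "__main__":
    ifs, fms = parse_config(SAMPLE_CONFIG)
    for a, b, vlan in casa_subnet_conflicts(ifs, fms):
        print(f"CASA conflict: {a} and {b} both replicate via {vlan}")
    for iface, rmap, farm in pbr_shadowed_by_slb(ifs, fms):
        print(f"PBR {rmap} on {iface} is shadowed by unrestricted farm {farm}")
```

Run against a real `show running-config` export, the check only reads the `interface` and `ip slb firewallfarm` blocks; everything else is ignored, so it is safe to feed the whole file. A farm with no `access` clause is treated as unrestricted, which is exactly the default-settings farm the original question describes.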
