05-15-2006 02:57 AM
I have a 7609 with an SLB firewallfarm configured. It is running IOS 12.2(18)SXE3 with a Sup720. The firewallfarm is configured with default settings and no access parameter, only real servers configured.
All the traffic is coming from a single VLAN (it's not possible to implement another layer 2 way to make the traffic pass through), and I would like a single flow to exit from another interface and not pass to the real servers configured on the FW farm. I wrote the following PBR statements:
!!!!!!! Begin !!!!!!!
access-list 110 permit ip host XX.XX.XX.XX any
!where XX.XX.XX.XX is an omitted IP address
route-map NEW-ROUTEMAP permit 10
 match ip address 110
 set ip next-hop 192.168.253.3
interface Vlan55
 !vlan 55 is the interface from where the selected flows come
 ip route-cache policy
 ip policy route-map NEW-ROUTEMAP
!!!!! END !!!!!!!
The route-map seems to be working; in fact I can see the ACL and route-map being matched.
The problem is that the SLB seems to take charge of all the traffic, including the flow I would like to route to another interface: if I put my desired output interface in monitor, I can see no traffic passing through.
SLB creates the sticky entry anyway; as far as I know, SLB has priority over static routing and route-maps.
Any idea for a workaround? Is there a way to make PBR work with SLB?
Thanks in advance.
Ric
05-16-2006 04:12 AM
Ric,
I knew about this bug and thought this was it.
I checked your description and realised you are already running a version which normally integrates the fix.
This sounds like a bug and you should probably open a TAC case so we can report the problem and work on a fix.
Regarding your workaround, I think it should work.
The access-group should limit the traffic to only this host.
You will also need a static route using this real server.
Gilles.
05-16-2006 12:03 AM
CSCin82741
PBR does not work if both PBR & SLB are applied on same interface
Fixed in:
12.2(18)SXE & 12.2(17d)SXB05
Gilles.
05-16-2006 03:16 AM
Thanks Gilles.
I was thinking about creating a new firewallfarm like this:
!Begin
ip slb firewallfarm NEWONE
 inservice
 access source XX.XX.XX.XX 255.255.255.255
 !
 real 192.168.253.3
  inservice
! End
Theoretically the FWLB should do the same work the PBR was supposed to do.
How will IOS choose the right firewallfarm to apply? Do you think it will work?
This way I could do the same job without re-testing the new IOS for the production environment.
Thanks in advance,
Ric
05-16-2006 05:37 AM
Gilles,
We opened a TAC case and are waiting for a solution, because I still don't know if someone will approve my workaround.
Thank you very much for your help.
Riccardo
05-18-2006 01:52 AM
Gilles,
TAC answered me that the router behaviour is correct because SLB has priority over PBR in every case. Anyway, they are analyzing my workaround proposal; I can declare this issue closed.
Thanks for your answers,
Ric
06-01-2006 02:35 AM
Gilles,
Just to tell you that my solution went into production last night and works perfectly.
The only issue was that I had to create another uplink VLAN in which to receive packets, because of HSRP: if you configure replicate casa on the same subnet as the other firewallfarm's CASA instance, it doesn't work.
The rule seems to be: n firewallfarms on n uplink VLANs.
Two FW farms applied on the same interface work only if you don't have CASA redundancy.
Regards,
Riccardo
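The workaround the thread converges on, assembled here as an added example rather than configuration posted by Ric or Gilles: a second firewallfarm whose `access source` statement matches only the selected host, the static route via that farm's real server that Gilles says is needed, and, following Riccardo's last post, a separate uplink VLAN for the second farm's CASA replication. The host address 192.0.2.10, the destination network 198.51.100.0/24, the VLAN number 56 and the CASA listen/peer addresses and port are constructed placeholders, not values from the thread.

```ios
! The existing default firewallfarm (no access statement) keeps handling
! every other flow; its real servers are omitted here.
!
! Second farm: only the selected source host matches it, and its single
! real server is the device the flow must exit through.
ip slb firewallfarm NEWONE
 access source 192.0.2.10 255.255.255.255
 real 192.168.253.3
  inservice
 ! CASA replication for this farm listens on its own uplink subnet;
 ! per Riccardo, sharing the other farm's CASA subnet does not work.
 ! Listen IP, peer IP and port below are constructed placeholders.
 replicate casa 192.168.254.2 192.168.254.3 4231
 inservice
!
! Static route pointing at NEWONE's real server, as Gilles notes;
! the destination prefix is a placeholder.
ip route 198.51.100.0 255.255.255.0 192.168.253.3
!
! Dedicated uplink VLAN for the second farm (one farm per uplink VLAN
! when CASA redundancy is in use).
interface Vlan56
 description uplink VLAN for firewallfarm NEWONE
 ip address 192.168.254.2 255.255.255.0
```

After applying it, `show ip slb firewallfarm` should list both farms in service and `show ip slb conns` should show the selected host's connections bound to NEWONE rather than to the default farm; if the connections still land on the default farm, the `access source` mask or the host address is the first thing to check.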