I have a 7609 with a slb firewallfarm configured. It is running IOS 12.2(18)SXE3 with sup720. The firewallfarm is configured with default settings with no access parameter, only real servers configured.
All the traffic is coming from a single vlan (it's not possible to implement another layer 2 way to make the traffic pass through) and I would like to make a single flow to exit from another interface and not pass to the real servers configured on FWfarm. I wrote the following PBR statements:
!!!!!!! Begin !!!!!!!
access-list 110 permit ip host XX.XX.XX.XX any
!where XX.XX.XX.XX is an omitted IP address
route-map NEW-ROUTEMAP permit 10
match ip address 110
set ip next-hop 192.168.253.3
!vlan 55 is the interface from where the selected flows comes
ip route-cache policy
ip policy route-map NEW-ROUTEMAP
!!!!! END !!!!!!!
The route-map seems working, in fact I can see matched ACL and route-map.
The problem is the SLB seems to take all the traffic in charge, also the one I would like to route to another interface, in fact if I put my desidered output interface in monitor I can see no traffic passing through.
SLB creates the sticky entry anyway, in fact as far as I know, the SLB has the priority to static routing and route-maps.
Any idea for a workaround? Is there a way to make PBR works with SLB?
just to tell you my solution went in production last night and works perfectly.
The only issue was I had to create another uplink vlan in which receive packets because of HSRP, in fact if you state replicate casa on the same subnet of the other firewallfarm casa instance it doesn't work.
The rule seems to be: n firewallfarms on n uplink vlans.
Two fwfarms applied on the same interface works only if you don't have casa redundancy.
VMware Trunk Port Group is supported from ACI version 2.1
VMM integration must be configured properly
ASA device package must be uploaded to APIC
ASAv version must be compatible with ACI and device package version
In the Previous articles of ACI Automation, we are using Postman/Newman as the Rest API tool to automate the ACI Configuration.
In this article I’m going to discuss on usin...
One of the first steps in building your ACI Fabric is to go through Fabric Discovery. While Fabric Discovery is usually a straightforward process, there are various issues that may prevent you from discovering an ACI switch. This article wil...