[c-nsp] 6500 IOS SLB and 'log' keyword?

Mark Tohill Mark at u.tv
Fri Aug 31 07:03:28 EDT 2007


Hello,
 
We are running modular 12.2(18)SXF4 ADVANCEDIP on 2 x 6509-E (single Sup720/MSFC3/PFC3).

We would like to implement IOS SLB (no CSM, as yet).

!
ip slb serverfarm WEB
nat server
real 192.168.30.11
weight 1
inservice
!
!
ip slb vserver WEB-WWW
virtual 192.168.16.239 tcp www
serverfarm WEB
inservice
!

!
interface Vlan226
description client
ip address 192.168.26.60 255.255.255.128
ip access-group VLAN226_OUTBOUND out
<omitted...>
!
!

The real servers in VLAN 600(192.168.30.0/27) are behind the FWSM:
!
firewall module 6 vlan-group 1
firewall vlan-group 1  <remaining vlans omitted>,600
!
ip route 192.168.30.0 255.255.255.224 192.168.1.196<FWSM>
!

We have found that we can SLB to the VIP, 192.168.16.239, from any VLAN configured on the MSFC, for example VLAN 226, but only when we remove the ACL from VLAN226, VLAN226_OUTBOUND, or insert a 'log' statement somewhere into the ACL. A snippet of this ACL:

remark .
remark ****** Established TCP
permit tcp any any established
<...output omitted...>
remark ****** SLB workaround
deny   tcp any gt 1023 any log
remark ****** DENY everything else ...
deny   ip any any

May this have anything to do with 'log' matches being punted to the
MSFC?
 
Also, a 'show fm summary' outputs:
 
Interface: Vlan226 is up
  TCAM screening for features: ACTIVE inbound
  TCAM screening for features: ACTIVE outbound
 
This is despite the fact that I don't have an inbound ACL configured on
that SVI.
Weird? What's going on?
 
Thanks,
Mark
 
Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:mark at u.tv
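The post hinges on which ACE of VLAN226_OUTBOUND catches the SLB traffic and whether that ACE carries 'log'. On the Catalyst 6500, an ACE with 'log' cannot be fully resolved in the PFC TCAM, so packets hitting it are punted to the MSFC for software processing, which is why a 'deny ... log' line can change forwarding behaviour and, with a broad 'any any' match, can load the RP CPU. The following is an added example, not code from the post or from Cisco: a small IOS extended-ACL evaluator in Python that parses the ACL snippet above (constructed here from the post, with the omitted middle left out), finds the first ACE matching a constructed sample flow, and flags whether that ACE logs (punts) and whether any logging ACE is an 'any'-to-'any' entry. It does not model the SVI direction or the SLB NAT rewrite; the flows are illustrative only.

```python
"""Evaluate an IOS extended ACL against sample flows and flag 'log' matches.

Added example, not from the cisco-nsp post. SAMPLE_ACL is constructed from the
post's snippet; the flows below are constructed sample packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL text modelled on the post's snippet (omitted lines left out).
SAMPLE_ACL = """
remark ****** Established TCP
permit tcp any any established
remark ****** SLB workaround
deny tcp any gt 1023 any log
remark ****** DENY everything else ...
deny ip any any
"""

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "telnet": 23}
PortSpec = Optional[Tuple[str, int, int]]  # (operator, low, high); None = any port


@dataclass
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip', 'tcp', 'udp', 'icmp', ...
    src: ipaddress.IPv4Network
    src_port: PortSpec
    dst: ipaddress.IPv4Network
    dst_port: PortSpec
    established: bool            # matches only packets with ACK or RST set
    log: bool                    # 'log'/'log-input': matches are punted to the RP
    text: str


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False            # True for anything after the initial SYN


def _port_value(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks, i):
    """Consume an IOS address spec at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # 'address wildcard' form: ipaddress accepts a hostmask (wildcard) after '/'
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _parse_port(toks, i):
    """Consume an optional port operator at toks[i]; return (spec, next index)."""
    if i >= len(toks):
        return None, i
    op = toks[i]
    if op in ("eq", "gt", "lt", "neq"):
        v = _port_value(toks[i + 1])
        lo, hi = {"eq": (v, v), "gt": (v + 1, 65535), "lt": (0, v - 1), "neq": (v, v)}[op]
        return (op, lo, hi), i + 2
    if op == "range":
        return ("range", _port_value(toks[i + 1]), _port_value(toks[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse extended-ACL lines (remarks skipped) into Ace objects, in order."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        action, proto, i = toks[0], toks[1], 2
        has_ports = proto in ("tcp", "udp")
        src, i = _parse_addr(toks, i)
        sp, i = _parse_port(toks, i) if has_ports else (None, i)
        dst, i = _parse_addr(toks, i)
        dp, i = _parse_port(toks, i) if has_ports else (None, i)
        rest = set(toks[i:])
        aces.append(Ace(action, proto, src, sp, dst, dp, "established" in rest,
                        bool(rest & {"log", "log-input"}), line.strip()))
    return aces


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, lo, hi = spec
    return port != lo if op == "neq" else lo <= port <= hi


def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if (ipaddress.ip_address(flow.src) not in ace.src
            or ipaddress.ip_address(flow.dst) not in ace.dst):
        return False
    if ace.proto in ("tcp", "udp") and not (
            _port_ok(ace.src_port, flow.sport) and _port_ok(ace.dst_port, flow.dport)):
        return False
    return flow.ack or not ace.established


def evaluate(aces: List[Ace], flow: Flow) -> Optional[Ace]:
    """First-match semantics; None means the implicit 'deny ip any any'."""
    return next((a for a in aces if matches(a, flow)), None)


def broad_log_entries(aces: List[Ace]) -> List[Ace]:
    """Logging ACEs that match 'any' -> 'any': every hit is punted to the RP CPU."""
    return [a for a in aces if a.log and a.src.prefixlen == 0 and a.dst.prefixlen == 0]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed flows: a client SYN toward the VIP, and the reply with ACK set.
    flows = [Flow("tcp", "192.168.26.100", 45000, "192.168.16.239", 80),
             Flow("tcp", "192.168.16.239", 80, "192.168.26.100", 45000, ack=True)]
    for f in flows:
        hit = evaluate(acl, f)
        note = "  [log -> punted to MSFC]" if hit and hit.log else ""
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} ack={f.ack}: "
              f"{hit.text if hit else 'implicit deny'}{note}")
    for a in broad_log_entries(acl):
        print("broad logging ACE (CPU risk):", a.text)
```

Run it as-is to see the two sample flows: the non-ACK packet with a high source port lands on the 'deny ... log' ACE and would be punted, while the ACK-bearing reply is caught by the 'established' permit in hardware. The `broad_log_entries` check is the one to run over a production ACL before leaving a 'log' workaround in place, and pairing it with `mls rate-limit unicast acl` limits how much punted traffic the RP has to absorb.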
 

