[f-nsp] Route-Map Problem
Lazuardi Nasution
mrxlazuardin at gmail.com
Tue Jun 15 11:34:38 EDT 2010
Hi Scott,
Following is the related config. I can do HTTP on both VIPs at the same
time, but I can only do DNS and PING to VIP2 if VIP1 is disconnected.
Please help.
Best regards,

server source-nat

server real DNS1 192.168.1.5
 port dns
 port dns keepalive
 port dns zone "domain"
 port dns addr_query "host.domain"

server real DNS2 192.168.1.6
 port dns
 port dns keepalive
 port dns zone "domain"
 port dns addr_query "host.domain"

server real HTTP1 192.168.1.1
 port http
 port http keepalive
 port http url "GET /"
 port http status-code 200 399
 port 8080

server real HTTP2 192.168.1.2
 port http
 port http keepalive
 port http url "GET /"
 port http status-code 200 399
 port 8080

server real HTTP3 192.168.1.3
 port http
 port http keepalive
 port http url "GET /"
 port http status-code 200 399
 port 8080

server real HTTP4 192.168.1.4
 port http
 port http keepalive
 port http url "GET /"
 port http status-code 200 399
 port 8080

server virtual VIP1 192.168.0.1
 sticky-age 5
 predictor round-robin
 port dns
 port http sticky
 bind dns DNS1 dns
 bind http HTTP1 http HTTP2 http HTTP3 8080 real-port http HTTP4 8080 real-port http

server virtual VIP2 192.168.255.1
 sticky-age 5
 predictor round-robin
 port dns
 port http sticky
 bind dns DNS2 dns
 bind http HTTP1 8080 real-port http HTTP2 8080 real-port http HTTP3 http HTTP4 http

vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1

vlan 3 name ISP1 by port
 untagged ethe 2
 router-interface ve 3

vlan 2 name ISP2 by port
 untagged ethe 1
 router-interface ve 2

ip policy prefer-direct-route
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip route 0.0.0.0 0.0.0.0 192.168.255.254 distance 10
ip policy route-map PBR

interface ve 1
 ip address 192.168.1.254 255.255.255.0

interface ve 2
 ip address 192.168.255.253 255.255.255.0

interface ve 3
 ip address 192.168.0.253 255.255.255.0

access-list 100 permit icmp 192.168.255.0 0.0.0.255 any
access-list 100 permit ip 192.168.255.0 0.0.0.255 any
access-list 100 deny icmp any any
access-list 100 deny ip any any

route-map PBR permit 1
 match ip address 100
 set ip next-hop 192.168.255.254

> From: "Scott T. Cameron" <routehero at gmail.com>
> To: foundry-nsp at puck.nether.net
> Date: Tue, 15 Jun 2010 10:29:25 -0400
> Subject: Re: [f-nsp] Route-Map Problem
> I don't know why you're seeing that, because the route-map's ACL shouldn't care about whether it's DNS or HTTP. It should just care about src/dst networks at worst.
> Can you show the exact config you're using?
> Scott
>
> On Tue, Jun 15, 2010 at 12:36 AM, Lazuardi Nasution <mrxlazuardin at gmail.com> wrote:
>>
>> Hi Scott,
>>
>> I have done with HTTP, the PBR works for HTTP requests. But there is a
>> problem with DNS. It seems that the DNS reply doesn't follow PBR. I can
>> see that the VIP receives the DNS request, but I think the reply is
>> forwarded to the wrong gateway. Any suggestions? I have tried ip policy
>> frag-match-src/frag-match-dest/frag-match-src-dest with no success.
>>
>> Best regards,
>>
>> > From: "Scott T. Cameron" <routehero at gmail.com>
>> > To: foundry-nsp at puck.nether.net
>> > Date: Fri, 28 May 2010 06:47:23 -0400
>> > Subject: Re: [f-nsp] Route-Map Problem
>> > The ServerIron platform is generally very sensitive to the order of things. I've had this exact same problem before -- and banged my head against the wall.
>> > However, you are missing one important thing in your config: ip policy frag-match-source. This will ensure that all packets are treated.
>> >
>> > I'd start over, removing all the relevant PBR lines. Enter in the ACL first, exit, write mem. Enter in the route-map, exit, write mem. Finally, add in the ip policy statements.
>> > Scott
>> >
>> > On Wed, May 26, 2010 at 12:51 PM, Lazuardi Nasution <mrxlazuardin at gmail.com> wrote:
>> >>
>> >> Dear you,
>> >>
>> >> I have a problem doing a demo of the ServerIron PBR (route-map)
>> >> feature. It seems that the route-map command has no effect, so the
>> >> links become failover, not active-active. My goal is that each port
>> >> can have its own next hop, disregarding the routing table or default
>> >> routes. Any suggestions?
>> >>
>> >> Best regards,
>> >>
>> >>
>> >> Following is the script of my configuration.
>> >>
>> >>
>> >> vlan 2 by port
>> >> untagged ethe 1
>> >> router-interface ve 2
>> >>
>> >> vlan 3 by port
>> >> untagged ethe 2
>> >> router-interface ve 3
>> >>
>> >> ip route 0.0.0.0 0.0.0.0 192.168.0.254 distance 10
>> >> ip route 0.0.0.0 0.0.0.0 192.168.255.254
>> >>
>> >> interface ve 2
>> >> ip address 192.168.0.1 255.255.255.0
>> >> ip policy route-map PBR
>> >>
>> >> interface ve 3
>> >> ip address 192.168.255.1 255.255.255.0
>> >>
>> >> access-list 2 permit 192.168.0.0 0.0.0.255
>> >> access-list 2 deny any
>> >>
>> >> route-map PBR permit 10
>> >> match ip address 2
>> >> set ip next-hop 192.168.0.254
>> >>
>> >>
>> >> Following is the "show version" command.
>> >>
>> >>
>> >> Copyright (c) 1996-2009 Brocade Communications Systems, Inc.
>> >> Boot Version 12.1.00T405 Oct 29 2009 10:12:19 PST label: dob12100
>> >> Monitor Version 12.1.00T405 Oct 29 2009 10:12:19 PST label: dob12100
>> >> System Version 12.1.00T403 Dec 17 2009 10:21:27 PST label: ASR12100
>> >> AXP Version: 1.12 Dated: 2009/12/01 10:22:32
>> >> PAX Version: 0.0 Dated: 2009/07/28 10:35:11
>> >> MBRIDGE Version: 000b, Device ID # bebe
>> >>
>> >> ==========================================================================
>> >> Type: Stackable 16GC
>> >> Backplane Serial #: SA19091395
>> >> Chassis Serial #: Not-Present
>> >> Part #: 46458-00DB
>> >> Version #: 11b626-020202ff-111d8036-00
>> >> ==========================================================================
>> >> Active management module:
>> >> 1499 MHz Power PC processor (version 00008021/0030) 599 MHz bus
>> >> 512 KB Boot flash
>> >> 131072 KB Code flash
>> >> 2048 MB DRAM
>> >> The system uptime is 9 minutes 39 seconds
>> >> The system started at 04:21:03, GMT+00, Wed May 26 2010
>> >>
>> >> The system - boot source: secondary, mode: warm startsoft reset, total
>> >> resets:11 soft reset, total resets:11
>> >>
>> >>
>> >> Following is the "show flash" command.
>> >>
>> >>
>> >> Active management module:
>> >> Compressed Pri Code size = 23321502, Version 12.1.00T401 Dec 17 2009
>> >> 10:08:10 PST label: ASM12100
>> >> Compressed Sec Code size = 24392549, Version 12.1.00T403 Dec 17 2009
>> >> 10:21:27 PST label: ASR12100
>> >> Used Configuration Flash Size=4469, Max Configuration Flash Size=1441790
>> >>
>> >> Code flash:
>> >> Size : 134217728 bytes
>> >> Bytes Used : 54544222 bytes
>> >> Bytes Free : 76808192 bytes
>> >>
>> >> USB 0 drive:
>> >> Size : 4102352896 bytes
>> >> Bytes Used : 4096 bytes
>> >> Bytes Free : 4102348800 bytes
>> >>
>> >> No external USB drive found in system
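
Added example (not part of the original thread and not ServerIron code): a small Python model of ordinary first-match extended-ACL evaluation, applied to the ACL 100, route-map PBR and default routes posted at the top of this message. It shows that a reply sourced from VIP2 matches the route-map whatever its protocol, which is the point Scott makes about the ACL. The function names and the default static-route distance of 1 are assumptions.

```python
import ipaddress

# ACL 100 exactly as posted in the message above.
ACL_100 = """\
access-list 100 permit icmp 192.168.255.0 0.0.0.255 any
access-list 100 permit ip 192.168.255.0 0.0.0.255 any
access-list 100 deny icmp any any
access-list 100 deny ip any any
"""
PBR_NEXT_HOP = "192.168.255.254"  # "set ip next-hop" in route-map PBR
# Static defaults from the post as (distance, gateway); a route with no
# explicit distance is assumed to have distance 1.
DEFAULT_ROUTES = [(1, "192.168.0.254"), (10, "192.168.255.254")]

def parse_acl(text):
    """Parse 'access-list N action proto src [wildcard] any' lines into rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, src = tok[2], tok[3], tok[4]
        if src == "any":
            net, wild = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(src))
            wild = int(ipaddress.IPv4Address(tok[5]))
        rules.append((action, proto, net, wild))
    return rules

def acl_action(rules, proto, src_ip):
    """First matching rule wins; 'ip' matches any protocol; implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, rproto, net, wild in rules:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if rproto in ("ip", proto) and (src & care) == (net & care):
            return action
    return "deny"

def expected_next_hop(proto, src_ip):
    """PBR next hop on an ACL permit, otherwise the lowest-distance default."""
    if acl_action(parse_acl(ACL_100), proto, src_ip) == "permit":
        return PBR_NEXT_HOP
    return min(DEFAULT_ROUTES)[1]

if __name__ == "__main__":
    # Constructed reply packets sourced from VIP2 and VIP1.
    for proto in ("udp", "tcp", "icmp"):
        for src in ("192.168.255.1", "192.168.0.1"):
            print(f"{proto:4} from {src:14} -> {expected_next_hop(proto, src)}")
```

If captured DNS replies from 192.168.255.1 leave toward 192.168.0.254 instead of the next hop this model expects, the ACL is not the cause and the route-map is not being applied to that traffic.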