Hello,

We are running modular 12.2(18)SXF4 ADVANCEDIP on 2 x 6509-E (single Sup720/MSFC3/PFC3).

We would like to implement IOS SLB (no CSM, as yet).

!
ip slb serverfarm WEB
 nat server
 real 192.168.30.11
  weight 1
  inservice
!
!
ip slb vserver WEB-WWW
 virtual 192.168.16.239 tcp www
 serverfarm WEB
 inservice
!
!
interface Vlan226
 description client
 ip address 192.168.26.60 255.255.255.128
 ip access-group VLAN226_OUTBOUND out
 <omitted...>
!
!

The real servers in VLAN 600 (192.168.30.0/27) are behind the FWSM:

!
firewall module 6 vlan-group 1
firewall vlan-group 1 <remaining vlans omitted>,600
!
ip route 192.168.30.0 255.255.255.224 192.168.1.196 <FWSM>
!

We have found that we can SLB to the VIP, 192.168.16.239, from any VLAN configured on the MSFC, for example VLAN 226, but only when we remove the ACL from VLAN226, VLAN226_OUTBOUND, or insert a 'log' statement somewhere into the ACL.

A snippet of this ACL:

 remark .
 remark ****** Established TCP
 permit tcp any any established
 <...output omitted...>
 remark ****** SLB workaround
 deny tcp any gt 1023 any log
 remark ****** DENY everything else
 ...
 deny ip any any

May this have anything to do with 'log' matches being punted to the MSFC?

Also, a 'show fm summary' outputs:

Interface: Vlan226 is up
  TCAM screening for features: ACTIVE inbound
  TCAM screening for features: ACTIVE outbound

This is despite the fact that I don't have an inbound ACL configured on that SVI. Weird? What's going on?

Thanks,
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:[EMAIL PROTECTED]