ACE, doubts on nested policy map

Hi to all, I've configured an ACE module to load balance traffic to transparent firewalls.

This is the relevant part of the configuration:

access-list ACL1 line 10 extended permit ip any any

probe icmp VDOM_FAILED
  description VERIFICA LO STATUS DEGLI R-SERVER
  interval 2
  passdetect interval 2

rserver host CUB_IN_VDOM_1
  ip address 10.3.43.66
  probe VDOM_FAILED
  inservice
rserver host CUB_IN_VDOM_2
  ip address 10.3.43.74
  probe VDOM_FAILED
  inservice
rserver host CUB_IN_VDOM_3
  ip address 10.3.43.82
  probe VDOM_FAILED
  inservice

serverfarm host FW_CUB_IN
  transparent
  predictor hash address destination 255.255.255.255
  rserver CUB_IN_VDOM_1
    inservice
  rserver CUB_IN_VDOM_2
    inservice
  rserver CUB_IN_VDOM_3
    inservice

class-map match-any TRAFFICO_DA_CORE
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match TRAFFICO_CORE_BILANCIATO
  class class-default
    serverfarm FW_CUB_IN

policy-map multi-match FROM_CORE
  class TRAFFICO_DA_CORE
    loadbalance vip inservice
    loadbalance policy TRAFFICO_CORE_BILANCIATO

interface vlan 420
  description MANAGEMENT
  ip address 10.3.43.10 255.255.255.248
  access-group input ACL1
  service-policy input FROM_CORE
  no shutdown
interface vlan 432
  description CONNESSA A FW1
  ip address 10.3.43.65 255.255.255.248
  mac-sticky enable
  access-group input ACL1
  no shutdown
interface vlan 433
  description CONNESSA A FW2
  ip address 10.3.43.73 255.255.255.248
  mac-sticky enable
  access-group input ACL1
  no shutdown
interface vlan 434
  description CONNESSA A FW3
  ip address 10.3.43.81 255.255.255.248
  mac-sticky enable
  access-group input ACL1
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

Now we have a problem with traceroute: when we run a traceroute to the outside world, the "intermediate" router that sends us the ICMP time exceeded has a different IP address than the one being traced, so the incoming ICMP response may be balanced to a different firewall than the one used for the outgoing traceroute. I'd try to fix this by balancing all ICMP traffic to only one firewall (with a backup on another firewall), so the traceroute request and the ICMP answer would be balanced on the same firewall. This is the relevant part of the configuration:

access-list TRACEROUTE line 10 extended permit icmp any any

serverfarm host FW_TRACERT_IN
  transparent
  predictor hash address destination 255.255.255.255
  rserver CUB_IN_VDOM_1
    inservice
serverfarm host BACKUP_TRACERT_IN
  transparent
  predictor hash address destination 255.255.255.255
  rserver CUB_IN_VDOM_2
    inservice

class-map match-all TRACEROUTE_DA_CORE
  2 match access-list TRACEROUTE

policy-map type loadbalance first-match TRAFFICO_TRACEROUTE_BAL
  class class-default
    serverfarm FW_TRACERT_IN backup BACKUP_TRACERT_IN

policy-map multi-match FROM_CORE
  class TRACEROUTE_DA_CORE
    loadbalance vip inservice
    loadbalance policy TRAFFICO_TRACEROUTE_BAL
  class TRAFFICO_DA_CORE
    loadbalance vip inservice
    loadbalance policy TRAFFICO_CORE_BILANCIATO

What do you think about it? Instead of using different policy-map multi-match I used only one, nested, but I don't know if it would be correct; I don't have an ACE to test with...

I also have another doubt about:

policy-map type loadbalance first-match TRAFFICO_TRACEROUTE_BAL
  class class-default
    serverfarm FW_TRACERT_IN backup BACKUP_TRACERT_IN

Should the class TRACEROUTE_DA_CORE be applied instead of class class-default?

What is the difference between applying a class from "policy-map type loadbalance" and from "policy-map multi-match"?

Many thanks in advance for the help.

Max

4 Replies

Gilles Dufour, Cisco Employee

Looks like a colleague asked the same question:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=Application%20Networking&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbf3718

Be aware that only Windows clients use ICMP for traceroute.

In the Unix/Linux/Mac world, they use UDP packets.

So your solution will only partially work.

I think the only option is to permit ICMP TTL expired messages through the firewall.

Gilles.

I know this, but traceroute is issued only from a specific network, so I'm able to choose the right traffic and force it to pass only through one firewall. Is the configuration I posted right in your opinion? What is the difference between the class command in a multi-match policy map and in a loadbalance policy map (I know the loadbalance policy map is an L7 policy map and the multi-match one is L3/4)?

After talking to a security expert who told me not to allow all ICMP TTL messages on the firewall and that the ACE module should look into the ICMP payload to identify the correct firewall, I went into the code to see that indeed we look at the payload to select the same firewall.

However, there was a bug that was fixed with CSCsk68396, not yet integrated in A1.x.

Also, the ACE module will apparently NAT the intermediate router's IP address with the destination IP address of your traceroute, so you don't see the router.

To prevent this behavior you need to configure inspect icmp error.

Your workaround to send all ICMP traffic to one firewall should work.

Just wanted to say this is normally not required.

Gilles.
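An added example (not from the thread, and not ACE code) that models the problem in the original question and the behaviour Gilles describes: hashing the outer destination address sends a UDP traceroute probe and the ICMP time-exceeded it provokes to different firewalls, while selecting on the destination quoted inside the ICMP error payload keeps both on the same one. The addresses, packets and the modulo hash are constructed stand-ins; the real ACE predictor function is not documented here.

```python
import socket
import struct

# Constructed sample farm, mirroring the three rservers in the thread's FW_CUB_IN serverfarm.
FIREWALLS = ["CUB_IN_VDOM_1", "CUB_IN_VDOM_2", "CUB_IN_VDOM_3"]


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 datagram (no options, checksum left zero; constructed sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return header length, protocol and addresses of an IPv4 datagram."""
    return {"ihl": (pkt[0] & 0x0F) * 4, "proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}


def flow_destination(pkt):
    """Destination address identifying the flow this packet belongs to.

    ICMP errors (type 3 unreachable, type 11 time exceeded) quote the original datagram's
    header after the 8-byte ICMP header, so the flow destination is the quoted (inner)
    destination, not the outer one addressed back to the traceroute client.
    """
    hdr = parse_ipv4(pkt)
    if hdr["proto"] == 1:  # ICMP
        icmp = pkt[hdr["ihl"]:]
        if icmp[0] in (3, 11) and len(icmp) >= 8 + 20:
            return parse_ipv4(icmp[8:])["dst"]
    return hdr["dst"]


def select_firewall(pkt, farm, inspect_icmp_errors):
    """Pick an rserver by hashing a destination address with mask 255.255.255.255.

    The modulo hash is an assumed stand-in for the ACE predictor; only the choice of
    WHICH address is hashed matters for the demonstration.
    """
    dst = flow_destination(pkt) if inspect_icmp_errors else parse_ipv4(pkt)["dst"]
    return farm[int.from_bytes(socket.inet_aton(dst), "big") % len(farm)]


# Constructed traffic: a UDP traceroute probe (TTL 1) from an inside client to an outside
# target, and the ICMP time-exceeded an intermediate router returns for it.
PROBE = ipv4_packet("192.0.2.10", "198.51.100.7", 17, struct.pack("!HHHH", 40000, 33434, 8, 0), ttl=1)
TIME_EXCEEDED = ipv4_packet("203.0.113.1", "192.0.2.10", 1,
                            struct.pack("!BBHI", 11, 0, 0, 0) + PROBE[:28])

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("time-exceeded", TIME_EXCEEDED)):
        print(name, "outer-dst hash ->", select_firewall(pkt, FIREWALLS, False),
              "| payload-aware ->", select_firewall(pkt, FIREWALLS, True))
```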

I already use a policy-map to inspect ICMP traffic, but it seems not to be enough...

In the attachment you can find my full config.

Many thanks for the help
