01-17-2008 08:26 AM
Hi to all, I've configured an ACE module to load balance traffic across transparent firewalls.
This is the relevant part of the configuration:
access-list ACL1 line 10 extended permit ip any any

probe icmp VDOM_FAILED
  description VERIFICA LO STATUS DEGLI R-SERVER
  interval 2
  passdetect interval 2

rserver host CUB_IN_VDOM_1
  ip address 10.3.43.66
  probe VDOM_FAILED
  inservice
rserver host CUB_IN_VDOM_2
  ip address 10.3.43.74
  probe VDOM_FAILED
  inservice
rserver host CUB_IN_VDOM_3
  ip address 10.3.43.82
  probe VDOM_FAILED
  inservice

serverfarm host FW_CUB_IN
  transparent
  predictor hash address destination 255.255.255.255
  rserver CUB_IN_VDOM_1
    inservice
  rserver CUB_IN_VDOM_2
    inservice
  rserver CUB_IN_VDOM_3
    inservice

class-map match-any TRAFFICO_DA_CORE
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match TRAFFICO_CORE_BILANCIATO
  class class-default
    serverfarm FW_CUB_IN

policy-map multi-match FROM_CORE
  class TRAFFICO_DA_CORE
    loadbalance vip inservice
    loadbalance policy TRAFFICO_CORE_BILANCIATO

interface vlan 420
  description MANAGEMENT
  ip address 10.3.43.10 255.255.255.248
  access-group input ACL1
  service-policy input FROM_CORE
  no shutdown
interface vlan 432
  description CONNESSA A FW1
  ip address 10.3.43.65 255.255.255.248
  mac-sticky enable
  access-group input ACL1
  no shutdown
interface vlan 433
  description CONNESSA A FW2
  ip address 10.3.43.73 255.255.255.248
  mac-sticky enable
  access-group input ACL1
  no shutdown
interface vlan 434
  description CONNESSA A FW3
  ip address 10.3.43.81 255.255.255.248
  mac-sticky enable
  access-group input ACL1
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1
Now we have a problem with traceroute: when we run a traceroute to the outside world, the "intermediate" router that sends us the ICMP time exceeded has a different IP address than the one being tracerouted, so the incoming ICMP response may be balanced to a different firewall than the one used for the outbound traceroute. I'd try to fix this by balancing all ICMP traffic to only one firewall (with a backup to another firewall), so the traceroute request and the ICMP answer would be balanced on the same firewall. This is the relevant part of the configuration:
access-list TRACEROUTE line 10 extended permit icmp any any

serverfarm host FW_TRACERT_IN
  transparent
  predictor hash address destination 255.255.255.255
  rserver CUB_IN_VDOM_1
    inservice
serverfarm host BACKUP_TRACERT_IN
  transparent
  predictor hash address destination 255.255.255.255
  rserver CUB_IN_VDOM_2
    inservice

class-map match-all TRACEROUTE_DA_CORE
  2 match access-list TRACEROUTE

policy-map type loadbalance first-match TRAFFICO_TRACEROUTE_BAL
  class class-default
    serverfarm FW_TRACERT_IN backup BACKUP_TRACERT_IN

policy-map multi-match FROM_CORE
  class TRACEROUTE_DA_CORE
    loadbalance vip inservice
    loadbalance policy TRAFFICO_TRACEROUTE_BAL
  class TRAFFICO_DA_CORE
    loadbalance vip inservice
    loadbalance policy TRAFFICO_CORE_BILANCIATO
What do you think about it? Instead of using different policy-map multi-match entries I used only one, nested, but I don't know if that would be correct; I don't have an ACE to test with...
I also have another doubt about:

policy-map type loadbalance first-match TRAFFICO_TRACEROUTE_BAL
  class class-default
    serverfarm FW_TRACERT_IN backup BACKUP_TRACERT_IN

Should the class TRACEROUTE_DA_CORE be applied instead of class class-default?
What is the difference between applying a class from "policy-map type loadbalance" and from "policy-map multi-match"?
Many thanks in advance for your help.
Max
01-18-2008 02:17 AM
Looks like a colleague asked the same question:
Be aware that only windows client uses icmp for traceroute.
In the unix/linux/mac world, they use udp packets.
So, your solution will only partially work.
I think the only option is to permit icmp ttl expired messages through the firewall.
Gilles.
01-18-2008 02:34 AM
I know this, but traceroute is issued only from a specific network, so I'm able to choose the right traffic and force it to pass through only one firewall. Is the configuration I posted right in your opinion? What is the difference between the class command in a multi-match policy map and in a loadbalance policy map? (I know the loadbalance policy map is an L7 policy map and the multi-match one is an L3/4 policy map.)
01-18-2008 04:38 AM
After talking to a security expert who told me not to allow all ICMP TTL messages on the firewall, and that the ACE module should look into the ICMP payload to identify the correct firewall, I went into the code to see that indeed we look at the payload to select the same firewall.
However, there was a bug that was fixed with CSCsk68396. Not yet integrated in A1.x
Also, the ACE module will apparently nat the intermediate router with ip address with the destination ip address of your traceroute - so you don't see the router.
To prevent this behavior you need to configure inspect icmp error.
your workaround to send all icmp traffic to 1 firewall should work.
Just wanted to say this is normally not required.
Gilles.
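The following is an added illustrative model, not ACE code and not from anyone in this thread. It shows the mechanism behind Max's observation (the ICMP time exceeded arrives from a hop router whose address matches no existing flow, so a balancer that only looks at the outer header picks a firewall independently of the outbound probe) and the fix Gilles describes (parse the quoted original datagram inside the ICMP error and use it to find the flow, which is what "inspect icmp error" is for). The hash function, the flow table, the packet builders and the addresses 10.3.43.200, 198.51.100.10 and 203.0.113.1 are all assumptions constructed for the example; only the rserver names come from the thread and the ICMP error layout follows RFC 792.

```python
"""Illustrative model (not ACE code): why ICMP error messages break a
destination-hash predictor unless the balancer parses the quoted inner packet."""
import ipaddress
import struct

# rserver names from the thread; the selection hash below is an assumption
FIREWALLS = ["CUB_IN_VDOM_1", "CUB_IN_VDOM_2", "CUB_IN_VDOM_3"]

# ICMP types that quote the original IP header + 8 bytes (RFC 792)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def pick_by_dest_hash(dest_ip: str, mask: str = "255.255.255.255") -> str:
    """Model of 'predictor hash address destination <mask>': mask the
    destination address and map it onto one rserver. The real ACE hash is
    not documented in the thread; integer-mod is used here as a stand-in."""
    masked = int(ipaddress.IPv4Address(dest_ip)) & int(ipaddress.IPv4Address(mask))
    return FIREWALLS[masked % len(FIREWALLS)]


def ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def icmp_echo(ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request header: type 8, code 0, checksum 0, id, seq."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq)


def icmp_time_exceeded(quoted: bytes) -> bytes:
    """ICMP time exceeded (type 11, code 0) followed by the quoted original
    IP header and first 8 bytes of its payload, as RFC 792 requires."""
    return struct.pack("!BBHI", 11, 0, 0, 0) + quoted


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "payload": pkt[ihl:]}


class Balancer:
    """Toy flow-aware balancer in front of transparent firewalls."""

    def __init__(self, inspect_icmp_error: bool):
        self.inspect_icmp_error = inspect_icmp_error
        self.flows = {}  # (client, server) -> firewall chosen for that flow

    def outbound(self, pkt: bytes) -> str:
        ip = parse_ipv4(pkt)
        fw = pick_by_dest_hash(ip["dst"])
        self.flows[(ip["src"], ip["dst"])] = fw
        return fw

    def inbound(self, pkt: bytes) -> str:
        ip = parse_ipv4(pkt)
        # Normal replies match the reversed tuple of an existing flow.
        key = (ip["dst"], ip["src"])
        if key in self.flows:
            return self.flows[key]
        # An ICMP error comes from a hop router, so the outer tuple matches
        # nothing; with inspection enabled, recover the flow from the quoted datagram.
        if self.inspect_icmp_error and ip["proto"] == 1 and ip["payload"][0] in ICMP_ERROR_TYPES:
            inner = parse_ipv4(ip["payload"][8:])
            inner_key = (inner["src"], inner["dst"])
            if inner_key in self.flows:
                return self.flows[inner_key]
        # No flow state matched: treated as a new flow and hashed on its destination.
        return pick_by_dest_hash(ip["dst"])


def demo(inspect_icmp_error: bool) -> tuple:
    """Send one traceroute probe out and bring the hop's time-exceeded back.
    Returns (firewall used outbound, firewall chosen for the ICMP error)."""
    client, target, hop = "10.3.43.200", "198.51.100.10", "203.0.113.1"  # constructed
    lb = Balancer(inspect_icmp_error)
    probe = ipv4_header(client, target, proto=1, ttl=1, total_len=28) + icmp_echo()
    fw_out = lb.outbound(probe)
    quoted = probe[:28]  # original IP header + 8 bytes of ICMP echo
    err = ipv4_header(hop, client, proto=1, ttl=64, total_len=20 + 8 + len(quoted))
    err += icmp_time_exceeded(quoted)
    fw_back = lb.inbound(err)
    return fw_out, fw_back


if __name__ == "__main__":
    print("without icmp error inspection:", demo(False))
    print("with icmp error inspection:   ", demo(True))
```

Without inspection the error packet is hashed as a fresh flow and can land on a different VDOM than the probe went out through; with inspection the quoted header is enough to find the original flow, which is why per-flow symmetry holds without steering all ICMP to a single firewall.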