02-04-2011 08:03 AM
Is there a way to build an ACL or a security feature that I can turn off that will allow servers that are load-balanced by the ACE to traceroute through the ACE to networks outside the ACE module?
02-07-2011 06:07 AM
Hi,
In order to allow traceroute through the ACE, you would just need to add an ACL allowing ICMP and apply it on the interface where the traffic will be generated (if I understood correctly, the server vlan)
For more information on how to create this ACL, please refer to the official documentation:
Regards
Daniel
02-07-2011 06:47 AM
I already have the following access-list applied to all my interfaces.
access-list ALL line 6 extended permit icmp any any
Is there something more I need to do? Currently, when we traceroute from a VLAN behind the ACE, the only address we pick up in the trace is the ACE VLAN interface, which is the servers' default gateway.
02-07-2011 10:11 AM
Be careful that traceroute can use either UDP or ICMP. What kind of server do you have? If I am not mistaken, you also have to enable inspect icmp error.
So for instance:
access-list 102 line 10 extended permit icmp any any

class-map match-all icmp_traffic
  2 match access-list 102

policy-map multi-match icmp_inspect
  class icmp_traffic
    inspect icmp error

interface vlan 540
  service-policy input icmp_inspect
Here's the config on the ACE module when the problem was seen:

access-list 2 line 10 extended permit ip any any
access-list 4 line 10 extended permit ip host 10.0.10.14 any

rserver host linux3
  ip address 10.0.10.13
  inservice
rserver host windows
  ip address 10.0.10.14
  inservice

serverfarm host test
  rserver windows
    inservice
serverfarm host testing

class-map match-all ftpnat
  3 match port tcp eq ftp
  5 match source-address 10.0.10.14 255.255.255.255
class-map match-all icmp
  2 match any
class-map match-all nat
class-map match-all www
  3 match virtual-address 172.16.35.33 tcp any

policy-map type loadbalance first-match www
  class class-default
    serverfarm test

policy-map multi-match 80
  class www
    loadbalance vip inservice
    loadbalance policy www
    loadbalance vip icmp-reply
policy-map multi-match ftpnat
  class ftpnat
    nat static 172.16.35.108 netmask 255.255.255.255 vlan 172
    inspect ftp
policy-map multi-match icmp
  class icmp
    inspect icmp error
policy-map multi-match nat
  class nat
    nat static 172.16.35.107 netmask 255.255.255.255 vlan 172

service-policy input icmp

interface vlan 172
  ip address 172.16.35.32 255.255.255.128
  access-group input 2
  access-group output 2
  service-policy input 80
  no shutdown
interface vlan 302
  ip address 10.0.10.1 255.255.255.0
  access-group input 2
  access-group output 2
  service-policy input ftpnat
  service-policy input nat
  no shutdown

To see the problem, a traceroute needs to be initiated from the server behind the ACE (10.0.10.14) to any address on the Cisco network.
Can not view this .txt file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCsg95379&title=DDTS_History&ext=txt&type=FILE
Regards,
Olivier
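The two answers above make one point between them: an ACL line that permits ICMP lets the packet past the filter, but a UDP traceroute only works if the device can tie each inbound ICMP Time Exceeded back to the outbound UDP probe it complains about, un-translating the address quoted inside it when the server is NATed. The following Python is an added example, not code from the thread or from Cisco; it models that behaviour with a simplified stateful NAT gateway and is not a description of how the ACE implements "inspect icmp error" internally. The packet layouts follow RFC 791, 792 and 768 (checksums are left at zero). The addresses 10.0.10.14, 10.0.10.1 and 172.16.35.107 are taken from the configuration above; the outside router addresses, the traceroute target and the probe ports are constructed for the demonstration.

```python
"""Model: why 'permit icmp any any' alone does not make UDP traceroute work
through a stateful NAT gateway, and what ICMP error inspection adds.
Constructed example; not the ACE's implementation."""
import struct

ICMP, UDP = 1, 17
ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED = 3, 11
ICMP_ERRORS = (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def ipv4(src, dst, proto, payload, ttl):
    # Minimal IPv4 header: no options, header checksum left at zero (model only).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def parse(pkt):
    """(src, dst, proto, ttl, l4) for a packet with a 20-byte IPv4 header."""
    return (bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]),
            pkt[9], pkt[8], pkt[20:])


def udp_probe(src, sport, dst, dport, ttl):
    # Unix traceroute: UDP datagrams to a high, unused port, TTL = hop number.
    udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0) + b"\x00" * 32
    return ipv4(src, dst, UDP, udp, ttl)


def icmp_time_exceeded(router, probe):
    # RFC 792: the error quotes the offending IP header plus the first 8 bytes
    # of its payload, i.e. the whole UDP header, so the ports are recoverable.
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    return ipv4(router, parse(probe)[0], ICMP, icmp, 64)


def flow_key(pkt):
    """5-tuple (proto, src, sport, dst, dport); ports are 0 for non-UDP."""
    src, dst, proto, _, l4 = parse(pkt)
    sport, dport = struct.unpack("!HH", l4[:4]) if proto == UDP else (0, 0)
    return (proto, src, sport, dst, dport)


def acl_permits(pkt):
    # The thread's 'permit icmp any any', plus UDP so the probes can leave.
    return parse(pkt)[2] in (ICMP, UDP)


class Gateway:
    """Stateful NAT gateway between a server VLAN and the outside.  A packet
    passes only if the ACL permits it AND it belongs to a flow the gateway
    created from the inside (assumed behaviour of the model)."""

    def __init__(self, inside_ip, nat, inspect_icmp_error):
        self.inside_ip = inside_ip          # the servers' default gateway
        self.nat = nat                      # inside ip -> outside ip, static NAT
        self.rnat = {o: i for i, o in nat.items()}
        self.inspect = inspect_icmp_error
        self.flows = set()

    def outbound(self, pkt):
        """Inside -> outside: record the flow, translate the source address."""
        if not acl_permits(pkt):
            return None
        self.flows.add(flow_key(pkt))
        src = parse(pkt)[0]
        return pkt[:12] + ip_to_bytes(self.nat.get(src, src)) + pkt[16:]

    def inbound(self, pkt):
        """Outside -> inside: the packet as delivered, or None if dropped."""
        if not acl_permits(pkt):
            return None
        src, dst, proto, _, l4 = parse(pkt)
        inside_dst = self.rnat.get(dst, dst)
        if proto == ICMP and l4[0] in ICMP_ERRORS and self.inspect:
            # ICMP error inspection: the quoted inner header names the flow the
            # error is about.  Un-NAT its source, match it against the flow
            # table, then fix up the outer destination and the quoted address.
            inner = l4[8:]
            isrc = bytes_to_ip(inner[12:16])
            inner = inner[:12] + ip_to_bytes(self.rnat.get(isrc, isrc)) + inner[16:]
            if flow_key(inner) not in self.flows:
                return None
            return pkt[:16] + ip_to_bytes(inside_dst) + pkt[20:28] + inner
        # No inspection: the error is judged on its own 5-tuple.  The ACL passes
        # it, but the server's flow is UDP and this is ICMP from a third party,
        # so nothing matches and it is dropped: traceroute shows '* * *'.
        p, _, sport, _, dport = flow_key(pkt)
        return pkt if (p, inside_dst, dport, src, sport) in self.flows else None


def traceroute(gw, src, dst, path, max_hops=3):
    """UDP traceroute from an inside host.  `path` lists the outside routers
    that expire the probes beyond the gateway, one per hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = udp_probe(src, 33434, dst, 33434 + ttl, ttl)
        if ttl == 1:                       # the gateway itself is hop 1
            reply = icmp_time_exceeded(gw.inside_ip, probe)
        else:
            out = gw.outbound(probe)
            reply = gw.inbound(icmp_time_exceeded(path[ttl - 2], out))
        hops.append(parse(reply)[0] if reply else "*")
    return hops


if __name__ == "__main__":
    server, gw_ip, nat_ip = "10.0.10.14", "10.0.10.1", "172.16.35.107"
    routers = ["172.16.35.1", "192.0.2.1"]          # constructed outside hops
    for inspect in (False, True):
        gw = Gateway(gw_ip, {server: nat_ip}, inspect)
        print("inspect icmp error", inspect, traceroute(gw, server, "192.0.2.50", routers))
```

Run as a script it prints the two traces: without inspection only the gateway's own VLAN address appears and every later hop is `*`, which is the symptom reported above; with inspection the outside routers show up. The same logic applies to ICMP Destination Unreachable, which is how traceroute recognises the final hop, and to an ICMP-based traceroute (Windows tracert), where the quoted 8 bytes carry the echo request's identifier and sequence instead of UDP ports.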