Re: Traceroute through the ACE

shday · ‎02-04-2011

Is there a way to build an ACL or a security feature that I can turn off that will allow servers that are loadbalanced by the ACE to traceroute through the ACE to networks outside the ACE module?

Daniel Arrondo Ostiz · ‎02-07-2011

Hi,

In order to allow traceroute through the ACE, you would just need to add an ACL allowing ICMP and apply it on the interface where the traffic will be generated (if I understood correctly, the server vlan)

For more information on how to create this ACL, please refer to the official documentation:

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/acl.html

Regards

Daniel

shday · ‎02-07-2011

I already have the following access-list applied to all my interfaces.

access-list ALL line 6 extended permit icmp any any

Is there something more I need to do? Currently when we traceroute from a vlan behind the ACE the only address we pickup in the trace is the ACE vlan interface which is the servers default gateway.

ohynderi · ‎02-07-2011

Be carfull that tracerout can either use udp or icmp. What kind of server do you have? If not mistaken, you have as well to enable inspect icmp error.

So for instance:

access-list 102 line 10 extended permit icmp any any

class-map match-all icmp_traffic
  2 match access-list 102

policy-map multi-match icmp_inspect
  class icmp_traffic
    inspect icmp error

interface vlan 540
  service-policy input icmp_inspect

Regards,

Olivier