09-09-2009 01:58 AM
Hello,
I'm using an ACE4710 as load balancer.
I have 3 interfaces:
INTERNET 10.47.100.249 255.255.255.0
INTRANET 10.47.99.240 255.255.255.0
PROXY 10.47.98.240 255.255.255.0
Traffic coming from INTRANET is balanced on interface PROXY if it is HTTP.
The routing table is:
0.0.0.0 10.47.100.190
10.44.0.0/14 10.47.99.254
!
When I issue a tracert to, e.g., www.cisco.com:
tracert www.cisco.com
www.cisco.com [198.133.219.25]
my.router.com [10.47.2.234]
www.cisco.com [198.133.219.25]
www.cisco.com [198.133.219.25]
www.cisco.com [198.133.219.25]
www.cisco.com [198.133.219.25]
etc.
It seems that once the ICMP ECHO TTL Exceeded reply passes through the ACE, instead of sending the ECHO TTL Exceeded with its own IP as the source, the ACE is sending back the source IP of the requested destination, in this case www.cisco.com. Is that correct?
09-09-2009 05:01 AM
That's a security feature to prevent people from learning the network topology with traceroute.
To make it work, you need to enable ICMP inspection.
Create a class-map to match icmp traffic.
Then, under a multi-match policy and the ICMP class-map, configure 'inspect icmp error'.
Gilles.
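To make the behaviour discussed in this thread concrete, here is an added example (not from the original thread and not Cisco ACE code): it builds an ICMP Time Exceeded packet the way a router would, models the source-address rewrite described above (outer source replaced by the destination quoted in the embedded header, so every hop appears to be the destination), and flags that symptom in tracert output. The addresses, the router name and the tracert lines are constructed to mirror the original post; how the real ACE performs the rewrite internally is not documented here, so the rewrite function is a model, not a reimplementation.

```python
import re
import struct
import ipaddress


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (pads odd-length input)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def verify_ipv4_checksum(packet: bytes) -> bool:
    """A valid header sums to zero when the checksum field itself is included."""
    ihl = (packet[0] & 0x0F) * 4
    return checksum(packet[:ihl]) == 0


def build_time_exceeded(router: str, original_packet: bytes) -> bytes:
    """ICMP type 11 / code 0, quoting the original IP header plus 8 bytes, as a router sends it."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + original_packet[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    original_sender = str(ipaddress.IPv4Address(original_packet[12:16]))
    return build_ipv4(router, original_sender, 1, icmp)


def parse_icmp_error(packet: bytes) -> dict:
    """Outer src/dst, ICMP type/code, and src/dst of the quoted (inner) header."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    inner = icmp[8:]
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "type": icmp[0],
        "code": icmp[1],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def rewrite_error_source_like_ace(packet: bytes) -> bytes:
    """Model (assumption, not ACE code) of the rewrite the thread describes: the outer
    source of the ICMP error becomes the destination quoted in the inner header, and the
    IPv4 header checksum is recomputed so the packet stays valid on the wire."""
    info = parse_icmp_error(packet)
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:12] + ipaddress.IPv4Address(info["inner_dst"]).packed + packet[16:ihl]
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + packet[ihl:]


IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops_masked_by_destination(tracert_lines, destination_ip: str):
    """1-based hop numbers (excluding the final hop) that report the destination's
    address: the symptom shown in the original tracert."""
    hops = [m.group(1) for line in tracert_lines for m in [IP_IN_BRACKETS.search(line)] if m]
    return [i + 1 for i, ip in enumerate(hops[:-1]) if ip == destination_ip]


# Constructed sample data mirroring the post (not captured traffic).
PROBE = build_ipv4("10.47.99.10", "198.133.219.25", 1,
                   struct.pack("!BBHHH", 8, 0, 0, 1, 1), ttl=1)
ROUTER_REPLY = build_time_exceeded("10.47.2.234", PROBE)
MASKED_REPLY = rewrite_error_source_like_ace(ROUTER_REPLY)
SAMPLE_TRACERT = [
    "www.cisco.com [198.133.219.25]",
    "my.router.com [10.47.2.234]",
    "www.cisco.com [198.133.219.25]",
    "www.cisco.com [198.133.219.25]",
]

if __name__ == "__main__":
    print("router reply:", parse_icmp_error(ROUTER_REPLY))
    print("after rewrite:", parse_icmp_error(MASKED_REPLY))
    print("hops reporting the destination:", hops_masked_by_destination(SAMPLE_TRACERT, "198.133.219.25"))
```

Note that the quoted inner header is untouched by the rewrite: the original sender and destination are still recoverable from it, which is what an ICMP-error inspection has to look at to map the error back to the right flow.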
09-10-2009 06:27 AM
I tried that but it is not working.
!
access-list icmp_traffic line 10 extended permit icmp any any
!
class-map match-any ICMP_traffic
description ip inspect ICMP
2 match access-list icmp_traffic
!
policy-map multi-match L4_SLB_POLICY
class L4_WEB_TRAFFIC
loadbalance vip inservice
loadbalance policy HTTP_SLB_POLICY
class ICMP_traffic
inspect icmp error
!
and I also did
interface vlan 950
no normalization
no icmp-guard
interface vlan 953
no normalization
no icmp-guard
interface vlan 954
no normalization
no icmp-guard
!
The ACE seems to always replace the IP header address of the error packet.