Cisco IOS has a special feature called local policy routing, which permits to apply a route-map to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (and force it re-enter the router). Here’s an example. By default, locally-generated packets are not inspected by outgoing access-lists. This may cause issues when local traffic is not being reflected under relfexive access-list entries. Say with configuration like that:
! ! Reflect all "session-oriented" traffic ! ip access-list extended EGRESS permit tcp any any reflect MIRROR permit icmp any any reflect MIRROR permit udp any any reflect MIRROR ! ! Evalute the reflected entries ! ip access-list extended INGRESS evaluate MIRROR permit ospf any any ! interface Serial 0/0 ip address 220.127.116.11 255.255.255.0 ip access-group INGRESS in ip access-group EGRESS out
You would not be able to telnet out of a router to destinations behind the Serial interface, even though TCP sessions are reflected in access-list. To fix the issue, we may use local-policy to force the local traffic re-enter the router and be inspected by outgoing access-list:
! ! Redirect local telnet traffic via the Loopback interface ! ip access-list extended LOCAL_TRAFFIC permit tcp any any eq 23 ! route-map LOCAL_POLICY 10 match ip address LOCAL_TRAFFIC set interface Loopback0 ! ! Traffic sent to Loopback interface re-enters the router ! interface Loopback0 ip address 18.104.22.168 255.255.255.50 ! ! Apply the local-policy ! ip local policy route-map LOCAL_POLICY
With this configuration, local telnet session will re-enter the router and hit the outgoing access-list, thereby triggering a reflected entry. This same idea may be utilized to force CBAC inspection of locally-generated traffic, by since 12.3T there has been a special IOS feature to do this natively.
The other useful application of local policy routing is using it for traffic filtering. For example you may want to prohibit outgoing telnet sessions from local router to a certain destination:
ip access-list extended BLOCK_TELNET permit tcp any host 22.214.171.124 eq 23 ! route-map LOCAL_POLICY 10 match ip address BLOCK_TELNET set interface Null 0 ! ! Apply the local-policy ! ip local policy route-map LOCAL_POLICY
The syntax is somewhat similar to the vlan access-maps used on Catalyst switches, and similarly the route-map is applied “globally”, i.e. to all router traffic, going out on any interface. Note that you may use the same idea to block incoming session, simply by reversing entries in access-list. (e.g. “permit tcp any eq 23 host 126.96.36.199″). Best of all, with PBR you may apply additional criteria to incoming traffic, e.g. match packet sizes.
The last example is the use of local PBR to apply special treatment to management/control plane traffic – e.g. use different output interfaces for out-of-band management. With local PBR you may also apply special marking for control traffic, e.g. selectively assign IP precedence values.
ip access-list extended MANAGEMENT_TRAFFIC permit tcp any eq 23 any permit tcp any eq 22 any ! route-map LOCAL_POLICY 10 match ip address MANAGEMENT_TRAFFIC set interface Serial 0/1 set ip precedence 7 ! ip local policy route-map LOCAL_POLICY
Keep these simple features in mind, while considering options for you CCIE lab task solution.
About Petr Lapukhov, 4xCCIE/CCDE:
Petr Lapukhov's career in IT begain in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.
7 Responses to “Tricks with Local Policy Routing”
Leave a Reply