Feb 13

Cisco IOS has a special feature called local policy routing, which permits applying a route-map to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (and force it to re-enter the router). Here’s an example. By default, locally-generated packets are not inspected by outgoing access-lists. This causes issues when local traffic is never reflected into reflexive access-list entries. Say we have a configuration like this:


!
! Reflect all "session-oriented" traffic
!
ip access-list extended EGRESS
 permit tcp any any reflect MIRROR
 permit icmp any any reflect MIRROR
 permit udp any any reflect MIRROR
!
! Evaluate the reflected entries
!
ip access-list extended INGRESS
 evaluate MIRROR
 permit ospf any any
!
interface Serial 0/0
 ip address 54.1.1.6 255.255.255.0
 ip access-group INGRESS in
 ip access-group EGRESS out

You would not be able to telnet out of the router to destinations behind the Serial interface, even though TCP sessions are reflected in the access-list. To fix the issue, we may use local policy to force the local traffic to re-enter the router and be inspected by the outgoing access-list:


!
! Redirect local telnet traffic via the Loopback interface
!
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any eq 23
!
route-map LOCAL_POLICY 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! Traffic sent to Loopback interface re-enters the router
!
interface Loopback0
 ip address 150.1.6.6 255.255.255.0

!
! Apply the local-policy
!
ip local policy route-map LOCAL_POLICY

With this configuration, local telnet sessions will re-enter the router and hit the outgoing access-list, thereby triggering a reflected entry. The same idea may be used to force CBAC inspection of locally-generated traffic, but since 12.3T there has been a special IOS feature to do this natively.

The other useful application of local policy routing is traffic filtering. For example, you may want to prohibit outgoing telnet sessions from the local router to a certain destination:


ip access-list extended BLOCK_TELNET
 permit tcp any host 150.1.1.1 eq 23
!
route-map LOCAL_POLICY 10
 match ip address BLOCK_TELNET
 set interface Null 0

!
! Apply the local-policy
!
ip local policy route-map LOCAL_POLICY

The syntax is somewhat similar to the VLAN access-maps used on Catalyst switches, and similarly the route-map is applied “globally”, i.e. to all router traffic going out on any interface. Note that you may use the same idea to block incoming sessions, simply by reversing the entries in the access-list (e.g. “permit tcp any eq 23 host 150.1.1.1”). Best of all, with PBR you may apply additional criteria to the traffic, e.g. match packet sizes.

The last example is the use of local PBR to apply special treatment to management/control plane traffic – e.g. use different output interfaces for out-of-band management. With local PBR you may also apply special marking for control traffic, e.g. selectively assign IP precedence values.


ip access-list extended MANAGEMENT_TRAFFIC
 permit tcp any eq 23 any
 permit tcp any eq 22 any
!
route-map LOCAL_POLICY 10
 match ip address MANAGEMENT_TRAFFIC
 set interface Serial 0/1
 set ip precedence 7
!
ip local policy route-map LOCAL_POLICY
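To make the forwarding decisions behind the three snippets above concrete, here is a small Python model of them. It is an added example, not code from the post or from Cisco, and it deliberately simplifies IOS: router-generated packets skip the outbound ACL unless local policy recirculates them through Loopback0, `set interface Null0` drops, and `set ip precedence` marks. The addresses are the ones from the post's snippets except 10.0.0.5, which is a constructed management host; the `Router`, `Ace` and `Packet` classes are this example's own names.

```python
"""Toy model of Cisco IOS local policy routing (constructed example).

It shows why a reflexive ACL never sees a router-originated telnet session
unless local policy recirculates it, how 'set interface Null0' black-holes
selected local sessions, and how management traffic can be steered and marked.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # 'tcp', 'udp', 'icmp', 'ospf'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    precedence: int = 0


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any host 150.1.1.1 eq 23'."""
    proto: str
    src: str = "any"                # 'any', a host address or a CIDR
    dst: str = "any"
    sport: Optional[int] = None     # 'eq' on the source port
    dport: Optional[int] = None     # 'eq' on the destination port
    reflect: Optional[str] = None   # reflexive list to populate on match
    evaluate: Optional[str] = None  # reflexive list to consult instead

    @staticmethod
    def _in(addr: str, spec: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet, mirrors: dict) -> bool:
        if self.evaluate is not None:
            # 'evaluate MIRROR': permit only the reverse of a session seen leaving
            return (p.proto, p.dst, p.src, p.dport, p.sport) in mirrors.get(self.evaluate, set())
        return (self.proto in ("ip", p.proto)
                and self._in(p.src, self.src) and self._in(p.dst, self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class Router:
    egress: list                                       # ACL applied 'out' on Serial0/0
    ingress: list                                      # ACL applied 'in' on Serial0/0
    local_policy: list = field(default_factory=list)   # (match ACL, set interface, set precedence)
    mirrors: dict = field(default_factory=dict)        # reflexive lists: name -> set of 5-tuples

    def _acl(self, acl, p: Packet) -> bool:
        """First-match evaluation; a 'reflect' entry records the session. Implicit deny."""
        for ace in acl:
            if ace.matches(p, self.mirrors):
                if ace.reflect:
                    self.mirrors.setdefault(ace.reflect, set()).add(
                        (p.proto, p.src, p.dst, p.sport, p.dport))
                return True
        return False

    def transit(self, p: Packet, out_if: str = "Serial0/0"):
        """Normal forwarding path: the outbound ACL is enforced."""
        return ("sent", out_if, p.precedence) if self._acl(self.egress, p) else ("dropped", "EGRESS")

    def originate(self, p: Packet):
        """Router-generated packet: outbound ACL skipped unless local policy intervenes."""
        for acl, set_if, set_prec in self.local_policy:
            if self._acl(acl, p):
                if set_prec is not None:
                    p = Packet(p.proto, p.src, p.dst, p.sport, p.dport, set_prec)
                if set_if == "Null0":
                    return ("dropped", "Null0")
                if set_if == "Loopback0":
                    return self.transit(p)      # re-enters and takes the transit path
                return ("sent", set_if or "Serial0/0", p.precedence)
        return ("sent", "Serial0/0", p.precedence)  # bypasses the outbound ACL

    def receive(self, p: Packet) -> str:
        """Packet arriving on Serial0/0 is checked by the inbound ACL."""
        return "permitted" if self._acl(self.ingress, p) else "denied"


# The post's access-lists, transcribed into Ace entries
EGRESS = [Ace("tcp", reflect="MIRROR"), Ace("icmp", reflect="MIRROR"), Ace("udp", reflect="MIRROR")]
INGRESS = [Ace("ip", evaluate="MIRROR"), Ace("ospf")]
LOCAL_TRAFFIC = [Ace("tcp", dport=23)]
BLOCK_TELNET = [Ace("tcp", dst="150.1.1.1", dport=23)]
MANAGEMENT_TRAFFIC = [Ace("tcp", sport=23), Ace("tcp", sport=22)]


def telnet_out(policy):
    """Router telnets to 54.1.1.1; returns (fate of the SYN, fate of the returning SYN-ACK)."""
    r = Router(EGRESS, INGRESS, policy)
    syn = Packet("tcp", "54.1.1.6", "54.1.1.1", 11000, 23)
    synack = Packet("tcp", "54.1.1.1", "54.1.1.6", 23, 11000)
    return r.originate(syn)[0], r.receive(synack)


def local_send(policy, proto, dst, sport, dport):
    """Fate of one router-generated packet under the given local policy."""
    return Router(EGRESS, INGRESS, policy).originate(Packet(proto, "54.1.1.6", dst, sport, dport))


if __name__ == "__main__":
    print("no local policy:   ", telnet_out([]))
    print("recirculated:      ", telnet_out([(LOCAL_TRAFFIC, "Loopback0", None)]))
    print("telnet to blocked: ", local_send([(BLOCK_TELNET, "Null0", None)], "tcp", "150.1.1.1", 11000, 23))
    print("ssh reply, marked: ", local_send([(MANAGEMENT_TRAFFIC, "Serial0/1", 7)], "tcp", "10.0.0.5", 22, 40000))
```

Running it shows the failure mode from the first section directly: without local policy the SYN leaves but creates no MIRROR entry, so the SYN-ACK is denied by INGRESS; with the Loopback0 recirculation the same SYN takes the transit path, is reflected, and the reply is permitted. The Null0 and management cases only affect packets that match their ACLs; everything else still takes the default path with precedence 0.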

Keep these simple features in mind while considering options for your CCIE lab task solutions.

About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.




7 Responses to “Tricks with Local Policy Routing”

 
  1. Azher says:

    Hi,

    I was trying to implement local policy for telnet using the above example, however I get this message:

    R12(config-route-map)#set interface lo0
    % route-map:can not set interface.
    % Use P2P interfaces for set interface clause

    I am running C3640 12.4(19) on dynamips. Can you explain why this error occurs and what alternative can be used to achieve local policy?

    Thanks

  2. Armand says:

    Hi!

    Are there more references, examples and more information to deal with tricky ip local policy outside of Cisco CCO?
    Thanks!

  3. Xavier B. says:

    ‘set interface lo0’ in a route-map is now deprecated:

    (config-route-map)#set int lo0
    % route-map:can not set interface.
    % Use P2P interfaces for set interface clause

    Workaround: “set ip next-hop” in the route-map

  4. Meki Chan says:

    hi, thank you for this great information

    Regards,
    Meki Chan
    Cisco Trick

  5. Sergio Polizer says:

    Hi, in the voice world this is necessary to mark Gatekeeper-originated traffic.
    Let’s see how it is done:

    ip access-list extended acl-mark-gk
    permit udp any range 1718 1720 any
    permit ip any any
    !
    route-map LOCAL_TRAFFIC
    match ip address acl-mark-gk
    set ip precedence flash

    ip local policy route-map LOCAL_TRAFFIC

  6. Hello Petr,

    I wonder if you can tell me whether there is a way to make local route-map applied to the incoming traffic going to the local addresses?

    Regards,
    Alex

  7. [...] network as well. I found a good link at INE regarding a possible use of this technology here. [...]
