Posts Tagged ‘reflexive-acls’
Cisco IOS has a special feature called local policy routing, which allows a route-map to be applied to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (i.e. force it to re-enter the router). Here is an example. By default, locally-generated packets are not inspected by outgoing access-lists. This causes a problem with reflexive access-lists: local traffic never creates a reflected entry, so the return traffic is dropped by the inbound access-list. Say we have a configuration like this:
!
! Reflect all "session-oriented" traffic
!
ip access-list extended EGRESS
 permit tcp any any reflect MIRROR
 permit icmp any any reflect MIRROR
 permit udp any any reflect MIRROR
!
! Evaluate the reflected entries
!
ip access-list extended INGRESS
 evaluate MIRROR
 permit ospf any any
!
interface Serial 0/0
 ip address 22.214.171.124 255.255.255.0
 ip access-group INGRESS in
 ip access-group EGRESS out
You would not be able to telnet out of the router to destinations behind the Serial interface, even though TCP sessions are reflected in the access-list. To fix the issue, we may use local policy routing to force the local traffic to re-enter the router and be inspected by the outgoing access-list:
!
! Redirect local telnet traffic via the Loopback interface
!
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any eq 23
!
route-map LOCAL_POLICY 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! Traffic sent to the Loopback interface re-enters the router
!
interface Loopback0
 ip address 126.96.36.199 255.255.255.0
!
! Apply the local-policy
!
ip local policy route-map LOCAL_POLICY
With this configuration, local telnet sessions will re-enter the router and hit the outgoing access-list, thereby triggering a reflected entry. The same idea may be used to force CBAC inspection of locally-generated traffic, but since 12.3T there has been a dedicated IOS feature to do this natively.
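To make the forwarding behaviour concrete, here is an added Python model of the pipeline above (example code, not part of the original post): an EGRESS list that reflects sessions into MIRROR, an INGRESS list that evaluates MIRROR, and an optional local-policy step that re-circulates router-generated telnet. The remote host 10.0.0.9 and the ephemeral port 40000 are constructed values.

```python
"""Model of reflexive ACLs with and without local policy routing.
Constructed example; the router's Serial 0/0 address is taken from the post."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Router:
    local_ip: str
    local_policy: bool              # 'ip local policy route-map LOCAL_POLICY' present?
    mirror: set = field(default_factory=set)   # reflected entries (MIRROR)

    def egress_acl(self, p: Pkt) -> bool:
        # EGRESS: permit tcp/udp/icmp any any reflect MIRROR; implicit deny
        if p.proto in ("tcp", "udp", "icmp"):
            # the reflected entry is the reversed 5-tuple of the outgoing packet
            self.mirror.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        return False

    def ingress_acl(self, p: Pkt) -> bool:
        # INGRESS: evaluate MIRROR, then permit ospf any any; implicit deny
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.mirror:
            return True
        return p.proto == "ospf"

    def send_local(self, p: Pkt) -> None:
        # Router-generated traffic bypasses the outbound ACL. Only when the
        # local policy matches it (LOCAL_TRAFFIC = tcp any any eq 23) is it
        # sent to Loopback0, re-enters, and is then filtered like transit
        # traffic, which is when EGRESS gets to reflect it.
        if self.local_policy and p.proto == "tcp" and p.dport == 23:
            self.egress_acl(p)

def local_roundtrip(with_local_policy: bool, dport: int) -> bool:
    """Does the reply to a router-originated TCP session to 10.0.0.9:dport
    pass the inbound access-list?"""
    r = Router("22.214.171.124", with_local_policy)
    r.send_local(Pkt("tcp", r.local_ip, 40000, "10.0.0.9", dport))
    return r.ingress_acl(Pkt("tcp", "10.0.0.9", dport, r.local_ip, 40000))
```

Note that the model also shows the limit of the fix: LOCAL_TRAFFIC only matches telnet, so a locally-originated SSH session is still not reflected unless the access-list is widened.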
The other useful application of local policy routing is traffic filtering. For example, you may want to prohibit outgoing telnet sessions from the local router to a certain destination:
ip access-list extended BLOCK_TELNET
 permit tcp any host 188.8.131.52 eq 23
!
route-map LOCAL_POLICY 10
 match ip address BLOCK_TELNET
 set interface Null 0
!
! Apply the local-policy
!
ip local policy route-map LOCAL_POLICY
The syntax is somewhat similar to the VLAN access-maps used on Catalyst switches, and similarly the route-map is applied "globally", i.e. to all router-generated traffic, going out on any interface. Note that you may use the same idea to block incoming sessions, simply by reversing the entries in the access-list (e.g. "permit tcp any eq 23 host 184.108.40.206"), since this matches the router's own replies to the remote client. Best of all, with PBR you may apply additional criteria to the traffic, e.g. match packet sizes.
The last example is the use of local PBR to apply special treatment to management/control plane traffic, e.g. to use a different output interface for out-of-band management. With local PBR you may also apply special marking to control traffic, e.g. selectively assign IP precedence values:
ip access-list extended MANAGEMENT_TRAFFIC
 permit tcp any eq 23 any
 permit tcp any eq 22 any
!
route-map LOCAL_POLICY 10
 match ip address MANAGEMENT_TRAFFIC
 set interface Serial 0/1
 set ip precedence 7
!
ip local policy route-map LOCAL_POLICY
Keep these simple features in mind while considering options for your CCIE lab task solutions.