Cisco IOS has a special feature called local policy routing, which permits to apply a route-map to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (and force it re-enter the router). Here's an example. By default, locally-generated packets are not inspected by outgoing access-lists. This may cause issues when local traffic is not being reflected under relfexive access-list entries. Say with configuration like that:

!

! Reflect all "session-oriented" traffic

!

ip access-list extended EGRESS

 permit tcp any any reflect MIRROR

 permit icmp any any reflect MIRROR

 permit udp any any reflect MIRROR

!

! Evalute the reflected entries

!

ip access-list extended INGRESS

 evaluate MIRROR

 permit ospf any any

!

interface Serial 0/0

 ip address 54.1.1.6 255.255.255.0

 ip access-group INGRESS in

 ip access-group EGRESS out

You would not be able to telnet out of a router to destinations behind the Serial interface, even though TCP sessions are reflected in access-list. To fix the issue, we may use local-policy to force the local traffic re-enter the router and be inspected by outgoing access-list:

!

! Redirect local telnet traffic via the Loopback interface

!

ip access-list extended LOCAL_TRAFFIC

 permit tcp any any eq 23

!

route-map LOCAL_POLICY 10

 match ip address LOCAL_TRAFFIC

 set interface Loopback0

!

! Traffic sent to Loopback interface re-enters the router

!

interface Loopback0

 ip address 150.1.6.6 255.255.255.50
!

! Apply the local-policy

!

ip local policy route-map LOCAL_POLICY

With this configuration, local telnet session will re-enter the router and hit the outgoing access-list, thereby triggering a reflected entry. This same idea may be utilized to force CBAC inspection of locally-generated traffic, by since 12.3T there has been a special IOS feature to do this natively.

The other useful application of local policy routing is using it for traffic filtering. For example you may want to prohibit outgoing telnet sessions from local router to a certain destination:

ip access-list extended BLOCK_TELNET

 permit tcp any host 150.1.1.1 eq 23

!

route-map LOCAL_POLICY 10

 match ip address BLOCK_TELNET

 set interface Null 0
!

! Apply the local-policy

!

ip local policy route-map LOCAL_POLICY

The syntax is somewhat similar to the vlan access-maps used on Catalyst switches, and similarly the route-map is applied "globally", i.e. to all router traffic, going out on any interface. Note that you may use the same idea to block incoming session, simply by reversing entries in access-list. (e.g. "permit tcp any eq 23 host 150.1.1.1"). Best of all, with PBR you may apply additional criteria to incoming traffic, e.g. match packet sizes.

The last example is the use of local PBR to apply special treatment to management/control plane traffic - e.g. use different output interfaces for out-of-band management. With local PBR you may also apply special marking for control traffic, e.g. selectively assign IP precedence values.

ip access-list extended MANAGEMENT_TRAFFIC

 permit tcp any eq 23 any

 permit tcp any eq 22 any

!

route-map LOCAL_POLICY 10

 match ip address MANAGEMENT_TRAFFIC

 set interface Serial 0/1

 set ip precedence 7

!

ip local policy route-map LOCAL_POLICY

Keep these simple features in mind, while considering options for you CCIE lab task solution.