Local policy routemap with RACL

Answered Question
Jul 28th, 2009

Dear All,

I have configured "ip local policy route-map" as below to make the REFLEXIVE ACL work with router-locally generated traffic. After configuring this I am able to telnet from the local router to the outside network. The config is below:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 218.248.17.114 255.255.255.0
 ip access-group OUTIN-SAIRAM in
 ip access-group INOUT-SAIRAM out
 half-duplex
!
ip access-list extended INOUT-SAIRAM
 permit icmp any any reflect SAIRAM
 permit tcp any any reflect SAIRAM
 permit udp any any reflect SAIRAM
ip access-list extended LOCALTRAFFIC-SAIRAM
 permit tcp any any eq telnet
ip access-list extended OUTIN
ip access-list extended OUTIN-SAIRAM
 permit eigrp any any
 evaluate SAIRAM
access-list 101 permit tcp any any eq telnet
!
route-map LOCAL-SAIRAM permit 10
 match ip address LOCALTRAFFIC-SAIRAM
 set interface Loopback0
!
ip local policy route-map LOCAL-SAIRAM

The debug output when I telnet to a remote device from the local router:

*Mar 1 00:42:59.539: IP: tableid=0, s=218.248.17.114 (Loopback0), d=218.248.17.113 (Ethernet0/1), routed via RIB
*Mar 1 00:42:59.543: IP: s=218.248.17.114 (Loopback0), d=218.248.17.113 (Ethernet0/1), g=218.248.17.113, len 44, forward

I want to know how this workaround really works, because in the debug output I am seeing the SOURCE IP address of the Eth0/1 interface and not of the loopback interface. What does this LOCAL POLICY ROUTE-MAP do in this scenario, and how does the locally generated traffic flow?

Thanks in advance

Sairam

Peter Paluch Tue, 07/28/2009 - 15:51

Sairam,

Obviously, when a router generates a packet, its source address is determined by a lookup in the routing table before considering the route-map associated with the control plane. That is why even with the route-map setting the next-hop interface to Lo0, the actual packet's source is set to the IP address of the interface through which the packet would normally be sent out.

Moreover, you have a slight error in your ACL LOCALTRAFFIC-SAIRAM. The "permit" line does not contain the words "reflect SAIRAM". Therefore, the outgoing Telnet connection is not reflected into the reflexive ACL by this ACL. Still, you have written that you are able to telnet to outside routers. I assume that it is because all your packets make a (mostly unnecessary) extra hop out the Lo0 interface. Because of that extra hop, they are received by your router as new packets and thereby they are no longer considered self-originated. Therefore, they are subject to the outbound ACL on the Eth0/1 interface that reflects the details into the reflexive ACL. I suspect that if you remove the "set interface" in your route-map, you will not be able to telnet to outside routers until you correct your LOCALTRAFFIC-SAIRAM ACL.

Give it a try.

Best regards,

Peter

snarayanaraju Tue, 07/28/2009 - 20:30

Hi,

Thanks for your comment. As you understood, it is working when I include the "set interface loop 0" command in the configuration and stops working if I remove it.

In fact I tried this config after seeing the article at the link below. Please refer to

http://blog.ine.com//tag/policy-routing/

Here also they have not added the "reflect SAIRAM" keyword in the ACL. I believe the "LOCALTRAFFIC-SAIRAM" ACL is only there to identify the outgoing telnet traffic.

Please give your feedback

Sairam

Correct Answer
Peter Paluch Wed, 07/29/2009 - 00:09

Sairam,

I have read the article you have referenced in your last reply. A nice one :) However, the point of that article was slightly different: they tried to demonstrate that the locally generated traffic is not subject to outbound ACLs placed on interfaces. In order to make it actually go through an outbound ACL, they have "recirculated" it through a loopback interface. The ACL used in that route-map is just to select the traffic that should be recirculated, otherwise, all packets would be resent to the loopback.

It is true that when the traffic is recirculated, it will go through the outbound ACL, in which case the "reflect SAIRAM" keyword is not necessary in the route-map's ACL.

Best regards,

Peter
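To make the recirculation that Peter describes concrete, here is an added Python model of the packet path through this thread's ACLs (it is not IOS code and not from the thread). The 5-tuple reflexive entry, the assumed Telnet source port 40000 and the constructed SYN/SYN-ACK pair are simplifications of mine; the point shown is that only the recirculated packet populates the reflexive ACL, so only then does the return packet pass "evaluate SAIRAM".

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    """Eth0/1 faces the outside; Loopback0 is only used to recirculate packets."""
    reflexive: set = field(default_factory=set)  # dynamic entries of reflexive ACL SAIRAM
    recirculate: bool = True  # True = route-map LOCAL-SAIRAM has "set interface Loopback0"

    def inout_sairam(self, p):
        """Outbound ACL on Eth0/1: permit icmp/tcp/udp any any reflect SAIRAM."""
        if p.proto not in ("icmp", "tcp", "udp"):
            return False
        self.reflexive.add((p.proto, p.dst, p.dport, p.src, p.sport))  # mirrored 5-tuple
        return True

    def outin_sairam(self, p):
        """Inbound ACL on Eth0/1: permit eigrp any any, then evaluate SAIRAM (implicit deny)."""
        if p.proto == "eigrp":
            return True
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.reflexive

    def send_local(self, p):
        """Router-originated packet. Its source address was already picked from the RIB
        (218.248.17.114 on Eth0/1), which is what the debug output in the thread shows."""
        if self.recirculate and p.proto == "tcp" and p.dport == 23:
            # LOCALTRAFFIC-SAIRAM matched: the packet goes to Loopback0 and comes back
            # as a transit packet, so the outbound ACL on Eth0/1 is now consulted.
            return self.inout_sairam(p)
        return True  # plain locally generated traffic bypasses interface outbound ACLs


def telnet_roundtrip(recirculate):
    """Returns (SYN sent, SYN-ACK accepted) for a Telnet session to 218.248.17.113."""
    r = Router(recirculate=recirculate)
    syn = Pkt("tcp", "218.248.17.114", 40000, "218.248.17.113", 23)  # constructed sample
    synack = Pkt("tcp", "218.248.17.113", 23, "218.248.17.114", 40000)
    sent = r.send_local(syn)
    return sent, r.outin_sairam(synack)
```

With "set interface Loopback0" the round trip returns (True, True); without it the SYN still leaves but the reply is dropped, (True, False), matching what Sairam observed.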
