Local policy routemap with RACL

snarayanaraju
Level 4

Dear All,

I have configured "ip local policy route-map" as below to make the REFLEXIVE ACL work with the router's locally generated traffic. After configuring this I am able to telnet from the local router to the outside network. The config is below:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 218.248.17.114 255.255.255.0
 ip access-group OUTIN-SAIRAM in
 ip access-group INOUT-SAIRAM out
 half-duplex
!
ip access-list extended INOUT-SAIRAM
 permit icmp any any reflect SAIRAM
 permit tcp any any reflect SAIRAM
 permit udp any any reflect SAIRAM
ip access-list extended LOCALTRAFFIC-SAIRAM
 permit tcp any any eq telnet
ip access-list extended OUTIN
ip access-list extended OUTIN-SAIRAM
 permit eigrp any any
 evaluate SAIRAM
access-list 101 permit tcp any any eq telnet
!
route-map LOCAL-SAIRAM permit 10
 match ip address LOCALTRAFFIC-SAIRAM
 set interface Loopback0
!
ip local policy route-map LOCAL-SAIRAM

The debug output when I telnet to a remote device from the local router:

*Mar 1 00:42:59.539: IP: tableid=0, s=218.248.17.114 (Loopback0), d=218.248.17.113 (Ethernet0/1), routed via RIB
*Mar 1 00:42:59.543: IP: s=218.248.17.114 (Loopback0), d=218.248.17.113 (Ethernet0/1), g=218.248.17.113, len 44, forward

I want to know how this workaround really works, because in the debug output I am seeing the SOURCE IP address as the Eth0/1 interface address and not the loopback interface address. What does this LOCAL POLICY ROUTE-MAP do in this scenario, and how does the locally generated traffic flow?

Thanks in advance

Sairam

Accepted Solution

Sairam,

I have read the article you have referenced in your last reply. A nice one :) However, the point of that article was slightly different: they tried to demonstrate that the locally generated traffic is not subject to outbound ACLs placed on interfaces. In order to make it actually go through an outbound ACL, they have "recirculated" it through a loopback interface. The ACL used in that route-map is just to select the traffic that should be recirculated, otherwise, all packets would be resent to the loopback.

It is true that when the traffic is recirculated, it will go through the outbound ACL, in which case the "reflect SAIRAM" keyword is not necessary in the route-map's ACL.

Best regards,

Peter


3 Replies

Peter Paluch
Cisco Employee

Sairam,

Obviously, when a router generates a packet, its source address is determined by a lookup in the routing table before considering the route-map associated with the control plane. That is why even with the route-map setting the next-hop interface to Lo0, the actual packet's source is set to the IP address of the interface through which the packet would normally be sent out.

Moreover, you have a slight error in your ACL LOCALTRAFFIC-SAIRAM. The "permit" line does not contain the words "reflect SAIRAM". Therefore, the outgoing Telnet connection is not reflected into the reflexive ACL by this ACL. Still, you have written that you are able to telnet to outside routers. I assume that it is because all your packets make a (mostly unnecessary) extra hop out the Lo0 interface. Because of that extra hop, they are received by your router as new packets and thereby they are not considered anymore as self-originated. Therefore, they are subject to the outbound ACL on the Eth0/1 interface that reflects the details to the reflexive ACL. I suspect that if you remove the "set interface" in your route-map, you will not be able to telnet to outside routers until you correct your LOCALTRAFFIC-SAIRAM ACL.

Give it a try.

Best regards,

Peter

Hi,

Thanks for your comment. As you understood, it is working when I include the "set interface loop 0" command in the configuration and stops working if I remove it.

In fact I tried this config after seeing the article at the link below. Please refer to

http://blog.ine.com//tag/policy-routing/

Here also they have not added the "reflect SAIRAM" keyword in the ACL. I believe the LOCALTRAFFIC-SAIRAM ACL is only there to identify the outgoing telnet traffic.

Please give your feedback

Sairam

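To make the packet path Peter describes concrete, here is an added Python model (not Cisco code, and not from the original thread) of a router carrying the thread's ACLs: self-originated packets skip the outbound interface ACL, a telnet packet matched by LOCAL-SAIRAM is recirculated and comes back as transit traffic, and only then does "reflect SAIRAM" on INOUT-SAIRAM create the entry that "evaluate SAIRAM" on OUTIN-SAIRAM needs to admit the reply. The addresses are the thread's; the port numbers and the simplified mirrored-5-tuple match are assumptions.

```python
from dataclasses import dataclass, field

WAN_ADDR = "218.248.17.114"   # Eth0/1 address from the thread; chosen from the RIB
PEER = "218.248.17.113"       # remote telnet server seen in the debug output

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    self_originated: bool = True

@dataclass
class Router:
    recirculate: bool = True                      # "set interface Loopback0" present?
    reflexive: set = field(default_factory=set)   # dynamic entries of reflexive ACL SAIRAM

    def local_policy(self, p: Packet) -> None:
        # route-map LOCAL-SAIRAM: match LOCALTRAFFIC-SAIRAM (tcp any any eq telnet),
        # set interface Loopback0. The source stays WAN_ADDR because it was picked
        # from the RIB before the route-map ran; the re-received copy is transit traffic.
        if self.recirculate and p.proto == "tcp" and p.dport == 23:
            p.self_originated = False

    def outbound_acl(self, p: Packet) -> bool:
        # INOUT-SAIRAM on Eth0/1 out: permit icmp/tcp/udp any any reflect SAIRAM
        if p.proto in ("icmp", "tcp", "udp"):
            self.reflexive.add((p.proto, p.dst, p.dport, p.src, p.sport))  # mirrored tuple
            return True
        return False

    def inbound_acl(self, p: Packet) -> bool:
        # OUTIN-SAIRAM on Eth0/1 in: permit eigrp any any, then evaluate SAIRAM
        if p.proto == "eigrp":
            return True
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.reflexive

    def send(self, p: Packet) -> bool:
        self.local_policy(p)
        if p.self_originated:
            return True   # locally generated packets bypass outbound interface ACLs
        return self.outbound_acl(p)

def telnet_reply_accepted(recirculate: bool) -> bool:
    # Router opens a telnet SYN (assumed ephemeral port 40000); peer's SYN/ACK hits the inbound ACL.
    r = Router(recirculate=recirculate)
    r.send(Packet("tcp", WAN_ADDR, 40000, PEER, 23))
    reply = Packet("tcp", PEER, 23, WAN_ADDR, 40000, self_originated=False)
    return r.inbound_acl(reply)
```

With recirculation the reply is admitted; without "set interface Loopback0" the reflexive ACL stays empty and the same reply is dropped, which is the behaviour Sairam observed.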
