07-28-2009 12:09 PM - edited 03-04-2019 05:34 AM
Dear All,
I have configured "ip local policy route-map" as below to make the
reflexive ACL work with the router's locally generated traffic. After configuring
this I am able to telnet from the local router to the outside network. The
config is below:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 218.248.17.114 255.255.255.0
 ip access-group OUTIN-SAIRAM in
 ip access-group INOUT-SAIRAM out
 half-duplex
ip access-list extended INOUT-SAIRAM
 permit icmp any any reflect SAIRAM
 permit tcp any any reflect SAIRAM
 permit udp any any reflect SAIRAM
ip access-list extended LOCALTRAFFIC-SAIRAM
 permit tcp any any eq telnet
ip access-list extended OUTIN
ip access-list extended OUTIN-SAIRAM
 permit eigrp any any
 evaluate SAIRAM
access-list 101 permit tcp any any eq telnet
!
route-map LOCAL-SAIRAM permit 10
 match ip address LOCALTRAFFIC-SAIRAM
 set interface Loopback0
ip local policy route-map LOCAL-SAIRAM
The debug output when I telnet to a remote device from the local router:
*Mar 1 00:42:59.539: IP: tableid=0, s=218.248.17.114 (Loopback0), d=218.248.17.113 (Ethernet0/1), routed via RIB
*Mar 1 00:42:59.543: IP: s=218.248.17.114 (Loopback0), d=218.248.17.113 (Ethernet0/1), g=218.248.17.113, len 44, forward
I want to know how this workaround really works, because in the debug output
I am seeing the source IP address as the Eth0/1 interface address and not the loopback
interface address. What does this local policy route-map do in this scenario, and how does the
locally generated traffic flow?
Thanks in advance
Sairam
07-29-2009 12:09 AM
Sairam,
I have read the article you have referenced in your last reply. A nice one :) However, the point of that article was slightly different: they tried to demonstrate that the locally generated traffic is not subject to outbound ACLs placed on interfaces. In order to make it actually go through an outbound ACL, they have "recirculated" it through a loopback interface. The ACL used in that route-map is just to select the traffic that should be recirculated, otherwise, all packets would be resent to the loopback.
It is true that when the traffic is recirculated, it will go through the outbound ACL, in which case the "reflect SAIRAM" keyword is not necessary in the route-map's ACL.
Best regards,
Peter
07-28-2009 03:51 PM
Sairam,
Obviously, when a router generates a packet, its source address is determined by a lookup in the routing table before considering the route-map associated with the control plane. That is why even with the route-map setting the next-hop interface to Lo0, the actual packet's source is set to the IP address of the interface through which the packet would normally be sent out.
Moreover, you have a slight error in your ACL LOCALTRAFFIC-SAIRAM. The "permit" line does not contain the words "reflect SAIRAM". Therefore, the outgoing Telnet connection is not reflected into the reflexive ACL by this ACL. Still, you have written that you are able to telnet to outside routers. I assume that it is because all your packets make a (mostly unnecessary) extra hop out the Lo0 interface. Because of that extra hop, they are received by your router as new packets and thereby they are not considered anymore as self-originated. Therefore, they are subject to the outbound ACL on the Eth0/1 interface that reflects the details to the reflexive ACL. I suspect that if you remove the "set interface" in your route-map, you will not be able to telnet to outside routers until you correct your LOCALTRAFFIC-SAIRAM ACL.
Give it a try.
Best regards,
Peter
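To make the packet path Peter describes in both of his replies concrete, here is a small Python model added by the editor; it is not code from the thread and not Cisco's code. It models the thread's own ACLs (INOUT-SAIRAM with reflect, OUTIN-SAIRAM with evaluate, LOCALTRAFFIC-SAIRAM as the route-map match) and the two cases Peter contrasts: the router-originated Telnet recirculated via Loopback0, and the same Telnet without "set interface". Assumptions, which hold for this model only: a reflexive entry is a plain 5-tuple with no timeout, TCP flags are ignored, the recirculation is a single direct pass through the outbound ACL, and the port number 11001 is a made-up ephemeral port.

```python
# Added illustration (not from the thread, not Cisco code) of the IOS packet
# path described above. Model-only assumptions: reflexive entries are plain
# 5-tuples without timeouts, TCP flags are ignored, and recirculation through
# Loopback0 is one direct transit pass through the outbound ACL.
from dataclasses import dataclass, field

ETH01_IP = "218.248.17.114"   # Ethernet0/1 address from the thread's config
REMOTE_IP = "218.248.17.113"  # remote device from the thread's debug output


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp" or "eigrp"
    src: str
    sport: int   # 0 for protocols without ports
    dst: str
    dport: int


@dataclass
class ReflexiveAcl:
    """State created by 'reflect SAIRAM' and consumed by 'evaluate SAIRAM'."""
    entries: set = field(default_factory=set)

    def reflect(self, pkt: Packet) -> None:
        self.entries.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def evaluate(self, pkt: Packet) -> bool:
        # Return traffic is the mirror image of the reflected outbound packet.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.entries


class Router:
    def __init__(self, recirculate_via_loopback: bool):
        self.recirc = recirculate_via_loopback   # is 'set interface Loopback0' present?
        self.sairam = ReflexiveAcl()
        self.log: list[str] = []

    # ip access-list extended INOUT-SAIRAM (applied outbound on Eth0/1)
    def inout_sairam(self, pkt: Packet) -> bool:
        if pkt.proto in ("icmp", "tcp", "udp"):
            self.sairam.reflect(pkt)
            return True
        return False   # implicit deny

    # ip access-list extended OUTIN-SAIRAM (applied inbound on Eth0/1)
    def outin_sairam(self, pkt: Packet) -> bool:
        if pkt.proto == "eigrp":
            return True
        return self.sairam.evaluate(pkt)   # implicit deny after evaluate

    # ip access-list extended LOCALTRAFFIC-SAIRAM (route-map match, no reflect)
    def local_policy_matches(self, pkt: Packet) -> bool:
        return pkt.proto == "tcp" and pkt.dport == 23

    def send_locally_generated(self, pkt: Packet) -> bool:
        """A packet the router itself originates toward Ethernet0/1."""
        if self.recirc and self.local_policy_matches(pkt):
            # Policy-routed to Loopback0: it comes back as a transit packet,
            # so it is now subject to the outbound ACL on Eth0/1.
            self.log.append("local policy: recirculated via Loopback0")
            return self.forward_transit(pkt)
        self.log.append("locally generated: outbound ACL on Eth0/1 bypassed")
        return True

    def forward_transit(self, pkt: Packet) -> bool:
        ok = self.inout_sairam(pkt)
        self.log.append(f"INOUT-SAIRAM {'permit' if ok else 'deny'} {pkt.proto}")
        return ok

    def receive_on_eth01(self, pkt: Packet) -> bool:
        ok = self.outin_sairam(pkt)
        self.log.append(f"OUTIN-SAIRAM {'permit' if ok else 'deny'} {pkt.proto}")
        return ok


def run_session(proto: str, dport: int, recirculate: bool):
    """Router-originated session plus its reply; returns (sent, reply_allowed, log)."""
    r = Router(recirculate)
    sport = 11001 if dport else 0   # made-up ephemeral port
    # The source address is picked from the RIB egress interface before local
    # policy runs, so it stays the Eth0/1 address even when sent via Loopback0.
    out = Packet(proto, ETH01_IP, sport, REMOTE_IP, dport)
    back = Packet(proto, REMOTE_IP, dport, ETH01_IP, sport)
    sent = r.send_locally_generated(out)
    reply_ok = r.receive_on_eth01(back) if sent else False
    return sent, reply_ok, r.log


if __name__ == "__main__":
    for label, args in [("telnet, with set interface", ("tcp", 23, True)),
                        ("telnet, without set interface", ("tcp", 23, False)),
                        ("ping, with set interface", ("icmp", 0, True))]:
        sent, ok, log = run_session(*args)
        print(f"{label}: reply {'permitted' if ok else 'dropped'}  <- {log}")
```

The third case is the one worth noting: because LOCALTRAFFIC-SAIRAM selects only Telnet, a router-originated ping is never recirculated, so no reflexive entry is created and the echo reply is dropped by OUTIN-SAIRAM, exactly the situation the route-map was added to work around for Telnet.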
07-28-2009 08:30 PM
Hi,
Thanks for your comment. As you understood, it is working when I include the "set interface loop 0" command in the configuration and stops working if I remove it.
In fact I tried this config after seeing the article at the link below. Please refer to
http://blog.ine.com//tag/policy-routing/
Here also they have not added the "reflect SAIRAM" keyword in the ACL. I believe the LOCALTRAFFIC-SAIRAM ACL is there only to identify the outgoing telnet traffic.
Please give your feedback
Sairam