router bypasses ACL for locally sourced traffic
Once you go and try this local policy routing trick from the link you sent:
R1(config)#int loopback 0
R1(config-if)#ip ad 1.1.1.1 255.255.255.255
R1(config-if)#exit
R1(config)#route-map LOCAL_POLICY
R1(config-route-map)#set interface loopback 0
R1(config-route-map)#exit
R1(config)#ip local policy route-map LOCAL_POLICY
R1(config)#END
R1#telnet 12.0.0.2
Trying 12.0.0.2 ... Open

Doesn't that affect everything else too unless you use an ACL in the local policy? For instance, wouldn't your BGP peering relationships all end up sourced from the loopback automatically?
What does that do to IGP protocols that do not allow multihop like OSPF?
-Brian L
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian McGahan
Sent: Friday, June 30, 2006 6:35 PM
To: blodwick; CCIEin2006; Koen Zeilstra
Cc: ccielab@groupstudy.com
Subject: RE: router bypasses ACL for locally sourced traffic
You can force it to be reflected by policy routing it and making it appear as transit traffic to the router:
http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
Either that or you need to statically permit inbound all traffic destined to the local router that is necessary (routing protocols, icmp echo-reply, traceroute replies, etc.)
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> blodwick
> Sent: Friday, June 30, 2006 2:38 PM
> To: 'CCIEin2006'; 'Koen Zeilstra'
> Cc: ccielab@groupstudy.com
> Subject: RE: router bypasses ACL for locally sourced traffic
>
> One additional tidbit I'd like to add to this string that I found
> interesting is on a reflexive acl local traffic is not reflected for
> evaluation, but you can explicitly specify to only permit established
> TCP sessions inbound by using the established keyword at the end of your
> acl statement to provide similar security measures.
>
> Brian L
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> CCIEin2006
> Sent: Friday, June 30, 2006 1:21 PM
> To: Koen Zeilstra
> Cc: ccielab@groupstudy.com
> Subject: Re: router bypasses ACL for locally sourced traffic
>
> Good question. I was also wondering that if the filtering decision is
> made after the routing decision then what difference does it make if the
> packet is locally generated?
>
> On 6/30/06, Koen Zeilstra wrote:
> >
> > This is clear. But why is this behaviour?
> >
> > Is it because there is no routing decision made since there is no
> > incoming interface?
> >
> > -----------------------
> > Try to get all of your posthumous medals in advance.
> >
> > On Fri, 30 Jun 2006, Scott Morris wrote:
> >
> > | It has to do with the order of operations....
> > |
> > | Check out:
> > |
> > | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> > |
> > |
> > | Applying Access Lists to Interfaces
> > |
> > | For some protocols, you can apply up to two access lists to an interface:
> > | one inbound access list and one outbound access list. With other protocols,
> > | you apply only one access list which checks both inbound and outbound
> > | packets.
> > |
> > | If the access list is inbound, when the router receives a packet, the Cisco
> > | IOS software checks the access list's criteria statements for a match. If
> > | the packet is permitted, the software continues to process the packet. If
> > | the packet is denied, the software discards the packet.
> > |
> > | If the access list is outbound, after receiving and routing a packet to the
> > | outbound interface, the software checks the access list's criteria
> > | statements for a match. If the packet is permitted, the software transmits
> > | the packet. If the packet is denied, the software discards the packet.
> > |
> > | Note Access lists that are applied to interfaces do not filter traffic that
> > | originates from that router.
> > |
> > |
> > | HTH,
> > |
> > |
> > | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > | #153, CISSP, et al.
> > | CCSI/JNCI
> > | IPExpert CCIE Program Manager
> > | IPExpert Sr. Technical Instructor
> > | smorris@ipexpert.com
> > | http://www.ipexpert.com
> > |
> > |
> > |
> > | -----Original Message-----
> > | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Koen
> > | Zeilstra
> > | Sent: Friday, June 30, 2006 8:40 AM
> > | To: ccielab@groupstudy.com
> > | Subject: router bypasses ACL for locally sourced traffic
> > |
> > | Hi Group,
> > |
> > | Maybe this has been posted before, however I could not find any reference.
> > | Perhaps other wording is used to describe this.
> > |
> > | What is the explanation for a router bypassing ACLs applied in the
> > | outgoing direction for locally sourced traffic?
> > |
> > | For example:
> > |
> > |
> > | (R1)e0/0------------e0/0(R2)
> > |
> > |
> > | R1
> > |
> > | int e0/0
> > | ip access-group ACL out
> > | !
> > |
> > | ip access-list ext ACL
> > | deny tcp any any eq telnet
> > | permit ip any any
> > | !
> > |
> > | Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> > | packets destined for port 23.
> > |
> > | thanks,
> > |
> > | Koen
> > |
> > | -----------------------
> > | You will feel hungry again in another hour.
> > |
> > |
>
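Putting the pieces of this thread together as one R1 configuration. This is an added example for the page, not configuration posted by any of the participants or taken from Cisco's documentation: the topology and the ACL named ACL are Koen's original setup, the Loopback0 and LOCAL_POLICY commands are the ones Brian McGahan pointed to, and the match ACL in the route-map is the restriction Brian L asks about. The ACL names LOCAL_TELNET and INBOUND, R1's address 12.0.0.1/24 on Ethernet0/0, and R2 at 12.0.0.2 acting as R1's BGP and OSPF neighbour are assumptions made here, not facts from the thread.

```cisco
! Added example, not from the thread. Assumed addressing:
! R1 Ethernet0/0 = 12.0.0.1/24, R2 Ethernet0/0 = 12.0.0.2 (the address Brian L telnets to).

! --- 1. Koen's original setup: the outbound ACL never sees R1's own telnet ---
ip access-list extended ACL
 deny   tcp any any eq telnet
 permit ip any any
!
interface Ethernet0/0
 ip address 12.0.0.1 255.255.255.0
 ip access-group ACL out
!
! From R1, "telnet 12.0.0.2" still opens: an interface ACL does not filter traffic
! that originates from the router itself (the Cisco note Scott Morris quoted).

! --- 2. Brian McGahan's workaround, restricted as Brian L suggests ---
! Local policy routing re-injects matching locally generated packets through
! Loopback0 so they are handled like transit traffic and hit the outbound ACL.
! The "match ip address" clause limits this to telnet; anything that does not
! match (BGP, OSPF hellos, pings, ...) is routed normally and keeps its usual
! source interface, so peerings are not pulled onto the loopback.
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
ip access-list extended LOCAL_TELNET        ! assumed name
 permit tcp any any eq telnet
!
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TELNET
 set interface Loopback0
!
ip local policy route-map LOCAL_POLICY

! --- 3. The alternative Brian McGahan mentions: filter inbound instead ---
! Since locally sourced sessions are not reflected by a reflexive ACL
! (blodwick's note), "established" admits only packets with ACK/RST set, i.e.
! the return half of sessions R1 opened. Everything the router itself must
! receive is then listed explicitly. 12.0.0.2 as the BGP peer is assumed.
ip access-list extended INBOUND             ! assumed name
 permit tcp any any established             ! replies to R1-initiated TCP (incl. BGP R1 opened)
 permit tcp host 12.0.0.2 any eq bgp        ! BGP sessions the peer initiates
 permit ospf any any                        ! OSPF is not multihop; hellos arrive on e0/0
 permit icmp any any echo-reply             ! replies to R1's pings
 permit icmp any any time-exceeded          ! traceroute replies
 permit icmp any any port-unreachable       ! traceroute final hop
 deny   ip any any log
!
interface Ethernet0/0
 ip access-group INBOUND in
!
! Verification (real IOS commands): "show route-map LOCAL_POLICY" reports how
! many packets were policy routed; "show access-lists" shows per-entry hit
! counts, so a telnet from R1 should now increment the deny line of ACL.
```

Sections 2 and 3 are alternatives, not a single recommended design; section 2 makes the existing outbound deny effective for the one protocol you steer through the loopback, while section 3 accepts that outbound ACLs will not catch the router's own traffic and instead whitelists what may come back in. In both cases a telnet from R1 to 12.0.0.2 is the test: with section 2 applied the session should no longer open and the deny counter on ACL should rise.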