RE: router bypasses ACL for locally sourced traffic

From: blodwick (blodwick@columbus.rr.com)
Date: Fri Jun 30 2006 - 20:05:43 ART


Once you go and try this local policy routing trick from the link you
sent:

R1(config)#int loopback 0
R1(config-if)#ip ad 1.1.1.1 255.255.255.255
R1(config-if)#exit
R1(config)#route-map LOCAL_POLICY
R1(config-route-map)#set interface loopback 0
R1(config-route-map)#exit
R1(config)#ip local policy route-map LOCAL_POLICY
R1(config)#END
R1#telnet 12.0.0.2
Trying 12.0.0.2 ... Open

doesn't that affect everything else too unless you use an ACL in the
local policy? For instance, wouldn't your BGP peering relationships all
end up sourced from the loopback automatically?

What does that do to IGP protocols that do not allow multihop like OSPF?

-Brian L

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Friday, June 30, 2006 6:35 PM
To: blodwick; CCIEin2006; Koen Zeilstra
Cc: ccielab@groupstudy.com
Subject: RE: router bypasses ACL for locally sourced traffic

You can force it to be reflected by policy routing it and making it
appear as transit traffic to the router:

http://www.groupstudy.com/archives/ccielab/200311/msg01170.html

Either that or you need to statically permit inbound all traffic
destined to the local router that is necessary (routing protocols, icmp
echo-reply, traceroute replies, etc.)

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> blodwick
> Sent: Friday, June 30, 2006 2:38 PM
> To: 'CCIEin2006'; 'Koen Zeilstra'
> Cc: ccielab@groupstudy.com
> Subject: RE: router bypasses ACL for locally sourced traffic
>
> One additional tidbit I'd like to add to this string that I found
> interesting is on a reflexive acl local traffic is not reflected for
> evaluation, but you can explicitly specify to only permit established
> TCP sessions inbound by using the established keyword at the end of your
> acl statement to provide similar security measures.
>
> Brian L
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> CCIEin2006
> Sent: Friday, June 30, 2006 1:21 PM
> To: Koen Zeilstra
> Cc: ccielab@groupstudy.com
> Subject: Re: router bypasses ACL for locally sourced traffic
>
> Good question. I was also wondering that if the filtering decision is
> made after the routing decision then what difference does it make if the
> packet is locally generated?
>
> On 6/30/06, Koen Zeilstra <koen@koenzeilstra.com> wrote:
> >
> > This is clear. But why is this behaviour?
> >
> > Is it because there is no routing decision made since there is no
> > incoming interface?
> >
> > -----------------------
> > Try to get all of your posthumous medals in advance.
> >
> > On Fri, 30 Jun 2006, Scott Morris wrote:
> >
> > | It has to do with the order of operations....
> > |
> > | Check out:
> > |
> > | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> > |
> > | <snip>
> > | Applying Access Lists to Interfaces
> > |
> > | For some protocols, you can apply up to two access lists to an interface:
> > | one inbound access list and one outbound access list. With other protocols,
> > | you apply only one access list which checks both inbound and outbound
> > | packets.
> > |
> > | If the access list is inbound, when the router receives a packet, the Cisco
> > | IOS software checks the access list's criteria statements for a match. If
> > | the packet is permitted, the software continues to process the packet. If
> > | the packet is denied, the software discards the packet.
> > |
> > | If the access list is outbound, after receiving and routing a packet to the
> > | outbound interface, the software checks the access list's criteria
> > | statements for a match. If the packet is permitted, the software transmits
> > | the packet. If the packet is denied, the software discards the packet.
> > |
> > | Note Access lists that are applied to interfaces do not filter traffic that
> > | originates from that router.
> > | </snip>
> > |
> > | HTH,
> > |
> > |
> > | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > | JNCIE #153, CISSP, et al.
> > | CCSI/JNCI
> > | IPExpert CCIE Program Manager
> > | IPExpert Sr. Technical Instructor
> > | smorris@ipexpert.com
> > | http://www.ipexpert.com
> > |
> > |
> > |
> > | -----Original Message-----
> > | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > | Koen Zeilstra
> > | Sent: Friday, June 30, 2006 8:40 AM
> > | To: ccielab@groupstudy.com
> > | Subject: router bypasses ACL for locally sourced traffic
> > |
> > | Hi Group,
> > |
> > | Maybe this has been posted before, however I could not find any reference.
> > | Perhaps other wording is used to describe this.
> > |
> > | What is the explanation for a router bypassing ACLs applied in the
> > | outgoing direction for locally sourced traffic?
> > |
> > | For example:
> > |
> > |
> > | (R1)e0/0------------e0/0(R2)
> > |
> > |
> > | R1
> > |
> > | int e0/0
> > | ip access-group ACL out
> > | !
> > |
> > | ip access-list ext ACL
> > | deny tcp any any eq telnet
> > | permit ip any any
> > | !
> > |
> > | Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> > | packets destined for port 23.
> > |
> > | thanks,
> > |
> > | Koen
> > |
> > | -----------------------
> > | You will feel hungry again in another hour.
> > |
> > |
>
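The two points Brian L raises in this thread, that the local policy should be restricted with an ACL so it does not touch BGP or OSPF, and that the `established` keyword can stand in for reflexive ACLs that never reflect locally sourced traffic, can be put together into one R1 configuration. The following is an added example for this archive page; it is not configuration posted by any participant, nor taken from the Cisco document Scott Morris quotes. It assumes Koen's topology (R1 e0/0 facing R2, the outbound ACL named `ACL` from the original post, Loopback0 with 1.1.1.1/32 as in the local-policy test), and the names `LOCAL_TELNET`, `INBOUND` and the route-map sequence number 10 are arbitrary choices.

```cisco
! Added example for R1, not from the thread. Names other than ACL,
! LOCAL_POLICY and Loopback0 are assumed.
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! 1. Scope the local-policy trick with a match ACL. A route-map entry is
!    only applied to packets that match its clause; locally generated
!    packets that match no permit entry are forwarded by normal routing.
!    So BGP (TCP/179) and OSPF sourced by R1 are never policy routed and
!    keep their normal egress; only R1's own telnet is pushed through
!    Loopback0 and re-enters the forwarding path as if it were transit.
ip access-list extended LOCAL_TELNET
 permit tcp any any eq telnet
!
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TELNET
 set interface Loopback0
!
ip local policy route-map LOCAL_POLICY
!
! The outbound ACL from Koen's original post. With the local policy above
! in place, R1's own telnet to 12.0.0.2 is now evaluated against it and
! dropped, instead of bypassing it as a locally originated packet.
ip access-list extended ACL
 deny   tcp any any eq telnet
 permit ip any any
!
! 2. Alternative without policy routing: filter inbound instead, as Brian
!    McGahan suggests. 'established' matches only TCP segments that carry
!    ACK or RST, so replies to sessions R1 opened are permitted while an
!    unsolicited inbound SYN is not. Reflexive ACLs would not help here,
!    because locally sourced traffic is not reflected. Everything else R1
!    must receive is then listed explicitly: OSPF, BGP sessions opened by
!    the peer, ping replies, and the ICMP messages traceroute depends on.
ip access-list extended INBOUND
 permit tcp any any established
 permit ospf any any
 permit tcp any any eq bgp
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 deny   ip any any log
!
interface Ethernet0/0
 ip access-group ACL out
 ip access-group INBOUND in
```

After applying part 1, `telnet 12.0.0.2` from R1 should fail where it previously opened, and `show route-map LOCAL_POLICY` should show a match count that rises only with R1's own telnet attempts, not with routing-protocol traffic. The `deny ip any any log` entry at the end of `INBOUND` is there so that anything the explicit list forgot shows up in the log rather than failing silently.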



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART