RE: router bypasses ACL for locally sourced traffic

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Jun 30 2006 - 20:23:29 ART


        It depends on the IOS version. In older versions IGP routing
protocol traffic was local policy routable. In newer versions it is
not. Look at the "debug ip policy" output and it will tell you what is
and is not getting policy routed.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: blodwick [mailto:blodwick@columbus.rr.com]
> Sent: Friday, June 30, 2006 6:06 PM
> To: Brian McGahan; 'CCIEin2006'; 'Koen Zeilstra'
> Cc: ccielab@groupstudy.com
> Subject: RE: router bypasses ACL for locally sourced traffic
>
> Once you go and try this local policy routing trick from the link you
> sent:
>
> R1(config)#int loopback 0
> R1(config-if)#ip ad 1.1.1.1 255.255.255.255
> R1(config-if)#exit
> R1(config)#route-map LOCAL_POLICY
> R1(config-route-map)#set interface loopback 0
> R1(config-route-map)#exit
> R1(config)#ip local policy route-map LOCAL_POLICY
> R1(config)#END
> R1#telnet 12.0.0.2
> Trying 12.0.0.2 ... Open
>
> doesn't that affect everything else too unless you use an ACL in the
> local policy? For instance wouldn't your BGP peering relationships all
> end up sourced from the loopback automatically.
>
> What does that do to IGP protocols that do not allow multihop like OSPF?
>
> -Brian L
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian McGahan
> Sent: Friday, June 30, 2006 6:35 PM
> To: blodwick; CCIEin2006; Koen Zeilstra
> Cc: ccielab@groupstudy.com
> Subject: RE: router bypasses ACL for locally sourced traffic
>
> You can force it to be reflected by policy routing it and making it
> appear as transit traffic to the router:
>
> http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
>
> Either that or you need to statically permit inbound all traffic
> destined to the local router that is necessary (routing protocols, icmp
> echo-reply, traceroute replies, etc.)
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of blodwick
> > Sent: Friday, June 30, 2006 2:38 PM
> > To: 'CCIEin2006'; 'Koen Zeilstra'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: router bypasses ACL for locally sourced traffic
> >
> > One additional tidbit I'd like to add to this string that I found
> > interesting is on a reflexive acl local traffic is not reflected for
> > evaluation, but you can explicitly specify to only permit established
> > TCP sessions inbound by using the established keyword at the end of your
> > acl statement to provide similar security measures.
> >
> > Brian L
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of CCIEin2006
> > Sent: Friday, June 30, 2006 1:21 PM
> > To: Koen Zeilstra
> > Cc: ccielab@groupstudy.com
> > Subject: Re: router bypasses ACL for locally sourced traffic
> >
> > Good question. I was also wondering that if the filtering decision is
> > made after the routing decision then what difference does it make if the
> > packet is locally generated?
> >
> > On 6/30/06, Koen Zeilstra <koen@koenzeilstra.com> wrote:
> > >
> > > This is clear. But why is this behaviour?
> > >
> > > Is it because there is no routing decision made since there is no
> > > incoming interface?
> > >
> > > -----------------------
> > > Try to get all of your posthumous medals in advance.
> > >
> > > On Fri, 30 Jun 2006, Scott Morris wrote:
> > >
> > > | It has to do with the order of operations....
> > > |
> > > | Check out:
> > > |
> > > | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> > > |
> > > | <snip>
> > > | Applying Access Lists to Interfaces
> > > |
> > > | For some protocols, you can apply up to two access lists to an interface:
> > > | one inbound access list and one outbound access list. With other protocols,
> > > | you apply only one access list which checks both inbound and outbound
> > > | packets.
> > > |
> > > | If the access list is inbound, when the router receives a packet, the Cisco
> > > | IOS software checks the access list's criteria statements for a match. If
> > > | the packet is permitted, the software continues to process the packet. If
> > > | the packet is denied, the software discards the packet.
> > > |
> > > | If the access list is outbound, after receiving and routing a packet to the
> > > | outbound interface, the software checks the access list's criteria
> > > | statements for a match. If the packet is permitted, the software transmits
> > > | the packet. If the packet is denied, the software discards the packet.
> > > |
> > > | Note Access lists that are applied to interfaces do not filter traffic that
> > > | originates from that router.
> > > | </snip>
> > > |
> > > | HTH,
> > > |
> > > |
> > > | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > > | #153, CISSP, et al.
> > > | CCSI/JNCI
> > > | IPExpert CCIE Program Manager
> > > | IPExpert Sr. Technical Instructor
> > > | smorris@ipexpert.com
> > > | http://www.ipexpert.com
> > > |
> > > |
> > > |
> > > | -----Original Message-----
> > > | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Koen
> > > | Zeilstra
> > > | Sent: Friday, June 30, 2006 8:40 AM
> > > | To: ccielab@groupstudy.com
> > > | Subject: router bypasses ACL for locally sourced traffic
> > > |
> > > | Hi Group,
> > > |
> > > | Maybe this has been posted before, however I could not find any reference.
> > > | Perhaps other wording is used to describe this.
> > > |
> > > | What is the explanation for a router bypassing ACLs applied in the
> > > | outgoing direction for locally sourced traffic?
> > > |
> > > | For example:
> > > |
> > > |
> > > | (R1)e0/0------------e0/0(R2)
> > > |
> > > |
> > > | R1
> > > |
> > > | int e0/0
> > > | ip access-group ACL out
> > > | !
> > > |
> > > | ip access-list ext ACL
> > > | deny tcp any any eq telnet
> > > | permit ip any any
> > > | !
> > > |
> > > | Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> > > | packets destined for port 23.
> > > |
> > > | thanks,
> > > |
> > > | Koen
> > > |
> > > | -----------------------
> > > | You will feel hungry again in another hour.
> > > |
> > > |
> >
>
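
The local policy routing trick discussed in this thread, narrowed with a match clause so that only R1's own telnet traffic is sent through the loopback and re-evaluated by the outbound ACL, as an added example that is not part of any post above (the addresses follow the lab in the thread; the names LOCAL_TELNET, LOCAL_POLICY and the reuse of ACL are assumptions):

```cisco
! Added example, not from the thread: make R1's own telnet sessions
! subject to the outbound ACL on e0/0 by local policy routing only that
! traffic. Names LOCAL_TELNET and LOCAL_POLICY are assumed.
!
! Loopback that the policy-routed packets are "received" on, so the
! router then handles them as transit traffic.
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Match only what should be re-evaluated: TCP to port 23 generated by R1.
! Without a match clause the route-map sequence matches every locally
! generated packet, so BGP, ping replies and the like would be policy
! routed to the loopback as well.
ip access-list extended LOCAL_TELNET
 permit tcp any any eq telnet
!
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TELNET
 set interface Loopback0
!
! Applies only to traffic the router itself originates
ip local policy route-map LOCAL_POLICY
!
! Outbound ACL from the original question, unchanged. The policy-routed
! telnet packet now reaches it as transit traffic and is denied.
ip access-list extended ACL
 deny tcp any any eq telnet
 permit ip any any
!
interface Ethernet0/0
 ip access-group ACL out
!
! Verification on a lab router: "debug ip policy" reports which local
! packets matched the route-map, and "show route-map LOCAL_POLICY"
! shows the match counters.
```

With the match clause in place, R1's telnet to 12.0.0.2 is dropped by ACL while other locally sourced traffic keeps its normal routing.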



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART