Tuesday, October 7, 2008

ACLs and locally generated traffic

Access lists configured on a router's interfaces do NOT apply to traffic the router itself generates. This default behaviour does not always meet requirements, but there are ways around it.

With policy-based routing, the 'ip local policy route-map {name}' command ensures that locally generated traffic is evaluated against the named route-map.

With an outbound ACL, traffic generated locally will not have the ACL's rules applied. Again there are workarounds to this problem. One clever method I came across is to combine the aforementioned local policy routing command with a loopback interface.
Effectively, the locally generated traffic is policy-routed out of the loopback interface. This is enough to 'trick' the router into treating the traffic as if it had arrived from outside, so it applies the outgoing ACL logic to the traffic.

I provide an example here. I apply an outbound ACL on R1 to prevent telnet traffic to R2.

ip access-list extended 100
deny tcp any any eq telnet
permit ip any any

int fa0/0
ip access-group 100 out

At first, telnet traffic originating from R1 is allowed: the outbound access list is ignored. I implement PBR so that locally generated traffic first passes through the loopback interface.

int lo0
ip address 1.1.1.1 255.255.255.255

route-map RICH
set interface lo0

ip local policy route-map RICH

Now telnet traffic destined for R2 is blocked as required!
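As written, route-map RICH has no match clause, so every packet R1 itself sources is policy-routed through lo0, not just telnet. The following is an added example (not from the original post) that scopes the policy to the traffic that needs it and shows how to confirm the result on R1. ACL number 101 is an assumed value; the show commands are standard IOS and rely on the R1 configuration above.

```cisco
! Added example, not part of the original post.
! ACL 101 (assumed number) selects only the traffic that should be forced
! through the loopback, so other locally sourced traffic is forwarded normally.
ip access-list extended 101
 permit tcp any any eq telnet

! Same route-map name as the post; Loopback0 is the long form of lo0.
route-map RICH permit 10
 match ip address 101
 set interface Loopback0

ip local policy route-map RICH

! Verification after a telnet attempt from R1 to R2:
!  - the deny line of ACL 100 should show a growing match counter
!  - the route-map should report policy routing matches
show ip access-lists 100
show route-map RICH
show ip local policy
```

If the deny counter on ACL 100 stays at zero while the route-map reports matches, the traffic is being policy-routed but is leaving via an interface other than fa0/0, so check the egress interface of the route to R2.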
