Local policy routing
The following topology illustrates a simple OSPF network. Traffic from R1 to R5 is load-balanced across the two equal-cost paths provided by R3 and R4. However, an excessive security policy has been erroneously applied at R3, blocking Telnet traffic through the router.
As a result, Telnet traffic toward R5 is being dropped if sent via R3 but permitted if sent via R4, appearing to users as intermittent connectivity issues. (A note for anyone labbing this out: this example ignores real-world CEF load-sharing behavior, where all traffic to a single destination is sent across only one path by default, by disabling CEF on R2.) As a temporary fix until the administrator of R3 can be contacted, policy routing has been employed on R2 to force all Telnet traffic across R4:
interface FastEthernet1/0 ip policy route-map Send_Telnet_Via_R4 ! ip access-list extended Match_Telnet permit tcp any any eq telnet ! route-map Send_Telnet_Via_R4 permit 10 match ip address Match_Telnet set ip next-hop 10.0.24.4
This works great for Telnet traffic originating from R1, but what about traffic coming from R2 itself? Normal policy routing like that configured above applies only to transit traffic; Telnet traffic originating from R2 is still being load-balanced via the two equal-cost OSPF routes. Fortunately, we can extend our configuration to implement local policy routing with a single command:
R2(config)# ip local policy route-map Send_Telnet_Via_R4
This command applies our policy route-map to the router's control plane in the same manner ip policy route-map applies it to traffic entering an interface. Now all Telnet traffic originating from R2 itself is forwarded via R4. Note that in a real-world deployment, you would want to employ more granular access lists in the policy route-map so as not to force all Telnet traffic toward R4 (we still want Telnet traffic for R1 to go toward R1, for example).
About the Author
Jeremy Stretch is a freelance networking engineer, instructor, and the maintainer of PacketLife.net. He currently lives in Fairfax, Virginia, on the edge of the Washington, DC metro area. Although primarily an R&S guy, he likes to get into everything, and runs a free network training lab out of his basement for fun. You can contact him by email or follow him on Twitter.
Comments
very often forgotten, nice
If we want to take loopback as outgoing interface for telnet session, in that case will this work?
regards shivlu jain
@shivlu, if you mean as the source interface, then the /source-interface parameter should work.
I don't know if there is a way to leave that as a default, though.
I always forget about the local policy and then complain when it doesn't work. Thanks for this one, Stretch.
@alvarezp "ip telnet source-interface loopback 0" in global config will accomplish that.
Fach,
Yes you are right.
The command will accomplish policy base routing even traffic originating from Loopack Int.
Regards,
Not sure why telnet traffic originated from R2 would not Match the ACL.
Can someone enlight me ?
Thanks
@MCL.Nicolas: It would, but locally-originated traffic is never examined by the ACL since it never enters that (or any) interface; it is generated by the router itself.
very informative and usefull.
hi..i have same setup in my lab.R1 - R2 - R3 - R4 are connected like ur setup.
i want to block telnet traffic from R4, via R2 to R1.Pls guide me how to configure.
and also i want to allow internet traffic from R4 via R2 to R1.
Nice.