Local Policy Routing

Task 

● Configure R3 with an IPv4 static route for R5's Loopback0 through the DMVPN cloud and for R1's Loopback0 through VLAN 13. 

● Configure R5 with IPv4 static routes for R1's and R3's Loopback0 through the DMVPN cloud. 

● Create two access-lists named TO_R3 and TO_R5 on R1. 

● Access-list TO_R3 should match all packets sourced from R1's Loopback0 going to the Loopback0 network of R3. 

● Access-list TO_R5 should match all packets sourced from R1's Loopback0 going to the Loopback0 network of R5. 

Configure local policy-routing on R1 as follows: 

● Locally generated traffic matched by the list TO_R3 is routed out the DMVPN cloud to R5. 

● Locally generated traffic matched by the list TO_R5 is routed out the Ethernet link to R3. 

● Use traceroute on R1 for R3's and R5’s Loopback0 networks to verify that this configuration is functional. 

Explanation  

Local policy routing is similar in operation to normal policy routing, except that it affects locally generated traffic from the router instead of traffic transiting the router, like received inbound on an interface.

In the output below, we can see that R1 does not have a route to either of the destinations 10.1.3.3 or 10.1.5.5, but traffic is successfully routed because of the locally configured policy: 

R1

show ip route 10.1.3.3 📋

% Subnet not in table 

traceroute 10.1.3.3  📋

show ip route 10.1.5.5 📋

% Subnet not in table 

traceroute 10.1.5.5 📋

Verify policy-routing configuration and that traffic has matched the ACL: 

show ip policy 📋

show route-map 📋

Pitfall 

Note that when the remote devices receive traffic from R1, it is sourced from the Loopback0 interface of R1. Normally the router uses the IP address of the outgoing interface in the routing table as the source IP address in its own packets.

However, because the routing table is not consulted for the lookup, you may see inconsistencies in the source address of the local traffic. This behavior could have a negative impact on protocols such as BGP, which need to agree on the source and destination IP addresses for a peering. 

R1

debug ip icmp 📋

ICMP packet debugging is on 

ping 10.1.3.3 📋

traceroute 10.1.3.3 📋

Configuration  

ip access-list extended TO_R3
 permit ip host 10.1.1.1 host 10.1.3.3
!
ip access-list extended TO_R5
 permit ip host 10.1.1.1 host 10.1.5.5
!
route-map LOCAL_POLICY permit 10
 match ip address TO_R3
 set ip next-hop 172.16.0.5
!
route-map LOCAL_POLICY permit 20
 match ip address TO_R5
 set ip next-hop 172.16.13.3
!
ip local policy route-map LOCAL_POLICY
📋

R3: 

ip route 10.1.1.1 255.255.255.255 172.16.13.1 
ip route 10.1.5.5 255.255.255.255 172.16.0.5    📋

R5:

ip route 10.1.1.1 255.255.255.255 172.16.0.1 
ip route 10.1.3.3 255.255.255.255 172.16.0.3  📋