[c-nsp] does PBR apply to traffic from connected interfaces to router itself?

Vincent C Jones v.jones at networkingunlimited.com
Mon Oct 5 22:48:24 EDT 2009


On Mon, 2009-10-05 at 22:49 +0300, Tassos Chatzithomaoglou wrote:
> I'm doing some tests and I have a case where a VPDN user is able to send SNMP requests to 
> the router's loopback where he's connected, although I have a route-map under his 
> vtemplate sending all SNMP to Null0. I have verified that SNMP cannot go outside of the router 
> (so the route-map is indeed working), but I had the impression that he shouldn't be able to 
> SNMP anybody, including the router itself.
> 
> There is a trick, because the vtemplate is using the Loopback's IP, but I don't know if that's the 
> reason SNMP is allowed to "bypass" the route-map.
> 
> ip access-list extended SNMP-ACL
>   permit udp any any eq snmp
> 
> route-map TEST-ROUTEMAP permit 10
>   match ip address SNMP-ACL
>   set interface Null0
> 
> interface Virtual-Template1
>   ip unnumbered Loopback0
>   ip policy route-map TEST-ROUTEMAP
> 
> 
> Router is a 7200 running 12.2(31)SB14.
> I'm going to repeat the test using ICMP, but it seems quite strange so far.
> 
> PS1 : Local PBR is used for router-generated traffic (router=src), so it shouldn't have 
> any effect in my case.
> 
> PS2 : I know there are other ways to stop SNMP traffic from reaching the router or to 
> block SNMP traffic leaving an interface, but that's not my issue right now.

Cisco loopback interfaces are not like normal interfaces. Apply the
policy globally using the "ip local policy route-map TEST-ROUTEMAP"
command. Royal pain because if you have multiple loopbacks and want a
different policy on each, you need to define all choices in a single
monster policy.

Vince
-- 
Vincent C Jones
Networking Unlimited, Inc
14 Dogwood Lane, Tenafly NJ
Voice: 201 568-7810
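An added configuration example (not part of either poster's message) of what the reply above suggests: the per-interface policy from the question replaced by one global "ip local policy" route-map that carries a separate choice per loopback. The loopback addresses, the second loopback, the management subnet and the route-map and ACL names are all made up for illustration; only "ip local policy route-map" and "set interface Null0" come from the thread.

```ios
! Added example, not from the original post. Assumed addresses:
!   Loopback0 10.0.0.1/32  borrowed by Virtual-Template1
!   Loopback1 10.0.0.2/32  borrowed by Virtual-Template2 (hypothetical)
!   192.0.2.0/24           hypothetical management subnet
!
! Per-loopback match lists. In a route-map, an ACL "deny" simply means
! "this sequence does not match", so the packet falls through to the next one.
ip access-list extended SNMP-TO-LO0
  permit udp any host 10.0.0.1 eq snmp
!
ip access-list extended SNMP-TO-LO1
  deny   udp 192.0.2.0 0.0.0.255 host 10.0.0.2 eq snmp
  permit udp any host 10.0.0.2 eq snmp
!
! One "monster" policy: each loopback gets its own sequence number.
route-map LOCAL-POLICY permit 10
  match ip address SNMP-TO-LO0
  set interface Null0
!
route-map LOCAL-POLICY permit 20
  match ip address SNMP-TO-LO1
  set interface Null0
!
! Packets matching neither sequence are forwarded normally; no final
! "deny" sequence is needed for that.
!
! Applied once, globally, instead of "ip policy route-map" under each
! virtual-template.
ip local policy route-map LOCAL-POLICY
!
! Verification: the match counters tell you whether the policy is ever
! consulted for the SNMP packets in question.
!   show ip policy
!   show route-map LOCAL-POLICY
!   debug ip policy        (lab use only; it logs every policy decision)
```

Whether this actually catches packets addressed to the router itself is exactly what the question's PS1 disputes, so run a test SNMP request from the VPDN user and watch the "Policy routing matches" counter in "show route-map LOCAL-POLICY" before relying on it; if the counter stays at zero, an inbound access-list on the virtual-template (the approach the question sets aside in PS2) is the reliable control.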



