ACL redirect-port

  • Question
  • Updated 4 years ago
Hello, colleagues!

I have a LAG, for example ports 10-14:
    enable sharing 10 grouping 10-14 algorithm address-based L3
I have an ACL:
    entry ACL {
        if {
        } then {
            redirect-port 10;
        }
    }
    configure access-list ACL ports 1-4 ingress

As I understand it, traffic has to go not only to port 10 but exit from ports 10-14 according to the address-based L3 algorithm.
Am I right?
Are there any conditions for this ACL (the same VLAN on the ingress and redirect ports, something else)?

The main problem: I can see that traffic is coming in on the ingress ports (1-4) - the counters are growing.
But I can't see traffic on the egress ports (10-14).

Any ideas or advice?

Thank you!
Alexandr P, Embassador

Posted 4 years ago

PARTHIBAN CHINNAYA, Alum

Yes, this should work. What is the EXOS version?

There is also another feature:

This feature allows you to apply an ACL that causes matching packets to egress a specific port in a link aggregation (or load-sharing) group.
Note: This feature applies only to BlackDiamond 8000 series modules and Summit family switches.
The following ACL action is added in support of this feature:
    redirect-port-no-sharing <port>
The ACL overrides any load-sharing algorithm hash that is generated based on the lookup results.
Limitations include the following:
• If the selected port in a load-sharing group is down, the packets will be dropped.
• Like the redirect-port action, the specified port must be a member of the egress VLAN.
Following is an example of a configuration and ACL policy that directs traffic matching 10.66.4.10 to LAG port 3:
    enable sharing 2 grouping 2,3
    radiomgmt.pol:
    entry one {
        if {
            destination-address 10.66.4.10/32;
        } then {
            redirect-port-no-sharing 3;
        }
    }
    configure access-list radiomgmt any
This example would direct inband management traffic to specific radios connected to specific ports within a load-sharing group.

Note: Use of the ACL redirect-port-no-sharing port action overrides any load-sharing algorithm hash that is generated based on the lookup results. For more information on this action, see LAG Port Selection on page 753.
(Quoted from the ExtremeXOS 15.6 User Guide, ACLs, page 753.)
Alexandr P, Embassador

I don't need redirect-port-no-sharing (I don't need to redirect traffic to one of the LAG ports; the traffic has to be redirected to all LAG ports).
The main task is balancing traffic in the LAG (on an L3 condition).

The concepts guide says that redirect-port has to point not to the LAG itself, but to one of the LAG ports.

I have traffic that comes in on ports 1-4 (it can be a LAG or 4 different ports), and this traffic has to go to the LAG ports (10-14), also balanced on L3 conditions.

I see that traffic is coming in on ports 1-4, but I don't see redirected traffic on ports 10-14.
PARTHIBAN CHINNAYA, Alum

Is the traffic ingressing on a specific VLAN?
And is the egress LAG on the same VLAN?
PARTHIBAN CHINNAYA, Alum

The below information is from the concepts guide:
• Using the "redirect-port" action overrides Layer 2 echo kill; the result is that a packet can be made to egress the ingress port at Layer 2.
It seems to me to be Layer 2 traffic.
Alexandr P, Embassador

This traffic can be in a specific VLAN or not.
This traffic is mirrored from another device to the X670, and I have to transmit this traffic onwards to 4 different monitoring devices.

That's why I built a static LAG (not LACP) with 4 ports. This traffic has to go to the monitoring devices, but one device has to receive the traffic with the same src-IP/dst-IP. This can be done by L3 balancing.

That's why I can configure VLANs on the X670 as I want: the same VLAN or different VLANs.

The scheme is like this:
PARTHIBAN CHINNAYA, Alum

Remove the static LAG and try the below ACL.

    entry ACL {
        if {
        } then {
            redirect-port-list 10,11,12,13,14;
        }
    }
Alexandr P, Embassador

OK.

And how will the traffic be balanced on the src-ip/dst-ip condition?
PARTHIBAN CHINNAYA, Alum

    entry ACL {
        if {
            source-address <ip>;
            destination-address <>;
        } then {
            redirect-port-list 10,11,12,13,14;
        }
    }
We can have multiple entries to achieve the end result.
Alexandr P, Embassador

Also, as far as I know, redirect-port-list duplicates (propagates) the traffic to each port of the port list.
Alexandr P, Embassador

Also, I have no specific (concrete) src-ip/dst-ip. I have only an L3 condition by which the traffic has to be distributed to different ports (10-14).

:-)
PARTHIBAN CHINNAYA, Alum

See if multiple entries like this match your requirement:

    entry one {
        if {
            source-address 1.1.1.1/32;
            destination-address <>;
        } then {
            redirect-port 10;
        }
    }

    entry two {
        if {
            source-address 1.1.1.2/32;
            destination-address <>;
        } then {
            redirect-port 11;
        }
    }
Alexandr P, Embassador

I have no specific (concrete) src-ip/dst-ip.
Alexandr P, Embassador

That's why I need a LAG with the L3 algorithm: this algorithm will direct similar traffic to a certain monitoring device.
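Added example, not code from the thread or from Extreme Networks: a small Python model of the two redirect behaviours the thread compares. The real address-based L3 hash used by the X670 is not given anywhere on the page, so `hashlib.blake2b` over the packed source and destination addresses stands in for it; the names `l3_member_port`, `redirect_port_list`, `distribute` and the sample flows are all constructed here. What the model shows is the property Alexandr relies on in his last posts: one src/dst pair always lands on the same member port out of 10-14, so a single monitoring device sees that whole conversation, whereas redirect-port-list, as he describes it, copies the packet to every listed port rather than distributing it. The `symmetric` option, which folds both directions of a conversation onto one port, is an assumption about what one might want for monitoring, not something the thread settles about the switch.

```python
"""Model of per-flow LAG hashing versus redirect-port-list replication.

Constructed example: the switch's actual hash is not on the page, so a
deterministic blake2b digest stands in for it.  Only the property matters:
the same (src, dst) pair always selects the same member port.
"""
import hashlib
import ipaddress
from collections import Counter

LAG_MEMBERS = [10, 11, 12, 13, 14]   # the static sharing group from the question
INGRESS_PORTS = [1, 2, 3, 4]         # ports the ACL is applied to (ingress), informational


def l3_member_port(src_ip: str, dst_ip: str, members=LAG_MEMBERS, symmetric=False) -> int:
    """Pick one LAG member for a flow the way an address-based L3 hash would.

    symmetric=True sorts the pair so A->B and B->A map to the same port;
    whether the switch behaves that way is an assumption, not a page fact.
    """
    a = ipaddress.ip_address(src_ip)
    b = ipaddress.ip_address(dst_ip)
    if symmetric and int(b) < int(a):
        a, b = b, a
    # Stand-in for the ASIC hash: a short digest of both packed addresses.
    digest = hashlib.blake2b(a.packed + b.packed, digest_size=4).digest()
    return members[int.from_bytes(digest, "big") % len(members)]


def redirect_port_list(members=LAG_MEMBERS):
    """redirect-port-list as described in the thread: every listed port gets
    a copy of the packet (replication), so no balancing happens at all."""
    return list(members)


def distribute(flows, symmetric=False):
    """Map (src, dst) flows to member ports and return per-port flow counts."""
    return Counter(l3_member_port(s, d, symmetric=symmetric) for s, d in flows)


# Constructed sample flows standing in for mirrored traffic arriving on ports 1-4.
SAMPLE_FLOWS = [
    (f"10.0.{i}.{j}", f"192.0.2.{(i * 7 + j) % 256}")
    for i in range(4)
    for j in range(50)
]

if __name__ == "__main__":
    counts = distribute(SAMPLE_FLOWS)
    for port in LAG_MEMBERS:
        print(f"port {port}: {counts.get(port, 0)} flows")
    print("redirect-port-list would copy each packet to:", redirect_port_list())
```

Running the module prints how the 200 constructed flows spread over ports 10-14. The thing to look at is not the exact split, which depends on the stand-in hash, but that `l3_member_port` returns the same port for the same pair every time, which is what lets one monitoring device see a complete conversation, and that `redirect_port_list` returns all five ports, which is why a port list would give every monitoring device every packet instead of one fifth of the flows.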