Convert EOS to EXOS policy-based Routing

Currently I am converting an existing configuration from a legacy N7 device to a current X670 switch.

Converting the EOS route-based policy to an EXOS route-based policy, I need some help.

Existing EOS route-map:
 ip access-list extended redirectACL
deny ip host 10.1.13.70 192.168.0.0 0.0.255.255
deny ip host 10.1.13.70 10.0.0.0 0.0.0.255
deny ip host 10.1.13.70 172.16.0.0 0.31.255.255
permit ip host 10.1.13.70 any
deny ip host 10.1.13.199 host 2.2.2.2
deny ip host 10.1.13.199 host 3.3.3.3
permit ip host 10.1.13.199 any
exit
!
route-map policy Internet-FW permit 10
match ip address redirectACL
set next-hop 10.1.1.1
exit
I use the deny statements for internal networks, which are routed based on the routing table. The permit statements have to be redirected to the firewall.

How can I achieve this with EXOS ACL and redirect actions?

Regards

M.Nees, Embassador

Posted 3 years ago

Kawawa, GTAC

Hi Matthias,

You can create a policy file containing the deny and redirect rules. For example, to redirect traffic from the subnet 10.1.0.0/16 to 10.1.1.1, the policy would look like:
entry <rule-name> { if { source-address <ip/mask>; } then { redirect <ip> ; } }
entry redirect-rule-1 { if { source-address 10.1.0.0/16 ; } then { redirect 10.1.1.1 ; } }
Apply this policy to the ingress traffic of a VLAN.

You can also add additional rules for the sources you wish to deny access:
entry deny-rule-1 { if { source-address 192.168.0.1/32 ; } then { deny ; count Deny-1 ; } }
The count condition on the deny rule is optional, but for troubleshooting purposes can be very helpful in understanding whether the rule is affecting any traffic.

You can add multiple sources to a rule and use the Match Any condition on the rule:
entry <rule-name> { if match any { source-address <ip-1/mask> ; source-address <ip-2/mask> ; } then { deny ; } }
I hope this helps.
M.Nees, Embassador

Hi, is it possible to negate some of the ACL match-conditions?
Meaning: if NOT source-address is y.y.y.y and destination-address is x.x.x.x, then action ....
Kawawa, GTAC

I don't think that is possible. I will ask my colleagues or try a sample ACL and see what it gives.
Henrique, Employee

Hi Kawawa,

Currently there is no option to negate an ACL match-condition.

The match-type available is "match all", which means that if ALL match-conditions are true, then the actions take place.
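Since match-conditions cannot be negated, the EOS "deny = route normally, permit = redirect" logic has to be expressed as ordered first-match entries in EXOS. The script below is an added example (not code from the thread or from Extreme): it converts the ACL from the question into an ordered EXOS policy file, mapping EOS deny lines to a plain EXOS permit (an EXOS deny action would drop the packet rather than route it) and EOS permit lines to a redirect; the entry names rule-N and the counter names are made up.

```python
import ipaddress

# Constructed sample input: the EOS ACL from the question.
EOS_ACL = """\
deny ip host 10.1.13.70 192.168.0.0 0.0.255.255
deny ip host 10.1.13.70 10.0.0.0 0.0.0.255
deny ip host 10.1.13.70 172.16.0.0 0.31.255.255
permit ip host 10.1.13.70 any
deny ip host 10.1.13.199 host 2.2.2.2
deny ip host 10.1.13.199 host 3.3.3.3
permit ip host 10.1.13.199 any
"""

def parse_addr(tokens):
    """Consume one EOS address spec ('host X', 'any' or 'NET WILDCARD').
    Returns (cidr or None for 'any', remaining tokens)."""
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    if tokens[0] == "any":
        return None, tokens[1:]
    net, wild = tokens[0], tokens[1]
    # A contiguous wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    # strict=False keeps what the ACL really matches: 172.16.0.0 0.31.255.255
    # covers 172.0.0.0/11, not 172.16.0.0/12.
    return str(ipaddress.IPv4Network(f"{net}/{mask}", strict=False)), tokens[2:]

def eos_acl_to_exos(acl_text, next_hop):
    """Emit one EXOS policy entry per ACL line, in the original order.
    EXOS evaluates entries first-match, so the 'route normally' exceptions
    come before the catch-all redirect, exactly as in the EOS ACL."""
    entries = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        action, proto, *rest = line.split()
        if proto != "ip" or action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line {n}: {line}")
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        conds = [f"source-address {src};"] if src else []
        if dst:
            conds.append(f"destination-address {dst};")
        # EOS deny = not policy-routed = EXOS permit (an EXOS deny would DROP it).
        if action == "deny":
            then = f"permit; count normal-{n};"
        else:
            then = f"redirect {next_hop}; count redirect-{n};"
        entries.append(f"entry rule-{n} {{ if match all {{ {' '.join(conds)} }} "
                       f"then {{ {then} }} }}")
    return "\n".join(entries)
```

Calling eos_acl_to_exos(EOS_ACL, "10.1.1.1") prints seven entries; the counters let you confirm with the ACL counter output that the exception entries, not only the redirect, are actually being hit.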