Convert EOS to EXOS policy-based Routing

M_Nees
Contributor III
Currently I am converting an existing configuration from a legacy N7 device to a current X670 switch.

Converting the EOS route-based policy to an EXOS route-based policy, I need some help.

Existing EOS route-map:
ip access-list extended redirectACL
deny ip host 10.1.13.70 192.168.0.0 0.0.255.255
deny ip host 10.1.13.70 10.0.0.0 0.0.0.255
deny ip host 10.1.13.70 172.16.0.0 0.31.255.255
permit ip host 10.1.13.70 any
deny ip host 10.1.13.199 host 2.2.2.2
deny ip host 10.1.13.199 host 3.3.3.3
permit ip host 10.1.13.199 any
exit
!
route-map policy Internet-FW permit 10
match ip address redirectACL
set next-hop 10.1.1.1
exit
I use the deny statements for internal networks, which are routed based on the routing table. The permit statements have to be redirected to the firewall.

How can I achieve this with EXOS ACLs and redirect actions?

Regards

Henrique
Extreme Employee
Hi Kawawa,

Currently there is no option to negate an ACL match-condition.

The match-type available is "match all", which means that if ALL match-conditions are true, the actions take place.

Kawawa
Extreme Employee
I don't think that is possible; I will ask my colleagues or try a sample ACL and see what it gives.

M_Nees
Contributor III
Hi, is it possible to negate some of the ACL match-conditions?
That means: if NOT source-address is y.y.y.y and destination-address is x.x.x.x, then action ....

Kawawa
Extreme Employee
Hi Matthias,

You can create a policy file containing the deny and redirect rules. For example, to redirect traffic from the subnet 10.1.0.0/16 to 10.1.1.1, the policy would look like:
entry <rule-name> { if { source-address <subnet> ; } then { redirect <next-hop> ; } }
entry redirect-rule-1 { if { source-address 10.1.0.0/16 ; } then { redirect 10.1.1.1 ; } }
Apply this policy to the ingress traffic of a VLAN.

You can also add additional rules for the sources you wish to deny access:
entry deny-rule-1 { if { source-address 192.168.0.1/32 ; } then { deny ; count Deny-1 ; } }
The count action on the deny rule is optional, but for troubleshooting purposes it can be very helpful in understanding whether the rule is affecting any traffic.

You can add multiple sources to a rule and use the "match any" condition on the rule:
entry <rule-name> { if match any { source-address <subnet-a> ; source-address <subnet-b> ; } then { deny ; } }
I hope this helps.
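The route-map from the question converted into an EXOS policy, as an added example that is not from the thread or from Extreme. It relies on first-match evaluation of the policy: each EOS deny line (traffic that should stay on the routing table) becomes an EXOS permit entry without a redirect, because an EXOS deny action would drop that traffic, and each EOS permit line becomes a redirect entry. The helper and counter names are assumptions.

```python
# Added example, not code from the thread or from Extreme: translate the
# EOS extended ACL in the question into ordered EXOS policy entries for PBR.
# EOS "deny" lines (stay on the routing table) become EXOS "permit" entries,
# since an EXOS "deny" action drops the packet; EOS "permit" lines become
# "redirect <next-hop>" entries. Helper and counter names are my own.
import ipaddress

# Constructed input: the ACL from the question and the route-map next hop.
EOS_ACL = """
deny ip host 10.1.13.70 192.168.0.0 0.0.255.255
deny ip host 10.1.13.70 10.0.0.0 0.0.0.255
deny ip host 10.1.13.70 172.16.0.0 0.31.255.255
permit ip host 10.1.13.70 any
deny ip host 10.1.13.199 host 2.2.2.2
deny ip host 10.1.13.199 host 3.3.3.3
permit ip host 10.1.13.199 any
"""
NEXT_HOP = "10.1.1.1"

def parse_addr(tokens):
    """Consume one EOS address spec (any | host A | A WILDCARD); return
    (CIDR string, or None for 'any', remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    # ipaddress accepts a wildcard (hostmask) in place of a netmask and
    # raises ValueError if the wildcard bits are not contiguous.
    return str(ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False)), tokens[2:]

def eos_acl_to_exos_policy(acl_text, next_hop):
    """Return EXOS policy text; entries keep the ACL's first-match order."""
    entries = []
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        action, proto, *rest = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACL line: {line}")
        conds = "".join(f" {k} {v} ;" for k, v in
                        (("source-address", src), ("destination-address", dst)) if v)
        if action == "deny":  # normal routing: permit without a redirect
            then = "permit ;"
        else:                 # policy-route to the firewall, and count hits
            then = f"redirect {next_hop} ; count redirected-{n} ;"
        entries.append(f"entry rule-{n} {{ if {{{conds} }} then {{ {then} }} }}")
    return "\n".join(entries)
```

Check the generated prefixes against the intent before applying the policy: the ACL's 172.16.0.0 0.31.255.255 converts to 172.0.0.0/11, which is wider than 172.16.0.0/12.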
