Help required for L3 - Policy Based Redirect. Summit x460-24t, ExOS 12.5

Create Date: Sep 12 2012 8:53AM

Hi all,

I am facing a very simple redirection problem while using my Policy based redirect on the Switch.

I have a dynamic policy defined for redirection as below on my Switch. And I apply it as ANY on the switch.

###########################################################################################################################
(vr VR-SIG) CH-SW1.11 # show configuration acl
#
# Module acl configuration.
#
create access-list sctp_int_1_flow " source-address 10.91.0.48/28 ;" " redirect 10.91.0.234 ;" application "Cli"

configure access-list add sctp_int_1_flow last priority 0 zone SYSTEM any ingress


(vr VR-SIG) CH-SW1.15 # show access-list any detail
#Dynamic Entries ((*)- Rule is non-permanent )
# RuleNo Application Zone Sub-Zone
# 9 Cli SYSTEM 0
entry sctp_int_1_flow { if match all {
source-address 10.91.0.48/28 ;
} then {
redirect 10.91.0.234 ;
} }

#########################################################################################

But My redirection is not working. 

(vr VR-SIG) CH-SW1.13 # ping 10.91.0.100 from 10.91.0.62 with record-route
Ping(ICMP) 10.91.0.100: 4 packets, 8 data bytes, interval 1 second(s).
16 bytes from 10.91.0.100: icmp_seq=1 ttl=255 time=7.668 ms
RR: 10.91.0.62
10.91.0.101
10.91.0.62


I would expect the ICMP packet coming with source address 10.91.0.62 to hit the policy and be redirected to 10.91.0.234. Instead, the record-route shows that the traffic is sent to 10.91.0.101, where I do not want my traffic to flow.


It looks to me that for some reason my policy is not active. 

Any help will be appreciated.

Thank you,

./emuzkhn 

(from Muhammad_Khan)
Create Date: Sep 12 2012 12:19PM

Hi emuzkhn,

maybe you can try something like in:
Concept Guide ->Policy-Based Redirection Redundancy -> Packet Forward/Drop
(http://www.extremenetworks.com/servic...)

--
Jarek

(from Jaroslaw_Kasjaniuk)
Create Date: Sep 12 2012 1:27PM

Hi Jarek,

We are not looking into next-hop redundancy. I want a simple redirection of one plain traffic flow. I would be looking forward to a solution with plain L3 policy-based redirect.

Any help in this regard will be highly appreciated.

Thank you,

./emuzkhn

(from Muhammad_Khan)
Create Date: Sep 12 2012 1:32PM

Also one more thing to add: my policy is not even getting a hit.

(from Muhammad_Khan)
Create Date: Sep 12 2012 1:57PM

Hello emuzkhn,

Is this not working for ICMP traffic only, or are you noticing that all IP traffic is not being redirected? Do you have any static policies configured?

I would add a count statement to the ACL and also try it with a protocol statement for ICMP traffic in addition to the IP subnet that you have, and see if that gets any hits using the count option as well.

Let me know what you find out.

P

(from Paul_Russo)
Create Date: Sep 12 2012 2:27PM

Hi Prusso,

I am testing it with ICMP, but I want all traffic to be redirected.

And none of my traffic is getting redirected. I have tried the count as well, but the counter is not incrementing, implying that the policy never gets hit.

Br,
./emuzkhn

(from Muhammad_Khan)
Create Date: Sep 12 2012 2:28PM

Hi Prusso,

I am testing it with ICMP, but I want all traffic to be redirected for the subnet.

And none of my traffic is getting redirected for this subnet. I have tried the count as well, but the counter is not incrementing, implying that the policy never gets hit.

Br,
./emuzkhn

(from Muhammad_Khan)
Create Date: Sep 13 2012 11:12AM

Hi,

OK, that was an example of how you can do this.

An example:
We want to redirect all traffic from 10.91.0.48/28 to address 10.91.0.234.

create flow-redirect redir1
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 100
configure flow-redirect redir1 nexthop 10.91.0.234 ping health-check interval 60 miss 3

Create an ACL:
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}

configure access-list redir1 vlan "vlan_name" ingress

That will redirect traffic in this vlan only from subnet 10.91.0.48/28 to 10.91.0.234.


--
Jarek

(from Jaroslaw_Kasjaniuk)
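As an added illustration of the match semantics in the two ACL forms shown in this thread (not code from the thread or from Extreme Networks), the following Python parses an ExOS-style policy entry (`entry NAME { if match all { ... } then { ... } }`, as in Jarek's example and in the `show access-list any detail` output above) and evaluates constructed packets against it. It models only the entry's match and action logic in software; it does not reproduce how the switch's hardware applies the ACL. The sample policy text, packet dictionaries and function names are constructed here for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the policy-file form from the flow-redirect example.
POLICY_TEXT = """
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}
"""

# Constructed sample: the dynamic entry as printed by `show access-list any detail`.
DYNAMIC_TEXT = """
entry sctp_int_1_flow { if match all {
source-address 10.91.0.48/28 ;
} then {
redirect 10.91.0.234 ;
} }
"""


@dataclass
class Entry:
    name: str
    match_mode: str   # "all" or "any"
    conditions: list  # [(keyword, value), ...]
    actions: list     # [(keyword, value-or-None), ...]


ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s+match\s+(?P<mode>all|any)\s*\{"
    r"(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}",
    re.S,
)


def _split_statements(block):
    """Split 'keyword value ;' statements into (keyword, value) pairs."""
    stmts = []
    for raw in block.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(None, 1)
        stmts.append((parts[0], parts[1].strip() if len(parts) > 1 else None))
    return stmts


def parse_policy(text):
    """Return the Entry objects found in an ExOS-style policy text."""
    return [
        Entry(m.group("name"), m.group("mode"),
              _split_statements(m.group("cond")),
              _split_statements(m.group("act")))
        for m in ENTRY_RE.finditer(text)
    ]


def _condition_matches(keyword, value, packet):
    # Only the match keywords used in this thread are modelled.
    if keyword == "source-address":
        return ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(value, strict=False)
    if keyword == "destination-address":
        return ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(value, strict=False)
    if keyword == "protocol":
        return packet.get("proto") == value
    raise ValueError(f"unsupported condition keyword: {keyword}")


def evaluate(entries, packet):
    """Return (entry name, actions) of the first matching entry, or None."""
    for e in entries:
        results = [_condition_matches(k, v, packet) for k, v in e.conditions]
        hit = all(results) if e.match_mode == "all" else any(results)
        if hit:
            return e.name, e.actions
    return None


def redirect_target(entries, packet):
    """Return the redirect name or next-hop of the matching entry, or None."""
    hit = evaluate(entries, packet)
    if hit is None:
        return None
    for keyword, value in hit[1]:
        if keyword in ("redirect", "redirect-name"):
            return value
    return None


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for src in ("10.91.0.54", "10.91.0.62", "10.91.0.100"):
        print(src, "->", redirect_target(policy, {"src": src, "dst": "10.91.0.100"}))
```

Running it shows that both 10.91.0.54 (the host behind the untagged port) and 10.91.0.62 (the switch's own VLAN address) fall inside 10.91.0.48/28 and would match the entry, while 10.91.0.100 does not; so the match clause itself is not what stops the redirect in this thread.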
Create Date: Sep 13 2012 1:34PM


Hi Jarek,

I tried the suggested but it did not work :-(

(vr VR-SIG) CH-SW1.69 # show vlan "SCTP_INT_1"
VLAN Interface with name SCTP_INT_1 created by user
        Admin State:    Enabled         Tagging:        802.1Q Tag 844
        Virtual router: VR-SIG
        IPv4 Forwarding: Enabled
        Primary IP    : 10.91.0.62/28



(vr VR-SIG) CH-SW1.65 # show configuration acl
#
# Module acl configuration.
#
create flow-redirect redir1
configure flow-redirect redir1 vr VR-SIG
configure flow-redirect redir1 health-check ping
configure flow-redirect redir1 no-active forward
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 200
configure flow-redirect redir1 nexthop 10.91.0.234 ping health-check interval 60 miss 3
configure access-list redir1 vlan "SCTP_INT_1" ingress


(vr VR-SIG) CH-SW1.67 # edit policy redir1
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}


Now I am trying to generate traffic from another machine connected directly to the switch on an untagged port from an IP address of subnet 10.91.0.48/28 and VLAN SCTP_INT_1

[emuzkhn@radius1 ~]$ traceroute -s 10.91.0.54 10.91.0.100
traceroute to 10.91.0.100 (10.91.0.100) from 10.91.0.54, 64 hops max, 40 byte packets
 1  10.91.0.62 (10.91.0.62)  1.1 ms  0.653 ms  0.599 ms
 2  10.91.0.101 (10.91.0.101)  0.622 ms *  0.621 ms
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$ ping 10.91.0.100
PING 10.91.0.100 (10.91.0.100): 56 data bytes
64 bytes from 10.91.0.100: icmp_seq=0 ttl=254 time=0.599 ms
64 bytes from 10.91.0.100: icmp_seq=1 ttl=254 time=0.462 ms
64 bytes from 10.91.0.100: icmp_seq=2 ttl=254 time=0.885 ms
64 bytes from 10.91.0.100: icmp_seq=3 ttl=254 time=0.489 ms
--- 10.91.0.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.462/0.608/0.885/0.170 ms
[emuzkhn@radius1 ~]$



The switch does not redirect the traffic and instead uses the standard routing table on the switch to route the traffic.

Any more suggestions :-)

Best regards,

./rameez

(from Muhammad_Khan)
