Header Only - DO NOT REMOVE - Extreme Networks

Help writing a flow redirect acl


What I am attempting to do is to push any outbound port 80 traffic (https too but not in this example) to the internet with a flow redirect command but skip if the traffic is local. So here's what I have so far: the ** are comments for the sake of this post. Does this make sense?

ACL

entry Allhttp_local {
    if match all {
        protocol tcp;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
        source-port 80;
    } then {
        # ** in essence skip
        deny;
    }
}

# ** so if not the above do this.

entry Allhttp_internet {
    if match all {
        protocol tcp;
        source-address 10.234.0.0/16;
        source-port 80;
    } then {
        redirect-name ToBluecoat;
        count WebHTTP;
    }
}

Hi Dave,

The rules which you have mentioned need to be modified a bit.

Instead of "deny", using the "permit" action modifier will apply the normal forwarding logic.

All the rules below must be in the same policy file.

Here is a sample.
# Local HTTP (source and destination both inside 10.234.0.0/16): permit so the
# switch forwards it normally. The policy is evaluated top-down and the first
# matching entry wins, so the two permit entries must sit above the redirects.
entry HTTP_PACKETS_TO_10.234.0.0 {
    if match all {
        protocol tcp;
        destination-port 80;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
    } then {
        permit;
    }
}

# same subnet but matching https traffic
entry HTTPS_PACKETS_TO_10.234.0.0 {
    if match all {
        protocol tcp;
        destination-port 443;
        source-address 10.234.0.0/16;
        destination-address 10.234.0.0/16;
    } then {
        permit;
    }
}

# HTTP from the subnet to anything else (no destination-address condition):
# hand it to the flow-redirect named ToBluecoat and count it as WebHTTP.
entry HTTP_to_other_than_10.234.0.0 {
    if match all {
        protocol tcp;
        destination-port 80;
        source-address 10.234.0.0/16;
    } then {
        redirect-name ToBluecoat;
        count WebHTTP;
    }
}

# same for HTTPS, with its own counter
entry HTTPS_to_other_than_10.234.0.0 {
    if match all {
        protocol tcp;
        destination-port 443;
        source-address 10.234.0.0/16;
    } then {
        redirect-name ToBluecoat;
        count WebHTTPS;
    }
}

Here is an article on how to configure flow redirect.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-flow-redirect

I hope this helps!
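The four entries above rely on the switch evaluating the policy top-down and stopping at the first match, so the local-subnet permits must sit ahead of the redirect entries. The following is an added example, not code from this thread or from Extreme Networks: a small Python parser for the entry / if match all / then grammar used above, with a first-match evaluator run over constructed sample packets (the packet names, hosts and the 203.0.113.0/24 "internet" addresses are made up for the example). It also evaluates the same entries in reversed order to show that local HTTP would then be sent to the proxy.

```python
"""Added example, not code from the thread or from Extreme Networks: parse the
ExtremeXOS-style policy grammar used above and evaluate it first-match against
constructed sample packets, to check entry ordering before a policy is pushed."""
import ipaddress
import re

# The four entries from the reply, in the order they belong in the .pol file
# (local-subnet permits first), copied into a string so they can be parsed here.
POLICY = """
entry HTTP_PACKETS_TO_10.234.0.0 {
  if match all { protocol tcp; destination-port 80;
    source-address 10.234.0.0/16; destination-address 10.234.0.0/16;
  } then { permit; }
}
entry HTTPS_PACKETS_TO_10.234.0.0 {
  if match all { protocol tcp; destination-port 443;
    source-address 10.234.0.0/16; destination-address 10.234.0.0/16;
  } then { permit; }
}
entry HTTP_to_other_than_10.234.0.0 {
  if match all { protocol tcp; destination-port 80; source-address 10.234.0.0/16;
  } then { redirect-name ToBluecoat; count WebHTTP; }
}
entry HTTPS_to_other_than_10.234.0.0 {
  if match all { protocol tcp; destination-port 443; source-address 10.234.0.0/16;
  } then { redirect-name ToBluecoat; count WebHTTPS; }
}
"""

# One entry: entry NAME { if match all { conditions } then { actions } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s+match\s+all\s*\{(?P<match>[^}]*)\}"
    r"\s*then\s*\{(?P<then>[^}]*)\}\s*\}"
)

def _clauses(block):
    """Split 'keyword value;' statements into (keyword, value) pairs."""
    pairs = []
    for stmt in block.split(";"):
        words = stmt.split(None, 1)
        if words:
            pairs.append((words[0].lower(), words[1].strip() if len(words) > 1 else ""))
    return pairs

def parse_policy(text):
    """Return the entries in file order; the order is significant on the switch."""
    entries = [{"name": m["name"], "match": _clauses(m["match"]), "then": _clauses(m["then"])}
               for m in ENTRY_RE.finditer(text)]
    if not entries:
        raise ValueError("no policy entries found")
    return entries

def _matches(key, value, pkt):
    """Evaluate one condition against a packet (only the conditions used above)."""
    if key == "protocol":
        return pkt["protocol"] == value.lower()
    if key in ("source-address", "destination-address"):
        addr = pkt["src"] if key == "source-address" else pkt["dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    if key in ("source-port", "destination-port"):
        return (pkt["sport"] if key == "source-port" else pkt["dport"]) == int(value)
    raise ValueError(f"unsupported match condition: {key}")

def evaluate(entries, pkt):
    """First match wins; a packet matching no entry is forwarded normally."""
    for entry in entries:
        if all(_matches(k, v, pkt) for k, v in entry["match"]):
            return entry["name"], dict(entry["then"])
    return None, {"permit": ""}

def packet(src, dst, dport, protocol="tcp", sport=50000):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "protocol": protocol}

# Constructed sample traffic; 203.0.113.0/24 is a documentation range standing in for the internet.
SAMPLES = {
    "local_http": packet("10.234.5.10", "10.234.200.20", 80),
    "internet_http": packet("10.234.5.10", "203.0.113.10", 80),
    "internet_https": packet("10.234.5.10", "203.0.113.10", 443),
    "internet_ssh": packet("10.234.5.10", "203.0.113.10", 22),
    "other_subnet_http": packet("10.99.1.1", "203.0.113.10", 80),
}

def decisions(policy_text=POLICY):
    """Action each sample packet gets under the given policy text."""
    entries = parse_policy(policy_text)
    return {name: evaluate(entries, pkt)[1] for name, pkt in SAMPLES.items()}

def reversed_policy(policy_text=POLICY):
    """The same entries with the order flipped: redirects ahead of the permits."""
    return "\n".join(m.group(0) for m in reversed(list(ENTRY_RE.finditer(policy_text))))

if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:18} -> {action}")
    print("reversed order, local_http ->", decisions(reversed_policy())["local_http"])
```

Run as a script it prints the decision for each sample packet: local HTTP is permitted, HTTP and HTTPS to the documentation range are redirected to ToBluecoat, SSH and traffic from outside the /16 fall through to the implicit permit, and with the entries reversed local HTTP is wrongly redirected. On the switch the corresponding checks are `check policy <name>` for syntax before applying the file with `configure access-list <name> vlan <vlan> ingress`, and `show access-list counter` to watch the WebHTTP and WebHTTPS counters move.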

Perfect!! Thank you. I'll test it later this week.
