
Redirect traffic with acl

  • 16 April 2019

I have a core switch X460 with some VLANs, one of them is 10.10.22.0/24. I created an ACL and applied it on the VLAN (10.10.22.0/24) to redirect traffic to another gateway. Why does the packet ignore the whole route table? When I apply the ACL the traffic is sent to the redirect gateway and the VLAN (10.10.22.0/24) doesn't communicate with the other VLANs directly connected on the switch.


Hi Piracanjuba,

Is it possible to see the switch config and ACL content?

Kind regards,
Tomasz
Hi Tomasz,
Thanks for your help !
The ACL is:
entry redirect {
    if match all {
        source-address 10.10.22.0/24;
    } then {
        permit;
        redirect-name GYN_redirect;
    }
}
And I created the flow-redirect and applied the ACL on the VLAN:

create flow-redirect GYN_redirect
configure flow-redirect GYN_redirect add nexthop 172.16.31.1 priority 100
configure access-list ACL_gyn_teste vlan 113 ingress

Following is part of the config:
create vlan "Administrativo"
configure vlan Administrativo tag 24
create vlan "Automacao"
configure vlan Automacao tag 14
create vlan "CFTV"
configure vlan CFTV tag 10
create vlan "Controle_de_Acesso"
configure vlan Controle_de_Acesso tag 12
create vlan "DEPART"
configure vlan DEPART tag 88
create vlan "Engenharia"
configure vlan Engenharia tag 18
create vlan "fort_lan"
configure vlan fort_lan tag 131
create vlan "Gerencia_de_Switches"
configure vlan Gerencia_de_Switches tag 16
create vlan "Impressoras"
configure vlan Impressoras tag 17
create vlan "Marketing"
configure vlan Marketing tag 19
create vlan "Mikrotik"
configure vlan Mikrotik description "MIKROTIK"
configure vlan Mikrotik tag 124
create vlan "SAC"
configure vlan SAC tag 20
create vlan "TI"
configure vlan TI tag 113
configure vlan TI ipaddress 10.10.22.1 255.255.255.0
enable ipforwarding vlan TI
configure vlan Automacao ipaddress 10.10.14.1 255.255.254.0
enable ipforwarding vlan Automacao
configure vlan CFTV ipaddress 10.10.10.1 255.255.254.0
enable ipforwarding vlan CFTV
configure vlan Controle_de_Acesso ipaddress 10.10.12.1 255.255.254.0
enable ipforwarding vlan Controle_de_Acesso
configure vlan Engenharia ipaddress 10.10.18.1 255.255.255.0
enable ipforwarding vlan Engenharia
configure vlan Gerencia_de_Switches ipaddress 10.10.16.1 255.255.255.0
enable ipforwarding vlan Gerencia_de_Switches
configure vlan Impressoras ipaddress 10.10.17.1 255.255.255.0
enable ipforwarding vlan Impressoras
configure vlan SAC ipaddress 10.10.20.1 255.255.255.0
enable ipforwarding vlan SAC
configure vlan Administrativo ipaddress 10.10.24.1 255.255.254.0
enable ipforwarding vlan Administrativo
configure vlan VoIP ipaddress 10.10.8.1 255.255.254.0
enable ipforwarding vlan VoIP
configure vlan Marketing ipaddress 10.10.19.1 255.255.255.0
enable ipforwarding vlan Marketing
configure vlan DMZ ipaddress 172.31.0.2 255.255.255.248
enable ipforwarding vlan DMZ
configure vlan DEPART ipaddress 10.10.88.1 255.255.255.0
enable ipforwarding vlan DEPART
configure vlan Mikrotik ipaddress 172.31.10.2 255.255.255.0
enable ipforwarding vlan Mikrotik
configure vlan fort_lan ipaddress 172.16.31.2 255.255.255.0
enable ipforwarding vlan fort_lan
#
configure iproute add 10.40.26.0 255.255.255.0 172.31.10.1
configure iproute add 10.40.30.0 255.255.255.0 172.31.10.1
configure iproute add default 172.31.0.1

#
# Module acl configuration.
#

create flow-redirect GYN_redirect
configure flow-redirect GYN_redirect add nexthop 172.16.31.1 priority 100
configure access-list ACL_GYN_redirect vlan "TI" ingress
#
# Module hal configuration.
#
configure iproute sharing max-gateways 4

Thanks again !
So the ACL you've created applies the PBR behaviour to all TI-originated traffic; that's its purpose: to redirect regardless of what's in the routing table.
Are there some additional criteria you could use so that only a specific type of traffic (e.g. a TCP port) would get redirected? Then all the remaining traffic would be routed based on the routing table.

I don't have any elegant solution in mind at the moment. You could try to implement routes for TI to the other 'local' VLANs at this 172.16.31.1 gateway, but that will lead you to an asymmetric traffic pattern (from TI to other local VLANs through another gateway, from local VLANs back to TI directly)...

If you want to have local routing performed by the X460, is there any point in having that redirection? Is the asymmetric traffic flow acceptable?

Kind regards,
Tomasz
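One way to apply the "additional criteria" idea from the reply above, written here as an added example and not part of the thread or of the poster's configuration: because an EXOS ACL is evaluated top-down and stops at the first matching entry, exempt entries for the directly connected subnets from the config above must come before the catch-all redirect. The local prefixes are taken from the VLAN addresses in the posted config; the policy name ACL_GYN_redirect is reused from it, and whether the static 10.40.x routes should also stay on the switch is an assumption left to the operator.

```text
entry TI_to_local_10_10 {
    if match all {
        source-address 10.10.22.0/24;
        destination-address 10.10.0.0/16;
    } then {
        permit;
    }
}
entry TI_to_DMZ {
    if match all {
        source-address 10.10.22.0/24;
        destination-address 172.31.0.0/29;
    } then {
        permit;
    }
}
entry TI_to_Mikrotik {
    if match all {
        source-address 10.10.22.0/24;
        destination-address 172.31.10.0/24;
    } then {
        permit;
    }
}
entry TI_to_fort_lan {
    if match all {
        source-address 10.10.22.0/24;
        destination-address 172.16.31.0/24;
    } then {
        permit;
    }
}
entry TI_redirect_rest {
    if match all {
        source-address 10.10.22.0/24;
    } then {
        permit;
        redirect-name GYN_redirect;
    }
}
```

Traffic hitting the first four entries is permitted without a redirect action and so falls through to the normal routing table, while everything else from 10.10.22.0/24 is still steered to 172.16.31.1; note that the exempted flows never pass the redirect gateway, so any filtering it performs does not apply to them.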
Tomasz,
I solved the problem by putting the gateway on the same VLAN as the network 10.10.22.0/24 and creating routes on the new gateway directing back to the Extreme switch.
For now this helps me.

Thanks for helping me!
