Redirect traffic with acl

  • 16 April 2019
  • 4 replies

I have a core switch X460 with some VLANs, one of them is . I created an ACL and applied it on VLAN ( to redirect traffic to another gateway. Why do the packets ignore the whole route table? When I applied the ACL, the traffic is sent to the redirect gateway and VLAN ( doesn't communicate with the other VLANs directly connected on the switch.


Hi Piracanjuba,

Is it possible to see the switch config and ACL content?

Kind regards,
Hi Tomasz,
Thanks for your help!
The ACL is:
entry redirect {
    if match all {
    } then {
        redirect-name GYN_redirect;
    }
}
And I created the flow-redirect and applied the ACL on the VLAN:

create flow-redirect GYN_redirect
configure flow-redirect GYN_redirect add nexthop priority 100
configure access-list ACL_gyn_teste vlan 113 ingress

Here is part of the config:
create vlan "Administrativo"
configure vlan Administrativo tag 24
create vlan "Automacao"
configure vlan Automacao tag 14
create vlan "CFTV"
configure vlan CFTV tag 10
create vlan "Controle_de_Acesso"
configure vlan Controle_de_Acesso tag 12
create vlan "DEPART"
configure vlan DEPART tag 88
create vlan "Engenharia"
configure vlan Engenharia tag 18
create vlan "fort_lan"
configure vlan fort_lan tag 131
create vlan "Gerencia_de_Switches"
configure vlan Gerencia_de_Switches tag 16
create vlan "Impressoras"
configure vlan Impressoras tag 17
create vlan "Marketing"
configure vlan Marketing tag 19
create vlan "Mikrotik"
configure vlan Mikrotik description "MIKROTIK"
configure vlan Mikrotik tag 124
create vlan "SAC"
configure vlan SAC tag 20
create vlan "TI"
configure vlan TI tag 113

configure vlan TI ipaddress
enable ipforwarding vlan TI
configure vlan Automacao ipaddress
enable ipforwarding vlan Automacao
configure vlan CFTV ipaddress
enable ipforwarding vlan CFTV
configure vlan Controle_de_Acesso ipaddress
enable ipforwarding vlan Controle_de_Acesso
configure vlan Engenharia ipaddress
enable ipforwarding vlan Engenharia
configure vlan Gerencia_de_Switches ipaddress
enable ipforwarding vlan Gerencia_de_Switches
configure vlan Impressoras ipaddress
enable ipforwarding vlan Impressoras
configure vlan SAC ipaddress
enable ipforwarding vlan SAC
configure vlan Administrativo ipaddress
enable ipforwarding vlan Administrativo
configure vlan VoIP ipaddress
enable ipforwarding vlan VoIP
configure vlan Marketing ipaddress
enable ipforwarding vlan Marketing
configure vlan DMZ ipaddress
enable ipforwarding vlan DMZ
configure vlan DEPART ipaddress
enable ipforwarding vlan DEPART
configure vlan Mikrotik ipaddress
enable ipforwarding vlan Mikrotik
configure vlan fort_lan ipaddress
enable ipforwarding vlan fort_lan

configure iproute add
configure iproute add
configure iproute add default

# Module acl configuration.

create flow-redirect GYN_redirect
configure flow-redirect GYN_redirect add nexthop priority 100
configure access-list ACL_GYN_redirect vlan "TI" ingress
# Module hal configuration.
configure iproute sharing max-gateways 4

Thanks again!
So the ACL you've created applies the PBR behavior to all TI-originated traffic; that's its purpose: to redirect regardless of what's inside the routing table.
Are there some additional criteria you could use so only specific type of traffic (e.g. TCP port) would get redirected? Then all the remaining traffic would be routed based on the routing table.

I don't have any elegant solution in mind at the moment. You could try to implement routes for TI to the other 'local' VLANs at this gateway, but that will lead you to an asymmetric traffic pattern (from TI to the other local VLANs through another gateway, from the local VLANs back to TI directly)...

If you want to have local routing performed by the X460, is there any point in having that redirection? Is the asymmetric traffic flow acceptable?

Kind regards,
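A policy file showing the selective redirect suggested in the reply above, as an added example that neither participant posted. It assumes EXOS policy-file syntax, first-match evaluation of ACL entries (a packet that hits a `permit` entry is not evaluated against later entries and is forwarded by the normal routing table), the flow-redirect GYN_redirect already created in the config, and a placeholder subnet 10.10.0.0/16 standing in for the VLANs that the X460 routes locally; the subnet and the TCP port are constructed values, not from the thread.

```exos
# Added example (not from the thread): ACL_GYN_redirect.pol
# Assumes first-match evaluation: traffic to the locally routed VLANs
# matches entry local_vlans, is permitted, and never reaches the
# redirect entry, so the X460 routes it from its own routing table.
# 10.10.0.0/16 is a placeholder for the real local VLAN subnets.
entry local_vlans {
    if match all {
        destination-address 10.10.0.0/16;
    } then {
        permit;
    }
}

# Only the chosen traffic type (here TCP 443, a constructed choice)
# is redirected to the other gateway via the flow-redirect.
entry redirect_https {
    if match all {
        protocol tcp;
        destination-port 443;
    } then {
        redirect-name GYN_redirect;
    }
}

# Everything else falls through to the routing table.
entry permit_rest {
    if match all {
    } then {
        permit;
    }
}
```

Entry order is what makes this work: if the redirect entry were placed first, the local subnets would be redirected as before. The policy is applied with the same command already used in the config (`configure access-list ACL_GYN_redirect vlan "TI" ingress`); after editing the file on the switch, `check policy ACL_GYN_redirect` validates the syntax and `refresh policy ACL_GYN_redirect` reloads it. The redirected flows still return through whatever path the other gateway chooses, so the asymmetry noted above remains for that traffic.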
I solved the issue by putting the gateway on the same VLAN as the network and creating routes on the new gateway pointing back to the Extreme switch.
For now this helps me.

Thanks for helping me!