Question

Can flow-redirect be used on layer 2? If yes, syntax please.


Userlevel 1
I want to redirect flows based on port numbers. Is there a way to achieve that?

11 replies

Userlevel 5
You can do L2 redirects and this is documented in the user guide, and there are examples as well: https://documentation.extremenetworks.com/exos_22.4/exos_21_1/acl/r_layer-2-policybased-redirect.sht... I am not sure what you mean by "redirect based on port numbers"... are you referring to using physical ports as the source condition? Not possible. Or using physical ports as the destination of the redirected traffic? Possible, as outlined in the link!
Userlevel 1
Yes, I mean using physical ports. Can I use physical ports as the destination of the redirected traffic?
Userlevel 5
Yes, the redirect-port and redirect-port-list action modifiers help achieve this. Please see the examples in the link I shared in my previous comment.
Userlevel 1
But it is not working. I have the following configuration. I am receiving the traffic with no tags, nothing, just normal Ethernet frames on port 47, but somehow the ACL is not redirecting them to port 48. Am I missing something?

* X670V-48x.54 # show access-list
Vlan Name  Port  Policy Name  Dir      Rules  Dyn Rules
=========================================================
*          47    testing      ingress  1      0

* X670V-48x.55 # vi testing.pol
entry rule {
    if match all {
    } then {
        redirect-port 48;
    }
}

* X670V-48x.59 # show ports 47-48 statistics
Port Statistics                                         Thu Apr 12 10:09:00 2018
Port      Link   Tx Pkt      Tx Byte     Rx Pkt      Rx Byte     Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
          State  Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
47        A     0           0           8469676     1084118656  0           0           0           0
48        A     0           0           0           0           0           0           0           0
========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
Userlevel 1
Any help here, guys?
Userlevel 5
Are both ports in the same VLAN? You cannot do an L2 redirect across VLANs. Here's a simple output I took from the lab:

# vi redir.pol
entry l2_redir {
    if {
    } then {
        count redirected;
        redirect-port 10;
    }
}

# create vlan v10 tag 10
# configure vlan v10 add ports 1-2,10 untagged
# configure access-list redir port 1 ingress
# show access-list counter
Policy Name   Vlan Name   Port   Direction
    Counter Name                Packet Count   Byte Count
==================================================================
redir         *           1      ingress
    redirected                  42

A second take after a minute:

# show access-list counter
Policy Name   Vlan Name   Port   Direction
    Counter Name                Packet Count   Byte Count
==================================================================
redir         *           1      ingress
    redirected                  157

# show ports 1,10 statistics
Port Statistics                                         Mon Apr 16 09:26:26 2018
Port      Link   Tx Pkt      Tx Byte     Rx Pkt      Rx Byte     Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
          State  Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
1         A     8           972         14          896         14          0           1           7
10        A     19          1789        0           0           0           0           13          5
========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
Userlevel 1
Yes, this works, but what about tagged packets? If packets come with some specific tag and I want to redirect them, how would I do that? Because I am expecting untagged, single-tagged and double-tagged packets in my traffic, and I won't know the tag of the traffic in the case of tagged traffic, so I cannot set it as a VLAN tag.
Userlevel 1
Any help regarding this question?
Userlevel 1
??
Userlevel 7
I would suggest contacting the GTAC if you still have some questions outstanding.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-contact-Extreme-Networks-Global-Tec...
You can do L2 redirects and this is documented in the user guide, and there are examples as well: https://documentation.extremenetworks.com/exos_22.4/exos_21_1/acl/r_layer-2-policybased-redirect.sht... I am not sure what you mean by "redirect based on port numbers"... are you referring to using physical ports as the source condition? Not possible. Or using physical ports as the destination of the redirected traffic? Possible, as outlined in the link!

Kawawa, Did you actually try to do this or did you just quote the manual?

Has anyone had success?

I am trying to redirect back to the sending port, and the whole "echo kill override" thing was removed from the newer manuals. I am running 15.6. Was this because the wording of both "egress port change" and "overrides echo kill" is redundant, or because it doesn't work and is not possible? However, I cannot get redirection to any other ports, either, which seems like it never worked to begin with. If you google this topic there are several messages found where people ask the question but no one ever answers, or Extreme goes out and sanitizes the answers so they can get paid for them. Anyone know?

entry cdnal {
    if {
        # SUBSTITUTE A VALID MAC ADDRESS
        ethernet-destination-address XX:XX:XX:XX:XX:XX;
    } then {
        # default action
        permit;
        redirect-port-list 1,4;
        count cdnal;
    }
}
entry cdnac {
    if {
        # SUBSTITUTE A VALID MAC ADDRESS
        ethernet-destination-address XX:XX:XX:XX:XX:XX;
    } then {
        # default action
        permit;
        redirect-port-list 3,4;
        count cdnac;
    }
}
entry cdnar {
    if {
        # SUBSTITUTE A VALID MAC ADDRESS
        ethernet-destination-address XX:XX:XX:XX:XX:XX;
    } then {
        # default action
        permit;
        redirect-port-list 5,4;
        count cdnar;
    }
}

Tried applying both as an access-list to a VLAN, or redirect-port-list to a VLAN or port-list. A myriad of combinations has been attempted and not one frame was ever seen redirected. My counters count, but monitoring any segment of the structure with Wireshark (and an old hub) I never see anything sent back to the sender.
