Solved

Re-Route Host Address To Different Next Hop?

  • 11 March 2021
  • 3 replies
  • 67 views


Hi,

I have the following route map in EOS config that is basically re-routing only the host IP address 10.119.200.158 to 10.119.0.35 for internet access only.

The deny entries are all the internal subnets, which means when going to an internal address follow the usual route.

 ip access-list extended WebTraffic
  deny ip any 10.119.0.0 0.0.255.255
  deny ip any 172.16.0.0 0.15.255.255
  deny ip any 192.168.0.0 0.0.255.255
  permit ip host 10.119.200.158 any
  exit

 route-map policy traffic permit 15
  match ip address WebTraffic
  set next-hop 10.119.0.35
  exit

 interface vlan.0.1020
  ip address 10.119.200.2 255.255.254.0 primary
  ip policy route-map traffic
  vrrp create 2 v2-IPv4
  vrrp address 2 10.119.200.1 
  vrrp accept-mode 2
  vrrp enable 2
  no shutdown
  exit

I’m not sure if this is the best way to do it, but as far as I have got is below, which would route the host address for all routes, not just internet routes:

filter acl 102 type inVLAN 
filter acl ace 102 1
filter acl ace ip 102 1 src-ip eq 10.119.200.158
filter acl ace action 102 1 permit redirect-next-hop 10.119.0.35
filter acl ace 102 1 enable
filter acl vlan 102 1020

#########################

filter acl <acl-id> type inVLAN
filter acl ace <acl-id> <ace-id>
filter acl ace ip <acl-id> <ace-id> src-ip eq 10.119.200.158
filter acl ace action <acl-id> <ace-id> permit redirect-next-hop 10.119.0.35
filter acl ace <acl-id> <ace-id> enable
filter acl vlan <acl-id> 1020

I will maybe need to introduce a not-equal list for the RFC 1918 addresses?

This would equal all RFC1918 addresses:

filter acl ace ip 120 1 dst-ip mask 10.0.0.0 0.255.255.255
filter acl ace ip 120 1 dst-ip mask 172.16.0.0 0.15.255.255
filter acl ace ip 120 1 dst-ip mask 192.168.0.0 0.0.255.255

This would be not equal to all RFC1918 addresses, and maybe what I need to add?

filter acl ace ip 120 1 dst-ip mask 10.0.0.0 255.0.0.0
filter acl ace ip 120 1 dst-ip mask 172.16.0.0 255.224.0.0
filter acl ace ip 120 1 dst-ip mask 192.168.0.0 255.255.0.0

Many thanks in advance


Best answer by Ludovico Stevens 26 March 2021, 21:43

Martin, I don’t think your “not equal to all RFC1918 addresses” match criteria will work.

dst-ip mask 10.0.0.0 255.0.0.0

Will match any IP address like X.0.0.0. So 8.0.0.0, 9.0.0.0, 10.0.0.0, 11.0.0.0, etc.

So probably not what you want.

If you want the redirect-next-hop only for flows where the IP destination is not a private range, then first have three ACL ACEs which match those private ranges, with action permit. Then your fourth ACE will have action redirect-next-hop.

Be careful with ACL action redirect-next-hop. It will redirect any packet, including broadcasts and IP multicast (e.g. VRRP Hellos). So you can easily get loops if you apply the same config on 2 VSPs on the same VLAN. Make sure the ACE with the action redirect-next-hop matches ethertype IP. And before the redirect-next-hop ACE, insert an ACE which matches IP Multicast with action permit, so as to skip IP Multicast before you reach the redirect-next-hop ACE.

This is the template I normally use for PBR:

filter acl ace 1 1 name "No-PBR-for-IPMC"
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 dst-ip mask 224.0.0.0 31.255.255.255
filter acl ace 1 1 enable

filter acl ace 1 999 name "Rest-force-PBR-to-FW"
filter acl ace action 1 999 permit redirect-next-hop 172.16.0.250 unreachable deny count
filter acl ace ethernet 1 999 ether-type eq ip
filter acl ace 1 999 enable

In VOSS 8.4 there will be a new match criteria which will make things easier:

filter acl ace ip <acl> <ace> routed-only 



3 replies



Thanks Ludovico, a lot of useful information in there, much appreciated.

When I get it working I will post back the results.


To share the config I ultimately used see below:

filter acl 1 type inVLAN
filter acl ace 1 5 name "No-PBR-for-IPMC"
filter acl ace action 1 5 permit count
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 dst-ip mask 224.0.0.0 31.255.255.255

filter acl ace 1 10 name "No-PBR-for-158.x.x.x"
filter acl ace action 1 10 permit count
filter acl ace ethernet 1 10 ether-type eq ip
filter acl ace ip 1 10 dst-ip mask 10.0.0.0 0.255.255.255

filter acl ace 1 15 name "No-PBR-for-172.16.x.x"
filter acl ace action 1 15 permit count
filter acl ace ethernet 1 15 ether-type eq ip
filter acl ace ip 1 15 dst-ip mask 172.16.0.0 0.15.255.255

filter acl ace 1 20 name "No-PBR-for-192.168.x.x"
filter acl ace action 1 20 permit count
filter acl ace ethernet 1 20 ether-type eq ip
filter acl ace ip 1 20 dst-ip mask 192.168.0.0 0.0.255.255

filter acl ace 1 999 name "Rest-force-PBR-to-FW"
filter acl ace ethernet 1 999 ether-type eq ip
filter acl ace ip 1 999 src-ip eq 10.119.200.158
filter acl ace action 1 999 permit redirect-next-hop 10.119.0.35 unreachable deny count
filter acl ace action 1 999 permit count

filter acl vlan 1 1020

filter acl ace 1 5 enable
filter acl ace 1 10 enable
filter acl ace 1 15 enable
filter acl ace 1 20 enable
filter acl ace 1 999 enable

And the following to view the counters:

show filter acl statistics 1 5
show filter acl statistics 1 10
show filter acl statistics 1 15
show filter acl statistics 1 20
show filter acl statistics 1 999


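The two points the thread turns on, the wildcard-mask semantics Ludovico describes (a 1 bit in the second address means "don't care", so `dst-ip mask 10.0.0.0 255.0.0.0` matches any X.0.0.0) and the first-match ACE ordering that makes the final ACL 1 skip multicast and RFC 1918 destinations before the redirect ACE, can be checked offline with a small model. The following is an added example written for this page, not Extreme's code and not something the switch runs; it assumes ACEs are evaluated in ascending ACE-id order, that the first match wins, and that an unmatched packet takes the ACL default action, taken here to be permit (normal routed forwarding). It models Martin's first attempt (ACL 102) beside the final ACL 1 so the difference in behaviour for internal destinations is visible.

```python
"""Model of VOSS-style inVLAN ACL evaluation for the PBR config in this thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Model `dst-ip mask <base> <wildcard>`: a 1 bit in the wildcard means 'don't care'.

    10.0.0.0 0.255.255.255 therefore covers 10.0.0.0/8, while 10.0.0.0 255.0.0.0
    only pins the last three octets to zero and matches 8.0.0.0, 9.0.0.0, 11.0.0.0 ...
    """
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Packet:
    ether_type: str  # 'ip' or 'arp' for this model
    src: str
    dst: str


@dataclass
class Ace:
    ace_id: int
    name: str
    action: str                       # 'permit' (normal forwarding) or 'redirect'
    next_hop: Optional[str] = None    # only meaningful for 'redirect'
    ether_type: Optional[str] = None  # `ether-type eq ip`
    src_ip: Optional[str] = None      # `src-ip eq <host>`
    dst_mask: Optional[Tuple[str, str]] = None  # `dst-ip mask <base> <wildcard>`

    def matches(self, pkt: Packet) -> bool:
        if self.ether_type is not None and pkt.ether_type != self.ether_type:
            return False
        if self.src_ip is not None and pkt.src != self.src_ip:
            return False
        if self.dst_mask is not None and not wildcard_match(pkt.dst, *self.dst_mask):
            return False
        return True


def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First ACE (ascending ACE id) whose criteria all match; None if nothing matches."""
    for ace in sorted(acl, key=lambda a: a.ace_id):
        if ace.matches(pkt):
            return ace
    return None


def verdict(acl: List[Ace], pkt: Packet) -> str:
    ace = first_match(acl, pkt)
    if ace is None or ace.action == "permit":
        return "forward"  # assumption: ACL default-action is permit
    return f"redirect {ace.next_hop}"


HOST = "10.119.200.158"
FW = "10.119.0.35"

# Martin's first attempt (ACL 102): src-ip only, so every IP packet from the host is redirected.
ACL_102 = [Ace(1, "host-redirect", "redirect", FW, src_ip=HOST)]

# The final ACL 1 from the last reply: skip IP multicast and the RFC 1918 ranges first.
ACL_1 = [
    Ace(5, "No-PBR-for-IPMC", "permit", ether_type="ip", dst_mask=("224.0.0.0", "31.255.255.255")),
    Ace(10, "No-PBR-for-10.x.x.x", "permit", ether_type="ip", dst_mask=("10.0.0.0", "0.255.255.255")),
    Ace(15, "No-PBR-for-172.16.x.x", "permit", ether_type="ip", dst_mask=("172.16.0.0", "0.15.255.255")),
    Ace(20, "No-PBR-for-192.168.x.x", "permit", ether_type="ip", dst_mask=("192.168.0.0", "0.0.255.255")),
    Ace(999, "Rest-force-PBR-to-FW", "redirect", FW, ether_type="ip", src_ip=HOST),
]


if __name__ == "__main__":
    # Constructed sample flows: internet, internal, VRRP hello, another host, an ARP frame.
    for pkt in (Packet("ip", HOST, "8.8.8.8"), Packet("ip", HOST, "10.119.1.1"),
                Packet("ip", HOST, "224.0.0.18"), Packet("ip", "10.119.200.50", "8.8.8.8"),
                Packet("arp", HOST, "10.119.200.1")):
        print(f"{pkt.ether_type:<3} {pkt.src} -> {pkt.dst:<15} "
              f"ACL102={verdict(ACL_102, pkt):<22} ACL1={verdict(ACL_1, pkt)}")
```

Swapping the wildcard in ACE 10 for the `255.0.0.0` form from the question shows why that attempt fails: `wildcard_match("10.5.6.7", "10.0.0.0", "255.0.0.0")` is false, so internal traffic would fall through to the redirect ACE, while `8.0.0.0` would be (wrongly) treated as internal. The VRRP case also shows why the multicast ACE is placed first: without it, ACE 999 would redirect the hello to the firewall next hop.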