Question

VSP-8404 - Redirect IP's with ACL's

  • 3 September 2019
  • 1 reply
  • 108 views

Hey Everyone,

I am trying to create an inPort ACL on our VSP-8404 so that traffic destined to the internet hits a different firewall instead of the one set up as the default route.

This is what I have:

filter acl 120 type inPort name "Redirect"
filter acl port 120 1/15
filter acl ace 120 100 name "Redirect to Firewall"
filter acl ace action 120 100 permit redirect-next-hop 1.1.1.1
filter acl ace ethernet 120 100 ether-type eq ip
filter acl ace ip 120 100 src-ip mask 0.0.0.0 255.255.255.255
filter acl ace ip 120 100 dst-ip mask 0.0.0.0 255.255.255.255
filter acl ace 120 100 enable

When I do a traceroute on a device directly connected to Port 15, 1.1.1.1 is not the next hop; the default route for the router is.

Any help would greatly be appreciated.

1 reply

Please see below for how to configure PBR on VSP.
The same configuration should be applied on VSP8400.
You may apply the filter on a port or VLAN basis, and you don't need to configure src-ip or dst-ip when you want to use any IP address as dip or sip. Also, check whether the destination routing entry exists in the routing table.
You can check the filter statistics on the VSP to see if the packet hits the filter.

1. GRT: ACL redirect-next-hop

• Configuration
filter acl 1 type inVlan
filter acl vlan 1 11
filter acl ace 1 1
filter acl ace action 1 1 permit redirect-next-hop 10.0.49.99
filter acl ace action 1 1 permit unreachable permit
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 dst-ip mask 10.0.0.86 0.0.0.0
filter acl ace 1 1 enable

• Checking filter statistics

VSP4000-B:1#% show filter acl statistics 1 1
====================================================================================================
Acl Ace Statistics Table
====================================================================================================
Acl Id  Acl Name  Acl Type  Ace Id  Packets  Bytes
----------------------------------------------------------------------------------------------------
1       ACL-1     inVlan    1       155      17050

• Checking traceroute on test PC

PS C:\Users\Administrator> tracert -d 10.0.0.86

Tracing route to 10.0.0.86 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.49.99
  2    <1 ms    <1 ms    <1 ms  10.0.49.99
  3     1 ms     1 ms     1 ms  10.0.49.40
  4    <1 ms    <1 ms    <1 ms  10.0.0.86

Trace complete.
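The reply above gives two checks for a redirect-next-hop rule: the ACE hit counters in "show filter acl statistics" and the first hop seen by a test host's traceroute. The script below is an added example (not part of the post or of any Extreme Networks tool) that automates both checks so the outcome the asker saw, traffic taking the default route instead of the redirect firewall, is reported as a finding rather than spotted by eye. It assumes the column layout of the statistics table and the Windows tracert format exactly as shown in the reply; the sample outputs are constructed to match that layout, and the "before" counters and the bypassed traceroute are invented values for the demonstration.

```python
"""Verify that an ACL redirect-next-hop (PBR) rule on a VSP is really in effect.

Added example, not from the forum post. It parses the text of the two
commands the reply recommends:
  * 'show filter acl statistics <acl> <ace>' on the switch (ACE hit counters)
  * 'tracert -d <dst>' on a test host (hop 1 should be the redirect address)
A redirect that is configured but not matching shows up as counters that do
not move, and a redirect that matches but is not honoured shows up as a first
hop equal to the default gateway instead of the redirect-next-hop.
"""
import re
from ipaddress import ip_address

# Constructed sample outputs in the layout shown in the reply. The "before"
# counters (100 / 11000) are invented; the "after" values are the post's.
STATS_BEFORE = """\
VSP4000-B:1#% show filter acl statistics 1 1
====================================================================================================
Acl Ace Statistics Table
====================================================================================================
Acl Id  Acl Name  Acl Type  Ace Id  Packets  Bytes
----------------------------------------------------------------------------------------------------
1       ACL-1     inVlan    1       100      11000
"""

STATS_AFTER = STATS_BEFORE.replace("100      11000", "155      17050")

# Raw strings: the Windows prompt contains backslashes.
TRACERT_REDIRECTED = r"""
PS C:\Users\Administrator> tracert -d 10.0.0.86

Tracing route to 10.0.0.86 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.49.99
  2    <1 ms    <1 ms    <1 ms  10.0.49.99
  3     1 ms     1 ms     1 ms  10.0.49.40
  4    <1 ms    <1 ms    <1 ms  10.0.0.86

Trace complete.
"""

# Constructed failure case: first hop is a made-up default gateway
# (10.0.49.1), i.e. the symptom the asker describes.
TRACERT_BYPASSED = r"""
Tracing route to 10.0.0.86 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.49.1
  2     1 ms     1 ms     1 ms  10.0.0.86

Trace complete.
"""


def parse_ace_stats(output):
    """Return {(acl_id, ace_id): (packets, bytes)} from the statistics table."""
    stats = {}
    # Data rows: <acl id> <acl name> <acl type> <ace id> <packets> <bytes>
    row = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    for line in output.splitlines():
        m = row.match(line)
        if m:
            key = (int(m.group(1)), int(m.group(4)))
            stats[key] = (int(m.group(5)), int(m.group(6)))
    return stats


def first_hop(tracert_output):
    """Return hop 1's address from tracert output, or None if it timed out."""
    for line in tracert_output.splitlines():
        m = re.match(r"^\s*1\s+(.*)$", line)  # only the hop numbered 1
        if m:
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(1))
            return ip_address(ips[-1]) if ips else None
    return None


def verify_redirect(stats_before, stats_after, tracert_output, acl_id, ace_id, next_hop):
    """Combine both checks into a dict of named results."""
    before = parse_ace_stats(stats_before).get((acl_id, ace_id), (0, 0))
    after_all = parse_ace_stats(stats_after)
    after = after_all.get((acl_id, ace_id), (0, 0))
    hop = first_hop(tracert_output)
    return {
        "ace_present": (acl_id, ace_id) in after_all,
        "ace_hit_delta": after[0] - before[0],
        "ace_matching": after[0] > before[0],
        "first_hop": str(hop) if hop else None,
        "redirected": hop == ip_address(next_hop),
    }


def findings(result, next_hop):
    """Translate a verify_redirect() result into operator-facing findings."""
    out = []
    if not result["ace_present"]:
        out.append("ACE not found in filter statistics (check acl/ace ids and enable)")
    elif not result["ace_matching"]:
        out.append("ACE counters not incrementing: test traffic is not matching the filter")
    if not result["redirected"]:
        out.append(f"first hop {result['first_hop']} is not redirect-next-hop {next_hop}")
    return out


if __name__ == "__main__":
    for name, trace in (("redirected", TRACERT_REDIRECTED), ("bypassed", TRACERT_BYPASSED)):
        res = verify_redirect(STATS_BEFORE, STATS_AFTER, trace, 1, 1, "10.0.49.99")
        print(name, res, findings(res, "10.0.49.99"))
```

Take the statistics snapshot before and after sending the test traffic; a single snapshot only tells you the ACE has ever matched, not that the packets you just sent did.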
