topic RE: Convert EOS to EXOS policy-based Routing in ExtremeSwitching (EOS)

Convert EOS to EXOS policy-based Routing

M_Nees — Mon, 14 Mar 2016 18:34:00 GMT

Currently i am converting an existing configuration from a legacy N7 device to a current X670 switch.

Converting the EOS route-based policy to EXOS route-based policy i need some help.

Existing EOS route-map:
ip access-list extended redirectACL
deny ip host 10.1.13.70 192.168.0.0 0.0.255.255
deny ip host 10.1.13.70 10.0.0.0 0.0.0.255
deny ip host 10.1.13.70 172.16.0.0 0.31.255.255
permit ip host 10.1.13.70 any
deny ip host 10.1.13.199 host 2.2.2.2
deny ip host 10.1.13.199 host 3.3.3.3
permit ip host 10.1.13.199 any
exit
!
route-map policy Internet-FW permit 10
match ip address redirectACL
set next-hop 10.1.1.1
exit
I use the deny statements for internal networks which routed based on the routing table. the permit statements have to be redicted to the firewall.

How can i achieve this with EXOS ACL and redirects actions?

Regards

RE: Convert EOS to EXOS policy-based Routing

Kawawa — Mon, 14 Mar 2016 19:06:00 GMT

Hi Matthias,

You can create a policy file containing the deny and redirect rules. For example to redirect traffic from a subnet 10.1.0.0/16 to 10.1.1.1, the policy would look like:
entry { if { source-address ; } then { redirect ; } }entry redirect-rule-1 { if { source-address 10.1.0.0/16 ; } then { redirect 10.1.1.1 ; } }apply this policy to the ingress traffic of a VLAN

You can also add additional rules for the sources you wish to deny access:
entry deny-rule-1 { if { source-address 192.168.0.1/32 ; } then { deny ; count Deny-1 } }The count condition on the deny rule is optional, but for troubleshooting purposes can be very helpful in understanding whether the rule is affecting any traffic.

You can add multiple sources to a rule and use the Match Any condition on the rule
entry match any { if { source address ; source address } then { deny ; }}I hope this helps

RE: Convert EOS to EXOS policy-based Routing

M_Nees — Tue, 15 Mar 2016 11:51:00 GMT

Hi, is it possible to negate some of the ACL match-conditions ?
Means if NOT source-address is y.y.y.y and destination-adress is x.x.x.x then action ....

RE: Convert EOS to EXOS policy-based Routing

Kawawa — Tue, 15 Mar 2016 15:21:00 GMT

I don't think that is possible, I will ask my colleagues or try a sample ACL and see what it gives

RE: Convert EOS to EXOS policy-based Routing

Henrique — Tue, 15 Mar 2016 19:33:00 GMT

Hi Kawawa,

Currently there is no option to negate an ACL match-condition.

The match-type available is "match all", that means if ALL match-conditions are true then the actions take place.