https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79268#M1223 Thank you for confirming this Ludovico. As always, you are a wealth of knowledge and an asset to this community. Thu, 03 Mar 2022 16:41:49 GMT jnowakowski 2022-03-03T16:41:49Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79266#M1221 We are implementing a dedicated VRF to communicate to our firewall. The goal is that any routed traffic coming into the VRF gets redirected to the firewall. Simple enough with Ludovico's standard template.<BR /> <PRE class="language-markup"><CODE>filter acl ace 1 1 name "No-PBR-for-IPMC" filter acl ace action 1 1 permit count filter acl ace ethernet 1 1 ether-type eq ip filter acl ace ip 1 1 dst-ip mask 224.0.0.0 31.255.255.255 filter acl ace 1 1 enable filter acl ace 1 999 name "Rest-force-PBR-to-FW" filter acl ace action 1 999 permit redirect-next-hop 172.16.0.250 vrf red unreachable deny count filter acl ace ethernet 1 999 ether-type eq ip filter acl ace 1 999 enable​</CODE></PRE> <P>However, I'm running 8.4.1 and up on my VSP's and I'm wondering if this will work instead with the new routed-only option? Is ace 1 still needed? I'm primarily concerned about VRRP and other IP multicast applications.</P> <PRE class="language-markup"><CODE>filter acl ace 1 999 name "Rest-force-PBR-to-FW" filter acl ace action 1 999 permit redirect-next-hop 172.16.0.250 vrf red unreachable deny count filter acl ace ethernet 1 999 ether-type eq ip filter acl ace ip 1 999 routed-only filter acl ace 1 999 enable</CODE></PRE> Wed, 02 Mar 2022 18:21:23 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79266#M1221 jnowakowski 2022-03-02T18:21:23Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79267#M1222 Yes, the routed-only ACE match criteria was added in VOSS 8.4.0.0 and the recommendation is that it must always be used one ACEs using the redirect-next-hop action. Because redirect-next-hop is an action that should only apply to traffic which would otherwise be IP routed in the IP routing table.<BR />Unfortunately ACLs can be blunt instruments, and the redirect-next-hop will actually re-direct even packets which are not IP routed (e.g. VRRP Hellos) which can have unpleasant consequences when you have two VSPs doing the same.<BR />Hence the ACE 1 in the original template above to prevent anything with an IP Multicast address being redirected by the redirect-next-hop action in ACE 999.<BR />So yes, going forward the new template is what you have come to, with routed-only match on ACE 999 and no need for ACE 1 anymore. Thu, 03 Mar 2022 10:57:05 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79267#M1222 Ludovico_Steven 2022-03-03T10:57:05Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79268#M1223 Thank you for confirming this Ludovico. As always, you are a wealth of knowledge and an asset to this community. Thu, 03 Mar 2022 16:41:49 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/question-about-filter-redirect-next-hop-routed-only-option-in-8/m-p/79268#M1223 jnowakowski 2022-03-03T16:41:49Z