This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Convert EOS to EXOS policy-based Routing

Convert EOS to EXOS policy-based Routing

M_Nees
Contributor III

‎03-14-2016 11:34 AM

Currently i am converting an existing configuration from a legacy N7 device to a current X670 switch.

Converting the EOS route-based policy to EXOS route-based policy i need some help.

Existing EOS route-map:
ip access-list extended redirectACL
deny ip host 10.1.13.70 192.168.0.0 0.0.255.255
deny ip host 10.1.13.70 10.0.0.0 0.0.0.255
deny ip host 10.1.13.70 172.16.0.0 0.31.255.255
permit ip host 10.1.13.70 any
deny ip host 10.1.13.199 host 2.2.2.2
deny ip host 10.1.13.199 host 3.3.3.3
permit ip host 10.1.13.199 any
exit
!
route-map policy Internet-FW permit 10
match ip address redirectACL
set next-hop 10.1.1.1
exit
I use the deny statements for internal networks which routed based on the routing table. the permit statements have to be redicted to the firewall.

How can i achieve this with EXOS ACL and redirects actions?

Regards
0 Kudos
4 REPLIES 4

Henrique
Extreme Employee

‎03-15-2016 12:33 PM

Hi Kawawa,

Currently there is no option to negate an ACL match-condition.

The match-type available is "match all", that means if ALL match-conditions are true then the actions take place.
0 Kudos

Kawawa
Extreme Employee

‎03-15-2016 08:21 AM

I don't think that is possible, I will ask my colleagues or try a sample ACL and see what it gives
0 Kudos

M_Nees
Contributor III

‎03-15-2016 04:51 AM

Hi, is it possible to negate some of the ACL match-conditions ?
Means if NOT source-address is y.y.y.y and destination-adress is x.x.x.x then action ....

0 Kudos

Kawawa
Extreme Employee

‎03-14-2016 12:06 PM

Hi Matthias,

You can create a policy file containing the deny and redirect rules. For example to redirect traffic from a subnet 10.1.0.0/16 to 10.1.1.1, the policy would look like:
entry { if { source-address ; } then { redirect ; } }entry redirect-rule-1 { if { source-address 10.1.0.0/16 ; } then { redirect 10.1.1.1 ; } }apply this policy to the ingress traffic of a VLAN

You can also add additional rules for the sources you wish to deny access:
entry deny-rule-1 { if { source-address 192.168.0.1/32 ; } then { deny ; count Deny-1 } }The count condition on the deny rule is optional, but for troubleshooting purposes can be very helpful in understanding whether the rule is affecting any traffic.

You can add multiple sources to a rule and use the Match Any condition on the rule
entry match any { if { source address ; source address } then { deny ; }}I hope this helps
0 Kudos
GTM-P2G8KFN