Help required for L3 - Policy Based Redirect. Summit x460-24t, ExOS 12.5

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 8:53AM

Hi all,

I am facing a very simple redirection problem while using my Policy based redirect on the Switch.

I have a dynamic policy defined for redirection as below on my Switch. And I apply it as ANY on the switch.

###########################################################################################################################
(vr VR-SIG) CH-SW1.11 # show configuration acl
#
# Module acl configuration.
#
create access-list sctp_int_1_flow " source-address 10.91.0.48/28 ;" " redirect 10.91.0.234 ;" application "Cli"

configure access-list add sctp_int_1_flow last priority 0 zone SYSTEM any ingress

(vr VR-SIG) CH-SW1.15 # show access-list any detail
#Dynamic Entries ((*)- Rule is non-permanent )
# RuleNo Application Zone Sub-Zone
# 9 Cli SYSTEM 0
entry sctp_int_1_flow { if match all {
source-address 10.91.0.48/28 ;
} then {
redirect 10.91.0.234 ;
} }

#########################################################################################

But My redirection is not working.

(vr VR-SIG) CH-SW1.13 # ping 10.91.0.100 from 10.91.0.62 with record-route
Ping(ICMP) 10.91.0.100: 4 packets, 8 data bytes, interval 1 second(s).
16 bytes from 10.91.0.100: icmp_seq=1 ttl=255 time=7.668 ms
RR: 10.91.0.62
10.91.0.101
10.91.0.62

I would expect the ICMP packet coming with source-address 10.91.0.62 to hit the policy and be redirected to 10.91.0.234. Instead, the record-route shows that the traffic is redirected to 10.91.0.101, where I do not want my traffic to flow.

It looks to me that for some reason my policy is not active.

Any help will be appreciated.

Thank you,

./emuzkhn (from Muhammad_Khan)

EtherNation_Use
Contributor II
Create Date: Sep 13 2012 1:34PM

Hi Jarek,

I tried the suggested but it did not work 😞

(vr VR-SIG) CH-SW1.69 # show vlan "SCTP_INT_1"
VLAN Interface with name SCTP_INT_1 created by user
Admin State: Enabled Tagging: 802.1Q Tag 844
Virtual router: VR-SIG
IPv4 Forwarding: Enabled
Primary IP : 10.91.0.62/28



(vr VR-SIG) CH-SW1.65 # show configuration acl
#
# Module acl configuration.
#
create flow-redirect redir1
configure flow-redirect redir1 vr VR-SIG
configure flow-redirect redir1 health-check ping
configure flow-redirect redir1 no-active forward
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 200
configure flow-redirect redir1 nexthop 10.91.0.234 ping health-check interval 60 miss 3
configure access-list redir1 vlan "SCTP_INT_1" ingress


(vr VR-SIG) CH-SW1.67 # edit policy redir1
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}

Now I am trying to generate traffic from another machine connected directly to the switch on an untagged port, from an IP address in subnet 10.91.0.48/28 and VLAN SCTP_INT_1.

[emuzkhn@radius1 ~]$ traceroute -s 10.91.0.54 10.91.0.100
traceroute to 10.91.0.100 (10.91.0.100) from 10.91.0.54, 64 hops max, 40 byte packets
1 10.91.0.62 (10.91.0.62) 1.1 ms 0.653 ms 0.599 ms
2 10.91.0.101 (10.91.0.101) 0.622 ms * 0.621 ms
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$
[emuzkhn@radius1 ~]$ ping 10.91.0.100
PING 10.91.0.100 (10.91.0.100): 56 data bytes
64 bytes from 10.91.0.100: icmp_seq=0 ttl=254 time=0.599 ms
64 bytes from 10.91.0.100: icmp_seq=1 ttl=254 time=0.462 ms
64 bytes from 10.91.0.100: icmp_seq=2 ttl=254 time=0.885 ms
64 bytes from 10.91.0.100: icmp_seq=3 ttl=254 time=0.489 ms
--- 10.91.0.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.462/0.608/0.885/0.170 ms
[emuzkhn@radius1 ~]$



The switch does not redirect the traffic and instead uses the standard routing table on the switch to route the traffic.

Any more suggestions 🙂

Best regards,

./rameez (from Muhammad_Khan)

EtherNation_Use
Contributor II
Create Date: Sep 13 2012 11:12AM

Hi,

OK, that was an example of how you can do this.

An example.
We want to redirect all traffic from 10.91.0.48/28 to address 10.91.0.234

create flow-redirect redir1
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 100
configure flow-redirect redir1 nexthop 10.91.0.234 ping health-check interval 60 miss 3

Create an ACL:
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}

configure access-list redir1 vlan "vlan_name" ingress

That will redirect traffic in this vlan only from subnet 10.91.0.48/28 to 10.91.0.234.

--
Jarek (from Jaroslaw_Kasjaniuk)
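To check which source addresses the policy above would actually catch, and which flow-redirect next-hop they would be sent to, here is an added example (not ExOS code and not from any poster) that parses the ExOS policy entry syntax and the flow-redirect next-hop lines from the thread. It assumes first-match evaluation, a single highest-priority next-hop, and does not model the ping health-check; the policy and config text are constructed to mirror the thread.

```python
import ipaddress
import re

# Constructed policy text, in the same shape as the thread's "edit policy redir1" output.
POLICY = """
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}
"""

# Constructed flow-redirect lines as posted in the thread (priority 100 is the example value).
FLOW_REDIRECT = """
create flow-redirect redir1
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 100
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+(all|any)\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
NEXTHOP_RE = re.compile(r"configure flow-redirect (\S+) add nexthop (\S+) priority (\d+)")

def parse_policy(text):
    """Return [(entry_name, match_mode, [conditions], [actions])] in file order."""
    entries = []
    for name, mode, cond_blk, act_blk in ENTRY_RE.findall(text):
        conds = [c.strip() for c in cond_blk.split(";") if c.strip()]
        acts = [a.strip() for a in act_blk.split(";") if a.strip()]
        entries.append((name, mode, conds, acts))
    return entries

def parse_nexthops(text):
    """Map flow-redirect name -> [(nexthop, priority)], highest priority first."""
    hops = {}
    for name, nh, prio in NEXTHOP_RE.findall(text):
        hops.setdefault(name, []).append((nh, int(prio)))
    return {k: sorted(v, key=lambda t: -t[1]) for k, v in hops.items()}

def cond_matches(cond, src):
    """Only source-address conditions are modelled (assumption: enough for this thread)."""
    key, _, value = cond.partition(" ")
    if key == "source-address":
        return ipaddress.ip_address(src) in ipaddress.ip_network(value, strict=False)
    raise ValueError("unsupported condition: " + cond)

def evaluate(src, policy=POLICY, fr=FLOW_REDIRECT):
    """First-match evaluation: (entry_name, redirect_nexthop) or (None, None) if nothing hits."""
    hops = parse_nexthops(fr)
    for name, mode, conds, acts in parse_policy(policy):
        hits = [cond_matches(c, src) for c in conds]
        if all(hits) if mode == "all" else any(hits):
            for a in acts:
                if a.startswith("redirect-name "):
                    return name, hops[a.split()[1]][0][0]
            return name, None
    return None, None
```

Running evaluate on the two source addresses used in the thread (10.91.0.62 and 10.91.0.54) shows both fall inside 10.91.0.48/28 and should be sent to 10.91.0.234, so the policy text itself is not the reason the counter stays at zero.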

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 2:28PM

Hi Prusso,

I am testing it with ICMP, but I want all traffic to be redirected for the subnet.

And none of my traffic is getting redirected for this subnet. I have tried the count as well, but the counter is not incrementing, implying that the policy never gets hit.

Br,
./emuzkhn (from Muhammad_Khan)

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 2:27PM

Hi Prusso,

I am testing it with ICMP, but I want all traffic to be redirected.

And none of my traffic is getting redirected. I have tried the count as well, but the counter is not incrementing, implying that the policy never gets hit.

Br,
./emuzkhn (from Muhammad_Khan)