Help required for L3 - Policy Based Redirect. Summit x460-24t, ExOS 12.5

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 8:53AM

Hi all,

I am facing a very simple redirection problem while using my Policy based redirect on the Switch.

I have a dynamic policy defined for redirection as below on my Switch. And I apply it as ANY on the switch.

###########################################################################################################################
(vr VR-SIG) CH-SW1.11 # show configuration acl
#
# Module acl configuration.
#
create access-list sctp_int_1_flow " source-address 10.91.0.48/28 ;" " redirect 10.91.0.234 ;" application "Cli"

configure access-list add sctp_int_1_flow last priority 0 zone SYSTEM any ingress

(vr VR-SIG) CH-SW1.15 # show access-list any detail
#Dynamic Entries ((*)- Rule is non-permanent )
# RuleNo Application Zone Sub-Zone
# 9 Cli SYSTEM 0
entry sctp_int_1_flow { if match all {
source-address 10.91.0.48/28 ;
} then {
redirect 10.91.0.234 ;
} }

#########################################################################################

But my redirection is not working.

(vr VR-SIG) CH-SW1.13 # ping 10.91.0.100 from 10.91.0.62 with record-route
Ping(ICMP) 10.91.0.100: 4 packets, 8 data bytes, interval 1 second(s).
16 bytes from 10.91.0.100: icmp_seq=1 ttl=255 time=7.668 ms
RR: 10.91.0.62
10.91.0.101
10.91.0.62

I would expect the ICMP packet coming with source-address 10.91.0.62 to hit the policy and redirect the traffic to 10.91.0.234; instead, the route-record shows that the traffic is redirected to 10.91.0.101, where I do not want my traffic to flow.

It looks to me that for some reason my policy is not active.

Any help will be appreciated.

Thank you,

./emuzkhn (from Muhammad_Khan)
8 REPLIES 8

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 1:57PM

Hello emuzkhn,

Is this not working for ICMP traffic only, or are you noticing that all IP traffic is not being redirected? Do you have any static policies configured?

I would add a count statement to the ACL and also try it with a protocol statement for ICMP traffic in addition to the IP subnet that you have, and see if that gets any hits using the count option as well.

Let me know what you find out.

P (from Paul_Russo)

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 1:32PM

Also, one more thing to add: my policy is not even getting a hit. (from Muhammad_Khan)

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 1:27PM

Hi Jarek,

We are not looking into next hop redundancy. I want a simple redirection of one plain traffic. I would be looking forward to a solution with plain L3 - Policy based redirect.

Any help in this regard will be highly appreciated.

Thank you,

./emuzkhn (from Muhammad_Khan)

EtherNation_Use
Contributor II
Create Date: Sep 12 2012 12:19PM

Hi emuzkhn,

maybe you can try something like in:
Concept Guide ->Policy-Based Redirection Redundancy -> Packet Forward/Drop
(http://www.extremenetworks.com/services/software-userguide-archives.aspx)

--
Jarek (from Jaroslaw_Kasjaniuk)