This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Question About Filter Redirect-Next-Hop Routed-Only Option In 8.4

Question About Filter Redirect-Next-Hop Routed-Only Option In 8.4

Go to solution
jnowakowski
New Contributor II

‎03-02-2022 10:21 AM

We are implementing a dedicated VRF to communicate to our firewall. The goal is that any routed traffic coming into the VRF gets redirected to the firewall. Simple enough with Ludovico's standard template.
filter acl ace          1 1 name "No-PBR-for-IPMC" 
filter acl ace action   1 1 permit count
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip       1 1 dst-ip mask 224.0.0.0 31.255.255.255
filter acl ace          1 1 enable

filter acl ace          1 999 name "Rest-force-PBR-to-FW"
filter acl ace action   1 999 permit redirect-next-hop 172.16.0.250 vrf red unreachable deny count
filter acl ace ethernet 1 999 ether-type eq ip
filter acl ace          1 999 enable​

However, I'm running 8.4.1 and up on my VSP's and I'm wondering if this will work instead with the new routed-only option? Is ace 1 still needed? I'm primarily concerned about VRRP and other IP multicast applications.

filter acl ace          1 999 name "Rest-force-PBR-to-FW"
filter acl ace action   1 999 permit redirect-next-hop 172.16.0.250 vrf red unreachable deny count
filter acl ace ethernet 1 999 ether-type eq ip
filter acl ace ip       1 999 routed-only
filter acl ace          1 999 enable
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Ludovico_Steven
Extreme Employee

‎03-03-2022 02:57 AM

Yes, the routed-only ACE match criteria was added in VOSS 8.4.0.0 and the recommendation is that it must always be used one ACEs using the redirect-next-hop action. Because redirect-next-hop is an action that should only apply to traffic which would otherwise be IP routed in the IP routing table.
Unfortunately ACLs can be blunt instruments, and the redirect-next-hop will actually re-direct even packets which are not IP routed (e.g. VRRP Hellos) which can have unpleasant consequences when you have two VSPs doing the same.
Hence the ACE 1 in the original template above to prevent anything with an IP Multicast address being redirected by the redirect-next-hop action in ACE 999.
So yes, going forward the new template is what you have come to, with routed-only match on ACE 999 and no need for ACE 1 anymore.

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
jnowakowski
New Contributor II

‎03-03-2022 08:41 AM

Thank you for confirming this Ludovico. As always, you are a wealth of knowledge and an asset to this community.
0 Kudos

Go to solution
Ludovico_Steven
Extreme Employee

‎03-03-2022 02:57 AM

Yes, the routed-only ACE match criteria was added in VOSS 8.4.0.0 and the recommendation is that it must always be used one ACEs using the redirect-next-hop action. Because redirect-next-hop is an action that should only apply to traffic which would otherwise be IP routed in the IP routing table.
Unfortunately ACLs can be blunt instruments, and the redirect-next-hop will actually re-direct even packets which are not IP routed (e.g. VRRP Hellos) which can have unpleasant consequences when you have two VSPs doing the same.
Hence the ACE 1 in the original template above to prevent anything with an IP Multicast address being redirected by the redirect-next-hop action in ACE 999.
So yes, going forward the new template is what you have come to, with routed-only match on ACE 999 and no need for ACE 1 anymore.
0 Kudos
li.common.scroll-to.top
GTM-P2G8KFN