03-11-2021 04:12 PM
Hi,
I have the following route map in my EOS config; it re-routes only the host IP address 10.119.200.158 to 10.119.0.35, for internet access only.
The deny entries are all the internal subnets, which means that traffic going to an internal address follows the usual route.
ip access-list extended WebTraffic
deny ip any 10.119.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 10.119.200.158 any
exit
route-map policy traffic permit 15
match ip address WebTraffic
set next-hop 10.119.0.35
exit
interface vlan.0.1020
ip address 10.119.200.2 255.255.254.0 primary
ip policy route-map traffic
vrrp create 2 v2-IPv4
vrrp address 2 10.119.200.1
vrrp accept-mode 2
vrrp enable 2
no shutdown
exit
I’m not sure if this is the best way to do it, but what I have got so far is below; this would route the host address for all routes, not just internet routes.
filter acl 102 type inVLAN
filter acl ace 102 1
filter acl ace ip 102 1 src-ip eq 10.119.200.158
filter acl ace action 102 1 permit redirect-next-hop 10.119.0.35
filter acl ace 102 1 enable
filter acl vlan 102 1020
#########################
filter acl <acl-id> type inVLAN
filter acl ace <acl-id> <ace-id>
filter acl ace ip <acl-id> <ace-id> src-ip eq 10.119.200.158
filter acl ace action <acl-id> <ace-id> permit redirect-next-hop 10.119.0.35
filter acl ace <acl-id> <ace-id> enable
filter acl vlan <acl-id> 1020
Will I maybe need to introduce a not-equal list for the RFC 1918 addresses?
This would equal all RFC1918 addresses:
filter acl ace ip 120 1 dst-ip mask 10.0.0.0 0.255.255.255
filter acl ace ip 120 1 dst-ip mask 172.16.0.0 0.15.255.255
filter acl ace ip 120 1 dst-ip mask 192.168.0.0 0.0.255.255
This would be not-equal to all RFC1918 addresses, and is maybe what I need to add?
filter acl ace ip 120 1 dst-ip mask 10.0.0.0 255.0.0.0
filter acl ace ip 120 1 dst-ip mask 172.16.0.0 255.224.0.0
filter acl ace ip 120 1 dst-ip mask 192.168.0.0 255.255.0.0
Many thanks in advance
03-26-2021 08:43 PM
Martin, I don’t think your “not equal to all RFC1918 addresses” match criteria will work.
dst-ip mask 10.0.0.0 255.0.0.0
will match any IP address like X.0.0.0, so 8.0.0.0, 9.0.0.0, 10.0.0.0, 11.0.0.0, etc.
So probably not what you want.
If you want the redirect-next-hop only for flows where the IP destination is not a private range, then first have 3 ACL ACEs which match those private ranges, with action permit. Then your 4th ACE will have action redirect-next-hop.
Be careful with ACL action redirect-next-hop. It will redirect any packet, including broadcasts and IP multicast (e.g. VRRP Hellos). So you can easily get loops if you apply the same config on 2 VSPs on the same VLAN. Make sure the ACE with the action redirect-next-hop matches ethertype IP. And before the redirect-next-hop ACE, insert an ACE which matches IP Multicast with action permit, so as to skip IP Multicast before you reach the redirect-next-hop ACE.
This is the template I normally use for PBR:
filter acl ace 1 1 name "No-PBR-for-IPMC"
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 dst-ip mask 224.0.0.0 31.255.255.255
filter acl ace 1 1 enable
filter acl ace 1 999 name "Rest-force-PBR-to-FW"
filter acl ace action 1 999 permit redirect-next-hop 172.16.0.250 unreachable deny count
filter acl ace ethernet 1 999 ether-type eq ip
filter acl ace 1 999 enable
In VOSS 8.4 there will be a new match criterion which will make things easier:
filter acl ace ip <acl> <ace> routed-only
04-08-2021 09:57 PM
To share the config I ultimately used, see below:
filter acl 1 type inVLAN
filter acl ace 1 5 name "No-PBR-for-IPMC"
filter acl ace action 1 5 permit count
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 dst-ip mask 224.0.0.0 31.255.255.255
filter acl ace 1 10 name "No-PBR-for-158.x.x.x"
filter acl ace action 1 10 permit count
filter acl ace ethernet 1 10 ether-type eq ip
filter acl ace ip 1 10 dst-ip mask 10.0.0.0 0.255.255.255
filter acl ace 1 15 name "No-PBR-for-172.16.x.x"
filter acl ace action 1 15 permit count
filter acl ace ethernet 1 15 ether-type eq ip
filter acl ace ip 1 15 dst-ip mask 172.16.0.0 0.15.255.255
filter acl ace 1 20 name "No-PBR-for-192.168.x.x"
filter acl ace action 1 20 permit count
filter acl ace ethernet 1 20 ether-type eq ip
filter acl ace ip 1 20 dst-ip mask 192.168.0.0 0.0.255.255
filter acl ace 1 999 name "Rest-force-PBR-to-FW"
filter acl ace ethernet 1 999 ether-type eq ip
filter acl ace ip 1 999 src-ip eq 10.119.200.158
filter acl ace action 1 999 permit redirect-next-hop 10.119.0.35 unreachable deny count
filter acl ace action 1 999 permit count
filter acl vlan 1 1020
filter acl ace 1 5 enable
filter acl ace 1 10 enable
filter acl ace 1 15 enable
filter acl ace 1 20 enable
filter acl ace 1 999 enable
And the following to view the counters:
show filter acl statistics 1 5
show filter acl statistics 1 10
show filter acl statistics 1 15
show filter acl statistics 1 20
show filter acl statistics 1 999
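The two points made in the thread, that "dst-ip mask 10.0.0.0 255.0.0.0" matches X.0.0.0 rather than 10.x.x.x, and that the permit ACEs for multicast and the RFC 1918 ranges must sit before the redirect ACE so that first-match ordering does the "not private" work, can be checked offline with a small model of the ACL. The script below is an added example, not code from the thread or from the VOSS product; it assumes VOSS-style semantics in which the second argument of dst-ip mask is an inverse (wildcard) mask whose 1-bits are don't-care, ACEs are evaluated lowest ID first, a frame matching no ACE receives the ACL default action (taken here to be permit, i.e. normal routing), and the ACE names are shortened. The host, next-hop and ranges are the ones from the final config above.

```python
# Added example (not from the thread): offline model of first-match inVLAN ACL
# evaluation with VOSS-style "dst-ip mask <base> <wildcard>" entries.
# Assumptions: wildcard 1-bits are don't-care; lowest ACE ID wins; the ACL
# default action for unmatched frames is "permit" (normal routing).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard."""
    care = (~int(IPv4(wildcard))) & 0xFFFFFFFF      # bits that must be equal
    return (int(IPv4(addr)) & care) == (int(IPv4(base)) & care)


@dataclass
class Ace:
    ace_id: int
    name: str
    action: str                                  # "permit" or "redirect-next-hop"
    next_hop: Optional[str] = None
    ether_type: Optional[str] = None             # "ip" restricts the ACE to IPv4 frames
    src_ip: Optional[str] = None                 # exact source match (src-ip eq)
    dst_mask: Optional[Tuple[str, str]] = None   # (base, wildcard) for dst-ip mask

    def matches(self, pkt: dict) -> bool:
        if self.ether_type and pkt["ether_type"] != self.ether_type:
            return False
        if self.src_ip and pkt.get("src") != self.src_ip:
            return False
        if self.dst_mask and not wildcard_match(pkt["dst"], *self.dst_mask):
            return False
        return True


def evaluate(acl, pkt: dict):
    """First-match evaluation; returns (ace_id, action, next_hop)."""
    for ace in sorted(acl, key=lambda a: a.ace_id):
        if ace.matches(pkt):
            return (ace.ace_id, ace.action, ace.next_hop)
    return (None, "permit", None)                # assumed ACL default action


def thread_acl():
    """The final ACL from the thread as data: skip IP multicast and the three
    RFC 1918 ranges, then redirect whatever is left from the one host."""
    return [
        Ace(5, "No-PBR-for-IPMC", "permit", ether_type="ip",
            dst_mask=("224.0.0.0", "31.255.255.255")),
        Ace(10, "No-PBR-for-10.x", "permit", ether_type="ip",
            dst_mask=("10.0.0.0", "0.255.255.255")),
        Ace(15, "No-PBR-for-172.16.x", "permit", ether_type="ip",
            dst_mask=("172.16.0.0", "0.15.255.255")),
        Ace(20, "No-PBR-for-192.168.x", "permit", ether_type="ip",
            dst_mask=("192.168.0.0", "0.0.255.255")),
        Ace(999, "Rest-force-PBR-to-FW", "redirect-next-hop",
            next_hop="10.119.0.35", ether_type="ip", src_ip="10.119.200.158"),
    ]


def classify(src: str, dst: str, ether_type: str = "ip"):
    """Classify one constructed frame against the thread's ACL."""
    return evaluate(thread_acl(), {"src": src, "dst": dst, "ether_type": ether_type})


if __name__ == "__main__":
    # The mask mix-up from the question: 255.0.0.0 as a wildcard matches X.0.0.0.
    print(wildcard_match("11.0.0.0", "10.0.0.0", "255.0.0.0"))      # True
    print(wildcard_match("10.1.2.3", "10.0.0.0", "255.0.0.0"))      # False
    print(wildcard_match("10.1.2.3", "10.0.0.0", "0.255.255.255"))  # True
    # Ordering: private and multicast destinations hit a permit ACE first,
    # only the rest from the one host reaches the redirect ACE.
    for dst in ("8.8.8.8", "10.119.0.50", "172.16.0.250", "192.168.1.1", "224.0.0.18"):
        print(dst, classify("10.119.200.158", dst))
    print("other host", classify("10.119.200.20", "8.8.8.8"))
    print("non-IP frame", classify("10.119.200.158", "8.8.8.8", ether_type="arp"))
```

The model only reproduces the match logic, not the hardware; the counters from "show filter acl statistics" remain the way to confirm on the switch which ACE a given flow actually hits.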
03-26-2021 09:44 PM
Thanks Ludovico, a lot of useful information in there, much appreciated.
When I get it working I will post back the results.