This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

VSP-8404 - Redirect IP's with ACL's

VSP-8404 - Redirect IP's with ACL's

aksidents
New Contributor

‎09-03-2019 06:41 PM

Hey Everyone,

I am trying to create an inPort ACL on our VSP-8404 to send traffic destined to the internet... hit a different firewall instead of the one setup as the default route.

This is what I have:

filter acl 120 type inPort name "Redirect"
filter acl port 120 1/15
filter acl ace 120 100 name "Redirect to Firewall"
filter acl ace action 120 100 permit redirect-next-hop 1.1.1.1
filter acl ace ethernet 120 100 ether-type eq ip
filter acl ace ip 120 100 src-ip mask 0.0.0.0 255.255.255.255
filter acl ace ip 120 100 dst-ip mask 0.0.0.0 255.255.255.255
filter acl ace 120 100 enable

When I do a trace route on a device directly connected to Port 15 - 1.1.1.1 is not the next hop. The default route for the router is.

Any help would greatly be appreciated.
0 Kudos
1 REPLY 1

Jongseok_Won
Extreme Employee

‎09-19-2019 06:39 AM

Please see below for how to configure PBR on VSP.
Same configuration should be applied on VSP8400.
You may apply filter on port or VLAN basis and you don't need to configure src-ip or dst-ip when you want to use any IP address as dip or sip. Also, check if destination routing entry is existed on routing table.
You can check the filter statistics on VSP yo see if the packet hits the filter.

1.GRT: ACL redirect-next-hop

•configuration
filter acl 1 type inVlan
filter acl vlan 1 11
filter acl ace 1 1
filter acl ace action 1 1 permit redirect-next-hop 10.0.49.99
filter acl ace action 1 1 permit unreachable permit
filter acl ace action 1 1 permit count
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 dst-ip mask 10.0.0.86 0.0.0.0
filter acl ace 1 1 enable

•Checking filter statistics
VSP4000-B:1#% show filter acl statistics 1 1
====================================================================================================
Acl Ace Statistics Table
====================================================================================================
Acl Id Acl Name Acl Type Ace Id Packets Bytes
----------------------------------------------------------------------------------------------------
1 ACL-1 inVlan 1 155 17050

•Checking traceroute on test PC

PS C:\Users\Administrator> tracert -d 10.0.0.86
Tracing route to 10.0.0.86 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.0.49.99
2 <1 ms <1 ms <1 ms 10.0.49.99
3 1 ms 1 ms 1 ms 10.0.49.40
4 <1 ms <1 ms <1 ms 10.0.0.86
Trace complete.
0 Kudos
GTM-P2G8KFN