Configure Flow Redirect with Multiple Match Conditions

Trevor_Jackson
New Contributor II

I have successfully configured flow redirect a few times using examples from other posts here on the Extreme site such as:

https://extremeportal.force.com/ExtrArticleDetail?an=000083175
and
https://extremeportal.force.com/ExtrArticleDetail?an=000083345

However, in some cases I need to enable flow redirect in a very specific manner for specific hosts. For example, I might need host 10.22.70.10 to not be matched for flow redirect when accessing the Internet (0.0.0.0/0), but I do want it to be matched for flow redirect when it is destined for any private network (10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12).

I realize this question is more about configuring access lists than flow redirect. I am fairly new to access list configurations on the Extreme devices.

I would think I could do something similar to this:
entry one {
    if match all {
        source-address 10.22.70.10/32 ;
        destination-address 10.0.0.0/8 ;
    } then {
        deny ;
    }
    if match all {
        source-address 10.22.70.10/32 ;
        destination-address 192.168.0.0/16 ;
    } then {
        deny ;
    }
    if match all {
        source-address 172.16.0.0/16 ;
        destination-address 172.16.0.0/12 ;
    } then {
        deny ;
    }
    if match all {
        source-address 10.0.0.0/8 ;
    } then {
        permit ;
    }
}

Does anyone have any thoughts or advice on this?


Thanks for the hard work on this. I am going to be implementing this a little later this week. I will post back with the results.

Also, I just noticed you had all the match conditions/actions in one large entry. There needs to be an entry per match condition/action pair. See below for an example:
entry allow_10 {
    if {
        source-address 10.22.70.10/32 ;
        destination-address 10.0.0.0/8 ;
    } then {
        permit ;
    }
}

entry allow_192 {
    if {
        source-address 10.22.70.10/32 ;
        destination-address 192.168.0.0/16 ;
    } then {
        permit ;
    }
}

entry allow_172 {
    if {
        source-address 10.22.70.10/32 ;
        destination-address 172.16.0.0/12 ;
    } then {
        permit ;
    }
}

entry redirect_internet {
    if {
        source-address 10.22.70.10/32 ;
    } then {
        redirect-name internet_redirect ;
    }
}

No, the 'deny' will drop the traffic. If you want to allow it to be forwarded through the normal routing process, you would need a 'permit' action in the entry.

Jarek
New Contributor II
Hi Trevor,

If you want:
- host 10.22.70.10 to not be matched for flow redirect when accessing the Internet (0.0.0.0/0)
- flow redirect for the private networks (10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12)

your ingress VLAN/port ACL may look like the one below:

entry acl_10 {
    if {
        source-address 10.22.70.10/32 ;
        destination-address 10.0.0.0/8 ;
    } then {
        permit ;
        redirect-name My_GW ;
    }
}

entry acl_192 {
    if {
        source-address 10.22.70.10/32 ;
        destination-address 192.168.0.0/16 ;
    } then {
        permit ;
        redirect-name My_GW ;
    }
}

entry acl_172 {
    if {
        source-address 10.22.70.10/32 ;
        destination-address 172.16.0.0/12 ;
    } then {
        permit ;
        redirect-name My_GW ;
    }
}

--
Jarek

Jarek
New Contributor II
Ok, then delete the redirect-name My_GW from the ACL entries
and add a last ACL entry with:

entry acl_all {
    if {
        source-address 10.22.70.10/32 ;
    } then {
        permit ;
        redirect-name My_GW ;
    }
}

--
Jarek
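Added example, not code from this thread or from Extreme: a small Python model of first-match evaluation over the four-entry policy Jarek ends up with (three permit entries for the private destinations, then a catch-all entry that redirects). It checks which flows from 10.22.70.10 are redirected, and shows what goes wrong if the catch-all entry is placed first. The top-to-bottom, first-match evaluation order and the entry names are assumptions made for the model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the final policy: one entry per match/action pair.
# Assumption: entries are evaluated top to bottom and the first match wins.
POLICY = [
    ("acl_10",  "10.22.70.10/32", "10.0.0.0/8",     {"permit"}),
    ("acl_192", "10.22.70.10/32", "192.168.0.0/16", {"permit"}),
    ("acl_172", "10.22.70.10/32", "172.16.0.0/12",  {"permit"}),
    ("acl_all", "10.22.70.10/32", "0.0.0.0/0",      {"permit", "redirect-name My_GW"}),
]

# The same entries with the catch-all moved to the top (an ordering mistake).
WRONG_ORDER = [POLICY[3]] + POLICY[:3]


def evaluate(src, dst, policy=POLICY):
    """Return (entry_name, actions) for the first entry matching src/dst,
    or None when nothing matches (the switch then applies its default)."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, actions in policy:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return name, actions
    return None


def is_redirected(src, dst, policy=POLICY):
    """True when the matching entry carries a redirect-name action."""
    hit = evaluate(src, dst, policy)
    return hit is not None and any(a.startswith("redirect-name") for a in hit[1])


if __name__ == "__main__":
    # Constructed sample flows from the host in the thread.
    for dst in ("10.1.1.1", "192.168.7.7", "172.31.5.5", "172.32.0.1", "8.8.8.8"):
        print(f"10.22.70.10 -> {dst:12} ordered: {is_redirected('10.22.70.10', dst)}"
              f"  catch-all first: {is_redirected('10.22.70.10', dst, WRONG_ORDER)}")
```

Note that 172.32.0.1 falls outside 172.16.0.0/12, so it reaches the catch-all entry and is redirected, while a flow from any other source host matches no entry at all.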