Configure Flow Redirect with Multiple Match Conditions
05-22-2017 11:24 AM
I have successfully configured flow redirect a few times using examples from other posts here on the Extreme site such as:
https://extremeportal.force.com/ExtrArticleDetail?an=000083175
and
https://extremeportal.force.com/ExtrArticleDetail?an=000083345
However, in some cases I need to be able to enable flow redirect in a very specific manner for specific hosts. For example, I might need host 10.22.70.10 to not be matched for flow redirect when accessing the Internet (0.0.0.0/0), but I do want it to be matched for flow redirect when it is destined for any private network (10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12).
I realize this question is more about configuring access lists than flow redirect. I am fairly new to access list configurations on the Extreme devices.
I would think I could do something similar to this:
# One entry per match/action pair (an entry holds a single if/then block);
# entries are evaluated top to bottom and the first match wins.
# Actions are kept as written in the post (deny/permit).
entry host_to_10 {
    if match all {
        source-address 10.22.70.10/32 ;
        destination-address 10.0.0.0/8 ;
    } then {
        deny ;
    }
}
entry host_to_192 {
    if match all {
        source-address 10.22.70.10/32 ;
        destination-address 192.168.0.0/16 ;
    } then {
        deny ;
    }
}
entry host_to_172 {
    # The post had source-address 172.16.0.0/16 here; the host is the intended source.
    if match all {
        source-address 10.22.70.10/32 ;
        destination-address 172.16.0.0/12 ;
    } then {
        deny ;
    }
}
entry rest_of_site {
    if match all {
        source-address 10.0.0.0/8 ;
    } then {
        permit ;
    }
}
Does anyone have any thoughts or advice on this?
05-22-2017 02:17 PM
05-22-2017 02:10 PM
What you have above should work. The first matching entry will be taken, so you would catch a packet from that host going to any of the RFC1918 addresses before it hits the last permit.
Of course, if you wanted to flow-redirect the traffic, the action in those entries should be 'redirect-name', not 'deny'.
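To make the first-match point concrete, here is an added Python simulation (not from the thread or from Extreme's software) of how the four entries are evaluated in order, with the redirect action name `redir_fw` as an assumed placeholder. Moving the broad permit to the top shows why entry order decides whether the host is ever redirected.

```python
"""Simulate first-match evaluation of an EXOS-style policy (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    name: str
    source: Optional[str]       # CIDR prefix, or None for "any"
    destination: Optional[str]  # CIDR prefix, or None for "any"
    action: str


# Entries in the order they appear in the policy file; first match wins.
# "redir_fw" is an assumed redirect name, not one from the thread.
POLICY: List[Entry] = [
    Entry("host_to_10",   "10.22.70.10/32", "10.0.0.0/8",     "redirect-name redir_fw"),
    Entry("host_to_192",  "10.22.70.10/32", "192.168.0.0/16", "redirect-name redir_fw"),
    Entry("host_to_172",  "10.22.70.10/32", "172.16.0.0/12",  "redirect-name redir_fw"),
    Entry("rest_of_site", "10.0.0.0/8",     None,             "permit"),
]

# Same entries with the broad permit placed first: the host is never redirected.
PERMIT_FIRST: List[Entry] = POLICY[-1:] + POLICY[:-1]


def _matches(addr: str, prefix: Optional[str]) -> bool:
    """A missing condition matches anything; otherwise test prefix membership."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def evaluate(policy: List[Entry], src: str, dst: str) -> Optional[str]:
    """Return the action of the first entry whose 'match all' conditions hold.

    None means no entry matched, so the platform's implicit default applies.
    """
    for entry in policy:
        if _matches(src, entry.source) and _matches(dst, entry.destination):
            return entry.action
    return None


if __name__ == "__main__":
    # Constructed sample flows from the host in the question and from a neighbour.
    for src, dst in [("10.22.70.10", "10.1.2.3"), ("10.22.70.10", "172.20.0.5"),
                     ("10.22.70.10", "8.8.8.8"), ("10.22.70.99", "192.168.1.1")]:
        print(f"{src} -> {dst}: ordered={evaluate(POLICY, src, dst)} "
              f"permit_first={evaluate(PERMIT_FIRST, src, dst)}")
```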
