Layer 2 Policy-Based Redirect

This feature lets packets that match an ACL override the normal forwarding decision and be Layer 2 switched to a specified physical port. It is implemented with an additional packet ACL lookup. It is similar to the Layer 3 Policy-Based Redirect feature, but differs in that the packet is not rewritten for Layer 3 routing toward a new IP redirect next hop. Instead, the packet keeps the format produced by the normal forwarding decision: when the packet is Layer 2-switched, it egresses the redirect port unmodified; when the packet is Layer 3-switched, it egresses with the Layer 3 modifications for the next hop found by the normal Layer 3 forwarding lookups.

The following ACL actions are added in support of this feature:

redirect-port port;
redirect-port-list port-list;

Note

The redirect-port and redirect-port-list actions do not work for Layer 3-switched packets that match the ACL if the distributed IP ARP feature is turned on.

You must specify the port argument in the format that matches the switch platform. On a SummitStack or modular switch, this argument must be in the format slot:port; on a standalone switch, it must be in the format port.

The port-list argument is simply a comma-separated list of port arguments. White space between port arguments is not allowed.

Here are examples of valid port-list syntax:

redirect-port-list 2:1,2:5,5:3;
redirect-port-list 3,24,5;

Here are examples of invalid port-list syntax:

redirect-port-list 2:1 2:5 5:3;
redirect-port-list 2, 4, 5;

The policy shown below redirects TCP traffic with source Layer 4 port 81 and destination Layer 4 port 200 to physical port 3:2.

entry one {
	if {
		protocol tcp;
		source-port 81;
		destination-port 200;
	} then {
		count num_pkts_redirected;
		redirect-port 3:2;
	}
}

The policy shown below redirects any in-profile traffic, as defined by the meter configuration, to physical port 14. The empty if clause matches all traffic, so every packet is metered. The out-of-profile traffic is subject to the action specified in the meter's "out-action" configuration.

entry one {
	if {
	} then {
		meter redirected_traffic;
		count num_pkts_redirected;
		redirect-port 14;
	}
}

The policy shown below redirects all traffic with a source IP address matching 192.168.1.1/24 to physical ports 2:10 and 4:7.

entry one {
	if {
		source-address 192.168.1.1/24;
	} then {
		count num_pkts_redirected;
		redirect-port-list 2:10,4:7;
	}
}

If an incorrect port format is used, or if the port number specified is out of range, check policy reports an error like the following:

X670G2-72x.5 # check policy l2pbr
Error:  Policy l2pbr has syntax errors
Line 7 : 12:3 is not a valid port.
X670G2-72x.6 # check policy l2pbr
Error:  Policy l2pbr has syntax errors
Line 7 : 77 is not a valid port.
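To make the port-argument rules above concrete, here is an added Python checker (example code, not part of EXOS or of this page) that applies them to a redirect-port or redirect-port-list argument before the policy ever reaches the switch: comma-separated tokens, no white space, and either slot:port or a bare port number depending on the platform. The slot and port ranges (MAX_SLOT, MAX_PORT), the slotted flag and the helper names are assumptions made for the example; the switch's own check policy remains the authority.

```python
import re

# Constructed range assumptions for this example (not platform data from the page):
# a platform that uses slot:port accepts slots 1..MAX_SLOT and ports 1..MAX_PORT;
# a platform that uses bare port numbers accepts ports 1..MAX_PORT.
MAX_SLOT = 8
MAX_PORT = 72

_SLOT_PORT = re.compile(r"^([1-9]\d*):([1-9]\d*)$")   # e.g. 2:5
_BARE_PORT = re.compile(r"^([1-9]\d*)$")              # e.g. 24
_ACTION = re.compile(r"^\s*(redirect-port|redirect-port-list)\s+(.*?)\s*;\s*$")


def check_port(token, slotted, max_slot=MAX_SLOT, max_port=MAX_PORT):
    """Validate one port argument for the platform's format.

    slotted=True  -> slot:port form is required (SummitStack or modular chassis)
    slotted=False -> a bare port number is required (standalone switch)
    Returns None when valid, otherwise a message in the shape of the
    switch's "<token> is not a valid port." error.
    """
    if slotted:
        m = _SLOT_PORT.match(token)
        ok = bool(m) and int(m.group(1)) <= max_slot and int(m.group(2)) <= max_port
    else:
        m = _BARE_PORT.match(token)
        ok = bool(m) and int(m.group(1)) <= max_port
    return None if ok else f"{token} is not a valid port."


def check_port_list(arg, slotted, max_slot=MAX_SLOT, max_port=MAX_PORT):
    """Validate a redirect-port-list argument.

    Rules from the page: comma-separated port arguments, no white space,
    every element a valid port for the platform. Returns a list of error
    strings; an empty list means the argument is valid.
    """
    errors = []
    if any(ch.isspace() for ch in arg):
        errors.append("white space between port arguments is not allowed")
    # Split on commas or runs of white space so that every port the user
    # wrote is still checked individually, even in a malformed list.
    tokens = re.split(r"[,\s]+", arg.strip())
    for tok in tokens:
        if tok == "":
            errors.append("empty port argument in port list")
            continue
        err = check_port(tok, slotted, max_slot, max_port)
        if err:
            errors.append(err)
    return errors


def check_redirect_action(line, slotted, max_slot=MAX_SLOT, max_port=MAX_PORT):
    """Check one 'redirect-port X;' or 'redirect-port-list X;' then-clause
    line, as it would appear in a policy file, and return its errors."""
    m = _ACTION.match(line)
    if not m:
        return [f"not a redirect-port action: {line.strip()}"]
    action, arg = m.group(1), m.group(2)
    if action == "redirect-port":
        if "," in arg or any(ch.isspace() for ch in arg):
            return ["redirect-port takes a single port argument"]
        err = check_port(arg, slotted, max_slot, max_port)
        return [err] if err else []
    return check_port_list(arg, slotted, max_slot, max_port)


if __name__ == "__main__":
    # The valid and invalid lists from the page, plus the two out-of-range
    # ports from the check policy output, checked for the matching format.
    for arg, slotted in [("2:1,2:5,5:3", True), ("3,24,5", False),
                         ("2:1 2:5 5:3", True), ("2, 4, 5", False),
                         ("12:3", True), ("77", False)]:
        print(f"{arg!r:16} -> {check_port_list(arg, slotted) or 'OK'}")
```

A malformed list is still split on white space as well as commas so that each port the author typed is reported on its own, rather than the whole string being rejected as one unreadable token.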

When this feature is used on Summit switches, the traffic egressing the redirect-port can be either tagged or untagged depending on the redirect-port VLAN configuration. The following table provides the details.

VLAN Format of Traffic Egressing Redirect-Port

ACL Hardware Type | Redirect-Port Not in Egress VLAN | Redirect-Port Tagged in Egress VLAN | Redirect-Port Untagged in Egress VLAN
------------------|----------------------------------|-------------------------------------|--------------------------------------
Summit Switches   | Dropped                          | VLAN Tagged                         | Untagged

Be aware of the following important implementation notes:
  • Using the “redirect-port” action with a disabled port causes traffic to be dropped.

  • For systems with a- and e- series hardware that has the larger table size, packets with IP options do not match ACLs using the “redirect-port” action. Systems with hardware that has the smaller table size do not have this capability. On these systems, packets with IP options will match ACLs that use the “redirect-port” action, and will be dropped.

  • The redirect-port-list action modifier is targeted at Layer 2 scenarios. This action is not supported in slow-path ACLs. The following list summarizes the behavior of the redirect-port-list action modifier in particular situations.

    • When a Unicast packet matches the applied ACL, the packet is redirected to all ports specified in the redirect port-list as long as these ports are part of the true egress VLAN.

    • When a Broadcast/Multicast packet matches the applied ACL, the packet is redirected only to ports specified in the redirect port-list that are part of the ingress VLAN. Matched multicast packets will get L2 switched.

    • When a LAG port is part of the redirect-port-list, packets matching the applied ACL are load shared between the LAG member ports based on the Layer 2 source and destination MAC addresses.
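Whether redirected traffic actually reaches the target port (for example a monitoring or IDS port) depends on the port's admin state and VLAN membership, as the table and the bullets above describe. The following added Python model (example code, not EXOS code and not from this page) combines those stated rules into one decision: unicast is checked against the true egress VLAN, broadcast/multicast against the ingress VLAN, a disabled port or a port outside that VLAN drops the packet, and a tagged or untagged member determines the egress format. The port inventory, VLAN names, the Port class and the CRC32 stand-in for the LAG hash are assumptions constructed for the example.

```python
import zlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Port:
    """Admin state and VLAN membership of one physical port (constructed model)."""
    name: str
    enabled: bool = True
    tagged_vlans: FrozenSet[str] = frozenset()
    untagged_vlan: Optional[str] = None


def lag_member(lag_members: List[str], src_mac: str, dst_mac: str) -> str:
    """Pick the LAG member that carries a flow. The page says load sharing is
    by Layer 2 source and destination MAC; the CRC32 used here is a constructed
    stand-in for the hardware hash, chosen only so the result is deterministic."""
    h = zlib.crc32((src_mac.lower() + dst_mac.lower()).encode())
    return lag_members[h % len(lag_members)]


def redirect_outcome(packet_kind, redirect_ports, ports, ingress_vlan, egress_vlan,
                     lags=None, src_mac="", dst_mac=""):
    """Model of the redirect rules stated on the page (not EXOS code).

    packet_kind   : "unicast" or "bmcast" (broadcast/multicast)
    redirect_ports: the redirect-port-list (a redirect-port action is a list of one)
    ports         : name -> Port
    ingress_vlan  : VLAN the packet arrived on
    egress_vlan   : the "true" egress VLAN chosen by the normal forwarding lookup
    lags          : optional name -> [member port names] for LAG entries in the list
    Returns name -> "tagged" | "untagged" | "dropped"; for a LAG the key is the
    member port chosen by the MAC hash.
    """
    lags = lags or {}
    # Unicast is checked against the true egress VLAN; broadcast/multicast
    # against the ingress VLAN (the two bullets on redirect-port-list behaviour).
    vlan = egress_vlan if packet_kind == "unicast" else ingress_vlan
    outcome = {}
    for name in redirect_ports:
        if name in lags:
            name = lag_member(lags[name], src_mac, dst_mac)
        p = ports[name]
        if not p.enabled:
            outcome[name] = "dropped"      # disabled port: traffic is dropped
        elif vlan in p.tagged_vlans:
            outcome[name] = "tagged"       # tagged member: egresses VLAN tagged
        elif p.untagged_vlan == vlan:
            outcome[name] = "untagged"     # untagged member: egresses untagged
        else:
            outcome[name] = "dropped"      # not in the VLAN: dropped
    return outcome


# Constructed port inventory for the example.
PORTS = {
    "2:10": Port("2:10", tagged_vlans=frozenset({"v100"}), untagged_vlan="Default"),
    "4:7":  Port("4:7", untagged_vlan="v100"),
    "3:2":  Port("3:2", untagged_vlan="v200"),
    "14":   Port("14", enabled=False, tagged_vlans=frozenset({"v100"})),
    "5:1":  Port("5:1", tagged_vlans=frozenset({"v100", "v200"})),
    "5:2":  Port("5:2", tagged_vlans=frozenset({"v100", "v200"})),
}
LAGS = {"lag1": ["5:1", "5:2"]}


def example_unicast():
    """Unicast hitting 'redirect-port-list 2:10,4:7,3:2,14' with egress VLAN v100."""
    return redirect_outcome("unicast", ["2:10", "4:7", "3:2", "14"], PORTS,
                            ingress_vlan="v200", egress_vlan="v100")


def example_broadcast():
    """Broadcast arriving on v200 with the same port list: only v200 members carry it."""
    return redirect_outcome("bmcast", ["2:10", "4:7", "3:2", "14"], PORTS,
                            ingress_vlan="v200", egress_vlan="v200")


if __name__ == "__main__":
    print(example_unicast())
    print(example_broadcast())
    print(redirect_outcome("unicast", ["lag1"], PORTS, "v100", "v100", LAGS,
                           "00:11:22:33:44:55", "66:77:88:99:aa:bb"))
```

Running the model before deploying a policy shows which entries in a redirect-port-list are silently dead (disabled, or not a member of the VLAN the packet will be checked against), which is exactly the case where a monitoring feed stops without any error from the switch.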