Issue Description
Here is the topology:
The Microtik router is connected to the BRAS GigabitEthernet1/0/3 (GE1/0/3) interface.
The customer has configured a traffic-policy with redirect ip-nexthop for BRAS users on the NE40E:
acl number 6091
description "Expired-User"
rule 5 permit ip source ip-address 10.1.0.0 0.0.3.255
rule 10 permit ip source ip-address 10.1.0.0 0.0.3.255 destination ip-address any
#
traffic classifier expired operator or
if-match acl 6091
#
traffic behavior expired
redirect ip-nexthop 172.18.32.22
#
traffic policy expired
share-mode
classifier expired behavior expired precedence 101
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 172.18.32.21 255.255.255.252
traffic-policy expired outbound
dcn
The customer expects the green-colored traffic in the topology, i.e. the 10.1.0.0/22 segment, to go via the Microtik router, while normal users take the MPLS ring to reach the IGW.
e.g.: 10.1.3.X -> BRAS(172.18.32.21) -> Microtik router(172.18.32.22)
other segments, e.g.: 100.106.X.X -> BRAS -> MPLS network -> IGW
But the traffic-policy did not work: the 10.1.0.0/22 segment also went to the IGW via the MPLS network.
Handling Process
1. Since the users to be redirected are BRAS users, they cannot be matched by IP address; they must be matched by user-group.
2. Since interface GE1/0/3 is the outbound interface toward the Microtik router, the traffic-policy cannot be applied on this interface. The inbound interface is the BRAS port, so the traffic-policy can only be applied globally.
Root Cause
This is a configuration problem. Note that the traffic-policy must match a user-group for BRAS users, and the traffic-policy must be applied on the inbound interface of the flow or globally.
Solution
Create a new user-group named "suspend" for the users to be redirected, then create a new domain to ensure these users can come online normally, then modify the traffic-policy as follows:
acl number 6091
description "Expired-User"
rule 5 permit ip source user-group suspend
rule 10 permit tcp source user-group suspend
rule 15 permit udp source user-group suspend
rule 20 permit icmp source user-group suspend
#
traffic classifier expired operator or
if-match acl 6091
#
traffic behavior expired
redirect ip-nexthop 172.18.32.22
#
traffic policy expired
share-mode
classifier expired behavior expired precedence 101
#
traffic-policy expired inbound
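To make the two lessons of the Handling Process and Solution sections checkable before a change is pushed, here is an added configuration audit script. It is not part of the original case and not a Huawei tool; it parses the '#'-separated config blocks shown above (both the failing and the corrected version are embedded as constructed sample input) and reports the two pitfalls from this case: an ACL referenced by a redirect policy that matches subscribers by source ip-address instead of source user-group, and a redirect policy applied outbound on the interface whose subnet contains the redirect next-hop. The parser only understands the command forms that appear on this page; everything else is skipped.

```python
"""Audit NE40E-style traffic-policy config for the two pitfalls in this case.
Added example, not Huawei code; only the command forms on the page are parsed."""
import ipaddress
import re

# Constructed sample input: the failing config from the Issue Description.
BEFORE = """acl number 6091
 description "Expired-User"
 rule 5 permit ip source ip-address 10.1.0.0 0.0.3.255
 rule 10 permit ip source ip-address 10.1.0.0 0.0.3.255 destination ip-address any
#
traffic classifier expired operator or
 if-match acl 6091
#
traffic behavior expired
 redirect ip-nexthop 172.18.32.22
#
traffic policy expired
 share-mode
 classifier expired behavior expired precedence 101
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 172.18.32.21 255.255.255.252
 traffic-policy expired outbound
 dcn
"""

# Constructed sample input: the corrected config from the Solution section.
AFTER = """acl number 6091
 description "Expired-User"
 rule 5 permit ip source user-group suspend
 rule 10 permit tcp source user-group suspend
 rule 15 permit udp source user-group suspend
 rule 20 permit icmp source user-group suspend
#
traffic classifier expired operator or
 if-match acl 6091
#
traffic behavior expired
 redirect ip-nexthop 172.18.32.22
#
traffic policy expired
 share-mode
 classifier expired behavior expired precedence 101
#
traffic-policy expired inbound
"""


def parse_config(text):
    """Collect ACL rules, classifier->ACL links, behavior next-hops, policy
    classifier/behavior pairs, interface addresses and policy applications.
    A policy application records (policy, direction, interface-or-None);
    None means it was applied in the system view, i.e. globally."""
    cfg = {"acls": {}, "classifiers": {}, "behaviors": {}, "policies": {},
           "interfaces": {}, "applied": []}
    ctx = None  # (kind, name) of the block currently being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":          # block separator ends the current context
            ctx = None
            continue
        w = line.split()
        if w[:2] == ["acl", "number"]:
            ctx = ("acl", w[2]); cfg["acls"][w[2]] = []
        elif w[:2] == ["traffic", "classifier"]:
            ctx = ("cls", w[2]); cfg["classifiers"][w[2]] = []
        elif w[:2] == ["traffic", "behavior"]:
            ctx = ("beh", w[2]); cfg["behaviors"][w[2]] = {}
        elif w[:2] == ["traffic", "policy"]:
            ctx = ("pol", w[2]); cfg["policies"][w[2]] = []
        elif w[0] == "interface":
            ctx = ("if", w[1]); cfg["interfaces"][w[1]] = {}
        elif w[0] == "traffic-policy":   # "traffic-policy NAME inbound|outbound"
            iface = ctx[1] if ctx and ctx[0] == "if" else None
            cfg["applied"].append((w[1], w[2], iface))
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and w[0] == "rule":
            cfg["acls"][ctx[1]].append(line)
        elif ctx[0] == "cls" and w[:2] == ["if-match", "acl"]:
            cfg["classifiers"][ctx[1]].append(w[2])
        elif ctx[0] == "beh" and w[:2] == ["redirect", "ip-nexthop"]:
            cfg["behaviors"][ctx[1]]["nexthop"] = w[2]
        elif ctx[0] == "pol" and w[0] == "classifier":
            cfg["policies"][ctx[1]].append((w[1], w[3]))
        elif ctx[0] == "if" and w[:2] == ["ip", "address"]:
            cfg["interfaces"][ctx[1]]["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    return cfg


def audit_policy(text):
    """Return a list of findings; an empty list means both pitfalls are absent."""
    cfg = parse_config(text)
    findings = []
    for pol, direction, iface in cfg["applied"]:
        for cls, beh in cfg["policies"].get(pol, []):
            # Pitfall 1: BRAS subscribers matched by source ip-address, not user-group.
            for acl in cfg["classifiers"].get(cls, []):
                for rule in cfg["acls"].get(acl, []):
                    m = re.search(r"source (ip-address|user-group)", rule)
                    if m and m.group(1) == "ip-address":
                        findings.append(f"acl {acl}: '{rule}' matches subscribers by "
                                        "source ip-address; use 'source user-group'")
            # Pitfall 2: redirect policy applied outbound on the next-hop-facing interface.
            nh = cfg["behaviors"].get(beh, {}).get("nexthop")
            if nh and direction == "outbound" and iface:
                ip = cfg["interfaces"].get(iface, {}).get("ip")
                if ip and ipaddress.ip_address(nh) in ip.network:
                    findings.append(f"policy {pol} applied outbound on {iface}, which faces "
                                    f"next-hop {nh}; apply it inbound on the subscriber "
                                    "side or globally")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_policy(text) or ["no findings"])
```

Running the script prints three findings for the original config (two ip-address rules in ACL 6091 and the outbound application on GigabitEthernet1/0/3) and none for the corrected one. Because the check keys off the next-hop subnet, it stays quiet for an outbound policy on an unrelated interface, so it only reports the exact mistake this case describes.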