To solve this problem, here is a method for troubleshooting it.
First of all, make sure that the traffic-policy is configured correctly, along with the ACL, and that the traffic-policy is applied on the appropriate interface. Pay particular attention to the direction used in traffic-policy: inbound only affects traffic entering the port, and outbound only affects traffic forwarded out of the interface.
e.g.:
#
acl 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
traffic classifier to_inbound
if-match acl 3001
traffic behavior to_inbound
redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
classifier to_inbound behavior to_inbound
int g0/0/1
traffic-policy to_inbound inbound
#
But if the traffic-policy is applied as:
int g0/0/1
traffic-policy to_inbound outbound
In particular, when the policy is applied outbound but the source and destination IP addresses in the ACL are swapped, this may be valid, like this:
acl 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
traffic classifier to_inbound
if-match acl 3001
traffic behavior to_inbound
redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
classifier to_inbound behavior to_inbound
int g0/0/1
traffic-policy to_inbound outbound
Although these two scenarios may have the same result, they in fact work completely differently.
In the first situation, traffic is inspected before traveling through the device.
In the second scenario, traffic is inspected when it is forwarded out of the device; in some situations, this may happen when the traffic is on its return trip.
NOTE: Some people have pointed out that redirect ip-nexthop wouldn't take effect in the outbound direction. I have noticed this problem, and sorry for the mistake that I made.
Thanks for pointing this out. What I wanted to express is the process of the device processing the traffic, but I chose the wrong example, sorry for that.
After checking the configuration, we should test whether the redirected IP address is reachable.
We can do the test with ping, or by checking whether the device has learned the MAC address of the redirected address.
Then we can inspect the interface configuration, checking whether there is any other command that will influence traffic forwarding.
e.g.: traffic-filter
traffic-filter was added in V200R002C00. When traffic-filter and traffic-policy are both configured on the very same interface, traffic-filter takes effect first.
When traffic matches traffic-filter, the device doesn't check whether it matches traffic-policy.
This problem is quite well hidden.
What's more, when traffic-filter is configured, traffic that doesn't match any rule in traffic-filter is forwarded as usual, which is quite different from an ACL.
If you find any errors in this post, please point them out; it's a pleasure to see you sharing your thoughts~
This post was last edited by cWX611640 at 2018-10-26 04:15.
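The checks described in the post can be run against a saved configuration. The following is an added example, not code from the post or from Huawei: it flags a redirect ip-nexthop policy applied outbound and a traffic-filter sharing an interface with a traffic-policy. It assumes indented `display current-configuration` style text; the sample config, the traffic-filter line and ACL 3002 are constructed for illustration.

```python
import re

# Constructed sample (indented running-config form); traffic-filter line and ACL 3002 are assumptions.
SAMPLE = """\
traffic behavior to_inbound
 redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
 classifier to_inbound behavior to_inbound
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3002
 traffic-policy to_inbound inbound
interface GigabitEthernet0/0/2
 traffic-policy to_inbound outbound
"""

def sections(text):
    """Group indented lines under the unindented header line above them."""
    out = []
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if not line.startswith(" "):
            out.append((line.split(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def lint(text):
    """Return (interface, issue) pairs for the two pitfalls the post describes."""
    secs = sections(text)
    # Behaviors that redirect, then the policies that bind one of them.
    redir_beh = {h[2] for h, body in secs if h[:2] == ["traffic", "behavior"]
                 and any(l.startswith("redirect ip-nexthop") for l in body)}
    redir_pol = {h[2] for h, body in secs if h[:2] == ["traffic", "policy"]
                 and any(b in redir_beh for l in body
                         for b in re.findall(r"\bbehavior (\S+)", l))}
    findings = []
    for h, body in secs:
        if h[0] not in ("interface", "int"):
            continue
        has_filter = any(l.startswith("traffic-filter ") for l in body)
        for l in body:
            m = re.match(r"traffic-policy (\S+) (inbound|outbound)\b", l)
            if m and m.group(1) in redir_pol and m.group(2) == "outbound":
                findings.append((h[-1], "redirect ip-nexthop applied outbound"))
            if m and has_filter:
                findings.append((h[-1], "traffic-filter is checked before traffic-policy"))
    return findings
```

Calling `lint(SAMPLE)` reports GigabitEthernet0/0/1 for the traffic-filter precedence and GigabitEthernet0/0/2 for the outbound redirect.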