1 Issue Description: The traffic policy redirect action on an S9700 switch does not take effect.
(1) In order to collect statistics on the traffic from the access network, the traffic policy “wifi-combined” was configured on the internal logical Eth-Trunk interfaces.
A. The configuration for collecting statistics on traffic from the access network:
#
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255
rule 15 permit ip source 192.200.2.0 0.0.0.255
……
#
traffic classifier port operator or precedence 50
if-match acl 3001
#
traffic behavior port
permit
statistic enable
#
traffic policy wifi-combined match-order auto
classifier port behavior port
#
B. Apply the traffic policy to every internal logical Eth-Trunk:
#
interface Eth-Trunk104
port link-type trunk
port trunk allow-pass vlan 892
traffic-policy wifi-combined inbound
#
(2) Configure the redirect traffic policy on the VLAN.
A. Configure the redirection traffic policy:
#
acl name match-guest-traffic 3901
rule 10 permit ip source 192.168.1.0 0.0.0.255
#
traffic classifier match-pfsense-traffic operator or
if-match acl match-guest-traffic
#
traffic behavior punt-pfsense-traffic
redirect ip-nexthop 100.0.0.1
statistic enable
#
traffic policy punt-pfsense-traffic
classifier match-pfsense-traffic behavior punt-pfsense-traffic
#
B. Configure the traffic policy on the access VLAN:
#
vlan 892
traffic-policy punt-pfsense-traffic inbound
#
(3) Because a traffic policy applied to a port has a higher priority than one applied to a VLAN, and the actions configured on the port and on the VLAN conflict, the action on the VLAN does not take effect.
(4) Delete the policy on the VLAN. Add a new classifier-and-behavior pair to the traffic policy “wifi-combined”, giving the new pair a higher priority than the original pair. Redirection then works normally.
#
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255
rule 15 permit ip source 192.200.2.0 0.0.0.255
……
#
acl name match-guest-traffic 3901
rule 10 permit ip source 192.168.1.0 0.0.0.255
#
traffic classifier port operator or precedence 50
if-match acl 3001
#
traffic classifier redirect operator or precedence 20 // give the redirect classifier a higher priority than the other classifiers (the smaller the precedence value, the higher the classifier priority)
if-match acl match-guest-traffic
#
traffic behavior port
permit
statistic enable
#
traffic behavior punt-pfsense-traffic
permit
redirect ip-nexthop 100.0.0.1
statistic enable
#
traffic policy wifi-combined match-order auto
classifier redirect behavior punt-pfsense-traffic // new classifier and behavior pair, matched first
classifier port behavior port // original access control, matched second
#
2 Root Cause:
The permit action in the traffic behavior of policy “wifi-combined” conflicts with the redirect action in the traffic behavior of policy “punt-pfsense-traffic”. Because the policy applied to the port has a higher priority than the policy applied to the VLAN, the redirection action on the VLAN does not take effect.
3 Solution:
Add a new classifier-and-behavior pair to the traffic policy “wifi-combined”, with a higher priority (smaller precedence value) than the original pair, so that the redirect is applied by the port policy itself.
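The precedence rules described in the root cause and solution, worked through as an added example (not part of the original case or of any Huawei software): the port policy is evaluated before the VLAN policy, and within a policy the matching classifier with the smallest precedence value wins. The ACLs, behaviors and policies are a constructed model of the configuration above; the precedence value 100 for the VLAN classifier is an assumed placeholder, since the page gives none.

```python
import ipaddress

# Constructed model of the configuration shown in this case (example code, not Huawei CLI).
ACLS = {
    "3001": ["192.168.1.0/24", "192.200.2.0/24"],  # acl number 3001 (the elided rules are omitted)
    "match-guest-traffic": ["192.168.1.0/24"],     # acl name match-guest-traffic 3901
}
BEHAVIORS = {
    "port": {"permit": True, "statistic": True},
    "punt-pfsense-traffic": {"permit": True, "redirect": "100.0.0.1", "statistic": True},
}
# A policy is a list of (classifier, acl, precedence, behavior); a smaller precedence wins.
# The VLAN classifier has no explicit precedence on the page; 100 is an assumed placeholder.
PORT_POLICY_BEFORE = [("port", "3001", 50, "port")]
VLAN_POLICY_BEFORE = [("match-pfsense-traffic", "match-guest-traffic", 100, "punt-pfsense-traffic")]
PORT_POLICY_AFTER = [
    ("redirect", "match-guest-traffic", 20, "punt-pfsense-traffic"),
    ("port", "3001", 50, "port"),
]
VLAN_POLICY_AFTER = []  # the VLAN policy was deleted in step (4)


def acl_matches(acl, src):
    """True if the source address hits a permit rule of the named ACL."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in ACLS[acl])


def select_behavior(policy, src):
    """Within one policy, the matching classifier with the lowest precedence value wins."""
    hits = [(prec, beh) for _, acl, prec, beh in policy if acl_matches(acl, src)]
    return min(hits)[1] if hits else None


def effective_behavior(port_policy, vlan_policy, src):
    """The port (Eth-Trunk) policy takes precedence over the VLAN policy, as the case
    describes: if the port policy matches, its behavior applies and the VLAN policy's
    conflicting action is ignored."""
    return select_behavior(port_policy, src) or select_behavior(vlan_policy, src)


def redirect_nexthop(port_policy, vlan_policy, src):
    """Next hop the traffic is redirected to, or None if it is only permitted."""
    beh = effective_behavior(port_policy, vlan_policy, src)
    return BEHAVIORS[beh].get("redirect") if beh else None


if __name__ == "__main__":
    for label, pp, vp in (("before", PORT_POLICY_BEFORE, VLAN_POLICY_BEFORE),
                          ("after", PORT_POLICY_AFTER, VLAN_POLICY_AFTER)):
        print(label, "192.168.1.10 ->", redirect_nexthop(pp, vp, "192.168.1.10"))
```

Before the fix the guest host is matched by the port policy's permit behavior and never reaches the VLAN policy; after the fix the redirect classifier in “wifi-combined” wins on precedence and the next hop 100.0.0.1 is applied.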