S9700 switch traffic policy redirect action does not work

1 Issue Description: S9700 switch traffic policy redirect action does not work.

(1)In order to statistic the traffic from the access network, configured the traffic policy “wifi-combined” on the inside logic eth-trunk.
A. The configuration to statistic the traffic from the access network:
#
acl number 3001                                                                
 rule 10 permit ip source 192.168.1.0 0.0.0.255
 rule 15 permit ip source 192.200.2.0 0.0.0.255
 ……                                                                     
#                       
traffic classifier port operator or precedence 50                              
 if-match acl 3001        
#  
traffic behavior port                                                          
 permit                                                                        
 statistic enable     
#                                                                                                                                 
traffic policy wifi-combined match-order auto                               
 classifier port behavior port
#      

B. Configure the traffic policy on every inside logic eth-trunk
#
interface Eth-Trunk104
 port link-type trunk
 port trunk allow-pass vlan 892
 traffic-policy wifi-combined inbound
#

(2)Configurethe redirect traffic policy on the vlan
A. Configure the redirection traffic policy:
#
acl name match-guest-traffic 3901 
 rule 10 permit ip source 192.168.1.0 0.0.0.255
#
traffic classifier match-pfsense-traffic operator or
 if-match acl match-guest-traffic
#
traffic behavior punt-pfsense-traffic
 redirect ip-nexthop 100.0.0.1
 statistic enable
#
traffic policy punt-pfsense-traffic
 classifier match-pfsense-traffic behavior punt-pfsense-traffic
#

B. Configure the traffic policy on the access VLAN:
#
vlan 892
 traffic-policy punt-pfsense-traffic inbound
#

(3)Since the priority on the port is higher than on the VLAN and configured the conflicted action on the port and on the VLAN, the action on the VLAN will not take effect.

(4)Delete the policy on the vlan. Add new configuration classifier and behavior pair in traffic policy “wifi-combined” and the new pair priority must be higher than the original. It works normally.

#
acl number 3001                                                                
 rule 10 permit ip source 192.168.1.0 0.0.0.255
 rule 15 permit ip source 192.200.2.0 0.0.0.255
 ……                                                                            
#
acl match-guest-traffic 3901 
 rule 10 permit ip source 192.168.1.0 0.0.0.255
#
traffic classifier port operator or precedence 50
 if-match acl 3001
#
traffic classifier redirect operator or precedence 20           // let Redirect classifier priority higher than other classifier priority (the smaller the value , the higher the classifier priority)
 if-match acl match-guest-traffic
#
traffic behavior port
 permit
 statistic enable
#
traffic behavior punt-pfsense-traffic
 permit
 redirect ip-nexthop 100.0.0.1
 statistic enable
#
traffic policy wifi-combined match-order auto
 classifier redirect behavior punt-pfsense-traffic  // add new classifier and behavior pair
 classifier port behavior port        // Original access control     
#

2 Root Cause:
Since the traffic behavior permit on the traffic policy “wifi-combined” conflicted with the traffic behavior redirect on the traffic policy “punt-pfsense-traffic”, and the priority on the port is higher than on the VLAN, the redirection action on the VLAN will not take effect.

3 Solution:
Add new configuration classifier and behavior pair in traffic policy “wifi-combined” and the new pair priority must be higher than the original.