The traffic-redirect acl command configures ACL-based packet redirection.
The undo traffic-redirect acl command deletes the ACL configured for packet redirection.
By default, ACL-based packet redirection is not configured.
This command is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.
traffic-redirect inbound acl { acl-number | name acl-name } [ vpn-instance vpn-instance-name ] ip-nexthop nexthop-address
traffic-redirect inbound acl { acl-number | name acl-name } vpn-instance vpn-instance-name
undo traffic-redirect inbound acl { acl-number | name acl-name }
Only S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the traffic-redirect inbound acl { acl-number | name acl-name } vpn-instance vpn-instance-name command.
Parameter | Description | Value |
---|---|---|
inbound | Configures packet redirection in the inbound direction of the interface. | - |
acl acl-number | Specifies the ID of the ACL configured for packet redirection. | The value is an integer that ranges from 6000 to 9999. |
name acl-name | Filters packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing user ACL. |
vpn-instance vpn-instance-name | Redirects packets to a VPN instance. | The value must be the name of an existing VPN instance. |
ip-nexthop nexthop-address | Redirects packets to a next-hop IPv4 address. | The value is in dotted decimal notation. |
Usage Scenario
In NAC network deployment, you can run the ucl-group command to classify users and configure user ACL rules numbered from 6000 to 9999. You can then implement intra-group isolation (users in a group cannot communicate with each other) and inter-group isolation (users in the user group cannot communicate with users in other user groups), and control network access rights based on the UCL group.
After configuring ACL rules 6000 to 9999, you can run the traffic-redirect acl command to configure ACL-based packet redirection. The ACL rules can then take effect for the users in the UCL group.
Precautions
If the destination address information about the packets to be filtered based on a user ACL rule contains a UCL group, the ACL rule takes effect only for S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S.
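The following Python linter is an added example, not part of the vendor documentation. It checks traffic-redirect lines from a saved configuration against the format, value range, and model support lists given above. The function names, the sample ACL and VPN instance names, and the addresses are constructed for illustration; whether the named ACL or VPN instance exists on the device is not checked.

```python
import ipaddress
import re

# Model lists copied from this page's support statements.
VPN_ONLY_OK = {"S5720-HI", "S5730-HI", "S5731-H", "S5731-S", "S5731S-H", "S5731S-S",
               "S5732-H", "S6720-HI", "S6730-H", "S6730S-H", "S6730-S", "S6730S-S"}
SUPPORTED = VPN_ONLY_OK | {"S5720-EI", "S6720-EI", "S6720S-EI"}

# traffic-redirect inbound acl { acl-number | name acl-name }
#     [ vpn-instance vpn-instance-name ] [ ip-nexthop nexthop-address ]
CMD = re.compile(
    r"^traffic-redirect inbound acl (?:(?P<num>\d+)|name (?P<name>\S+))"
    r"(?: vpn-instance (?P<vpn>\S+))?(?: ip-nexthop (?P<hop>\S+))?$")

def lint(line, model):
    """Return the problems found in one traffic-redirect line for a given model."""
    m = CMD.match(" ".join(line.split()))
    if not m:
        return ["not a valid traffic-redirect inbound acl command"]
    problems = []
    if model not in SUPPORTED:
        problems.append(f"{model} is not listed as supporting this command")
    if m["num"] and not 6000 <= int(m["num"]) <= 9999:
        problems.append(f"ACL {m['num']} is outside the user ACL range 6000-9999")
    if m["hop"]:
        try:
            ipaddress.IPv4Address(m["hop"])
        except ValueError:
            problems.append(f"next hop {m['hop']} is not a dotted decimal IPv4 address")
    elif not m["vpn"]:
        problems.append("no redirect target: need ip-nexthop or vpn-instance")
    elif model in SUPPORTED - VPN_ONLY_OK:
        problems.append(f"{model} does not support the vpn-instance-only form")
    return problems

def audit(config, model):
    """Lint every traffic-redirect line in a saved configuration; return {line: problems}."""
    lines = [l.strip() for l in config.splitlines()]
    results = {l: lint(l, model) for l in lines if l.startswith("traffic-redirect")}
    return {l: p for l, p in results.items() if p}

# Constructed sample configuration (ACL names, VPN names and addresses are made up).
SAMPLE = """
traffic-redirect inbound acl 6000 ip-nexthop 10.1.1.1
traffic-redirect inbound acl 3000 ip-nexthop 10.1.1.1
traffic-redirect inbound acl name guest-acl vpn-instance vpn1
traffic-redirect inbound acl 6001 vpn-instance vpn1 ip-nexthop 10.1.1.300
"""

if __name__ == "__main__":
    for line, problems in audit(SAMPLE, "S6720-EI").items():
        print(line, "->", "; ".join(problems))
```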