Denied Macs

The following scenarios show how to configure the hardware switch so that it either drops all packets from a given MAC address (a denied list applied switch-wide) or, at port level, accepts packets only from the configured MAC addresses (an allowed list on a single bridge port).

[Figure: test topology diagram]

Test Switch Denied List

Description

In this scenario, the hardware switch is configured to deny all traffic from DUT2’s eth2 MAC address (DE:AD:BE:EF:6C:22); the filter targets that one MAC address, not DUT2 as a whole.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces br0
set interfaces eth1 bridge-group bridge br0
set interfaces eth0p0 bridge-group bridge br0
set interfaces eth0p1 bridge-group bridge br0
set interfaces br0 hardware-offload eth0

Step 2: Set the following configuration in DUT1:

set interfaces eth0 address 192.168.1.2/24

Step 3: Set the following configuration in DUT2:

set system vrf LAN_PORT0
set system vrf LAN_PORT1
set interfaces eth2 address 192.168.1.3/24
set interfaces eth2 vrf LAN_PORT0
set interfaces eth3 address 192.168.1.4/24
set interfaces eth3 vrf LAN_PORT1

Step 4: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=400 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 399.628/399.628/399.628/0.000 ms

Step 5: Ping IP address 192.168.1.3 from DUT1:

admin@DUT1$ ping 192.168.1.3 count 1 size 56 timeout 1
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=1.01 ms

--- 192.168.1.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.009/1.009/1.009/0.000 ms

Step 6: Ping IP address 192.168.1.4 from DUT1:

admin@DUT1$ ping 192.168.1.4 count 1 size 56 timeout 1
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=1.12 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.121/1.121/1.121/0.000 ms

Step 7: Set the following configuration in DUT0:

set interfaces br0 hardware-offload eth0 denied-macs DE:AD:BE:EF:6C:22

Step 8: Expect a failure in the following command: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 9: Expect a failure in the following command: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Test Switch Allowed List

Description

In this scenario, the bridge port eth0p0, which is connected to DUT2, is configured to allow traffic only from DUT2’s eth2 MAC address (DE:AD:BE:EF:6C:22). The allowed MAC address is then changed to a different one, which denies all traffic entering through that port.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces br0
set interfaces eth1 bridge-group bridge br0
set interfaces eth0p0 bridge-group bridge br0
set interfaces eth0p1 bridge-group bridge br0
set interfaces br0 hardware-offload eth0

Step 2: Set the following configuration in DUT1:

set interfaces eth0 address 192.168.1.2/24

Step 3: Set the following configuration in DUT2:

set system vrf LAN_PORT0
set system vrf LAN_PORT1
set interfaces eth2 address 192.168.1.3/24
set interfaces eth2 vrf LAN_PORT0
set interfaces eth3 address 192.168.1.4/24
set interfaces eth3 vrf LAN_PORT1

Step 4: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.435 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.435/0.435/0.435/0.000 ms

Step 5: Ping IP address 192.168.1.3 from DUT1:

admin@DUT1$ ping 192.168.1.3 count 1 size 56 timeout 1
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=1.29 ms

--- 192.168.1.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.291/1.291/1.291/0.000 ms

Step 6: Ping IP address 192.168.1.4 from DUT1:

admin@DUT1$ ping 192.168.1.4 count 1 size 56 timeout 1
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=1.09 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.091/1.091/1.091/0.000 ms

Step 7: Set the following configuration in DUT0:

set interfaces eth0p0 bridge-group allowed-macs DE:AD:BE:EF:6C:22

Step 8: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.450 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.450/0.450/0.450/0.000 ms

Step 9: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.793 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.793/0.793/0.793/0.000 ms

Step 10: Set the following configuration in DUT0:

del interfaces eth0p0 bridge-group allowed-macs
set interfaces eth0p0 bridge-group allowed-macs DE:AD:BE:EF:6C:23

Step 11: Expect a failure in the following command: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 12: Expect a failure in the following command: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than LAN_PORT0.
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
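The two scenarios above exercise two different ingress filters: a switch-wide denied list (set under hardware-offload eth0 in the first scenario) and a per-port allowed list (set on bridge port eth0p0 in the second). The following Python model, added here as an illustration and not the router's own code or datapath, replays both scenarios against constructed frames so the expected verdicts can be checked offline. It assumes that the denied list is evaluated before any allowed list, that a port with no allowed list accepts every source MAC, and that the denied list applies on every switch port; the second DUT2 MAC address (02:00:00:00:00:33) is a constructed placeholder, since the page gives only the eth2 address.

```python
"""Model of the switch-wide denied list and per-port allowed list filters.

Added illustration only: it is not the router's implementation and only
mirrors the behaviour the test scenarios above describe.
"""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so the upper-case address typed in the
    configuration (DE:AD:BE:EF:6C:22) compares equal to the lower-case form
    Linux tools print, and to dashed or Cisco-style dotted notation."""
    digits = mac.replace("-", ":").replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SwitchFilter:
    denied_macs: set = field(default_factory=set)     # switch-wide denied list
    allowed_macs: dict = field(default_factory=dict)  # port name -> allowed set

    def deny(self, mac: str) -> None:
        """'set interfaces br0 hardware-offload eth0 denied-macs <mac>'."""
        self.denied_macs.add(normalize_mac(mac))

    def set_allowed(self, port: str, macs) -> None:
        """'set interfaces <port> bridge-group allowed-macs <mac>' (replaces
        the whole list, as the 'del' followed by 'set' in step 10 does)."""
        self.allowed_macs[port] = {normalize_mac(m) for m in macs}

    def clear_allowed(self, port: str) -> None:
        """'del interfaces <port> bridge-group allowed-macs'."""
        self.allowed_macs.pop(port, None)

    def ingress(self, port: str, src_mac: str):
        """Verdict for a frame with source src_mac entering on port.

        Assumption: the denied list is checked first and on every port; the
        allowed list only applies to ports that have one configured, and an
        absent list means 'accept everything'."""
        src = normalize_mac(src_mac)
        if src in self.denied_macs:
            return ("drop", "denied-macs")
        allowed = self.allowed_macs.get(port)
        if allowed is not None and src not in allowed:
            return ("drop", f"not in allowed-macs of {port}")
        return ("forward", "ok")


DUT2_ETH2 = "DE:AD:BE:EF:6C:22"   # from the page
DUT2_ETH3 = "02:00:00:00:00:33"   # constructed placeholder, not on the page


def run_denied_list_scenario() -> dict:
    """Replays 'Test Switch Denied List': steps 4-6 pass, steps 8-9 fail."""
    sw = SwitchFilter()
    before = sw.ingress("eth0p0", DUT2_ETH2)[0]          # steps 4-6: no filter
    sw.deny(DUT2_ETH2)                                    # step 7
    after_p0 = sw.ingress("eth0p0", DUT2_ETH2)[0]        # steps 8-9: dropped
    after_p1 = sw.ingress("eth0p1", DUT2_ETH2)[0]        # switch-wide: any port
    other_host = sw.ingress("eth0p1", DUT2_ETH3)[0]      # other MACs unaffected
    return {"before": before, "after_p0": after_p0,
            "after_p1": after_p1, "other_host": other_host}


def run_allowed_list_scenario() -> dict:
    """Replays 'Test Switch Allowed List': steps 8-9 pass, steps 11-12 fail."""
    sw = SwitchFilter()
    sw.set_allowed("eth0p0", [DUT2_ETH2])                 # step 7
    match = sw.ingress("eth0p0", DUT2_ETH2)[0]           # steps 8-9: forwarded
    sw.clear_allowed("eth0p0")                            # step 10: del ...
    sw.set_allowed("eth0p0", ["DE:AD:BE:EF:6C:23"])       # step 10: set ... :23
    mismatch = sw.ingress("eth0p0", DUT2_ETH2)[0]        # steps 11-12: dropped
    unfiltered_port = sw.ingress("eth0p1", DUT2_ETH2)[0]  # eth0p1 has no list
    return {"match": match, "mismatch": mismatch,
            "unfiltered_port": unfiltered_port}


if __name__ == "__main__":
    print("denied list :", run_denied_list_scenario())
    print("allowed list:", run_allowed_list_scenario())
```

The normalisation step matters in practice: a denied or allowed entry that is compared byte-for-byte against a differently cased or differently delimited address silently fails to match, which for a denied list means the filter is not applied at all. The per-port verdicts returned by `ingress` are also the values to compare against the ping results in steps 8-12 when turning this scenario into an automated regression check.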