Policy
The following scenarios show how to configure different
traffic policies. Policies can be used to manage and
classify network packets. traffic selectors can be
configured to filter packets based on certain fields.
Test Policy Actions
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different traffic actions are
configured to accept, drop or limit incoming traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set traffic policy POLICY rule 1 action accept
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.611 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.611/0.611/0.611/0.000 ms
Step 4: Set the following configuration in DUT0:
del traffic policy POLICY set traffic policy POLICY rule 1 action drop
Step 5: Expect a failure in the following command:
Initiate a udp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 udp admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp
Step 6: Set the following configuration in DUT0:
del traffic policy POLICY set traffic policy POLICY rule 1 action rate-limit 10
Step 7: Initiate a bandwidth test from DUT1 to DUT0
admin@DUT0$ monitor test performance server port 5001 admin@DUT1$ monitor test performance client 10.0.0.1 duration 5 port 5001Expect this output in
DUT1:Connecting to host 10.0.0.1, port 5001 [ 5] local 10.0.0.2 port 42800 connected to 10.0.0.1 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 3.04 MBytes 25.5 Mbits/sec 181 19.8 KBytes [ 5] 1.00-2.00 sec 1.24 MBytes 10.4 Mbits/sec 140 33.9 KBytes [ 5] 2.00-3.00 sec 827 KBytes 6.78 Mbits/sec 147 15.6 KBytes [ 5] 3.00-4.00 sec 1.24 MBytes 10.4 Mbits/sec 132 17.0 KBytes [ 5] 4.00-5.00 sec 1.18 MBytes 9.91 Mbits/sec 132 31.1 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-5.00 sec 7.51 MBytes 12.6 Mbits/sec 732 sender [ 5] 0.00-5.00 sec 6.94 MBytes 11.6 Mbits/sec receiver iperf Done.
Note
Previous test should show a very low bandwidth rate.
Test Policy Copy
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different copy actions are
configured to store the ToS value in the conntrack mark
and extra conntrack mark fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set traffic policy POLICY rule 1 copy tos connmark
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.437 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.332 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=2.60 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.328 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.296 ms --- 10.0.0.1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 73ms rtt min/avg/max/mdev = 0.296/0.798/2.601/0.903 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=12Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=233 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=233 packets=5 bytes=420 mark=12 use=1 conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
Step 5: Set the following configuration in DUT0:
del traffic policy POLICY set traffic policy POLICY rule 1 copy tos extra-connmark 1
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.334 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.357 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.367 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.418 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.280 ms --- 10.0.0.1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 15ms rtt min/avg/max/mdev = 0.280/0.351/0.418/0.046 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
emark1=12Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=234 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=234 packets=5 bytes=420 mark=0 emark1=12 use=1 conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
Test Policy Set
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different set actions are
configured to change the conntrack mark, the app-id and the
VRF.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set traffic policy POLICY rule 1 set connmark 15
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.536 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.291 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.280 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.276 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.403 ms --- 10.0.0.1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 66ms rtt min/avg/max/mdev = 0.276/0.357/0.536/0.101 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=15Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=235 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=235 packets=5 bytes=420 mark=15 use=1 conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
Step 5: Set the following configuration in DUT0:
del traffic policy POLICY set traffic policy POLICY rule 1 set app-id custom 80
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.340 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.305 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.405 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.339 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.497 ms --- 10.0.0.1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 54ms rtt min/avg/max/mdev = 0.305/0.377/0.497/0.069 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
appdetect[U:80]Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=236 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=236 packets=5 bytes=420 mark=0 use=1 appdetect[U:80] conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
Step 8: Set the following configuration in DUT0:
del traffic policy POLICY set traffic policy POLICY rule 1 set vrf RED set system vrf RED set interfaces ethernet eth0 vrf RED
Step 9: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.530 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.334 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.310 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.311 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.360 ms --- 10.0.0.1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 81ms rtt min/avg/max/mdev = 0.310/0.369/0.530/0.082 ms
Step 10: Run command system conntrack show at DUT0 and check if output contains the following tokens:
vrf=REDShow output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=237 vrf=RED packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=237 vrf=RED packets=5 bytes=420 mark=0 use=1 conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
Test Policy Log
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). The log option is configured to
show system messages that help debug and analyze the
network status.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set traffic policy POLICY rule 1 log prefix "DEBUG-" set traffic policy POLICY rule 1 log level err
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.682 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms
Step 4: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[DEBUG--1] ACCEPT IN=eth0Show output
Dec 02 18:35:43.745500 osdx OSDxCLI[3734]: User 'admin' entered the configuration menu. Dec 02 18:35:43.953593 osdx OSDxCLI[3734]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.0.0.1/24'. Dec 02 18:35:44.074844 osdx OSDxCLI[3734]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 traffic policy in POLICY'. Dec 02 18:35:44.210168 osdx OSDxCLI[3734]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 log prefix "DEBUG-"'. Dec 02 18:35:44.351193 osdx OSDxCLI[3734]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 log level err'. Dec 02 18:35:44.559656 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Dec 02 18:35:44.780954 osdx cfgd[1120]: [3734]Completed change to active configuration Dec 02 18:35:44.785083 osdx OSDxCLI[3734]: User 'admin' committed the configuration. Dec 02 18:35:44.844980 osdx OSDxCLI[3734]: User 'admin' left the configuration menu. Dec 02 18:35:45.728574 osdx kernel: [DEBUG--1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=33432 DF PROTO=ICMP TYPE=8 CODE=0 ID=238 SEQ=1