Local Out Policy

The following scenario shows how to configure a global traffic policy. This policy is not linked to a specific interface, so it is evaluated against every locally generated packet.

Test System Traffic Local-Out

Description

A traffic policy is configured in DUT0 to drop all outgoing locally-generated traffic with packet length larger than 128 bytes.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set system traffic policy local-out P1
set traffic selector BIG_PKT rule 1 length min 128
set traffic policy P1 rule 1 selector BIG_PKT
set traffic policy P1 rule 1 action drop

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.440 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.440/0.440/0.440/0.000 ms

Step 4: Ping IP address 10.0.0.1 from DUT1 again. This command is expected to fail:

admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1
PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 5: Run command traffic policy show at DUT0 and check that the output matches the following regular expression:

1\s+BIG_PKT\s+[1-9]\d*\s+[1-9]\d*
Policy P1 -- system -- hook local-out prio very-high

---------------------------------------------------------------
rule   selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1      BIG_PKT            4          7          692         928
---------------------------------------------------------------
Total                     4          7          692         928
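
The Step 5 check as an added example (not part of the original test suite): a Python helper that parses the traffic policy show output, confirms that P1 is attached at the local-out hook, and applies the page's regular expression. The function names and the zero-counter sample are constructed for illustration.

```python
import re

# Regular expression from Step 5: rule 1, selector BIG_PKT, and non-zero
# "pkts match" and "pkts eval" counters.
STEP5_RE = re.compile(r"1\s+BIG_PKT\s+[1-9]\d*\s+[1-9]\d*")
# Header line, e.g. "Policy P1 -- system -- hook local-out prio very-high"
HEADER_RE = re.compile(r"^Policy (\S+) -- (\S+) -- hook (\S+) prio (\S+)$", re.M)
# Counter row: rule, selector, pkts match, pkts eval, bytes match, bytes eval
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)

# Output shown on this page for `traffic policy show` at DUT0.
PAGE_OUTPUT = """\
Policy P1 -- system -- hook local-out prio very-high

---------------------------------------------------------------
rule   selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1      BIG_PKT            4          7          692         928
---------------------------------------------------------------
Total                     4          7          692         928
"""

# Constructed sample: the same table when no packet has matched BIG_PKT yet.
ZERO_OUTPUT = PAGE_OUTPUT.replace("4          7          692         928",
                                  "0          3            0         236")


def parse_rules(output):
    """Return one dict per rule row (the Total row is skipped)."""
    keys = ("pkts_match", "pkts_eval", "bytes_match", "bytes_eval")
    return [
        {"rule": int(m.group(1)), "selector": m.group(2),
         **{k: int(v) for k, v in zip(keys, m.groups()[2:])}}
        for m in ROW_RE.finditer(output)
    ]


def local_out_drop_verified(output, policy="P1"):
    """True if `policy` sits on the local-out hook and Step 5's regex matches."""
    hdr = HEADER_RE.search(output)
    if hdr is None or hdr.group(1) != policy or hdr.group(3) != "local-out":
        return False
    return STEP5_RE.search(output) is not None


if __name__ == "__main__":
    print(parse_rules(PAGE_OUTPUT))
    print(local_out_drop_verified(PAGE_OUTPUT), local_out_drop_verified(ZERO_OUTPUT))
```

The page's regular expression is unanchored, so parse_rules is the stricter option when a policy has more than one rule and the counters must be compared per rule.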