Policy

The following scenarios show how to configure different traffic policies. Traffic policies are used to manage and classify network packets, and traffic selectors can be configured to filter packets based on certain header fields. In the scenarios below, rule 1 carries no selector, so it matches every packet entering the interface.

[Figure: ../../../_images/topology8.svg, the test topology: DUT0 eth0 (10.0.0.1/24) connected directly to DUT1 eth0 (10.0.0.2/24)]

Test Policy Actions

Description

In this scenario, an ingress traffic policy is configured on DUT0 (interface 'eth0'). Different traffic actions are configured to accept, drop or rate-limit incoming traffic.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in POLICY
set traffic policy POLICY rule 1 action accept

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.434 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.434/0.434/0.434/0.000 ms

Step 4: Set the following configuration in DUT0:

del traffic policy POLICY
set traffic policy POLICY rule 1 action drop

Step 5: Initiate a UDP connection from DUT1 to DUT0 and try to send some messages between both endpoints. Expect the following commands to fail: rule 1 has no selector, so the drop action discards every packet entering eth0 on DUT0.

admin@DUT0$ monitor test connection server 8080 udp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp

Step 6: Set the following configuration in DUT0:

del traffic policy POLICY
set traffic policy POLICY rule 1 action rate-limit 10

Step 7: Initiate a bandwidth test from DUT1 to DUT0

admin@DUT0$ monitor test performance server port 5001
admin@DUT1$ monitor test performance client 10.0.0.1 duration 5 port 5001
Expect this output on DUT1:
Connecting to host 10.0.0.1, port 5001
[  5] local 10.0.0.2 port 49140 connected to 10.0.0.1 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.11 MBytes  26.1 Mbits/sec  300   15.6 KBytes
[  5]   1.00-2.00   sec   954 KBytes  7.82 Mbits/sec  160   8.48 KBytes
[  5]   2.00-3.00   sec  1.30 MBytes  10.9 Mbits/sec  125   9.90 KBytes
[  5]   3.00-4.00   sec  1.24 MBytes  10.4 Mbits/sec  126   25.5 KBytes
[  5]   4.00-5.00   sec   954 KBytes  7.82 Mbits/sec  129   22.6 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  7.53 MBytes  12.6 Mbits/sec  840             sender
[  5]   0.00-5.00   sec  6.97 MBytes  11.7 Mbits/sec                  receiver

iperf Done.

Note

The previous test should show a very low bandwidth rate. The limit is enforced on packets entering eth0 of DUT0, so the sender (DUT1) also reports a high retransmission count (the Retr column) as TCP backs off.


Test Policy Copy

Description

In this scenario, an ingress traffic policy is configured on DUT0 (interface 'eth0'). Different copy actions are configured to copy the ToS value of incoming packets into the conntrack mark and into an extra conntrack mark field.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in POLICY
set traffic policy POLICY rule 1 copy tos connmark

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 tos 12 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.449 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.449/0.449/0.449/0.000 ms

Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:

mark=12
Show output
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=234 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=234 packets=1 bytes=84 mark=12 use=1
conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.

Step 5: Set the following configuration in DUT0:

del traffic policy POLICY
set traffic policy POLICY rule 1 copy tos extra-connmark 1

Step 6: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 tos 12 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.280 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms

Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:

emark1=12
Show output
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=52252 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=52252 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=40831 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=40831 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=35523 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=35523 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=54730 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=54730 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=46874 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=46874 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=57261 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=57261 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=39732 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=39732 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=37036 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=37036 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=44865 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=44865 packets=0 bytes=0 mark=0 use=1
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=235 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=235 packets=1 bytes=84 mark=0 emark1=12 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=56283 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=56283 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=32955 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=32955 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=38867 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=38867 packets=0 bytes=0 mark=0 use=2
conntrack v1.4.5 (conntrack-tools): 13 flow entries have been shown.

Test Policy Set

Description

In this scenario, an ingress traffic policy is configured on DUT0 (interface 'eth0'). Different set actions are configured to change the conntrack mark, the application identifier (app-id) and the VRF of the matching flow.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in POLICY
set traffic policy POLICY rule 1 set connmark 15

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.846 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.846/0.846/0.846/0.000 ms

Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:

mark=15
Show output
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=236 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=236 packets=1 bytes=84 mark=15 use=1
conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.

Step 5: Set the following configuration in DUT0:

del traffic policy POLICY
set traffic policy POLICY rule 1 set app-id custom 80

Step 6: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.321 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms

Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:

appdetect[U:80]
Show output
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=237 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=237 packets=1 bytes=84 mark=0 use=1 appdetect[U:80]
conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.

Step 8: Set the following configuration in DUT0:

del traffic policy POLICY
set traffic policy POLICY rule 1 set vrf RED
set system vrf RED
set interfaces ethernet eth0 vrf RED

Step 9: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.687 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.687/0.687/0.687/0.000 ms

Step 10: Run command system conntrack show at DUT0 and check if output contains the following tokens:

vrf=RED
Show output
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=238 vrf=RED packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=238 vrf=RED packets=1 bytes=84 mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
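The Copy and Set scenarios above verify the policy by eye, looking for a token such as mark=12, emark1=12, appdetect[U:80] or vrf=RED in the output of system conntrack show. The following Python parser turns that check into something scriptable. It is an added example, not code from the original page or from OSDx: the sample output is constructed from the entries shown above (one loopback DNS flow plus three ICMP flows), and the parser is written against the line format visible on this page (protocol, layer-4 number, timeout, original tuple, reply tuple, then flow-wide fields such as mark, emark1 and use, with appdetect[...] as a trailing token).

```python
import re

# Constructed sample, modelled on the `system conntrack show` output in the
# Copy and Set scenarios above (one loopback DNS flow plus three ICMP flows).
SAMPLE_CONNTRACK = """\
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=52252 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=52252 packets=0 bytes=0 mark=0 use=1
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=235 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=235 packets=1 bytes=84 mark=0 emark1=12 use=1
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=237 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=237 packets=1 bytes=84 mark=0 use=1 appdetect[U:80]
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=238 vrf=RED packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=238 vrf=RED packets=1 bytes=84 mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 4 flow entries have been shown.
"""

# Keys that appear once per direction: first in the original tuple, then in
# the reply tuple. Everything else (mark, emark1, use, ...) is flow-wide.
PER_DIRECTION = {"src", "dst", "sport", "dport", "type", "code", "id",
                 "packets", "bytes", "vrf"}
APPDETECT_RE = re.compile(r"appdetect\[(.+)\]")


def parse_flow(line):
    """Parse one conntrack entry into 'orig'/'reply' tuples, flow-wide
    key=value fields, bracketed flags ([UNREPLIED]) and the appdetect tag."""
    proto, l4proto, timeout, *tokens = line.split()
    flow = {"proto": proto, "l4proto": l4proto, "timeout": timeout,
            "orig": {}, "reply": {}, "flags": [], "appdetect": None}
    side = "orig"
    for tok in tokens:
        m = APPDETECT_RE.fullmatch(tok)
        if m:
            flow["appdetect"] = m.group(1)
            continue
        if tok.startswith("[") and tok.endswith("]"):
            flow["flags"].append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key in PER_DIRECTION:
            # A repeated per-direction key (the second src=) starts the reply tuple.
            if side == "orig" and key in flow["orig"]:
                side = "reply"
            flow[side][key] = value
        else:
            flow[key] = value
    return flow


def parse_conntrack(output):
    """Parse the whole command output, skipping blank lines and the summary."""
    return [parse_flow(line) for line in output.splitlines()
            if line.strip() and not line.startswith("conntrack v")]


def flow_has_token(flow, token):
    """True if a token written the way the scenarios state it ('mark=15',
    'vrf=RED', 'appdetect[U:80]', '[UNREPLIED]') is present in the flow."""
    m = APPDETECT_RE.fullmatch(token)
    if m:
        return flow["appdetect"] == m.group(1)
    if token.startswith("[") and token.endswith("]"):
        return token.strip("[]") in flow["flags"]
    key, _, value = token.partition("=")
    return value in (flow.get(key), flow["orig"].get(key), flow["reply"].get(key))


def find_flows(output, *tokens):
    """Return every flow that carries all of the expected tokens."""
    return [f for f in parse_conntrack(output)
            if all(flow_has_token(f, t) for t in tokens)]


def check_policy_applied(output, src, dst, *tokens):
    """The check the scenarios perform by hand: does the flow originated by
    src towards dst carry the tokens the policy was expected to set?"""
    return any(f["orig"].get("src") == src and f["orig"].get("dst") == dst
               for f in find_flows(output, *tokens))
```

Matching on the flow that DUT1 originated (src=10.0.0.2) rather than on the whole output avoids false positives from unrelated entries such as the loopback DNS flows visible in the Copy scenario, whose mark=0 would otherwise satisfy a loose search.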

Test Policy Log

Description

In this scenario, an ingress traffic policy is configured on DUT0 (interface 'eth0'). The log option is configured so that packets matching the rule produce kernel log messages, which help debug and analyze the traffic reaching the interface. Since rule 1 has no selector, every packet entering eth0 is logged; on a production link, restrict the rule with a selector or it will flood the system journal.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in POLICY
set traffic policy POLICY rule 1 log prefix "DEBUG-"
set traffic policy POLICY rule 1 log level err

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.563 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.563/0.563/0.563/0.000 ms

Step 4: Run command system journal show | tail at DUT0 and check if output contains the following tokens:

[DEBUG--1]IN=eth0
Show output
Apr 03 22:18:49.088270 osdx OSDxCLI[4187]: User 'admin' entered the configuration menu.
Apr 03 22:18:49.232839 osdx OSDxCLI[4187]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.0.0.1/24'.
Apr 03 22:18:49.359187 osdx OSDxCLI[4187]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 traffic policy in POLICY'.
Apr 03 22:18:49.498630 osdx OSDxCLI[4187]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 log prefix "DEBUG-"'.
Apr 03 22:18:49.614006 osdx OSDxCLI[4187]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 log level err'.
Apr 03 22:18:49.775647 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 03 22:18:49.860412 osdx cfgd[1091]: [4187]Completed change to active configuration
Apr 03 22:18:49.872109 osdx OSDxCLI[4187]: User 'admin' committed the configuration.
Apr 03 22:18:49.902143 osdx OSDxCLI[4187]: User 'admin' left the configuration menu.
Apr 03 22:18:50.683844 osdx kernel: [DEBUG--1]IN=eth0 OUT= MAC=de:ad:be:ef:6c:10:de:ad:be:ef:6c:20:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35867 DF PROTO=ICMP TYPE=8 CODE=0 ID=239 SEQ=1
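The kernel line at the end of the journal above is the one worth machine-parsing: it carries the ingress interface, the raw Ethernet header, the IP header fields and the transport fields of the logged packet. The following Python parser, an added example that is not part of the original page or of OSDx, extracts those fields from journal text and summarizes which sources hit the rule. The sample journal is constructed: it repeats the ICMP line shown above, adds a non-packet line that the parser must skip, and adds a made-up UDP line (not captured from a real device) to show how the second LEN= and the SPT=/DPT= fields are handled. Two details are worth stating. The MAC= field is the Linux netfilter log dump of the Ethernet header, destination MAC, then source MAC, then ethertype, which is why the parser splits it into three parts. The prefix [DEBUG--1] is read as the configured prefix "DEBUG-" followed by "-1" for rule 1; that is an assumption based on the single sample on this page.

```python
import re
from collections import Counter

# Constructed sample journal lines, modelled on the `system journal show | tail`
# output above. Line 1 is a non-packet message that must be skipped, line 2
# reproduces the page's ICMP log line, and line 3 is a made-up UDP line.
SAMPLE_JOURNAL = """\
Apr 03 22:18:49.872109 osdx OSDxCLI[4187]: User 'admin' committed the configuration.
Apr 03 22:18:50.683844 osdx kernel: [DEBUG--1]IN=eth0 OUT= MAC=de:ad:be:ef:6c:10:de:ad:be:ef:6c:20:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35867 DF PROTO=ICMP TYPE=8 CODE=0 ID=239 SEQ=1
Apr 03 22:18:51.101010 osdx kernel: [DEBUG--1]IN=eth0 OUT= MAC=de:ad:be:ef:6c:10:de:ad:be:ef:6c:20:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35868 DF PROTO=UDP SPT=40000 DPT=8080 LEN=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<host>\S+) kernel: "
    r"\[(?P<prefix>[^\]]*)\](?P<fields>.*)$")
# Assumption (from the single sample on this page): the kernel prefix is the
# configured 'log prefix' followed by '-<rule number>'.
RULE_SUFFIX_RE = re.compile(r"^(?P<cfg>.*)-(?P<rule>\d+)$")


def split_mac_field(mac):
    """MAC= is the raw Ethernet header: dst (6 octets), src (6), ethertype (2)."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {"dst": ":".join(octets[:6]), "src": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}


def parse_fields(fields):
    """Split the KEY=VALUE fields into IP-header and transport-header dicts.
    Keys such as ID and LEN occur in both headers, so fields after PROTO=
    are kept separately instead of overwriting the IP ones."""
    ev = {"in": None, "out": None, "mac": None, "proto": None,
          "ip": {}, "l4": {}, "flags": []}
    target = ev["ip"]
    for tok in fields.split():
        key, eq, value = tok.partition("=")
        if not eq:
            ev["flags"].append(key)        # bare flags such as DF
            continue
        if key == "IN":
            ev["in"] = value
        elif key == "OUT":
            ev["out"] = value              # empty for ingress-only packets
        elif key == "MAC":
            ev["mac"] = split_mac_field(value)
        elif key == "PROTO":
            ev["proto"] = value
            target = ev["l4"]              # everything after PROTO= is transport
        else:
            target[key] = value
    return ev


def parse_journal_line(line):
    """Return a parsed event for a policy log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = parse_fields(m.group("fields"))
    ev.update(ts=m.group("ts"), host=m.group("host"),
              prefix=m.group("prefix"), cfg_prefix=None, rule=None)
    s = RULE_SUFFIX_RE.match(m.group("prefix"))
    if s:
        ev["cfg_prefix"] = s.group("cfg")
        ev["rule"] = int(s.group("rule"))
    return ev


def parse_journal(text):
    return [ev for ev in map(parse_journal_line, text.splitlines()) if ev]


def summarize_sources(events):
    """Count logged packets per (source address, protocol, ingress interface)."""
    return Counter((ev["ip"].get("SRC"), ev["proto"], ev["in"]) for ev in events)
```

Keeping the IP and transport fields in separate dicts is the one non-obvious choice: a flat dict would silently keep only the last ID= (the ICMP identifier) and the last LEN= (the UDP length), losing the IP identification and total length that are often the fields of interest when correlating a logged packet with a capture.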