Chained Policies
The following scenario shows how to configure different traffic policies: some of them are globally attached and others are linked to a specific interface.
Test Traffic Policy Chain
Description
A chain of traffic policies is configured in DUT0 to mark the incoming traffic with packet length larger than 128 bytes. Every traffic policy matches a specific packet mark set by the previous traffic policy. The last traffic policy drops the packet.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24
set traffic selector S1 rule 1 length min 128
set interfaces ethernet eth0 traffic policy in P1 priority very-high
set traffic policy P1 rule 1 selector S1
set traffic policy P1 rule 1 set mark 1
set system traffic policy in P2 priority very-high
set traffic policy P2 rule 1 selector S2
set traffic policy P2 rule 1 set mark 2
set traffic selector S2 rule 1 mark 1
set interfaces ethernet eth0 traffic policy in P3 priority high
set traffic policy P3 rule 1 selector S3
set traffic policy P3 rule 1 set mark 3
set traffic selector S3 rule 1 mark 2
set system traffic policy in P4 priority high
set traffic policy P4 rule 1 selector S4
set traffic policy P4 rule 1 set mark 4
set traffic selector S4 rule 1 mark 3
set interfaces ethernet eth0 traffic policy in P5 priority low
set traffic policy P5 rule 1 selector S5
set traffic policy P5 rule 1 set mark 5
set traffic selector S5 rule 1 mark 4
set system traffic policy in P6 priority low
set traffic policy P6 rule 1 selector S6
set traffic policy P6 rule 1 set mark 6
set traffic selector S6 rule 1 mark 5
set interfaces ethernet eth0 traffic policy in P7 priority very-low
set traffic policy P7 rule 1 selector S7
set traffic policy P7 rule 1 set mark 7
set traffic selector S7 rule 1 mark 6
set system traffic policy in P8 priority very-low
set traffic policy P8 rule 1 selector S8
set traffic policy P8 rule 1 set mark 8
set traffic selector S8 rule 1 mark 7
set traffic policy P8 rule 1 action drop
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.556 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.556/0.556/0.556/0.000 ms
Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1
PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 5: Run command traffic policy P8 show at DUT0 and expect this output:
Policy P8 -- system -- hook in prio very-low

---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     S8                 1          2          284         368
---------------------------------------------------------------
Total                    1          2          284         368
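The P8 counters in Step 5 can be reproduced with a small model of the chain. This is an added example, not code from the product or its documentation. It assumes that policies run in the order P1 to P8 (interface before system within one priority), that a packet failing a selector still reaches the next policy, and that length min 128 is inclusive and applies to the IP packet length.

```python
# Added illustration: simplified model of the P1..P8 chain (not vendor code).
from dataclasses import dataclass
from typing import Optional

PRIORITY = {"very-high": 0, "high": 1, "low": 2, "very-low": 3}

@dataclass
class Policy:
    name: str
    attach: str                 # "eth0" (interface) or "system" (global)
    priority: str
    match_mark: Optional[int]   # None: selector S1, which matches on length
    set_mark: int
    drop: bool = False
    pkts_match: int = 0
    pkts_eval: int = 0
    bytes_match: int = 0
    bytes_eval: int = 0

def build_chain():
    levels = ["very-high", "high", "low", "very-low"]
    chain = [Policy(f"P{i}", "eth0" if i % 2 else "system", levels[(i - 1) // 2],
                    None if i == 1 else i - 1, i, drop=(i == 8))
             for i in range(1, 9)]
    # Assumption: at equal priority the interface policy runs before the system one.
    chain.sort(key=lambda p: (PRIORITY[p.priority], p.attach == "system"))
    return chain

def process(chain, ip_len, min_len=128):
    """Pass one packet through the chain and update every policy's counters."""
    mark = 0
    for p in chain:
        p.pkts_eval += 1
        p.bytes_eval += ip_len
        hit = ip_len >= min_len if p.match_mark is None else mark == p.match_mark
        if not hit:
            continue            # assumption: unmatched packets go on to the next policy
        p.pkts_match += 1
        p.bytes_match += ip_len
        mark = p.set_mark
        if p.drop:
            return "drop"
    return "accept"

def run_scenario():
    """Replay Steps 3 and 4: an 84-byte and a 284-byte IP packet."""
    chain = build_chain()
    verdicts = [process(chain, 84), process(chain, 284)]
    p8 = chain[-1]
    return verdicts, (p8.pkts_match, p8.pkts_eval, p8.bytes_match, p8.bytes_eval)
```

The 84-byte packet is evaluated by P8 but never carries mark 7, which is why pkts eval is 2 and bytes eval is 84 + 284 = 368 while only the 284-byte packet counts as a match.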