Zone
The following scenario shows how to configure different traffic zones. A traffic zone is an abstract concept that allows a set of network interfaces to be isolated using traffic policies. By default, inter-zone traffic is not allowed; it has to be explicitly permitted with from-zone policies. One traffic zone can be set as local to define the fate of packets addressed to, or originated by, the device itself.
Test Traffic Zone
Description
In this scenario, three traffic zones are configured in DUT0.
The WAN zone represents traffic coming from the Internet. The LAN zone represents traffic coming from the local area network. ROUTER is a special zone for local incoming / outgoing traffic.
DUT2 is supposed to be a device connected to the LAN acting as a Web and TFTP server. In DUT0, HTTP traffic is allowed from the WAN. All traffic is allowed to go from the LAN side to the WAN side. However, only TFTP traffic can cross the ROUTER zone.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 101 address 10.0.0.2/24
set interfaces ethernet eth0 vif 102 address 192.168.0.2/24
set interfaces ethernet eth1 vif 201 address 20.0.0.2/24
set interfaces ethernet eth1 vif 202 address 192.168.1.2/24
set traffic policy ALLOW_ALL rule 1 action accept
set traffic selector SEL_ICMP rule 1 protocol icmp
set traffic selector SEL_HTTP rule 1 protocol tcp
set traffic selector SEL_HTTP rule 1 destination port 8080
set traffic policy ALLOW_HTTP rule 1 selector SEL_ICMP
set traffic policy ALLOW_HTTP rule 1 action drop
set traffic policy ALLOW_HTTP rule 2 selector SEL_HTTP
set traffic selector SEL_TFTP rule 1 protocol udp
set traffic selector SEL_TFTP rule 1 destination port 6969
set traffic policy ALLOW_TFTP rule 1 selector SEL_ICMP
set traffic policy ALLOW_TFTP rule 1 action drop
set traffic policy ALLOW_TFTP rule 2 selector SEL_TFTP
set traffic zone ROUTER
set traffic zone WAN
set traffic zone LAN
set traffic zone ROUTER local
set interfaces ethernet eth0 vif 101 traffic zone WAN
set interfaces ethernet eth0 vif 102 traffic zone LAN
set interfaces ethernet eth1 vif 201 traffic zone ROUTER
set interfaces ethernet eth1 vif 202 traffic zone ROUTER
set traffic zone LAN from-zone WAN policy ALLOW_HTTP
set traffic zone WAN from-zone LAN policy ALLOW_ALL
set traffic zone ROUTER from-zone ROUTER policy ALLOW_TFTP
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 101 address 10.0.0.1/24
set interfaces ethernet eth1 vif 201 address 20.0.0.1/24
set protocols static route 192.168.0.0/24 next-hop 10.0.0.2
set protocols static route 192.168.1.0/24 next-hop 20.0.0.2
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 vif 102 address 192.168.0.1/24
set interfaces ethernet eth1 vif 202 address 192.168.1.1/24
set protocols static route 10.0.0.0/24 next-hop 192.168.0.2
set protocols static route 20.0.0.0/24 next-hop 192.168.1.2
Step 4: Ping IP address 10.0.0.1 from DUT2:
admin@DUT2$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=0.975 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.975/0.975/0.975/0.000 ms
Step 5: Expect a failure in the following command:
Ping IP address 192.168.0.1 from DUT1:
admin@DUT1$ ping 192.168.0.1 count 1 size 56 timeout 1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.

--- 192.168.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Initiate a TCP connection from DUT1 to DUT2 and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.0.1 8080 tcp
Note
ICMP packets from DUT2 should reach DUT1 (LAN to WAN is governed by ALLOW_ALL). However, ICMP packets from DUT1 should not reach DUT2, since only HTTP traffic (TCP port 8080) is allowed from the WAN into the LAN.
Step 7: Expect a failure in the following command:
Ping IP address 192.168.1.2 from DUT1:
admin@DUT1$ ping 192.168.1.2 count 1 size 56 timeout 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Expect a failure in the following command:
Ping IP address 20.0.0.2 from DUT2:
admin@DUT2$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
ICMP traffic is not allowed from DUT1/DUT2 towards DUT0: the addresses pinged in steps 7 and 8 belong to the ROUTER zone, whose ALLOW_TFTP policy drops ICMP.
Step 9: Initiate a UDP connection from DUT1 to DUT2 and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 6969 udp
admin@DUT1$ monitor test connection client 192.168.1.1 6969 udp
Attention
The traffic policy show and traffic selector show commands can be very useful for debugging purposes (in case something does not work the way it should).
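To make the zone semantics introduced at the top of the page and exercised in steps 4 to 9 concrete, the following toy model, written for this page and not the router's own implementation, replays DUT0's configuration: interfaces are mapped to zones, selectors match protocol and destination port, policies are ordered rules, and a packet is only accepted when a from-zone policy for its (destination zone, source zone) pair has a matching rule that accepts it. Three points are assumptions rather than facts stated on the page: a rule with a selector but no explicit action accepts (ALLOW_HTTP rule 2 and ALLOW_TFTP rule 2 are written that way), only the first packet of a flow is evaluated (no connection tracking for replies), and a packet addressed to one of DUT0's own addresses is handled by the zone marked local rather than by an egress interface. The ingress zone is derived from the source address's connected subnet, which matches this scenario because every endpoint is directly attached to DUT0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Selector:
    """Mirrors 'traffic selector X rule 1 protocol ... / destination port ...'."""
    protocol: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Rule:
    """Mirrors 'traffic policy P rule N selector ... / action ...'."""
    selector: Optional[Selector] = None   # None: the rule matches every packet
    action: str = "accept"                # assumption: default action when none is set


class ZoneRouter:
    """Hypothetical model of zone-based policy evaluation (not the product's code)."""

    def __init__(self, local_zone: str):
        self.local_zone = local_zone
        self.interfaces = {}    # ifname -> (ip_interface, zone)
        self.policies = {}      # policy name -> ordered list of Rule
        self.from_zone = {}     # (to_zone, from_zone) -> policy name

    def add_interface(self, name: str, cidr: str, zone: str) -> None:
        self.interfaces[name] = (ipaddress.ip_interface(cidr), zone)

    def zone_for(self, addr: str) -> Optional[str]:
        """Zone of the endpoint at addr: the local zone for the router's own
        addresses, otherwise the zone of the connected interface with the
        longest matching prefix; None when no interface covers the address."""
        ip = ipaddress.ip_address(addr)
        best = None
        for iface, zone in self.interfaces.values():
            if ip == iface.ip:
                return self.local_zone
            if ip in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, zone)
        return best[1] if best else None

    def decide(self, pkt: Packet):
        """Return (verdict, reason). Traffic between zones is dropped unless a
        from-zone policy exists and one of its rules accepts the packet."""
        src_zone, dst_zone = self.zone_for(pkt.src), self.zone_for(pkt.dst)
        if src_zone is None or dst_zone is None:
            return "drop", "no connected interface for source or destination"
        policy = self.from_zone.get((dst_zone, src_zone))
        if policy is None:
            # The page states this default for inter-zone traffic; applying it
            # to intra-zone traffic without a policy is an assumption.
            return "drop", f"no from-zone policy for {src_zone} -> {dst_zone}"
        for n, rule in enumerate(self.policies[policy], start=1):
            if rule.selector is None or rule.selector.matches(pkt):
                return rule.action, f"{policy} rule {n}"
        return "drop", f"{policy}: no rule matched"   # assumed implicit default


def build_dut0() -> ZoneRouter:
    """DUT0 as configured in step 1 of the scenario."""
    r = ZoneRouter(local_zone="ROUTER")
    r.add_interface("eth0.101", "10.0.0.2/24", "WAN")
    r.add_interface("eth0.102", "192.168.0.2/24", "LAN")
    r.add_interface("eth1.201", "20.0.0.2/24", "ROUTER")
    r.add_interface("eth1.202", "192.168.1.2/24", "ROUTER")
    sel_icmp = Selector(protocol="icmp")
    sel_http = Selector(protocol="tcp", dport=8080)
    sel_tftp = Selector(protocol="udp", dport=6969)
    r.policies["ALLOW_ALL"] = [Rule()]
    r.policies["ALLOW_HTTP"] = [Rule(sel_icmp, "drop"), Rule(sel_http)]
    r.policies["ALLOW_TFTP"] = [Rule(sel_icmp, "drop"), Rule(sel_tftp)]
    r.from_zone[("LAN", "WAN")] = "ALLOW_HTTP"
    r.from_zone[("WAN", "LAN")] = "ALLOW_ALL"
    r.from_zone[("ROUTER", "ROUTER")] = "ALLOW_TFTP"
    return r


if __name__ == "__main__":
    dut0 = build_dut0()
    # Constructed packets reproducing steps 4 to 9 (source addresses are the
    # interface each DUT uses towards its configured next-hop).
    for label, pkt in [
        ("step 4: DUT2 -> DUT1 ping", Packet("192.168.0.1", "10.0.0.1", "icmp")),
        ("step 5: DUT1 -> DUT2 ping", Packet("10.0.0.1", "192.168.0.1", "icmp")),
        ("step 6: DUT1 -> DUT2 tcp/8080", Packet("10.0.0.1", "192.168.0.1", "tcp", 8080)),
        ("step 7: DUT1 -> DUT0 ping", Packet("20.0.0.1", "192.168.1.2", "icmp")),
        ("step 8: DUT2 -> DUT0 ping", Packet("192.168.1.1", "20.0.0.2", "icmp")),
        ("step 9: DUT1 -> DUT2 udp/6969", Packet("20.0.0.1", "192.168.1.1", "udp", 6969)),
    ]:
        print(f"{label}: {dut0.decide(pkt)}")
```

The reason string returned by decide() plays the role of the traffic policy show output mentioned in the Attention note: when a test step fails unexpectedly, it tells you whether the packet was dropped because no from-zone policy covered the zone pair or because a specific rule (typically the SEL_ICMP drop) matched first.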