Fragmentation
The following scenarios show how to configure a link traffic policy to drop packets based on fragmentation parameters.
Test Drop IPv4 Fragmented Packets
Description
This scenario demonstrates how to use the special fragmentation filter to drop incoming fragmented IPv4 packets in DUT0.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 address 2001:d00::2/24
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 traffic policy link DROP_FRAG
set traffic policy DROP_FRAG rule 1 action drop
set traffic policy DROP_FRAG rule 1 log prefix DROP
set traffic policy DROP_FRAG rule 1 selector SEL_FRAG
set traffic policy DROP_FRAG rule 2 action accept
set traffic policy DROP_FRAG rule 2 log prefix BYPASS
set interfaces ethernet eth0 address 10.0.0.1/24
set traffic selector SEL_FRAG rule 1 not fragmentation df-flag
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.511 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.511/0.511/0.511/0.000 ms
Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 2048 timeout 1
PING 10.0.0.1 (10.0.0.1) 2048(2076) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test Drop IPv6 Fragmented Packets
Description
This scenario demonstrates how to use the special ipv6-fragmentation filter to drop incoming fragmented IPv6 packets in DUT0.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 address 2001:d00::2/24
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 traffic policy link DROP_FRAG
set traffic policy DROP_FRAG rule 1 action drop
set traffic policy DROP_FRAG rule 1 log prefix DROP
set traffic policy DROP_FRAG rule 1 selector SEL_FRAG
set traffic policy DROP_FRAG rule 2 action accept
set traffic policy DROP_FRAG rule 2 log prefix BYPASS
set interfaces ethernet eth0 address 2001:d00::1/24
set traffic selector SEL_FRAG rule 2 ipv6-next-header ipv6-frag
Step 3: Ping IP address 2001:d00::1 from DUT1:
admin@DUT1$ ping 2001:d00::1 count 1 size 56 timeout 1
PING 2001:d00::1(2001:d00::1) 56 data bytes
64 bytes from 2001:d00::1: icmp_seq=1 ttl=64 time=278 ms

--- 2001:d00::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 278.485/278.485/278.485/0.000 ms
Step 4: Expect a failure in the following command:
Ping IP address 2001:d00::1 from DUT1:
admin@DUT1$ ping 2001:d00::1 count 1 size 2048 timeout 1
PING 2001:d00::1(2001:d00::1) 2048 data bytes

--- 2001:d00::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test Drop Inet Fragmented Packets
Description
This scenario demonstrates how to drop fragmented packets regardless of the IP version being used.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 address 2001:d00::2/24
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 traffic policy link DROP_FRAG
set traffic policy DROP_FRAG rule 1 action drop
set traffic policy DROP_FRAG rule 1 log prefix DROP
set traffic policy DROP_FRAG rule 1 selector SEL_FRAG
set traffic policy DROP_FRAG rule 2 action accept
set traffic policy DROP_FRAG rule 2 log prefix BYPASS
set interfaces ethernet eth0 address 10.0.0.1/24
set traffic selector SEL_FRAG rule 1 not fragmentation df-flag
set interfaces ethernet eth0 address 2001:d00::1/24
set traffic selector SEL_FRAG rule 2 ipv6-next-header ipv6-frag
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.676 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.676/0.676/0.676/0.000 ms
Step 4: Ping IP address 2001:d00::1 from DUT1:
admin@DUT1$ ping 2001:d00::1 count 1 size 56 timeout 1
PING 2001:d00::1(2001:d00::1) 56 data bytes
64 bytes from 2001:d00::1: icmp_seq=1 ttl=64 time=0.545 ms

--- 2001:d00::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.545/0.545/0.545/0.000 ms
Step 5: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 2048 timeout 1
PING 10.0.0.1 (10.0.0.1) 2048(2076) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Expect a failure in the following command:
Ping IP address 2001:d00::1 from DUT1:
admin@DUT1$ ping 2001:d00::1 count 1 size 2048 timeout 1
PING 2001:d00::1(2001:d00::1) 2048 data bytes

--- 2001:d00::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
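The following is an added example, not part of the original documentation or the product's code. It models the two SEL_FRAG rules literally against constructed headers (rule 1 as "DF bit clear", rule 2 as "Next Header of the fixed IPv6 header is 44") and shows that rule 1 also drops an unfragmented IPv4 packet sent without DF. The function names, the sample headers and the 1500-byte MTU used to split the 2048-byte echo are assumptions.

```python
import struct

IPV6_FRAG = 44  # protocol number of the IPv6 Fragment extension header

def ipv4_header(total_len, df, mf, offset_bytes):
    """Constructed 20-byte IPv4/ICMP header, 10.0.0.2 -> 10.0.0.1 (checksum left 0)."""
    flags_frag = (df << 14) | (mf << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))

def ipv6_header(payload_len, next_header):
    """Constructed 40-byte IPv6 fixed header, 2001:d00::2 -> 2001:d00::1."""
    prefix = bytes.fromhex("20010d00") + bytes(11)
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       prefix + b"\x02", prefix + b"\x01")

def policy_log_prefix(packet):
    """Log prefix DROP_FRAG would emit: rule 1 (SEL_FRAG) -> DROP, rule 2 -> BYPASS."""
    version = packet[0] >> 4
    if version == 4:
        flags_frag = struct.unpack_from("!H", packet, 6)[0]
        matched = not (flags_frag & 0x4000)    # selector rule 1: DF flag not set
    elif version == 6:
        matched = packet[6] == IPV6_FRAG       # selector rule 2: next header ipv6-frag
    else:
        matched = False
    return "DROP" if matched else "BYPASS"

def is_real_ipv4_fragment(packet):
    """Strict test: MF flag set or fragment offset non-zero."""
    return bool(struct.unpack_from("!H", packet, 6)[0] & 0x3FFF)

# Constructed samples. The 2048-byte echo is split assuming a 1500-byte MTU.
SAMPLES = {
    "v4 echo, DF set":        ipv4_header(84, 1, 0, 0),
    "v4 first fragment":      ipv4_header(1500, 0, 1, 0),
    "v4 last fragment":       ipv4_header(596, 0, 0, 1480),
    "v4 whole packet, no DF": ipv4_header(84, 0, 0, 0),
    "v6 echo":                ipv6_header(64, 58),
    "v6 fragment":            ipv6_header(1456, IPV6_FRAG),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        strict = is_real_ipv4_fragment(pkt) if pkt[0] >> 4 == 4 else None
        print(f"{name:24} {policy_log_prefix(pkt):7} real_v4_fragment={strict}")
```

If hosts on the link send IPv4 traffic with DF clear, review the entries logged with the DROP prefix, since under this reading such packets match rule 1 without being fragments.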