Vrf-Mark
The following scenario shows how to filter packets based on the VRF attribute using traffic selectors.
Test Drop Outgoing ICMP Traffic
Description
This scenario demonstrates how to use the special filter vrf-mark to drop outgoing ICMP packets that were not generated from the local VRF.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-out ISOLATE
set traffic policy ISOLATE rule 1 set vrf LOCALVRF
set interfaces ethernet eth0 traffic policy out DROP_MAINVRF
set traffic policy DROP_MAINVRF rule 1 action drop
set traffic policy DROP_MAINVRF rule 1 log prefix DROP
set traffic policy DROP_MAINVRF rule 1 selector SEL_MAINVRF
set traffic policy DROP_MAINVRF rule 2 action accept
set traffic policy DROP_MAINVRF rule 2 log prefix BYPASS
set traffic selector SEL_MAINVRF rule 1 not vrf-mark LOCALVRF
set traffic selector SEL_MAINVRF rule 1 protocol icmp
set system vrf LOCALVRF
set protocols vrf LOCALVRF static route 0.0.0.0/0 interface eth0
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.547 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.547/0.547/0.547/0.000 ms
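The following Python sketch is an added illustration, not part of the original scenario or the vendor's code. It models how the DUT0 policies from Step 2 classify packets leaving eth0, which shows why the echo reply in Step 3 is accepted. Assumptions: rules are evaluated in order with the first match winning, the conditions of a selector rule are combined with AND, and the local-out policy only sees packets that DUT0 itself generates; OTHERVRF and the sample packets are constructed.

```python
# Added illustration: a simplified model of the DUT0 policies, not device code.
from dataclasses import dataclass
from typing import Optional

LOCAL_VRF = "LOCALVRF"

@dataclass
class Packet:
    protocol: str                   # "icmp", "tcp", ...
    locally_generated: bool         # True if DUT0 itself originated the packet
    vrf_mark: Optional[str] = None  # VRF mark carried by the packet, if any

def policy_isolate(pkt):
    """local-out ISOLATE rule 1: 'set vrf LOCALVRF' (assumed to set the mark)."""
    pkt.vrf_mark = LOCAL_VRF

def selector_sel_mainvrf(pkt):
    """SEL_MAINVRF rule 1: 'not vrf-mark LOCALVRF' AND 'protocol icmp'."""
    return pkt.vrf_mark != LOCAL_VRF and pkt.protocol == "icmp"

def policy_drop_mainvrf(pkt):
    """out DROP_MAINVRF, first match wins (assumed): (action, log prefix)."""
    if selector_sel_mainvrf(pkt):
        return ("drop", "DROP")      # rule 1: selector SEL_MAINVRF
    return ("accept", "BYPASS")      # rule 2: no selector, matches the rest

def egress_eth0(pkt):
    """Run one packet through the modelled eth0 egress path."""
    if pkt.locally_generated:
        policy_isolate(pkt)          # local-out hook: local traffic only
    return policy_drop_mainvrf(pkt)

# Constructed sample packets; OTHERVRF is a hypothetical VRF name.
SAMPLES = {
    "echo reply from DUT0 (Step 3)": Packet("icmp", True),
    "ICMP forwarded, unmarked": Packet("icmp", False),
    "ICMP forwarded, other VRF mark": Packet("icmp", False, "OTHERVRF"),
    "TCP forwarded, unmarked": Packet("tcp", False),
}

def evaluate_all():
    """Return {sample name: (action, log prefix)} for every sample packet."""
    return {name: egress_eth0(Packet(p.protocol, p.locally_generated, p.vrf_mark))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:32} -> {verdict}")
```

Under this model only ICMP that lacks the LOCALVRF mark hits rule 1; non-ICMP traffic falls through to rule 2 regardless of its mark, because the selector requires both conditions.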