IPv6 Address Group

The following scenario shows how to configure a traffic group with different IPv6 addresses. Traffic selectors can be configured to filter network packets based on source/destination address.


Test Traffic Group With IPv6 Addresses

Description

In this scenario, an ingress traffic policy is configured to deny non-matching packets in DUT0 (‘eth0’ interface). Packets are filtered using a traffic selector with a traffic group.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address '10::1/64'
set interfaces ethernet eth0 traffic policy in ACCEPT_ALLOWED
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group ipv6-address ALLOWED element '10::2'
set traffic group ipv6-address ALLOWED element '10::254'
set traffic policy ACCEPT_ALLOWED rule 1 action accept
set traffic policy ACCEPT_ALLOWED rule 1 selector SEL_ALLOWED
set traffic policy ACCEPT_ALLOWED rule 2 action drop
set traffic selector SEL_ALLOWED rule 1 source ipv6-address-group ALLOWED

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address '10::2/64'
set interfaces ethernet eth0 vrf A
set interfaces ethernet eth1 address '10::20/64'
set interfaces ethernet eth1 vrf B
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf A
set system vrf B

Step 3: Ping IP address 10::1 from DUT1:

admin@DUT1$ ping 10::1 vrf A count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: A
PING 10::1(10::1) from 10::2 A: 56 data bytes
64 bytes from 10::1: icmp_seq=1 ttl=64 time=0.643 ms

--- 10::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.643/0.643/0.643/0.000 ms

Step 4: Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 8080 tcp ipv6
admin@DUT1$ monitor test connection client 10::1 8080 tcp local-interface eth0

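Step 5: Initiate a TCP connection from DUT1 to DUT0 with eth1 as the local interface and try to send some messages between both endpoints. Expect this command to fail: the eth1 address (10::20) is not an element of the ALLOWED group, so its packets do not match rule 1: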

admin@DUT0$ monitor test connection server 8080 tcp ipv6
admin@DUT1$ monitor test connection client 10::1 8080 tcp local-interface eth1
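The following Python model is an added example, not part of the original scenario or of the device software. It parses the traffic lines of the DUT0 configuration from Step 1 and returns the verdict for a given source address, reproducing the results of Steps 3 to 5. It assumes rules are evaluated in ascending order with the first match winning, and that a rule without a selector matches every packet; `parse` and `verdict` are hypothetical helper names.

```python
import ipaddress
import re

# Traffic-related lines copied from the DUT0 configuration in Step 1.
DUT0_CONFIG = """
set traffic group ipv6-address ALLOWED element '10::2'
set traffic group ipv6-address ALLOWED element '10::254'
set traffic policy ACCEPT_ALLOWED rule 1 action accept
set traffic policy ACCEPT_ALLOWED rule 1 selector SEL_ALLOWED
set traffic policy ACCEPT_ALLOWED rule 2 action drop
set traffic selector SEL_ALLOWED rule 1 source ipv6-address-group ALLOWED
"""

def parse(config):
    """Build groups, selectors and policies from the `set` lines."""
    groups, selectors, policies = {}, {}, {}
    for line in config.strip().splitlines():
        if m := re.fullmatch(r"set traffic group ipv6-address (\S+) element '(\S+)'", line):
            groups.setdefault(m[1], set()).add(ipaddress.IPv6Address(m[2]))
        elif m := re.fullmatch(r"set traffic selector (\S+) rule \d+ source ipv6-address-group (\S+)", line):
            selectors.setdefault(m[1], []).append(m[2])
        elif m := re.fullmatch(r"set traffic policy (\S+) rule (\d+) (action|selector) (\S+)", line):
            policies.setdefault(m[1], {}).setdefault(int(m[2]), {})[m[3]] = m[4]
    return groups, selectors, policies

def verdict(config, policy, source):
    """Return the action of the first rule (lowest number) that matches `source`."""
    groups, selectors, policies = parse(config)
    # Compare parsed addresses, not strings: 10::2 and 0010:0:0:0:0:0:0:2 are equal.
    src = ipaddress.IPv6Address(source)
    for number in sorted(policies[policy]):
        rule = policies[policy][number]
        sel = rule.get("selector")
        # Assumption: a rule without a selector matches every packet.
        if sel is None or any(src in groups[g] for g in selectors[sel]):
            return rule["action"]
    return None  # no rule matched; the page does not state the default action

if __name__ == "__main__":
    # DUT1 eth0 (10::2), DUT1 eth1 (10::20), the other group element, and an
    # expanded spelling of 10::2 (constructed sample inputs).
    for source in ("10::2", "10::20", "10::254", "0010:0:0:0:0:0:0:2"):
        print(source, "->", verdict(DUT0_CONFIG, "ACCEPT_ALLOWED", source))
```

Without rule 2 the model returns `None` for 10::20, which shows that the explicit final drop rule is what makes the denial visible in the configuration.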