Port Group
The following scenario shows how to configure a traffic group with different ports. Traffic selectors can be configured to filter network packets based on source/destination ports.
Test Traffic Group With Ports
Description
In this scenario, an ingress traffic policy is configured to deny non-matching packets in DUT0 ('eth0' interface). Packets are filtered using a traffic selector with a traffic group.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in ACCEPT_HTTP
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port HTTP element 443
set traffic group port HTTP element 80
set traffic group port HTTP element 8080
set traffic policy ACCEPT_HTTP rule 1 action accept
set traffic policy ACCEPT_HTTP rule 1 selector SEL_HTTP
set traffic policy ACCEPT_HTTP rule 2 action drop
set traffic selector SEL_HTTP rule 1 destination port-group HTTP
set traffic selector SEL_HTTP rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 tcp
Step 4: Expect a failure in the following command:

Initiate a UDP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 8080 udp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp
Step 5: Expect a failure in the following command:

Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 1234 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 1234 tcp
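To make the expected outcomes of Steps 3 to 5 easy to check before touching a device, the following added example (not part of the original documentation or of the product) models the ACCEPT_HTTP policy above as a first-match rule evaluator: the HTTP port group, the SEL_HTTP selector and the two policy rules are the ones configured on DUT0; the Packet type, the rule dictionaries and the fall-through default are assumptions of this model.

```python
# Added example: a minimal model of the ACCEPT_HTTP ingress policy on DUT0.
# Not product code; rule ordering is first match, fall-through is an assumption.
from dataclasses import dataclass

# "set traffic group port HTTP element 80 / 443 / 8080"
PORT_GROUPS = {"HTTP": {80, 443, 8080}}

# "set traffic selector SEL_HTTP rule 1 protocol tcp"
# "set traffic selector SEL_HTTP rule 1 destination port-group HTTP"
SELECTORS = {"SEL_HTTP": [{"protocol": "tcp", "destination_port_group": "HTTP"}]}

# "set traffic policy ACCEPT_HTTP rule 1 action accept / selector SEL_HTTP"
# "set traffic policy ACCEPT_HTTP rule 2 action drop"  (no selector: catch-all)
POLICY_ACCEPT_HTTP = [
    {"action": "accept", "selector": "SEL_HTTP"},
    {"action": "drop"},
]


@dataclass(frozen=True)
class Packet:
    protocol: str  # "tcp" or "udp" (constructed for this model)
    dst_port: int


def selector_matches(packet: Packet, rules: list) -> bool:
    """A selector matches when any one of its rules matches every field it sets."""
    for rule in rules:
        if "protocol" in rule and rule["protocol"] != packet.protocol:
            continue
        group = rule.get("destination_port_group")
        if group is not None and packet.dst_port not in PORT_GROUPS[group]:
            continue
        return True
    return False


def evaluate(policy: list, packet: Packet) -> str:
    """Return the action of the first policy rule whose selector matches."""
    for rule in policy:
        selector = rule.get("selector")
        if selector is None or selector_matches(packet, SELECTORS[selector]):
            return rule["action"]
    return "accept"  # assumption: never reached here because rule 2 is a catch-all


if __name__ == "__main__":
    # The three connections exercised in Steps 3, 4 and 5 of the scenario.
    for pkt in (Packet("tcp", 8080), Packet("udp", 8080), Packet("tcp", 1234)):
        print(pkt, "->", evaluate(POLICY_ACCEPT_HTTP, pkt))
```

Only TCP to a port listed in the HTTP group reaches rule 1; UDP to 8080 and TCP to 1234 both fall through to the catch-all drop, which is why Steps 4 and 5 are expected to fail.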