Policy
The following scenarios show how to configure different
traffic policies. Policies can be used to manage and
classify network packets. traffic selectors can be
configured to filter packets based on certain fields.
Test Policy Actions
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different traffic actions are
configured to accept, drop or limit incoming traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY rule 1 action accept
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.543 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.543/0.543/0.543/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
delete traffic policy POLICY rule 1 action accept set traffic policy POLICY rule 1 action drop
Step 5: Expect a failure in the following command:
Initiate a udp connection from DUT1 to DUT0 and try to send some messages between both endpoints
admin@DUT0$ monitor test connection server 8080 udp admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp
Step 6: Modify the following configuration lines in DUT0:
delete traffic policy POLICY rule 1 action drop set traffic policy POLICY rule 1 action rate-limit 10
Step 7: Initiate a bandwidth test from DUT1 to DUT0
admin@DUT0$ monitor test performance server port 5001 admin@DUT1$ monitor test performance client 10.0.0.1 duration 5 port 5001 parallel 1Expect this output in
DUT1:Connecting to host 10.0.0.1, port 5001 [ 5] local 10.0.0.2 port 40554 connected to 10.0.0.1 port 5001 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 3.69 MBytes 31.0 Mbits/sec 435 9.90 KBytes [ 5] 1.00-2.00 sec 1018 KBytes 8.34 Mbits/sec 138 5.66 KBytes [ 5] 2.00-3.00 sec 1018 KBytes 8.34 Mbits/sec 105 14.1 KBytes [ 5] 3.00-4.00 sec 1018 KBytes 8.34 Mbits/sec 139 5.66 KBytes [ 5] 4.00-5.00 sec 1.49 MBytes 12.5 Mbits/sec 137 5.66 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-5.00 sec 8.17 MBytes 13.7 Mbits/sec 954 sender [ 5] 0.00-5.00 sec 7.01 MBytes 11.8 Mbits/sec receiver iperf Done.
Note
Previous test should show a very low bandwidth rate.
Test Policy Copy
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different copy actions are
configured to store the ToS value in the conntrack mark
and extra conntrack mark fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY rule 1 copy tos connmark
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.825 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.825/0.825/0.825/0.000 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=12Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=111 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=111 packets=1 bytes=84 mark=12 use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY rule 1 copy tos connmark set traffic policy POLICY rule 1 copy tos extra-connmark 1
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.383 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.383/0.383/0.383/0.000 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
emark1=12Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=112 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=112 packets=1 bytes=84 mark=0 emark1=12 use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Test Policy Set
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different set actions are
configured to change the conntrack mark, the app-id and the
VRF.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY rule 1 set connmark 15
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.636 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.636/0.636/0.636/0.000 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=15Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=113 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=113 packets=1 bytes=84 mark=15 use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY rule 1 set connmark set traffic policy POLICY rule 1 set app-id custom 80
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.321 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
appdetect[U:80]Show output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=114 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=114 packets=1 bytes=84 mark=0 use=1 appdetect[U:80] conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 8: Modify the following configuration lines in DUT0:
delete traffic policy POLICY rule 1 set app-id set interfaces ethernet eth0 vrf RED set system vrf RED set traffic policy POLICY rule 1 set vrf RED
Step 9: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.283 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.283/0.283/0.283/0.000 ms
Step 10: Run command system conntrack show at DUT0 and check if output contains the following tokens:
vrf=REDShow output
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=115 vrf=RED packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=115 vrf=RED packets=1 bytes=84 mark=0 use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Test Policy Log
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). The log option is configured to
show system messages that help debug and analyze the
network status.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY rule 1 log level err set traffic policy POLICY rule 1 log prefix DEBUG-
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.590 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.590/0.590/0.590/0.000 ms
Step 4: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[DEBUG--1] ACCEPT IN=eth0Show output
Jul 17 15:13:43.241793 osdx OSDxCLI[1784]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.0.0.1/24'. Jul 17 15:13:43.314062 osdx OSDxCLI[1784]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 traffic policy in POLICY'. Jul 17 15:13:43.422268 osdx OSDxCLI[1784]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 log prefix "DEBUG-"'. Jul 17 15:13:43.505336 osdx OSDxCLI[1784]: User 'admin' added a new cfg line: 'set traffic policy POLICY rule 1 log level err'. Jul 17 15:13:43.572309 osdx OSDxCLI[1784]: User 'admin' added a new cfg line: 'show working'. Jul 17 15:13:43.693581 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0 Jul 17 15:13:43.830648 osdx cfgd[1240]: [1784]Completed change to active configuration Jul 17 15:13:43.832989 osdx OSDxCLI[1784]: User 'admin' committed the configuration. Jul 17 15:13:43.848208 osdx OSDxCLI[1784]: User 'admin' left the configuration menu. Jul 17 15:13:44.497053 osdx kernel: [DEBUG--1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:10:de:ad:be:ef:6c:20:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=ICMP TYPE=8 CODE=0 ID=116 SEQ=1
Test Policy Advisor
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). The advisor option is
configured to enable/disable the rule depending on
the advisor status. If the rule is enabled, incoming traffic
will be dropped.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24 set interfaces ethernet eth0 traffic policy in POLICY set system advisor ADV test false set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY rule 1 action drop set traffic policy POLICY rule 1 advisor ADV
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.971 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.971/0.971/0.971/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
set system advisor ADV test true
Step 5: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Modify the following configuration lines in DUT0:
set system advisor ADV test false
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.422 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.422/0.422/0.422/0.000 ms