Local Out Policy
This scenario shows how to attach a traffic policy to the local-out hook in an Ethernet interface. This hook is triggered when a locally generated packet needs to be routed through the interface.
Test Interface Traffic Local-Out
Description
A traffic policy is configured in DUT0 to drop all outgoing locally-generated traffic with packet length larger than 128 bytes.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-out P1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy P1 rule 1 action drop
set traffic policy P1 rule 1 selector BIG_PKT
set traffic selector BIG_PKT rule 1 length min 128

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.436 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.436/0.436/0.436/0.000 ms

Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1

PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 5: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:

1\s+BIG_PKT\s+[1-9]\d*\s+[1-9]\d*

Policy P1 -- ifc eth0 -- hook local-out prio very-high
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     BIG_PKT            4          6          692         852
---------------------------------------------------------------
Total                    4          6          692         852

Test Interface Traffic Local-Out With Priorities
Description
Two traffic policies are configured in DUT0 with different priorities. The first one marks locally-generated traffic with packet length larger than 128 bytes, while the second one drops the marked packets.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-out P1
set interfaces ethernet eth0 traffic policy local-out P2 priority low
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy P1 rule 1 selector BIG_PKT
set traffic policy P1 rule 1 set mark 1
set traffic policy P2 rule 1 action drop
set traffic policy P2 rule 1 selector MARKED
set traffic selector BIG_PKT rule 1 length min 128
set traffic selector MARKED rule 1 mark 1

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.549 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.549/0.549/0.549/0.000 ms

Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1

PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 5: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:

1\s+BIG_PKT\s+[1-9]\d*\s+[1-9]\d*

Policy P1 -- ifc eth0 -- hook local-out prio very-high
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     BIG_PKT            4          8          692        1000
---------------------------------------------------------------
Total                    4          8          692        1000

Policy P2 -- ifc eth0 -- hook local-out prio low
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     MARKED             4          8          692        1000
---------------------------------------------------------------
Total                    4          8          692        1000

Step 6: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:

1\s+MARKED\s+[1-9]\d*\s+[1-9]\d*

Policy P1 -- ifc eth0 -- hook local-out prio very-high
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     BIG_PKT            4          8          692        1000
---------------------------------------------------------------
Total                    4          8          692        1000

Policy P2 -- ifc eth0 -- hook local-out prio low
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     MARKED             4          8          692        1000
---------------------------------------------------------------
Total                    4          8          692        1000
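
The counter checks from Step 5 of the first test and Steps 5 and 6 of this one, generalised into a parser for the traffic policy show table: it reads every policy block and reports expected rules that are missing, attached to a different hook or selector, or have never matched a packet. This is an added example, not part of the original test suite; the function names are illustrative, and the sample is the Step 6 output embedded inline with one table row per line (an assumed layout).

```python
import re

# Sample input: the Step 6 `traffic policy show` output, embedded so the check runs offline.
SAMPLE = """\
Policy P1 -- ifc eth0 -- hook local-out prio very-high
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     BIG_PKT            4          8          692        1000
---------------------------------------------------------------
Total                    4          8          692        1000

Policy P2 -- ifc eth0 -- hook local-out prio low
---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     MARKED             4          8          692        1000
---------------------------------------------------------------
Total                    4          8          692        1000
"""

HEADER = re.compile(r"^Policy (\S+) -- ifc (\S+) -- hook (\S+) prio (\S+)\s*$")
RULE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
KEYS = ("pkts_match", "pkts_eval", "bytes_match", "bytes_eval")

def parse_policy_show(text):
    """Return {policy: {"ifc", "hook", "prio", "rules": {rule_id: counters}}}."""
    policies, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = policies[m[1]] = {"ifc": m[2], "hook": m[3], "prio": m[4], "rules": {}}
        elif current is not None and (m := RULE.match(line)):
            counters = dict(zip(KEYS, map(int, m.groups()[2:])))
            current["rules"][int(m[1])] = {"selector": m[2], **counters}
    return policies

def unenforced(policies, expected):
    """Return (policy, rule, selector) for each expected rule that is absent, misbound or unmatched."""
    problems = []
    for policy, hook, rule, selector in expected:
        pol = policies.get(policy, {})
        r = pol.get("rules", {}).get(rule)
        if not (r and pol["hook"] == hook and r["selector"] == selector and r["pkts_match"] > 0):
            problems.append((policy, rule, selector))
    return problems

EXPECTED = [("P1", "local-out", 1, "BIG_PKT"), ("P2", "local-out", 1, "MARKED")]  # from the DUT0 config
if __name__ == "__main__":
    print(unenforced(parse_policy_show(SAMPLE), EXPECTED))
```

An empty list means every expected rule is bound to the local-out hook and has a non-zero match counter, which is the condition the two regular expressions test one rule at a time.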