Out Policy With Snat

This scenario shows how important it is to choose the right priority when combining traffic policies and NAT configuration.

[Figure: outpolicywithsnat.svg]

Test Interface Traffic Out Before SNAT

Description

This scenario shows the importance of the priority assigned to a traffic policy at the out hook when SNAT is also configured on the same interface. In the examples below, a policy attached with priority high still sees the original source address of DUT1 (10.0.0.2), while a policy attached with priority low sees the masqueraded source address of eth1 (20.0.0.1), so the same selector matches in one case and not in the other.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 20.0.0.1/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 traffic policy out POL priority high
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 source address 10.0.0.2

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=1.12 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.115/1.115/1.115/0.000 ms

Step 3: Run command traffic policy show at DUT0 and check if output matches the following regular expression:

1\s+SEL\s+[1-9]\d*\s+[1-9]\d*
Policy POL -- ifc eth1 -- hook out prio high

---------------------------------------------------------------
rule   selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1      SEL                1          1           84          84
---------------------------------------------------------------
Total                     1          1           84          84

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 20.0.0.1/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 traffic policy out POL priority high
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 source address 20.0.0.1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.899 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.899/0.899/0.899/0.000 ms

Step 3: Run command traffic policy show at DUT0 and check if output matches the following regular expression:

1\s+SEL\s+0\s+[1-9]\d*
Policy POL -- ifc eth1 -- hook out prio high

---------------------------------------------------------------
rule   selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1      SEL                0          1            0          84
---------------------------------------------------------------
Total                     0          1            0          84

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 20.0.0.1/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 traffic policy out POL priority low
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 source address 10.0.0.2

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.515 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.515/0.515/0.515/0.000 ms

Step 3: Run command traffic policy show at DUT0 and check if output matches the following regular expression:

1\s+SEL\s+0\s+[1-9]\d*
Policy POL -- ifc eth1 -- hook out prio low

---------------------------------------------------------------
rule   selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1      SEL                0          1            0          84
---------------------------------------------------------------
Total                     0          1            0          84

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 20.0.0.1/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 traffic policy out POL priority low
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 source address 20.0.0.1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.396 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.396/0.396/0.396/0.000 ms

Step 3: Run command traffic policy show at DUT0 and check if output matches the following regular expression:

1\s+SEL\s+[1-9]\d*\s+[1-9]\d*
Policy POL -- ifc eth1 -- hook out prio low

---------------------------------------------------------------
rule   selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1      SEL                1          1           84          84
---------------------------------------------------------------
Total                     1          1           84          84
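The following Python script is an added example, not part of the original test page or of OSDx itself. It models the eth1 out hook of DUT0 as the four examples above exhibit it (a high-priority policy evaluated before source NAT, a low-priority one after it; this ordering is an assumption taken from the examples, not from OSDx internals), replays the DUT1 ping through the model for all four configurations, and checks the resulting counter line against the same regular expressions the test steps use.

```python
import re

# Constructed model of the eth1 out hook on DUT0 (added example, not OSDx code).
# Assumption, taken from the four examples on this page: a policy attached with
# "priority high" is evaluated before source NAT, one with "priority low" after it.
MASQUERADE_ADDR = "20.0.0.1"   # eth1 address that the masquerade rule rewrites to
PING_LEN = 84                  # 56 bytes of payload + 8 ICMP + 20 IPv4 header

# Regular expressions the test steps apply to 'traffic policy show'
RE_MATCHED = r"1\s+SEL\s+[1-9]\d*\s+[1-9]\d*"
RE_NOT_MATCHED = r"1\s+SEL\s+0\s+[1-9]\d*"


def out_hook(src, length, policy_prio, selector_src):
    """Push one packet through the modelled out hook and return the
    (pkts match, pkts eval, bytes match, bytes eval) counters of POL rule 1."""
    pkts_match = pkts_eval = bytes_match = bytes_eval = 0
    for stage in ("policy-high", "snat", "policy-low"):
        if stage == "snat":
            src = MASQUERADE_ADDR          # masquerade rewrites the source
        elif stage == "policy-" + policy_prio:
            pkts_eval += 1                 # POL is evaluated at this stage
            bytes_eval += length
            if src == selector_src:        # selector SEL rule 1: source address
                pkts_match += 1
                bytes_match += length
    return pkts_match, pkts_eval, bytes_match, bytes_eval


def show_row(counters):
    """Render the rule line in the layout 'traffic policy show' prints."""
    pm, pe, bm, be = counters
    return f"1      SEL {pm:16d} {pe:10d} {bm:12d} {be:12d}"


def run_example(policy_prio, selector_src, expected_re):
    """Replay one example: DUT1 (10.0.0.2) pings 20.0.0.2 through DUT0 and the
    resulting counter line is checked against the page's regular expression."""
    row = show_row(out_hook("10.0.0.2", PING_LEN, policy_prio, selector_src))
    return re.search(expected_re, row) is not None


if __name__ == "__main__":
    cases = [("high", "10.0.0.2", RE_MATCHED), ("high", "20.0.0.1", RE_NOT_MATCHED),
             ("low", "10.0.0.2", RE_NOT_MATCHED), ("low", "20.0.0.1", RE_MATCHED)]
    for n, (prio, sel, rx) in enumerate(cases, 1):
        print(f"Example {n}: {'OK' if run_example(prio, sel, rx) else 'FAIL'}")
```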