Address Group
The following scenario shows how to configure a traffic group with different MAC addresses. Traffic selectors can be configured to filter network packets based on their source / destination MAC address.
Test Traffic Group With MAC Addresses
Description
In this scenario, a link traffic policy is configured to deny non-matching packets in DUT0 (‘eth0’ interface). Packets are filtered using a traffic selector and a traffic group.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy link ACCEPT_ALLOWED
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group mac-address ALLOWED_MACS element 'DE:AD:BE:EF:6C:10'
set traffic group mac-address ALLOWED_MACS element 'de:ad:be:ef:6c:30-de:ad:be:ef:6c:40'
set traffic policy ACCEPT_ALLOWED rule 1 action accept
set traffic policy ACCEPT_ALLOWED rule 1 selector SEL_ALLOWED
set traffic policy ACCEPT_ALLOWED rule 2 action drop
set traffic selector SEL_ALLOWED rule 1 source mac-address-group ALLOWED_MACS
Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth1 address 10.0.0.20/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run command interfaces ethernet show detail at DUT1 and check if output contains the following tokens:

DE:AD:BE:EF:6C:10
DE:AD:BE:EF:6C:11

----------------------------------------------------------------------------------------------------------------
Name  Idx  IP Address                    Admin  Oper  Link  MTU   Vrf  Upper  Lower  Type      Phys addr
----------------------------------------------------------------------------------------------------------------
eth0    2                                down   down  down  1500                     ethernet  de:ad:be:ef:6c:10
eth1    3  10.0.0.20/24                  up     up    up    1500                     ethernet  de:ad:be:ef:6c:11
           fe80::dcad:beff:feef:6c11/64
Step 4: Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 tcp local-interface eth0
Step 5: Expect a failure in the following command:
Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:

admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 tcp local-interface eth1
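
Added example (not part of the original page or the vendor's code): a Python model of the Step 1 policy that predicts which source MAC addresses DUT0 accepts, useful for reviewing an allow-list offline before applying it. The function names are hypothetical, and the code assumes that ranges include both endpoints, that rules are evaluated in numeric order with the first match deciding, and that a rule without a selector matches every packet.

```python
import re

# Policy-relevant lines copied from the Step 1 configuration of DUT0.
CONFIG = """\
set traffic group mac-address ALLOWED_MACS element 'DE:AD:BE:EF:6C:10'
set traffic group mac-address ALLOWED_MACS element 'de:ad:be:ef:6c:30-de:ad:be:ef:6c:40'
set traffic policy ACCEPT_ALLOWED rule 1 action accept
set traffic policy ACCEPT_ALLOWED rule 1 selector SEL_ALLOWED
set traffic policy ACCEPT_ALLOWED rule 2 action drop
set traffic selector SEL_ALLOWED rule 1 source mac-address-group ALLOWED_MACS
"""

def mac_to_int(mac):
    """Normalise a colon-separated MAC (either case) to a 48-bit integer."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)

def parse_mac_groups(config):
    """Return {group: [(low, high), ...]}; a single address is a one-element range."""
    groups = {}
    pattern = r"set traffic group mac-address (\S+) element '([^']+)'"
    for name, element in re.findall(pattern, config):
        low, _, high = element.partition("-")
        lo, hi = mac_to_int(low), mac_to_int(high or low)
        if lo > hi:
            raise ValueError(f"reversed range in group {name}: {element}")
        groups.setdefault(name, []).append((lo, hi))
    return groups

def in_group(groups, name, mac):
    """Assumption: both endpoints of a range belong to the group."""
    value = mac_to_int(mac)
    return any(lo <= value <= hi for lo, hi in groups.get(name, []))

def verdict(config, policy, src_mac):
    """Assumed: numeric rule order, first match wins, no selector = match all."""
    groups = parse_mac_groups(config)
    selectors = dict(re.findall(
        r"set traffic selector (\S+) rule \d+ source mac-address-group (\S+)", config))
    rules = {}
    for num, key, value in re.findall(
            rf"set traffic policy {re.escape(policy)} rule (\d+) (action|selector) (\S+)", config):
        rules.setdefault(int(num), {})[key] = value
    for num in sorted(rules):
        selector = rules[num].get("selector")
        if selector is None or in_group(groups, selectors[selector], src_mac):
            return rules[num]["action"]
    return "no-match"
```

With the DUT1 addresses from Step 3, `verdict(CONFIG, "ACCEPT_ALLOWED", "de:ad:be:ef:6c:10")` gives `accept` (the Step 4 case) and `de:ad:be:ef:6c:11` gives `drop` (the Step 5 case).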