Check Link Hook
This scenario shows how to attach a traffic policy to the link hook on a cellular interface. This hook is triggered at a very early stage of the network packet stack (layer 2).
Test Early Packet Drop
Description
In DUT0, the cellular interface is configured with a traffic policy on the link hook that allows only ARP and UDP packets and drops all other incoming traffic at the link stage.
Scenario
Step 1: Set the following configuration in DUT0:
set cellular profile CELPROFILE apn movistar.es
set interfaces cellular cell0 address dhcp
set interfaces cellular cell0 encrypted-pin U2FsdGVkX184+xuYmpT0M8u5XPJNVOY7+0gjT9OocLA=
set interfaces cellular cell0 profile CELPROFILE
set service dns forwarding dhcp interface cell0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 8.8.8.8 from DUT0:
admin@DUT0$ ping 8.8.8.8 count 1 size 56 timeout 1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=29.5 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 29.489/29.489/29.489/0.000 ms
Note
The previous command shows that the ICMP packets for the ‘ping’ command are received without problems, because the traffic policy responsible for dropping them has not yet been applied to the cellular interface.
Note
However, once the traffic policy is applied, the ‘ping’ command fails because ICMP packets are now dropped.
Step 3: Modify the following configuration lines in DUT0:
set interfaces cellular cell0 traffic policy link EDROP_POLICY
set traffic policy EDROP_POLICY rule 1 action accept
set traffic policy EDROP_POLICY rule 1 selector ACCEPT_SEL
set traffic policy EDROP_POLICY rule 2 action drop
set traffic selector ACCEPT_SEL rule 1 protocol udp
set traffic selector ACCEPT_SEL rule 2 ether-type arp
Step 4: Expect a failure in the following command: Ping IP address 8.8.8.8 from DUT0:
admin@DUT0$ ping 8.8.8.8 count 1 size 56 timeout 1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
On the other hand, the applied traffic policy allows receiving UDP packets, so the ‘nslookup’ command works without problems.
Step 5: Run command nslookup www.google.es at DUT0 and check if output matches the following regular expressions:
Server:\s+(\d+\.){3}\d+
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.google.es
Address: 142.250.200.99
Name: www.google.es
Address: 2a00:1450:4003:80d::2003
Note
Finally, the following operational command displays the statistics of the traffic policy.
Step 6: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:
1\s+ACCEPT_SEL\s+\b[^0]\d*
Policy EDROP_POLICY -- ifc cell0 -- hook link prio very-high
-----------------------------------------------------------------
rule  selector    pkts match  pkts eval  bytes match  bytes eval
-----------------------------------------------------------------
1     ACCEPT_SEL           3          4          237         321
2     -                    1          1           84          84
-----------------------------------------------------------------
Total                      4          4          321         321
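The Step 6 regular expression only proves that rule 1 matched at least one packet; it says nothing about whether the drop rule fired. The following is an added example, not part of the original test scenario or the product's tooling: it parses the statistics shown in Step 6 (embedded as sample input) and checks that both rules matched and that the counters add up. It assumes first-match evaluation, which the sample counters suggest, and the function names are hypothetical.

```python
import re

# Output of `traffic policy show`, copied from Step 6 of this page.
SAMPLE = """\
Policy EDROP_POLICY -- ifc cell0 -- hook link prio very-high
-----------------------------------------------------------------
rule  selector    pkts match  pkts eval  bytes match  bytes eval
-----------------------------------------------------------------
1     ACCEPT_SEL           3          4          237         321
2     -                    1          1           84          84
-----------------------------------------------------------------
Total                      4          4          321         321
"""

KEYS = ("pkts_match", "pkts_eval", "bytes_match", "bytes_eval")
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
TOTAL = re.compile(r"^\s*Total\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_policy_stats(text):
    """Return (rules, total): rules maps rule number -> counter dict."""
    rules, total = {}, None
    for line in text.splitlines():
        if m := ROW.match(line):
            rules[int(m[1])] = dict(zip(KEYS, map(int, m.groups()[2:])), selector=m[2])
        elif m := TOTAL.match(line):
            total = dict(zip(KEYS, map(int, m.groups())))
    return rules, total


def check_early_drop(text, accept_rule=1, drop_rule=2):
    """Return a list of problems; an empty list means the counters add up."""
    rules, total = parse_policy_stats(text)
    if total is None or not {accept_rule, drop_rule} <= set(rules):
        return ["could not parse policy statistics"]
    acc, drop, problems = rules[accept_rule], rules[drop_rule], []
    if acc["pkts_match"] == 0:
        problems.append("accept rule matched no packets")
    if drop["pkts_match"] == 0:
        problems.append("drop rule matched no packets")
    # Assumption (first-match): packets rule 1 does not match fall through to rule 2.
    if drop["pkts_eval"] != acc["pkts_eval"] - acc["pkts_match"]:
        problems.append("fall-through packet count is inconsistent")
    for key in ("pkts_match", "bytes_match"):
        if acc[key] + drop[key] != total[key]:
            problems.append(f"{key} does not sum to the Total row")
    return problems


if __name__ == "__main__":
    print(check_early_drop(SAMPLE) or "counters consistent")
```

In the sample, the single packet counted by rule 2 is 84 bytes, which is consistent with the 56(84)-byte ping packet from Step 4 being dropped.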