In Policy
This scenario shows how to attach a traffic policy to the in
hook in an Ethernet interface. This hook is triggered when a
packet is received through the interface.
Test Interface Traffic In
Description
A traffic policy is configured in DUT0 to drop all incoming traffic with packet length larger than 128 bytes.
Scenario
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.0.0.1/24
    set interfaces ethernet eth0 traffic policy in P1
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
    set traffic policy P1 rule 1 action drop
    set traffic policy P1 rule 1 selector BIG_PKT
    set traffic selector BIG_PKT rule 1 length min 128
Step 2: Set the following configuration in DUT1:
    set interfaces ethernet eth0 address 10.0.0.2/24
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
    admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.320 ms
    --- 10.0.0.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.320/0.320/0.320/0.000 ms
Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
    admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1
    PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.
    --- 10.0.0.1 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 5: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:
    1\s+BIG_PKT\s+[1-9]\d*\s+[1-9]\d*
Output:
    Policy P1 -- ifc eth0 -- hook in prio very-high
    ---------------------------------------------------------------
    rule  selector  pkts match  pkts eval  bytes match  bytes eval
    ---------------------------------------------------------------
    1     BIG_PKT            1          2          284         368
    ---------------------------------------------------------------
    Total                    1          2          284         368
Test Interface Traffic In With Priorities
Description
Two traffic policies are configured in DUT0 with different priorities. The first one marks incoming traffic with packet length larger than 128 bytes, while the second one drops the marked packets.
Scenario
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.0.0.1/24
    set interfaces ethernet eth0 traffic policy in P1
    set interfaces ethernet eth0 traffic policy in P2 priority low
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
    set traffic policy P1 rule 1 selector BIG_PKT
    set traffic policy P1 rule 1 set mark 1
    set traffic policy P2 rule 1 action drop
    set traffic policy P2 rule 1 selector MARKED
    set traffic selector BIG_PKT rule 1 length min 128
    set traffic selector MARKED rule 1 mark 1
Step 2: Set the following configuration in DUT1:
    set interfaces ethernet eth0 address 10.0.0.2/24
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
    admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.365 ms
    --- 10.0.0.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
    admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1
    PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.
    --- 10.0.0.1 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 5: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:
    1\s+BIG_PKT\s+[1-9]\d*\s+[1-9]\d*
Output:
    Policy P1 -- ifc eth0 -- hook in prio very-high
    ---------------------------------------------------------------
    rule  selector  pkts match  pkts eval  bytes match  bytes eval
    ---------------------------------------------------------------
    1     BIG_PKT            1          2          284         368
    ---------------------------------------------------------------
    Total                    1          2          284         368
    Policy P2 -- ifc eth0 -- hook in prio low
    ---------------------------------------------------------------
    rule  selector  pkts match  pkts eval  bytes match  bytes eval
    ---------------------------------------------------------------
    1     MARKED             1          2          284         368
    ---------------------------------------------------------------
    Total                    1          2          284         368
Step 6: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:
    1\s+MARKED\s+[1-9]\d*\s+[1-9]\d*
Output:
    Policy P1 -- ifc eth0 -- hook in prio very-high
    ---------------------------------------------------------------
    rule  selector  pkts match  pkts eval  bytes match  bytes eval
    ---------------------------------------------------------------
    1     BIG_PKT            1          2          284         368
    ---------------------------------------------------------------
    Total                    1          2          284         368
    Policy P2 -- ifc eth0 -- hook in prio low
    ---------------------------------------------------------------
    rule  selector  pkts match  pkts eval  bytes match  bytes eval
    ---------------------------------------------------------------
    1     MARKED             1          2          284         368
    ---------------------------------------------------------------
    Total                    1          2          284         368