Chained Policies
The following scenario shows how to configure different traffic policies: some of them are globally attached and others are linked to a specific interface.
Test Traffic Policy Chain
Description
A chain of traffic policies is configured in DUT0 to mark the incoming traffic with packet length larger than 128 bytes. Every traffic policy matches a specific packet mark set by the previous traffic policy. The last traffic policy drops the packet.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in P1 priority very-high
set interfaces ethernet eth0 traffic policy in P3 priority high
set interfaces ethernet eth0 traffic policy in P5 priority low
set interfaces ethernet eth0 traffic policy in P7 priority very-low
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in P2 priority very-high
set system traffic policy in P4 priority high
set system traffic policy in P6 priority low
set system traffic policy in P8 priority very-low
set traffic policy P1 rule 1 selector S1
set traffic policy P1 rule 1 set mark 1
set traffic policy P2 rule 1 selector S2
set traffic policy P2 rule 1 set mark 2
set traffic policy P3 rule 1 selector S3
set traffic policy P3 rule 1 set mark 3
set traffic policy P4 rule 1 selector S4
set traffic policy P4 rule 1 set mark 4
set traffic policy P5 rule 1 selector S5
set traffic policy P5 rule 1 set mark 5
set traffic policy P6 rule 1 selector S6
set traffic policy P6 rule 1 set mark 6
set traffic policy P7 rule 1 selector S7
set traffic policy P7 rule 1 set mark 7
set traffic policy P8 rule 1 action drop
set traffic policy P8 rule 1 selector S8
set traffic policy P8 rule 1 set mark 8
set traffic selector S1 rule 1 length min 128
set traffic selector S2 rule 1 mark 1
set traffic selector S3 rule 1 mark 2
set traffic selector S4 rule 1 mark 3
set traffic selector S5 rule 1 mark 4
set traffic selector S6 rule 1 mark 5
set traffic selector S7 rule 1 mark 6
set traffic selector S8 rule 1 mark 7
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.331 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.331/0.331/0.331/0.000 ms
Step 4: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 256 timeout 1
PING 10.0.0.1 (10.0.0.1) 256(284) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 5: Run command traffic policy P8 show at DUT0 and expect this output:
Policy P8 -- system -- hook in prio very-low

---------------------------------------------------------------
rule  selector  pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------
1     S8                 1          2          284         368
---------------------------------------------------------------
Total                    1          2          284         368
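Added example (not part of the original page and not the vendor's code): a small Python model of the chain configured in Step 1 that replays the two pings and reproduces the P8 counters of Step 5. It assumes that policies run in priority order with the interface hook before the system hook at equal priority, which is the order the scenario's result implies, and that length min 128 matches 128 bytes or more; all function names are hypothetical.

```python
import re
from collections import Counter

PRIO = {"very-high": 0, "high": 1, "low": 2, "very-low": 3}  # only the levels used on this page

def dut0_lines():
    """Constructed input: regenerates the policy-related lines of Step 1."""
    out = ["set traffic policy P8 rule 1 action drop"]
    for n in range(1, 9):
        scope = "interfaces ethernet eth0" if n % 2 else "system"
        match = "length min 128" if n == 1 else f"mark {n - 1}"
        out += [f"set {scope} traffic policy in P{n} priority {list(PRIO)[(n - 1) // 2]}",
                f"set traffic policy P{n} rule 1 selector S{n}",
                f"set traffic policy P{n} rule 1 set mark {n}",
                f"set traffic selector S{n} rule 1 {match}"]
    return out

def parse(lines):
    """Return the policies in evaluation order plus the selector table."""
    hooks, pol, sel = [], {}, {}
    for line in lines:
        if m := re.match(r"set (interfaces ethernet \S+|system) traffic policy in (\S+) priority (\S+)", line):
            # Assumption: at equal priority the interface hook runs before the system hook.
            hooks.append((PRIO[m[3]], m[1] == "system", m[2]))
        elif m := re.match(r"set traffic policy (\S+) rule 1 (selector|set mark|action) (\S+)", line):
            pol.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"set traffic selector (\S+) rule 1 (length min|mark) (\d+)", line):
            sel[m[1]] = (m[2], int(m[3]))
    return [(name, pol[name]) for _, _, name in sorted(hooks)], sel

def run(lines, packet_lengths):
    """Send packets (IP total length in bytes) through the chain; return verdicts and counters."""
    chain, sel = parse(lines)
    stats = {name: Counter() for name, _ in chain}
    verdicts = []
    for length in packet_lengths:
        mark, verdict = 0, "accept"
        for name, rule in chain:
            kind, value = sel[rule["selector"]]
            # Assumption: "length min" is inclusive; mark selectors need an exact match.
            hit = length >= value if kind == "length min" else mark == value
            stats[name].update(pkts_eval=1, bytes_eval=length)
            if hit:
                stats[name].update(pkts_match=1, bytes_match=length)
                mark = int(rule.get("set mark", mark))
                if rule.get("action") == "drop":
                    verdict = "drop"
                    break
        verdicts.append((length, mark, verdict))
    return verdicts, stats
```

Calling run(dut0_lines(), [84, 284]) replays the pings of Steps 3 and 4 by their IP lengths: the 84-byte packet traverses all eight policies unmarked, while the 284-byte packet is marked 1 through 8 and dropped at P8.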