Address Group
The following scenario shows how to configure a traffic group with several IPv4 addresses and address ranges. Traffic selectors can be configured to filter network packets based on their source or destination address, and an address group lets one selector rule refer to a whole set of addresses at once.
Test Traffic Group With IPv4 Addresses
Description
In this scenario, an ingress traffic policy is configured on DUT0 (interface eth0) to deny non-matching packets. Packets are filtered using a traffic selector and a traffic group: rule 1 of the policy accepts packets whose source address belongs to the ALLOWED group, and rule 2 drops everything else.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy in ACCEPT_ALLOWED
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group address ALLOWED element 10.0.0.2-10.0.0.9
set traffic group address ALLOWED element 10.0.0.254
set traffic policy ACCEPT_ALLOWED rule 1 action accept
set traffic policy ACCEPT_ALLOWED rule 1 selector SEL_ALLOWED
set traffic policy ACCEPT_ALLOWED rule 2 action drop
set traffic selector SEL_ALLOWED rule 1 source address-group ALLOWED
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 vrf A
set interfaces ethernet eth1 address 10.0.0.20/24
set interfaces ethernet eth1 vrf B
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf A
set system vrf B
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 vrf A count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: A
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 A: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.283 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.283/0.283/0.283/0.000 ms
Step 4: Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:
admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 tcp local-interface eth0
Step 5: Expect a failure in the following command. The connection now leaves DUT1 through eth1, whose address 10.0.0.20 is not in the ALLOWED group, so rule 2 of the ingress policy on DUT0 drops the packets:
Initiate a TCP connection from DUT1 to DUT0 and try to send some messages between both endpoints:
admin@DUT0$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 tcp local-interface eth1
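The steps above only show the end result (one connection succeeds, the other fails). The following Python model, added here as an illustration and not code from the router or its documentation, parses the traffic-related "set" lines of the DUT0 configuration and evaluates the ACCEPT_ALLOWED policy for the source addresses used in steps 3 to 5. It generalises slightly beyond the page: besides single addresses and "first-last" ranges, the element parser also accepts a CIDR prefix, which is an assumption of this model, and a packet that matches no rule at all is reported as None because the page does not state the device's fall-through behaviour.

```python
import ipaddress

# Constructed subset of the DUT0 configuration shown in Step 1 (only the
# traffic group, selector and policy lines matter for the evaluation).
DUT0_CONFIG = """
set traffic group address ALLOWED element 10.0.0.2-10.0.0.9
set traffic group address ALLOWED element 10.0.0.254
set traffic policy ACCEPT_ALLOWED rule 1 action accept
set traffic policy ACCEPT_ALLOWED rule 1 selector SEL_ALLOWED
set traffic policy ACCEPT_ALLOWED rule 2 action drop
set traffic selector SEL_ALLOWED rule 1 source address-group ALLOWED
"""


def parse_element(text):
    """Turn one address-group element into an inclusive (first, last) pair.

    Supports a single address, a 'first-last' range (both appear on the
    page) and, as an assumption of this model, a CIDR prefix.
    """
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p) for p in text.split("-", 1))
    elif "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        first, last = net[0], net[-1]
    else:
        first = last = ipaddress.IPv4Address(text)
    if first > last:
        raise ValueError(f"range start is after range end: {text}")
    return first, last


def parse_config(config):
    """Collect address groups, selectors and policy rules from 'set' lines."""
    groups, selectors, policies = {}, {}, {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:4] == ["set", "traffic", "group", "address"]:
            # set traffic group address <group> element <value>
            groups.setdefault(tok[4], []).append(parse_element(tok[6]))
        elif tok[:3] == ["set", "traffic", "selector"]:
            # set traffic selector <selector> rule <n> source address-group <group>
            selectors.setdefault(tok[3], []).append(tok[8])
        elif tok[:3] == ["set", "traffic", "policy"]:
            # set traffic policy <policy> rule <n> (action <a> | selector <s>)
            rule = policies.setdefault(tok[3], {}).setdefault(int(tok[5]), {})
            rule[tok[6]] = tok[7]
    return groups, selectors, policies


def in_group(groups, name, addr):
    """True if addr falls inside any element of the named address group."""
    addr = ipaddress.IPv4Address(addr)
    return any(first <= addr <= last for first, last in groups[name])


def evaluate(config, policy_name, src):
    """Return the action of the first policy rule matching source address src.

    Rules are tried in ascending rule number; a rule with no selector (rule 2
    above) matches every packet. None means no rule matched, a case this
    configuration never reaches.
    """
    groups, selectors, policies = parse_config(config)
    for num in sorted(policies[policy_name]):
        rule = policies[policy_name][num]
        sel = rule.get("selector")
        if sel is None or any(in_group(groups, g, src) for g in selectors[sel]):
            return rule["action"]
    return None


if __name__ == "__main__":
    # 10.0.0.2 is DUT1 eth0 (Steps 3 and 4), 10.0.0.20 is DUT1 eth1 (Step 5).
    for src in ("10.0.0.2", "10.0.0.20", "10.0.0.254", "10.0.0.10"):
        print(f"{src:>11} -> {evaluate(DUT0_CONFIG, 'ACCEPT_ALLOWED', src)}")
```

Running the script prints "accept" for 10.0.0.2 and 10.0.0.254 and "drop" for 10.0.0.20 and 10.0.0.10, which is exactly why the client on eth0 connects in Step 4 and the client on eth1 fails in Step 5. The same model is a convenient way to check a proposed group change against a list of addresses before committing it to the device.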