Vrf-Mark
The following scenario shows how to filter packets based on the VRF attribute using traffic selectors.
Test Drop Outgoing ICMP Traffic
Description
This scenario demonstrates how to use the special filter vrf-mark to drop outgoing ICMP packets that were not generated from the local VRF.
Scenario
Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-out ISOLATE
set interfaces ethernet eth0 traffic policy out DROP_MAINVRF
set protocols vrf LOCALVRF static route 0.0.0.0/0 interface eth0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LOCALVRF
set traffic policy DROP_MAINVRF rule 1 action drop
set traffic policy DROP_MAINVRF rule 1 log prefix DROP
set traffic policy DROP_MAINVRF rule 1 selector SEL_MAINVRF
set traffic policy DROP_MAINVRF rule 2 action accept
set traffic policy DROP_MAINVRF rule 2 log prefix BYPASS
set traffic policy ISOLATE rule 1 set vrf LOCALVRF
set traffic selector SEL_MAINVRF rule 1 not vrf-mark LOCALVRF
set traffic selector SEL_MAINVRF rule 1 protocol icmp
Step 3: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.505 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.505/0.505/0.505/0.000 ms
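The following Python model walks the DUT0 egress path from the configuration above so the interaction between the two policies is visible: the echo reply DUT0 generates for DUT1's ping passes through ISOLATE on local-out, receives the LOCALVRF mark, and is therefore not matched by SEL_MAINVRF (which requires "not vrf-mark LOCALVRF" and "protocol icmp"), so rule 2 of DROP_MAINVRF accepts it with the BYPASS log prefix. Two extra packets are constructed to exercise the other branches: an unmarked ICMP packet (dropped, DROP prefix) and an unmarked TCP packet (accepted, because the selector also requires ICMP). This is an added example, not OSDx code; the first-match rule evaluation, the AND of criteria inside one selector rule, the "accept if no rule matches" default, the Packet class and the constructed source address 192.0.2.10 are assumptions made here for illustration.

```python
"""Model of the DUT0 egress policies from the scenario above.

Added example, not OSDx code. Assumptions (not stated on the page):
- policy rules are evaluated in order and the first matching rule decides;
- a rule without a selector matches every packet;
- the criteria inside one selector rule are ANDed;
- 'not vrf-mark X' is true when the packet's mark differs from X
  (including an unmarked packet);
- a packet no rule matches is accepted.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple, Callable


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    vrf_mark: Optional[str] = None  # set by a local-out policy; None means unmarked


# Selector SEL_MAINVRF, rule 1: "not vrf-mark LOCALVRF" AND "protocol icmp"
def sel_mainvrf(pkt: Packet) -> bool:
    return pkt.vrf_mark != "LOCALVRF" and pkt.proto == "icmp"


# Policy ISOLATE (attached to eth0 local-out), rule 1: set vrf LOCALVRF
def policy_isolate(pkt: Packet) -> Packet:
    pkt.vrf_mark = "LOCALVRF"
    return pkt


# Policy DROP_MAINVRF (attached to eth0 out): (rule number, selector, action, log prefix)
DROP_MAINVRF: List[Tuple[int, Optional[Callable[[Packet], bool]], str, str]] = [
    (1, sel_mainvrf, "drop", "DROP"),
    (2, None, "accept", "BYPASS"),
]


def policy_drop_mainvrf(pkt: Packet, log: List[str]) -> str:
    """Return the action of the first matching rule and append a log line for it."""
    for num, selector, action, prefix in DROP_MAINVRF:
        if selector is None or selector(pkt):
            log.append(f"{prefix}: rule {num} {pkt.proto} {pkt.src} -> {pkt.dst} mark={pkt.vrf_mark}")
            return action
    return "accept"  # assumption: no rule matched, packet is let through


def egress_eth0(pkt: Packet, locally_generated: bool, log: List[str]) -> str:
    """Egress path of eth0: local-out policy (for locally generated traffic), then the out policy."""
    if locally_generated:
        pkt = policy_isolate(pkt)
    return policy_drop_mainvrf(pkt, log)


def run_scenario():
    """Evaluate the scenario's echo reply plus two constructed packets; return (results, log)."""
    log: List[str] = []
    results = {}
    # DUT0's echo reply to DUT1: locally generated, so ISOLATE marks it LOCALVRF
    results["icmp_reply_local"] = egress_eth0(Packet("icmp", "10.0.0.1", "10.0.0.2"), True, log)
    # Constructed: an ICMP packet leaving eth0 without the LOCALVRF mark (main VRF)
    results["icmp_unmarked"] = egress_eth0(Packet("icmp", "192.0.2.10", "10.0.0.2"), False, log)
    # Constructed: an unmarked TCP packet; not ICMP, so SEL_MAINVRF does not match it
    results["tcp_unmarked"] = egress_eth0(Packet("tcp", "192.0.2.10", "10.0.0.2"), False, log)
    return results, log


if __name__ == "__main__":
    res, lines = run_scenario()
    for name, action in res.items():
        print(f"{name}: {action}")
    print("\n".join(lines))
```

The order of the two policies is the point: the mark has to be applied on local-out before the out policy inspects it, which is exactly what the two `traffic policy` attachments on eth0 arrange. A quick check that the model agrees with the scenario is that the echo reply comes back with the BYPASS prefix, matching the successful ping in Step 3.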