Policy
The following scenarios show how to configure different traffic policies. Policies can be used to manage and classify network packets. Traffic selectors can be configured to filter packets based on certain fields.
Test Policy Actions
Description
In this scenario, an ingress traffic policy is configured in DUT0 (‘eth0’ interface). Different traffic actions are configured to accept, drop or limit incoming traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 action accept
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.254 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.254/0.254/0.254/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 action accept
set traffic policy POLICY_IN rule 1 action drop
Step 5: Expect a failure in the following command:
Initiate a UDP connection from DUT1 to DUT0 and try to send some messages between both endpoints:
admin@DUT0$ monitor test connection server 8080 udp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp
Step 6: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 action drop
set traffic policy POLICY_IN rule 1 action rate-limit 10
Step 7: Initiate a bandwidth test from DUT1 to DUT0:
admin@DUT0$ monitor test performance server port 5001
admin@DUT1$ monitor test performance client 10.0.0.1 duration 5 port 5001 parallel 1
Expect this output in DUT1:
Connecting to host 10.0.0.1, port 5001
[  5] local 10.0.0.2 port 35118 connected to 10.0.0.1 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.12 MBytes  26.2 Mbits/sec  256   8.48 KBytes
[  5]   1.00-2.00   sec  1.24 MBytes  10.4 Mbits/sec  115   2.83 KBytes
[  5]   2.00-3.00   sec   954 KBytes  7.82 Mbits/sec  125   17.0 KBytes
[  5]   3.00-4.00   sec  1.24 MBytes  10.4 Mbits/sec  150   14.1 KBytes
[  5]   4.00-5.00   sec   954 KBytes  7.82 Mbits/sec   91   8.48 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  7.47 MBytes  12.5 Mbits/sec  737             sender
[  5]   0.00-5.00   sec  6.84 MBytes  11.5 Mbits/sec                  receiver

iperf Done.
Note
The previous test should show a very low bandwidth rate.
Test Policy Copy
Description
In this scenario, an ingress traffic policy is configured in DUT0 (‘eth0’ interface). Different copy actions are configured to store the ToS value in the conntrack mark and extra conntrack mark fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 copy tos connmark
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.315 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.257 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.215 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.276 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.486 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4077ms
rtt min/avg/max/mdev = 0.215/0.309/0.486/0.093 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=12
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=38772 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=38772 packets=0 bytes=0 mark=0 use=1
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=50467 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50467 packets=0 bytes=0 mark=0 use=1
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=44594 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=44594 packets=0 bytes=0 mark=0 use=1
udp 17 29 src=127.0.0.1 dst=127.0.0.1 sport=52622 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=52622 packets=0 bytes=0 mark=0 use=1
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=50593 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50593 packets=0 bytes=0 mark=0 use=1
udp 17 29 src=127.0.0.1 dst=127.0.0.1 sport=44971 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=44971 packets=0 bytes=0 mark=0 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=361 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=361 packets=5 bytes=420 mark=12 use=1
conntrack v1.4.7 (conntrack-tools): 7 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 copy tos connmark
set traffic policy POLICY_IN rule 1 copy tos extra-connmark 1
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.201 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.253 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.236 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.317 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.205 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4100ms
rtt min/avg/max/mdev = 0.201/0.242/0.317/0.042 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
emark1=12
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=362 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=362 packets=5 bytes=420 mark=0 emark1=12 use=1
udp 17 28 src=127.0.0.1 dst=127.0.0.1 sport=36054 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=36054 packets=0 bytes=0 mark=0 use=1
udp 17 28 src=127.0.0.1 dst=127.0.0.1 sport=44999 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=44999 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Test Policy Set
Description
In this scenario, an egress traffic policy is configured in DUT0 (‘eth0’ interface) to mark outgoing packets using ToS and CoS fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN
set traffic policy POLICY_OUT rule 1 set tos 12
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run command traffic dump monitor detail interface eth0 filter "host 10.0.0.2" at DUT1.
Step 4: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.308 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_OUT rule 1 set tos
set traffic policy POLICY_OUT rule 1 set cos 5
Step 6: Run command traffic dump monitor detail interface eth0 filter "host 10.0.0.2" at DUT1.
Step 7: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.238 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
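Added example (not part of the original page or of OSDx): the traffic dump at DUT1 is where the egress marking becomes visible, so this Python code decodes both fields from a captured frame and checks them against the policy. It assumes that cos refers to the 802.1Q priority (PCP) bits of the VLAN 100 tag and that tos 12 is a decimal value; the function names are hypothetical and the frames are constructed, not captured from the DUTs.

```python
import struct


def decode_qos(frame: bytes) -> dict:
    """Return the 802.1Q priority/VLAN ID and the IPv4 ToS byte of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("truncated or malformed IPv4 header")
    tos = frame[offset + 1]
    return {"vlan": vlan, "tos": tos, "dscp": tos >> 2, "ecn": tos & 0x3}


def build_frame(vid: int, pcp: int, tos: int) -> bytes:
    """Constructed frame from DUT0 to DUT1: Ethernet + 802.1Q tag + bare IPv4 header."""
    macs = bytes.fromhex("deadbeef6c10") + bytes.fromhex("deadbeef6c00")
    tag = struct.pack("!HHH", 0x8100, (pcp << 13) | vid, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return macs + tag + ip


def marking_ok(frame: bytes, vid: int, tos=None, cos=None) -> bool:
    """Check that a frame on the expected VLAN carries the expected ToS and/or CoS."""
    q = decode_qos(frame)
    if q["vlan"] is None or q["vlan"]["vid"] != vid:
        return False
    if tos is not None and q["tos"] != tos:
        return False
    return cos is None or q["vlan"]["pcp"] == cos


if __name__ == "__main__":
    after_step1 = build_frame(vid=100, pcp=0, tos=12)  # policy: set tos 12
    after_step5 = build_frame(vid=100, pcp=5, tos=0)   # policy: set cos 5
    print(decode_qos(after_step1), marking_ok(after_step1, 100, tos=12))
    print(decode_qos(after_step5), marking_ok(after_step5, 100, cos=5))
```

A ToS byte of 12 decodes to DSCP 3 with ECN 0, which is worth knowing when the receiving side classifies on DSCP rather than on the raw byte.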
Test Policy Set Conntrack Values
Description
In this scenario, an ingress traffic policy is configured in DUT0 (‘eth0’ interface). Different set actions are configured to change the conntrack mark, the app-id and the VRF.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 set connmark 15
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.527 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.319 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.262 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.258 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.214 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4078ms
rtt min/avg/max/mdev = 0.214/0.316/0.527/0.110 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=15
udp 17 28 src=127.0.0.1 dst=127.0.0.1 sport=38957 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=38957 packets=0 bytes=0 mark=0 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=363 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=363 packets=5 bytes=420 mark=15 use=1
udp 17 28 src=127.0.0.1 dst=127.0.0.1 sport=39776 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=39776 packets=0 bytes=0 mark=0 use=1
udp 17 28 src=127.0.0.1 dst=127.0.0.1 sport=58050 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=58050 packets=0 bytes=0 mark=0 use=1
udp 17 28 src=127.0.0.1 dst=127.0.0.1 sport=42695 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=42695 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 5 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 set connmark
set traffic policy POLICY_IN rule 1 set app-id custom 80
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.225 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.243 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.238 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.249 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.246 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4080ms
rtt min/avg/max/mdev = 0.225/0.240/0.249/0.008 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
appdetect[U:80]
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=50672 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=50672 packets=0 bytes=0 mark=0 use=1
udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=34110 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=34110 packets=0 bytes=0 mark=0 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=364 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=364 packets=5 bytes=420 mark=0 use=1 appdetect[U:80]
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Step 8: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 set app-id
set interfaces ethernet eth0 vif 100 vrf RED
set system vrf RED
set traffic policy POLICY_IN rule 1 set vrf RED
Step 9: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.362 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.231 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.234 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.212 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.250 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4077ms
rtt min/avg/max/mdev = 0.212/0.257/0.362/0.053 ms
Step 10: Run command system conntrack show at DUT0 and check if output contains the following tokens:
vrf=RED
udp 17 27 src=127.0.0.1 dst=127.0.0.1 sport=39129 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=39129 packets=0 bytes=0 mark=0 use=1
udp 17 27 src=127.0.0.1 dst=127.0.0.1 sport=42879 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=42879 packets=0 bytes=0 mark=0 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=365 vrf=RED packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=365 vrf=RED packets=5 bytes=420 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
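Added example (not part of the original test suite or of OSDx): the conntrack checks in Test Policy Copy and in this scenario look for a token anywhere in the output, whereas the Python code below ties the token to the flow originated by DUT1, so a mark on an unrelated entry or a longer value such as mark=120 does not pass. The function names are hypothetical and the sample entries are constructed, modelled on the output shown above.

```python
import re

KV = re.compile(r"^([A-Za-z0-9_-]+)=(\S+)$")
# Keys that describe one direction of the flow; the rest (mark, emark1, use) is per flow.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "vrf", "packets", "bytes"}


def parse_entry(line):
    """Parse one conntrack line into original tuple, reply tuple, flow metadata and tags."""
    tokens = line.split()
    if len(tokens) < 4 or not tokens[1].isdigit():
        return None  # blank line or the "flow entries have been shown" footer
    entry = {"proto": tokens[0], "orig": {}, "reply": {}, "meta": {}, "tags": []}
    side = "orig"
    for tok in tokens[3:]:
        m = KV.match(tok)
        if not m:
            entry["tags"].append(tok)  # e.g. [UNREPLIED], appdetect[U:80]
            continue
        key, val = m.groups()
        if key == "src" and "src" in entry["orig"]:
            side = "reply"  # the second src= starts the reply direction
        if key in TUPLE_KEYS:
            entry[side][key] = val
        else:
            entry["meta"][key] = val
    return entry


def flow_has_token(text, src, dst, token):
    """True only if a flow originated by src towards dst carries the expected token."""
    m = KV.match(token)
    for line in text.splitlines():
        e = parse_entry(line)
        if not e or e["orig"].get("src") != src or e["orig"].get("dst") != dst:
            continue
        if m is None:
            if token in e["tags"]:
                return True
        elif m.group(2) in (e["meta"].get(m.group(1)), e["orig"].get(m.group(1))):
            return True
    return False


# Constructed samples modelled on the entries above (tuple part only, flow fields appended).
ICMP = ("icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=361 packets=5 bytes=420 "
        "src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=361 packets=5 bytes=420 ")
DNS = ("udp 17 26 src=127.0.0.1 dst=127.0.0.1 sport=38772 dport=53 packets=1 bytes=62 "
       "[UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=38772 packets=0 bytes=0 ")
MARKED = DNS + "mark=0 use=1\n" + ICMP + "mark=12 use=1\n"
MISPLACED = DNS + "mark=12 use=1\n" + ICMP + "mark=120 use=1\n"  # substring check passes

if __name__ == "__main__":
    for name, text in (("MARKED", MARKED), ("MISPLACED", MISPLACED)):
        print(name, "mark=12" in text, flow_has_token(text, "10.0.0.2", "10.0.0.1", "mark=12"))
```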
Test Policy Log
Description
In this scenario, an ingress traffic policy is configured in DUT0 (‘eth0’ interface). The log option is configured to show system messages that help debug and analyze the network status.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 log level err
set traffic policy POLICY_IN rule 1 log prefix DEBUG-
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.380 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.380/0.380/0.380/0.000 ms
Step 4: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[DEBUG--1] ACCEPT IN=eth0
File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd
FileNotFoundError: [Errno 2] No such file or directory
Oct 30 14:21:42.873014 osdx OSDxCLI[441150]: User 'admin' added a new cfg line: 'show working'.
Oct 30 14:21:42.903284 osdx zebra[1601]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 30 14:21:43.007937 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 30 14:21:43.033370 osdx (udev-worker)[447675]: Network interface NamePolicy= disabled on kernel command line.
Oct 30 14:21:43.202241 osdx cfgd[1636]: [441150]Completed change to active configuration
Oct 30 14:21:43.228869 osdx OSDxCLI[441150]: User 'admin' committed the configuration.
Oct 30 14:21:43.246262 osdx OSDxCLI[441150]: User 'admin' left the configuration menu.
Oct 30 14:21:43.941358 osdx kernel: [DEBUG--1] ACCEPT IN=eth0.100 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00:45:00:00:54 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=63257 DF PROTO=ICMP TYPE=8 CODE=0 ID=366 SEQ=1
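Added example (not OSDx code): a Python parser for the kernel line written by the rule's log option, so a check can assert on rule number, action, interface and addresses instead of a substring, and so logged packets can be counted per source. It assumes the bracketed tag is the configured prefix followed by -<rule number>, as the single line above suggests; the function names are hypothetical and the DROP line in the sample is constructed.

```python
import re
from collections import Counter

# "[<prefix>-<rule>] <ACTION> IN=..." following the journal's "kernel:" field.
LINE = re.compile(r"kernel: \[(?P<tag>[^\]]+)\] (?P<action>[A-Z]+) (?P<fields>IN=.*)$")


def parse_policy_log(line, prefix):
    """Parse one journal line written by a rule's log option; None if it is not one."""
    m = LINE.search(line)
    if not m or not m.group("tag").startswith(prefix + "-"):
        return None
    rule = m.group("tag")[len(prefix) + 1:]
    if not rule.isdigit():
        return None
    rec = {"rule": int(rule), "action": m.group("action"), "ip": {}, "l4": {}, "flags": []}
    layer = "ip"
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(tok)  # bare flags such as DF
            continue
        rec[layer][key] = val         # OUT= is kept as an empty string
        if key == "PROTO":
            layer = "l4"              # ID= occurs twice: IP ID before PROTO, ICMP id after
    return rec


def summarise(lines, prefix):
    """Count logged packets per (rule, action, source address, protocol)."""
    counts = Counter()
    for line in lines:
        rec = parse_policy_log(line, prefix)
        if rec:
            counts[(rec["rule"], rec["action"], rec["ip"].get("SRC"), rec["ip"].get("PROTO"))] += 1
    return counts


# The first two lines come from the journal output above; the DROP line is constructed.
SAMPLE = [
    "Oct 30 14:21:43.007937 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0",
    "Oct 30 14:21:43.941358 osdx kernel: [DEBUG--1] ACCEPT IN=eth0.100 OUT= "
    "MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00:45:00:00:54 SRC=10.0.0.2 DST=10.0.0.1 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=63257 DF PROTO=ICMP TYPE=8 CODE=0 ID=366 SEQ=1",
    "Oct 30 14:21:44.100000 osdx kernel: [DEBUG--1] DROP IN=eth0.100 OUT= SRC=10.0.0.3 "
    "DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=8080 LEN=40",
]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE, "DEBUG-").items():
        print(key, n)
```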
Test Policy Advisor
Description
In this scenario, an ingress traffic policy is configured in DUT0 (‘eth0’ interface). The advisor option is configured to enable/disable the rule depending on the advisor status. If the rule is enabled, incoming traffic will be dropped.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system advisor ADV test false
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 action drop
set traffic policy POLICY_IN rule 1 advisor ADV
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.320 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.320/0.320/0.320/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
set system advisor ADV test true
Step 5: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Modify the following configuration lines in DUT0:
set system advisor ADV test false
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.210 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.210/0.210/0.210/0.000 ms