Policy
The following scenarios show how to configure different
traffic policies. Policies can be used to manage and
classify network packets. Traffic selectors can be
configured to filter packets based on certain fields.
Test Policy Actions
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different traffic actions are
configured to accept, drop or limit incoming traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 action accept
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.545 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.545/0.545/0.545/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 action accept
set traffic policy POLICY_IN rule 1 action drop
Step 5: Expect a failure in the following command:
Initiate a UDP connection from DUT1 to DUT0 and exchange messages between both endpoints:
admin@DUT0$ monitor test connection server 8080 udp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp
Step 6: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 action drop
set traffic policy POLICY_IN rule 1 action rate-limit 10
Step 7: Initiate a bandwidth test from DUT1 to DUT0
admin@DUT0$ monitor test performance server port 5001
admin@DUT1$ monitor test performance client 10.0.0.1 duration 5 port 5001 parallel 1
Expect the following output on DUT1:
Connecting to host 10.0.0.1, port 5001
[  5] local 10.0.0.2 port 42484 connected to 10.0.0.1 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.02 MBytes  25.3 Mbits/sec  325   7.07 KBytes
[  5]   1.00-2.00   sec  1.55 MBytes  13.0 Mbits/sec  165   8.48 KBytes
[  5]   2.00-3.00   sec   764 KBytes  6.25 Mbits/sec  113   8.48 KBytes
[  5]   3.00-4.00   sec  1.49 MBytes  12.5 Mbits/sec  134   7.07 KBytes
[  5]   4.00-5.00   sec  1.18 MBytes  9.90 Mbits/sec  144   7.07 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  7.99 MBytes  13.4 Mbits/sec  881             sender
[  5]   0.00-5.00   sec  7.02 MBytes  11.8 Mbits/sec                  receiver

iperf Done.
Note
The previous test should show a very low bandwidth rate, because rule 1 of POLICY_IN now rate-limits the traffic entering DUT0.
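The checks in Steps 3, 5 and 7 are read by eye from ping and iperf output. As an added example, not code from the original page or from the OSDx tooling, the following Python parses the outputs shown in this scenario and turns them into pass/fail checks: whether a ping got every reply back, and whether the iperf summary stayed under a ceiling once the rate-limit rule is in place. The sample outputs are copied from the steps above (the dropped-ping sample is constructed in the same format); the ceiling value and the helper names are assumptions.

```python
import re

# Output copied from Step 3 (policy action: accept).
PING_OUTPUT = """\
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.545 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.545/0.545/0.545/0.000 ms
"""

# Constructed: what ping prints when the ingress rule drops the echo request.
DROPPED_PING_OUTPUT = """\
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
"""

# Output copied from Step 7 (policy action: rate-limit 10).
IPERF_OUTPUT = """\
Connecting to host 10.0.0.1, port 5001
[  5] local 10.0.0.2 port 42484 connected to 10.0.0.1 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.02 MBytes  25.3 Mbits/sec  325   7.07 KBytes
[  5]   1.00-2.00   sec  1.55 MBytes  13.0 Mbits/sec  165   8.48 KBytes
[  5]   2.00-3.00   sec   764 KBytes  6.25 Mbits/sec  113   8.48 KBytes
[  5]   3.00-4.00   sec  1.49 MBytes  12.5 Mbits/sec  134   7.07 KBytes
[  5]   4.00-5.00   sec  1.18 MBytes  9.90 Mbits/sec  144   7.07 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  7.99 MBytes  13.4 Mbits/sec  881             sender
[  5]   0.00-5.00   sec  7.02 MBytes  11.8 Mbits/sec                  receiver

iperf Done.
"""

PING_STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")
# Matches only the two summary rows (they end in "sender"/"receiver"),
# capturing the bitrate number and its unit letter (K/M/G).
IPERF_SUMMARY = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\wBytes\s+"
    r"([\d.]+)\s+(\w)bits/sec.*\b(sender|receiver)\s*$",
    re.MULTILINE,
)
UNIT_TO_MBITS = {"K": 1e-3, "M": 1.0, "G": 1e3}


def ping_counts(output):
    """Return (transmitted, received) from the ping statistics line."""
    m = PING_STATS.search(output)
    if not m:
        raise ValueError("no ping statistics line found")
    return int(m.group(1)), int(m.group(2))


def ping_succeeded(output):
    """True when every transmitted echo request got a reply."""
    sent, received = ping_counts(output)
    return sent > 0 and received == sent


def iperf_summary_mbps(output):
    """Return (sender_mbps, receiver_mbps) from the iperf3 summary rows."""
    rates = {}
    for m in IPERF_SUMMARY.finditer(output):
        rates[m.group(3)] = float(m.group(1)) * UNIT_TO_MBITS[m.group(2)]
    if {"sender", "receiver"} - rates.keys():
        raise ValueError("iperf summary rows missing")
    return rates["sender"], rates["receiver"]


def rate_limit_effective(output, ceiling_mbps):
    """True when the receiver-side throughput stayed under the chosen ceiling.
    The ceiling is an assumption: pick it from the link speed without the rule."""
    _, receiver = iperf_summary_mbps(output)
    return receiver < ceiling_mbps


if __name__ == "__main__":
    print("ping ok:", ping_succeeded(PING_OUTPUT))
    print("iperf sender/receiver Mbit/s:", iperf_summary_mbps(IPERF_OUTPUT))
    print("rate limit effective (<20 Mbit/s):", rate_limit_effective(IPERF_OUTPUT, 20.0))
```

The receiver-side figure is the one to compare against the ceiling: the sender row counts bytes handed to the socket, including the 881 retransmissions the policing caused, so it overstates what actually crossed the rate-limited interface.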
Test Policy Copy
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different copy actions are
configured to store the ToS value in the conntrack mark
and extra conntrack mark fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 copy tos connmark
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.606 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.259 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.339 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.308 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.280 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4081ms
rtt min/avg/max/mdev = 0.259/0.358/0.606/0.126 ms
Step 4: Run the command system conntrack show on DUT0 and check whether the output contains the following tokens:
mark=12
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=384 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=384 packets=5 bytes=420 mark=12 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 copy tos connmark
set traffic policy POLICY_IN rule 1 copy tos extra-connmark 1
Step 6: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.461 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.263 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.271 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.341 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4103ms
rtt min/avg/max/mdev = 0.263/0.320/0.461/0.076 ms
Step 7: Run the command system conntrack show on DUT0 and check whether the output contains the following tokens:
emark1=12
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=385 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=385 packets=5 bytes=420 mark=0 emark1=12 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Test Policy Set
Description
In this scenario, an egress traffic policy is configured
in DUT0 (‘eth0’ interface) to mark outgoing packets
using ToS and CoS fields.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN
set traffic policy POLICY_OUT rule 1 set tos 12
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run the command traffic dump monitor detail interface eth0 filter "host 10.0.0.2" on DUT1.
Step 4: Ping the IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.333 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.333/0.333/0.333/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_OUT rule 1 set tos
set traffic policy POLICY_OUT rule 1 set cos-mark 5
Step 6: Run the command traffic dump monitor detail interface eth0 filter "host 10.0.0.2" on DUT1.
Step 7: Ping the IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.365 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
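Steps 3 and 6 verify the marks with a packet capture on DUT1. As an added example, not code from the original page or from OSDx, the following Python builds a constructed 802.1Q-tagged IPv4 frame and decodes the two fields that `set tos 12` and `set cos-mark 5` write: the IP ToS byte (with its DSCP and ECN sub-fields) and the 802.1p priority bits of the VLAN tag. The MAC addresses are the ones visible in the Policy Log journal line, the VLAN ID follows the `vif 100` configuration, and the IP checksum is left at zero because the frame is only decoded, never transmitted; all of that is constructed for illustration.

```python
import struct

# Constructed sample MACs (taken from the MAC= field of the journal line in the
# Policy Log scenario); nothing here is sent on the wire.
DUT0_MAC = bytes.fromhex("deadbeef6c00")
DUT1_MAC = bytes.fromhex("deadbeef6c10")
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_ipv4_frame(tos, pcp=None, vid=100):
    """Build Ethernet II + optional 802.1Q tag + a minimal IPv4 header (ICMP, no payload).
    pcp=None produces an untagged frame. Assumption: the checksum stays 0 because
    the frame is only parsed by decode_marks(), never handed to a network stack."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 words
        tos,         # ToS byte: DSCP (6 bits) | ECN (2 bits)
        20,          # total length (header only)
        0,           # identification
        0x4000,      # flags: DF, fragment offset 0
        64,          # TTL
        1,           # protocol: ICMP
        0,           # header checksum (not computed, see docstring)
        bytes([10, 0, 0, 1]),   # DUT0 -> DUT1, as in Steps 4 and 7
        bytes([10, 0, 0, 2]),
    )
    frame = DUT1_MAC + DUT0_MAC
    if pcp is not None:
        # TCI = PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ETH_P_IP) + ip_hdr


def decode_marks(frame):
    """Return CoS (802.1p PCP), VLAN ID, the ToS byte and its DSCP/ECN split."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, pcp, vid = 14, None, None
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, 14)[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != ETH_P_IP:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    tos = frame[offset + 1]   # second byte of the IPv4 header
    return {"cos": pcp, "vlan": vid, "tos": tos, "dscp": tos >> 2, "ecn": tos & 0x3}


if __name__ == "__main__":
    print(decode_marks(build_ipv4_frame(tos=12, pcp=5)))
```

A ToS of 12 decodes to DSCP 3 with ECN 0, which is what a capture shows as `tos 0xc`; the CoS mark lives outside the IP header entirely, in the VLAN tag, so it survives only on the tagged segment and is not visible in an untagged capture.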
Test Policy Set Conntrack Values
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). Different set actions are
configured to change the conntrack mark, the app-id and the
VRF.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 set connmark 15
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.649 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.265 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.269 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.327 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4097ms
rtt min/avg/max/mdev = 0.265/0.355/0.649/0.148 ms
Step 4: Run the command system conntrack show on DUT0 and check whether the output contains the following tokens:
mark=15
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=386 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=386 packets=5 bytes=420 mark=15 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 set connmark
set traffic policy POLICY_IN rule 1 set app-id custom 80
Step 6: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.473 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.255 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.300 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.305 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.253 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4074ms
rtt min/avg/max/mdev = 0.253/0.317/0.473/0.080 ms
Step 7: Run the command system conntrack show on DUT0 and check whether the output contains the following tokens:
appdetect[U6:80]
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=387 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=387 packets=5 bytes=420 mark=0 use=1 appdetect[U6:80]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 8: Modify the following configuration lines in DUT0:
set system conntrack app-detect app-id-storage chained
Step 9: Run the command system conntrack clear on DUT0.
Step 10: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.513 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.274 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.249 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.253 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.299 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4092ms
rtt min/avg/max/mdev = 0.249/0.317/0.513/0.099 ms
Step 11: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
appdetect\[L3:1;U6:80\]
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=388 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=388 packets=5 bytes=420 mark=0 use=1 appdetect[L3:1;U6:80]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 12: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 set app-id
set interfaces ethernet eth0 vif 100 vrf RED
set system vrf RED
set traffic policy POLICY_IN rule 1 set vrf RED
Step 13: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.611 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.183 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.357 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.235 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.254 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4088ms
rtt min/avg/max/mdev = 0.183/0.328/0.611/0.152 ms
Step 14: Run the command system conntrack show on DUT0 and check whether the output contains the following tokens:
vrf=RED
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=389 vrf=RED packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=389 vrf=RED packets=5 bytes=420 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Test Policy Log
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). The log option is configured to
show system messages that help debug and analyze the
network status. Additionally, an invalid log prefix is included
to illustrate the maximum length allowed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 log level err
set traffic policy POLICY_IN rule 1 log prefix Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=2.67 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.672/2.672/2.672/0.000 ms
Step 4: Run the command system journal show | tail on DUT0 and check whether the output contains the following tokens:
[Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit-1] ACCEPT IN=eth0
Jun 03 10:14:59.937855 osdx WARNING[36758]: No supported link modes on interface eth0
Jun 03 10:14:59.939283 osdx modulelauncher[36758]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Jun 03 10:14:59.939295 osdx modulelauncher[36758]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Jun 03 10:14:59.940454 osdx modulelauncher[36758]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Jun 03 10:14:59.940462 osdx modulelauncher[36758]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Jun 03 10:14:59.952486 osdx (udev-worker)[36774]: Network interface NamePolicy= disabled on kernel command line.
Jun 03 10:15:00.390753 osdx cfgd[1899]: [3201]Completed change to active configuration
Jun 03 10:15:00.391328 osdx OSDxCLI[3201]: User 'admin' committed the configuration.
Jun 03 10:15:00.427234 osdx OSDxCLI[3201]: User 'admin' left the configuration menu.
Jun 03 10:15:01.423792 osdx kernel: [Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit-1] ACCEPT IN=eth0.100 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00:45:00:00:54 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47646 DF PROTO=ICMP TYPE=8 CODE=0 ID=390 SEQ=1
Step 5: Run the command configure on DUT0 and expect the following output:
admin@osdx#
Step 6: Run the command set traffic policy INVALID_LOG_PREFIX rule 1 log prefix Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-amet-vita on DUT0 and check whether the output contains the following tokens:
Log prefix must be 92 characters or less and must contain printable characters except those defined as part of the space character class
Log prefix must be 92 characters or less and must contain printable characters except those defined as part of the space character class
Value validation failed
CLI Error: Command error
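Step 4 checks the journal for the bracketed prefix and Step 6 shows the validation rule the CLI enforces on it. As an added example, not code from the original page or from OSDx, the following Python does two things a practitioner automating this scenario would want: it applies the same length and character rule to a candidate prefix before it is committed, and it parses the kernel log record into its prefix, verdict and `KEY=VALUE` fields so that a check can match on `IN=eth0.100` and `SRC=10.0.0.2` rather than on a substring. The two prefixes and the journal line are copied from the steps above. Two assumptions are made: "printable characters" is read as ASCII printable with every whitespace character excluded, and the `-1` the kernel appends to the prefix is treated as the rule number.

```python
import re
import string

MAX_PREFIX_LEN = 92   # limit printed by the CLI error in Step 6

# Prefixes copied from the scenario: the first is accepted in Step 1,
# the second is rejected in Step 6.
ACCEPTED_PREFIX = ("Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-"
                   "quisque-lorem-ipsum-dolor-sit-ame-vit")
REJECTED_PREFIX = ("Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-"
                   "quisque-lorem-ipsum-dolor-sit-amet-vita")


def validate_log_prefix(prefix):
    """Return None when the prefix satisfies the rule the CLI prints, else the reason.
    Assumption: 'printable characters' means ASCII printable, and the excluded
    'space character class' is every whitespace character."""
    if len(prefix) > MAX_PREFIX_LEN:
        return f"{len(prefix)} characters, limit is {MAX_PREFIX_LEN}"
    for ch in prefix:
        if ch not in string.printable or ch in string.whitespace:
            return f"character {ch!r} is not allowed"
    return None


# Journal line copied from Step 4.
LOG_LINE = ("Jun 03 10:15:01.423792 osdx kernel: [" + ACCEPTED_PREFIX + "-1] ACCEPT "
            "IN=eth0.100 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00:45:00:00:54 "
            "SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47646 DF "
            "PROTO=ICMP TYPE=8 CODE=0 ID=390 SEQ=1")

KERNEL_LOG = re.compile(r"kernel: \[(?P<prefix>[^\]]*)\] (?P<verdict>[A-Z]+) (?P<fields>.*)$")


def parse_policy_log(line):
    """Split a policy log line into prefix, rule suffix, verdict, KEY=VALUE fields and bare flags.
    Returns None for journal lines that are not policy log records.
    Assumption: the '-N' the kernel appends to the prefix is the rule number."""
    m = KERNEL_LOG.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            # ID= occurs twice (IP header, then ICMP); keep the first one.
            fields.setdefault(key, value)
        else:
            flags.append(token)   # e.g. DF
    prefix, _, rule = m.group("prefix").rpartition("-")
    return {"prefix": prefix, "rule": rule, "verdict": m.group("verdict"),
            "fields": fields, "flags": flags}


def matching_log_records(journal, prefix, verdict=None):
    """Policy log records in the journal text that carry the given prefix (and verdict)."""
    records = []
    for line in journal.splitlines():
        rec = parse_policy_log(line)
        if rec and rec["prefix"] == prefix and (verdict is None or rec["verdict"] == verdict):
            records.append(rec)
    return records


if __name__ == "__main__":
    for p in (ACCEPTED_PREFIX, REJECTED_PREFIX):
        print(len(p), validate_log_prefix(p) or "ok")
    print(parse_policy_log(LOG_LINE))
```

Keeping the prefix free of whitespace is what makes the `[prefix-N]` token a reliable split point for the parser; a prefix containing a space or a `]` would break every downstream tool that keys on it, which is a practical reason for the rule beyond the length limit.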
Test Policy Advisor
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). The advisor option is
configured to enable/disable the rule depending on
the advisor status. If the rule is enabled, incoming traffic
will be dropped.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system advisor ADV test false
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 action drop
set traffic policy POLICY_IN rule 1 advisor ADV
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.694 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.694/0.694/0.694/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
set system advisor ADV test true
Step 5: Expect a failure in the following command:
Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Modify the following configuration lines in DUT0:
set system advisor ADV test false
Step 7: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.471 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.471/0.471/0.471/0.000 ms
Test Policy Set Label
Description
In this scenario, an ingress traffic policy is configured
in DUT0 (‘eth0’ interface). The set label action is
configured to assign a label to conntrack entries. Labels are
used to classify and identify connections in the conntrack table,
which can be useful for traffic analysis and policy enforcement.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic label TESTLABEL
set traffic policy POLICY_IN rule 1 set label TESTLABEL
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.825 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.250 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.292 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.245 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.261 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4088ms
rtt min/avg/max/mdev = 0.245/0.374/0.825/0.225 ms
Step 4: Run the command system conntrack show on DUT0 and check whether the output contains the following tokens:
labels=TESTLABEL
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=394 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=394 packets=5 bytes=420 mark=0 use=1 labels=TESTLABEL
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
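Steps 4 and 7 of the Policy Copy scenario, Steps 4, 7, 11 and 14 of the Set Conntrack Values scenario and Step 4 of this scenario all check `system conntrack show` output for a single token. As an added example, not code from the original page or from OSDx, the following Python parses those entries into structured records so that the connmark, extra-connmark, VRF, app-id and label values can be asserted per flow (and per direction) rather than by substring match across the whole output. The sample entries are copied from the outputs shown in those scenarios and gathered into one constructed listing; treating `labels=` as comma-separated and `emarkN` as numbered slots are assumptions.

```python
import re

# Entries copied from the conntrack outputs shown in the Policy Copy, Set Conntrack
# Values and Set Label scenarios, combined into one constructed listing.
CONNTRACK_OUTPUT = """\
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=384 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=384 packets=5 bytes=420 mark=12 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=385 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=385 packets=5 bytes=420 mark=0 emark1=12 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=389 vrf=RED packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=389 vrf=RED packets=5 bytes=420 mark=0 use=1 appdetect[L3:1]
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=388 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=388 packets=5 bytes=420 mark=0 use=1 appdetect[L3:1;U6:80]
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=394 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=394 packets=5 bytes=420 mark=0 use=1 labels=TESTLABEL
conntrack v1.4.7 (conntrack-tools): 5 flow entries have been shown.
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")
APPDETECT = re.compile(r"appdetect\[([^\]]*)\]")
TUPLE_KEYS = {"src", "dst", "type", "code", "id", "sport", "dport", "packets", "bytes"}


def parse_entry(line):
    """Parse one flow line into a dict, or return None for the footer/blank lines."""
    fields = line.split()
    if len(fields) < 3 or not fields[1].isdigit():
        return None
    entry = {"proto": fields[0], "orig": {}, "reply": {}, "mark": 0,
             "emarks": {}, "vrf": None, "labels": [], "apps": []}
    side = "orig"
    for key, value in KEY_VALUE.findall(line):
        if key == "src" and "src" in entry["orig"]:
            side = "reply"            # the second src= starts the reply tuple
        if key in TUPLE_KEYS:
            entry[side][key] = value
        elif key == "mark":
            entry["mark"] = int(value)
        elif key.startswith("emark"):  # assumption: emark1, emark2, ... are numbered slots
            entry["emarks"][int(key[len("emark"):])] = int(value)
        elif key == "vrf":
            entry["vrf"] = value
        elif key == "labels":          # assumption: several labels are comma-separated
            entry["labels"] = value.split(",")
    m = APPDETECT.search(line)
    if m:
        entry["apps"] = m.group(1).split(";")   # e.g. ["L3:1", "U6:80"] when chained
    return entry


def parse_conntrack(output):
    """All flow entries in a `system conntrack show` listing, in order."""
    return [e for e in (parse_entry(l) for l in output.splitlines()) if e]


def flows_with(output, **expected):
    """Flows whose top-level parsed fields equal every expected value, e.g. mark=12 or vrf='RED'."""
    return [e for e in parse_conntrack(output)
            if all(e.get(k) == v for k, v in expected.items())]


if __name__ == "__main__":
    for flow in parse_conntrack(CONNTRACK_OUTPUT):
        print(flow["orig"]["id"], flow["mark"], flow["emarks"], flow["vrf"], flow["apps"], flow["labels"])
```

Parsing per flow matters once a table holds more than the single test flow: a bare `mark=12` grep would also match an unrelated connection, whereas `flows_with(output, mark=12)` can be narrowed further by the original tuple (source address, ICMP id) of the flow the scenario actually created.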