Denied MACs

The following scenarios show how to configure the hardware switch so that it either drops every frame whose source MAC address is on a denied list (denied-macs, configured under the bridge's hardware-offload node rather than on a port) or accepts on a given switch port only frames whose source MAC address is on that port's allowed list (allowed-macs, configured on the bridge port itself). Both filters match only on the source MAC address of the frame, so they keep unwanted or misconfigured hosts off the segment but do not stop a host that changes its MAC address to one that is not denied or that is on the allowed list.

Figure: test topology (topology3.svg)

Test Switch Denied List

Description

In this scenario, the hardware switch is configured to deny all traffic from DUT2's eth2 MAC address (DE:AD:BE:EF:6C:22). DUT2's eth3 interface has a different MAC address that is not on the denied list, so its traffic is not affected by the rule.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces bridge br0 hardware-offload eth0
set interfaces ethernet eth0p0 bridge-group bridge br0
set interfaces ethernet eth0p1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.1.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth2 address 192.168.1.3/24
set interfaces ethernet eth2 vrf LAN_PORT0
set interfaces ethernet eth3 address 192.168.1.4/24
set interfaces ethernet eth3 vrf LAN_PORT1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_PORT0
set system vrf LAN_PORT1

Step 4: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.466 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.466/0.466/0.466/0.000 ms

Step 5: Ping IP address 192.168.1.3 from DUT1:

admin@DUT1$ ping 192.168.1.3 count 1 size 56 timeout 1
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.562 ms

--- 192.168.1.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.562/0.562/0.562/0.000 ms

Step 6: Ping IP address 192.168.1.4 from DUT1:

admin@DUT1$ ping 192.168.1.4 count 1 size 56 timeout 1
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.548 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.548/0.548/0.548/0.000 ms

Step 7: Modify the following configuration lines in DUT0:

set interfaces bridge br0 hardware-offload eth0 denied-macs 'DE:AD:BE:EF:6C:22'

Step 8: Expect a failure in the following command: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 9: Expect a failure in the following command: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Test Switch Allowed List

Description

In this scenario, the bridge port eth0p0, which is connected to DUT2's eth2 interface, is configured to allow traffic only from that interface's MAC address (DE:AD:BE:EF:6C:22), so the pings from DUT2 still succeed. The allowed MAC address is then changed to a different one (DE:AD:BE:EF:6C:23), after which every frame that DUT2's eth2 sends into eth0p0 is dropped, because its source MAC address is no longer on the port's allowed list.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces bridge br0 hardware-offload eth0
set interfaces ethernet eth0p0 bridge-group bridge br0
set interfaces ethernet eth0p1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.1.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth2 address 192.168.1.3/24
set interfaces ethernet eth2 vrf LAN_PORT0
set interfaces ethernet eth3 address 192.168.1.4/24
set interfaces ethernet eth3 vrf LAN_PORT1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN_PORT0
set system vrf LAN_PORT1

Step 4: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.430 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.430/0.430/0.430/0.000 ms

Step 5: Ping IP address 192.168.1.3 from DUT1:

admin@DUT1$ ping 192.168.1.3 count 1 size 56 timeout 1
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.507 ms

--- 192.168.1.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.507/0.507/0.507/0.000 ms

Step 6: Ping IP address 192.168.1.4 from DUT1:

admin@DUT1$ ping 192.168.1.4 count 1 size 56 timeout 1
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.579 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.579/0.579/0.579/0.000 ms

Step 7: Modify the following configuration lines in DUT0:

set interfaces ethernet eth0p0 bridge-group allowed-macs 'DE:AD:BE:EF:6C:22'

Step 8: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.268 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.268/0.268/0.268/0.000 ms

Step 9: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.322 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.322/0.322/0.322/0.000 ms

Step 10: Modify the following configuration lines in DUT0:

delete interfaces ethernet eth0p0 bridge-group allowed-macs 'DE:AD:BE:EF:6C:22'
set interfaces ethernet eth0p0 bridge-group allowed-macs 'DE:AD:BE:EF:6C:23'

Step 11: Expect a failure in the following command: Ping IP address 192.168.1.4 from DUT2:

admin@DUT2$ ping 192.168.1.4 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.4 (192.168.1.4) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 12: Expect a failure in the following command: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 vrf LAN_PORT0 count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LAN_PORT0
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 LAN_PORT0: 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
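The following Python model is added here as an illustration of the two scenarios above; it is not the switch's own software. It replays the decisions that the denied-list test (DUT2's eth2 MAC denied on the hardware-offload device) and the allowed-list test (eth0p0 first allowing DUT2's eth2 MAC, then a different one) check with ping, and renders the same set-command syntax that appears on this page. It assumes that the denied list is evaluated before any per-port allowed list (the page never configures both at once), that DUT2's eth3 is attached to eth0p1, and it uses a placeholder MAC address for DUT2's eth3, which the page does not give.

```python
"""Model of the source-MAC filters exercised by the two scenarios on this page.

Added example: this is not the switch's code. It only models the behaviour the
scenarios demonstrate, plus the assumptions stated in the comments below.
"""
import re
from dataclasses import dataclass, field

# The page writes MAC addresses as six upper-case, colon-separated octets.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

DUT2_ETH2 = "DE:AD:BE:EF:6C:22"  # from the page
DUT2_ETH3 = "DE:AD:BE:EF:6C:33"  # placeholder: the page does not give eth3's MAC


def is_valid_mac(mac: str) -> bool:
    """True for a colon-separated MAC address, in any letter case."""
    return MAC_RE.match(mac.strip()) is not None


def normalise_mac(mac: str) -> str:
    """Validate a MAC and return it in the upper-case form the page uses."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return mac.strip().upper()


@dataclass
class OffloadedBridge:
    """Source-MAC policy of one hardware-offloaded bridge (br0 on device eth0 here)."""
    bridge: str = "br0"
    device: str = "eth0"
    denied: set = field(default_factory=set)     # denied-macs, set on the device
    allowed: dict = field(default_factory=dict)  # port -> allowed-macs on that port

    def deny(self, mac: str) -> None:
        self.denied.add(normalise_mac(mac))

    def allow_only(self, port: str, macs) -> None:
        """Replace the port's allowed list, as step 10 does with delete followed by set."""
        self.allowed[port] = {normalise_mac(m) for m in macs}

    def ingress_decision(self, port: str, src_mac: str) -> str:
        """Return 'drop' or 'forward' for a frame with src_mac arriving on port."""
        mac = normalise_mac(src_mac)
        # Assumption: the denied list is checked first and is not port-specific.
        if mac in self.denied:
            return "drop"
        port_allowed = self.allowed.get(port)
        # A port without an allowed list accepts any source MAC (steps 4-6).
        if port_allowed is not None and mac not in port_allowed:
            return "drop"
        return "forward"

    def cli_commands(self) -> list:
        """Render the policy in the set-command syntax used on this page."""
        base = f"set interfaces bridge {self.bridge} hardware-offload {self.device}"
        cmds = [base] + [f"{base} denied-macs '{m}'" for m in sorted(self.denied)]
        for port, macs in sorted(self.allowed.items()):
            cmds.append(f"set interfaces ethernet {port} bridge-group bridge {self.bridge}")
            cmds += [f"set interfaces ethernet {port} bridge-group allowed-macs '{m}'"
                     for m in sorted(macs)]
        return cmds


def denied_list_scenario() -> dict:
    """Steps 7-9 of the denied-list test: DUT2's eth2 MAC is denied, its eth3 MAC is not."""
    sw = OffloadedBridge()
    sw.deny(DUT2_ETH2)
    return {
        "eth2 on eth0p0": sw.ingress_decision("eth0p0", DUT2_ETH2),
        "eth3 on eth0p1": sw.ingress_decision("eth0p1", DUT2_ETH3),  # assumed port
    }


def allowed_list_scenario() -> dict:
    """Steps 7-12 of the allowed-list test: eth0p0 allows DUT2's eth2 MAC, then another one."""
    sw = OffloadedBridge()
    sw.allow_only("eth0p0", [DUT2_ETH2])
    before = sw.ingress_decision("eth0p0", DUT2_ETH2)       # steps 8-9: pings succeed
    sw.allow_only("eth0p0", ["DE:AD:BE:EF:6C:23"])
    after = sw.ingress_decision("eth0p0", DUT2_ETH2)        # steps 11-12: pings fail
    # A host that spoofs the allowed source MAC is forwarded again: the filter
    # keys on the address, not on the host.
    spoofed = sw.ingress_decision("eth0p0", "de:ad:be:ef:6c:23")
    return {"before": before, "after": after, "spoofed": spoofed}


if __name__ == "__main__":
    print(denied_list_scenario())
    print(allowed_list_scenario())
    print("\n".join(OffloadedBridge(denied={DUT2_ETH2}).cli_commands()))
```

Running the module prints the forward/drop decision for each step of both scenarios and the set commands that express the same policy. The spoofed entry in the second scenario is the caveat from the introduction in executable form: once the allowed MAC is known, any host on that port can present it.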