Policy
The following scenarios show how to configure different traffic policies. Policies can be used to manage and classify network packets. Traffic selectors can be configured to filter packets based on certain fields.
Test Policy Actions
Description
In this scenario, an ingress traffic policy is configured in DUT0 (on the 'eth0' VLAN 100 subinterface, eth0 vif 100). Different traffic actions are configured to accept, drop or rate-limit incoming traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 action accept
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.708 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.708/0.708/0.708/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 action accept
set traffic policy POLICY_IN rule 1 action drop
Step 5: Expect a failure in the following command:
Initiate a UDP connection from DUT1 to DUT0 and try to send some messages between both endpoints:
admin@DUT0$ monitor test connection server 8080 udp
admin@DUT1$ monitor test connection client 10.0.0.1 8080 udp
Step 6: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 action drop
set traffic policy POLICY_IN rule 1 action rate-limit 10
Step 7: Initiate a bandwidth test from DUT1 to DUT0:
admin@DUT0$ monitor test performance server port 5001
admin@DUT1$ monitor test performance client 10.0.0.1 duration 5 port 5001 parallel 1
Expect this output in DUT1:
Connecting to host 10.0.0.1, port 5001
[  5] local 10.0.0.2 port 42054 connected to 10.0.0.1 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.30 MBytes  27.7 Mbits/sec  223   24.0 KBytes
[  5]   1.00-2.00   sec  1.18 MBytes  9.90 Mbits/sec   98   18.4 KBytes
[  5]   2.00-3.00   sec  1.18 MBytes  9.90 Mbits/sec  132   2.83 KBytes
[  5]   3.00-4.00   sec   764 KBytes  6.25 Mbits/sec   90   2.83 KBytes
[  5]   4.00-5.00   sec  1.49 MBytes  12.5 Mbits/sec  121   29.7 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  7.90 MBytes  13.2 Mbits/sec  664             sender
[  5]   0.00-5.00   sec  7.04 MBytes  11.8 Mbits/sec                  receiver
iperf Done.
Note
The preceding test should report a much lower bandwidth than the same link without the rate-limit rule. In the output above the bitrate settles at roughly 10 Mbit/s and the sender records 664 TCP retransmissions, which is the expected signature of a policer discarding the packets that exceed the configured rate.
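When the rate-limit check is scripted rather than eyeballed, the client report has to be parsed and the sender/receiver figures compared. The following Python is an added example, not part of this page or of the OSDx tooling; the sample report is transcribed from the output above, the unit scaling follows iperf3's convention (bytes in multiples of 1024, bit rates in multiples of 1000), and the "byte gap" measure is an assumption of this example, not a figure iperf3 itself reports.

```python
import re

# Constructed sample: the iperf3 client report shown on this page for the rate-limit step,
# one row per line as iperf3 prints it.
SAMPLE_REPORT = """\
Connecting to host 10.0.0.1, port 5001
[  5] local 10.0.0.2 port 42054 connected to 10.0.0.1 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.30 MBytes  27.7 Mbits/sec  223   24.0 KBytes
[  5]   1.00-2.00   sec  1.18 MBytes  9.90 Mbits/sec   98   18.4 KBytes
[  5]   2.00-3.00   sec  1.18 MBytes  9.90 Mbits/sec  132   2.83 KBytes
[  5]   3.00-4.00   sec   764 KBytes  6.25 Mbits/sec   90   2.83 KBytes
[  5]   4.00-5.00   sec  1.49 MBytes  12.5 Mbits/sec  121   29.7 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.00   sec  7.90 MBytes  13.2 Mbits/sec  664             sender
[  5]   0.00-5.00   sec  7.04 MBytes  11.8 Mbits/sec                  receiver
iperf Done.
"""

# One interval or summary row: stream id, interval, transfer, bitrate, optional retransmit
# count, optional congestion window, optional sender/receiver role.
ROW_RE = re.compile(
    r"^\[\s*(?P<stream>\d+)\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?Bytes)\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG]?bits)/sec"
    r"(?:\s+(?P<retr>\d+))?(?:\s+[\d.]+\s+[KMG]?Bytes)?\s*(?P<role>sender|receiver)?\s*$"
)

# iperf3 scales byte counts by 1024 and bit rates by 1000.
BYTE_SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}


def parse_iperf3(text):
    """Return {'intervals': [...], 'sender': row, 'receiver': row}, with bytes and bit/s normalised."""
    report = {"intervals": [], "sender": None, "receiver": None}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner, header, separator and trailer lines
        row = {
            "start": float(m["start"]),
            "end": float(m["end"]),
            "bytes": float(m["xfer"]) * BYTE_SCALE[m["xunit"][:-5]],
            "bps": float(m["rate"]) * BIT_SCALE[m["runit"][:-4]],
            "retr": int(m["retr"]) if m["retr"] else None,
        }
        if m["role"]:
            report[m["role"]] = row
        else:
            report["intervals"].append(row)
    return report


def policer_indicators(report):
    """Figures that show a policer at work: the receiver saw less than the sender pushed,
    and the sender had to retransmit. byte_gap_fraction is bytes sent but not delivered
    within the test window (dropped or still in flight); it is this example's own measure."""
    s, r = report["sender"], report["receiver"]
    return {
        "sender_mbps": s["bps"] / 1e6,
        "receiver_mbps": r["bps"] / 1e6,
        "byte_gap_fraction": 1 - r["bytes"] / s["bytes"],
        "retransmits": s["retr"] or 0,
        "peak_interval_mbps": max(i["bps"] for i in report["intervals"]) / 1e6,
    }


if __name__ == "__main__":
    for key, value in policer_indicators(parse_iperf3(SAMPLE_REPORT)).items():
        print(f"{key:>20}: {value:.3f}")
```

Compare the figures against an unthrottled run of the same test on the same link; a policer shows up as a receiver rate pinned near the configured limit together with a non-zero retransmit count, while a merely slow link shows neither the burst in the first interval nor the retransmissions.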
Test Policy Copy
Description
In this scenario, an ingress traffic policy is configured in DUT0 (on the 'eth0' VLAN 100 subinterface, eth0 vif 100). Different copy actions are configured to store the ToS value of the incoming packet in the conntrack mark and in an extra conntrack mark field, where it can be checked with system conntrack show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 copy tos connmark
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.784 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.341 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.367 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.254 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.375 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4093ms
rtt min/avg/max/mdev = 0.254/0.424/0.784/0.184 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=12
Output:
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=316 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=316 packets=5 bytes=420 mark=12 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 copy tos connmark
set traffic policy POLICY_IN rule 1 copy tos extra-connmark 1
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 tos 12 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.548 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.322 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.368 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=1.35 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.637 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4011ms
rtt min/avg/max/mdev = 0.322/0.644/1.346/0.369 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
emark1=12
Output:
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=317 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=317 packets=5 bytes=420 mark=0 emark1=12 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Test Policy Set
Description
In this scenario, an egress traffic policy is configured in DUT0 (on the 'eth0' VLAN 100 subinterface, eth0 vif 100) to mark outgoing packets using the ToS and CoS fields. ToS is the IPv4 type-of-service byte and is visible in any capture of the packet; CoS is carried in the 802.1Q priority bits of the VLAN tag, so it only exists on the tagged frames of the vif 100 subinterface and has to be checked on the tagged side of the link.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN
set traffic policy POLICY_OUT rule 1 set tos 12
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run command traffic dump monitor detail interface eth0 filter "host 10.0.0.2" at DUT1. This capture on DUT1 is where the ToS value written by DUT0's egress policy is observed.
Step 4: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.748 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.748/0.748/0.748/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_OUT rule 1 set tos
set traffic policy POLICY_OUT rule 1 set cos 5
Step 6: Run command traffic dump monitor detail interface eth0 filter "host 10.0.0.2" at DUT1. The CoS value is now expected in the 802.1Q header of the tagged frames.
Step 7: Ping IP address 10.0.0.2 from DUT0:
admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=11.3 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.266/11.266/11.266/0.000 ms
Test Policy Set Conntrack Values
Description
In this scenario, an ingress traffic policy is configured in DUT0 (on the 'eth0' VLAN 100 subinterface, eth0 vif 100). Different set actions are configured to change the conntrack mark, the application identifier (app-id) and the VRF of the matching flow; each change is verified afterwards in the output of system conntrack show.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 set connmark 15
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.92 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.347 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.466 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.298 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.392 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4036ms
rtt min/avg/max/mdev = 0.298/0.684/1.917/0.618 ms
Step 4: Run command system conntrack show at DUT0 and check if output contains the following tokens:
mark=15
Output:
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=318 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=318 packets=5 bytes=420 mark=15 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 5: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 set connmark
set traffic policy POLICY_IN rule 1 set app-id custom 80
Step 6: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.371 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.312 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.268 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=1.07 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.576 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4049ms
rtt min/avg/max/mdev = 0.268/0.518/1.067/0.293 ms
Step 7: Run command system conntrack show at DUT0 and check if output contains the following tokens:
appdetect[U:80]
Output:
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=319 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=319 packets=5 bytes=420 mark=0 use=1 appdetect[U:80]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 8: Modify the following configuration lines in DUT0:
delete traffic policy POLICY_IN rule 1 set app-id
set interfaces ethernet eth0 vif 100 vrf RED
set system vrf RED
set traffic policy POLICY_IN rule 1 set vrf RED
Step 9: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.716 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.357 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.365 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.434 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.265 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4041ms
rtt min/avg/max/mdev = 0.265/0.427/0.716/0.153 ms
Step 10: Run command system conntrack show at DUT0 and check if output contains the following tokens:
vrf=RED
Output:
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=320 vrf=RED packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=320 vrf=RED packets=5 bytes=420 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
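The "check if output contains the following tokens" steps in the Test Policy Copy and Test Policy Set Conntrack Values scenarios are substring checks, which cannot tell mark=12 in one flow from mark=12 in another. The following Python is an added example, not part of this page or of the OSDx tooling: it parses system conntrack show entries of the conntrack-tools form shown above into original tuple, reply tuple and per-flow values, so a check can be tied to a specific flow. The sample entries are transcribed from the four outputs in these two scenarios; the handling of bracketed state flags and a TCP state word is an assumption made from the general conntrack-tools format, which this page does not show, and the meaning of the U in appdetect[U:80] is not interpreted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the four conntrack entries shown on this page, one per line, plus the
# conntrack-tools trailer line to show that it is skipped.
SAMPLE = """\
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=316 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=316 packets=5 bytes=420 mark=12 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=317 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=317 packets=5 bytes=420 mark=0 emark1=12 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=319 packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=319 packets=5 bytes=420 mark=0 use=1 appdetect[U:80]
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=320 vrf=RED packets=5 bytes=420 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=320 vrf=RED packets=5 bytes=420 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
"""

APPDETECT_RE = re.compile(r"^appdetect\[([^\]]+)\]$")
# Keys that describe the flow as a whole rather than one direction of it.
FLOW_KEYS = {"mark", "use", "zone", "secctx"}


@dataclass
class Flow:
    proto: str
    timeout: int
    orig: dict = field(default_factory=dict)   # original-direction tuple (first src= ... )
    reply: dict = field(default_factory=dict)  # reply-direction tuple (second src= ... )
    meta: dict = field(default_factory=dict)   # per-flow values: mark, emarkN, use, appdetect
    flags: list = field(default_factory=list)  # bracketed flags such as ASSURED, or a TCP state


def parse_entry(line):
    """Parse one conntrack-tools entry: <proto> <protonum> <timeout> [<state>] key=value ..."""
    tokens = line.split()
    proto, _protonum, timeout = tokens[0], tokens[1], int(tokens[2])
    flow = Flow(proto=proto, timeout=timeout)
    side = flow.orig
    for tok in tokens[3:]:
        m = APPDETECT_RE.match(tok)
        if m:
            flow.meta["appdetect"] = m.group(1)   # kept verbatim, e.g. "U:80"
            continue
        if "=" not in tok:
            # "[ASSURED]"-style flags or a bare TCP state word (assumed from the general format)
            flow.flags.append(tok.strip("[]"))
            continue
        key, value = tok.split("=", 1)
        if key == "src" and "src" in side:
            side = flow.reply                    # the second src= starts the reply tuple
        if key in FLOW_KEYS or key.startswith("emark"):
            flow.meta[key] = value
        else:
            side[key] = value
    return flow


def parse_conntrack(text):
    """Parse the whole output of system conntrack show, ignoring blank and trailer lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conntrack v"):
            continue
        flows.append(parse_entry(line))
    return flows


def find_flows(flows, **wanted):
    """Flows whose per-flow values match every given key=value (values are strings)."""
    return [f for f in flows if all(f.meta.get(k) == v for k, v in wanted.items())]


def tos_fields(tos):
    """Split an IPv4 ToS byte into (DSCP, ECN): DSCP is the upper six bits, ECN the lower two."""
    return (tos >> 2) & 0x3F, tos & 0x03


if __name__ == "__main__":
    for f in parse_conntrack(SAMPLE):
        print(f.proto, f.orig["src"], "->", f.orig["dst"], f.meta, f.flags)
    print("tos 12 =", tos_fields(12))
```

Because copy tos connmark stores the whole ToS byte, the mark holds DSCP and ECN together (ToS 12 is DSCP 3 with ECN 0); any later rule that matches on the mark needs to account for both parts.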
Test Policy Log
Description
In this scenario, an ingress traffic policy is configured in DUT0 (on the 'eth0' VLAN 100 subinterface, eth0 vif 100). The log option is configured so that matching packets produce kernel log messages that help debug and analyze the network status; because rule 1 has no action, the logged packets are still accepted, as the ACCEPT keyword in the message shows. Additionally, a log prefix that exceeds the maximum length is attempted to illustrate the limit: the 92-character prefix of rule 1 is accepted, while a 94-character one is rejected by the CLI.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 log level err
set traffic policy POLICY_IN rule 1 log prefix Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.635 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.635/0.635/0.635/0.000 ms
Step 4: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit-1] ACCEPT IN=eth0
Output:
Jul 28 12:06:53.616512 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POLICY_IN rule 1 log level err'.
Jul 28 12:06:53.775162 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'show working'.
Jul 28 12:06:53.932022 osdx ubnt-cfgd[7499]: inactive
Jul 28 12:06:54.035006 osdx INFO[7517]: FRR daemons did not change
Jul 28 12:06:54.071474 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 28 12:06:54.114416 osdx (udev-worker)[7564]: Network interface NamePolicy= disabled on kernel command line.
Jul 28 12:06:54.366389 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:06:54.387138 osdx OSDxCLI[2568]: User 'admin' committed the configuration.
Jul 28 12:06:54.441940 osdx OSDxCLI[2568]: User 'admin' left the configuration menu.
Jul 28 12:06:55.948024 osdx kernel: [Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit-1] ACCEPT IN=eth0.100 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00:45:00:00:54 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56580 DF PROTO=ICMP TYPE=8 CODE=0 ID=321 SEQ=1
Step 5: Run command configure at DUT0 (no output is expected).
Step 6: Run command set traffic policy INVALID_LOG_PREFIX rule 1 log prefix Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-amet-vita at DUT0 and check if output contains the following tokens:
Log prefix must be 92 characters or less and must contain printable characters except those defined as part of the space character class
Output:
Log prefix must be 92 characters or less and must contain printable characters except those defined as part of the space character class
Value validation failed
CLI Error: Command error
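The kernel message produced by the log option is a key=value record with the rule number appended to the prefix after a hyphen, as the journal line above shows; once it is parsed, the same records can be counted per source address to see who is being accepted or dropped. The following Python is an added example, not part of this page or of the OSDx tooling. The prefix validator only applies the rule stated in the CLI error above (at most 92 printable characters, none from the space class) and uses Python's notion of printable characters, which is an approximation of the CLI's; the two prefixes and the journal lines are transcribed from this page, and the suffixing of the repeated ID= field (the IP header ID and the ICMP ID both log under that name) is a choice of this example.

```python
import re
from collections import Counter

MAX_PREFIX_LEN = 92  # limit stated by the CLI error message on this page

# The 92-character prefix accepted in rule 1 and the 94-character one rejected in Step 6.
VALID_PREFIX = ("Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-"
                "lorem-ipsum-dolor-sit-ame-vit")
INVALID_PREFIX = ("Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-"
                  "lorem-ipsum-dolor-sit-amet-vita")

# Constructed sample: three lines from the journal output on this page; only the last one is
# a traffic-policy log record.
SAMPLE_JOURNAL = """\
Jul 28 12:06:53.616512 osdx OSDxCLI[2568]: User 'admin' added a new cfg line: 'set traffic policy POLICY_IN rule 1 log level err'.
Jul 28 12:06:54.366389 osdx cfgd[1474]: [2568]Completed change to active configuration
Jul 28 12:06:55.948024 osdx kernel: [Lorem-ipsum-dolor-sit-amet-consectetur-adipiscing-elit-quisque-lorem-ipsum-dolor-sit-ame-vit-1] ACCEPT IN=eth0.100 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00:45:00:00:54 SRC=10.0.0.2 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56580 DF PROTO=ICMP TYPE=8 CODE=0 ID=321 SEQ=1
"""

# "[<prefix>-<rule>] <ACTION> key=value ..." anywhere in the line (journal timestamp and
# "kernel:" tag may precede it). The greedy prefix backtracks to the last "-<digits>]".
LOG_RE = re.compile(r"\[(?P<prefix>[^\]]*)-(?P<rule>\d+)\]\s+(?P<action>[A-Z]+)\s+(?P<fields>.*)$")


def valid_log_prefix(prefix):
    """The CLI rule: 92 characters or less, printable, and nothing from the space class."""
    if len(prefix) > MAX_PREFIX_LEN:
        return False
    return all(c.isprintable() and not c.isspace() for c in prefix)


def parse_policy_log(line):
    """Return {'prefix', 'rule', 'action', 'fields'} for a traffic-policy log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            base, n = key, 1
            while key in fields:          # e.g. the second ID= becomes ID_2 (this example's choice)
                n += 1
                key = f"{base}_{n}"
            fields[key] = value           # OUT= gives an empty string
        else:
            fields[tok] = True            # bare flags such as DF
    return {"prefix": m.group("prefix"), "rule": int(m.group("rule")),
            "action": m.group("action"), "fields": fields}


def tally_actions(lines):
    """Count (action, SRC) pairs over journal lines: a quick view of which sources a rule hits."""
    counts = Counter()
    for rec in map(parse_policy_log, lines):
        if rec:
            counts[(rec["action"], rec["fields"].get("SRC"))] += 1
    return counts


if __name__ == "__main__":
    print(valid_log_prefix(VALID_PREFIX), valid_log_prefix(INVALID_PREFIX))
    print(tally_actions(SAMPLE_JOURNAL.splitlines()))
```

Note that the rule number is appended by the system, so the full bracketed token is longer than the prefix itself; match on the prefix, not on the whole token, when a policy has many rules sharing one prefix.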
Test Policy Advisor
Description
In this scenario, an ingress traffic policy is configured in DUT0 (on the 'eth0' VLAN 100 subinterface, eth0 vif 100). The advisor option ties rule 1 to a system advisor: the rule is enabled while the advisor (here ADV, with a fixed test value) is true and disabled while it is false. When the rule is enabled, incoming traffic is dropped; when it is disabled, traffic is accepted again.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 10.0.0.1/24
set interfaces ethernet eth0 vif 100 traffic policy in POLICY_IN
set interfaces ethernet eth0 vif 100 traffic policy out POLICY_OUT
set system advisor ADV test false
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_IN rule 1 action drop
set traffic policy POLICY_IN rule 1 advisor ADV
set traffic policy POLICY_OUT
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.864 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.864/0.864/0.864/0.000 ms
Step 4: Modify the following configuration lines in DUT0:
set system advisor ADV test true
Step 5: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Modify the following configuration lines in DUT0:
set system advisor ADV test false
Step 7: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.356 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.356/0.356/0.356/0.000 ms