Traffic Group Sync

This scenario shows how to configure service traffic-group-sync to periodically download a JSON dataset file containing information about traffic groups. This file is used to dynamically update configured traffic groups.
Test Traffic-Group-Sync

Description

This example shows how to configure some traffic policies, traffic selectors and traffic groups to control incoming/outgoing network packets. Traffic groups are dynamically updated using an external JSON file that is periodically downloaded from a remote end-point.
Scenario

Step 1: Set the following configuration in DUT0:

  set interfaces ethernet eth0 address 10.215.168.64/24
  set interfaces ethernet eth0 vrf MNGMT
  set interfaces ethernet eth1 vif 100 address 192.168.1.1/24
  set interfaces ethernet eth1 vif 100 traffic policy in LAN_IN
  set interfaces ethernet eth1 vif 100 vrf LAN
  set interfaces ethernet eth1 vif 200 address 10.0.0.1/24
  set interfaces ethernet eth1 vif 200 traffic nat source rule 1 address masquerade
  set interfaces ethernet eth1 vif 200 traffic policy in WAN_IN
  set interfaces ethernet eth1 vif 200 vrf WAN
  set protocols vrf LAN static route 10.0.0.0/24 next-hop-vrf WAN
  set protocols vrf WAN static route 192.168.1.0/24 next-hop-vrf LAN
  set service traffic-group-sync ACL_FETCHER local-vrf MNGMT
  set service traffic-group-sync ACL_FETCHER poll-interval 1
  set service traffic-group-sync ACL_FETCHER url 'http://10.215.168.1/~robot/dataset.json'
  set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
  set system traffic policy in SYS_IN
  set system vrf LAN
  set system vrf MNGMT
  set system vrf WAN
  set traffic group address LAN_ADDR element 192.168.1.2
  set traffic group address WAN_ADDR element 10.0.0.2
  set traffic group port SYS_PORT
  set traffic policy LAN_IN rule 1 action accept
  set traffic policy LAN_IN rule 1 selector LAN_SEL
  set traffic policy LAN_IN rule 2 action drop
  set traffic policy SYS_IN rule 1 action accept
  set traffic policy SYS_IN rule 1 selector SYS_SEL
  set traffic policy SYS_IN rule 2 action drop
  set traffic policy WAN_IN rule 1 action accept
  set traffic policy WAN_IN rule 1 selector WAN_SEL
  set traffic policy WAN_IN rule 2 action drop
  set traffic selector LAN_SEL rule 1 source address-group LAN_ADDR
  set traffic selector SYS_SEL rule 1 protocol icmp
  set traffic selector SYS_SEL rule 2 protocol tcp
  set traffic selector SYS_SEL rule 2 source port 80
  set traffic selector SYS_SEL rule 3 destination port-group SYS_PORT
  set traffic selector SYS_SEL rule 3 protocol tcp
  set traffic selector SYS_SEL rule 4 protocol tcp
  set traffic selector SYS_SEL rule 4 source port-group SYS_PORT
  set traffic selector WAN_SEL rule 1 source address-group WAN_ADDR
Step 2: Set the following configuration in DUT1:

  set interfaces ethernet eth1 vif 100 address 192.168.1.2/24
  set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
  set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:

  set interfaces ethernet eth1 vif 200 address 10.0.0.2/24
  set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
  set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command traffic group show at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+192\.168\.1\.2\s+configuration
  WAN_ADDR\s+10\.0\.0\.2\s+configuration
  SYS_PORT\s+-\s+configuration

Output:

  Elements for address traffic groups
  ------------------------------------
  name       elements       source
  ------------------------------------
  LAN_ADDR   192.168.1.2    configuration
  WAN_ADDR   10.0.0.2       configuration

  Elements for port traffic groups
  ---------------------------------
  name       elements       source
  ---------------------------------
  SYS_PORT   -              configuration
Step 5: Ping IP address 192.168.1.1 from DUT1:

  admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1

Output:

  PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
  64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.353 ms

  --- 192.168.1.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms

Step 6: Ping IP address 10.0.0.1 from DUT2:

  admin@DUT2$ ping 10.0.0.1 count 1 size 56 timeout 1

Output:

  PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
  64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.330 ms

  --- 10.0.0.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms

Step 7: Ping IP address 10.0.0.2 from DUT1:

  admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1

Output:

  PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
  64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.346 ms

  --- 10.0.0.2 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.346/0.346/0.346/0.000 ms
Note

Put the following JSON dataset in the remote end-point:

  {
    "address": {
      "LAN_ADDR": ["192.168.1.0/24"],
      "WAN_ADDR": []
    },
    "port": {
      "SYS_PORT": ["1234"]
    }
  }
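Added example (not OSDx code): a Python validator for the dataset format shown above that checks element syntax and reports which groups a newly downloaded dataset would change, the same kind of count the reload command prints later in this scenario (how the service itself validates and counts is not documented on this page). The element syntax rules (an IP address or prefix for address groups, a port or port range for port groups) are assumptions; the sample datasets are the ones used in the scenario.

```python
import ipaddress
import json

# Constructed samples: the empty dataset and the second populated dataset from the scenario.
EMPTY_DATASET = '{"address": {"LAN_ADDR": [], "WAN_ADDR": []}, "port": {"SYS_PORT": []}}'
FULL_DATASET = ('{"address": {"LAN_ADDR": ["192.168.1.0/24"], "WAN_ADDR": ["10.0.0.2"]},'
                ' "port": {"SYS_PORT": ["1234", "4321"]}}')

KINDS = ("address", "port")  # the two group kinds the dataset may carry


def _check_port(value):
    # Assumption: a port element is "1234" or a range "1000-2000", both within 1..65535.
    lo, _, hi = value.partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not 1 <= lo_n <= hi_n <= 65535:
        raise ValueError(f"port out of range: {value}")
    return f"{lo_n}-{hi_n}" if hi else str(lo_n)


def _check_address(value):
    # Assumption: an address element is a host or a prefix; "10.0.0.2" normalises to "10.0.0.2/32".
    return str(ipaddress.ip_network(value, strict=False))


CHECKERS = {"address": _check_address, "port": _check_port}


def parse_dataset(text):
    """Parse and validate a dataset; returns {kind: {group: frozenset(elements)}}."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) - set(KINDS):
        raise ValueError(f"unexpected top-level keys: {doc!r}")
    out = {}
    for kind in KINDS:
        groups = doc.get(kind, {})
        if not isinstance(groups, dict):
            raise ValueError(f"{kind!r} must map group names to element lists")
        out[kind] = {}
        for name, elems in groups.items():
            if not isinstance(elems, list) or not all(isinstance(e, str) for e in elems):
                raise ValueError(f"{kind}/{name}: elements must be a list of strings")
            out[kind][name] = frozenset(CHECKERS[kind](e) for e in elems)
    return out


def changed_groups(old, new):
    """(kind, name) pairs whose element set differs between two parsed datasets."""
    changed = []
    for kind in KINDS:
        for name in sorted(set(old.get(kind, {})) | set(new.get(kind, {}))):
            if old.get(kind, {}).get(name, frozenset()) != new.get(kind, {}).get(name, frozenset()):
                changed.append((kind, name))
    return changed


if __name__ == "__main__":
    diff = changed_groups(parse_dataset(EMPTY_DATASET), parse_dataset(FULL_DATASET))
    print(f"{len(diff)} groups were updated: {diff}")
```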
Step 8: Run command service traffic-group-sync ACL_FETCHER show data at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+address\s+192\.168\.1\.0/24
  WAN_ADDR\s+address\s+
  SYS_PORT\s+port\s+1234

Output:

  ---------------------------------
  Name       Kind       Elements
  ---------------------------------
  LAN_ADDR   address    192.168.1.0/24
  WAN_ADDR   address
  SYS_PORT   port       1234
Step 9: Run command service traffic-group-sync ACL_FETCHER show stats at DUT0 and check if output matches the following regular expressions:

  [1-9]\d*\s+[1-9]\d*\s+\d+

Output:

  -----------------------------------------------
  Requests   Updates   Download Errors   Last Update
  -----------------------------------------------
  3          1         2                 1s ago
Step 10: Run command traffic group show at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+192\.168\.1\.0/24\s+traffic-group-sync ACL_FETCHER
  WAN_ADDR\s+-\s+traffic-group-sync ACL_FETCHER
  SYS_PORT\s+1234\s+traffic-group-sync ACL_FETCHER

Output:

  Elements for address traffic groups
  --------------------------------------------------------
  name       elements         source
  --------------------------------------------------------
  LAN_ADDR   192.168.1.0/24   traffic-group-sync ACL_FETCHER
  WAN_ADDR   -                traffic-group-sync ACL_FETCHER

  Elements for port traffic groups
  --------------------------------------------------
  name       elements         source
  --------------------------------------------------
  SYS_PORT   1234             traffic-group-sync ACL_FETCHER
Step 11: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints:

  admin@DUT0$ monitor test connection server 1234 tcp
  admin@DUT1$ monitor test connection client 192.168.1.1 1234 tcp
Step 12: Expect a failure in the following command:

Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints:

  admin@DUT0$ monitor test connection server 4321 tcp
  admin@DUT1$ monitor test connection client 192.168.1.1 4321 tcp
Step 13: Expect a failure in the following command:

Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints:

  admin@DUT0$ monitor test connection server 1234 tcp
  admin@DUT1$ monitor test connection client 10.0.0.2 1234 tcp
Note

Put the following JSON dataset in the remote end-point:

  {
    "address": {
      "LAN_ADDR": ["192.168.1.0/24"],
      "WAN_ADDR": ["10.0.0.2"]
    },
    "port": {
      "SYS_PORT": ["1234", "4321"]
    }
  }
Step 14: Run command service traffic-group-sync ACL_FETCHER show data at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+address\s+192\.168\.1\.0/24
  WAN_ADDR\s+address\s+10\.0\.0\.2
  SYS_PORT\s+port\s+((1234,\s+4321)|(4321,\s+1234))

Output:

  ---------------------------------
  Name       Kind       Elements
  ---------------------------------
  LAN_ADDR   address    192.168.1.0/24
  WAN_ADDR   address    10.0.0.2
  SYS_PORT   port       1234, 4321
Step 15: Run command traffic group show at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+192\.168\.1\.0/24\s+traffic-group-sync ACL_FETCHER
  WAN_ADDR\s+10\.0\.0\.2\s+traffic-group-sync ACL_FETCHER
  SYS_PORT\s+((1234,\s+4321)|(4321,\s+1234))\s+traffic-group-sync ACL_FETCHER

Output:

  Elements for address traffic groups
  --------------------------------------------------------
  name       elements         source
  --------------------------------------------------------
  LAN_ADDR   192.168.1.0/24   traffic-group-sync ACL_FETCHER
  WAN_ADDR   10.0.0.2         traffic-group-sync ACL_FETCHER

  Elements for port traffic groups
  ----------------------------------------------------
  name       elements         source
  ----------------------------------------------------
  SYS_PORT   1234, 4321       traffic-group-sync ACL_FETCHER
Step 16: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints:

  admin@DUT0$ monitor test connection server 1234 tcp
  admin@DUT1$ monitor test connection client 192.168.1.1 1234 tcp

Step 17: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints:

  admin@DUT0$ monitor test connection server 4321 tcp
  admin@DUT1$ monitor test connection client 192.168.1.1 4321 tcp

Step 18: Initiate a tcp connection from DUT1 to DUT2 and try to send some messages between both endpoints:

  admin@DUT2$ monitor test connection server 1234 tcp
  admin@DUT1$ monitor test connection client 10.0.0.2 1234 tcp

Step 19: Initiate a tcp connection from DUT1 to DUT2 and try to send some messages between both endpoints:

  admin@DUT2$ monitor test connection server 4321 tcp
  admin@DUT1$ monitor test connection client 10.0.0.2 4321 tcp
Step 20: Modify the following configuration lines in DUT0:

  set service traffic-group-sync EMPTY_FETCHER local-vrf MNGMT
  set service traffic-group-sync EMPTY_FETCHER poll-interval 1
  set service traffic-group-sync EMPTY_FETCHER url 'http://10.215.168.1/~robot/empty.json'
Note

Put an empty JSON dataset in the remote end-point:

  {
    "address": {
      "LAN_ADDR": [],
      "WAN_ADDR": []
    },
    "port": {
      "SYS_PORT": []
    }
  }
Step 21: Run command traffic group show at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+-\s+traffic-group-sync EMPTY_FETCHER
  WAN_ADDR\s+-\s+traffic-group-sync EMPTY_FETCHER
  SYS_PORT\s+-\s+traffic-group-sync EMPTY_FETCHER

Output:

  Elements for address traffic groups
  ----------------------------------------------------
  name       elements   source
  ----------------------------------------------------
  LAN_ADDR   -          traffic-group-sync EMPTY_FETCHER
  WAN_ADDR   -          traffic-group-sync EMPTY_FETCHER

  Elements for port traffic groups
  ----------------------------------------------------
  name       elements   source
  ----------------------------------------------------
  SYS_PORT   -          traffic-group-sync EMPTY_FETCHER
Note

Reload instance ACL_FETCHER to restore traffic elements.
Step 22: Run command service traffic-group-sync ACL_FETCHER reload at DUT0 and check if output contains the following tokens:

  3 groups were updated

Output:

  3 groups were updated!
Step 23: Run command traffic group show at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+192\.168\.1\.0/24\s+traffic-group-sync ACL_FETCHER
  WAN_ADDR\s+10\.0\.0\.2\s+traffic-group-sync ACL_FETCHER
  SYS_PORT\s+((1234,\s+4321)|(4321,\s+1234))\s+traffic-group-sync ACL_FETCHER

Output:

  Elements for address traffic groups
  --------------------------------------------------------
  name       elements         source
  --------------------------------------------------------
  LAN_ADDR   192.168.1.0/24   traffic-group-sync ACL_FETCHER
  WAN_ADDR   10.0.0.2         traffic-group-sync ACL_FETCHER

  Elements for port traffic groups
  ----------------------------------------------------
  name       elements         source
  ----------------------------------------------------
  SYS_PORT   1234, 4321       traffic-group-sync ACL_FETCHER
Step 24: Modify the following configuration lines in DUT0:

  delete service
Step 25: Run command traffic group show at DUT0 and check if output matches the following regular expressions:

  LAN_ADDR\s+192\.168\.1\.2\s+configuration
  WAN_ADDR\s+10\.0\.0\.2\s+configuration
  SYS_PORT\s+-\s+configuration

Output:

  Elements for address traffic groups
  ------------------------------------
  name       elements       source
  ------------------------------------
  LAN_ADDR   192.168.1.2    configuration
  WAN_ADDR   10.0.0.2       configuration

  Elements for port traffic groups
  ---------------------------------
  name       elements       source
  ---------------------------------
  SYS_PORT   -              configuration
Step 26: Ping IP address 192.168.1.1 from DUT1:

  admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1

Output:

  PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
  64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.210 ms

  --- 192.168.1.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.210/0.210/0.210/0.000 ms

Step 27: Ping IP address 10.0.0.1 from DUT2:

  admin@DUT2$ ping 10.0.0.1 count 1 size 56 timeout 1

Output:

  PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
  64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.247 ms

  --- 10.0.0.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.247/0.247/0.247/0.000 ms

Step 28: Ping IP address 10.0.0.2 from DUT1:

  admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1

Output:

  PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
  64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.422 ms

  --- 10.0.0.2 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.422/0.422/0.422/0.000 ms