OSDx Documentation Logo
v4.2.7.0
  • About
  • Releases

First steps

  • Setting Up
  • Quick Start
  • Licensing
  • CLI Overview
  • Configuration Management

Admin Guide

  • System Administration
  • Articles
  • Troubleshooting
  • Examples
    • Basic
    • Interfaces
      • Bonding
      • Bridge
        • Address
        • Fdb
        • Hardware-Offload
        • Mac
        • Stp
        • Traffic
      • Cellular
      • Dummy
      • Ethernet
      • Tunnel
      • Vti
      • Vxlan
      • Wlan
    • Protocols
    • Service
    • System
    • Tech Support
    • Traffic
    • User-Level
    • Vpn

Command reference

  • Configuration commands
  • Operational commands
OSDx Documentation
  • Examples
  • Interfaces
  • Bridge
  • Traffic
  • Policy
  • Link-In
  • Check Link Hook
  • View page source

Check Link Hook

This scenario shows how to attach a traffic policy to the link-in hook in a bridge interface. This hook is triggered at a very early stage of the network packet stack (level 2 layer).

../../../../../../_images/topology42.svg

Test Early Packet Drop

Description

A traffic policy is configured in DUT0 to drop all incoming traffic at the link-in stage. ARP and ICMP packets are allowed.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces bridge br0 address 10.0.0.1/24
set interfaces bridge br0 traffic policy link-in EDROP_POLICY
set interfaces ethernet eth0 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy EDROP_POLICY rule 1 action accept
set traffic policy EDROP_POLICY rule 1 selector ACCEPT_SEL
set traffic policy EDROP_POLICY rule 2 action drop
set traffic selector ACCEPT_SEL rule 1 protocol icmp
set traffic selector ACCEPT_SEL rule 2 ether-type arp

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 vrf A
set interfaces ethernet eth1 address 10.0.0.3/24
set interfaces ethernet eth1 vrf B
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf A
set system vrf B

Step 3: Send arp ping from DUT1 to IP address 10.0.0.1:

admin@DUT1$ arping 10.0.0.1 interface eth0 timeout 5 count 1
Show output
ARPING 10.0.0.1 from 10.0.0.2 eth0
Unicast reply from 10.0.0.1 [DE:AD:BE:EF:6C:00]  0.810ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

Step 4: Send arp ping from DUT1 to IP address 10.0.0.1:

admin@DUT1$ arping 10.0.0.1 interface eth1 timeout 5 count 1
Show output
ARPING 10.0.0.1 from 10.0.0.3 eth1
Unicast reply from 10.0.0.1 [DE:AD:BE:EF:6C:00]  0.697ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

Step 5: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 vrf A count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: A
PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 A: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.285 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.285/0.285/0.285/0.000 ms

Step 6: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 vrf B count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: B
PING 10.0.0.1 (10.0.0.1) from 10.0.0.3 B: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.281 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.281/0.281/0.281/0.000 ms

Step 7: Ping IP address 10.0.0.3 from DUT1:

admin@DUT1$ ping 10.0.0.3 vrf A count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: A
PING 10.0.0.3 (10.0.0.3) from 10.0.0.2 A: 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.213 ms

--- 10.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms

Step 8: Expect a failure in the following command: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints

admin@DUT0$ monitor test connection server 2000 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 2000 tcp vrf A

Step 9: Expect a failure in the following command: Initiate a udp connection from DUT1 to DUT0 and try to send some messages between both endpoints

admin@DUT0$ monitor test connection server 3000 udp
admin@DUT1$ monitor test connection client 10.0.0.1 3000 udp vrf A

Step 10: Expect a failure in the following command: Initiate a tcp connection from DUT1 to DUT0 and try to send some messages between both endpoints

admin@DUT0$ monitor test connection server 2000 tcp
admin@DUT1$ monitor test connection client 10.0.0.1 2000 tcp vrf B

Step 11: Expect a failure in the following command: Initiate a udp connection from DUT1 to DUT0 and try to send some messages between both endpoints

admin@DUT0$ monitor test connection server 3000 udp
admin@DUT1$ monitor test connection client 10.0.0.1 3000 udp vrf B

Step 12: Run command traffic policy show at DUT0 and check if output matches the following regular expressions:

1\s+ACCEPT_SEL\s+\b[^0]\d*
Show output
Policy EDROP_POLICY -- ifc br0 -- hook link-in prio very-high

-----------------------------------------------------------------
rule    selector   pkts match  pkts eval  bytes match  bytes eval
-----------------------------------------------------------------
1      ACCEPT_SEL          11         37          420        2764
2      -                   26         26         2344        2344
-----------------------------------------------------------------
Total                      37         37         2764        2764
Previous Next

© Copyright 2025, Teldat.

Built with Sphinx using a theme provided by Read the Docs.