Traffic Policy

This chapter covers some aspects of traffic policy, a set of rules that allows us to perform different actions on network packets, such as packet mangling (ToS, TTL, etc.), PBR (Policy-Based Routing), firewalling, or rate limiting.

Policies can be applied to the different types of traffic:

  • link traffic: incoming level 2 traffic (only for physical devices).

  • in traffic: incoming traffic.

  • out traffic: outgoing traffic.

  • local-in: local incoming traffic.

  • local-out: local outgoing traffic.

Every traffic policy contains a set of rules that are processed in order. If a rule has a traffic selector configured and the network packet matches at least one of the selector rules, policy actions are applied. If the policy rule has no traffic selector configured, then all packets will match.

Here you can find more information about traffic selectors.

Policy rules always perform an action, the default one being to accept the packet; i.e., no more policy rules are processed. This default behavior can be changed by setting the action field. For example, with the drop action we can drop a packet. Therefore, later stages or hooks in the network path will not be aware of the existence of that packet. Another useful action is continue. This can be set to change some fields in the packet (like dscp, ttl, tcp-mss) and continue the policy rule processing.

Configuration command traffic policy <txt> rule <u32> advisor <txt> can be used to dynamically enable/disable a policy rule depending on an advisor status. If the advisor is enabled, the policy rule will be enabled too. Otherwise, the policy rule will be disabled and it will be skipped.

Traffic policies can also be used for QoS pre-classification, ensuring packets are automatically assigned to the appropriate traffic control class without executing any filter. As a result, packet processing is optimized, and performance is improved.

Here you can find more information about traffic control.

Configuration

This is the syntax to create a traffic policy:

set traffic policy <policy_name> [ ... ]

In order to assign a traffic policy to an interface, you have to use the following command:

set interfaces <if_type> <if_name> traffic policy <in / out / local-in / local-out> <policy_name> [priority <priority>]

Traffic policies can also be configured globally. This means that the policy rules will be evaluated regardless of the input/output interface. They can be configured by using the following command:

set system traffic policy <in / out / local-in / local-out> <policy_name> [priority <priority>]

Since traffic policies can be configured at both interface and system levels, it is important to define the execution order using the priority field. This field indicates at what point in the network path the traffic policy will be executed. Higher priority means it will be executed earlier. If an interface policy has the same priority as a system policy, the one attached to the interface will be executed before.

Attention

priority must be carefully chosen because the actions that a traffic policy performs may affect the following traffic policies. For example, a traffic policy with very-high priority could mangle a packet and subsequent traffic policies may not even be processed.

The priority field can also be used to indicate whether the traffic policy has to be executed before or after NAT (Network Address Translation) rules. Traffic policies configured with a very-high or high priority will be executed before NAT. Traffic policies configured with a low or very-low priority will be executed afterwards.

Finally, some traffic policies can also be attached to the link hooks of physical interfaces (Ethernet, Cellular, etc). In this case, you have to use the following commands:

set interfaces <if_type> <if_name> traffic policy <link-in / link-out> <policy_name>

Examples

Let's suppose we want to define a traffic policy to process outgoing traffic. We need to mark all packets that match the SEL_1 selector, and we want to drop all packets that match SEL_2.

To create that policy, we have to type the following commands:

set traffic policy POLICY_1 rule 1 selector SEL_1
set traffic policy POLICY_1 rule 1 set mark 1
set traffic policy POLICY_1 rule 2 selector SEL_2
set traffic policy POLICY_1 rule 2 action drop

Now, if we want to attach that traffic policy to a specific interface, we can use the following command:

set interfaces ethernet eth1 traffic policy out POLICY_1

On the other hand, if we want to always execute that traffic policy (regardless of the interface the packet traverses), we would use this command:

set system traffic policy out POLICY_1

Here, you can find more examples related to traffic policies.

Port Mirroring

Port mirroring allows you to duplicate network traffic for monitoring, analysis, or security purposes. The original packet continues its normal path while a copy is sent to another destination.

OSDx supports two types of port mirroring:

Local Mirror

Local mirroring duplicates traffic to another physical interface on the same device. This type of mirroring can only be used with link-in and link-out traffic policies attached to physical interfaces.

Example:

Let’s suppose we want to mirror all incoming traffic from eth0 to eth2, where a monitoring device is connected.

set traffic policy MIRROR_LOCAL rule 1 duplicate device eth2
set interfaces ethernet eth0 traffic policy link-in MIRROR_LOCAL

Note

Local mirror is only available for interfaces using link-in or link-out hooks.

Remote Mirror

Remote mirroring sends a copy of the traffic to a remote IP address (IPv4 or IPv6). This type of mirroring can be used with in, out, local-in, and local-out traffic policies.

The duplicated packet is sent to the specified IP address using the normal routing table. Optionally, you can specify an output interface or VRF to control the path of the mirrored traffic.

Example 1: Basic remote mirroring

set traffic policy MIRROR_REMOTE rule 1 duplicate remote 192.168.100.50
set interfaces ethernet eth0 traffic policy in MIRROR_REMOTE

Example 2: Remote mirroring with output interface

set traffic policy MIRROR_REMOTE rule 1 duplicate remote 192.168.100.50 local-interface eth1
set interfaces ethernet eth0 traffic policy in MIRROR_REMOTE

Example 3: Remote mirroring with VRF

set traffic policy MIRROR_REMOTE rule 1 duplicate remote 192.168.100.50 local-vrf MGMT
set interfaces ethernet eth0 traffic policy in MIRROR_REMOTE
set system vrf MGMT

Attention

Remote mirror is not available for link-in or link-out hooks. You cannot configure both local and remote mirroring in the same rule.

Warning

Be careful when configuring port mirroring to avoid traffic loops. Incorrect configurations may cause mirrored traffic to be duplicated multiple times, potentially affecting network performance.

Here, you can find more examples related to traffic policy duplicate feature.

Monitoring

The traffic policy <txt> show detailed operational command can be used to display some network statistics.

Example:

admin@osdx$ traffic policy show detailed
Policy SET_VRF -- ifc eth0 -- hook in

---------------------------------------------------------------------
rule      selector     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------------
1      ACTION_TRIGGER           7          7          444         444
---------------------------------------------------------------------
Total                           7          7          444         444

Selector ACTION_TRIGGER (Policy SET_VRF -- ifc eth0 -- hook in -- rule 1)

---------------------------------------------------------
  rule     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------
1 (excl.)           0          7            0         444
2                   7          7          444         444
---------------------------------------------------------
Total               7          7          444         444
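As an added example (not part of the OSDx documentation), the following Python script parses the show detailed output above into per-rule counters and flags rules that were evaluated but never matched, which is the quickest way to confirm that a drop, mark or mirror rule is actually firing on the intended traffic:

```python
import re

# Constructed sample: the `traffic policy show detailed` output quoted on this page.
SAMPLE = """\
Policy SET_VRF -- ifc eth0 -- hook in
---------------------------------------------------------------------
rule      selector     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------------
1      ACTION_TRIGGER           7          7          444         444
---------------------------------------------------------------------
Total                           7          7          444         444

Selector ACTION_TRIGGER (Policy SET_VRF -- ifc eth0 -- hook in -- rule 1)
---------------------------------------------------------
  rule     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------
1 (excl.)           0          7            0         444
2                   7          7          444         444
---------------------------------------------------------
Total               7          7          444         444
"""
HEADER_RE = re.compile(r"^(Policy|Selector)\s+(\S+)(.*)$")
COUNTERS = ("pkts_match", "pkts_eval", "bytes_match", "bytes_eval")

def parse_show_detailed(text):
    """Split the output into Policy/Selector sections, each with its rule counters."""
    sections, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        # Skip blanks, separator dashes, column headers and the Total row.
        if not line or line[0] == "-" or line.startswith(("rule", "Total")):
            continue
        m = HEADER_RE.match(line)
        if m:
            kind, name, rest = m.groups()
            # "-- ifc eth0 -- hook in -- rule 1" becomes {"ifc": "eth0", ...}
            attrs = dict(re.findall(r"--\s+(\w+)\s+(\w+)", rest))
            current = {"kind": kind, "name": name, "attrs": attrs, "rules": []}
            sections.append(current)
        elif current is not None and (tokens := line.split())[0].isdigit() and len(tokens) >= 5:
            # Middle tokens are the selector name (Policy table) or the "(excl.)" flag.
            row = {"rule": int(tokens[0]), "label": " ".join(tokens[1:-4])}
            row.update(zip(COUNTERS, map(int, tokens[-4:])))
            current["rules"].append(row)
    return sections

def never_matching(sections):
    """Rules evaluated at least once that never matched: their selector is not
    firing, so the action they carry is never applied to the traffic."""
    return [(s["kind"], s["name"], r["rule"]) for s in sections for r in s["rules"]
            if r["pkts_eval"] > 0 and r["pkts_match"] == 0]
```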
