Connlimit

Contents

The following scenario shows how to filter packets based on the number of simultaneous connections.

Test System Drop Over Connections

Description

This scenario shows how to limit the number of simultaneous system connections using traffic selectors

Scenario

Note

In the example below, we use NSM operation on both DUT1 and DUT2 devices to establish two ICMP connections.

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 10.0.1.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy local-in DROP_CONNLIMIT
set traffic policy DROP_CONNLIMIT rule 1 action drop
set traffic policy DROP_CONNLIMIT rule 1 selector CONNLIMIT_SEL
set traffic selector CONNLIMIT_SEL rule 1 connlimit 2
set traffic selector CONNLIMIT_SEL rule 1 protocol icmp
set traffic selector CONNLIMIT_SEL rule 1 state new

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth1 address 10.0.1.2/24
set service nsm operation TEST_OPER_1 destination-address 10.0.0.1
set service nsm operation TEST_OPER_1 interval 0.10
set service nsm operation TEST_OPER_1 type icmp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 10.0.0.3/24
set service nsm operation TEST_OPER_1 destination-address 10.0.0.1
set service nsm operation TEST_OPER_1 interval 0.10
set service nsm operation TEST_OPER_1 type icmp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command system conntrack show protocol icmp destination 10.0.0.1 at DUT1 and expect this output:

Show output

icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=40715 packets=14 bytes=448 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=40715 packets=14 bytes=448 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 5: Run command service nsm operation show at DUT1 and expect this output:

Show output

-------------------------------------------------------------------------------------------
 Operation   Alarm  Status    RTT(s)    Jitter(s)   Loss(%)   Window  Toggled  Prev-toggled
-------------------------------------------------------------------------------------------
TEST_OPER_1  ---    ---     0.000233    0.000006    0.000000  2/2     ---      ---

Step 6: Run command system conntrack show protocol icmp destination 10.0.0.1 at DUT2 and expect this output:

Show output

icmp     1 29 src=10.0.0.3 dst=10.0.0.1 type=8 code=0 id=17644 packets=6 bytes=192 src=10.0.0.1 dst=10.0.0.3 type=0 code=0 id=17644 packets=6 bytes=192 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 7: Run command service nsm operation show at DUT2 and expect this output:

Show output

-------------------------------------------------------------------------------------------
 Operation   Alarm  Status    RTT(s)    Jitter(s)   Loss(%)   Window  Toggled  Prev-toggled
-------------------------------------------------------------------------------------------
TEST_OPER_1  ---    ---     0.000296    0.000019    0.000000  2/2     ---      ---

Step 8: Expect a failure in the following command: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1

Show output

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4084ms

Step 9: Expect a failure in the following command: Ping IP address 10.0.1.1 from DUT1:

admin@DUT1$ ping 10.0.1.1 count 5 size 56 timeout 1

Show output

PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.

--- 10.0.1.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4098ms

Note

In this case, both pings fail because the policy is applied at system level.

---

Test Interface Drop Over Connections

Description

This scenario shows how to limit the number of simultaneous interface connections using traffic selectors

Scenario

Note

In the example below, we use NSM operation on both DUT1 and DUT2 devices to establish two ICMP connections.

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-in DROP_CONNLIMIT
set interfaces ethernet eth1 address 10.0.1.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DROP_CONNLIMIT rule 1 action drop
set traffic policy DROP_CONNLIMIT rule 1 selector CONNLIMIT_SEL
set traffic selector CONNLIMIT_SEL rule 1 connlimit 2
set traffic selector CONNLIMIT_SEL rule 1 protocol icmp
set traffic selector CONNLIMIT_SEL rule 1 state new

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth1 address 10.0.1.2/24
set service nsm operation TEST_OPER_1 destination-address 10.0.0.1
set service nsm operation TEST_OPER_1 interval 0.10
set service nsm operation TEST_OPER_1 type icmp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 10.0.0.3/24
set service nsm operation TEST_OPER_1 destination-address 10.0.0.1
set service nsm operation TEST_OPER_1 interval 0.10
set service nsm operation TEST_OPER_1 type icmp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command system conntrack show protocol icmp destination 10.0.0.1 at DUT1 and expect this output:

Show output

icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=41161 packets=14 bytes=448 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=41161 packets=14 bytes=448 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 5: Run command service nsm operation show at DUT1 and expect this output:

Show output

-------------------------------------------------------------------------------------------
 Operation   Alarm  Status    RTT(s)    Jitter(s)   Loss(%)   Window  Toggled  Prev-toggled
-------------------------------------------------------------------------------------------
TEST_OPER_1  ---    ---     0.000261    0.000092    0.000000  2/2     ---      ---

Step 6: Run command system conntrack show protocol icmp destination 10.0.0.1 at DUT2 and expect this output:

Show output

icmp     1 29 src=10.0.0.3 dst=10.0.0.1 type=8 code=0 id=17965 packets=8 bytes=256 src=10.0.0.1 dst=10.0.0.3 type=0 code=0 id=17965 packets=8 bytes=256 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 7: Run command service nsm operation show at DUT2 and expect this output:

Show output

-------------------------------------------------------------------------------------------
 Operation   Alarm  Status    RTT(s)    Jitter(s)   Loss(%)   Window  Toggled  Prev-toggled
-------------------------------------------------------------------------------------------
TEST_OPER_1  ---    ---     0.000311    0.000021    0.000000  2/2     ---      ---

Step 8: Expect a failure in the following command: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 5 size 56 timeout 1

Show output

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4101ms

Step 9: Ping IP address 10.0.1.1 from DUT1:

admin@DUT1$ ping 10.0.1.1 count 5 size 56 timeout 1

Show output

PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=0.247 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=0.252 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=64 time=0.215 ms
64 bytes from 10.0.1.1: icmp_seq=4 ttl=64 time=0.223 ms
64 bytes from 10.0.1.1: icmp_seq=5 ttl=64 time=0.226 ms

--- 10.0.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4091ms
rtt min/avg/max/mdev = 0.215/0.232/0.252/0.014 ms

Note

In this case, the second ping succeeds because the policy is applied at interface level.

---

Test Interface Log Under Connections

Description

This scenario shows how to log new incomming connections using traffic selectors

Scenario

Note

In the example below, we use NSM operation on both DUT1 and DUT2 devices to establish two ICMP connections.

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth0 traffic policy local-in DROP_CONNLIMIT
set interfaces ethernet eth1 address 10.0.1.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DROP_CONNLIMIT rule 1 action accept
set traffic policy DROP_CONNLIMIT rule 1 log prefix Incomming_connection
set traffic policy DROP_CONNLIMIT rule 1 selector CONNLIMIT_SEL
set traffic selector CONNLIMIT_SEL rule 1 not connlimit 2
set traffic selector CONNLIMIT_SEL rule 1 protocol icmp
set traffic selector CONNLIMIT_SEL rule 1 state new

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth1 address 10.0.1.2/24
set service nsm operation TEST_OPER_1 destination-address 10.0.0.1
set service nsm operation TEST_OPER_1 interval 0.10
set service nsm operation TEST_OPER_1 type icmp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 10.0.0.3/24
set service nsm operation TEST_OPER_1 destination-address 10.0.0.1
set service nsm operation TEST_OPER_1 interval 0.10
set service nsm operation TEST_OPER_1 type icmp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command system conntrack show protocol icmp destination 10.0.0.1 at DUT1 and expect this output:

Show output

icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=41615 packets=14 bytes=448 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=41615 packets=14 bytes=448 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 5: Run command service nsm operation show at DUT1 and expect this output:

Show output

-------------------------------------------------------------------------------------------
 Operation   Alarm  Status    RTT(s)    Jitter(s)   Loss(%)   Window  Toggled  Prev-toggled
-------------------------------------------------------------------------------------------
TEST_OPER_1  ---    ---     0.000610    0.000345    0.000000  2/2     ---      ---

Step 6: Run command system conntrack show protocol icmp destination 10.0.0.1 at DUT2 and expect this output:

Show output

icmp     1 29 src=10.0.0.3 dst=10.0.0.1 type=8 code=0 id=18288 packets=5 bytes=160 src=10.0.0.1 dst=10.0.0.3 type=0 code=0 id=18288 packets=5 bytes=160 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 7: Run command service nsm operation show at DUT2 and expect this output:

Show output

-------------------------------------------------------------------------------------------
 Operation   Alarm  Status    RTT(s)    Jitter(s)   Loss(%)   Window  Toggled  Prev-toggled
-------------------------------------------------------------------------------------------
TEST_OPER_1  ---    ---     0.000273    0.000046    0.000000  2/2     ---      ---

Step 8: Ping IP address 10.0.1.1 from DUT1:

admin@DUT1$ ping 10.0.1.1 count 5 size 56 timeout 1

Show output

PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=0.390 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=0.275 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=64 time=0.220 ms
64 bytes from 10.0.1.1: icmp_seq=4 ttl=64 time=0.126 ms
64 bytes from 10.0.1.1: icmp_seq=5 ttl=64 time=0.274 ms

--- 10.0.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4100ms
rtt min/avg/max/mdev = 0.126/0.257/0.390/0.085 ms

Step 9: Run command system journal show | grep ACCEPT at DUT0 and expect this output:

Show output

Mar 20 15:32:05.312148 osdx kernel: [Incomming_connection-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=38043 DF PROTO=ICMP TYPE=8 CODE=0 ID=41615 SEQ=1
Mar 20 15:32:06.369024 osdx kernel: [Incomming_connection-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:20:08:00 SRC=10.0.0.3 DST=10.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=59420 DF PROTO=ICMP TYPE=8 CODE=0 ID=18288 SEQ=1

Note

As you can see in the output of the previous command, only the first two incoming connections are logged in the journal.

---