Policy Traffic Filtering HowTo

This document walks through an example use case showing how the policy traffic filter can be applied on a switch port.

For an overview of what Policy Traffic Filtering is and how it may be configured, refer to:

iface: vlan10, 10.0.0.0/16                            iface: vlan20, 192.168.1.0/24
.-------------------------------------.               .------.     
|                 S1                  | eth4     eth4 |      |
| eth1           eth2            eth3 +---------------+  S2  |
|VLAN10         VLAN10          VLAN20|  VLAN Trunk   |VLAN20|
'--+---------------+---------------+--'               '--+---'
   |.1             |.1             |.2                   |.1
   |               |               |                     |
   |.11            |.12            |.20                  |.25 
.--+--.         .--+--.         .--+--.               .--+--.
|  H1 |         |  H2 |         |  H3 |               |  H4 |
'-----'         '-----'         '-----'               '-----'

Figure 1: Policy Traffic Filtering setup with four end devices connected through two switches.

In an individual network there may be a need to accept or deny specific hosts or devices. To keep the applied rules valid over time it is recommended to match on the MAC address of the host: a rule that matches on the host's IP address silently stops applying when that address changes, which happens whenever addresses are assigned dynamically (DHCP) without a fixed reservation. Matching on IP addresses is only reliable where static address allocation is used. Keep in mind that neither a MAC nor an IP address authenticates a host; both can be set freely on an attacker-controlled device, so a filter on either is a forwarding constraint, not an identity check.

In the following example the desired behaviour is:

  • Only traffic tagged with VLAN 20, with a source IP address from the VLAN 20 subnet (192.168.1.0/24) and the destination IP address of H3 (192.168.1.20), may ingress interface eth4 on S1.
  • Only frames with the source MAC address of H2 (which sits on VLAN 10) may egress interface eth4 on S1; everything else is dropped.

Note that the second rule matches the source MAC as it appears on the frame leaving eth4. It therefore only covers frames from H2 that S1 bridges unchanged; if S1 routes H2's traffic into another VLAN, the forwarded frame carries S1's own MAC as source and will not match the H2 filter.

Configuration

First we start off by creating the policy groups and their filters.

example:/#> configure
example:/config/#> policy
example:/config/policy/#> ingress-policy net
example:/config/policy/ingress-policy-1/#> filter 1
example:/config/policy/ingress-policy-1/filter-1/#> match saddr 192.168.1.0/24
example:/config/policy/ingress-policy-1/filter-1/#> match daddr 192.168.1.20
example:/config/policy/ingress-policy-1/filter-1/#> action accept
example:/config/policy/ingress-policy-1/filter-1/#> exit
example:/config/policy/ingress-policy-1/#> description Allow VLAN 20 to H3
example:/config/policy/ingress-policy-1/#> exit
example:/config/policy/#> egress-policy management
example:/config/policy/egress-policy-1/#> filter 1
example:/config/policy/egress-policy-1/filter-1/#> match smac 00:11:b4:39:8e:20
example:/config/policy/egress-policy-1/filter-1/#> action accept
example:/config/policy/egress-policy-1/filter-1/#> exit
example:/config/policy/egress-policy-1/#> description Allow management from H2
example:/config/policy/egress-policy-1/#> exit
example:/config/policy/#>

Now our policies have been created. However, they are yet to be applied to any port.

example:/config/policy/#> port eth4
example:/config/policy/port-eth4/#> ingress-chain
example:/config/policy/port-eth4/ingress-chain/#> ingress net vid 20
example:/config/policy/port-eth4/ingress-chain/#> default-action drop
example:/config/policy/port-eth4/ingress-chain/#> exit
example:/config/policy/port-eth4/#> exit
example:/config/policy/#> port eth4
example:/config/policy/port-eth4/#> egress-chain
example:/config/policy/port-eth4/egress-chain/#> egress management
example:/config/policy/port-eth4/egress-chain/#> default-action drop
example:/config/policy/port-eth4/egress-chain/#> exit
example:/config/policy/port-eth4/#> exit
example:/config/policy/#> leave
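To check what the two chains above actually let through before deploying them, the following model re-implements their evaluation against constructed frames. It is an added illustration for this how-to, not code from the switch or its vendor: it assumes first-match evaluation in position order, that all match fields of one filter must hold together (as the status output for filter 1 suggests), that a policy which matches nothing falls through to the chain's default action, and that a `vid` qualifier skips the entry for frames of other VLANs. H2's MAC is the one from the transcript; all other MAC addresses are made up for the example, and the IP addresses come from Figure 1.

```python
"""Model of the eth4 ingress/egress policy chains from the transcript above.

Added illustration, not the switch's own code. Semantics (first match wins,
AND of match fields, default action when nothing matches) are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    vid: int
    smac: str
    dmac: str
    saddr: Optional[str] = None  # IPv4 source, None for non-IP frames
    daddr: Optional[str] = None


@dataclass
class Filter:
    """One 'filter N' entry: every configured match must hold (logical AND)."""
    action: str                  # "accept" or "drop"
    saddr: Optional[str] = None  # CIDR or single host
    daddr: Optional[str] = None
    smac: Optional[str] = None

    def matches(self, f: Frame) -> bool:
        if self.smac is not None and f.smac.lower() != self.smac.lower():
            return False
        for want, have in ((self.saddr, f.saddr), (self.daddr, f.daddr)):
            if want is None:
                continue
            if have is None:  # non-IP frame cannot satisfy an IP match
                return False
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


@dataclass
class Policy:
    name: str
    filters: list  # evaluated in position order, first match wins

    def evaluate(self, f: Frame) -> Optional[str]:
        for flt in self.filters:
            if flt.matches(f):
                return flt.action
        return None  # policy did not decide; chain continues


@dataclass
class ChainEntry:
    policy: Policy
    vid: Optional[int] = None  # 'vid 20' restricts the entry to that VLAN; None = all


@dataclass
class Chain:
    entries: list
    default_action: str = "drop"

    def evaluate(self, f: Frame) -> str:
        for e in self.entries:
            if e.vid is not None and e.vid != f.vid:
                continue
            verdict = e.policy.evaluate(f)
            if verdict is not None:
                return verdict
        return self.default_action


# The configuration from the transcript (H2's MAC is the one used there).
H2_MAC = "00:11:b4:39:8e:20"
net = Policy("net", [Filter("accept", saddr="192.168.1.0/24", daddr="192.168.1.20")])
management = Policy("management", [Filter("accept", smac=H2_MAC)])
eth4_ingress = Chain([ChainEntry(net, vid=20)], default_action="drop")
eth4_egress = Chain([ChainEntry(management)], default_action="drop")

# Constructed MACs for the other devices (assumptions, not from the page).
H1_MAC, H3_MAC, H4_MAC, S2_MAC = ("02:00:00:00:00:11", "02:00:00:00:00:20",
                                  "02:00:00:00:00:25", "02:00:00:00:00:02")


def check_examples() -> dict:
    """Verdicts for a set of constructed frames on eth4 of S1."""
    return {
        # H4 -> H3 inside VLAN 20: the only traffic the ingress chain admits
        "h4_to_h3": eth4_ingress.evaluate(Frame(20, H4_MAC, H3_MAC, "192.168.1.25", "192.168.1.20")),
        # H4 -> H1: destination outside the filter, default drop
        "h4_to_h1": eth4_ingress.evaluate(Frame(20, H4_MAC, H1_MAC, "192.168.1.25", "10.0.0.11")),
        # same addresses but tagged VLAN 10: 'vid 20' entry skipped, default drop
        "wrong_vid": eth4_ingress.evaluate(Frame(10, H4_MAC, H3_MAC, "192.168.1.25", "192.168.1.20")),
        # S2 (192.168.1.1) replying to H2 (10.0.0.12): not to H3, so dropped on ingress
        "s2_reply_to_h2": eth4_ingress.evaluate(Frame(20, S2_MAC, H2_MAC, "192.168.1.1", "10.0.0.12")),
        # egress: only H2's MAC may leave towards S2, regardless of VLAN
        "h2_egress": eth4_egress.evaluate(Frame(10, H2_MAC, S2_MAC, "10.0.0.12", "192.168.1.1")),
        "h1_egress": eth4_egress.evaluate(Frame(10, H1_MAC, S2_MAC, "10.0.0.11", "192.168.1.1")),
    }


if __name__ == "__main__":
    for name, verdict in check_examples().items():
        print(f"{name:16s} {verdict}")
```

The `s2_reply_to_h2` case is the one worth noticing: because the ingress chain ends in `default-action drop` and its only accepting filter is for traffic to H3, a reply from S2 to H2 is discarded on eth4 even though H2's outgoing frames are allowed to egress. If H2 is meant to manage S2 across this trunk, an additional ingress filter for that return traffic has to be added.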

Status

In order to see the currently applied policies and rules, the following command can be used. Pay attention to the Default-Drop rows in both chain tables: on eth4 nothing that is not explicitly accepted passes in that direction, so for instance replies from S2 towards H2 are dropped on ingress unless an accepting filter for that traffic is added to the ingress chain.

example:/#> show policy

Enabled : Yes

╒ Ingress-policies ══════════════════════════════════════════════════════════╕
│NAME                  FILTER  POS     ACTION      MATCH    VALUE            │
│1: net                                                                      │
│                      1       1       Accept      saddr:   192.168.1.0/24   │
│                                                  daddr:   192.168.1.20/32  │
│Description:                                                                │
│ Allow VLAN 20 to H3                                                        │
└────────────────────────────────────────────────────────────────────────────┘
╒ Egress-policies ═══════════════════════════════════════════════════════════╕
│NAME                  FILTER  POS     ACTION      MATCH    VALUE            │
│1: management                                                               │
│                      1       1       Accept      smac:    00:11:b4:39:8e:20│
│Description:                                                                │
│ Allow management...                                                        │
└────────────────────────────────────────────────────────────────────────────┘
╒ Ingress-chains ════════════════════════════════════════════════════════════╕
│PORTS             POS     VLAN    POLICY                                    │
│eth4                                                                        │
│                  1       20      1: net                                    │
│                          all     Default-Drop                              │
└────────────────────────────────────────────────────────────────────────────┘
╒ Egress-chains ═════════════════════════════════════════════════════════════╕
│PORTS             POS     VLAN    POLICY                                    │
│eth4                                                                        │
│                  1       all     1: management                             │
│                          all     Default-Drop                              │
└────────────────────────────────────────────────────────────────────────────┘