Skip to content

Example: interface inspection with selective egress drop

Alt text

r1

hostname r1
vrf def v1
 rd 1:1
 exit
int lo0
 vrf for v1
 ipv4 addr 2.2.2.1 255.255.255.255
 ipv6 addr 4321::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 exit
int eth1
 vrf for v1
 ipv4 addr 1.1.1.1 255.255.255.0
 ipv6 addr 1234:1::1 ffff:ffff::
 ipv6 host-static 1234:1::2 0000.0000.2222
 exit
ipv4 route v1 2.2.2.2 255.255.255.255 1.1.1.2
ipv4 route v1 2.2.2.3 255.255.255.255 1.1.1.2
ipv6 route v1 4321::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1234:1::2
ipv6 route v1 4321::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1234:1::2

r2

hostname r2
vrf def v1
 rd 1:1
 exit
int lo0
 vrf for v1
 ipv4 addr 2.2.2.2 255.255.255.255
 ipv6 addr 4321::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 exit
access-list test4
 permit all 2.2.2.3 255.255.255.255 all any all
 exit
access-list test6
 permit all 4321::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all any all
 exit
int eth1
 vrf for v1
 ipv4 addr 1.1.1.2 255.255.255.0
 ipv6 addr 1234:1::2 ffff:ffff::
 ipv6 host-static 1234:1::1 0000.0000.1111
 ipv4 inspect mac drop-tx allow-list test4
 ipv6 inspect mac drop-tx allow-list test6
 exit
int eth2
 vrf for v1
 ipv4 addr 1.1.2.2 255.255.255.0
 ipv6 addr 1234:2::2 ffff:ffff::
 exit
ipv4 route v1 2.2.2.1 255.255.255.255 1.1.1.1
ipv4 route v1 2.2.2.3 255.255.255.255 1.1.2.3
ipv6 route v1 4321::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1234:1::1
ipv6 route v1 4321::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1234:2::3

r3

hostname r3
vrf def v1
 rd 1:1
 exit
int lo0
 vrf for v1
 ipv4 addr 2.2.2.3 255.255.255.255
 ipv6 addr 4321::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 exit
int eth1
 vrf for v1
 ipv4 addr 1.1.2.3 255.255.255.0
 ipv6 addr 1234:2::3 ffff:ffff::
 exit
ipv4 route v1 2.2.2.1 255.255.255.255 1.1.2.2
ipv4 route v1 2.2.2.2 255.255.255.255 1.1.2.2
ipv6 route v1 4321::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1234:2::2
ipv6 route v1 4321::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1234:2::2
r1 tping 100 10 2.2.2.2 vrf v1 sou lo0
r1 tping 100 10 4321::2 vrf v1 sou lo0
r1 tping 100 10 2.2.2.3 vrf v1 sou lo0
r1 tping 100 10 4321::3 vrf v1 sou lo0
r2 tping 0 10 2.2.2.1 vrf v1 sou lo0
r2 tping 0 10 4321::1 vrf v1 sou lo0
r2 tping 100 10 2.2.2.3 vrf v1 sou lo0
r2 tping 100 10 4321::3 vrf v1 sou lo0
r3 tping 100 10 2.2.2.1 vrf v1 sou lo0
r3 tping 100 10 4321::1 vrf v1 sou lo0
r3 tping 100 10 2.2.2.2 vrf v1 sou lo0
r3 tping 100 10 4321::2 vrf v1 sou lo0
r2 output show ipv4 insp eth1
r2 output show ipv6 insp eth1
r2 output show ipv4 top eth1
r2 output show ipv6 top eth1
  1. Install ContainerLab as described here
  2. Fetch crypt-insp11 file
  3. Launch ContainerLab crypt-insp11.yml topology:

   containerlab deploy --topo crypt-insp11.yml  
4. Destroy ContainerLab crypt-insp11.yml topology:

   containerlab destroy --topo crypt-insp11.yml  
5. Copy-paste configuration for each node in the lab topology

  1. Fetch or compile freeRtr rtr.jar file.
    You can grab it here
  2. Fetch crypt-insp11.tst file here
  3. Launch crypt-insp11.tst test:

   java -jar ../../rtr.jar test tester crypt-insp11 path ./ temp ./ wait
4. Destroy freeRtr crypt-insp11.tst test:

   Ctrl-C (In freeRtr test window)