3.3. features

3.3.1. acl suite

3.3.1.1. Configure MACIP ACLs

Configure MACIP ACL with required number of not-hitting permit ACEs plus two hitting ACEs for both traffic directions. Arguments: - dut_node - DUT node. Type: dictionary - dut_if1 - DUT node interface1 name (Optional). Type: string - dut_if2 - DUT node interface2 name (Optional). Type: string Example: | Configure MACIP ACLs | ${nodes[‘DUT1’]} | GigabitEthernet0/7/0 | GigabitEthernet0/8/0 | _NOTE:_ This KW uses following test case variables: - src_ip_start - Source IP address start. Type: string - ip_step - IP address step. Type: string - src_mac_start - Source MAC address start in format with colons. Type: string - src_mac_step - Source MAC address step. Type: string - src_mac_mask - Source MAC address mask. 00:00:00:00:00:00 is a wildcard mask. Type: string - no_hit_aces_number - Number of not-hitting ACEs to be configured. Type: integer - acl_action - Action for the rule - deny, permit, permit+reflect. Type: string - tg_stream1_subnet - IP subnet used by TG in direction 0->1. Type: string - tg_stream2_subnet - IP subnet used by TG in direction 1->0. Type: string - tg_stream1_mac - Source MAC address of traffic stream 1. Type: string - tg_stream2_mac - Source MAC address of traffic stream 2. Type: string - tg_mac_mask - MAC address mask for traffic streams. 00:00:00:00:00:00 is a wildcard mask. Type: string


${src_ip_int} =  IP To Int  ${src_ip_start}
${src_ip_int} =  Evaluate  ${src_ip_int} - ${ip_step}
${ip_limit} =  Set Variable  255.255.255.255
${ip_limit_int} =  IP To Int  ${ip_limit}
${src_mac_int} =  Mac To Int  ${src_mac_start}
${src_mac_int} =  Evaluate  ${src_mac_int} - ${src_mac_step}
${mac_limit} =  Set Variable  ff:ff:ff:ff:ff:ff
${mac_limit_int} =  Mac To Int  ${mac_limit}
${acl}=  Set Variable  ipv4 permit
FOR  ${nr}  IN RANGE  0  ${no_hit_aces_number}
\    ${src_ip_int} =  Evaluate  ${src_ip_int} + ${ip_step}
\    ${src_mac_int} =  Evaluate  ${src_mac_int} + ${src_mac_step}
\    ${ipv4_limit_reached}=  Set Variable If  ${src_ip_int} > ${ip_limit_int}  ${TRUE}
\    ${mac_limit_reached}=  Set Variable If  ${src_mac_int} > ${mac_limit_int}  ${TRUE}
\    Run Keyword If  '${ipv4_limit_reached}' == '${TRUE}'  Log  Can't do more iterations - IPv4 address limit has been reached.  WARN
\    Run Keyword If  '${mac_limit_reached}' == '${TRUE}'  Log  Can't do more iterations - MAC address limit has been reached.  WARN
\    ${src_ip} =  Run Keyword If  '${ipv4_limit_reached}' == '${TRUE}'  Set Variable  ${ip_limit}  ELSE  Int To IP  ${src_ip_int}
\    ${src_mac}=  Run Keyword If  '${mac_limit_reached}' == '${TRUE}'  Set Variable  ${mac_limit}  ELSE  Int To Mac  ${src_mac_int}
\    ${acl}=  Catenate  ${acl}  ip ${src_ip}/32  mac ${src_mac}  mask ${src_mac_mask},
\    Exit For Loop If  '${ipv4_limit_reached}' == '${TRUE}' or '${mac_limit_reached}' == '${TRUE}'
${acl0}=  Catenate  ${acl}  ipv4 ${acl_action} ip ${tg_stream1_subnet} mac ${tg_stream1_mac}  mask ${tg_mac_mask}
${acl1}=  Catenate  ${acl}  ipv4 ${acl_action} ip ${tg_stream2_subnet} mac ${tg_stream2_mac}  mask ${tg_mac_mask}
Add Macip Acl Multi Entries  ${dut}  rules=${acl0}
Add Macip Acl Multi Entries  ${dut}  rules=${acl1}
${acl_idx}=  Set Variable  0
Run Keyword Unless  '${dut_if1}' == '${NONE}'  Add Del Macip Acl Interface  ${dut}  ${dut_if1}  add  ${acl_idx}
${acl_idx}=  Set Variable  1
Run Keyword Unless  '${dut_if2}' == '${NONE}'  Add Del Macip Acl Interface  ${dut}  ${dut_if2}  add  ${acl_idx}

3.3.1.2. Configure IPv4 ACLs

Configure ACL with required number of not-hitting permit ACEs plus two hitting ACEs for both traffic directions. Arguments: - dut_node - DUT node. Type: dictionary - dut_if1 - DUT node interface1 name (Optional). Type: string - dut_if2 - DUT node interface2 name (Optional). Type: string Example: | Configure IPv4 ACLs | ${nodes[‘DUT1’]} | GigabitEthernet0/7/0 | GigabitEthernet0/8/0 | _NOTE:_ This KW uses following test case variables: - src_ip_start - Source IP address start. Type: string - dst_ip_start - Destination IP address start. Type: string - ip_step - IP address step. Type: string - sport_start - Source port number start. Type: string - dport_start - Destination port number start. Type: string - port_step - Port number step. Type: string - no_hit_aces_number - Number of not-hitting ACEs to be configured. Type: integer - acl_apply_type - To what path apply the ACL - input or output. Type: string - acl_action - Action for the rule - deny, permit, permit+reflect. Type: string - trex_stream1_subnet - IP subnet used by T-Rex in direction 0->1. Type: string - trex_stream2_subnet - IP subnet used by T-Rex in direction 1->0. Type: string


${src_ip_int} =  Evaluate  int(ipaddress.ip_address($src_ip_start)) - $ip_step  modules=ipaddress
${dst_ip_int} =  Evaluate  int(ipaddress.ip_address($dst_ip_start)) - $ip_step  modules=ipaddress
${ip_limit} =  Set Variable  255.255.255.255
${ip_limit_int} =  Evaluate  int(ipaddress.ip_address($ip_limit))  modules=ipaddress
${sport}=  Evaluate  $sport_start - $port_step
${dport}=  Evaluate  $dport_start - $port_step
${port_limit}=  Set Variable  ${65535}
${acl}=  Set Variable  ipv4 permit
FOR  ${nr}  IN RANGE  0  ${no_hit_aces_number}
\    ${src_ip_int} =  Evaluate  $src_ip_int + $ip_step
\    ${dst_ip_int} =  Evaluate  $dst_ip_int + $ip_step
\    ${sport}=  Evaluate  $sport + $port_step
\    ${dport}=  Evaluate  $dport + $port_step
\    ${ipv4_limit_reached}=  Set Variable If  $src_ip_int > $ip_limit_int or $src_ip_int > $ip_limit_int  ${TRUE}
\    ${udp_limit_reached}=  Set Variable If  $sport > $port_limit or $dport > $port_limit  ${TRUE}
\    Run Keyword If  $ipv4_limit_reached is True  Log  Can't do more iterations - IPv4 address limit has been reached.  WARN
\    Run Keyword If  $udp_limit_reached is True  Log  Can't do more iterations - UDP port limit has been reached.  WARN
\    ${src_ip} =  Run Keyword If  $ipv4_limit_reached is True  Set Variable  ${ip_limit}  ELSE  Evaluate  str(ipaddress.ip_address($src_ip_int))  modules=ipaddress
\    ${dst_ip} =  Run Keyword If  $ipv4_limit_reached is True  Set Variable  ${ip_limit}  ELSE  Evaluate  str(ipaddress.ip_address($dst_ip_int))  modules=ipaddress
\    ${sport}=  Set Variable If  ${sport} > $port_limit  $port_limit  ${sport}
\    ${dport}=  Set Variable If  ${dport} > $port_limit  $port_limit  ${dport}
\    ${acl}=  Catenate  ${acl}  src ${src_ip}/32 dst ${dst_ip}/32  sport ${sport}  dport ${dport},
\    Exit For Loop If  $ipv4_limit_reached is True or $udp_limit_reached is True
${acl}=  Catenate  ${acl}  ipv4 ${acl_action} src ${trex_stream1_subnet},  ipv4 ${acl_action} src ${trex_stream2_subnet}
Add Replace Acl Multi Entries  ${dut}  rules=${acl}
@{acl_list}=  Create List  ${0}
Run Keyword If  'input' in $acl_apply_type and $dut_if1 is not None  Set Acl List For Interface  ${dut}  ${dut_if1}  input  ${acl_list}
Run Keyword If  'input' in $acl_apply_type and $dut_if2 is not None  Set Acl List For Interface  ${dut}  ${dut_if2}  input  ${acl_list}
Run Keyword If  'output' in $acl_apply_type and $dut_if1 is not None  Set Acl List For Interface  ${dut}  ${dut_if1}  output  ${acl_list}
Run Keyword If  'output' in $acl_apply_type and $dut_if2 is not None  Set Acl List For Interface  ${dut}  ${dut_if2}  output  ${acl_list}

3.3.1.3. Configure ACLs on a single interface

Configure ACL Arguments: - dut - DUT node. Type: string - dut_if - DUT node interface name. Type: string - acl_apply_type - To what path apply the ACL - input or output. - acl_action - Action for the rule - deny, permit, permit+reflect. - subnets - Subnets to apply the specific ACL. Type: list Example: | Configure ACLs on a single interface | ${nodes[‘DUT1’]} | … | GigabitEthernet0/7/0 | input | permit 0.0.0.0/0


Set Test variable  ${acl}  ${EMPTY}
FOR  ${subnet}  IN  @{subnets}
\    ${acl} =  Run Keyword If  '${acl}' == '${EMPTY}'  Set Variable  ipv4 ${acl_action} src ${subnet}  ELSE  Catenate  SEPARATOR=", "  ${acl}  ipv4 ${acl_action} src ${subnet}
Add Replace Acl Multi Entries  ${dut}  rules=${acl}
@{acl_list} =  Create List  ${0}
Set Acl List For Interface  ${dut}  ${dut_if}  ${acl_apply_type}  ${acl_list}

3.3.1.4. Initialize IPv4 routing with IPv4 ACLs on DUT1 in circular topology

Set UP state on VPP interfaces in path on nodes in 2-node / 3-node circular topology. Get the interface MAC addresses and setup ARP on all VPP interfaces. Setup IPv4 addresses with /24 prefix on DUT-TG links. In case of 3-node topology setup IPv4 adresses with /30 prefix on DUT1-DUT2 link and set routing on both DUT nodes with prefix /24 and next hop of neighbour DUT interface IPv4 address. Apply required ACL rules to DUT1 interfaces. Arguments: - ip_nr - Number of IPs to be used. Type: integer Example: | Initialize IPv4 routing fwith IPv4 ACLs on DUT1 in 3-node circular topology |


${dut2_status}  ${value}=  Run Keyword And Ignore Error  Variable Should Exist  ${dut2}
${dut}=  Run Keyword If  '${dut2_status}' == 'PASS'  Set Variable  ${dut2}  ELSE  Set Variable  ${dut1}
${dut_if2}=  Run Keyword If  '${dut2_status}' == 'PASS'  Set Variable  ${DUT2_${int}2}[0]  ELSE  Set Variable  ${DUT1_${int}2}[0]
Set interfaces in path up
FOR  ${number}  IN RANGE  2  ${ip_nr}+2
\    VPP Add IP Neighbor  ${dut1}  ${DUT1_${int}1}[0]  10.10.10.${number}  ${TG_pf1_mac}[0]
\    VPP Add IP Neighbor  ${dut}  ${dut_if2}  20.20.20.${number}  ${TG_pf2_mac}[0]
Run Keyword If  '${dut2_status}' == 'PASS'  VPP Add IP Neighbor  ${dut1}  ${DUT1_${int}2}[0]  1.1.1.2  ${DUT2_${int}1_mac}[0]
Run Keyword If  '${dut2_status}' == 'PASS'  VPP Add IP Neighbor  ${dut2}  ${DUT2_${int}1}[0]  1.1.1.1  ${DUT1_${int}2_mac}[0]
VPP Interface Set IP Address  ${dut1}  ${DUT1_${int}1}[0]  10.10.10.1  24
VPP Interface Set IP Address  ${dut}  ${dut_if2}  20.20.20.1  24
Run Keyword If  '${dut2_status}' == 'PASS'  VPP Interface Set IP Address  ${dut1}  ${DUT1_${int}2}[0]  1.1.1.1  30
Run Keyword If  '${dut2_status}' == 'PASS'  VPP Interface Set IP Address  ${dut2}  ${DUT2_${int}1}[0]  1.1.1.2  30
Run Keyword If  '${dut2_status}' == 'PASS'  Vpp Route Add  ${dut1}  20.20.20.0  24  gateway=1.1.1.2  interface=${DUT1_${int}2}[0]
Run Keyword If  '${dut2_status}' == 'PASS'  Vpp Route Add  ${dut2}  10.10.10.0  24  gateway=1.1.1.1  interface=${DUT2_${int}1}[0]
Configure IPv4 ACLs  ${dut1}  ${DUT1_${int}1}[0]  ${DUT1_${int}2}[0]

3.3.2. policer suite

3.3.2.1. Initialize IPv4 policer 2r3c-${t} in circular topology

Setup of 2r3c color-aware or color-blind policer with dst IPv4 match on all DUT nodes in 2-node / 3-node circular topology. Policer is applied on links TG - DUTx.

${t}
${policer_index}=  Policer Set Configuration  ${dut1}  policer1  ${cir}  ${eir}  ${cb}  ${eb}  pps  Closest  2R3C_RFC_2698  Transmit  Mark_and_Transmit  Transmit  ${t}  exceed_dscp=${dscp}
${table_idx}  ${skip_n}  ${match_n}=  Vpp Creates Classify Table L3  ${dut1}  ip4  dst  255.255.255.255
${pre_color}=  Policer Classify Get Precolor  exceed_color
Vpp Configures Classify Session L3  ${dut1}  permit  ${table_idx}  ${skip_n}  ${match_n}  ip4  dst  20.20.20.2  hit_next_index=${policer_index}  opaque_index=${pre_color}
Policer Classify Set Interface  ${dut1}  ${DUT1_${int}1}[0]  ip4_table_index=${table_idx}
${dut2_status}  ${value}=  Run Keyword And Ignore Error  Variable Should Exist  ${dut2}
${dut}=  Run Keyword If  '${dut2_status}' == 'PASS'  Set Variable  ${dut2}  ELSE  Set Variable  ${dut1}
${dut_if2}=  Run Keyword If  '${dut2_status}' == 'PASS'  Set Variable  ${DUT2_${int}2}[0]  ELSE  Set Variable  ${DUT1_${int}2}[0]
${policer_index}=  Run Keyword If  '${dut2_status}' == 'PASS'  Policer Set Configuration  ${dut}  policer2  ${cir}  ${eir}  ${cb}  ${eb}  pps  Closest  2R3C_RFC_2698  Transmit  Mark_and_Transmit  Transmit  ${t}  exceed_dscp=${dscp}  ELSE  Set Variable  ${policer_index}
${table_idx}  ${skip_n}  ${match_n}=  Run Keyword If  '${dut2_status}' == 'PASS'  Vpp Creates Classify Table L3  ${dut}  ip4  dst  255.255.255.255  ELSE  Set Variable  ${table_idx}  ${skip_n}  ${match_n}
Vpp Configures Classify Session L3  ${dut}  permit  ${table_idx}  ${skip_n}  ${match_n}  ip4  dst  10.10.10.2  hit_next_index=${policer_index}  opaque_index=${pre_color}
Policer Classify Set Interface  ${dut}  ${dut_if2}  ip4_table_index=${table_idx}

3.3.2.2. Initialize IPv6 policer 2r3c-${t} in circular topology

Setup of 2r3c color-aware or color-blind policer with dst IPv6 match on all DUT nodes in 2-node / 3-node circular topology. Policer is applied on links TG - DUTx.

${t}
${policer_index}=  Policer Set Configuration  ${dut1}  policer1  ${cir}  ${eir}  ${cb}  ${eb}  pps  Closest  2R3C_RFC_2698  Transmit  Mark_and_Transmit  Transmit  ${t}  exceed_dscp=${dscp}
${table_idx}  ${skip_n}  ${match_n}=  Vpp Creates Classify Table L3  ${dut1}  ip6  dst  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
${pre_color}=  Policer Classify Get Precolor  exceed_color
Vpp Configures Classify Session L3  ${dut1}  permit  ${table_idx}  ${skip_n}  ${match_n}  ip6  dst  2001:2::2  hit_next_index=${policer_index}  opaque_index=${pre_color}
Policer Classify Set Interface  ${dut1}  ${DUT1_${int}1}[0]  ip6_table_index=${table_idx}
${dut2_status}  ${value}=  Run Keyword And Ignore Error  Variable Should Exist  ${dut2}
${dut}=  Run Keyword If  '${dut2_status}' == 'PASS'  Set Variable  ${dut2}  ELSE  Set Variable  ${dut1}
${dut_if2}=  Run Keyword If  '${dut2_status}' == 'PASS'  Set Variable  ${DUT2_${int}2}[0]  ELSE  Set Variable  ${DUT1_${int}2}[0]
${policer_index}=  Run Keyword If  '${dut2_status}' == 'PASS'  Policer Set Configuration  ${dut}  policer2  ${cir}  ${eir}  ${cb}  ${eb}  pps  Closest  2R3C_RFC_2698  Transmit  Mark_and_Transmit  Transmit  ${t}  exceed_dscp=${dscp}  ELSE  Set Variable  ${policer_index}
${table_idx}  ${skip_n}  ${match_n}=  Run Keyword If  '${dut2_status}' == 'PASS'  Vpp Creates Classify Table L3  ${dut}  ip6  dst  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ELSE  Set Variable  ${table_idx}  ${skip_n}  ${match_n}
Vpp Configures Classify Session L3  ${dut}  permit  ${table_idx}  ${skip_n}  ${match_n}  ip6  dst  2001:1::2  hit_next_index=${policer_index}  opaque_index=${pre_color}
Policer Classify Set Interface  ${dut}  ${dut_if2}  ip6_table_index=${table_idx}

3.3.2.3. Show Classify Tables Verbose on all DUTs

Show classify tables verbose on all DUT nodes in topology. Arguments: - nodes - Topology. Type: dictionary Example: | Show Classify Tables Verbose on all DUTs | ${nodes} |


FOR  ${dut}  IN  @{duts}
\    Show Classify Tables Verbose  ${nodes['${dut}']}