tests/func/honeycomb/081_ietf_acl_traffic.robot

   1 # Copyright (c) 2016 Cisco and/or its affiliates.
   2 # Licensed under the Apache License, Version 2.0 (the "License");
   3 # you may not use this file except in compliance with the License.
   4 # You may obtain a copy of the License at:
   5 #
   6 #     http://www.apache.org/licenses/LICENSE-2.0
   7 #
   8 # Unless required by applicable law or agreed to in writing, software
   9 # distributed under the License is distributed on an "AS IS" BASIS,
  10 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  11 # See the License for the specific language governing permissions and
  12 # limitations under the License.
  13
  14 *** Variables ***
  15 | &{if_settings}= | enabled=True
  16 # Bridge domain settings
  17 | ${bd_name}= | bd1
  18 | &{bd_settings}= | flood=${True} | forward=${True} | learn=${True}
  19 | ... | unknown-unicast-flood=${True} | arp-termination=${False}
  20 | &{bd_if_settings}= | split_horizon_group=${0} | bvi=${False}
  21 # Names for AC lists
  22 | ${acl_name_l2}= | acl_l2
  23 | ${acl_name_l3_ip4}= | acl_l3_ip4
  24 | ${acl_name_l3_ip6}= | acl_l3_ip6
  25
  26 *** Settings ***
  27 | Resource | resources/libraries/robot/default.robot
  28 | Resource | resources/libraries/robot/honeycomb/honeycomb.robot
  29 | Resource | resources/libraries/robot/honeycomb/interfaces.robot
  30 | Resource | resources/libraries/robot/honeycomb/bridge_domain.robot
  31 | Resource | resources/libraries/robot/honeycomb/access_control_lists.robot
  32 | Resource | resources/libraries/robot/testing_path.robot
  33 | Resource | resources/libraries/robot/traffic.robot
  34 | Library | resources.libraries.python.honeycomb.HcAPIKwACL.ACLKeywords
  35 | Library | resources.libraries.python.Trace
  36 | Library | resources.libraries.python.IPv4Setup
  37 | Library | resources.libraries.python.IPv4Util
  38 | Library | resources.libraries.python.IPv6Util
  39 | Library | resources.libraries.python.Routing
  40 | Test Teardown | Run Keywords | Clear IETF-ACL settings
  41 | ... | ${node} | ${dut_to_tg_if1} | AND
  42 | ... | Show Packet Trace on All DUTs | ${nodes}
  43 | Suite Teardown | Run Keyword If Any Tests Failed
  44 | ... | Restart Honeycomb And VPP And Clear Persisted Configuration | ${node}
  45 | Documentation | *Honeycomb access control lists test suite for IETF-ACL node.*
  46 | Force Tags | Honeycomb_sanity
  47
  48 *** Test Cases ***
  49 | TC01: Honeycomb can configure L2 ACL MAC filtering through IETF-ACL node
  50 | | [Documentation]
  51 | | ... | [Top] TG=DUT1=TG.
  52 | | ... | [Enc] Eth-IPv4-TCP.
  53 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
  54 | | ... | and configure L2 MAC ACL on ingress interface.
  55 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
  56 | | ... | using different MACs. Receive all packets except those with\
  57 | | ... | MACs in the filtered ranges.
  58 | | [Teardown] | Run Keywords
  59 | | ... | Clear IETF-ACL settings | ${node} | ${dut_to_tg_if1} | AND
  60 | | ... | Show Packet Trace on All DUTs | ${nodes} | AND
  61 | | ... | Honeycomb removes all bridge domains
  62 | | ... | ${node} | ${dut_to_tg_if1} | ${dut_to_tg_if2}
  63 | | Given Setup interfaces and bridge domain for ietf-ACL test
  64 | | ... | L2 | ${acl_name_l2}
  65 | | When Honeycomb creates ACL chain through IETF node
  66 | | ... | ${dut_node} | ${acl_name_l2} | L2 | ${acl_settings}
  67 | | And Honeycomb assigns IETF-ACL chain to interface
  68 | | ... | ${dut_node} | ${dut_to_tg_if1} | L2 | ingress | ${acl_name_l2}
  69 | | ... | permit
  70 | | Then Send TCP or UDP packet | ${tg_node} | ${src_ip} | ${dst_ip}
  71 | | ... | ${tg_to_dut_if1} | ${src_mac}
  72 | | ... | ${tg_to_dut_if2} | ${dst_mac}
  73 | | ... | TCP | ${src_port} | ${dst_port}
  74 | | And Run keyword and expect error | TCP/UDP Rx timeout
  75 | | ... | Send TCP or UDP packet | ${tg_node} | ${src_ip} | ${dst_ip}
  76 | | ... | ${tg_to_dut_if1} | ${classify_src}
  77 | | ... | ${tg_to_dut_if2} | ${classify_dst}
  78 | | ... | TCP | ${src_port} | ${dst_port}
  79 | | And Run keyword and expect error | TCP/UDP Rx timeout
  80 | | ... | Send TCP or UDP packet | ${tg_node} | ${src_ip} | ${dst_ip}
  81 | | ... | ${tg_to_dut_if1} | ${classify_src2}
  82 | | ... | ${tg_to_dut_if2} | ${classify_dst2}
  83 | | ... | TCP | ${src_port} | ${dst_port}
  84
  85 | TC02: Honeycomb can configure L3 ACL IPv4 filtering through IETF-ACL node
  86 | | [Documentation]
  87 | | ... | [Top] TG=DUT1=TG.
  88 | | ... | [Enc] Eth-IPv4-TCP.
  89 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
  90 | | ... | interfaces to TG, add ARP entry and routes, and configure L3 IPv4 ACL\
  91 | | ... | on ingress interface with src/dst IP and protocol.
  92 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
  93 | | ... | using different IPv4 IPs. Receive all packets except those with\
  94 | | ... | IPs in the filtered ranges and UDP protocol payload.
  95 | | Given Setup interface IPs and routes for IPv4 ietf-ACL test
  96 | | ... | L3_IP4 | ${acl_name_l3_ip4}
  97 | | When Honeycomb creates ACL chain through IETF node
  98 | | ... | ${dut_node} | ${acl_name_l3_ip4} | L3_IP4 | ${acl_settings}
  99 | | And Honeycomb assigns IETF-ACL chain to interface
 100 | | ... | ${dut_node} | ${dut_to_tg_if1} | L3_IP4 | ingress | ${acl_name_l3_ip4}
 101 | | ... | permit
 102 | | Then Send TCP or UDP packet | ${tg_node}
 103 | | ... | ${src_ip} | ${dst_ip}
 104 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
 105 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
 106 | | ... | UDP | ${src_port} | ${dst_port}
 107 | | And Send TCP or UDP packet | ${tg_node}
 108 | | ... | ${classify_src} | ${classify_dst}
 109 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
 110 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
 111 | | ... | TCP | ${src_port} | ${dst_port}
 112 | | And Run keyword and expect error | TCP/UDP Rx timeout
 113 | | ... | Send TCP or UDP packet | ${tg_node}
 114 | | ... | ${classify_src} | ${classify_dst}
 115 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
 116 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
 117 | | ... | UDP | ${src_port} | ${dst_port}
 118
 119 | TC03: Honeycomb can configure L3 ACL IPv6 filtering through IETF-ACL node
 120 | | [Documentation]
 121 | | ... | [Top] TG=DUT1=TG.
 122 | | ... | [Enc] Eth-IPv4-TCP.
 123 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv6 addresses on both\
 124 | | ... | interfaces to TG, add IP neighbor entry and routes, and configure\
 125 | | ... | L3 IPv6 ACL on ingress interface with src/dst IP and next-header.
 126 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
 127 | | ... | using different IPv6 IPs. Receive all packets except those with\
 128 | | ... | IPs in the filtered ranges and UDP protocol payload.
 129 | | Given Path for 2-node testing is set
 130 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
 131 | | And Import Variables | resources/test_data/honeycomb/ietf_acl.py
 132 | | ... | L3_IP6 | ${acl_name_l3_ip6}
 133 | | And Honeycomb sets interface state | ${dut_node} | ${dut_to_tg_if1} | up
 134 | | And Honeycomb sets interface state | ${dut_node} | ${dut_to_tg_if2} | up
 135 # TODO: Configure addresses through Honeycomb when implemented. (Honeycomb-102)
 136 | | And Set Interface Address | ${dut_node}
 137 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
 138 | | And Set Interface Address | ${dut_node}
 139 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
 140 | | And VPP RA suppress link layer | ${dut_node} | ${dut_to_tg_if2}
 141 # TODO: Configure route through Honeycomb when implemented.(Honeycomb-58)
 142 | | And Add IP Neighbor
 143 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
 144 | | And VPP Route Add | ${node} | ${dst_net} | ${prefix_length}
 145 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
 146 | | And VPP Route Add | ${node} | ${classify_dst_net} | ${prefix_length}
 147 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
 148 | | When Honeycomb creates ACL chain through IETF node
 149 | | ... | ${dut_node} | ${acl_name_l3_ip6} | L3_IP6 | ${acl_settings}
 150 | | And Honeycomb assigns IETF-ACL chain to interface
 151 | | ... | ${dut_node} | ${dut_to_tg_if1} | L3_IP6 | ingress | ${acl_name_l3_ip6}
 152 | | ... | permit
 153 | | Then Send TCP or UDP packet | ${tg_node}
 154 | | ... | ${src_ip} | ${dst_ip}
 155 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
 156 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
 157 | | ... | UDP | ${src_port} | ${dst_port}
 158 | | And Send TCP or UDP packet | ${tg_node}
 159 | | ... | ${classify_src} | ${classify_dst}
 160 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
 161 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
 162 | | ... | TCP | ${src_port} | ${dst_port}
 163 | | And Run keyword and expect error | TCP/UDP Rx timeout
 164 | | ... | Send TCP or UDP packet | ${tg_node}
 165 | | ... | ${classify_src} | ${classify_dst}
 166 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
 167 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
 168 | | ... | UDP | ${src_port} | ${dst_port}
 169
 170 # TODO: Test case for L4 ACL port-based filtering
 171 # TODO: Test case for multiple classify rules and rule ordering
 172
 173 *** Keywords ***
 174 | Setup interface IPs and routes for IPv4 ietf-ACL test
 175 | | [Arguments] | ${test_data_id} | ${acl_name}
 176 | | Path for 2-node testing is set
 177 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
 178 | | Import Variables | resources/test_data/honeycomb/ietf_acl.py
 179 | | ... | ${test_data_id} | ${acl_name}
 180 | | Honeycomb sets interface state | ${dut_node} | ${dut_to_tg_if1} | up
 181 | | Honeycomb sets interface state | ${dut_node} | ${dut_to_tg_if2} | up
 182 | | Honeycomb sets interface ipv4 address with prefix | ${dut_node}
 183 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip}
 184 | | ... | ${prefix_length} | ${if_settings}
 185 | | Honeycomb sets interface ipv4 address with prefix | ${dut_node}
 186 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip}
 187 | | ... | ${prefix_length} | ${if_settings}
 188 # TODO: Configure routes through Honeycomb when implemented.(Honeycomb-58)
 189 | | Add ARP on DUT
 190 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
 191 | | VPP Route Add
 192 | | ... | ${node} | ${dst_net} | ${prefix_length} | ${gateway}
 193 | | ... | interface=${dut_to_tg_if2} | use_sw_index=False
 194 | | VPP Route Add
 195 | | ... | ${node} | ${classify_dst_net} | ${prefix_length} | ${gateway}
 196 | | ... | interface=${dut_to_tg_if2} | use_sw_index=False
 197
 198 | Setup interfaces and bridge domain for ietf-ACL test
 199 | | [Arguments] | ${test_data_id} | ${acl_name}
 200 | | Path For 2-node Testing Is Set
 201 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
 202 | | Import Variables | resources/test_data/honeycomb/ietf_acl.py
 203 | | ... | ${test_data_id} | ${acl_name}
 204 | | Honeycomb Sets Interface State | ${dut_node} | ${dut_to_tg_if1} | up
 205 | | Honeycomb Sets Interface State | ${dut_node} | ${dut_to_tg_if2} | up
 206 | | Honeycomb Creates L2 Bridge Domain
 207 | | ... | ${dut_node} | ${bd_name} | ${bd_settings}
 208 | | Honeycomb Adds Interfaces To Bridge Domain
 209 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${dut_to_tg_if2}
 210 | | ... | ${bd_name} | ${bd_if_settings}