Netflow Forward
These scenarios demonstrate how to configure and use NetFlow to collect and export forwarded TCP flows, covering different modes and NAT/VRF topologies.
Test NetFlow Forwarding Scenario
Description
These examples demonstrate how to configure and use NetFlow to collect and export forwarded TCP flows across different NAT topologies.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.64
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0

ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d0h59m ago), mem 491K, worker delay 25/250 [1..25] (72 ms, 0 us, 0:0 [cpu2]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 0 bps, 0 pps; 5 min: 0 bps, 0 pps
cpu#   pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total    0;    0    35     8 [1.00],    0    0    0    0, traffic: 59, 0 MB, drop: 0, 0 K
cpu0     0;    0     0     0 [1.00],    0    0    0    0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1     0;    0    22     4 [1.00],    0    0    0    0, traffic: 19, 0 MB, drop: 0, 0 K
cpu2     0;    0    11     4 [1.00],    0    0    0    0, traffic: 33, 0 MB, drop: 0, 0 K
cpu3     0;    0     2     0 [1.00],    0    0    0    0, traffic: 7, 0 MB, drop: 0, 0 K
Export: Rate 88 bytes/s; Total 11 pkts, 0 MB, 4 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.666 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.666/0.666/0.666/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 count 1 size 56 timeout 1

PING 10.215.168.65 (10.215.168.65) 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=0.416 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.416/0.416/0.416/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.215.168.65 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*

----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                 dst                 protocol  pkts  bytes
-----------------------------------------------------------------------
3    2    192.168.1.2:47732   10.215.168.65:8080  6         5     288
2    3    10.215.168.65:8080  192.168.1.2:47732   6         4     216
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=10.215.168.65
src=10.215.168.65\s.*dst=192.168.1.2
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*

tcp 6 src=192.168.1.2 dst=10.215.168.65 sport=47732 dport=8080 packets=10 bytes=628 src=10.215.168.65 dst=192.168.1.2 sport=8080 dport=47732 packets=10 bytes=628 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=7 bytes=464] mark=0 use=4
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*

--------------------------------------------------------------
iface  mode     pkts match  pkts eval  bytes match  bytes eval
--------------------------------------------------------------
eth1   egress   3           11         164          976
eth1   ingress  4           5          216          300
--------------------------------------------------------------
Total           7           16         380          1276
Example 2
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic nat source rule 1 selector TCP_SEL
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0

ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d0h59m ago), mem 491K, worker delay 25/250 [1..25] (48 ms, 0 us, 0:0 [cpu2]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 274 bps, 0 pps; 5 min: 61 bps, 0 pps
cpu#   pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total    0;    0    48    10 [1.00],    0    0    0    0, traffic: 79, 0 MB, drop: 0, 0 K
cpu0     0;    0     0     0 [1.00],    0    0    0    0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1     0;    0    24     5 [1.00],    0    0    0    0, traffic: 22, 0 MB, drop: 0, 0 K
cpu2     0;    0    22     5 [1.00],    0    0    0    0, traffic: 50, 0 MB, drop: 0, 0 K
cpu3     0;    0     2     0 [1.00],    0    0    0    0, traffic: 7, 0 MB, drop: 0, 0 K
Export: Rate 0 bytes/s; Total 14 pkts, 0 MB, 6 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.628 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.628/0.628/0.628/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 count 1 size 56 timeout 1

PING 10.215.168.65 (10.215.168.65) 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=0.442 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.442/0.442/0.442/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.215.168.65 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*

----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                 dst                 protocol  pkts  bytes
-----------------------------------------------------------------------
3    2    192.168.1.2:51596   10.215.168.65:8080  6         6     340
2    3    10.215.168.65:8080  192.168.1.2:51596   6         5     288
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=10.215.168.65
src=10.215.168.65\s.*dst=10.215.168.64
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*

tcp 6 src=192.168.1.2 dst=10.215.168.65 sport=51596 dport=8080 packets=10 bytes=628 src=10.215.168.65 dst=10.215.168.64 sport=8080 dport=51596 packets=9 bytes=576 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=6 bytes=412] mark=0 use=6
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*

--------------------------------------------------------------
iface  mode     pkts match  pkts eval  bytes match  bytes eval
--------------------------------------------------------------
eth1   egress   3           10         164          904
eth1   ingress  4           5          216          300
--------------------------------------------------------------
Total           7           15         380          1204
Example 3
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set interfaces ethernet eth1 traffic nat destination rule 1 address 10.215.168.65
set interfaces ethernet eth1 traffic nat destination rule 1 selector TCP_SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.64
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0

ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d0h59m ago), mem 491K, worker delay 25/250 [1..25] (8 ms, 0 us, 0:0 [cpu3]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 441 bps, 0 pps; 5 min: 115 bps, 0 pps
cpu#   pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total    0;    0    61    12 [1.00],    0    0    0    0, traffic: 98, 0 MB, drop: 0, 0 K
cpu0     0;    0     0     0 [1.00],    0    0    0    0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1     0;    0    26     6 [1.00],    0    0    0    0, traffic: 25, 0 MB, drop: 0, 0 K
cpu2     0;    0    31     6 [1.00],    0    0    0    0, traffic: 62, 0 MB, drop: 0, 0 K
cpu3     0;    0     4     0 [1.00],    0    0    0    0, traffic: 11, 0 MB, drop: 0, 0 K
Export: Rate 136 bytes/s; Total 17 pkts, 0 MB, 8 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.03 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.032/1.032/1.032/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 count 1 size 56 timeout 1

PING 10.215.168.65 (10.215.168.65) 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=0.386 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*

----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                 dst                 protocol  pkts  bytes
-----------------------------------------------------------------------
3    2    192.168.1.2:41890   10.215.168.65:8080  6         10    628
2    3    10.215.168.65:8080  192.168.1.2:41890   6         10    628
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=192.168.1.1
src=10.215.168.65\s.*dst=192.168.1.2
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*

tcp 6 src=192.168.1.2 dst=192.168.1.1 sport=41890 dport=8080 packets=10 bytes=628 src=10.215.168.65 dst=192.168.1.2 sport=8080 dport=41890 packets=10 bytes=628 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=7 bytes=464] mark=0 use=4
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*

--------------------------------------------------------------
iface  mode     pkts match  pkts eval  bytes match  bytes eval
--------------------------------------------------------------
eth1   egress   3           12         164          1112
eth1   ingress  4           5          216          300
--------------------------------------------------------------
Total           7           17         380          1412
Example 4
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic nat source rule 1 selector TCP_SEL
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set interfaces ethernet eth1 traffic nat destination rule 1 address 10.215.168.65
set interfaces ethernet eth1 traffic nat destination rule 1 selector TCP_SEL
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0

ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d0h59m ago), mem 491K, worker delay 25/250 [1..25] (104 ms, 0 us, 0:0 [cpu2]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 611 bps, 0 pps; 5 min: 170 bps, 0 pps
cpu#   pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total    0;    0    74    14 [1.00],    0    0    0    0, traffic: 118, 0 MB, drop: 0, 0 K
cpu0     0;    0     0     0 [1.00],    0    0    0    0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1     0;    0    30     7 [1.00],    0    0    0    0, traffic: 39, 0 MB, drop: 0, 0 K
cpu2     0;    0    40     7 [1.00],    0    0    0    0, traffic: 68, 0 MB, drop: 0, 0 K
cpu3     0;    0     4     0 [1.00],    0    0    0    0, traffic: 11, 0 MB, drop: 0, 0 K
Export: Rate 0 bytes/s; Total 20 pkts, 0 MB, 10 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.500 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.500/0.500/0.500/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 count 1 size 56 timeout 1

PING 10.215.168.65 (10.215.168.65) 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=0.582 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.582/0.582/0.582/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*

----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                 dst                 protocol  pkts  bytes
-----------------------------------------------------------------------
2    3    10.215.168.65:8080  192.168.1.2:33960   6         4     216
3    2    192.168.1.2:33960   10.215.168.65:8080  6         5     288
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=192.168.1.1
src=10.215.168.65\s.*dst=10.215.168.64
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*

tcp 6 src=192.168.1.2 dst=192.168.1.1 sport=33960 dport=8080 packets=10 bytes=628 src=10.215.168.65 dst=10.215.168.64 sport=8080 dport=33960 packets=11 bytes=680 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=8 bytes=516] mark=0 use=6
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*

--------------------------------------------------------------
iface  mode     pkts match  pkts eval  bytes match  bytes eval
--------------------------------------------------------------
eth1   egress   3           10         164          904
eth1   ingress  4           5          216          300
--------------------------------------------------------------
Total           7           15         380          1204
Example 5
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set interfaces ethernet eth1 vrf LAN
set protocols vrf LAN static route 0.0.0.0/0 next-hop-vrf WAN
set protocols vrf WAN static route 192.168.1.0/24 next-hop-vrf LAN
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set system netflow local-vrf WAN
set system vrf LAN
set system vrf WAN
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.64
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0

ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d1h0m ago), mem 491K, worker delay 25/250 [1..25] (48 ms, 0 us, 0:0 [cpu2]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 694 bps, 0 pps; 5 min: 221 bps, 0 pps
cpu#   pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total    0;    0    87    16 [1.00],    0    0    0    0, traffic: 139, 0 MB, drop: 0, 0 K
cpu0     0;    0     0     0 [1.00],    0    0    0    0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1     0;    0    32     8 [1.00],    0    0    0    0, traffic: 42, 0 MB, drop: 0, 0 K
cpu2     0;    0    51     8 [1.00],    0    0    0    0, traffic: 86, 0 MB, drop: 0, 0 K
cpu3     0;    0     4     0 [1.00],    0    0    0    0, traffic: 11, 0 MB, drop: 0, 0 K
Export: Rate 136 bytes/s; Total 23 pkts, 0 MB, 12 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 vrf LAN count 1 size 56 timeout 1

ping: Warning: source address might be selected on device other than: LAN
PING 192.168.1.2 (192.168.1.2) from 192.168.1.1 LAN: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.47 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.474/1.474/1.474/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 vrf WAN count 1 size 56 timeout 1

ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.65 (10.215.168.65) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=1.11 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.109/1.109/1.109/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints:
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.215.168.65 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*

----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                 dst                 protocol  pkts  bytes
-----------------------------------------------------------------------
3    2    192.168.1.2:41570   10.215.168.65:8080  6         10    628
2    3    10.215.168.65:8080  192.168.1.2:41570   6         12    732
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=10.215.168.65
src=10.215.168.65\s.*dst=192.168.1.2
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*
vrf=LAN
vrf=WAN

tcp 6 src=192.168.1.2 dst=10.215.168.65 sport=41570 dport=8080 vrf=LAN packets=10 bytes=628 src=10.215.168.65 dst=192.168.1.2 sport=8080 dport=41570 vrf=WAN packets=12 bytes=732 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=9 bytes=568] mark=0 use=5
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*

--------------------------------------------------------------
iface  mode     pkts match  pkts eval  bytes match  bytes eval
--------------------------------------------------------------
eth1   egress   3           12         164          1092
eth1   ingress  4           5          216          300
--------------------------------------------------------------
Total           7           17         380          1392
Example 6
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic nat source rule 1 selector TCP_SEL
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set interfaces ethernet eth1 vrf LAN
set protocols vrf LAN static route 0.0.0.0/0 next-hop-vrf WAN
set protocols vrf WAN static route 192.168.1.0/24 next-hop-vrf LAN
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set system netflow local-vrf WAN
set system vrf LAN
set system vrf WAN
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0

ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d1h0m ago), mem 491K, worker delay 25/250 [1..25] (76 ms, 0 us, 0:0 [cpu2]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 756 bps, 0 pps; 5 min: 270 bps, 0 pps
cpu#   pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total    0;    0   104    18 [1.00],    0    0    0    0, traffic: 161, 0 MB, drop: 0, 0 K
cpu0     0;    0     2     0 [1.00],    0    0    0    0, traffic: 11, 0 MB, drop: 0, 0 K
cpu1     0;    0    34     9 [1.00],    0    0    0    0, traffic: 45, 0 MB, drop: 0, 0 K
cpu2     0;    0    64     9 [1.00],    0    0    0    0, traffic: 94, 0 MB, drop: 0, 0 K
cpu3     0;    0     4     0 [1.00],    0    0    0    0, traffic: 11, 0 MB, drop: 0, 0 K
Export: Rate 136 bytes/s; Total 26 pkts, 0 MB, 14 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 vrf LAN count 1 size 56 timeout 1

ping: Warning: source address might be selected on device other than: LAN
PING 192.168.1.2 (192.168.1.2) from 192.168.1.1 LAN: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.519 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.519/0.519/0.519/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 vrf WAN count 1 size 56 timeout 1
Output:
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.65 (10.215.168.65) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=0.879 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.879/0.879/0.879/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints.
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 10.215.168.65 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*
Output:
----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                  dst                  protocol  pkts  bytes
-----------------------------------------------------------------------
3    2    192.168.1.2:46526    10.215.168.65:8080   6         10    628
2    3    10.215.168.65:8080   192.168.1.2:46526    6         9     576
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=10.215.168.65
src=10.215.168.65\s.*dst=10.215.168.64
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*
vrf=LAN
vrf=WAN
Output:
tcp 6 src=192.168.1.2 dst=10.215.168.65 sport=46526 dport=8080 vrf=LAN packets=10 bytes=628 src=10.215.168.65 dst=10.215.168.64 sport=8080 dport=46526 vrf=WAN packets=9 bytes=576 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=6 bytes=412] mark=0 use=5
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*
Output:
--------------------------------------------------------------
iface   mode      pkts match   pkts eval   bytes match   bytes eval
--------------------------------------------------------------
eth1    egress    3            12          164           1092
eth1    ingress   4            5           216           300
--------------------------------------------------------------
Total             7            17          380           1392
Example 7
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set interfaces ethernet eth1 traffic nat destination rule 1 address 10.215.168.65
set interfaces ethernet eth1 traffic nat destination rule 1 selector TCP_SEL
set interfaces ethernet eth1 vrf LAN
set protocols vrf LAN static route 0.0.0.0/0 next-hop-vrf WAN
set protocols vrf WAN static route 192.168.1.0/24 next-hop-vrf LAN
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set system netflow local-vrf WAN
set system vrf LAN
set system vrf WAN
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.64
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0
Output:
ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1). Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d1h0m ago), mem 491K, worker delay 25/250 [1..25] (68 ms, 0 us, 0:0 [cpu3]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 764 bps, 0 pps; 5 min: 307 bps, 0 pps
cpu#     pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total      0; 0 119 20 [1.00], 0 0 0 0, traffic: 180, 0 MB, drop: 0, 0 K
cpu0       0; 0 2 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
cpu1       0; 0 38 10 [1.00], 0 0 0 0, traffic: 60, 0 MB, drop: 0, 0 K
cpu2       0; 0 75 10 [1.00], 0 0 0 0, traffic: 98, 0 MB, drop: 0, 0 K
cpu3       0; 0 4 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
Export: Rate 0 bytes/s; Total 29 pkts, 0 MB, 16 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 vrf LAN count 1 size 56 timeout 1
Output:
ping: Warning: source address might be selected on device other than: LAN
PING 192.168.1.2 (192.168.1.2) from 192.168.1.1 LAN: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.54 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.535/1.535/1.535/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 vrf WAN count 1 size 56 timeout 1
Output:
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.65 (10.215.168.65) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=0.423 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.423/0.423/0.423/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints. DUT1 connects to 192.168.1.1, the address on which the eth1 destination NAT rule translates TCP traffic to 10.215.168.65.
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*
Output:
----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                  dst                  protocol  pkts  bytes
-----------------------------------------------------------------------
2    3    10.215.168.65:8080   192.168.1.2:58792    6         5     288
3    2    192.168.1.2:58792    10.215.168.65:8080   6         6     340
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=192.168.1.1
src=10.215.168.65\s.*dst=192.168.1.2
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*
vrf=LAN
vrf=WAN
Output:
tcp 6 src=192.168.1.2 dst=192.168.1.1 sport=58792 dport=8080 vrf=LAN packets=10 bytes=628 src=10.215.168.65 dst=192.168.1.2 sport=8080 dport=58792 vrf=WAN packets=9 bytes=576 [ASSURED] [OFFLOAD, packets=6 bytes=412 packets=6 bytes=412] mark=0 use=4
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*
Output:
--------------------------------------------------------------
iface   mode      pkts match   pkts eval   bytes match   bytes eval
--------------------------------------------------------------
eth1    egress    3            11          164           976
eth1    ingress   4            5           216           300
--------------------------------------------------------------
Total             7            16          380           1276
Example 8
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic nat source rule 1 selector TCP_SEL
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 flow egress selector TCP_SEL
set interfaces ethernet eth1 flow ingress selector TCP_SEL
set interfaces ethernet eth1 traffic nat destination rule 1 address 10.215.168.65
set interfaces ethernet eth1 traffic nat destination rule 1 selector TCP_SEL
set interfaces ethernet eth1 vrf LAN
set protocols vrf LAN static route 0.0.0.0/0 next-hop-vrf WAN
set protocols vrf WAN static route 192.168.1.0/24 next-hop-vrf LAN
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system netflow destination 10.215.168.1
set system netflow engine-id 1111
set system netflow local-vrf WAN
set system vrf LAN
set system vrf WAN
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.1.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 address 10.215.168.65/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0
Output:
ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1). Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 4 reached 0d1h0m ago), mem 491K, worker delay 25/250 [1..25] (104 ms, 0 us, 0:0 [cpu3]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 770 bps, 0 pps; 5 min: 342 bps, 0 pps
cpu#     pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total      0; 0 136 22 [1.00], 0 0 0 0, traffic: 199, 0 MB, drop: 0, 0 K
cpu0       0; 0 2 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
cpu1       0; 0 40 11 [1.00], 0 0 0 0, traffic: 63, 0 MB, drop: 0, 0 K
cpu2       0; 0 90 11 [1.00], 0 0 0 0, traffic: 114, 0 MB, drop: 0, 0 K
cpu3       0; 0 4 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
Export: Rate 136 bytes/s; Total 32 pkts, 0 MB, 18 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 5: Ping the IP address 192.168.1.2 from DUT0:
admin@DUT0$ ping 192.168.1.2 vrf LAN count 1 size 56 timeout 1
Output:
ping: Warning: source address might be selected on device other than: LAN
PING 192.168.1.2 (192.168.1.2) from 192.168.1.1 LAN: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.15 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.147/1.147/1.147/0.000 ms
Step 6: Ping the IP address 10.215.168.65 from DUT0:
admin@DUT0$ ping 10.215.168.65 vrf WAN count 1 size 56 timeout 1
Output:
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.65 (10.215.168.65) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.65: icmp_seq=1 ttl=64 time=1.19 ms

--- 10.215.168.65 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.186/1.186/1.186/0.000 ms
Step 7: Initiate a TCP connection from DUT1 to DUT2 and exchange messages between both endpoints. As in the previous example, DUT1 connects to 192.168.1.1 and the eth1 destination NAT rule translates the connection to 10.215.168.65; in this example the eth0 masquerade rule additionally rewrites the source address on the WAN side.
admin@DUT2$ monitor test connection server 8080 tcp
admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 8: Run the command system netflow show flows on DUT0 and check whether the output matches the following regular expressions:
3\s+2\s+192.168.1.2:\d+\s+10.215.168.65:8080\s+6(\s+\S+){0}\s+[1-9]\d*
2\s+3\s+10.215.168.65:8080\s+192.168.1.2:\d+\s+6(\s+\S+){0}\s+[1-9]\d*
Output:
----------------------------- Field Description -----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter
-----------------------------------------------------------------------
iif  oif  src                  dst                  protocol  pkts  bytes
-----------------------------------------------------------------------
3    2    192.168.1.2:33862    10.215.168.65:8080   6         6     340
2    3    10.215.168.65:8080   192.168.1.2:33862    6         5     288
Step 9: Run the command system conntrack show protocol tcp on DUT0 and check whether the output matches the following regular expressions:
src=192.168.1.2\s.*dst=192.168.1.1
src=10.215.168.65\s.*dst=10.215.168.64
\[OFFLOAD, packets=[1-9]\d* bytes=\d+ packets=[1-9]\d*
vrf=LAN
vrf=WAN
Output:
tcp 6 src=192.168.1.2 dst=192.168.1.1 sport=33862 dport=8080 vrf=LAN packets=13 bytes=784 src=10.215.168.65 dst=10.215.168.64 sport=8080 dport=33862 vrf=WAN packets=11 bytes=680 [ASSURED] [OFFLOAD, packets=9 bytes=568 packets=8 bytes=516] mark=0 use=6
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 10: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
eth1\s+egress\s+[1-9]\d*
eth1\s+ingress\s+[1-9]\d*
Output:
--------------------------------------------------------------
iface   mode      pkts match   pkts eval   bytes match   bytes eval
--------------------------------------------------------------
eth1    egress    3            12          164           1136
eth1    ingress   4            5           216           300
--------------------------------------------------------------
Total             7            17          380           1436
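The flow table (Step 8) and the conntrack entry (Step 9) in Examples 7 and 8 are two views of the same connection that do not agree on addresses: DUT1 dials 192.168.1.1:8080, the flow records exported from eth1 carry the translated destination 10.215.168.65:8080, and in Example 8 the conntrack reply tuple additionally shows the masqueraded client address 10.215.168.64. An analyst reading the IPFIX records therefore has to correlate them with conntrack to recover the address the client actually dialled and the address the server actually saw. The following Python script is an added example and not part of the original scenario or of the product's tooling: it parses both outputs (the samples are constructed from the Example 7 and Example 8 outputs above), checks the direction pairing that the Step 8 regular expressions express (iif/oif and src/dst swapped between the two records), and reports how each flow record relates to the conntrack original and reply tuples. The functions `parse_flows`, `parse_conntrack`, `paired_directions` and `nat_view` are names chosen for this example.

```python
"""Reconcile `system netflow show flows` records with `system conntrack` tuples.

Added example, not part of the original test scenario. The sample outputs
are constructed from the Example 7 and Example 8 outputs on this page.
"""
import re
from dataclasses import dataclass

# Constructed sample: `system netflow show flows` on DUT0, Example 7 (no SNAT).
FLOWS_EX7 = """\
-----------------------------------------------------------------------
iif  oif  src                  dst                  protocol  pkts  bytes
-----------------------------------------------------------------------
2    3    10.215.168.65:8080   192.168.1.2:58792    6         5     288
3    2    192.168.1.2:58792    10.215.168.65:8080   6         6     340
"""
# Constructed sample: `system conntrack show protocol tcp` on DUT0, Example 7.
CONNTRACK_EX7 = (
    "tcp 6 src=192.168.1.2 dst=192.168.1.1 sport=58792 dport=8080 vrf=LAN "
    "packets=10 bytes=628 src=10.215.168.65 dst=192.168.1.2 sport=8080 dport=58792 "
    "vrf=WAN packets=9 bytes=576 [ASSURED] [OFFLOAD, packets=6 bytes=412 "
    "packets=6 bytes=412] mark=0 use=4\n"
    "conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.\n"
)
# Constructed sample: Example 8 (destination NAT on eth1 plus masquerade on eth0).
FLOWS_EX8 = """\
3    2    192.168.1.2:33862    10.215.168.65:8080   6         6     340
2    3    10.215.168.65:8080   192.168.1.2:33862    6         5     288
"""
CONNTRACK_EX8 = (
    "tcp 6 src=192.168.1.2 dst=192.168.1.1 sport=33862 dport=8080 vrf=LAN "
    "packets=13 bytes=784 src=10.215.168.65 dst=10.215.168.64 sport=8080 dport=33862 "
    "vrf=WAN packets=11 bytes=680 [ASSURED] mark=0 use=6\n"
)


@dataclass(frozen=True)
class Flow:
    iif: int
    oif: int
    src: str      # "ip:port" as printed in the table
    dst: str
    proto: int
    pkts: int
    nbytes: int


# One data row of the flow table: iif oif src dst protocol pkts bytes.
FLOW_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# One direction inside a conntrack entry; each entry carries two of these.
CT_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) vrf=(\S+)")


def parse_flows(text):
    """Parse the data rows of the flow table; header and separator lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_ROW.match(line.strip())
        if m:
            iif, oif, src, dst, proto, pkts, nbytes = m.groups()
            flows.append(Flow(int(iif), int(oif), src, dst,
                              int(proto), int(pkts), int(nbytes)))
    return flows


def parse_conntrack(text):
    """Return a list of (original, reply) tuples, each as (src:port, dst:port, vrf)."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue                      # trailer line from conntrack-tools
        halves = CT_TUPLE.findall(line)
        if len(halves) != 2:
            continue                      # malformed entry: ignore rather than guess
        orig, reply = [(f"{s}:{sp}", f"{d}:{dp}", vrf) for s, d, sp, dp, vrf in halves]
        entries.append((orig, reply))
    return entries


def paired_directions(flows):
    """True when every record has its reverse: iif/oif swapped and src/dst swapped.

    This is the property the two Step 8 regular expressions check together.
    """
    index = {(f.iif, f.oif, f.src, f.dst) for f in flows}
    return bool(flows) and all((f.oif, f.iif, f.dst, f.src) in index for f in flows)


def nat_view(flows, entry):
    """Relate the client->server flow record to the conntrack original/reply tuples."""
    orig, reply = entry
    fwd = next(f for f in flows if f.src == orig[0])   # record keyed on the client socket
    return {
        "dialled": orig[1],                 # what the client connected to (pre-DNAT)
        "server": reply[0],                 # real server socket (post-DNAT)
        "client_seen_by_server": reply[1],  # masqueraded address in Example 8
        "flow_src": fwd.src,
        "flow_dst": fwd.dst,
    }
```

Running `nat_view(parse_flows(FLOWS_EX7), parse_conntrack(CONNTRACK_EX7)[0])` reports that the flow record's destination equals the conntrack reply source (10.215.168.65:8080) rather than the dialled address 192.168.1.1:8080; for the Example 8 samples the same call additionally reports 10.215.168.64:33862 as the client socket the server saw, while the flow record, taken on eth1, still carries 192.168.1.2. The pairing check is deliberately strict: a table with only one direction fails it, which is the symptom to expect when a selector is attached to only one of ingress or egress.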