Netflow Forward
These scenarios show how to configure and use Netflow to collect and export TCP forwarded flows. Different NAT topologies are described.
Netflow Without NAT
Description
Simple scenario without NAT configuration.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.2/24 set interfaces ethernet eth0 flow egress selector TCP_SEL set interfaces ethernet eth0 flow ingress selector TCP_SEL set interfaces ethernet eth1 address 20.0.0.2/24 set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system netflow app-id set system netflow destination 10.0.0.1 set system netflow engine-id 1111 set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.1/24 set protocols static route 0.0.0.0/0 next-hop 10.0.0.2 set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 20.0.0.1/24 set protocols static route 0.0.0.0/0 next-hop 20.0.0.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system conntrack clear at DUT1.
Step 5: Ping IP address 10.0.0.1 from DUT0:
admin@DUT0$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.431 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.431/0.431/0.431/0.000 ms
Step 6: Ping IP address 20.0.0.1 from DUT0:
admin@DUT0$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.451 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
Step 7: Initiate a tcp connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 20.0.0.1 8080 tcp
Step 8: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
2\s+3\s+10.0.0.1:\d+\s+20.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 b482 0 3 2 20.0.0.1:8080 10.0.0.1:55728 55728 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 431 37 2 b2e0 0 2 3 10.0.0.1:55728 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 431 37
Step 9: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
3\s+2\s+20.0.0.1:\d+\s+10.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 b482 0 3 2 20.0.0.1:8080 10.0.0.1:55728 55728 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 459 65 2 b2e0 0 2 3 10.0.0.1:55728 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 459 65
Step 10: Run command system netflow show status at DUT0 and check if output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\) Export:.*Errors 0 pkts sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr 0, other 0Show output
ipt_NETFLOW 2.6, srcversion 0361A5DAA456583669E3FE1; dir Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1). Timeouts: active 1800s, inactive 15s. Maxflows 2000000 Flows: active 2 (peak 2 reached 0d0h0m ago), mem 492K, worker delay 25/250 [1..25] (48 ms, 0 us, 2:0 [cpu1]). Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 27 pkt, 1 K, InPDU 0, 0. Rate: 344 bits/sec, 0 packets/sec; Avg 1 min: 43 bps, 0 pps; 5 min: 8 bps, 0 pps cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes> Total 0; 0 39 2 [1.00], 0 0 0 0, traffic: 27, 0 MB, drop: 0, 0 K cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu1 0; 0 39 2 [1.00], 0 0 0 0, traffic: 27, 0 MB, drop: 0, 0 K cpu2 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu3 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K Export: Rate 161 bytes/s; Total 2 pkts, 0 MB, 0 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows. sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Netflow With SNAT
Description
Scenario with SNAT in DUT0 WAN interface (eth1).
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.2/24 set interfaces ethernet eth0 flow egress selector TCP_SEL set interfaces ethernet eth0 flow ingress selector TCP_SEL set interfaces ethernet eth1 address 20.0.0.2/24 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 traffic nat source rule 1 selector TCP_SEL set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system netflow app-id set system netflow destination 10.0.0.1 set system netflow engine-id 1111 set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.1/24 set protocols static route 0.0.0.0/0 next-hop 10.0.0.2 set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 20.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system conntrack clear at DUT1.
Step 5: Ping IP address 10.0.0.1 from DUT0:
admin@DUT0$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.306 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms
Step 6: Ping IP address 20.0.0.1 from DUT0:
admin@DUT0$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.613 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms
Step 7: Initiate a tcp connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 20.0.0.1 8080 tcp
Step 8: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
2\s+3\s+10.0.0.1:\d+\s+20.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 651f 0 2 3 10.0.0.1:53228 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 425 37 2 74c0 0 3 2 20.0.0.1:8080 10.0.0.1:53228 53228 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 424 37
Step 9: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
3\s+2\s+20.0.0.1:\d+\s+10.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 651f 0 2 3 10.0.0.1:53228 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 455 67 2 74c0 0 3 2 20.0.0.1:8080 10.0.0.1:53228 53228 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 454 67
Step 10: Run command system netflow show status at DUT0 and check if output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\) Export:.*Errors 0 pkts sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr 0, other 0Show output
ipt_NETFLOW 2.6, srcversion 0361A5DAA456583669E3FE1; dir Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1). Timeouts: active 1800s, inactive 15s. Maxflows 2000000 Flows: active 2 (peak 2 reached 0d0h0m ago), mem 492K, worker delay 25/250 [1..25] (84 ms, 0 us, 2:0 [cpu3]). Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 27 pkt, 1 K, InPDU 0, 0. Rate: 3240 bits/sec, 6 packets/sec; Avg 1 min: 671 bps, 0 pps; 5 min: 156 bps, 0 pps cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes> Total 6; 0 78 4 [1.00], 0 0 0 0, traffic: 54, 0 MB, drop: 0, 0 K cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu1 6; 0 78 4 [1.00], 0 0 0 0, traffic: 54, 0 MB, drop: 0, 0 K cpu2 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu3 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K Export: Rate 0 bytes/s; Total 8 pkts, 0 MB, 2 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows. sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Netflow With DNAT
Description
Scenario with DNAT in DUT0 LAN interface (eth0).
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.2/24 set interfaces ethernet eth0 flow egress selector TCP_SEL set interfaces ethernet eth0 flow ingress selector TCP_SEL set interfaces ethernet eth0 traffic nat destination rule 1 address 20.0.0.1 set interfaces ethernet eth0 traffic nat destination rule 1 selector TCP_SEL set interfaces ethernet eth1 address 20.0.0.2/24 set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system netflow app-id set system netflow destination 10.0.0.1 set system netflow engine-id 1111 set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.1/24 set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 20.0.0.1/24 set protocols static route 0.0.0.0/0 next-hop 20.0.0.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system conntrack clear at DUT1.
Step 5: Ping IP address 10.0.0.1 from DUT0:
admin@DUT0$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.316 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms
Step 6: Ping IP address 20.0.0.1 from DUT0:
admin@DUT0$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.529 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.529/0.529/0.529/0.000 ms
Step 7: Initiate a tcp connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.0.0.2 8080 tcp
Step 8: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
2\s+3\s+10.0.0.1:\d+\s+20.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 4a19 0 2 3 10.0.0.1:35690 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 431 37 2 6ea2 0 3 2 20.0.0.1:8080 10.0.0.1:35690 35690 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 430 37
Step 9: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
3\s+2\s+20.0.0.1:\d+\s+10.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 4a19 0 2 3 10.0.0.1:35690 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 459 65 2 6ea2 0 3 2 20.0.0.1:8080 10.0.0.1:35690 35690 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 458 65
Step 10: Run command system netflow show status at DUT0 and check if output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\) Export:.*Errors 0 pkts sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr 0, other 0Show output
ipt_NETFLOW 2.6, srcversion 0361A5DAA456583669E3FE1; dir Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1). Timeouts: active 1800s, inactive 15s. Maxflows 2000000 Flows: active 2 (peak 2 reached 0d0h0m ago), mem 492K, worker delay 25/250 [1..25] (60 ms, 0 us, 2:0 [cpu1]). Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 27 pkt, 1 K, InPDU 0, 0. Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 448 bps, 0 pps; 5 min: 144 bps, 0 pps cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes> Total 0; 0 117 6 [1.00], 0 0 0 0, traffic: 81, 0 MB, drop: 0, 0 K cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu1 0; 0 117 6 [1.00], 0 0 0 0, traffic: 81, 0 MB, drop: 0, 0 K cpu2 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu3 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K Export: Rate 118 bytes/s; Total 14 pkts, 0 MB, 4 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows. sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Netflow With SDNAT
Description
Scenario with SNAT in DUT0 WAN interface (eth1)
and DNAT in DUT0 LAN interface (eth0).
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.0.0.2/24 set interfaces ethernet eth0 flow egress selector TCP_SEL set interfaces ethernet eth0 flow ingress selector TCP_SEL set interfaces ethernet eth0 traffic nat destination rule 1 address 20.0.0.1 set interfaces ethernet eth0 traffic nat destination rule 1 selector TCP_SEL set interfaces ethernet eth1 address 20.0.0.2/24 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 traffic nat source rule 1 selector TCP_SEL set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system netflow app-id set system netflow destination 10.0.0.1 set system netflow engine-id 1111 set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.0.0.1/24 set system conntrack app-detect set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 20.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system conntrack clear at DUT1.
Step 5: Ping IP address 10.0.0.1 from DUT0:
admin@DUT0$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.304 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms
Step 6: Ping IP address 20.0.0.1 from DUT0:
admin@DUT0$ ping 20.0.0.1 count 1 size 56 timeout 1Show output
PING 20.0.0.1 (20.0.0.1) 56(84) bytes of data. 64 bytes from 20.0.0.1: icmp_seq=1 ttl=64 time=0.582 ms --- 20.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.582/0.582/0.582/0.000 ms
Step 7: Initiate a tcp connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.0.0.2 8080 tcp
Step 8: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
2\s+3\s+10.0.0.1:\d+\s+20.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 f2c1 0 2 3 10.0.0.1:45300 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 426 36 2 7dd7 0 3 2 20.0.0.1:8080 10.0.0.1:45300 45300 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 426 36
Step 9: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:
3\s+2\s+20.0.0.1:\d+\s+10.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]Show output
------------------------------------------------------------------------------------------ Field Description ------------------------------------------------------------------------------------------ # Numeric flow identifier hash Hash of the flow a Shows if the flow is pending of being exported iif Input interface oif Output interface src Source IP:PORT dst Destination IP:PORT protocol Protocol identifier nexthop Next-hop [Layer 4:Port] tos Type of service identificator tcpflags TCP flags options Optional IP options tcpoptions TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop) pkts Packets counter bytes Bytes counter ts_first Timestamp of fist packet that passed through the flow ts_last Timestamp of last packet that passed through the flow ---------------------------------------------------------------------------------------------------------------------------------------------------- # hash a iif oif src dst protocol nexthop tos tcpflags options tcpoptions pkts bytes ts_first ts_last ---------------------------------------------------------------------------------------------------------------------------------------------------- 1 f2c1 0 2 3 10.0.0.1:45300 20.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 14 836 455 65 2 7dd7 0 3 2 20.0.0.1:8080 10.0.0.1:45300 45300 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 13 784 455 65
Step 10: Run command system netflow show status at DUT0 and check if output matches the following regular expressions:
Protocol\sversion\s10\s\(ipfix\) Export:.*Errors 0 pkts sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr 0, other 0Show output
ipt_NETFLOW 2.6, srcversion 0361A5DAA456583669E3FE1; dir Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1). Timeouts: active 1800s, inactive 15s. Maxflows 2000000 Flows: active 2 (peak 2 reached 0d0h0m ago), mem 492K, worker delay 25/250 [1..25] (44 ms, 0 us, 2:0 [cpu1]). Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 27 pkt, 1 K, InPDU 0, 0. Rate: 344 bits/sec, 0 packets/sec; Avg 1 min: 575 bps, 0 pps; 5 min: 213 bps, 0 pps cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes> Total 0; 0 156 8 [1.00], 0 0 0 0, traffic: 108, 0 MB, drop: 0, 0 K cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu1 0; 0 156 8 [1.00], 0 0 0 0, traffic: 108, 0 MB, drop: 0, 0 K cpu2 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K cpu3 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K Export: Rate 29 bytes/s; Total 20 pkts, 0 MB, 6 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows. sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0