App-Detect
These scenarios check the basic functions in app-detect feature.
Test App-Detect HTTP-Host
Description
DUT0 configures the HTTP application detector. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that it is identified as HTTP and the destination hostname appears in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 100 address masquerade set interfaces ethernet eth1 address 192.168.100.1/24 set system conntrack app-detect http set system conntrack app-detect http-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.850 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.850/0.850/0.850/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4704 0 4704 0 0 1564k 0 --:--:-- --:--:-- --:--:-- 2296k
Step 5: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L4:80\shttp\-host:10.215.168.1\]Show output
tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=36686 dport=80 packets=9 bytes=730 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=36686 packets=7 bytes=5244 [ASSURED] [OFFLOAD, packets=4 bytes=208 packets=5 bytes=5132] mark=0 use=3 appdetect[L4:80 http-host:10.215.168.1] icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=523 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=523 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Test App-Detect HTTP-Host Chained App-ID
Description
DUT0 configures the HTTP application detector together with app-detect chained storage mode. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that all detected App-ID results are stored together in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 100 address masquerade set interfaces ethernet eth1 address 192.168.100.1/24 set system conntrack app-detect app-id-storage chained set system conntrack app-detect http set system conntrack app-detect http-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.478 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.478/0.478/0.478/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4704 0 4704 0 0 557k 0 --:--:-- --:--:-- --:--:-- 574k
Step 5: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80\shttp\-host:10.215.168.1\]Show output
tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=51286 dport=80 packets=9 bytes=730 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=51286 packets=7 bytes=5244 [ASSURED] [OFFLOAD, packets=4 bytes=208 packets=5 bytes=5132] mark=0 use=3 appdetect[L3:6;L4:80 http-host:10.215.168.1] icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=524 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=524 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Test App-Detect DNS-Host
Description
DUT0 configures the DNS application detector. DUT1 acts as a client that performs a DNS lookup through DUT0 to DUT2, which runs a DNS server. The connection in DUT0 is then monitored to verify that the queried hostname appears in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name 1teldat.com inet 172.30.0.0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 192.168.200.0/24 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn 1teldat.com set system conntrack app-detect dns-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.667 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.667/0.667/0.667/0.000 ms
Step 5: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 6: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
src=192.168.100\.2 dst=192.168.200\.2.+dport=53.*appdetect\[L4:53\sdns\-host:1teldat.com\]Show output
icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=525 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=525 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=43116 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=43116 packets=1 bytes=73 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com] udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=39351 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=39351 packets=1 bytes=57 mark=0 use=1 appdetect[L4:53] conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Test App-Detect IP-Cache
Description
DUT0 configures DNS detection with a custom dictionary and together with app-detect chained storage mode. DUT1 pings a hostname resolved by DUT2 through DUT0. The IP-cache in DUT0 is monitored to verify that it contains the resolved address and its matching App-ID. The test also verifies that IP-cache entries expire after the configured timeout.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces dummy dum1 address 172.30.0.0/32 set interfaces dummy dum2 address 172.30.0.1/32 set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name 1teldat.com inet 172.30.0.0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 172.30.0.0/31 next-hop 192.168.100.1 set protocols static route 192.168.200.0/24 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set protocols static route 172.30.0.0/31 next-hop 192.168.200.2 set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn 1teldat.com set system conntrack app-detect dns-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Modify the following configuration lines in DUT0 :
set system conntrack app-detect ip-cache timeout 5
Step 5: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.605 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.605/0.605/0.605/0.000 ms
Step 6: Ping IP address 1teldat.com from DUT1:
admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1Show output
PING 1teldat.com (172.30.0.0) 56(84) bytes of data. 64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.181 ms --- 1teldat.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.181/0.181/0.181/0.000 ms
Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
icmp\s+.*src=192.168.100\.2 dst=172.30.0.0.*appdetect\[U6:1001\]Show output
udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=53961 dport=53 packets=2 bytes=114 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=53961 packets=2 bytes=130 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com] icmp 1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=530 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=530 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001] udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=59172 dport=53 packets=1 bytes=69 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=59172 packets=1 bytes=94 mark=0 use=1 appdetect[L4:53] icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=529 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=529 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 8: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4s832ms
Step 9: Run command system conntrack app-detect show at DUT0 and check if output matches the following regular expressions:
Matches in IP-cache\s*1(.*\n)+Modifications in IP-cache\s*1Show output
--------------------------------------------------- App-detect Stats # --------------------------------------------------- Matches in static dictionaries 0 Matches in IP-cache 1 Modifications in IP-cache 1 Matches in dynamic dictionaries 1 Times appid has been refreshed 0 Ips blacklisted from cache due to appid flapping 0 Matches in DNS CNAME cache 0 Entries in DNS CNAME cache 0
Step 10: Run command system conntrack app-detect show ip-cache at DUT0 and check if output does not match the following regular expressions:
172.30.0.0\s*U6:1001
Step 11: Ping IP address 1teldat.com from DUT1:
admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1Show output
PING 1teldat.com (172.30.0.0) 56(84) bytes of data. 64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.453 ms --- 1teldat.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.453/0.453/0.453/0.000 ms
Step 12: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4s916ms
Test App-Detect IP-Cache Blacklist
Description
DUT0 configures DNS detection and a custom dictionary with two entries that map different App-IDs to the same IP address, causing App-ID flapping. The test first verifies that flapping is detected without blacklisting. Then the IP-cache blacklist option is enabled and the test verifies that the flapping address is blacklisted.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name 1teldat.com inet 172.30.0.0 set service dns static host-name 2teldat.com inet 172.30.0.0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 192.168.200.0/24 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn 1teldat.com set system conntrack app-detect dictionary 1 custom app-id 2002 fqdn 2teldat.com set system conntrack app-detect dns-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.651 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.651/0.651/0.651/0.000 ms
Step 5: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 6: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4m59s900ms
Step 7: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 8: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:2002Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:2002 4m59s936ms
Step 9: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 10: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4m59s916ms
Step 11: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 12: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:2002Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:2002 4m59s888ms
Step 13: Run command system conntrack app-detect show at DUT0 and check if output matches the following regular expressions:
Modifications in IP-cache\s*4(.*\n)+Ips blacklisted from cache due to appid flapping\s*0Show output
--------------------------------------------------- App-detect Stats # --------------------------------------------------- Matches in static dictionaries 0 Matches in IP-cache 0 Modifications in IP-cache 4 Matches in dynamic dictionaries 4 Times appid has been refreshed 0 Ips blacklisted from cache due to appid flapping 0 Matches in DNS CNAME cache 0 Entries in DNS CNAME cache 0
Step 14: Run command system conntrack app-detect show ip-blacklist-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0Show output
-------------------------------- IP Changes Expires in -------------------------------- 172.30.0.0 3 14m59s652ms
Step 15: Modify the following configuration lines in DUT0 :
set system conntrack app-detect ip-cache blacklist
Step 16: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 17: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 18: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 19: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 20: Run command system conntrack app-detect show at DUT0 and check if output matches the following regular expressions:
Modifications in IP-cache\s*8(.*\n)+Ips blacklisted from cache due to appid flapping\s*1Show output
--------------------------------------------------- App-detect Stats # --------------------------------------------------- Matches in static dictionaries 0 Matches in IP-cache 0 Modifications in IP-cache 8 Matches in dynamic dictionaries 8 Times appid has been refreshed 0 Ips blacklisted from cache due to appid flapping 1 Matches in DNS CNAME cache 0 Entries in DNS CNAME cache 0
Step 21: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
^s*$
Step 22: Run command system conntrack app-detect show ip-blacklist-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*3Show output
-------------------------------- IP Changes Expires in -------------------------------- 172.30.0.0 3 14m59s620ms
Test App-Detect IP-Cache Chained App-ID
Description
DUT0 configures HTTP detection, DNS detection and a custom dictionary, together with app-detect chained storage mode and refresh-flow-appid option. DUT1 downloads a file via HTTP through DUT0, resolved by DUT2. On the first request the appdetect annotation shows the App-ID chain in real-time detection order. After clearing conntrack, a second request verifies that the IP-cache match appears first in the App-ID chain of the connection.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name enterprise.opentok.com inet 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 100 address masquerade set interfaces ethernet eth1 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set system conntrack app-detect app-id-storage chained set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn enterprise.opentok.com set system conntrack app-detect http set system conntrack app-detect http-host set system conntrack app-detect refresh-flow-appid set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.697 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.697/0.697/0.697/0.000 ms
Step 5: Ping IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.709 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.709/0.709/0.709/0.000 ms
Step 6: Run command file copy http://enterprise.opentok.com/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4704 0 4704 0 0 773k 0 --:--:-- --:--:-- --:--:-- 918k
Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80;U6:1001\shttp\-host:enterprise.opentok.com\]Show output
icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=533 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=533 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=51230 dport=80 packets=9 bytes=740 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=51230 packets=7 bytes=5244 [ASSURED] [OFFLOAD, packets=4 bytes=208 packets=5 bytes=5132] mark=0 use=3 appdetect[L3:6;L4:80;U6:1001 http-host:enterprise.opentok.com] udp 17 src=192.168.100.2 dst=192.168.200.2 sport=58659 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=58659 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53] icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=534 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=534 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 8: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
10.215.168.1\s*U6:1001Show output
---------------------------------------- IP Application ID Expires in ---------------------------------------- 10.215.168.1 U6:1001 4m59s820ms
Step 9: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 10: Run command file copy http://enterprise.opentok.com/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4704 0 4704 0 0 780k 0 --:--:-- --:--:-- --:--:-- 918k
Step 11: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[U6:1001;L3:6;L4:80\shttp\-host:enterprise.opentok.com\]Show output
udp 17 src=192.168.100.2 dst=192.168.200.2 sport=34564 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=34564 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=3 appdetect[L3:17;L4:53] tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=51246 dport=80 packets=9 bytes=740 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=51246 packets=7 bytes=5244 [ASSURED] [OFFLOAD, packets=4 bytes=208 packets=5 bytes=5132] mark=0 use=3 appdetect[U6:1001;L3:6;L4:80 http-host:enterprise.opentok.com] conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.