App-Detect
These scenarios check the basic functions in app-detect feature.
Test App-Detect HTTP-Host
Description
DUT0 configures the HTTP application detector. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that it is identified as HTTP and the destination hostname appears in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 100 address masquerade set interfaces ethernet eth1 address 192.168.100.1/24 set system conntrack app-detect http set system conntrack app-detect http-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.852 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.852/0.852/0.852/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1082 0 1082 0 0 206k 0 --:--:-- --:--:-- --:--:-- 211k
Step 5: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L4:80\shttp\-host:10.215.168.1\]Show output
tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=43164 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=43164 packets=4 bytes=1465 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1353] mark=0 use=3 appdetect[L4:80 http-host:10.215.168.1] icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=387 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=387 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Test App-Detect HTTP-Host Chained App-ID
Description
DUT0 configures the HTTP application detector together with app-detect chained storage mode. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that all detected App-ID results are stored together in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 100 address masquerade set interfaces ethernet eth1 address 192.168.100.1/24 set system conntrack app-detect app-id-storage chained set system conntrack app-detect http set system conntrack app-detect http-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.708 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.708/0.708/0.708/0.000 ms
Step 4: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1082 0 1082 0 0 237k 0 --:--:-- --:--:-- --:--:-- 264k
Step 5: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80\shttp\-host:10.215.168.1\]Show output
tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=50138 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=50138 packets=4 bytes=1465 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1353] mark=0 use=3 appdetect[L3:6;L4:80 http-host:10.215.168.1] icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=388 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=388 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Test App-Detect DNS-Host
Description
DUT0 configures the DNS application detector. DUT1 acts as a client that performs a DNS lookup through DUT0 to DUT2, which runs a DNS server. The connection in DUT0 is then monitored to verify that the queried hostname appears in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name 1teldat.com inet 172.30.0.0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 192.168.200.0/24 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn 1teldat.com set system conntrack app-detect dns-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=1.00 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.002/1.002/1.002/0.000 ms
Step 5: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 6: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
src=192.168.100\.2 dst=192.168.200\.2.+dport=53.*appdetect\[L4:53\sdns\-host:1teldat.com\]Show output
udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=42343 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=42343 packets=1 bytes=73 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com] icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=389 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=389 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=33688 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=33688 packets=1 bytes=57 mark=0 use=1 appdetect[L4:53] conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Test App-Detect IP-Cache
Description
DUT0 configures DNS detection with a custom dictionary and together with app-detect chained storage mode. DUT1 pings a hostname resolved by DUT2 through DUT0. The IP-cache in DUT0 is monitored to verify that it contains the resolved address and its matching App-ID. The test also verifies that IP-cache entries expire after the configured timeout.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces dummy dum1 address 172.30.0.0/32 set interfaces dummy dum2 address 172.30.0.1/32 set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name 1teldat.com inet 172.30.0.0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 172.30.0.0/31 next-hop 192.168.100.1 set protocols static route 192.168.200.0/24 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set protocols static route 172.30.0.0/31 next-hop 192.168.200.2 set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn 1teldat.com set system conntrack app-detect dns-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Modify the following configuration lines in DUT0 :
set system conntrack app-detect ip-cache timeout 5
Step 5: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.785 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.785/0.785/0.785/0.000 ms
Step 6: Ping IP address 1teldat.com from DUT1:
admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1Show output
PING 1teldat.com (172.30.0.0) 56(84) bytes of data. 64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.392 ms --- 1teldat.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms
Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
icmp\s+.*src=192.168.100\.2 dst=172.30.0.0.*appdetect\[U6:1001\]Show output
icmp 1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=394 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=394 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001] icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=393 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=393 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=53022 dport=53 packets=2 bytes=114 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=53022 packets=2 bytes=130 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com] udp 17 29 src=192.168.100.2 dst=192.168.200.2 sport=39737 dport=53 packets=1 bytes=69 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=39737 packets=1 bytes=94 mark=0 use=1 appdetect[L4:53] conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 8: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4s824ms
Step 9: Run command system conntrack app-detect show at DUT0 and check if output matches the following regular expressions:
Matches in IP-cache\s*1(.*\n)+Modifications in IP-cache\s*1Show output
--------------------------------------------------- App-detect Stats # --------------------------------------------------- Matches in static dictionaries 0 Matches in IP-cache 1 Modifications in IP-cache 1 Matches in dynamic dictionaries 1 Times appid has been refreshed 0 Ips blacklisted from cache due to appid flapping 0 Matches in DNS CNAME cache 0 Entries in DNS CNAME cache 0
Step 10: Run command system conntrack app-detect show ip-cache at DUT0 and check if output does not match the following regular expressions:
172.30.0.0\s*U6:1001
Step 11: Ping IP address 1teldat.com from DUT1:
admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1Show output
PING 1teldat.com (172.30.0.0) 56(84) bytes of data. 64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.396 ms --- 1teldat.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.396/0.396/0.396/0.000 ms
Step 12: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4s932ms
Test App-Detect IP-Cache Blacklist
Description
DUT0 configures DNS detection and a custom dictionary with two entries that map different App-IDs to the same IP address, causing App-ID flapping. The test first verifies that flapping is detected without blacklisting. Then the IP-cache blacklist option is enabled and the test verifies that the flapping address is blacklisted.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name 1teldat.com inet 172.30.0.0 set service dns static host-name 2teldat.com inet 172.30.0.0 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 192.168.200.0/24 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn 1teldat.com set system conntrack app-detect dictionary 1 custom app-id 2002 fqdn 2teldat.com set system conntrack app-detect dns-host set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.929 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.929/0.929/0.929/0.000 ms
Step 5: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 6: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4m59s924ms
Step 7: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 8: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:2002Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:2002 4m59s904ms
Step 9: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 10: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:1001Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:1001 4m59s908ms
Step 11: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 12: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*U6:2002Show output
-------------------------------------- IP Application ID Expires in -------------------------------------- 172.30.0.0 U6:2002 4m59s924ms
Step 13: Run command system conntrack app-detect show at DUT0 and check if output matches the following regular expressions:
Modifications in IP-cache\s*4(.*\n)+Ips blacklisted from cache due to appid flapping\s*0Show output
--------------------------------------------------- App-detect Stats # --------------------------------------------------- Matches in static dictionaries 0 Matches in IP-cache 0 Modifications in IP-cache 4 Matches in dynamic dictionaries 4 Times appid has been refreshed 0 Ips blacklisted from cache due to appid flapping 0 Matches in DNS CNAME cache 0 Entries in DNS CNAME cache 0
Step 14: Run command system conntrack app-detect show ip-blacklist-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0Show output
-------------------------------- IP Changes Expires in -------------------------------- 172.30.0.0 3 14m59s744ms
Step 15: Modify the following configuration lines in DUT0 :
set system conntrack app-detect ip-cache blacklist
Step 16: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 17: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 18: Run command nslookup 1teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 1teldat.com Address: 172.30.0.0 ** server can't find 1teldat.com: REFUSED
Step 19: Run command nslookup 2teldat.com dns-server 192.168.200.2 at DUT1 and check if output matches the following regular expressions:
Address:\s*172.30.0.0Show output
Server: 192.168.200.2 Address: 192.168.200.2#53 Name: 2teldat.com Address: 172.30.0.0 ** server can't find 2teldat.com: REFUSED
Step 20: Run command system conntrack app-detect show at DUT0 and check if output matches the following regular expressions:
Modifications in IP-cache\s*8(.*\n)+Ips blacklisted from cache due to appid flapping\s*1Show output
--------------------------------------------------- App-detect Stats # --------------------------------------------------- Matches in static dictionaries 0 Matches in IP-cache 0 Modifications in IP-cache 8 Matches in dynamic dictionaries 8 Times appid has been refreshed 0 Ips blacklisted from cache due to appid flapping 1 Matches in DNS CNAME cache 0 Entries in DNS CNAME cache 0
Step 21: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
^s*$
Step 22: Run command system conntrack app-detect show ip-blacklist-cache at DUT0 and check if output matches the following regular expressions:
172.30.0.0\s*3Show output
-------------------------------- IP Changes Expires in -------------------------------- 172.30.0.0 3 14m59s716ms
Test App-Detect IP-Cache Chained App-ID
Description
DUT0 configures HTTP detection, DNS detection and a custom dictionary, together with app-detect chained storage mode and refresh-flow-appid option. DUT1 downloads a file via HTTP through DUT0, resolved by DUT2. On the first request the appdetect annotation shows the App-ID chain in real-time detection order. After clearing conntrack, a second request verifies that the IP-cache match appears first in the App-ID chain of the connection.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24 set protocols static route 192.168.100.0/24 next-hop 192.168.200.1 set service dns forwarding disable-local-service set service dns forwarding name-server 127.0.0.1 set service dns static host-name enterprise.opentok.com inet 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set service dns resolver name-server 192.168.200.2 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic nat source rule 100 address masquerade set interfaces ethernet eth1 vif 100 address 192.168.100.1/24 set interfaces ethernet eth1 vif 200 address 192.168.200.1/24 set system conntrack app-detect app-id-storage chained set system conntrack app-detect dictionary 1 custom app-id 1001 fqdn enterprise.opentok.com set system conntrack app-detect http set system conntrack app-detect http-host set system conntrack app-detect refresh-flow-appid set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data. 64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.943 ms --- 192.168.200.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.943/0.943/0.943/0.000 ms
Step 5: Ping IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.649 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.649/0.649/0.649/0.000 ms
Step 6: Run command file copy http://enterprise.opentok.com/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1082 0 1082 0 0 204k 0 --:--:-- --:--:-- --:--:-- 211k
Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80;U6:1001\shttp\-host:enterprise.opentok.com\]Show output
icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=398 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=398 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=397 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=397 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1] udp 17 src=192.168.100.2 dst=192.168.200.2 sport=54983 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=54983 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53] tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=37760 dport=80 packets=6 bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=37760 packets=4 bytes=1465 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1353] mark=0 use=3 appdetect[L3:6;L4:80;U6:1001 http-host:enterprise.opentok.com] conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 8: Run command system conntrack app-detect show ip-cache at DUT0 and check if output matches the following regular expressions:
10.215.168.1\s*U6:1001Show output
---------------------------------------- IP Application ID Expires in ---------------------------------------- 10.215.168.1 U6:1001 4m59s788ms
Step 9: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 10: Run command file copy http://enterprise.opentok.com/~robot/ running://index.html force at DUT1 and expect this output:
Show output
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1082 0 1082 0 0 235k 0 --:--:-- --:--:-- --:--:-- 264k
Step 11: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[U6:1001;L3:6;L4:80\shttp\-host:enterprise.opentok.com\]Show output
udp 17 src=192.168.100.2 dst=192.168.200.2 sport=44555 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=44555 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53] tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=37774 dport=80 packets=6 bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=37774 packets=4 bytes=1465 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1353] mark=0 use=3 appdetect[U6:1001;L3:6;L4:80 http-host:enterprise.opentok.com] conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.