Verifying the Selective Stateless Packet-Based Services Configuration—End-to-End Packet-Based
To verify selective stateless packet-based services configured in Example: Configuring Selective Stateless Packet-Based Services—End-to-End Packet-Based, perform these tasks:
- Displaying the End-to-End Packet-Based Example Configuration
- Verifying Session Establishment On Intranet Traffic
- Verifying Session Establishment On Internet Traffic
Displaying the End-to-End Packet-Based Example Configuration
Purpose
Display the selective stateless packet-based services configuration.
Action
From the configuration mode in the CLI, enter the following commands:
- show interfaces—Display status information and statistics about interfaces on devices R0, R1, R2, and R3.
- show routing-options—Display route information on devices R0, R1, R2, and R3.
- show security zones—Display information about security zones on device R1.
- show security policies—Display a summary of all security policies configured on device R1.
- show firewall—Display firewall filters applied on different interfaces on device R1.
The sample output in this section displays the complete configuration in the example.
On R0:
On R2:
On R3:
On R1:
Meaning
Verify that the output shows the intended configuration of the firewall filter, interfaces, and policies.
Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
Related Topics
For a complete description of show interfaces command output, see the Junos Interfaces Command Reference.
For a complete description of show security zones and show security policies command outputs, see the Junos OS CLI Reference.
For a complete description of show firewall command output, see the Junos Routing Protocols and Policies Command Reference.
Verifying Session Establishment On Intranet Traffic
Purpose
Verify if, in this example configuration, sessions are established when traffic is transmitted to interfaces within the Intranet.
Action
To verify that selective stateless packet-based services are working, check that Intranet traffic bypasses flow-based forwarding and that no sessions are established. To check whether sessions are established, perform the following tasks:
- On device R1, enter the operational mode command clear security flow session all in the CLI to clear all existing security flow sessions.
- On device R0, enter the operational mode command ping in the CLI to transmit traffic to device R3.
- On device R1, with traffic transmitting from devices R0 to R3 through R1, enter the operational mode command show security flow session in the CLI.
Note: To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.
Sample Output
user@R0> ping 10.2.1.2
PING 10.2.1.2 (10.2.1.2): 56 data bytes
64 bytes from 10.2.1.2: icmp_seq=0 ttl=63 time=2.208 ms
64 bytes from 10.2.1.2: icmp_seq=1 ttl=63 time=2.568 ms
64 bytes from 10.2.1.2: icmp_seq=2 ttl=63 time=2.573 ms
64 bytes from 10.2.1.2: icmp_seq=3 ttl=63 time=2.310 ms
64 bytes from 10.2.1.2: icmp_seq=4 ttl=63 time=1.566 ms
64 bytes from 10.2.1.2: icmp_seq=5 ttl=63 time=1.569 ms
...
user@R1> show security flow session
0 sessions displayed
Meaning
The output shows traffic transmitting from R0 to R3 and no sessions are established. In this example, you applied the bypass-flow-filter with the packet-mode action modifier on interfaces Internal 1 and Internal 2 for your company’s Intranet traffic. This output verifies that the traffic between the two interfaces is correctly bypassing flow-based forwarding and hence no sessions are established.
Related Topics
For more information about the show security flow session command, see the Junos OS CLI Reference.
For information about the ping command, see the Junos OS Administration Guide for Security Devices or the Junos System Basics Configuration Guide.
Verifying Session Establishment On Internet Traffic
Purpose
Verify if, in this example configuration, sessions are established when traffic is transmitted to the Internet.
Action
To verify if traffic to the Internet is using flow-based forwarding and sessions are established, perform the following tasks:
- On device R1, enter the operational mode command clear security flow session all in the CLI to clear all existing security flow sessions.
- On device R0, enter the operational mode command ping in the CLI to transmit traffic to device R2.
- On device R1, with traffic transmitting from R0 to R2 through R1, enter the operational mode command show security flow session in the CLI.
Note: To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.
Sample Output
user@R0> ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=63 time=2.326 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=2.569 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=2.565 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=2.563 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=63 time=2.306 ms
64 bytes from 1.1.1.2: icmp_seq=5 ttl=63 time=2.560 ms
64 bytes from 1.1.1.2: icmp_seq=6 ttl=63 time=4.130 ms
64 bytes from 1.1.1.2: icmp_seq=7 ttl=63 time=2.316 ms
...
user@R1> show security flow session
Session ID: 50522, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/12 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/12;icmp, If: ge-0/0/3.0
Session ID: 50523, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/13 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/13;icmp, If: ge-0/0/3.0
2 sessions displayed
Meaning
The output shows traffic transmitting from devices R0 to R1 and established sessions. In this example, you did not apply the bypass-flow-filter with the packet-mode action modifier on interface Internet for your company’s Internet traffic. This output verifies that the traffic to the Internet is correctly using flow-based forwarding and hence sessions are established.
Transmit traffic from device R3 to R2 and use the commands in this section to verify established sessions.
Related Topics
For more information about the show security flow session command, see the Junos OS CLI Reference.
For information about the ping command, see the Junos OS Administration Guide for Security Devices or the Junos System Basics Configuration Guide.
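The two session checks above can be run over saved captures of show security flow session. This Python script is an added example, not Juniper code: it flags any session between Intranet hosts (traffic that should be bypassing flow) and flags the absence of a session for Internet-bound traffic. The /24 prefixes and all function names are assumptions; the captures are copied from the sample output on this page.

```python
import ipaddress
import re

# Assumption: /24 prefixes; the page shows only hosts 10.1.1.2 (R0) and 10.2.1.2 (R3).
INTRANET = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "10.2.1.0/24")]

# Matches one session header plus its "In:" wing, whether or not line breaks survived.
SESSION_RE = re.compile(
    r"Session ID: (\d+), Policy name: ([^,]+), Timeout: \d+\s+"
    r"In: ([\d.]+)/\d+ --> ([\d.]+)/\d+;(\w+), If: (\S+)")
COUNT_RE = re.compile(r"(\d+) sessions displayed")

def parse_sessions(output):
    """Return a dict per session; fail if the device's own count disagrees."""
    sessions = [dict(zip(("id", "policy", "src", "dst", "proto", "ifname"), m.groups()))
                for m in SESSION_RE.finditer(output)]
    count = COUNT_RE.search(output)
    if count is None or int(count.group(1)) != len(sessions):
        raise ValueError("capture is truncated or in an unrecognised format")
    return sessions

def is_intranet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET)

def audit(intranet_capture, internet_capture):
    """Return findings; an empty list means both checks on the page pass."""
    findings = []
    for s in parse_sessions(intranet_capture):
        if is_intranet(s["src"]) and is_intranet(s["dst"]):
            findings.append(f"session {s['id']}: intranet flow "
                            f"{s['src']} -> {s['dst']} is not bypassing flow")
    external = [s for s in parse_sessions(internet_capture) if not is_intranet(s["dst"])]
    if not external:
        findings.append("no session for Internet-bound traffic: "
                        "packet-mode filter may be too broad")
    return findings

# Captures copied from the page's sample output.
INTRANET_CAPTURE = "0 sessions displayed"
INTERNET_CAPTURE = """\
Session ID: 50522, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/12 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/12;icmp, If: ge-0/0/3.0
Session ID: 50523, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/13 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/13;icmp, If: ge-0/0/3.0
2 sessions displayed"""

if __name__ == "__main__":
    print(audit(INTRANET_CAPTURE, INTERNET_CAPTURE) or "both checks pass")
```

An empty result means Intranet traffic created no flow sessions while Internet traffic did, which is the outcome both Meaning sections describe.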
