Verifying the Selective Stateless Packet-Based Services Configuration—Packet-Based to Flow-Based

To verify the selective stateless packet-based services configured in Example: Configuring Selective Stateless Packet-Based Services—Packet-Based to Flow-Based, perform these tasks:

Displaying the Packet-Based to Flow-Based Example Configuration

Purpose

Display the selective stateless packet-based services configuration for packet-based to flow-based forwarding.

Action

From configuration mode in the CLI, enter the following show commands. The sample output in this section displays the complete configuration used in the example.

On R0:

[edit]
user@R0# show interfaces
ge-0/0/2 {
    description "Connect to Master-VR";
    unit 0 {
        family inet {
            address 9.9.9.9/24;
        }
    }
}
user@R0# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/2.0;
    }
}

On R2:

[edit]
user@R2# show interfaces
ge-0/0/3 {
    description "Connect to Internet-VR";
    unit 0 {
        family inet {
            address 5.5.5.9/24;
        }
    }
}
user@R2# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/3.0;
    }
}

On R1:

[edit]
user@R1# show interfaces
ge-0/0/2 {
    description "Connect to R0";
    unit 0 {
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 9.9.9.10/24;
        }
    }
}
lt-0/0/0 {
    unit 0 {
        encapsulation frame-relay;
        dlci 100;
        peer-unit 1;
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 1.1.1.1/16;
        }
    }
    unit 1 {
        encapsulation frame-relay;
        dlci 100;
        peer-unit 0;
        family inet {
            address 1.1.1.2/16;
        }
    }
}
user@R1# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/2.0;
        interface lt-0/0/0.0;
    }
}
user@R1# show firewall
filter bypass-flow-filter {
    term bypass-flow-term {
        then {
            packet-mode;
            accept;
        }
    }
}
user@R1# show routing-instances
Internet-VR {
    instance-type virtual-router;
    interface lt-0/0/0.1;
    interface ge-0/0/3.0;
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/3.0;
                interface lt-0/0/0.1;
            }
        }
    }
}
user@R1# show security
zones {
    security-zone HOST {
        host-inbound-traffic {
            system-services {
                any-service;
            }
            protocols {
                all;
            }
        }
        interfaces {
            all;
        }
    }
}
policies {
    default-policy {
        permit-all;
    }
}

Meaning

Verify that the output shows the intended configuration of the firewall filter, routing instances, interfaces, and policies.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
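Because a term with the packet-mode action modifier sends matching packets around the flow module, traffic on those interfaces is never screened by security policies, so the check that matters is where the filter is applied, not only what it contains. The following Python script is an added example and is not part of the Junos documentation: it parses the R1 configuration shown above (constructed here as text, abridged to the statements the audit reads), lists the filter's terms in evaluation order, and confirms that bypass-flow-filter is applied on exactly the intended LAN interfaces and on none of the interfaces that belong to the Internet-VR routing instance. The parser is a minimal one written for this example; the expected LAN interfaces ge-0/0/2.0 and lt-0/0/0.0 are an assumption taken from the configuration.

```python
# Constructed sample: R1's configuration from this section, abridged to the
# statements the audit reads (description, encapsulation, DLCI and peer-unit omitted).
R1_INTERFACES = """
ge-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 9.9.9.10/24;
        }
    }
}
lt-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input bypass-flow-filter;
            }
            address 1.1.1.1/16;
        }
    }
    unit 1 {
        family inet {
            address 1.1.1.2/16;
        }
    }
}
"""
R1_FIREWALL = """
filter bypass-flow-filter {
    term bypass-flow-term {
        then {
            packet-mode;
            accept;
        }
    }
}
"""
R1_ROUTING_INSTANCES = """
Internet-VR {
    instance-type virtual-router;
    interface lt-0/0/0.1;
    interface ge-0/0/3.0;
}
"""

def parse_junos(text):
    """Parse Junos curly-brace configuration into nested dicts: a container
    ("unit 0 {") maps to a dict of its children, a leaf ("address ...;") to
    None. Insertion order is kept, which is how term order is recovered."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unrecognised configuration line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return stack[0]

def input_filter_interfaces(interfaces, filter_name):
    """Logical interfaces (ifd.unit) whose family inet applies filter_name on input."""
    found = set()
    for ifd, body in interfaces.items():
        for key, unit in (body or {}).items():
            if key.startswith("unit "):
                filt = ((unit or {}).get("family inet") or {}).get("filter") or {}
                if f"input {filter_name}" in filt:
                    found.add(f"{ifd}.{key.split()[1]}")
    return found

def filter_terms(firewall, filter_name):
    """(term name, actions) in the order the filter tests packets against them."""
    body = firewall[f"filter {filter_name}"]
    return [(k.split(None, 1)[1], list(v.get("then") or {}))
            for k, v in body.items() if k.startswith("term ")]

def audit(interfaces_text, firewall_text, ri_text, expected_lan):
    """The filter must sit on exactly the LAN interfaces and on no Internet-VR interface."""
    bypass = input_filter_interfaces(parse_junos(interfaces_text), "bypass-flow-filter")
    ri_body = parse_junos(ri_text)["Internet-VR"]
    internet = {k.split()[1] for k in ri_body if k.startswith("interface ")}
    return {
        "bypass_interfaces": bypass,
        "internet_vr_interfaces": internet,
        "terms": filter_terms(parse_junos(firewall_text), "bypass-flow-filter"),
        "ok": bypass == set(expected_lan) and not (bypass & internet),
    }
```

Run audit(R1_INTERFACES, R1_FIREWALL, R1_ROUTING_INSTANCES, {"ge-0/0/2.0", "lt-0/0/0.0"}) against text captured with the show commands above; "ok" turns false as soon as the filter appears on an interface outside the expected set, for instance if it were also applied to lt-0/0/0.1, which would let Internet traffic skip flow-based forwarding.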

Related Topics

For a complete description of show interfaces command output, see the Junos Interfaces Command Reference.

For a complete description of show security zones and show security policies command outputs, see the Junos OS CLI Reference.

For a complete description of show firewall command output, see the Junos Routing Protocols and Policies Command Reference.

Verifying Session Establishment On LAN Traffic

Purpose

Verify whether, in this example configuration, sessions are established when traffic is transmitted on interfaces that carry the firewall filter bypass-flow-filter.

Action

To verify that selective stateless packet-based services are working, check that internal traffic bypasses flow-based forwarding and that no sessions are established. To do so, perform the following tasks:

  1. On device R1, enter the operational mode command clear security flow session all in the CLI to clear all existing security flow sessions.
  2. On device R0, enter the operational mode command ping in the CLI to transmit traffic to device Master-VR.
  3. On device R1, with traffic transmitting from devices R0 through R1, enter the operational mode command show security flow session in the CLI.

Note: To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.

Sample Output


user@R0> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=63 time=2.208 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=63 time=2.568 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=63 time=2.573 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=63 time=2.310 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=63 time=1.566 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=63 time=1.569 ms
...

user@R1> show security flow session
0 sessions displayed

Meaning

The output shows traffic transmitting from R0 to Master-VR and that no sessions are established. In this example, you applied the bypass-flow-filter with the packet-mode action modifier on interfaces ge-0/0/0 and lt-0/0/0.0 for your company’s LAN traffic. This output verifies that the traffic between the two interfaces is correctly bypassing flow-based forwarding and hence no sessions are established.

Related Topics

For more information about the show security flow session command, see the Junos OS CLI Reference.

For information about the ping command, see the Junos OS Administration Guide for Security Devices or the Junos System Basics Configuration Guide.

Verifying Session Establishment On Internet Traffic

Purpose

Verify whether, in this example configuration, sessions are established when traffic is transmitted to the Internet.

Action

To verify if traffic to the Internet is using flow-based forwarding and sessions are established, perform the following tasks:

  1. On device R1, enter the operational mode command clear security flow session all in the CLI to clear all existing security flow sessions.
  2. On device R0, enter the operational mode command ping in the CLI to transmit traffic to device R2.
  3. On device R1, with traffic transmitting from R0 to R2 through R1, enter the operational mode command show security flow session in the CLI.

Note: To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.

Sample Output


user@R0> ping 5.5.5.9
PING 5.5.5.9 (5.5.5.9): 56 data bytes

64 bytes from 5.5.5.9: icmp_seq=0 ttl=62 time=2.593 ms
64 bytes from 5.5.5.9: icmp_seq=1 ttl=62 time=2.562 ms
64 bytes from 5.5.5.9: icmp_seq=2 ttl=62 time=2.563 ms
64 bytes from 5.5.5.9: icmp_seq=3 ttl=62 time=2.561 ms
64 bytes from 5.5.5.9: icmp_seq=4 ttl=62 time=2.310 ms
64 bytes from 5.5.5.9: icmp_seq=5 ttl=62 time=3.880 ms

...

user@R1> show security flow session
Session ID: 189900, Policy name: default-policy/2, Timeout: 2
  In: 9.9.9.9/0 --> 5.5.5.9/5924;icmp, If: lt-0/0/0.1
  Out: 5.5.5.9/5924 --> 9.9.9.9/0;icmp, If: ge-0/0/3.0

Session ID: 189901, Policy name: default-policy/2, Timeout: 2
  In: 9.9.9.9/1 --> 5.5.5.9/5924;icmp, If: lt-0/0/0.1
  Out: 5.5.5.9/5924 --> 9.9.9.9/1;icmp, If: ge-0/0/3.0

Session ID: 189902, Policy name: default-policy/2, Timeout: 4
  In: 9.9.9.9/2 --> 5.5.5.9/5924;icmp, If: lt-0/0/0.1
  Out: 5.5.5.9/5924 --> 9.9.9.9/2;icmp, If: ge-0/0/3.0

 3 sessions displayed

Meaning

The output shows traffic transmitting from device R0 to R2 and that sessions are established. In this example, you did not apply the bypass-flow-filter with the packet-mode action modifier on routing instance Internet-VR for your company’s Internet traffic. This output verifies that the traffic to the Internet is correctly using flow-based forwarding and hence sessions are established.

Note that sessions are established only when traffic is flowing between lt-0/0/0.1 and ge-0/0/3 and not when traffic is flowing between ge-0/0/2 and lt-0/0/0.0.
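The two verification tasks in this section (LAN traffic creates no sessions; Internet traffic creates sessions only on the Internet-VR interfaces) can be checked mechanically from the show security flow session text. The following Python script is an added example and is not part of the Junos documentation: it parses both sample outputs shown above (constructed here as text), cross-checks the session count against the "N sessions displayed" trailer, and reports any session whose In or Out wing sits on an interface that carries the bypass filter, since such a session would show that traffic meant to bypass flow-based forwarding is in fact being flow-processed. The bypass interfaces ge-0/0/2.0 and lt-0/0/0.0 and the Internet-VR interfaces lt-0/0/0.1 and ge-0/0/3.0 are assumptions taken from the configuration.

```python
import re

# Constructed samples: the two show security flow session outputs shown above.
LAN_OUTPUT = """
0 sessions displayed
"""
INTERNET_OUTPUT = """
Session ID: 189900, Policy name: default-policy/2, Timeout: 2
  In: 9.9.9.9/0 --> 5.5.5.9/5924;icmp, If: lt-0/0/0.1
  Out: 5.5.5.9/5924 --> 9.9.9.9/0;icmp, If: ge-0/0/3.0

Session ID: 189901, Policy name: default-policy/2, Timeout: 2
  In: 9.9.9.9/1 --> 5.5.5.9/5924;icmp, If: lt-0/0/0.1
  Out: 5.5.5.9/5924 --> 9.9.9.9/1;icmp, If: ge-0/0/3.0

Session ID: 189902, Policy name: default-policy/2, Timeout: 4
  In: 9.9.9.9/2 --> 5.5.5.9/5924;icmp, If: lt-0/0/0.1
  Out: 5.5.5.9/5924 --> 9.9.9.9/2;icmp, If: ge-0/0/3.0

 3 sessions displayed
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\w+), If: (\S+)")
TRAILER_RE = re.compile(r"^\s*(\d+) sessions? displayed")


def _endpoint(token):
    """Split '9.9.9.9/5924' into (address, port); for ICMP the port field carries id/seq."""
    addr, port = token.rsplit("/", 1)
    return addr, int(port)


def parse_flow_sessions(text):
    """Parse the session table into dicts and cross-check the 'N sessions displayed' trailer."""
    sessions, current, declared = [], None, None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            current = {"id": int(m[1]), "policy": m[2], "timeout": int(m[3]), "wings": {}}
            sessions.append(current)
        elif (m := WING_RE.match(line)) and current is not None:
            direction, src, dst, proto, ifname = m.groups()
            current["wings"][direction] = {"src": _endpoint(src), "dst": _endpoint(dst),
                                           "proto": proto, "interface": ifname}
        elif m := TRAILER_RE.match(line):
            declared = int(m[1])
    if declared is None or declared != len(sessions):
        raise ValueError(f"parsed {len(sessions)} sessions, trailer says {declared}")
    return sessions


def sessions_on(sessions, interfaces):
    """IDs of sessions that have a wing on any of the given logical interfaces."""
    return [s["id"] for s in sessions
            if any(w["interface"] in interfaces for w in s["wings"].values())]


def verify(lan_output, internet_output, bypass_ifaces, internet_ifaces):
    """Apply both checks from this section: LAN traffic creates no sessions, Internet
    traffic creates sessions, and every wing of those sessions sits on an Internet-VR
    interface rather than on an interface carrying the bypass filter."""
    lan = parse_flow_sessions(lan_output)
    internet = parse_flow_sessions(internet_output)
    all_on_internet_vr = all(w["interface"] in internet_ifaces
                             for s in internet for w in s["wings"].values())
    return {
        "lan_sessions": len(lan),
        "internet_sessions": len(internet),
        "on_bypass_interfaces": sessions_on(internet, bypass_ifaces),
        "ok": (not lan and bool(internet)
               and not sessions_on(internet, bypass_ifaces) and all_on_internet_vr),
    }
```

Call verify(LAN_OUTPUT, INTERNET_OUTPUT, {"ge-0/0/2.0", "lt-0/0/0.0"}, {"lt-0/0/0.1", "ge-0/0/3.0"}) with the two captures taken while ping is running; a non-empty "on_bypass_interfaces" list is the signal that the filter is not taking effect on the listed interfaces.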

Related Topics

For more information about the show security flow session command, see the Junos OS CLI Reference.

For information about the ping command, see the Junos OS Administration Guide for Security Devices or the Junos System Basics Configuration Guide.