[ScreenOS] Lab setup, debugs, and analysis of IP classification

Article ID: KB25618 KB Last Updated: 08 Mar 2013Version: 1.0
Summary:
This article provides information about the lab setup, debugs, and analysis of IP classification in a multi-VSYS setup.
Symptoms:
Information about the lab setup, debugs, and analysis of IP classification in a multi-VSYS setup.
Cause:

Solution:

Destination IP classification:

Lab setup:

  • VSYS:

    • Root VSYS

    • Vsys1

    • Vsys2

    • Vsys3

  • The Ethernet1/1 untrust interface is shared and defined in the root.

  • The Internal custom zone is shared and also defined in the root.

  • Ethernet1/4 is bound to the Internal zone and shared by all VSYSs.

  • The IP address of Ethernet1/4 is 10.1.0.1/16.

  • Ethernet1/4 has the 10.1.1.0/24 network connected behind Vsys1.

  • Ethernet1/4 has the 10.1.2.0/24 network connected behind Vsys2.

  • Ethernet1/4 has the 10.1.3.0/24 network connected behind Vsys3.

  • Traffic coming from the untrust network has to be handled by Vsys1 or Vsys2, depending on the subnet to which the destination IP address belongs.

Classification:

The E0/1 interface has the IP address 10.1.0.1/16. Three networks are carved out of this /16, each sitting behind a different VSYS. When a packet destined for one of these networks arrives, the firewall has to determine which VSYS it belongs to; this is where classification comes in. In short, the destination IP address has to be classified to a particular VSYS so that the packet enters that VSYS and is matched against the policy configured there.

If IP classification is not configured, the packet is dropped at the classification step: without a VSYS to classify it to, no policy lookup can take place.

Required configuration:
set route 10.1.1.0/24 vrouter Vsys1-vr
set route 10.1.2.0/24 vrouter Vsys2-vr
set zone Internal ip-classification net 10.1.1.0/24 vsys1
set zone Internal ip-classification net 10.1.2.0/24 vsys2
set zone Internal ip-classification net 10.1.3.0/24 vsys2
set zone Internal ip-classification

Debugs with IP classification being disabled:

Consider that the incoming packet is destined for 10.1.1.1, which is behind Vsys1:
**st: <Untrust|ethernet1/1|Root|0> 499c118: 20b7:1.1.1.1/400->10.1.1.1/6978,1,128
****** 38215.0: <Untrust/ethernet1/1> packet received [128]******
ipid = 8375(20b7), @0499c118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/1:1.1.1.1/27000->10.1.1.1/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <N/A>
chose interface ethernet1/1 as incoming nat if.
flow_first_routing: in <ethernet1/1>, out <N/A>
search route to (ethernet1/1, 1.1.1.1->10.1.1.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 9.route 10.1.1.1->10.1.1.1, to ethernet1/4
routed (x_dst_ip 10.1.1.1) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/4
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:-2
packet dropped, IP classification failed

Debugs with destination IP classification being enabled:

Consider that the incoming packet is destined for 10.1.1.1, which is behind Vsys1:
**st: <Untrust|ethernet1/1|Root|0> 499c118: 2049:1.1.1.1/400->10.1.1.1/59d8,1,128
****** 37848.0: <Untrust/ethernet1/1> packet received [128]******
ipid = 8265(2049), @0499c118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/1:1.1.1.1/23000->10.1.1.1/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <N/A>
chose interface ethernet1/1 as incoming nat if.
flow_first_routing: in <ethernet1/1>, out <N/A>
search route to (ethernet1/1, 1.1.1.1->10.1.1.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 9.route 10.1.1.1->10.1.1.1, to ethernet1/4
routed (x_dst_ip 10.1.1.1) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/4
IP classification from dst IP : vsys vsys1,rc:1
Cross vsys set nat crt vsys:vsys1, pak vsys:Root, vsys:vsys1, result:0
policy search from zone 1-> zone 1000
policy_flow_search policy search nat_crt from zone 1-> zone 1000
RPC Mapping Table search returned 0 matched service(s) for (vsys vsys1, ip 10.1.1.1, port 65113, proto1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 3/2/0x9
Permitted by policy 3
choose interface ethernet1/4 as outgoing phy if
no loop on ifp ethernet1/4.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/1>, out <ethernet1/4>
existing vector list 0-4ebfca4.
Session (id:300049) created for first pak 0
flow_first_install_session======>
route to 10.1.1.1
arp entry found for 10.1.1.1
ifp2 ethernet1/4, out_ifp ethernet1/4, flag 10800000, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet1/4, 10.1.1.1->1.1.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/1
[ Dest] 7.route 1.1.1.1->1.1.1.1, to ethernet1/1
route to 1.1.1.1
arp entry found for 1.1.1.1
ifp2 ethernet1/1, out_ifp ethernet1/1, flag 00800001, tunnel ffffffff, rc 1
flow got session.
flow session id 300049
flow_main_body_vector in ifp ethernet1/1 out ifp ethernet1/4
flow vector index 0x0, vector addr 0x2d00750, orig vector 0x2d00750
post addr xlation: 10.1.0.1->10.1.1.1.
packet send out to 001bc06e9c07 (cached) through ethernet1/4

Flow:

  • The packet hits the ethernet1/1 interface, which is in the shared untrust zone.

  • Route lookup occurs in trust-vr (the root VSYS's default shared virtual router), to which the untrust zone is bound. Ideally, the route points to Vsys1-vr and the outgoing interface is found. Because the outgoing interface is shared by all VSYSs, the firewall still has to determine which VSYS should perform the policy lookup.

  • A destination IP classification lookup is done on the Internal zone. If no classification entry matches, the packet is dropped (set zone Internal ip-classification net 10.1.1.0/24 vsys1).

  • Policy lookup is performed in vsys1.

  • The session is created in vsys1.

  • ARP lookup for the 10.1.1.1 destination IP address occurs.

  • Reverse route lookup in trust-vr occurs.

  • The packet is forwarded to the destination out of ethernet1/4.
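To compare the two traces above line by line, here is an added Python helper (not from the article and not ScreenOS code) that reduces a flow debug capture to one record per packet and lists the packets the shared zone could not hand to a VSYS. DEBUG_LOG is a constructed excerpt of the two traces, and the regular expressions assume the line formats shown on this page.

```python
import re

# Constructed excerpt of the two debug traces above (classification disabled, then enabled).
DEBUG_LOG = """\
****** 38215.0: <Untrust/ethernet1/1> packet received [128]******
ethernet1/1:1.1.1.1/27000->10.1.1.1/1024,1(8/0)<Root>
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:-2
packet dropped, IP classification failed
****** 37848.0: <Untrust/ethernet1/1> packet received [128]******
ethernet1/1:1.1.1.1/23000->10.1.1.1/1024,1(8/0)<Root>
IP classification from dst IP : vsys vsys1,rc:1
Cross vsys set nat crt vsys:vsys1, pak vsys:Root, vsys:vsys1, result:0
Permitted by policy 3
Session (id:300049) created for first pak 0
"""

PKT_RE = re.compile(r"^\*+ [\d.]+: <[^>]+> packet received")
FLOW_RE = re.compile(r"^\S+:(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,")
CLASS_RE = re.compile(r"^IP classification from (?P<by>src|dst) IP : vsys (?P<vsys>\S+),rc:")
CROSS_RE = re.compile(r"^Cross vsys .*result:(?P<result>-?\d+)")
POLICY_RE = re.compile(r"^Permitted by policy (?P<pid>\d+)")
DROP_RE = re.compile(r"^packet dropped, (?P<reason>.+)$")

def parse_debug(text):
    """Reduce a ScreenOS flow debug capture to one summary dict per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        if PKT_RE.match(line):  # the 'packet received' banner starts a new packet
            cur = {"src": None, "dst": None, "vsys": None, "by": None,
                   "result": None, "policy": None, "drop": None}
            packets.append(cur)
        elif cur is None:
            continue
        elif m := FLOW_RE.match(line):
            cur["src"], cur["dst"] = m["src"], m["dst"]
        elif m := CLASS_RE.match(line):  # vsys chosen, and whether by src or dst IP
            cur["vsys"], cur["by"] = m["vsys"], m["by"]
        elif m := CROSS_RE.match(line):  # result:0 means the cross-vsys handoff worked
            cur["result"] = int(m["result"])
        elif m := POLICY_RE.match(line):
            cur["policy"] = int(m["pid"])
        elif m := DROP_RE.match(line):
            cur["drop"] = m["reason"]
    return packets

def classification_failures(packets):
    """Packets the shared zone could not hand to a vsys (non-zero result or a classification drop)."""
    return [p for p in packets if p["result"] not in (None, 0)
            or (p["drop"] or "").startswith("IP classification")]
```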

Source IP classification:

Lab setup:

  • VSYS:

    • Root vsys

    • Test vsys

  • The Ethernet1/4 untrust interface is shared and defined in the root.

  • The IP address of the Ethernet1/4 interface is 1.1.1.2/30.

  • The Internal custom zone is shared and also defined in the root.

  • Ethernet1/1 is bound to the Internal zone and is shared by all VSYSs.

  • The IP address of Ethernet1/1 is 10.1.0.1/16.

  • Traffic for the 10.1.1.0/24 subnet, which is behind ethernet1/1, has to be handled by root vsys.

  • Traffic for the 10.2.1.0/24 subnet, which is behind ethernet1/1, has to be handled by Test vsys.

  • The traffic flow is from 10.1.1.1 to 1.1.1.1.

Required configuration:
set zone Internal ip-classification net 10.1.1.0/24 root
set zone Internal ip-classification
A policy from Internal to Untrust is needed in the root vsys.

Debugs with source IP classification being enabled for the traffic that originates from the '10.1.1.0/24' subnet:
****** 154428.0: <Internal/ethernet1/1> packet received [128]******
ipid = 60674(ed02), @0479c118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/1:10.1.1.1/26900->1.1.1.1/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <N/A>
chose interface ethernet1/1 as incoming nat if.
IP classification from src IP : vsys Root,rc:1
flow_first_routing: in <ethernet1/1>, out <N/A>
search route to (ethernet1/1, 10.1.1.1->1.1.1.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 14.route 1.1.1.1->1.1.1.1, to ethernet1/4
routed (x_dst_ip 1.1.1.1) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/4
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:0
policy search from zone 1000-> zone 1
policy_flow_search policy search nat_crt from zone 1000-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.1, port 61213, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
No src xlate choose interface ethernet1/4 as outgoing phy if
no loop on ifp ethernet1/4.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/1>, out <ethernet1/4>
existing vector list 1-21be10d4.
Session (id:300052) created for first pak 1
flow_first_install_session======>
route to 1.1.1.1
arp entry found for 1.1.1.1
ifp2 ethernet1/4, out_ifp ethernet1/4, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet1/4, 1.1.1.1->10.1.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/1
[ Dest] 20.route 10.1.1.1->10.1.1.1, to ethernet1/1
route to 10.1.1.1
arp entry found for 10.1.1.1
ifp2 ethernet1/1, out_ifp ethernet1/1, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 300052
flow_main_body_vector in ifp ethernet1/1 out ifp ethernet1/4
flow vector index 0x1, vector addr 0x2c00750, orig vector 0x2c00750
post addr xlation: 10.1.1.1->1.1.1.1.

Flow:

  • The packet hits the ethernet1/1 interface, which is in the shared Internal zone.

  • Source IP classification maps the packet's source address (10.1.1.1, in the 10.1.1.0/24 entry) to the configured VSYS, here the root vsys.

  • Route look up for 1.1.1.1 occurs on trust-vr, to which the Internal zone is bound.

  • Policy lookup is performed in root vsys.

  • The session is created in root vsys.

  • ARP lookup occurs for the 1.1.1.1 destination IP address.

  • Reverse route lookup occurs in trust-vr.

  • The packet is forwarded to the destination out of ethernet1/4.
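The classification decision itself, for both the destination setup above and the source setup in this section, as an added Python model that is not ScreenOS code: it parses the article's set zone ... ip-classification lines and returns the VSYS a packet is handed to, or None where the debug shows "packet dropped, IP classification failed". It assumes the most specific matching entry wins, which the article does not state.

```python
import ipaddress
import re

# Constructed input: the 'Required configuration' lines of both sections of this article.
DST_CONFIG = """\
set zone Internal ip-classification net 10.1.1.0/24 vsys1
set zone Internal ip-classification net 10.1.2.0/24 vsys2
set zone Internal ip-classification net 10.1.3.0/24 vsys2
set zone Internal ip-classification
"""
SRC_CONFIG = """\
set zone Internal ip-classification net 10.1.1.0/24 root
set zone Internal ip-classification
"""
# The same table with the enabling command left out: the 'disabled' debug case.
DISABLED_CONFIG = DST_CONFIG.replace("set zone Internal ip-classification\n", "")

NET_RE = re.compile(r"^set zone (\S+) ip-classification net (\S+) (\S+)$")
ENABLE_RE = re.compile(r"^set zone (\S+) ip-classification$")

def parse_classification(config):
    """Build {zone: {"enabled": bool, "nets": [(network, vsys), ...]}} from CLI lines."""
    zones = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NET_RE.match(line):
            zone, net, vsys = m.groups()
            entry = zones.setdefault(zone, {"enabled": False, "nets": []})
            entry["nets"].append((ipaddress.ip_network(net, strict=False), vsys))
        elif m := ENABLE_RE.match(line):
            zones.setdefault(m.group(1), {"enabled": False, "nets": []})["enabled"] = True
    return zones

def classify(zones, zone, ip):
    """Which vsys a packet entering the shared zone is handed to.

    Returns the vsys name, or None for the 'packet dropped, IP classification
    failed' case: classification not enabled on the zone, or no entry covers ip.
    Assumption (not stated in the article): the most specific entry wins."""
    entry = zones.get(zone)
    if entry is None or not entry["enabled"]:
        return None
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, vsys) for net, vsys in entry["nets"] if addr in net]
    return max(hits)[1] if hits else None
```

Use classify with the packet's destination address for the first setup and its source address for the second; the zone is the shared zone the packet enters on.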
