Connectivity

Overview

Microsegmentation provides an oam ping command in apoctl that helps you debug connectivity issues. It generates traffic between processing units and reports the resources that traffic hits along the way, so you can answer questions such as the following.
  • Is an outgoing packet hitting an excluded network?
  • Does an outgoing packet have a destination IP in the target network?
  • Is there network address translation (NAT) in between the source and destination?
  • Did source NAT or port address translation (PAT) happen?
  • Did destination NAT or PAT happen?
  • In layer 3 traffic, did a middle box change sequence numbers?

Control messages

Specifying the number of iterations

By default, oam ping completes a single iteration. To specify more iterations, you can pass an integer using the --iterations flag.

Selecting the mode

By default, oam ping detects the layer (L3, L4 or L7) at which the flow is handled. Use the --mode flag to force a specific layer.
  • --mode l3: the packets flow through layer 3 via Linux NFQUEUE.
  • --mode l4: the packets flow through layer 4 via Golang’s TCP server implementation.
  • --mode l7: the packets flow through layer 7 via Golang’s HTTP server implementation.

Examples

Prerequisites

  • Client processing unit ID
  • Destination IP
  • Destination port
  • apoctl installed
  • apoctl credentials have the namespace administrator role in the Microsegmentation namespace of both the client and server endpoints
If the server endpoint resides in a different Microsegmentation namespace, pass an app credential that has the namespace administrator role in that namespace using the --appcreds flag.

Apoctl command

Syntax
apoctl oam ping <client-processing-unit-id> <destination-ip>:<destination-port>
Example
apoctl oam ping 5f21363139483e3b048eda02 192.168.100.100:9000
Output
INFO Generating report(s)...
Report 1 of processing unit 5f21363139483e3b048eda02 talking to processing unit 5f2136cb39483e3b048eda04,
+-----------------+-----------------+-------------------------------------------+-------------------------------------------+
| Category        | Name            | Source                                    | Destination                               |
+-----------------+-----------------+-------------------------------------------+-------------------------------------------+
| Processing Unit | Controller      | https://localhost:4443                    | https://localhost:4443                    |
|                 | ID              | 5f21363139483e3b048eda02                  | 5f2136cb39483e3b048eda04                  |
|                 | Name            | centos                                    | nginx                                     |
|                 | Namespace       | /apomux                                   | /apomux                                   |
|                 | Claims          | $identity=processingunit                  | $identity=processingunit                  |
|                 |                 | $namespace=/apomux                        | $namespace=/apomux                        |
|                 |                 | app=frontend                              | AporetoContextID=5f2136cb39483e3b048eda04 |
|                 |                 | AporetoContextID=5f21363139483e3b048eda02 |                                           |
|                 | ClaimsType      | Transmitted                               | Transmitted                               |
| Enforcer        | ID              | 5f20f86039483e3b048ed9fe                  | 5f2136b339483e3b048eda03                  |
|                 | Name            | apomux-enforcerd-4                        | apomux-enforcerd-1                        |
|                 | Namespace       | /apomux                                   | /apomux                                   |
|                 | Version         | 0.0.0-dev                                 | 0.0.0-dev                                 |
| Policy          | ID              | 5eaa175a39483e075f411be3                  | 5e504e7a39483e4d3a6404ff                  |
|                 | Name            | pu-service                                | pu-pu                                     |
|                 | Namespace       | /apomux                                   | /apomux                                   |
|                 | Action          | accept                                    | accept                                    |
| Packet          | SourceIP        | 172.17.0.2                                | 192.168.100.103                           |
|                 | SourcePort      | 34909                                     | 34909                                     |
|                 | DestinationIP   | 192.168.100.100                           | 172.17.0.2                                |
|                 | DestinationPort | 9000                                      | 80                                        |
|                 | PayloadSize     | 945                                       | 808                                       |
|                 | PayloadSizeType | Received                                  | Received                                  |
| Other           | Error           |                                           |                                           |
|                 | Timestamp       | 2020-07-29 08:46:04.74 +0000 UTC          | 2020-07-29 08:45:54.741 +0000 UTC         |
+-----------------+-----------------+-------------------------------------------+-------------------------------------------+
Verdict: Communication flows through L3 service. The protocol medium used is TCP. It took 1.431995ms for the ping handshake to complete. An application is listening on port 80. ACL policy is applied. The ID of the policy is 5e45d2ab39483e1bb9b811e1 and action accept. NAT: SNAT,DNAT,DPAT.
--------------------------------------------------------------------------
Output with layer 4 service
INFO Generating report(s)...
Report 1 of processing unit 5f21363139483e3b048eda02 talking to processing unit 5f2136cb39483e3b048eda04,
+-----------------+-----------------+--------------------------------------------------------------+------------------------------------------------------------+
| Category        | Name            | Source                                                       | Destination                                                |
+-----------------+-----------------+--------------------------------------------------------------+------------------------------------------------------------+
| Processing Unit | Controller      | https://localhost:4443                                       | https://localhost:4443                                     |
|                 | ID              | 5f21363139483e3b048eda02                                     | 5f2136cb39483e3b048eda04                                   |
|                 | Name            | centos                                                       | nginx                                                      |
|                 | Namespace       | /apomux                                                      | /apomux                                                    |
|                 | Claims          | $controller=https://localhost:4443                           | $controller=https://localhost:4443                         |
|                 |                 | $datapathtype=Aporeto                                        | $datapathtype=Aporeto                                      |
|                 |                 | $enforcementstatus=Active                                    | $enforcementstatus=Active                                  |
|                 |                 | $enforcerid=5f2136b339483e3b048eda03                         | $enforcerid=5f20f86039483e3b048ed9fe                       |
|                 |                 | $enforcernamespace=/apomux                                   | $enforcernamespace=/apomux                                 |
|                 |                 | $id=5f2136cb39483e3b048eda04                                 | $id=5f21363139483e3b048eda02                               |
|                 |                 | $identity=processingunit                                     | $identity=processingunit                                   |
|                 |                 | $image=nginx                                                 | $image=gcr.io/aporetodev/centos                            |
|                 |                 | $image=nginx                                                 | $image=gcr.io/aporetodev/centos                            |
|                 |                 | $name=nginx                                                  | $name=centos                                               |
|                 |                 | $namespace=/apomux                                           | $namespace=/apomux                                         |
|                 |                 | $operationalstatus=Running                                   | $operationalstatus=Running                                 |
|                 |                 | $type=Docker                                                 | $type=Docker                                               |
|                 |                 | $vulnerabilitylevel=none                                     | $vulnerabilitylevel=none                                   |
|                 |                 | @app:docker:exposedport=tcp:80                               | @app:docker:name=centos                                    |
|                 |                 | @app:docker:hostport=tcp:9000                                | @app:docker:networkmode=bridge                             |
|                 |                 | @app:docker:name=nginx                                       | @app:docker:pid=0                                          |
|                 |                 | @app:docker:networkmode=bridge                               | @app:extractor=docker                                      |
|                 |                 | @app:docker:pid=0                                            | @os:host=linux                                             |
|                 |                 | @app:extractor=docker                                        | app=frontend                                               |
|                 |                 | @os:host=linux                                               | org.label-schema.build-date=20190801                       |
|                 |                 | maintainer=NGINX Docker Maintainers <docker-maint@nginx.com> | org.label-schema.license=GPLv2                             |
|                 |                 | role=service                                                 | org.label-schema.name=CentOS Base Image                    |
|                 |                 |                                                              | org.label-schema.schema-version=1.0                        |
|                 |                 |                                                              | org.label-schema.vendor=CentOS                             |
|                 | ClaimsType      | Received                                                     | Received                                                   |
|                 | CertIssuer      | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto              | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto            |
|                 | CertSubject     | CN=5f21363139483e3b048eda02,OU=aporeto-enforcerd,O=/apomux   | CN=5f2136cb39483e3b048eda04,OU=aporeto-enforcerd,O=/apomux |
|                 | CertExpiry      | 2020-07-29 09:22:32 +0000 UTC                                | 2020-08-05 08:52:23 +0000 UTC                              |
| Enforcer        | ID              | 5f20f86039483e3b048ed9fe                                     | 5f2136b339483e3b048eda03                                   |
|                 | Name            | apomux-enforcerd-4                                           | apomux-enforcerd-1                                         |
|                 | Namespace       | /apomux                                                      | /apomux                                                    |
|                 | Version         | 0.0.0-dev                                                    | 0.0.0-dev                                                  |
| Policy          | ID              | 5eaa175a39483e075f411be3                                     | 5e504e7a39483e4d3a6404ff                                   |
|                 | Name            | pu-service                                                   | pu-pu                                                      |
|                 | Namespace       | /apomux                                                      | /apomux                                                    |
|                 | Action          | accept                                                       | accept                                                     |
| Packet          | SourceIP        | 172.17.0.2                                                   | 192.168.100.103                                            |
|                 | SourcePort      | 48624                                                        | 48624                                                      |
|                 | DestinationIP   | 192.168.100.100                                              | 172.17.0.2                                                 |
|                 | DestinationPort | 9000                                                         | 80                                                         |
|                 | PayloadSize     | 208                                                          | 208                                                        |
|                 | PayloadSizeType | Transmitted                                                  | Received                                                   |
| Other           | Error           |                                                              |                                                            |
|                 | Timestamp       | 2020-07-29 08:52:32.209 +0000 UTC                            | 2020-07-29 08:52:32.21 +0000 UTC                           |
+-----------------+-----------------+--------------------------------------------------------------+------------------------------------------------------------+
Verdict: Communication flows through L4 service. The protocol medium used is TCP. It took 3.098666ms for the ping handshake to complete. An application is listening on port 80. ACL policy is applied. The ID of the policy is 5e45d2ab39483e1bb9b811e1 and action accept. NAT: SNAT,DNAT,DPAT.
--------------------------------------------------------------------------
Output with layer 7 service
INFO Generating report(s)...
Report 1 of processing unit 5f21363139483e3b048eda02 talking to processing unit 5f2136cb39483e3b048eda04,
+-----------------+-----------------+------------------------------------------------------------+------------------------------------------------------------+
| Category        | Name            | Source                                                     | Destination                                                |
+-----------------+-----------------+------------------------------------------------------------+------------------------------------------------------------+
| Processing Unit | Controller      | https://localhost:4443                                     | https://localhost:4443                                     |
|                 | ID              | 5f21363139483e3b048eda02                                   | 5f2136cb39483e3b048eda04                                   |
|                 | Name            | centos                                                     | nginx                                                      |
|                 | Namespace       | /apomux                                                    | /apomux                                                    |
|                 | Claims          | $identity=processingunit                                   | $identity=processingunit                                   |
|                 |                 | $namespace=/apomux                                         | $namespace=/apomux                                         |
|                 |                 | app=frontend                                               | app=frontend                                               |
|                 |                 | AporetoContextID=5f21363139483e3b048eda02                  | AporetoContextID=5f21363139483e3b048eda02                  |
|                 |                 |                                                            | kDMRXWckV9k6mGuJ                                           |
|                 |                 |                                                            | a=b                                                        |
|                 | ClaimsType      | Transmitted                                                | Received                                                   |
|                 | CertIssuer      | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto            | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto            |
|                 | CertSubject     | CN=5f21363139483e3b048eda02,OU=aporeto-enforcerd,O=/apomux | CN=5f2136cb39483e3b048eda04,OU=aporeto-enforcerd,O=/apomux |
|                 | CertExpiry      | 2020-08-05 08:43:17 +0000 UTC                              | 2020-08-05 08:55:33 +0000 UTC                              |
| Enforcer        | ID              | 5f20f86039483e3b048ed9fe                                   | 5f2136b339483e3b048eda03                                   |
|                 | Name            | apomux-enforcerd-4                                         | apomux-enforcerd-1                                         |
|                 | Namespace       | /apomux                                                    | /apomux                                                    |
|                 | Version         | 0.0.0-dev                                                  | 0.0.0-dev                                                  |
| Policy          | ID              |                                                            | 5e504e7a39483e4d3a6404ff                                   |
|                 | Name            |                                                            | pu-pu                                                      |
|                 | Namespace       |                                                            | /apomux                                                    |
|                 | Action          | passthrough                                                | accept                                                     |
|                 | ServiceID       | 5ec1d21b39483e4dbe85ec92                                   | 5ec1d21b39483e4dbe85ec92                                   |
| Packet          | SourceIP        | 172.17.0.2                                                 | 192.168.100.103                                            |
|                 | SourcePort      | 48626                                                      | 48626                                                      |
|                 | DestinationIP   | 192.168.100.100                                            | 172.17.0.2                                                 |
|                 | DestinationPort | 9000                                                       | 80                                                         |
|                 | PayloadSize     | 970                                                        | 970                                                        |
|                 | PayloadSizeType | Transmitted                                                | Received                                                   |
| Other           | Error           |                                                            |                                                            |
|                 | Timestamp       | 2020-07-29 08:55:41.709 +0000 UTC                          | 2020-07-29 08:55:41.709 +0000 UTC                          |
+-----------------+-----------------+------------------------------------------------------------+------------------------------------------------------------+
Verdict: Communication flows through L7 service. The protocol medium used is TCP. It took 11.578028ms for the ping handshake to complete. An application is listening on port 80. ACL policy is applied. The ID of the policy is 5e45d2ab39483e1bb9b811e1 and action accept. NAT: SNAT,DNAT,DPAT.
--------------------------------------------------------------------------
The examples above are for reference only; actual output may differ.
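The NAT part of each verdict can be reproduced from the Packet rows of the report. Reading the reports above, the Source column shows the packet as the client processing unit sent it and the Destination column shows it as the server processing unit received it, so any field that differs between the two columns was rewritten on the path: source address for SNAT, source port for SPAT, destination address for DNAT, destination port for DPAT. The following Python script is an added example, not part of apoctl or of this documentation. It parses the Packet rows of a saved report (the sample below is constructed from the layer 3 output above, with the verdict abridged), derives the NAT classification the overview questions ask about, and checks it against the NAT list printed in the verdict line. The table layout, the row names and the "NAT: ..." verdict format are assumed from the sample output shown on this page.

```python
"""Derive the NAT/PAT classification of an `apoctl oam ping` report.

Added example; not part of apoctl. Reads the Packet rows of the report table
(Source column = packet as the client sent it, Destination column = packet as
the server received it, as assumed from the reports on this page) and compares
the two views field by field.
"""
import re

# Constructed sample: the Packet rows and an abridged verdict of the layer 3
# report shown on this page.
SAMPLE_REPORT = """\
| Packet          | SourceIP        | 172.17.0.2      | 192.168.100.103 |
|                 | SourcePort      | 34909           | 34909           |
|                 | DestinationIP   | 192.168.100.100 | 172.17.0.2      |
|                 | DestinationPort | 9000            | 80              |
| Other           | Error           |                 |                 |
Verdict: Communication flows through L3 service. NAT: SNAT,DNAT,DPAT.
"""

# Packet-row names as printed in the report table (assumed from the sample).
PACKET_FIELDS = ("SourceIP", "SourcePort", "DestinationIP", "DestinationPort")

# NAT label -> Packet row that must be identical on both ends for it to be absent.
NAT_CHECKS = (
    ("SNAT", "SourceIP"),         # source address rewritten
    ("SPAT", "SourcePort"),       # source port rewritten
    ("DNAT", "DestinationIP"),    # destination address rewritten
    ("DPAT", "DestinationPort"),  # destination port rewritten
)


def parse_packet_rows(report: str) -> dict:
    """Return {row name: (as sent by client, as received by server)}."""
    rows = {}
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, INFO and Verdict lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue  # not a Category/Name/Source/Destination row
        _category, name, src, dst = cells
        if name in PACKET_FIELDS:
            rows[name] = (src, dst)
    missing = [f for f in PACKET_FIELDS if f not in rows]
    if missing:
        raise ValueError(f"report has no Packet rows for: {missing}")
    return rows


def classify_nat(rows: dict) -> list:
    """List the NAT/PAT types whose field differs between the two ends."""
    return [label for label, field in NAT_CHECKS if rows[field][0] != rows[field][1]]


def verdict_nat(report: str) -> list:
    """Read the NAT list printed in the verdict line, e.g. 'NAT: SNAT,DNAT,DPAT.'"""
    match = re.search(r"\bNAT:\s*([A-Z]+(?:,[A-Z]+)*)", report)
    return match.group(1).split(",") if match else []


def check_report(report: str) -> dict:
    """Derive NAT from the Packet rows and compare it with the verdict's own list."""
    derived = classify_nat(parse_packet_rows(report))
    stated = verdict_nat(report)
    return {
        "derived": derived,
        "stated": stated,
        "consistent": set(derived) == set(stated),
    }


if __name__ == "__main__":
    print(check_report(SAMPLE_REPORT))
```

Save a real report with a redirect (for example `apoctl oam ping <client-processing-unit-id> <destination-ip>:<destination-port> > report.txt`) and pass the file contents to check_report. A derived list that disagrees with the verdict, or an SPAT entry (the sample reports on this page show none), points at a middle box between the enforcers that is worth looking at. The sequence-number question from the overview cannot be answered from the Packet rows alone, so this script does not attempt it.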

Advanced options

To learn more about oam ping, issue the following command.
apoctl oam ping -h
