Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Follow the Packets in Hub and Spoke VCN Routing Architecture inside Oracle Cloud Infrastructure
Introduction
Instances, databases, and network services are the typical building blocks of an application inside Oracle Cloud Infrastructure (OCI). When you build an application on the network, it is good practice to verify that the traffic you send from a source actually reaches the destination. OCI offers the Network Path Analyzer to verify the path, but sometimes you want more information about what is happening at the endpoints themselves, on a hop-by-hop basis.
This tutorial will provide a few scenarios that you can use to follow your packets in a hub and spoke network architecture inside OCI.
Routing Flow Scenarios
Multiple routing flow scenarios are applicable in a hub and spoke VCN routing architecture.
- Scenario 1: Follow the Packet from One Spoke VCN Instance to another Spoke VCN Instance
- Scenario 2: Follow the Packet from Spoke VCN Instance to Hub Instance
- Scenario 3: Follow the Packet from Hub Instance to Spoke VCN Instance
- Scenario 4: Follow the Packet from Spoke VCN Instance to Internet
- Scenario 5: Follow the Packet from Spoke VCN Instance to OCI Service Network
- Scenario 6: Follow the Packet from Hub Instance to Internet
- Scenario 7: Follow the Packet from Internet to Hub Instance
- Scenario 8: Follow the Packet from On-Premises to Spoke VCN Instance
- Scenario 9: Follow the Packet from Spoke VCN Instance to On-Premises
- Scenario 10: Follow the Packet from Remote Computer to Load Balancer to Spoke VCN Instance
We are only going to explain how you can follow the packet with Scenario 1. For the other scenarios, you can use the same method.
Objectives
- This tutorial demonstrates a method for tracing network packets within an OCI tenancy that uses a hub and spoke network routing architecture. We combine packet captures, tcpdump output, and subnet-level logging within VCNs to gather the necessary data and, by analyzing that data, identify the packet's complete path. This approach facilitates troubleshooting end-to-end connectivity and makes it easy to find at which hop a possible issue occurs.
Scenario 1: Follow the Packet from One Spoke VCN Instance to another Spoke VCN Instance
In this scenario, we are going to follow the packet from one spoke VCN instance to an instance in another spoke VCN.
The following diagram shows the hops. Points A to F indicate the places where you can enable some form of logging or packet capturing. We will explore all these places one by one so we can follow the packet.
We need to determine our source, destination and the port that we are going to test with. This will ensure we have a targeted way of analyzing the packet without distraction.
In this example, we will use the following source, destination and port.
Source | Destination | Destination Port |
---|---|---|
172.16.1.93 | 172.16.2.88 | TCP/80 |
To start this journey properly, the order of operations matters: set up the logging and capturing first, then generate the traffic, then collect the information. This keeps the analysis as effective as possible.
Task 1: Note Down the Time
- In this tutorial, we are using a central computer to collect all the data.
- Note down the time when you start the analysis. For this example, it is 8:44 AM.
Task 2: Open the First SSH Session on Instance A
- We will use this session to initiate the HTTP connection to the destination.
- Connect with SSH to the terminal of Instance A located in VCN A.
- Try to use a tabbed connection. This enables quick switching between the sessions.
- Run the `timedatectl` command to get the current time of the instance.
- Make sure the time is set correctly. For this example, it is 8:44 AM.
Task 3: Open a Second SSH Session on Instance A
- Open a second connection to Instance A located in VCN A.
- We will use this session to run the `tcpdump` commands so we can start following the packet using `tcpdump`.
Task 4: Open an SSH Session on Instance B
- We will use this session to receive the HTTP connection from the source.
- Connect with SSH to the terminal of Instance B located in VCN B.
- Try to use a tabbed connection. This enables quick switching between the sessions.
- Run the `timedatectl` command to get the current time of the instance.
- Make sure the time is set correctly. For this example, it is 8:45 AM.
Task 5: Open a Web Session on the pfSense Firewall
- Because we are using a hub and spoke VCN routing architecture, traffic flowing from one spoke to another spoke transits the pfSense firewall. The pfSense firewall will either permit or deny the traffic. We want to see this in the pfSense firewall using the packet captures.
- Open the pfSense firewall management console.
- Click Diagnostics and Packet Capture.
- You will be redirected to the Packet Capture page. Do not start the packet capture yet; we just want to have it open.
Task 6: Enable Logging (All Logs) on the Spoke A Private Subnet
- Because our source is attached to the private subnet in the spoke A VCN, we will enable logging at the subnet level in the VCN.
- Click the hamburger menu (≡) in the upper left corner.
- Click Networking.
- Click Virtual cloud networks.
- Click the spoke A VCN.
- Click the private subnet inside VCN A.
- Click Logs.
- Select Enable Log for all logs and set it to enabled.
- Keep all log settings at their defaults and click Enable log.
- Note that the status is Creating.
- After a few minutes the status will change to Active.
- Note that Enable log for all is Enabled.
Task 7: Enable Logging (All Logs) on the Spoke B Private Subnet
- Follow the same steps as in Task 6 for the spoke VCN B private subnet.
- Navigate to Networking, Virtual Cloud Networking, Spoke B VCN, Subnet Details and Logs.
- After a few minutes the status will change to Active.
- Note that Enable log for all is Enabled.
Task 8: Enable Logging (All Logs) on the Hub Private Subnet
- Follow the same steps as in Task 6 for the hub private subnet.
- Navigate to Networking, Virtual Cloud Networking, Hub VCN, Subnet Details and Logs.
- After a few minutes the status will change to Active.
- Note that Enable log for all is Enabled.
Task 9: Start the tcpdump Session on the Second SSH Session of Instance A
- Go to the second SSH session of Instance A.
- Run the following command to start tcpdump:

```
sudo tcpdump -i ens3 dst 172.16.2.88 and src 172.16.1.93 and dst port 80
```

  Note: In the `tcpdump` command, make sure you use proper filters so that you only see the traffic you are looking for. For this example, we specify the source, destination, and port.
- Note that tcpdump is now capturing.
Task 10: Start the tcpdump Session on the SSH Session on Instance B
- Go to the SSH session of Instance B.
- Run the following command to start tcpdump. The source here is the hub firewall IP (172.16.0.20), because the traffic arrives at Instance B from the firewall, not directly from Instance A:

```
sudo tcpdump -i ens3 src 172.16.0.20 and port 80
```

- Note that tcpdump is now capturing.
Task 11: Start the Packet Capture on the pfSense Firewall
- Go to the pfSense firewall console.
- Scroll down to the Custom Filter Options section.
- In the Untagged Filter section, enter the following information and click Start.
  - Select include any of.
  - HOST IP ADDRESS OR SUBNET: For destination, select all of and enter 172.16.2.88.
  - PROTOCOL AND PORT NUMBER: For port, select any of and enter 80.
- Scroll down.
- Note that packets are already being captured. This is all traffic on port 80 that is destined for our destination IP address (172.16.2.88). Traffic is already visible because we have a load balancer active that is doing health checks on port 80 as well.
- We will leave the capture running for a few minutes while we do our HTTP test from our source, so that we can use Wireshark later to filter out exactly the information we are looking for.
Task 12: Send HTTP Traffic to the Instance B Web Server from the first SSH Session of Instance A
- Initiate the traffic from source to destination.
- Go to the first SSH session of Instance A.
- Run the `timedatectl` command again to get the current time of the instance.
- Make a note of the time. For this example, it is 8:56 AM.
- Run the following command to send HTTP traffic:

```
curl http://172.16.2.88
```

- Note that the web server on Instance B replies with the HTML content.
- Repeat the same command three or four times to send HTTP traffic multiple times.
Task 13: Look at all the Logging Points and Packet Captures and Follow the Path
We can start collecting the information so we can follow the packet.
Stop All Logging, Packet Captures and tcpdumps:
Before we start collecting the information, stop all the logging, packet captures and tcpdumps to make sure we do not gather too much information.
- Stop tcpdump on Instance A and Instance B.
  - Go to the second SSH session of Instance A and press Ctrl+C to stop tcpdump.
  - Go to the SSH session of Instance B and press Ctrl+C to stop tcpdump.
- Go to the pfSense firewall management console and stop the packet capture.
- Disable logging on the hub VCN.
  - Go to Networking, Virtual Cloud Networking, Hub VCN, Subnet Details and click Logs.
  - Toggle Enable log for all to disable the logging.
  - The status is Updating.
  - After a few minutes the status will change to Inactive.
- Disable logging on spoke VCN A.
  - Go to Networking, Virtual Cloud Networking, Spoke VCN A, Subnet Details and click Logs.
  - After a few minutes the status will change to Inactive.
  - Ensure that Enable Log for all is Disabled.
- Disable logging on spoke VCN B.
  - Go to Networking, Virtual Cloud Networking, Spoke VCN B, Subnet Details and click Logs.
  - After a few minutes the status will change to Inactive.
  - Ensure that Enable Log for all is Disabled.
- Now that we have disabled all the logging, packet captures and tcpdumps, it is time to look at the data.
The following diagram shows all logging points A, B, C, D, E, and F.
Logging Point A: tcpdump on Instance A
- Go to the second SSH session of Instance A.
- Note the generated tcpdump output.
- Tcpdump output (the right-hand side of the later lines is cut off in the captured screen):

```
[opc@ih-instance-vcn-a ~]$ sudo tcpdump -i ens3 dst 172.16.2.88 and src 172.16.1.93 and dst port 80
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
08:56:50.489159 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [S], seq 1817516973, win 62720, options [mss 8960,sackOK,TS val 3736091466 ecr 0,nop,wscale 7], length 0
08:56:50.491649 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [.], ack 372277210, win 490, options [nop,nop,TS val 3736091468 ecr 671349263], length 0
08:56:50.491702 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736091468 ecr 671349263], length 75: HTTP: GET / HTTP/1.1
08:56:50.492114 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736091469 ecr 671349265], length 0
08:56:50.492210 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736091469 ecr 671349265], length 0
08:56:50.492982 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736091469 ecr 671349265], length 0
08:56:50.493488 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736091470 ecr 671349267], length 0
08:57:09.284210 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [S], seq 3049648180, win 62720, options [mss 8960,sackOK,TS val 3736110261 ecr 0,nop,wscale 7], length 0
08:57:09.284913 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [.], ack 728296369, win 490, options [nop,nop,TS val 3736110261 ecr 671368058], length 0
08:57:09.284973 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736110261 ecr 671368058], length 75: HTTP: GET / HTTP/1.1
08:57:09.285422 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736110262 ecr 671368059], length 0
08:57:09.285522 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736110262 ecr 671368059], length 0
08:57:09.285590 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736110262 ecr 671368059], length 0
08:57:09.286060 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736110263 ecr 671368059], length 0
08:57:10.963760 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [S], seq 1863177286, win 62720, options [mss 8960,sackOK,TS val 3736111940 ecr 0,nop,wscale 7], length 0
08:57:10.964504 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [.], ack 464215720, win 490, options [nop,nop,TS val 3736111941 ecr 671369737], length 0
08:57:10.964551 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736111941 ecr 671369737], length 75: HTTP: GET / HTTP/1.1
08:57:10.965048 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736111942 ecr 671369738], length 0
08:57:10.965135 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736111942 ecr 671369738], length 0
08:57:10.965351 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736111942 ecr 671369738], length 0
08:57:10.965865 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736111942 ecr 671369739], length 0
08:58:23.663598 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.53200 > 172.16.2.88.http: Flags [S], seq 407465876, win 62720, options [mss 8960,sackOK,TS val 3736184640 ecr 0,nop,wscale 7], length 0
08:58:23.664381 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.53200 > 172.16.2.88.http: Flags [.], ack 3047424129, win 490, options [nop,nop,TS val 3736184641 ecr 671442437], length 0
08:58:23.664430 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.53200 > 172.16.2.88.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736184641 ecr 671442437], length 75: HTTP: GET / HTTP/1.1
08:58:23.665005 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.53200 > 172.16.2.88.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736184641 ecr 671442438], length 0
08:58:23.665129 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.53200 > 172.16.2.88.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736184642 ecr 671442438], length 0
08:58:23.665297 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.53200 > 172.16.2.88.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736184642 ecr 6714
08:58:23.666655 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 874, win 485, options [nop,nop,TS val 3736184643 ecr 671442440], l
08:58:24.529502 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [S], seq 3610633804, win 62720, options [mss 8960,sackOK,TS val 3736185506 0
08:58:24.530337 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 575035162, win 490, options [nop,nop,TS val 3736185507 ecr 6714433
08:58:24.530386 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736185507 ecr 6714 / HTTP/1.1
08:58:24.530886 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 239, win 489, options [nop,nop,TS val 3736185507 ecr 671443304], l
08:58:24.530966 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 873, win 485, options [nop,nop,TS val 3736185507 ecr 671443304], l
08:58:24.531347 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736185508 ecr 6714
08:58:24.531891 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 874, win 485, options [nop,nop,TS val 3736185508 ecr 671443305], l
08:58:25.562327 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [S], seq 3415948315, win 62720, options [mss 8960,sackOK,TS val 3736186539 0
08:58:25.563186 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 2043572435, win 490, options [nop,nop,TS val 3736186540 ecr 671444
08:58:25.563244 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736186540 ecr 6714 / HTTP/1.1
08:58:25.563718 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 239, win 489, options [nop,nop,TS val 3736186540 ecr 671444337], l
08:58:25.563845 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 873, win 485, options [nop,nop,TS val 3736186540 ecr 671444337], l
08:58:25.564627 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736186541 ecr 6714
08:58:25.565113 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.5 gs [.], ack 874, win 485, options [nop,nop,TS val 3736186542 ecr 671444338], l
```

- Analyze the output. This output indicates that HTTP traffic was sent out of Instance A. Note the following:
  - The first output section, from the first curl request that was made.
  - The second output section, from the second curl request that was made.
  - The source DNS name/IP.
  - The destination DNS name/IP.
  - The port.
  - The TCP flags.
Logging Point B: Logging on the Spoke VCN A Private Subnet
Now, look at the subnet level logging to see if the packets are visible on the subnet of the VCN.
- Navigate to Networking, Virtual cloud networks, Spoke VCN A, (Private) Subnet Details, Logs and click the log name for the `all` category.
- Click the Actions drop-down menu.
- Click Explore with Log Search.
- In Custom filters, enter the following filters:

```
data.destinationAddress='172.16.2.88'
data.sourceAddress='172.16.1.93'
```

- The filter for the destination is added.
- The filter for the source is added.
- Filter by time: Select Past hour.
- Note that the bar chart indicates that there is log data available for the source and destination we use in the filter.
- Scroll down.
- Notice the source IP.
- Notice the destination IP.
- Notice the port.
- Scroll up.
- Click Logs.
Logging Point C: Logging on the Hub VCN Private Subnet
- Click the log name for the Hub VCN.
- In the hub subnet the traffic is not yet going from the firewall to the Instance B VCN, so we need to change the source and destination filters.
- In Custom filters, enter the following filters:

```
data.destinationAddress='172.16.0.20'
data.sourceAddress='172.16.1.93'
data.destinationPort='80'
```

- Note that the bar chart indicates that there is log data available for the source and destination we use in the filter.
- Scroll down.
- Note the detailed logging section.
- Note the source IP.
- Note the destination IP.
- Note the port.
Logging Point D: Packet Capture on the pfSense Firewall
- Go to the pfSense firewall management console.
- Click Download.
- Make sure the capture is downloaded.
- Open the packet capture in Wireshark.
- Enter the following Wireshark display filter (the original filter repeated the same source/destination clause twice; the parentheses make sure the `http` condition applies to the whole expression):

```
(ip.dst == 172.16.2.88 && ip.src == 172.16.1.93) && http
```

- Note the source IP.
- Note the destination IP.
- Note the port or protocol.
Logging Point E: Logging on the Spoke VCN B Private Subnet
- Navigate to Logging, Logs and click the log name for the spoke VCN B.
- Click the Actions drop-down menu.
- Click Explore with Log Search.
- In Custom filters, enter the following filters:

```
data.destinationAddress='172.16.2.88'
data.sourceAddress='172.16.0.20'
```

- Note that the bar chart indicates that there is log data available for the source and destination we use in the filter.
- Scroll down.
- Note the detailed logging section.
- Note the source IP.
- Note the destination IP.
- Note the port.
Logging Point F: Tcpdump on Instance B
- Go to the SSH session of Instance B.
- Note the generated tcpdump output.
- Tcpdump output:

```
[opc@ih-instance-vcn-b ~]$ sudo tcpdump -i ens3 src 172.16.0.20 and port 80
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
08:56:50.489551 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 1817516973, win 62720, options [mss 8960,sackOK,TS val 3736091466 ecr 0,nop,wscale 7], length 0
08:56:50.491813 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 372277210, win 490, options [nop,nop,TS val 3736091468 ecr 671349263], length 0
08:56:50.491849 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736091468 ecr 671349263], length 75: HTTP: GET / HTTP/1.1
08:56:50.492311 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736091469 ecr 671349265], length 0
08:56:50.492327 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736091469 ecr 671349265], length 0
08:56:50.493247 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736091469 ecr 671349265], length 0
08:56:50.493667 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736091470 ecr 671349267], length 0
08:57:09.284597 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 3049648180, win 62720, options [mss 8960,sackOK,TS val 3736110261 ecr 0,nop,wscale 7], length 0
08:57:09.285040 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 728296369, win 490, options [nop,nop,TS val 3736110261 ecr 671368058], length 0
08:57:09.285102 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736110261 ecr 671368058], length 75: HTTP: GET / HTTP/1.1
08:57:09.285534 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736110262 ecr 671368059], length 0
08:57:09.285641 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736110262 ecr 671368059], length 0
08:57:09.285855 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736110262 ecr 671368059], length 0
08:57:09.286211 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736110263 ecr 671368059], length 0
08:57:10.964151 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 1863177286, win 62720, options [mss 8960,sackOK,TS val 3736111940 ecr 0,nop,wscale 7], length 0
08:57:10.964645 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 464215720, win 490, options [nop,nop,TS val 3736111941 ecr 671369737], length 0
08:57:10.964694 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736111941 ecr 671369737], length 75: HTTP: GET / HTTP/1.1
08:57:10.965157 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736111942 ecr 671369738], length 0
08:57:10.965243 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736111942 ecr 671369738], length 0
08:57:10.965612 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736111942 ecr 671369738], length 0
08:57:10.966035 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736111942 ecr 671369739], length 0
08:58:23.664041 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 407465876, win 62720, options [mss 8960,sackOK,TS val 3736184640 ecr 0,nop,wscale 7], length 0
08:58:23.664613 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 3047424129, win 490, options [nop,nop,TS val 3736184641 ecr 671442437], length 0
08:58:23.664620 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736184641 ecr 671442437], length 75: HTTP: GET / HTTP/1.1
08:58:23.665349 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736184641 ecr 671442438], length 0
08:58:23.666335 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736184642 ecr 671442438], length 0
08:58:23.666344 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736184642 ecr 671442438], length 0
08:58:23.666816 IP 172.16.0.20.16336 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736184643 ecr 671442440], length 0
08:58:24.529970 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 3610633804, win 62720, options [mss 8960,sackOK,TS val 3736185506 ecr 0,nop,wscale 7], length 0
08:58:24.530465 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 575035162, win 490, options [nop,nop,TS val 3736185507 ecr 671443303], length 0
08:58:24.530545 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736185507 ecr 671443303], length 75: HTTP: GET / HTTP/1.1
08:58:24.531020 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736185507 ecr 671443304], length 0
08:58:24.531079 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736185507 ecr 671443304], length 0
08:58:24.531619 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736185508 ecr 671443304], length 0
08:58:24.532042 IP 172.16.0.20.27720 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736185508 ecr 671443305], length 0
08:58:25.562872 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 3415948315, win 62720, options [mss 8960,sackOK,TS val 3736186539 ecr 0,nop,wscale 7], length 0
08:58:25.563301 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 2043572435, win 490, options [nop,nop,TS val 3736186540 ecr 671444336], length 0
08:58:25.563424 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736186540 ecr 671444336], length 75: HTTP: GET / HTTP/1.1
08:58:25.563812 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 239, win 489, options [nop,nop,TS val 3736186540 ecr 671444337], length 0
08:58:25.563960 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 873, win 485, options [nop,nop,TS val 3736186540 ecr 671444337], length 0
08:58:25.564877 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [F.], seq 75, ack 873, win 485, options [nop,nop,TS val 3736186541 ecr 671444337], length 0
08:58:25.565259 IP 172.16.0.20.33101 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [.], ack 874, win 485, options [nop,nop,TS val 3736186542 ecr 671444338], length 0
```

- Analyze the output. This output indicates that the HTTP traffic was received from the hub firewall IP. Note the following:
  - The first output section, from the first curl request that was made.
  - The second output section, from the second curl request that was made.
  - The third output section, from the third curl request that was made.
  - The source DNS name/IP.
  - The destination DNS name/IP.
  - The port.
  - The TCP flags.
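Comparing Logging Points A and F by eye works for a handful of curl requests, but it relies on one detail worth making explicit: Instance B sees the hub firewall IP (172.16.0.20) and a different source port for every flow, while the TCP initial sequence number in the SYN (for example `seq 1817516973`) is identical at both ends. That number is therefore the stable key for matching a request across the firewall's address translation. The following Python script is an added example, not part of the tutorial or of any OCI or pfSense tool; it uses a few SYN and GET lines copied from the two tcpdump outputs above, plus one constructed SYN at 08:59:00 that deliberately never appears at Instance B, and reports which flows made it across and which did not. All function and variable names are the example's own.

```python
"""Correlate the Instance A and Instance B tcpdump text captures by TCP ISN.

Added example (not from the tutorial). The hub firewall rewrites the source
address and port, so the 5-tuple differs at the two capture points, but the
initial sequence number carried in the SYN is left untouched and identifies
each curl request at every hop.
"""
import re

# Lines copied from the tutorial's Logging Point A and F outputs (three flows
# only) plus one constructed SYN at 08:59:00 that never reaches Instance B.
CAPTURE_A = """\
08:56:50.489159 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [S], seq 1817516973, win 62720, options [mss 8960,sackOK,TS val 3736091466 ecr 0,nop,wscale 7], length 0
08:56:50.491702 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.57422 > 172.16.2.88.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736091468 ecr 671349263], length 75: HTTP: GET / HTTP/1.1
08:57:09.284210 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54210 > 172.16.2.88.http: Flags [S], seq 3049648180, win 62720, options [mss 8960,sackOK,TS val 3736110261 ecr 0,nop,wscale 7], length 0
08:57:10.963760 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.54214 > 172.16.2.88.http: Flags [S], seq 1863177286, win 62720, options [mss 8960,sackOK,TS val 3736111940 ecr 0,nop,wscale 7], length 0
08:59:00.000000 IP ih-instance-vcn-a.ihprivatesubnet.spokevcna.oraclevcn.com.40000 > 172.16.2.88.http: Flags [S], seq 123456789, win 62720, options [mss 8960,sackOK,TS val 3736200000 ecr 0,nop,wscale 7], length 0
"""

CAPTURE_B = """\
08:56:50.489551 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 1817516973, win 62720, options [mss 8960,sackOK,TS val 3736091466 ecr 0,nop,wscale 7], length 0
08:56:50.491849 IP 172.16.0.20.23408 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [P.], seq 0:75, ack 1, win 490, options [nop,nop,TS val 3736091468 ecr 671349263], length 75: HTTP: GET / HTTP/1.1
08:57:09.284597 IP 172.16.0.20.22060 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 3049648180, win 62720, options [mss 8960,sackOK,TS val 3736110261 ecr 0,nop,wscale 7], length 0
08:57:10.964151 IP 172.16.0.20.47275 > ih-instance-vcn-b.ihprivatesubnet.spokevcnb.oraclevcn.com.http: Flags [S], seq 1863177286, win 62720, options [mss 8960,sackOK,TS val 3736111940 ecr 0,nop,wscale 7], length 0
"""

# Only the SYN carries the ISN as an absolute "seq N"; tcpdump prints the
# later segments with relative sequence numbers, so those lines are skipped.
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[S\], seq (?P<isn>\d+),"
)


def to_seconds(ts):
    """'08:56:50.489159' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syns(text):
    """Return {isn: flow} for every SYN line in a tcpdump text capture."""
    flows = {}
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        flows[int(m["isn"])] = {
            "time": to_seconds(m["ts"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": m["dport"],
        }
    return flows


def correlate(cap_a, cap_b):
    """Match SYNs seen at hop A to SYNs seen at hop B by ISN.

    Returns (matched, missing): matched maps ISN -> {"a": flow, "b": flow,
    "delay_s": time between the two capture points}; missing lists the ISNs
    seen at A that never showed up at B, i.e. flows lost between the hops.
    """
    syn_a, syn_b = parse_syns(cap_a), parse_syns(cap_b)
    matched, missing = {}, []
    for isn, fa in sorted(syn_a.items(), key=lambda kv: kv[1]["time"]):
        fb = syn_b.get(isn)
        if fb is None:
            missing.append(isn)
        else:
            matched[isn] = {"a": fa, "b": fb, "delay_s": fb["time"] - fa["time"]}
    return matched, missing


def report(cap_a, cap_b):
    """One human-readable line per flow, matched flows first."""
    matched, missing = correlate(cap_a, cap_b)
    lines = []
    for isn, m in matched.items():
        lines.append(
            f"ISN {isn}: A {m['a']['src'].split('.')[0]}:{m['a']['sport']} -> "
            f"B {m['b']['src']}:{m['b']['sport']} (translated), "
            f"{m['delay_s'] * 1e6:.0f} us between capture points"
        )
    for isn in missing:
        lines.append(f"ISN {isn}: seen at A, NOT seen at B")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CAPTURE_A, CAPTURE_B)))
```

Feed it the complete text output of the two tcpdump sessions (the clock on both instances was checked with `timedatectl` in Tasks 2 and 4, which is what makes the per-flow delay meaningful). A flow reported as seen at A but not at B is the one to look up next in the hub subnet log (Logging Point C) and the pfSense capture (Logging Point D) to pin down the hop where it was dropped.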
Note: For the other scenarios, collect the logs, packet captures and tcpdumps in the same way as in Scenario 1.
Scenario 2: Follow the Packet from Spoke VCN Instance to Hub Instance
Scenario 3: Follow the Packet from Hub Instance to Spoke VCN Instance
Scenario 4: Follow the Packet from Spoke VCN Instance to Internet
Scenario 5: Follow the Packet from Spoke VCN Instance to OCI Service Network
Scenario 6: Follow the Packet from Hub Instance to Internet
Scenario 7: Follow the Packet from Internet to Hub Instance
Scenario 8: Follow the Packet from On-Premises to Spoke VCN Instance
Scenario 9: Follow the Packet from Spoke VCN Instance to On-Premises
Scenario 10: Follow the Packet from Remote Computer to Load Balancer to Spoke VCN Instance
Acknowledgments
- Author - Iwan Hoogendoorn (OCI Network Specialist)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Follow the Packets in a Hub and Spoke VCN Routing Architecture inside Oracle Cloud Infrastructure
G12793-02
August 2024