[vpp-dev] Rejecting large frequency change

2021-08-05 Thread Gudimetla, Leela Sankar via lists.fd.io
Hello,

We have started seeing the below warning message coming continuously. Traffic 
is running on several vhost-ports and physical ports. These messages are coming 
even after a restart with a slow rate.

VPP clib_warning: clib_time_verify_frequency:248: Rejecting large frequency 
change of 1.01%

Does this mean something?

Thanks,
Leela sankar

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19924): https://lists.fd.io/g/vpp-dev/message/19924
Mute This Topic: https://lists.fd.io/mt/84701132/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] VPP classifier and session commands

2021-08-05 Thread Benoit Ganne (bganne) via lists.fd.io
> Is it possible to classify packets and create sessions based on l4 fields?

You definitely can, for example:

classify table mask l3 ip4 dst l4 udp dst_port
classify session acl-hit-next ip4-node ip4-lookup table-index 0 match l3 ip4 dst 10.0.0.1 l4 dst_port 1234

You might need https://gerrit.fd.io/r/c/vpp/+/33386 if you plan to use e.g. 
'action'.

Best
ben
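
How the table mask and session in the reply above select packets, as an added example that is not part of the original post and is not VPP code: a simplified fixed-offset mask-and-match model in Python. Offsets are counted from the start of the IPv4 header and assume no IPv4 options; all function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

IP4_DST_OFF = 16                    # destination address inside the IPv4 header
IP4_HDR_LEN = 20                    # assumption: IHL == 5, i.e. no IPv4 options
UDP_DPORT_OFF = IP4_HDR_LEN + 2     # UDP destination port, from start of IPv4
KEY_LEN = IP4_HDR_LEN + 8           # IPv4 header + UDP header


def build_mask():
    """Mask for 'l3 ip4 dst l4 udp dst_port': 0xff on every compared byte."""
    mask = bytearray(KEY_LEN)
    mask[IP4_DST_OFF:IP4_DST_OFF + 4] = b"\xff" * 4
    mask[UDP_DPORT_OFF:UDP_DPORT_OFF + 2] = b"\xff" * 2
    return bytes(mask)


def build_match(dst_ip, dst_port):
    """Session match value: same layout as the mask, holding the wanted values."""
    match = bytearray(KEY_LEN)
    match[IP4_DST_OFF:IP4_DST_OFF + 4] = ipaddress.IPv4Address(dst_ip).packed
    match[UDP_DPORT_OFF:UDP_DPORT_OFF + 2] = struct.pack("!H", dst_port)
    return bytes(match)


def session_hit(packet, mask, match):
    """True when (packet & mask) == match over the whole key."""
    if len(packet) < len(mask):
        return False                # truncated packet cannot hold the L4 field
    return all((p & m) == v for p, m, v in zip(packet, mask, match))


def ip4_udp(src, dst, sport, dport, options=b""):
    """Constructed test packet: IPv4 + UDP headers only, checksums left at 0."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0,
                     64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed) + options
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)


if __name__ == "__main__":
    mask, match = build_mask(), build_match("10.0.0.1", 1234)
    plain = ip4_udp("192.0.2.7", "10.0.0.1", 5555, 1234)
    # IPv4 options move the UDP header, so the fixed-offset key misses dst_port.
    with_opts = ip4_udp("192.0.2.7", "10.0.0.1", 5555, 1234, b"\x01\x01\x01\x00")
    print(session_hit(plain, mask, match), session_hit(with_opts, mask, match))
```
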

View/Reply Online (#19923): https://lists.fd.io/g/vpp-dev/message/19923



Re: [vpp-dev] MAC Learning in vpp

2021-08-05 Thread Neale Ranns
Hi,

But do you want port-security to work for an L2 interface in a BD, or for an L3 
interface? L2 and L3 interfaces manage the ‘learned’ MAC address very 
differently, therefore it would be a different mechanism to 
monitor/filter/munge/etc.

/neale


From: Mohsen Meamarian 
Date: Thursday, 5 August 2021 at 11:13
To: Neale Ranns 
Cc: vpp-dev@lists.fd.io 
Subject: Re: [vpp-dev] MAC Learning in vpp
Hi,
We want to write a port security script. At first the router works normally, 
all interfaces have IP addresses. Then the user wants to set port security on 
an interface, and here we must enable MAC learning features on that interface. 
For this requirement, we searched and found that when an interface is added to 
a bridge, a history of connected device MAC addresses is formed that can be 
seen by running the "sh l2fib all" command. We can set a limit on the learned MAC 
addresses in that table too. The interface, GigabitEthernet2/6/0, has its 
previous IP address. Cisco can ping it well. But when we added 
GigabitEthernet2/6/0 to a bridge-domain it kept its IP address but Cisco cannot 
ping it. We don't want to create a multi-interface bridge-domain and use 
l2-forwarding. It's just a tool for making a memory of 
connected device's MAC address.

On Thu, Aug 5, 2021 at 12:46 PM Neale Ranns wrote:

Hi Mohsen,

From: Mohsen Meamarian
Date: Thursday, 5 August 2021 at 08:24
To: Neale Ranns
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] MAC Learning in vpp
Hi Neale,
Thanks, I’m looking for another way because I have a problem with the bridge.

Another way to do what? Do you want to do l2 forwarding or not?

I have made a bridge with 2 interfaces, one as BVI and from loopback type and 
the other is GigabitEthernet2/0/6. I send a ping packet to the 
GigabitEthernet2/6/0 interface of my system via a Cisco router, although the 
destination MAC address that vpp detects in the trace is its own MAC address, 
but it doesn't pick up the packet.

The trace file you sent shows VPP’s address as the source MAC of the received 
packet. The destination MAC is not in the l2fib, hence the drop.
But that aside, you can’t ping an interface that does not have an IP address. 
It’s the BVI that has the IP address – it is the L3 interface here.

/neale

I attached my trace and bridge configuration. Also I got another error when 
uu-flood and flood of bridge-domain is enabled: l2 replication drop. I have 
tried both modes with BVI interface and without BVI interface.

On Wed, Aug 4, 2021 at 4:29 PM Neale Ranns wrote:
Hi Mohsen,

Perhaps I misunderstood your intentions. MAC learning I was talking about is 
what a switch/bridge domain does to populate its forwarding tables to perform 
l2 forwarding. My old and limited experience with port-security was as a 
feature on l2 interface in a BD.
If what you wanted was ARP for L3 interfaces, then we’re talking about IP 
neighbours. The size of the ip-neighbour DB (which is shared between ARP and ND 
entries) has only a global not a per-interface limit.
DBGvpp# set ip neighbor-config ?
  set ip neighbor-config   set ip neighbor-config ip4|ip6 [limit ] [age ] [recycle|norecycle]
There are no other means to control what IP neighbours are or aren’t learned.

/neale


From: Mohsen Meamarian
Date: Wednesday, 4 August 2021 at 07:26
To: Neale Ranns
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] MAC Learning in vpp
Hi Neale,
Thanks, Is there a way to view and limit learned MAC addresses for an interface 
without adding an interface to a bridge-domain?

On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns wrote:
Hi Mohsen,

Learning in a BD is enabled by default – your trace shows learning on. You can 
turn it on or off through configuration on the BD or on the input interface.
DBGvpp# set bridge-domain ?
  set bridge-domain learn          set bridge-domain learn  [disable]
  set bridge-domain learn-limit    set bridge-domain learn-limit

or

DBGvpp# set interface l2 ?
  set interface l2 learn   set interface l2 learn  [disable]

Ping and ARP work with learning on.

Note also in the commands above, there is a mechanism to limit the number of 
MACs that can be learnt in each BD.

/neale


From: Mohsen Meamarian
Date: Tuesday, 3 August 2021 at 06:37
To: Neale Ranns
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] MAC Learning in vpp
Thanks Neale,
What is the easiest way to enable learning on an interface while other 
functionality, including passing the ping and arp packets, work nor

Re: [vpp-dev] MAC Learning in vpp

2021-08-05 Thread Mohsen Meamarian
Hi,
We want to write a port security script. At first the router works normally,
all interfaces have IP addresses. Then the user wants to set port
security on an interface, and here we must enable MAC learning features on
that interface. For this requirement, we searched and found that when an
interface is added to a bridge, a history of connected device MAC
addresses is formed that can be seen by running the "sh l2fib all" command. We
can set a limit on the learned MAC addresses in that table too. The
interface, GigabitEthernet2/6/0, has its previous IP address. Cisco can
ping it well. But when we added GigabitEthernet2/6/0 to a bridge-domain it
kept its IP address but Cisco cannot ping it. We don't want to create a
multi-interface bridge-domain and use l2-forwarding. It's just a tool for
making a memory of connected device's MAC address.

On Thu, Aug 5, 2021 at 12:46 PM Neale Ranns  wrote:

>
>
> Hi Mohsen,
>
>
>
> *From: *Mohsen Meamarian 
> *Date: *Thursday, 5 August 2021 at 08:24
> *To: *Neale Ranns 
> *Cc: *vpp-dev@lists.fd.io 
> *Subject: *Re: [vpp-dev] MAC Learning in vpp
>
> Hi Neale,
>
> Thanks, I’m looking for another way because I have a problem with the
> bridge.
>
>
>
> Another way to do what? Do you want to do l2 forwarding or not?
>
>
>
> I have made a bridge with 2 interfaces, one as BVI and from loopback type
> and the other is GigabitEthernet2/0/6. I send a ping packet to the
> GigabitEthernet2/6/0 interface of my system via a Cisco router, although
> the destination MAC address that vpp detects in the trace is its own MAC
> address, but it doesn't pick up the packet.
>
>
>
> The trace file you sent shows VPP’s address as the source MAC of the
> received packet. The destination MAC is not in the l2fib, hence the drop.
>
> But that aside, you can’t ping an interface that does not have an IP
> address. It’s the BVI that has the IP address – it is the L3 interface here.
>
>
>
> /neale
>
>
>
> I attached my trace and bridge configuration. Also I got another error
> when uu-flood and flood of bridge-domain is enabled: l2 replication drop. I
> have tried both modes with BVI interface and without BVI interface.
>
>
>
> On Wed, Aug 4, 2021 at 4:29 PM Neale Ranns  wrote:
>
> Hi Mohsen,
>
>
>
> Perhaps I misunderstood your intentions. MAC learning I was talking about
> is what a switch/bridge domain does to populate its forwarding tables to
> perform l2 forwarding. My old and limited experience with port-security was
> as a feature on l2 interface in a BD.
>
> If what you wanted was ARP for L3 interfaces, then we’re talking about IP
> neighbours. The size of the ip-neighbour DB (which is shared between ARP
> and ND entries) has only a global not a per-interface limit.
>
> DBGvpp# set ip neighbor-config ?
>
>   set ip neighbor-config   set ip neighbor-config ip4|ip6 [limit ] [age ] [recycle|norecycle]
>
> There are no other means to control what IP neighbours are or aren’t
> learned.
>
>
>
> /neale
>
>
>
>
>
> *From: *Mohsen Meamarian 
> *Date: *Wednesday, 4 August 2021 at 07:26
> *To: *Neale Ranns 
> *Cc: *vpp-dev@lists.fd.io 
> *Subject: *Re: [vpp-dev] MAC Learning in vpp
>
> Hi Neale,
>
> Thanks, Is there a way to view and limit learned MAC addresses for an
> interface without adding an interface to a bridge-domain?
>
>
>
> On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns  wrote:
>
> Hi Mohsen,
>
>
>
> Learning in a BD is enabled by default – your trace shows learning on. You
> can turn it on or off through configuration on the BD or on the input
> interface.
>
> DBGvpp# set bridge-domain ?
>
>   set bridge-domain learn          set bridge-domain learn  [disable]
>
>   set bridge-domain learn-limit    set bridge-domain learn-limit
>
>
>
> or
>
>
>
> DBGvpp# set interface l2 ?
>
>   set interface l2 learn   set interface l2 learn  [disable]
>
>
>
> Ping and ARP work with learning on.
>
>
>
> Note also in the commands above, there is a mechanism to limit the number
> of MACs that can be learnt in each BD.
>
>
>
> /neale
>
>
>
>
>
> *From: *Mohsen Meamarian 
> *Date: *Tuesday, 3 August 2021 at 06:37
> *To: *Neale Ranns 
> *Cc: *vpp-dev@lists.fd.io 
> *Subject: *Re: [vpp-dev] MAC Learning in vpp
>
> Thanks Neale,
>
> What is the easiest way to enable learning on an interface while other
> functionality, including passing the ping and arp packets, works normally?
>
>
>
> I want l2_learn_process to run for that interface so that I can write a
> function to do something like putting a limit on maximum connected devices
> with its help.
>
>
>
>
>
> On Mon, Aug 2, 2021, 23:38 Neale Ranns  wrote:
>
>
>
> Hi Mohsen,
>
>
>
> *From: *vpp-dev@lists.fd.io  on behalf of Mohsen
> Meamarian via lists.fd.io 
> *Date: *Monday, 2 August 2021 at 18:45
> *To: *vpp-dev@lists.fd.io 
> *Subject: *[vpp-dev] MAC Learning in vpp
>
> Hi friends,
>
> I want to implement port security in vpp. I assume that the
> l2learn_process function in l2_learn.c runs periodically when vp

Re: [vpp-dev] MAC Learning in vpp

2021-08-05 Thread Neale Ranns

Hi Mohsen,

From: Mohsen Meamarian 
Date: Thursday, 5 August 2021 at 08:24
To: Neale Ranns 
Cc: vpp-dev@lists.fd.io 
Subject: Re: [vpp-dev] MAC Learning in vpp
Hi Neale,
Thanks, I’m looking for another way because I have a problem with the bridge.

Another way to do what? Do you want to do l2 forwarding or not?

I have made a bridge with 2 interfaces, one as BVI and from loopback type and 
the other is GigabitEthernet2/0/6. I send a ping packet to the 
GigabitEthernet2/6/0 interface of my system via a Cisco router, although the 
destination MAC address that vpp detects in the trace is its own MAC address, 
but it doesn't pick up the packet.

The trace file you sent shows VPP’s address as the source MAC of the received 
packet. The destination MAC is not in the l2fib, hence the drop.
But that aside, you can’t ping an interface that does not have an IP address. 
It’s the BVI that has the IP address – it is the L3 interface here.

/neale

I attached my trace and bridge configuration. Also I got another error when 
uu-flood and flood of bridge-domain is enabled: l2 replication drop. I have 
tried both modes with BVI interface and without BVI interface.

On Wed, Aug 4, 2021 at 4:29 PM Neale Ranns wrote:
Hi Mohsen,

Perhaps I misunderstood your intentions. MAC learning I was talking about is 
what a switch/bridge domain does to populate its forwarding tables to perform 
l2 forwarding. My old and limited experience with port-security was as a 
feature on l2 interface in a BD.
If what you wanted was ARP for L3 interfaces, then we’re talking about IP 
neighbours. The size of the ip-neighbour DB (which is shared between ARP and ND 
entries) has only a global not a per-interface limit.
DBGvpp# set ip neighbor-config ?
  set ip neighbor-config   set ip neighbor-config ip4|ip6 [limit ] [age ] [recycle|norecycle]
There are no other means to control what IP neighbours are or aren’t learned.

/neale


From: Mohsen Meamarian
Date: Wednesday, 4 August 2021 at 07:26
To: Neale Ranns
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] MAC Learning in vpp
Hi Neale,
Thanks, Is there a way to view and limit learned MAC addresses for an interface 
without adding an interface to a bridge-domain?

On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns wrote:
Hi Mohsen,

Learning in a BD is enabled by default – your trace shows learning on. You can 
turn it on or off through configuration on the BD or on the input interface.
DBGvpp# set bridge-domain ?
  set bridge-domain learn          set bridge-domain learn  [disable]
  set bridge-domain learn-limit    set bridge-domain learn-limit

or

DBGvpp# set interface l2 ?
  set interface l2 learn   set interface l2 learn  [disable]

Ping and ARP work with learning on.

Note also in the commands above, there is a mechanism to limit the number of 
MACs that can be learnt in each BD.

/neale


From: Mohsen Meamarian
Date: Tuesday, 3 August 2021 at 06:37
To: Neale Ranns
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] MAC Learning in vpp
Thanks Neale,
What is the easiest way to enable learning on an interface while other 
functionality, including passing the ping and arp packets, works normally?

I want l2_learn_process to run for that interface so that I can write a function 
to do something like putting a limit on maximum connected devices with its help.


On Mon, Aug 2, 2021, 23:38 Neale Ranns wrote:

Hi Mohsen,

From: vpp-dev@lists.fd.io on behalf of Mohsen Meamarian via lists.fd.io
Date: Monday, 2 August 2021 at 18:45
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] MAC Learning in vpp
Hi friends,
I want to implement port security in vpp. I assume that the l2learn_process 
function in l2_learn.c runs periodically when vpp is active and when a device 
is connected to my system, this function helps to learn its MAC. Is this 
assumption true?

No. l2_learn runs for all packets that are received on a link on which learning 
is enabled. You can see it in the trace you provided. It is learning in this 
VLIB node that will populate the l2fib.

Because when I run the sh l2fib command, it returns nothing. But when I set an 
interface as a bridge, the sh l2fib command returns something. My commands:

create bridge-domain 2 arp-term 1
create loopback interface
set int l2 bridge loop0 2 bvi
set interface state loop0 up
set interface l2 bridge GigabitEthernet0/8/0 2

show bridge-domain 2 detail
show l2fib all

But I have a problem here. vpp drops ping packet. Where can th

Re: [vpp-dev] MAC Learning in vpp

2021-08-05 Thread Benoit Ganne (bganne) via lists.fd.io
I guess you mean 00:0c:29:91:93:e0 is the MAC address of GigabitEthernet2/0/6?
I think the issue is that ICMP being L3 it must be switched to the BVI. For 
that, the destination MAC must be the one of the BVI (loop1) which is 
de:ad:00:00:00:01 in your case, not the one of GigabitEthernet2/0/6.
Now, how the sender learnt 00:0c:29:91:93:e0 instead of de:ad:00:00:00:01, I do 
not know.

Best
ben
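
The forwarding decision described above, as an added example that is not part of the original message and is not VPP code: a simplified Python model of a bridge domain with a BVI and a learn limit. The two MAC addresses come from the thread; the peer MACs, class and function names are constructed, and the model assumes that a frame whose source is not learned because of the limit is still processed.

```python
from dataclasses import dataclass, field


@dataclass
class BridgeDomain:
    """Simplified model of one bridge domain (BD); not VPP code."""
    bvi_mac: str                  # MAC of the BVI, the BD's L3 interface
    ports: tuple                  # L2 member ports (names are labels only)
    learn_limit: int              # cap on learned MACs for this BD
    uu_flood: bool = False        # flood unknown unicast instead of dropping it
    l2fib: dict = field(default_factory=dict)   # learned MAC -> ingress port

    def _learn(self, port, src_mac):
        if src_mac in self.l2fib or len(self.l2fib) < self.learn_limit:
            self.l2fib[src_mac] = port
            return True
        # Limit reached: the source is not learned. Assumption of this model:
        # the frame itself is still processed, so the limit alone filters nothing.
        return False

    def rx(self, port, src_mac, dst_mac):
        """Handle one unicast frame received on `port`; return the decision."""
        self._learn(port, src_mac)
        if dst_mac == self.bvi_mac:
            return "to-bvi"                       # handed to L3 (IP, ICMP)
        if dst_mac in self.l2fib:
            return "forward:" + self.l2fib[dst_mac]
        others = [p for p in self.ports if p != port]
        if self.uu_flood and others:
            return "flood:" + ",".join(others)
        return "drop"                             # l2fib miss, nowhere to send it


def thread_scenario():
    """Replay the situation from the thread with its two quoted MAC addresses."""
    port = "GigabitEthernet2/0/6"
    bd = BridgeDomain(bvi_mac="de:ad:00:00:00:01", ports=(port,), learn_limit=2)
    peer = "02:00:00:00:00:aa"                    # constructed MAC for the router
    to_port_mac = bd.rx(port, peer, "00:0c:29:91:93:e0")   # MAC the sender used
    to_bvi_mac = bd.rx(port, peer, "de:ad:00:00:00:01")    # MAC of the BVI
    # Two more constructed sources: only one still fits under learn_limit=2.
    bd.rx(port, "02:00:00:00:00:bb", "de:ad:00:00:00:01")
    bd.rx(port, "02:00:00:00:00:cc", "de:ad:00:00:00:01")
    return to_port_mac, to_bvi_mac, sorted(bd.l2fib)


if __name__ == "__main__":
    print(thread_scenario())
```
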

> -----Original Message-----
> From: vpp-dev@lists.fd.io  On Behalf Of Mohsen
> Meamarian
> Sent: jeudi 5 août 2021 08:25
> To: Neale Ranns 
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] MAC Learning in vpp
> 
> Hi Neale,
> Thanks, I'm looking for another way because I have a problem with the
> bridge. I have made a bridge with 2 interfaces, one as BVI and from
> loopback type and the other is GigabitEthernet2/0/6. I send a ping packet
> to the GigabitEthernet2/6/0 interface of my system via a Cisco router,
> although the destination MAC address that vpp detects in the trace is its
> own MAC address, but it doesn't pick up the packet.
> 
> I attached my trace and bridge configuration. Also I got another error
> when uu-flood and flood of bridge-domain is enabled: l2 replication drop. I
> have tried both modes with BVI interface and without BVI interface.
> 
> On Wed, Aug 4, 2021 at 4:29 PM Neale Ranns wrote:
> 
> 
>   Hi Mohsen,
> 
> 
> 
>   Perhaps I misunderstood your intentions. MAC learning I was talking
> about is what a switch/bridge domain does to populate its forwarding
> tables to perform l2 forwarding. My old and limited experience with port-
> security was as a feature on l2 interface in a BD.
> 
>   If what you wanted was ARP for L3 interfaces, then we’re talking
> about IP neighbours. The size of the ip-neighbour DB (which is shared
> between ARP and ND entries) has only a global not a per-interface limit.
> 
>   DBGvpp# set ip neighbor-config ?
> 
>   set ip neighbor-config   set ip neighbor-config ip4|ip6 [limit ] [age ] [recycle|norecycle]
> 
>   There are no other means to control what IP neighbours are or aren’t
> learned.
> 
> 
> 
>   /neale
> 
> 
> 
> 
> 
>   From: Mohsen Meamarian
>   Date: Wednesday, 4 August 2021 at 07:26
>   To: Neale Ranns
>   Cc: vpp-dev@lists.fd.io
>   Subject: Re: [vpp-dev] MAC Learning in vpp
> 
>   Hi Neale,
> 
>   Thanks, Is there a way to view and limit learned MAC addresses for
> an interface without adding an interface to a bridge-domain?
> 
> 
> 
>   On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns wrote:
> 
>   Hi Mohsen,
> 
> 
> 
>   Learning in a BD is enabled by default – your trace shows
> learning on. You can turn it on or off through configuration on the BD or
> on the input interface.
> 
>   DBGvpp# set bridge-domain ?
> 
>   set bridge-domain learn          set bridge-domain learn  [disable]
> 
>   set bridge-domain learn-limit    set bridge-domain learn-limit
> 
> 
> 
>   or
> 
> 
> 
>   DBGvpp# set interface l2 ?
> 
>   set interface l2 learn   set interface l2 learn  [disable]
> 
> 
> 
>   Ping and ARP work with learning on.
> 
> 
> 
>   Note also in the commands above, there is a mechanism to limit
> the number of MACs that can be learnt in each BD.
> 
> 
> 
>   /neale
> 
> 
> 
> 
> 
>   From: Mohsen Meamarian
>   Date: Tuesday, 3 August 2021 at 06:37
>   To: Neale Ranns
>   Cc: vpp-dev@lists.fd.io
>   Subject: Re: [vpp-dev] MAC Learning in vpp
> 
>   Thanks Neale,
> 
>   What is the easiest way to enable learning on an interface
> while other functionality, including passing the ping and arp packets,
> works normally?
> 
> 
> 
>   I want l2_learn_process to run for that interface so that I can
> write a function to do something like putting a limit on maximum connected
> devices with its help.
> 
> 
> 
> 
> 
>   On Mon, Aug 2, 2021, 23:38 Neale Ranns wrote:
> 
> 
> 
>   Hi Mohsen,
> 
> 
> 
>   From: vpp-dev@lists.fd.io on behalf of Mohsen Meamarian via lists.fd.io
>   Date: Monday, 2 August 2021 at 18:45
>   To: vpp-dev@lists.fd.io
>