Re: [vpp-dev] VLAN to VLAN

2018-05-10 Thread Andrew Yourtchenko
See if “git clean -fdx” before building might help; I think I have seen 
something similar when moving between far-apart versions. 

--a

> On 10 May 2018, at 02:17, carlito nueno  wrote:
> 
> First Question:
> Tried to do “make test TEST=acl_plugin_macip”, but I got this error:
> 
> Using /vpp/build-root/python/virtualenv/lib/python2.7/site-packages
> Finished processing dependencies for vpp-papi==1.4
> make -C ext
> make[1]: Entering directory '/vpp/test/ext'
> make[1]: *** No rule to make target 
> '/vpp/vpp-api/vapi/.libs/libvapiclient.so', needed by 
> '/vapi_test/vapi_c_test'.  Stop.
> make[1]: Leaving directory '/vpp/test/ext'
> Makefile:129: recipe for target 'ext' failed
> make: *** [ext] Error 2
> 
> ubuntu 16.04
> python2.7
> downloaded vpp src to /vpp
> export VPP_PYTHON_PREFIX=/vpp/build-root/python
> export WS_ROOT=/vpp
> 
> Second question:
> When using govpp to load acl, how to maintain persistence when vpp is 
> restarted?
> - does the go app need to be re-run?
> 
> Thanks
> 


Re: [vpp-dev] VLAN to VLAN

2018-05-09 Thread carlito nueno
Forgot to mention: upgraded to vpp v18.04-rc2~26-gac2b736~b45

Current setup:
GigabitEthernet0/14/0.1, Idx 9, ip 192.168.0.0/24, vlan 1
GigabitEthernet0/14/0.2, Idx 12, ip 192.168.2.0/24, vlan 2

I don't want devices on vlan1 and vlan2 to communicate with each other.
I tried to use macip via VAT

vat# macip_acl_add ipv4 deny ip 192.168.2.0/24
vat# macip_acl_interface_add_del sw_if_index 9 add acl 0

But, devices under 192.168.0.0/24 can't communicate with each other.

Thanks


Re: [vpp-dev] VLAN to VLAN

2018-05-09 Thread carlito nueno
First Question:
Tried to do “make test TEST=acl_plugin_macip”, but I got this error:

Using /vpp/build-root/python/virtualenv/lib/python2.7/site-packages
Finished processing dependencies for vpp-papi==1.4
make -C ext
make[1]: Entering directory '/vpp/test/ext'
make[1]: *** No rule to make target '/vpp/vpp-api/vapi/.libs/libvapiclient.so', needed by '/vapi_test/vapi_c_test'.  Stop.
make[1]: Leaving directory '/vpp/test/ext'
Makefile:129: recipe for target 'ext' failed
make: *** [ext] Error 2

ubuntu 16.04
python2.7
downloaded vpp src to /vpp
export VPP_PYTHON_PREFIX=/vpp/build-root/python
export WS_ROOT=/vpp

Second question:
When using govpp to load acl, how to maintain persistence when vpp is restarted?
- does the go app need to be re-run?

Thanks


Re: [vpp-dev] VLAN to VLAN

2018-04-24 Thread Andrew Yourtchenko
Carlito,

Seems like my mail didn’t make it to the list...

Your release doesn’t yet have support for subinterfaces.

Do “make test TEST=acl_plugin_macip” and the very scenario you are setting up 
is the first unit test in the supported version, so you can compare the logs.

I suggest giving a whirl to a 18.04rc2, since the release will be out in just a 
couple of days.

--a

> On 24 Apr 2018, at 04:02, carlito nueno  wrote:
> 
> any suggestions?
> 
> Thanks
> 


Re: [vpp-dev] VLAN to VLAN

2018-04-23 Thread carlito nueno
any suggestions?

Thanks


Re: [vpp-dev] VLAN to VLAN

2018-04-20 Thread carlito nueno
index 14 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
bd_index 3
18:47:56:729556: l2-flood
  l2-flood: sw_if_index 14 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
bd_index 3
18:47:56:729557: l2-output
  l2-output: sw_if_index 15 dst ff:ff:ff:ff:ff:ff src
74:da:38:0d:43:59 data 08 00 45 00 01 38 4b 0b 00 00 40 11
18:47:56:729557: tap-2-output
  tap-2
  IP4: 74:da:38:0d:43:59 -> ff:ff:ff:ff:ff:ff
  UDP: 192.168.3.16 -> 192.168.3.255
tos 0x00, ttl 64, length 312, checksum 0xa64a
fragment id 0x4b0b
  UDP: 17500 -> 17500
length 292, checksum 0x5510
18:47:56:729581: l2-flood
  l2-flood: sw_if_index 14 dst 45:00:01:38:4b:0b src 00:00:40:11:a6:4a
bd_index 3
18:47:56:729582: ip4-input
  UDP: 192.168.3.16 -> 192.168.3.255
tos 0x00, ttl 64, length 312, checksum 0xa64a
fragment id 0x4b0b
  UDP: 17500 -> 17500
length 292, checksum 0x5510
18:47:56:729583: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 13, next index 3, session -1
18:47:56:729584: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 13, next index 0, session -1
18:47:56:729586: ip4-lookup
  fib 0 dpo-idx 0 flow hash: 0x
  UDP: 192.168.3.16 -> 192.168.3.255
tos 0x00, ttl 64, length 312, checksum 0xa64a
fragment id 0x4b0b
  UDP: 17500 -> 17500
length 292, checksum 0x5510
18:47:56:729587: ip4-drop
UDP: 192.168.3.16 -> 192.168.3.255
  tos 0x00, ttl 64, length 312, checksum 0xa64a
  fragment id 0x4b0b
UDP: 17500 -> 17500
  length 292, checksum 0x5510
18:47:56:729588: error-drop
  ip4-input: ip4 adjacency drop

On Thu, Apr 19, 2018 at 11:47 PM, Andrew Yourtchenko <ayour...@gmail.com> wrote:
> Hi Carlito,
>
> What does the packet trace (as per
> https://wiki.fd.io/view/VPP/How_To_Use_The_Packet_Generator_and_Packet_Tracer)
> look like and which version of VPP are you running ?
>
> --a
>
> On 20 Apr 2018, at 05:00, Carlito Nueno <carlitonu...@gmail.com> wrote:
>
> Thanks John.
>
> Routing between VLANs is working. But I can't get the ACLs quite
> right. I am trying to block all communication between device A
> (192.168.3.16) on VLAN 3 and device B (192.168.2.181) on VLAN 2.
>
> vat# acl_add_replace ipv4 deny src 192.168.3.16/32 dst 192.168.2.181/32
> vat# acl_dump
> vl_api_acl_details_t_handler:194: acl_index: 1, count: 1
>   tag {}
>   ipv4 action 0 src 192.168.3.16/32 dst 192.168.2.181/32 proto 0
> sport 0-65535 dport 0-65535 tcpflags 0 mask 0
>
> # VLAN on subinterface GigabitEthernet0/14/0.2
> vat# acl_interface_set_acl_list sw_if_index 11 input 1 output 1
>
> # VLAN on subinterface GigabitEthernet0/14/0.3
> vat# acl_interface_set_acl_list sw_if_index 14 input 1 output 1
>
> vat# acl_interface_list_dump
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 11,
> count: 2, n_input: 1
>   input 1
>  output 1
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 14,
> count: 2, n_input: 1
>   input 1
>  output 1
>
> I am still able to ping from 192.168.3.16 to 192.168.2.181 after above
> commands.
>
> Thanks
>
> On Thu, Apr 19, 2018 at 3:55 PM, John Lo (loj) <l...@cisco.com> wrote:
>
> One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces
> you need to put into BDs 1 and 2, then you may just configure IP addresses
> on the sub-interfaces to route directly, as suggested by Andrew. It would be
> a lot more efficient than going through two BDs and route via BVIs.  -John
>
>
> -Original Message-
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
>
> Sent: Thursday, April 19, 2018 4:48 PM
>
> To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko
> <ayour...@gmail.com>
>
> Cc: vpp-dev@lists.fd.io
>
> Subject: Re: [vpp-dev] VLAN to VLAN
>
>
> The config looks correct and should work, assuming the following:
>
> 1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the
> 192.168.2.1/24 subnet with default gateway set to that of the BVI IP address
> of 192.168.2.1.
>
> 2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the
> 192.168.3.1/24 subnet with default gateway set to that of the BVI IP address
> of 192.168.3.1.
>
>
> One improvement is to put the BVI interfaces into their own VRF by setting
> loop0 and loop1 into a specific ip table to not use the global routing
> table.  For example, set the following before assigning IP address to loop0
> and loop1:
>
>   set int ip table loop0 4
>
>   set int ip table loop1 4
>
> This will make the routing between BD-VLANs 2 and 3 private and more secure.
>
>
> Regards,
>
> John
>
>
> -Original Message-
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of ca
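
Added example (not part of the original message and not VPP project code): a small Python parser for the packet trace posted above. It lists the graph nodes the packet visited, the sw_if_index values and IP flows seen, and checks whether the traced flow is the one the ACL rule in this thread names. The `acl-plugin` node-name prefix and all function names are assumptions of this example; the trace text is an excerpt of the one above with the header dumps omitted.

```python
import ipaddress
import re

# Excerpt of the trace posted in this message (payload/header dumps omitted).
TRACE = """\
18:47:56:729556: l2-flood
  l2-flood: sw_if_index 14 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
bd_index 3
18:47:56:729557: l2-output
  l2-output: sw_if_index 15 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
18:47:56:729557: tap-2-output
  tap-2
18:47:56:729581: l2-flood
  l2-flood: sw_if_index 14 dst 45:00:01:38:4b:0b src 00:00:40:11:a6:4a
18:47:56:729582: ip4-input
  UDP: 192.168.3.16 -> 192.168.3.255
18:47:56:729583: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 13, next index 3, session -1
18:47:56:729584: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 13, next index 0, session -1
18:47:56:729586: ip4-lookup
  UDP: 192.168.3.16 -> 192.168.3.255
18:47:56:729587: ip4-drop
UDP: 192.168.3.16 -> 192.168.3.255
18:47:56:729588: error-drop
  ip4-input: ip4 adjacency drop
"""

NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{6}): (\S+)\s*$")   # "<time>: <node>"
IFIDX_RE = re.compile(r"sw_if_index (\d+)")
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)")


def parse_trace(text):
    """Split a trace into hops: one dict per graph node, with its detail lines."""
    hops = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            hops.append({"ts": m.group(1), "node": m.group(2), "detail": []})
        elif hops and line.strip():
            hops[-1]["detail"].append(line.strip())
    for hop in hops:
        idx = IFIDX_RE.search(" ".join(hop["detail"]))
        hop["sw_if_index"] = int(idx.group(1)) if idx else None
    return hops


def nodes_with_prefix(hops, prefix):
    """Nodes on the path whose name starts with prefix (e.g. an ACL node family)."""
    return [h["node"] for h in hops if h["node"].startswith(prefix)]


def interfaces_seen(hops):
    return sorted({h["sw_if_index"] for h in hops if h["sw_if_index"] is not None})


def flows_seen(hops):
    """Distinct (src_ip, dst_ip) pairs printed anywhere in the trace."""
    found = set()
    for hop in hops:
        for line in hop["detail"]:
            found.update(FLOW_RE.findall(line))
    return sorted(found)


def drop_reason(hops):
    """First detail line of a trailing error-drop node, or None if not dropped."""
    if hops and hops[-1]["node"] == "error-drop" and hops[-1]["detail"]:
        return hops[-1]["detail"][0]
    return None


def rule_covers(flow, src_cidr, dst_cidr):
    """True if the (src, dst) flow falls inside the rule's src and dst prefixes."""
    src, dst = (ipaddress.ip_address(a) for a in flow)
    return src in ipaddress.ip_network(src_cidr) and dst in ipaddress.ip_network(dst_cidr)


def summarize(text, acl_prefix="acl-plugin",              # prefix is an assumption
              rule=("192.168.3.16/32", "192.168.2.181/32")):  # rule from the thread
    hops = parse_trace(text)
    flows = flows_seen(hops)
    return {
        "path": [h["node"] for h in hops],
        "acl_nodes": nodes_with_prefix(hops, acl_prefix),
        "interfaces": interfaces_seen(hops),
        "flows": flows,
        "rule_covers_traced_flow": any(rule_covers(f, *rule) for f in flows),
        "drop_reason": drop_reason(hops),
    }


if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key}: {value}")
```

On the posted trace this reports no node with the assumed prefix and a single traced flow, 192.168.3.16 -> 192.168.3.255, which is not the src/dst pair named in the ACL rule.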

Re: [vpp-dev] VLAN to VLAN

2018-04-20 Thread Andrew Yourtchenko
Hi Carlito,

What does the packet trace (as per 
https://wiki.fd.io/view/VPP/How_To_Use_The_Packet_Generator_and_Packet_Tracer) 
look like and which version of VPP are you running?

--a

> On 20 Apr 2018, at 05:00, Carlito Nueno <carlitonu...@gmail.com> wrote:
> 
> Thanks John.
> 
> Routing between VLANs is working. But I can't get the ACLs quite
> right. I am trying to block all communication between device A
> (192.168.3.16) on VLAN 3 and device B (192.168.2.181) on VLAN 2.
> 
> vat# acl_add_replace ipv4 deny src 192.168.3.16/32 dst 192.168.2.181/32
> vat# acl_dump
> vl_api_acl_details_t_handler:194: acl_index: 1, count: 1
>   tag {}
>   ipv4 action 0 src 192.168.3.16/32 dst 192.168.2.181/32 proto 0
> sport 0-65535 dport 0-65535 tcpflags 0 mask 0
> 
> # VLAN on subinterface GigabitEthernet0/14/0.2
> vat# acl_interface_set_acl_list sw_if_index 11 input 1 output 1
> 
> # VLAN on subinterface GigabitEthernet0/14/0.3
> vat# acl_interface_set_acl_list sw_if_index 14 input 1 output 1
> 
> vat# acl_interface_list_dump
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 11,
> count: 2, n_input: 1
>   input 1
>  output 1
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 14,
> count: 2, n_input: 1
>   input 1
>  output 1
> 
> I am still able to ping from 192.168.3.16 to 192.168.2.181 after above 
> commands.
> 
> Thanks
> 
>> On Thu, Apr 19, 2018 at 3:55 PM, John Lo (loj) <l...@cisco.com> wrote:
>> One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces 
>> you need to put into BDs 1 and 2, then you may just configure IP addresses 
>> on the sub-interfaces to route directly, as suggested by Andrew. It would be 
>> a lot more efficient than going through two BDs and route via BVIs.  -John
>> 
>> -Original Message-
>> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
>> Sent: Thursday, April 19, 2018 4:48 PM
>> To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko 
>> <ayour...@gmail.com>
>> Cc: vpp-dev@lists.fd.io
>> Subject: Re: [vpp-dev] VLAN to VLAN
>> 
>> The config looks correct and should work, assuming the following:
>> 1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the 
>> 192.168.2.1/24 subnet with default gateway set to that of the BVI IP address 
>> of 192.168.2.1.
>> 2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the 
>> 192.168.3.1/24 subnet with default gateway set to that of the BVI IP address 
>> of 192.168.3.1.
>> 
>> One improvement is to put the BVI interfaces into their own VRF by setting 
>> loop0 and loop1 into a specific ip table to not use the global routing 
>> table.  For example, set the following before assigning IP address to loop0 
>> and loop1:
>>   set int ip table loop0 4
>>   set int ip table loop1 4
>> This will make the routing between BD-VLANs 2 and 3 private and more secure.
>> 
>> Regards,
>> John
>> 
>> -Original Message-
>> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
>> Sent: Thursday, April 19, 2018 4:15 PM
>> To: Andrew Yourtchenko <ayour...@gmail.com>
>> Cc: vpp-dev@lists.fd.io
>> Subject: Re: [vpp-dev] VLAN to VLAN
>> 
>> My current VLAN config:
>> 
>> loopback create
>> set int l2 bridge loop1 2 bvi
>> set int ip address loop1 192.168.2.1/24
>> set int state loop1 up
>> 
>> create sub GigabitEthernet0/14/0 2
>> set int l2 bridge GigabitEthernet0/14/0.2 2
>> set int l2 tag-rewrite GigabitEthernet0/14/0.2 pop 1
>> set int state GigabitEthernet0/14/0.2 up
>> 
>> 
>> loopback create
>> set int l2 bridge loop2 3 bvi
>> set int ip address loop2 192.168.3.1/24
>> set int state loop2 up
>> 
>> create sub GigabitEthernet0/14/0 3
>> set int l2 bridge GigabitEthernet0/14/0.3 3
>> set int l2 tag-rewrite GigabitEthernet0/14/0.3 pop 1
>> set int state GigabitEthernet0/14/0.3 up
>> 
>> 
>> So this should route traffic between VLAN 2 and VLAN 3, correct?
>> 
>> Thanks
>> 
>>> On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com> 
>>> wrote:
>>> 
>>> hi Carlito,
>>> 
>>> you can configure subinterfaces with tags and assign the ip addresses
>>> so the VPP does routing and then either use vnet ACLs or acl plugin to
>>> restrict the traffic.
>>> 
>>> —a
>>> 
>>> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>>> 
>>> Begin forwarded message:
>>> 
>>> From: Carlito Nueno <carlitonu...@gmail.com>
>>> Date: April 19, 2018 at 9:03:51 AM HST
>>> To: dbar...@cisco.com
>>> Subject: VLAN to VLAN
>>> 
>>> Hi Dave,
>>> 
>>> How can I enable VLAN to VLAN communication? I want to have devices on
>>> one VLAN talk to devices on another VLAN, if possible constrain the
>>> devices by MAC or IP address.
>>> 
>>> For example, only device with MAC (aa:aa:bb:80:90) or IP address
>>> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
>>> (192.168.3.0/24).
>>> 
>>> Thanks
>>> 
>>> 
>> 
>> 
>> 
>> 
>> 
>> 


Re: [vpp-dev] VLAN to VLAN

2018-04-19 Thread carlito nueno
Thanks John.

Routing between VLANs is working. But I can't get the ACLs quite
right. I am trying to block all communication between device A
(192.168.3.16) on VLAN 3 and device B (192.168.2.181) on VLAN 2.

vat# acl_add_replace ipv4 deny src 192.168.3.16/32 dst 192.168.2.181/32
vat# acl_dump
vl_api_acl_details_t_handler:194: acl_index: 1, count: 1
   tag {}
   ipv4 action 0 src 192.168.3.16/32 dst 192.168.2.181/32 proto 0
sport 0-65535 dport 0-65535 tcpflags 0 mask 0

# VLAN on subinterface GigabitEthernet0/14/0.2
vat# acl_interface_set_acl_list sw_if_index 11 input 1 output 1

# VLAN on subinterface GigabitEthernet0/14/0.3
vat# acl_interface_set_acl_list sw_if_index 14 input 1 output 1

vat# acl_interface_list_dump
vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 11,
count: 2, n_input: 1
   input 1
  output 1
vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 14,
count: 2, n_input: 1
   input 1
  output 1

I am still able to ping from 192.168.3.16 to 192.168.2.181 after above commands.

Thanks

On Thu, Apr 19, 2018 at 3:55 PM, John Lo (loj) <l...@cisco.com> wrote:
> One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces you 
> need to put into BDs 1 and 2, then you may just configure IP addresses on the 
> sub-interfaces to route directly, as suggested by Andrew. It would be a lot 
> more efficient than going through two BDs and route via BVIs.  -John
>
> -Original Message-
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
> Sent: Thursday, April 19, 2018 4:48 PM
> To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko 
> <ayour...@gmail.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] VLAN to VLAN
>
> The config looks correct and should work, assuming the following:
> 1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the 
> 192.168.2.1/24 subnet with default gateway set to that of the BVI IP address 
> of 192.168.2.1.
> 2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the 
> 192.168.3.1/24 subnet with default gateway set to that of the BVI IP address 
> of 192.168.3.1.
>
> One improvement is to put the BVI interfaces into their own VRF by setting 
> loop0 and loop1 into a specific ip table to not use the global routing table. 
>  For example, set the following before assigning IP address to loop0 and 
> loop1:
>   set int ip table loop0 4
>   set int ip table loop1 4
> This will make the routing between BD-VLANs 2 and 3 private and more secure.
>
> Regards,
> John
>
> -Original Message-
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
> Sent: Thursday, April 19, 2018 4:15 PM
> To: Andrew Yourtchenko <ayour...@gmail.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] VLAN to VLAN
>
> My current VLAN config:
>
> loopback create
> set int l2 bridge loop1 2 bvi
> set int ip address loop1 192.168.2.1/24
> set int state loop1 up
>
> create sub GigabitEthernet0/14/0 2
> set int l2 bridge GigabitEthernet0/14/0.2 2
> set int l2 tag-rewrite GigabitEthernet0/14/0.2 pop 1
> set int state GigabitEthernet0/14/0.2 up
>
>
> loopback create
> set int l2 bridge loop2 3 bvi
> set int ip address loop2 192.168.3.1/24
> set int state loop2 up
>
> create sub GigabitEthernet0/14/0 3
> set int l2 bridge GigabitEthernet0/14/0.3 3
> set int l2 tag-rewrite GigabitEthernet0/14/0.3 pop 1
> set int state GigabitEthernet0/14/0.3 up
>
>
> So this should route traffic between VLAN 2 and VLAN 3, correct?
>
> Thanks
>
> On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com> 
> wrote:
>>
>> hi Carlito,
>>
>> you can configure subinterfaces with tags and assign the ip addresses
>> so the VPP does routing and then either use vnet ACLs or acl plugin to
>> restrict the traffic.
>>
>> —a
>>
>> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>>
>> Begin forwarded message:
>>
>> From: Carlito Nueno <carlitonu...@gmail.com>
>> Date: April 19, 2018 at 9:03:51 AM HST
>> To: dbar...@cisco.com
>> Subject: VLAN to VLAN
>>
>> Hi Dave,
>>
>> How can I enable VLAN to VLAN communication? I want to have devices on
>> one VLAN talk to devices on another VLAN, if possible constrain the
>> devices by MAC or IP address.
>>
>> For example, only device with MAC (aa:aa:bb:80:90) or IP address
>> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
>> (192.168.3.0/24).
>>
>> Thanks
>>
>>
>
>
>
>
> 
>


Re: [vpp-dev] VLAN to VLAN

2018-04-19 Thread John Lo (loj)
One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces you 
need to put into BDs 1 and 2, then you may just configure IP addresses on the 
sub-interfaces to route directly, as suggested by Andrew. It would be a lot 
more efficient than going through two BDs and route via BVIs.  -John

-Original Message-
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
Sent: Thursday, April 19, 2018 4:48 PM
To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko 
<ayour...@gmail.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VLAN to VLAN

The config looks correct and should work, assuming the following:
1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the 
192.168.2.1/24 subnet with default gateway set to that of the BVI IP address of 
192.168.2.1.
2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the 
192.168.3.1/24 subnet with default gateway set to that of the BVI IP address of 
192.168.3.1.

One improvement is to put the BVI interfaces into their own VRF by setting 
loop0 and loop1 into a specific ip table to not use the global routing table.  
For example, set the following before assigning IP address to loop0 and loop1:
   set int ip table loop0 4
   set int ip table loop1 4
This will make the routing between BD-VLANs 2 and 3 private and more secure.

Regards,
John

-Original Message-
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
Sent: Thursday, April 19, 2018 4:15 PM
To: Andrew Yourtchenko <ayour...@gmail.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VLAN to VLAN

My current VLAN config:

loopback create
set int l2 bridge loop1 2 bvi
set int ip address loop1 192.168.2.1/24
set int state loop1 up

create sub GigabitEthernet0/14/0 2
set int l2 bridge GigabitEthernet0/14/0.2 2
set int l2 tag-rewrite GigabitEthernet0/14/0.2 pop 1
set int state GigabitEthernet0/14/0.2 up


loopback create
set int l2 bridge loop2 3 bvi
set int ip address loop2 192.168.3.1/24
set int state loop2 up

create sub GigabitEthernet0/14/0 3
set int l2 bridge GigabitEthernet0/14/0.3 3
set int l2 tag-rewrite GigabitEthernet0/14/0.3 pop 1
set int state GigabitEthernet0/14/0.3 up


So this should route traffic between VLAN 2 and VLAN 3, correct?

Thanks

On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com> wrote:
>
> hi Carlito,
>
> you can configure subinterfaces with tags and assign the ip addresses 
> so the VPP does routing and then either use vnet ACLs or acl plugin to 
> restrict the traffic.
>
> —a
>
> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>
> Begin forwarded message:
>
> From: Carlito Nueno <carlitonu...@gmail.com>
> Date: April 19, 2018 at 9:03:51 AM HST
> To: dbar...@cisco.com
> Subject: VLAN to VLAN
>
> Hi Dave,
>
> How can I enable VLAN to VLAN communication? I want to have devices on 
> one VLAN talk to devices on another VLAN, if possible constrain the 
> devices by MAC or IP address.
>
> For example, only device with MAC (aa:aa:bb:80:90) or IP address
> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200 
> (192.168.3.0/24).
>
> Thanks
>
> 







-=-=-=-=-=-=-=-=-=-=-=-
Links:

You receive all messages sent to this group.

View/Reply Online (#9003): https://lists.fd.io/g/vpp-dev/message/9003
View All Messages In Topic (5): https://lists.fd.io/g/vpp-dev/topic/17639114
Mute This Topic: https://lists.fd.io/mt/17639114/21656
New Topic: https://lists.fd.io/g/vpp-dev/post

Change Your Subscription: https://lists.fd.io/g/vpp-dev/editsub/21656
Group Home: https://lists.fd.io/g/vpp-dev
Contact Group Owner: vpp-dev+ow...@lists.fd.io
Terms of Service: https://lists.fd.io/static/tos
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] VLAN to VLAN

2018-04-19 Thread John Lo (loj)
The config looks correct and should work, assuming the following:
1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the 
192.168.2.1/24 subnet with default gateway set to that of the BVI IP address of 
192.168.2.1.
2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the 
192.168.3.1/24 subnet with default gateway set to that of the BVI IP address of 
192.168.3.1.

One improvement is to put the BVI interfaces into their own VRF by setting 
loop0 and loop1 into a specific ip table to not use the global routing table.  
For example, set the following before assigning IP address to loop0 and loop1:
   set int ip table loop0 4
   set int ip table loop1 4
This will make the routing between BD-VLANs 2 and 3 private and more secure.

Regards,
John

-Original Message-
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
Sent: Thursday, April 19, 2018 4:15 PM
To: Andrew Yourtchenko <ayour...@gmail.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VLAN to VLAN

My current VLAN config:

loopback create
set int l2 bridge loop1 2 bvi
set int ip address loop1 192.168.2.1/24
set int state loop1 up

create sub GigabitEthernet0/14/0 2
set int l2 bridge GigabitEthernet0/14/0.2 2
set int l2 tag-rewrite GigabitEthernet0/14/0.2 pop 1
set int state GigabitEthernet0/14/0.2 up


loopback create
set int l2 bridge loop2 3 bvi
set int ip address loop2 192.168.3.1/24
set int state loop2 up

create sub GigabitEthernet0/14/0 3
set int l2 bridge GigabitEthernet0/14/0.3 3
set int l2 tag-rewrite GigabitEthernet0/14/0.3 pop 1
set int state GigabitEthernet0/14/0.3 up


So this should route traffic between VLAN 2 and VLAN 3, correct?

Thanks

On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com> wrote:
>
> hi Carlito,
>
> you can configure subinterfaces with tags and assign the ip addresses so the
> VPP does routing and then either use vnet ACLs or acl plugin to restrict the
> traffic.
>
> —a
>
> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>
> Begin forwarded message:
>
> From: Carlito Nueno <carlitonu...@gmail.com>
> Date: April 19, 2018 at 9:03:51 AM HST
> To: dbar...@cisco.com
> Subject: VLAN to VLAN
>
> Hi Dave,
>
> How can I enable VLAN to VLAN communication? I want to have devices on
> one VLAN talk to devices on another VLAN, if possible constrain the
> devices by MAC or IP address.
>
> For example, only device with MAC (aa:aa:bb:80:90) or IP address
> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
> (192.168.3.0/24).
>
> Thanks
>
> 







Re: [vpp-dev] VLAN to VLAN

2018-04-19 Thread carlito nueno
My current VLAN config:

loopback create
set int l2 bridge loop1 2 bvi
set int ip address loop1 192.168.2.1/24
set int state loop1 up

create sub GigabitEthernet0/14/0 2
set int l2 bridge GigabitEthernet0/14/0.2 2
set int l2 tag-rewrite GigabitEthernet0/14/0.2 pop 1
set int state GigabitEthernet0/14/0.2 up


loopback create
set int l2 bridge loop2 3 bvi
set int ip address loop2 192.168.3.1/24
set int state loop2 up

create sub GigabitEthernet0/14/0 3
set int l2 bridge GigabitEthernet0/14/0.3 3
set int l2 tag-rewrite GigabitEthernet0/14/0.3 pop 1
set int state GigabitEthernet0/14/0.3 up


So this should route traffic between VLAN 2 and VLAN 3, correct?

Thanks

On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko  wrote:
>
> hi Carlito,
>
> you can configure subinterfaces with tags and assign the ip addresses so the
> VPP does routing and then either use vnet ACLs or acl plugin to restrict the
> traffic.
>
> —a
>
> On 19 Apr 2018, at 21:07, Dave Barach  wrote:
>
> Begin forwarded message:
>
> From: Carlito Nueno 
> Date: April 19, 2018 at 9:03:51 AM HST
> To: dbar...@cisco.com
> Subject: VLAN to VLAN
>
> Hi Dave,
>
> How can I enable VLAN to VLAN communication? I want to have devices on
> one VLAN talk to devices on another VLAN, if possible constrain the
> devices by MAC or IP address.
>
> For example, only device with MAC (aa:aa:bb:80:90) or IP address
> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
> (192.168.3.0/24).
>
> Thanks
>
> 




Re: [vpp-dev] VLAN to VLAN

2018-04-19 Thread Andrew Yourtchenko

hi Carlito,

you can configure subinterfaces with tags and assign the ip addresses so the 
VPP does routing and then either use vnet ACLs or acl plugin to restrict the 
traffic.

—a

> On 19 Apr 2018, at 21:07, Dave Barach  wrote:
> 
> Begin forwarded message:
> 
>> From: Carlito Nueno 
>> Date: April 19, 2018 at 9:03:51 AM HST
>> To: dbar...@cisco.com
>> Subject: VLAN to VLAN
>> 
>> Hi Dave,
>> 
>> How can I enable VLAN to VLAN communication? I want to have devices on
>> one VLAN talk to devices on another VLAN, if possible constrain the
>> devices by MAC or IP address.
>> 
>> For example, only device with MAC (aa:aa:bb:80:90) or IP address
>> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
>> (192.168.3.0/24).
>> 
>> Thanks
> 


[vpp-dev] VLAN to VLAN

2018-04-19 Thread Dave Barach
Begin forwarded message:

> From: Carlito Nueno 
> Date: April 19, 2018 at 9:03:51 AM HST
> To: dbar...@cisco.com
> Subject: VLAN to VLAN
> 
> Hi Dave,
> 
> How can I enable VLAN to VLAN communication? I want to have devices on
> one VLAN talk to devices on another VLAN, if possible constrain the
> devices by MAC or IP address.
> 
> For example, only device with MAC (aa:aa:bb:80:90) or IP address
> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
> (192.168.3.0/24).
> 
> Thanks

