Re: [vpp-dev] error: static mapping: Mapping already exist

Commands looks good to me, please provide us more details (another CLI commands used, nat startup configuration, …) Matus From: vpp-dev@lists.fd.io On Behalf Of Shahid Khan Sent: Wednesday, February 20, 2019 4:54 PM To: Ole Troan Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] error: static

Re: [vpp-dev] error: static mapping: Mapping already exist

Hi, I try something similar with 19.01 release and no error. Matus From: vpp-dev@lists.fd.io On Behalf Of Shahid Khan Sent: Wednesday, February 20, 2019 8:58 AM To: vpp-dev@lists.fd.io Subject: [vpp-dev] error: static mapping: Mapping already exist I'm new to VPP and just pulled 19.01

Re: [vpp-dev] [NAT] Assign same external IP

Hi, There is no plan to implement PAP. There is one solution in my mind “port block allocation”. When creating user (first session), instead of allocating single port multiple ports of single IP address are allocated for given user. Block size should be configurable and will be free when

Re: [vpp-dev] [NAT] Assign same external IP

Hi, There is no guarantee that user always get same external address if you have multiple external addresses. What you are referring to mean standard/vanilla NAT use endpoint-independent mapping (RFC4787 section 4.1.) and filtering (RFC4787 section 5.), something different. What you want is

Re: [vpp-dev] [NAT] Assign same external IP

Hi, Default assignment algorithm support address per fib (tenant) https://wiki.fd.io/view/VPP/NAT#NAT44_add_pool_address_for_specific_tenant It just pick random port (per protocol) from first address with some available ports. In case of multithread ports a divided between worker threads.

Re: [vpp-dev] Configuring NAT and Policing together

Hi, You need to update next_nodes in VLIB_REGISTER_NODE (snat_out2in_node) too Matus -Original Message- From: vpp-dev@lists.fd.io On Behalf Of Raj Sent: Tuesday, February 5, 2019 4:02 PM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Configuring NAT and Policing together Hello all, I

Re: [vpp-dev] Configuring NAT and Policing together

Hi, You should go from nat44-out2in to ip4-policer-classify only if it is configured on given interface (check if sw_if_index0 in nat44-out2in has configured/enabled policer), I think this may be reason of ASSERT. Matus -Original Message- From: vpp-dev@lists.fd.io On Behalf Of Raj

Re: [vpp-dev] Configuring NAT and Policing together

nat44-out2in node: u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP; <...> vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, next0); whatever you specify in VNET_FEATURE_INIT runs_before is ignored for nat44-out2in, normally when you want continue to nex node in feature

Re: [vpp-dev] Configuring NAT and Policing together

Hi, I don't think it is working way you wanted since nat44-out2in goes directly to ip4-lookup instead of continue in feature arc to ip4-policer-classify. Matus -Original Message- From: Raj Sent: Tuesday, January 22, 2019 3:00 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES

Re: [vpp-dev] Configuring NAT and Policing together

comments inline Matus -Original Message- From: vpp-dev@lists.fd.io On Behalf Of Raj Sent: Tuesday, January 22, 2019 1:06 PM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Configuring NAT and Policing together Hi Matus, We were looking to modify the flow so that the south->north path

Re: [vpp-dev] Configuring NAT and Policing together

Hi, You can use ip4-policer-classify before NAT node. Add nat44-in2out or nat44-out2in to ip4_policer_classify runs_before list VNET_FEATURE_INIT (ip4_policer_classify, static) = { .arc_name = "ip4-unicast", .node_name = "ip4-policer-classify", .runs_before = VNET_FEATURES

Re: [vpp-dev] nat: create NAT session failed

Hi, For endpoint dependent NAT oldest session per user is recycled only when expired (classic/vanilla NAT recycle always). Matus From: vpp-dev@lists.fd.io On Behalf Of carlito nueno Sent: Friday, January 18, 2019 7:45 AM To: vpp-dev@lists.fd.io Subject: [vpp-dev] nat: create NAT session

Re: [vpp-dev] nat44:twice nat

this feature? saint_sun From: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io<mailto:matfabia=cisco@lists.fd.io> Date: 2019-01-15 18:00 To: saint_...@aliyun.com<mailto:saint_...@aliyun.com>; vpp-dev<mailto:vpp-dev@lists.fd.

Re: [vpp-dev] nat44:twice nat

Hi, twice NAT is currently supported only for TCP and UDP Matus From: vpp-dev@lists.fd.io On Behalf Of saint_sun ? via Lists.Fd.Io Sent: Tuesday, January 15, 2019 10:47 AM To: vpp-dev Cc: vpp-dev@lists.fd.io Subject: [vpp-dev] nat44:twice nat hi all, I want to use twice-nat，but when I send

Re: [SUSPECTED SPAM] [vpp-dev] IPFIX Nat Logging

Hi, VPP configuration look good to me, I am not sure what is wrong. Maybe try to check “show interface” output, IPfix should add 9 additional tx packets for GigabitEthernet3/0/0 after ping and “ipfix flush” command. Matus From: vpp-dev@lists.fd.io On Behalf Of emma sdi Sent: Wednesday,

Re: [SUSPECTED SPAM] [vpp-dev] IPFIX Nat Logging

https://wiki.fd.io/view/VPP/NAT#Enable_NAT_plugin_IPFIX_logging_example You can also take a look at NAT plugin test https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blob;f=test/test_nat.py;h=c64359a4db743ebf187c4198a12b2e3c80f5433d;hb=HEAD#l2646 Matus From: khers Sent: Wednesday, January 9, 2019

Re: [vpp-dev] nat: specify a pool for an outgoing interface

Address and port allocation function example https://gerrit.fd.io/r/#/c/14643/ Matus From: khers Sent: Monday, January 7, 2019 4:13 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev Subject: Re: [vpp-dev] nat: specify a pool for an outgoing interface Dear

Re: [SUSPECTED SPAM] [vpp-dev] IPFIX Nat Logging

Hi, Do you receive at least IPfix templates on collector? Matus From: khers Sent: Sunday, January 6, 2019 8:58 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev Subject: Re: [SUSPECTED SPAM] [vpp-dev] IPFIX Nat Logging Hi, I tried that but I didn't get any log

Re: [vpp-dev] Question regarding captive portal

Hi, Could you please provide packet trace? Matus -Original Message- From: Carlito Nueno Sent: Friday, January 4, 2019 10:34 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Question regarding captive portal Hi Matus,

Re: [vpp-dev] nat: specify a pool for an outgoing interface

Hi, Your requirement is not supported currently. Maybe you can implement it using NAT as output feature and write your own address and port allocation function. Matus From: khers Sent: Sunday, January 6, 2019 3:35 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc:

Re: [vpp-dev] nat: specify a pool for an outgoing interface

Hi, You can translate to different addresses only packets from different VRF https://wiki.fd.io/view/VPP/NAT#NAT44_add_pool_address_for_specific_tenant Matus From: vpp-dev@lists.fd.io On Behalf Of emma sdi Sent: Tuesday, January 1, 2019 9:10 AM To: vpp-dev Subject: [vpp-dev] nat: specify a

Re: [vpp-dev] Question regarding captive portal

Hi, Run NAT plugin in endpoint-dependent mode (add following to startup config “nat { endpoint-dependent }”), enable NAT feature “set interface nat44 in tap3 out GigabitEthernet4/0/0” and create static mapping “nat44 add static mapping tcp local 192.168.1.2 80 external GigabitEthernet4/0/0 80

Re: [SUSPECTED SPAM] [vpp-dev] IPFIX Nat Logging

Hi, IPfix events are aggregated, to send it immediately use “ipfix flush" Matus From: vpp-dev@lists.fd.io On Behalf Of emma sdi Sent: Tuesday, December 25, 2018 1:49 PM To: vpp-dev Subject: [SUSPECTED SPAM] [vpp-dev] IPFIX Nat Logging Dear Vpp, I'd just configured a simple snat to check

Re: [vpp-dev] NAT workers above 4 completely tanks performance

Is worker distribution same in case of multiple clients (you ca see this with same “show run” exercise, take a look at number of interface and nat44-in2out calls for each core)? Maybe you should try to play with interface rx queue placement (you can see it in “show interface rx-placement”

Re: [vpp-dev] NAT workers above 4 completely tanks performance

Hi, in your case most of NAT translations are done in one core. With 4 cores you are lucky and flows arrive at same core where translations are processing (no worker handoff) and with 10 cores there is worker handoff between two workers and it is reason of performance drop. Basically your

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

? John Sent from my phone On Tue, Dec 18, 2018 at 10:28 AM +, "Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io" mailto:matfabia=cisco@lists.fd.io>> wrote: Session/mapping key is 4-tuple (client address, port, fib index and protocol), internal

Re: [vpp-dev] Worker Thread Dead Lock on NAT44 IPFIX

Hi, NAT code should be rewritten Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Wednesday, December 19, 2018 4:56 PM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Worker Thread Dead Lock on NAT44 IPFIX hi Matus Thanks for your answer, can you explain more

Re: [vpp-dev] Worker Thread Dead Lock on NAT44 IPFIX

Hi, NAT process all ipfix events in main thread. I think this should be reworked to per worker thread processing like flowprobe plugin Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Wednesday, December 19, 2018 8:29 AM To: vpp-dev@lists.fd.io Subject: Re:

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

different external IPs to an endpoint if the client opens two separate sessions over two different ports? John Sent from my phone On Tue, Dec 18, 2018 at 10:28 AM +, "Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io" mailto:matfabia=cisco@lists.fd.

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

Session/mapping key is 4-tuple (client address, port, fib index and protocol), internal address and port is mapped always to same external address and port no matter what is the endpoint

Re: [vpp-dev] Config NAT plugin for with dynamic translations

I think this is issue when handoff queue is congested (multiple workers), this was fixed in 18.10 Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Tuesday, December 18, 2018 10:36 AM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Config NAT plugin for with

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

Endpoint independent mapping is default behaviour Matus From: John Biscevic Sent: Tuesday, December 18, 2018 10:03 AM To: Ole Troan ; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi

Re: [vpp-dev] Config NAT plugin for with dynamic translations

Please try to use 18.10 Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Tuesday, December 18, 2018 9:43 AM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Config NAT plugin for with dynamic translations I used VPP18.04 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive

Re: [vpp-dev] Config NAT plugin for with dynamic translations

What is your VPP version? Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Tuesday, December 18, 2018 9:26 AM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Config NAT plugin for with dynamic translations vpp# show interface rx-placement Thread 1 (vpp_wk_0):

Re: [vpp-dev] Config NAT plugin for with dynamic translations

And no tx packets form the beginning? Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Tuesday, December 18, 2018 8:57 AM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Config NAT plugin for with dynamic translations yes, When ipfix disabled i have rx-miss

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

Hi, Endpoint-dependent NAT is not default behaviour, when you want to use endpoint-dependent NAT you need to adjust startup config https://wiki.fd.io/view/VPP/NAT#NAT44 Matus -Original Message- From: vpp-dev@lists.fd.io On Behalf Of JB Sent: Tuesday, December 18, 2018 12:02 AM To:

Re: [vpp-dev] Config NAT plugin for with dynamic translations

even without ipfix enabled? Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Tuesday, December 18, 2018 8:47 AM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Config NAT plugin for with dynamic translations if I config vpp without NAT (just routing) it works ,

Re: [vpp-dev] Config NAT plugin for with dynamic translations

Hi, NAT plugin configuration look good for me. Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Tuesday, December 18, 2018 8:27 AM To: vpp-dev@lists.fd.io Subject: [vpp-dev] Config NAT plugin for with dynamic translations [Edited Message Follows] Hi, I want to

Re: [vpp-dev] Packet error-drop with fragmented packets through NAT #vpp_stability

Hi, It is yet-to-be-implemented feature, deterministic mode is PoC code, it has only some basic functionality Matus From: John Biscevic Sent: Monday, December 10, 2018 12:40 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev@lists.fd.io Subject: Re: [vpp-dev]

Re: [vpp-dev] Packet error-drop with fragmented packets through NAT #vpp_stability

Hi, Deterministic mode doesn’t support fragments. Matus From: John Biscevic Sent: Monday, December 10, 2018 10:36 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Packet error-drop with fragmented packets through NAT

Re: [vpp-dev] Lookup in VPP NAT

Hi, https://wiki.fd.io/view/VPP/NAT NAT44 (vanilla/simple and endpoint-dependent mode) lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Matus -Original Message- From: vpp-dev@lists.fd.io On Behalf Of Yuan Fan

Re: [vpp-dev] NAT44 && VXLAN tunnel && ip reassembly && ip frag can not work correctly at vpp stable/1810

https://gerrit.fd.io/r/#/c/16048/ Matus From: 王传国 Sent: Tuesday, November 20, 2018 9:41 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev Subject: 回复: RE: [vpp-dev] NAT44 && VXLAN tunnel && ip reassembly && ip frag can not work correctly at vpp stable/1810 I am

Re: [vpp-dev] NAT44 && VXLAN tunnel && ip reassembly && ip frag can not work correctly at vpp stable/1810

Hi, There is bug in NAT fragment processing code when “nat44 forwarding enable” is used. I will fix it. Matus From: vpp-dev@lists.fd.io On Behalf Of ??? Sent: Tuesday, November 20, 2018 3:43 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev Subject: 回复: RE:

Re: [vpp-dev] NAT44 && VXLAN tunnel && ip reassembly && ip frag can not work correctly at vpp stable/1810

Hi, In packet trace is missing second fragment for “Packet 2” fragment id 0x047f (VXLAN packet fragment), probably “Packet 3”. “Packet 4” contain second fragment of ICMP packet. First ICMP fragment is encapsulated but VXLAN packet is too big and is fragmented too. Matus From: 王传国 Sent:

Re: [vpp-dev] About Strongswan on VPP

probably some API changes, maybe add NAT traversal support, there are some ugly hacks in code and so on... Matus From: tianye@sina Sent: Tuesday, November 6, 2018 10:38 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev@lists.fd.io Subject: RE: About Strongswan on

Re: [vpp-dev] About Strongswan on VPP

Hi, Currently I don't have any plan to upstream my strongswan patches. I guess code is little bit outdated now since I tested it with VPP 18.04 and keep in mind that code is PoC quality. There are two plugins for VPP in strongswan kernel_vpp (IPSec and networking backend for VPP) and

Re: [vpp-dev] Memory Performance issue #vpp

Hi, Deterministic NAT preallocate vector with 1000 session slots for each host from inside network range, so it will take some time https://wiki.fd.io/view/VPP/NAT#Memory_requirements Matus From: vpp-dev@lists.fd.io On Behalf Of david.leitch@gmail.com Sent: Wednesday, October 24, 2018

Re: [vpp-dev] Packet error-drop with fragmented packets through NAT #vpp_stability

Hi John, Fix in master and stable/1810 branch Matus From: vpp-dev@lists.fd.io On Behalf Of JB Sent: Friday, October 19, 2018 9:14 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Packet error-drop with fragmented packets through

Re: [vpp-dev] Packet error-drop with fragmented packets through NAT #vpp_stability

Hi John, There is bug in NAT code for ICMP fragments. I will fix it as soon as possible. Thanks, Matus From: vpp-dev@lists.fd.io On Behalf Of JB Sent: Thursday, October 18, 2018 12:48 PM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Packet error-drop with fragmented packets through NAT

Re: [vpp-dev] DSCP support in VPP

Hi Martin, DSCP value is currently copied to outer IP header https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blob;f=src/vnet/ipsec/esp_encrypt.c;h=4291e946b3644f9d85a0998359799103d25a52f2;hb=HEAD#l253 Based on RFC4301 (section 4.1) DSCP is not traffic selector parameter of SPD entry/policy and

Re: [vpp-dev] ipsec vpn(site to site)

Hi, Actually VPP can be IKE initiator, wiki is little bit outdated, see https://gerrit.fd.io/r/#/c/5401/ Matus From: vpp-dev@lists.fd.io On Behalf Of xulang Sent: Wednesday, August 29, 2018 8:45 AM To: vpp-dev@lists.fd.io Subject: [vpp-dev] ipsec vpn(site to site) Hi all, I'd like to build

Re: [vpp-dev] Endless NAT Questions

Hi Jon, I’ve updated nat_show_config_reply https://gerrit.fd.io/r/#/c/14411/, hope it is all here now Matus From: vpp-dev@lists.fd.io On Behalf Of Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io Sent: Thursday, August 16, 2018 7:45 AM To: Jon Loeliger ; vpp-dev Cc

Re: [vpp-dev] Endless NAT Questions

I think nat_show_config_reply should be augmented with some fields reflecting newer features. You are correct deterministic and endpoint-dependent are mutually exclusive. Matus From: vpp-dev@lists.fd.io On Behalf Of Jon Loeliger Sent: Wednesday, August 15, 2018 10:39 PM To: vpp-dev Subject:

Re: [vpp-dev] NAT Fragment Reassembly

Max_frag value is applied when fragments arrived out of order (non-initial fragments arrive before first fragment which contains L4 header), fragments are stored and waiting for first fragment (max_frag is limit for number of stored fragments). Fragments are dropped in nat44-in2out-reass or

Re: [vpp-dev] NAT Fragment Reassembly

Hi Jon, NAT plugin does virtual fragment reassembly – it enables to translate non-initial fragments without L4 header otherwise NAT is unable to gather port information from the non-initial fragment, packet is still broken into several fragments after NAT translation. Matus From:

Re: [vpp-dev] NAT64 TCP Session never expire

Hi, Fix for TCP expire issue https://gerrit.fd.io/r/#/c/14207/ Matus From: vpp-dev@lists.fd.io On Behalf Of xuliang Sent: Monday, August 13, 2018 6:32 AM To: vpp-dev@lists.fd.io Cc: mocan ; wenxu ; 'houzhiyuan' Subject: [vpp-dev] NAT64 TCP Session never expire Hi Dear VPP， I did some

Re: [vpp-dev] NAT64 TCP Session never expire

Hi, You are right there is bug. For multiple thread there is handoff node which send packet to correct thread. Matus From: vpp-dev@lists.fd.io On Behalf Of xuliang Sent: Monday, August 13, 2018 6:32 AM To: vpp-dev@lists.fd.io Cc: mocan ; wenxu ; 'houzhiyuan' Subject: [vpp-dev] NAT64 TCP

Re: [vpp-dev] syslog in snat

elf to no avail. Thanks. On Sun, Apr 8, 2018 at 11:44 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) mailto:matfa...@cisco.com>> wrote: Deterministic NAT is dedicated to CGN so no logging of sessions planed. Syslog is still in todo list, but contribution of patch is

Re: [vpp-dev] [Bug] VPP crashes using deterministic CGN

sh when VM connects with VPP in deterministic mode. Kindly, provide an explanation for the crash or a workaround for this. From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> [mailto:vpp-dev@lists.fd.io] On Behalf Of Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.I

Re: [vpp-dev] [Bug] VPP crashes using deterministic CGN

There is fix https://gerrit.fd.io/r/#/c/14106/ Matus From: vpp-dev@lists.fd.io On Behalf Of Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io Sent: Thursday, August 9, 2018 1:51 PM To: arsalan.sag...@xflowresearch.com; vpp-dev@lists.fd.io Cc: vpp-dev@lists.fd.io Subject

Re: [vpp-dev] [Bug] VPP crashes using deterministic CGN

Hi, There is bug in snat_interface_add_del, it should not enable nat44-hairpinning node, I will fix it Matus From: vpp-dev@lists.fd.io On Behalf Of arsalan.sag...@xflowresearch.com Sent: Thursday, August 9, 2018 1:16 PM To: vpp-dev@lists.fd.io Cc: 'Fazal-e-Rehman Khan' Subject: [vpp-dev]

Re: [vpp-dev] syslog in snat

Subject: Re: [vpp-dev] syslog in snat Hi all, I'm just checking in to see if anyone made progress on syslog? I've tried to look at the code and submit a patch myself to no avail. Thanks. On Sun, Apr 8, 2018 at 11:44 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) mailto:matfa

Re: [vpp-dev] NAT output-feature

Hi, Only difference is that nat44-in2out-output send packet to interface-output instead of ip4-lookup Instead of "set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/a/0" use "set interface nat44 out GigabitEthernet0/a/0 output-feature" and if you need hairpining use "set

Re: [vpp-dev] Figure out u16 mapping in NAT API output

https://gerrit.fd.io/r/#/c/12309/ Matus From: Hamid Rasool <14mseesras...@seecs.edu.pk> Sent: Wednesday, May 2, 2018 7:24 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Figure out u16 mapping in NAT API

Re: [vpp-dev] Figure out u16 mapping in NAT API output

There is bug, fields are decoded wrong way in vl_api_nat44_user_session_details_t_handler (nat_test.c) Just note, nat44_user_session_dump works only with non-deterministic NAT. Matus From: vpp-dev@lists.fd.io On Behalf Of Hamid via Lists.Fd.Io Sent: Wednesday, May 2,

Re: [vpp-dev] #vpp CGNAT implementation in VPP

You can use vat console Matus From: Hamid Rasool <14mseesras...@seecs.edu.pk> Sent: Tuesday, April 24, 2018 12:52 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP Thanks. I

Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi, You can’t use deterministic and non-deterministic NAT commands at same time. When you want to store active deterministic sessions somewhere you can use API nat_det_session_dump (https://wiki.fd.io/view/VPP/NAT#API_2), just call this API periodically. Matus From: Hamid Rasool

Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi, Are internal addresses you used sequence or are randomly selected from internal network range? Deterministic NAT use sequential outside address and port range assignment (first block of external address goes to first address from inside network range, second block of external address goes

Re: [vpp-dev] #vpp CGNAT implementation in VPP

Src address is mandatory parameter Matus From: Hamid Rasool <14mseesras...@seecs.edu.pk> Sent: Monday, April 23, 2018 7:31 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP Is

Re: [vpp-dev] #vpp CGNAT implementation in VPP

This should send some IPfix NAT44 session create events. Do you observe any traffic in tcpdump at the collector machine when use “ipfix flush”? This command should at least send IPfix templates. Matus From: vpp-dev@lists.fd.io On Behalf Of Hamid via Lists.Fd.Io Sent:

Re: [vpp-dev] #vpp CGNAT implementation in VPP

How many NAT session client create? IPfix should send at least templates each 20 seconds if there is no data. You can manually send cached IPfix data and templates by “ipfix flush”. Could you please provide your VPP config (all used CLI config commands)? There are couple of NAT IPfix tests and

Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi, What is your NAT plugin config and what NAT IPfix event do you want trigger? Matus From: Hamid Rasool Sent: Monday, April 16, 2018 9:12 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev

Re: [vpp-dev] VPP crash bug in CGNAT module

Hi, When NAT plugin is running in deterministic mode you should use only CLI commands from list here https://wiki.fd.io/view/VPP/NAT#CLI_2 (for 1801 works only “show nat44” instead of all “show nat44 deterministic …” commands”) You should not use “nat44 add interface address” or “nat44 add

Re: [vpp-dev] syslog in snat

Deterministic NAT is dedicated to CGN so no logging of sessions planed. Syslog is still in todo list, but contribution of patch is welcome. Matus From: vpp-dev@lists.fd.io On Behalf Of Hamid via Lists.Fd.Io Sent: Monday, April 9, 2018 7:53 AM To: vpp-dev@lists.fd.io Cc:

Re: [vpp-dev] #vpp CGNAT implementation in VPP

Only CLI commands, no startup config changes required Matus From: Hamid Rasool <14mseesras...@seecs.edu.pk> Sent: Monday, April 9, 2018 8:06 AM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) ; vpp-dev Subject: Re: [vpp-dev] #vpp CGNAT

Re: [vpp-dev] IPSEC VPN

Hi, Protected is only traffic which match SPD entry with action protect, action bypass skip IPsec encapsulation https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#SPD_entry_creation You can specify traffic selectors parameters and priority of entry Matus From: vpp-dev@lists.fd.io

Re: [vpp-dev] #vpp CGNAT implementation in VPP

Supported templates for deterministic NAT https://wiki.fd.io/view/VPP/NAT#IPFIX_templates Supported templates for standard NAT https://wiki.fd.io/view/VPP/NAT#NAT_IPFIX_logging IPFix data and template records are transmitted over UDP (https://tools.ietf.org/html/rfc7011,

Re: [vpp-dev] #vpp CGNAT implementation in VPP

“show nat44 deterministic mappings” probably doesn’t work because you use older version of the VPP (this was changed in 1804) To delete NAT deterministic mapping use “nat44 deterministic add in / out / del” Currently you can’t alocate specific number of ports of the external address to the

Re: [vpp-dev] Multiple Static Mappings

lists.fd.io> Cc: vpp-dev <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> Subject: Re: [vpp-dev] Multiple Static Mappings On Wed, Apr 4, 2018 at 11:24 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) <matfa...@cisco.com<mailto:matfa...@cisco.com>> wrote:

Re: [vpp-dev] Multiple Static Mappings

Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) <matfa...@cisco.com<mailto:matfa...@cisco.com>> wrote: When using static mapping with port number external address/interface must be added to NAT pool otherwise static mapping won’t be resolved when interface obtain IP addre

Re: [vpp-dev] Multiple Static Mappings

com> Sent: Wednesday, April 4, 2018 5:41 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> Cc: vpp-dev <vpp-dev@lists.fd.io> Subject: Re: [vpp-dev] Multiple Static Mappings On Wed, Apr 4, 2018 at 5:34 AM, Matus Fabian -X (matfabia - PANTHEON

Re: [vpp-dev] Multiple Static Mappings

Fixed https://gerrit.fd.io/r/#/c/11505/ Matus From: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Sent: Wednesday, April 4, 2018 7:29 AM To: 'Jon Loeliger' ; vpp-dev Subject: RE: Multiple Static Mappings Hi Jon, This does not work properly,

Re: [vpp-dev] Removing a NAT static mapping

Hi Jon, My bad I use wrong interface, so issue is something different. Issue fixed https://gerrit.fd.io/r/#/c/11503/ DBGvpp# show interface GigabitEthernet0/8/0 addr GigabitEthernet0/8/0 (dn): L3 172.16.2.1/24 DBGvpp# show nat44 static mappings NAT44 static mappings: DBGvpp# nat44 add static

Re: [vpp-dev] Multiple Static Mappings

Hi Jon, This does not work properly, should be prohibited. I will fix issue. Thanks, Matus From: Jon Loeliger Sent: Tuesday, April 3, 2018 6:52 PM To: vpp-dev ; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Subject:

Re: [vpp-dev] Removing a NAT static mapping

Hi Jon, For static mapping without port(icmp id) protocol should be ignored, but looks like there is some bug. I will fix issue. When I don’t specify protocol it works: DBGvpp# sh interface GigabitEthernet0/8/0 addr GigabitEthernet0/8/0 (dn): L3 10.0.0.1/24 DBGvpp# sh nat44 static mappings

Re: [vpp-dev] Some DS Lite Questions

This will not work properly Matus From: vpp-dev@lists.fd.io On Behalf Of Jon Loeliger Sent: Friday, March 30, 2018 3:08 PM To: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Some DS Lite Questions On Thu, Mar 29, 2018 at 2:58 PM, Jon Loeliger

Re: [vpp-dev] Some DS Lite Questions

Hi Jon, Currently there is no way to remove B4/AFTR tunnel endpoint address. You are right ip4_addr fields are not used now, for example this can be used to report ICMP problems in future. There is no plan to make any of the NAT startup config parameters available via API now, patches are

Re: [vpp-dev] Power-cycle vpp home-gateway: nat44 static mapping vanishes

Hi Dave, Static mapping entry is deleted from resolution vector after address is set on interface snat_ip4_add_del_interface_address_cb: /* If we resolved any of the outstanding static mappings */ if (vec_len(indices_to_delete)) { /* Delete them */ for (j

Re: [vpp-dev] issues with opensuse and centos verify job for stable/1801

https://jenkins.fd.io/job/vpp-verify-1801-opensuse/166/console 05:49:33 make[2]: Leaving directory '/w/workspace/vpp-verify-1801-opensuse/dpdk' 05:49:33 sudo rpm -Uih vpp-dpdk-devel-17.11-vpp1.x86_64.rpm 05:49:33 05:49:34 package

Re: [vpp-dev] issues with opensuse and centos verify job for stable/1801

Hi Ed, Works fine for centos now. Remove of dpdk packages for opensuse is missing in patch. Thanks, Matus From: Ed Kern (ejk) Sent: Tuesday, March 13, 2018 7:00 PM To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re:

[vpp-dev] issues with opensuse and centos verify job for stable/1801

Hi, I see issues with opensuse and centos verify jobs for stable/1801 branch. The error is same for both jobs: 11:39:26 11:39:27 package vpp-dpdk-devel-18.02-vpp1.x86_64 (which is newer than vpp-dpdk-devel-17.11-vpp1.x86_64) is already installed