Currently I have just 1 client connected.

vpp# show nat44 sessions
NAT44 sessions:
  100.64.0.1: 100 dynamic translations, 0 static translations


Here are all of the VPP commands used (involve a few TAP and bvi
interfaces):
Is there a command history option in vpp cli?

loopback create
set int l2 bridge loop0 1 bvi
set int ip address loop0 192.168.10.1/24
set int state loop0 up

tap connect lstack address 192.168.10.2/24
set int l2 bridge tapcli-0 1
set int state tapcli-0 up

loopback create
set int l2 bridge loop1 2 bvi
set int ip address loop1 192.168.100.1/24
set int state loop1 up

tap connect lstack1 address 192.168.100.2/24
set int l2 bridge tapcli-1 2
set int state tapcli-1 up

nat44 add interface address loop0
set interface nat44 in loop1 out loop0
nat44 add address 192.168.10.20 - 192.168.10.30

set int l2 bridge GigabitEthernet0/3/0 1
set int state GigabitEthernet0/3/0 up

ip route add 100.64.0.0/24 via 192.168.100.2
ip route add 0.0.0.0/0 via 192.168.10.3

set ipfix exporter collector 192.168.4.3 port 2055 src 192.168.10.1
nat ipfix logging


On Mon, Apr 16, 2018 at 3:07 PM, Matus Fabian -X (matfabia - PANTHEON
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

> How many NAT sessions did the client create? IPfix should send at least templates
> every 20 seconds if there is no data. You can manually send cached IPfix
> data and templates by “ipfix flush”. Could you please provide your VPP
> config (all used CLI config commands)? There are a couple of NAT IPfix tests
> and all pass.
>
>
>
> Matus
>
>
>
>
>
> *From:* Hamid Rasool <hamidras...@gmail.com>
> *Sent:* Monday, April 16, 2018 11:09 AM
>
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev <vpp-dev@lists.fd.io>
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> I have not made any changes to the default startup config, i.e. there is
> no 'nat { }' present in the config and the plugins and dpdk sections
> commented out.
>
>
>
> I want these templates for NAT44 Session create and NAT44 Session delete
> events:
>
> observationTimeMilliseconds    64
> natEvent                       8
> sourceIPv4Address              32
> postNATSourceIPv4Address       32
> protocolIdentifier             8
> sourceTransportPort            16
> postNAPTSourceTransportPort    16
>
> I have also moved to the master since last week (and have noticed some
> details added to show nat44 commands), my version is now:
> vpp v18.07-rc0~26-ge150238
>
>
>
> Thanks.
>
>
>
> On Mon, Apr 16, 2018 at 12:50 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Hi,
>
>
>
> What is your NAT plugin config and what NAT IPfix event do you want
> trigger?
>
>
>
> Matus
>
>
>
>
>
> *From:* Hamid Rasool <hamidras...@gmail.com>
> *Sent:* Monday, April 16, 2018 9:12 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev <vpp-dev@lists.fd.io>
>
>
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Hi Matus,
>
>
>
> I have tried setting up NFSen and NFDump setup on a logically connected VM
> with my VPP instance. I have then used the 2 commands that you added in the
> Wiki:
>
>
>
> vpp# set ipfix exporter collector 192.168.4.3 port 2055(listening port)
> src 192.168.10.1(outbound interface IP)
>
> vpp# nat ipfix logging
>
>
>
> The graphs did not show anything after I passed iperf and ping traffic
> from the CG-NAT host clients, and did not even observe any traffic in
> tcpdump at the collector machine. I have verified ping connectivity from
> VPP machine to the collector machine and conf files + netstat to verify the
> listening port.
>
>
>
> Does VPP maintain any local logs for the ipfix exports?
>
>
>
> Regards.
>
>
>
>
>
> On Mon, Apr 9, 2018 at 11:39 AM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Only CLI commands, no startup config changes required
>
>
>
> Matus
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Monday, April 9, 2018 8:06 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
>
>
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Thanks again Matus. Especially for updating the Wiki!
>
>
>
> Do I need to change anything in the startup config to enable ipfix in NAT
> or do the CLI commands in the example config work as standard?
>
>
>
> On Mon, Apr 9, 2018 at 10:20 AM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Supported templates for deterministic NAT
> https://wiki.fd.io/view/VPP/NAT#IPFIX_templates
>
> Supported templates for standard NAT
> https://wiki.fd.io/view/VPP/NAT#NAT_IPFIX_logging
>
> IPFix data and template records are transmitted over UDP (
> https://tools.ietf.org/html/rfc7011, https://tools.ietf.org/html/rfc8158)
>
> IPFix example configuration
> https://wiki.fd.io/view/VPP/NAT#Enable_NAT_plugin_IPFIX_logging_example
>
>
>
> Matus
>
>
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Friday, April 6, 2018 4:23 PM
>
>
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Thanks Matus for the rapid response. The del command did the trick and I
> will try to repeat the setup for 18.04-rc1 build. I also got some more info
> through the command 'show nat44 detail' which did not show up by ? in the
> CLI by default.
>
>
>
> About IPFIX logging, can you suggest an example template to perform the
> logging:
>
> e.g.
>
> nat {
>
> NAT44 Addresses exhausted
>
> NAT44 Session create
>
> NAT44 Session delete
>
> }
>
>
>
> Also, any pointers to access these IPFIX logs for nat session details
> without using deterministic NAT once the logging has been enabled would also
> be very helpful.
>
>
>
> Regards,
>
> Hamid
>
>
>
> On Fri, Apr 6, 2018 at 3:42 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> “show nat44 deterministic mappings” probably doesn’t work because you use
> an older version of VPP (this was changed in 1804)
>
> To delete NAT deterministic mapping use “nat44 deterministic add in
> <addr>/<plen> out <addr>/<plen> del”
>
> Currently you can’t allocate a specific number of ports of the external
> address to the internal clients. It is possible to implement this, patches
> are welcome.
>
> NAT plugin uses IPfix for logging events
> https://wiki.fd.io/view/VPP/NAT#IPFIX_templates. Deterministic NAT doesn’t
> log sessions since the internal address is statically mapped to a set of
> external ports of the address (purpose of deterministic NAT is to reduce
> logging https://tools.ietf.org/html/rfc7422).
>
>
>
> Matus
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Friday, April 6, 2018 12:16 PM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Thanks Fabian.
>
>
>
> I have configured these steps and it seems to work (although some
> variations of nat deterministic add command caused vpp to crash and reset
> configurations though). However, there is another command in the VPP/NAT
> wiki: "show nat44 deterministic mappings" which does not seem to work.
>
> The "show nat44" command only seems to work however:
>
>
>
> vpp# nat44 deterministic add in 10.10.3.0/25 out 192.168.100.64/28
>
> vpp# show nat44
>
> NAT plugin mode: deterministic mapping
>
> udp timeout: 300sec
>
> tcp-established timeout: 7440sec
>
> tcp-transitory timeout: 240sec
>
> icmp timeout: 60sec
>
> 1 deterministic mappings
>
>
>
>
>
> I want to ask how we can delete a pool mapping once we have set it or even
> change it because there seem to be no options to do that. Another query is
> about how we can allocate a specific number of ports of the external
> address to the internal clients. Let's say I want to map 8 internal
> addresses to 1 external for a pool of external addresses, which makes about
> 8000 ports (out of 65000) for each internal address. Is there any way to
> implement this?
>
> Last question for now, where are the session logs stored for NAT for each
> flow of packets? Does VPP provide syslog stats or any flow records for nat
> sessions?
>
>
>
> Thanks again!
>
>
>
>
>
>
>
>
>
>
> On Mon, Mar 19, 2018 at 5:19 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Hi,
>
>
>
> There is example of CGNAT configuration for currently supported feature
> set https://wiki.fd.io/view/VPP/NAT#Example_configuration
>
>
>
> Basically you need to do the following 3 steps:
>
> To enable CGNAT mode of NAT plugin add the following to startup config: “nat {
> deterministic }”
>
> Set inside and outside interfaces: set interface nat44 in <intfc> out
> <intfc>
>
> Set pool address range for inside network range: nat44 deterministic add
> in <addr>/<plen> out <addr>/<plen>
>
>
>
> That is all you can currently configure.
>
>
>
> Matus
>
>
>
>
>
> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> *On Behalf Of *Hamid
> via Lists.Fd.Io
> *Sent:* Monday, March 19, 2018 1:03 PM
> *To:* vpp-dev@lists.fd.io
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Hi,
>
> I have a Ubuntu server machine having 32 cores and four 1 Gigabit NICs
> with KVM hypervisor. I want to test VPP performance for CGNAT in NAT444
> mode while supporting routing protocols like BGP and IS-IS on VM topology
> setup. Kindly direct me somewhere to get me started. The usage of CGNAT
> with a pool of out address ranges and allocating port numbers is not
> directly explained in the NAT plugin Wiki page. Any info regarding how to
> generate packet traffic to check performance in terms of number of
> concurrent sessions handled by CGNAT on my hardware will also be
> appreciated.
>
> I have tried the progressive VPP tutorial but some of the switching
> related exercises are not functioning as expected and there is no similar
> tutorial or guide to apply CG-NAT along with routing as a PoC software
> router would do. Integration with FRR as per FRR wiki was also outdated and
> could not be achieved on my setup.
>
> Waiting for suggestions. Thanks!
>
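As an added example (not part of the thread and not VPP code), a collector-side decoder for the NAT44 session fields requested above, following the RFC 7011 message layout with IANA element ids and RFC 8158 natEvent values. The template id 256, timestamps and ports in the sample message are constructed; the addresses are taken from the configuration above.

```python
import struct

# IANA IPFIX element ids for the thread's fields; enterprise-specific fields assumed absent.
IE_NAMES = {323: "observationTimeMilliseconds", 230: "natEvent", 8: "sourceIPv4Address",
            225: "postNATSourceIPv4Address", 4: "protocolIdentifier",
            7: "sourceTransportPort", 227: "postNAPTSourceTransportPort"}
NAT_EVENTS = {3: "NAT addresses exhausted", 4: "NAT44 session create", 5: "NAT44 session delete"}

def decode_field(ie_id, raw):
    if ie_id in (8, 225):                     # IPv4 address elements
        return ".".join(map(str, raw))
    value = int.from_bytes(raw, "big")
    return NAT_EVENTS.get(value, value) if ie_id == 230 else value

def parse_ipfix(msg, templates):
    """Decode one message; `templates` caches template id -> [(ie_id, length)]."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16                     # skip the 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, pos = msg[off + 4:off + set_len], 0
        while set_id == 2 and pos + 4 <= len(body):     # template set
            tid, count = struct.unpack_from("!HH", body, pos)
            if tid < 256 or count == 0:                 # padding or withdrawal: stop
                break
            templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
            pos += 4 + 4 * count
        fields = templates.get(set_id, []) if set_id >= 256 else []
        rec_len = sum(flen for _, flen in fields)
        while rec_len and pos + rec_len <= len(body):   # data set with a known template
            rec = {}
            for ie_id, flen in fields:
                rec[IE_NAMES.get(ie_id, ie_id)] = decode_field(ie_id, body[pos:pos + flen])
                pos += flen
            records.append(rec)
        off += set_len
    return records

def build_sample():
    """Constructed message: template 256 (id assumed) plus one session-create record."""
    fields = [(323, 8), (230, 1), (8, 4), (225, 4), (4, 1), (7, 2), (227, 2)]
    tmpl = struct.pack("!HH14H", 256, len(fields), *sum(fields, ()))
    data = struct.pack("!QB4s4sBHH", 1523880000000, 4, bytes([100, 64, 0, 1]),
                       bytes([192, 168, 10, 20]), 6, 40000, 1024)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 1523880000, 0, 1) + sets
```

A data set whose template has not been seen yet is skipped, so a collector started after the exporter decodes nothing until the next template arrives.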