Hi,

You can’t use deterministic and non-deterministic NAT commands at the same time.
When you want to store active deterministic sessions somewhere you can use the API 
nat_det_session_dump (https://wiki.fd.io/view/VPP/NAT#API_2); just call this 
API periodically.

Matus


From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 11:56 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Matus.

I was using namespaces to generate internal addresses and after verifying, the 
address range was indeed deterministic.

To partially solve my logging issue, when you add the commands for 
deterministic and non-deterministic at the same time (start address-end address 
according to the outside address pool), I get back details of the current 
sessions through 'show nat44 deterministic sessions' commands. This command 
only shows the active sessions. Is there any way to make this mapping 
persistent/store these results in a file/database?

Regards.

On Tue, Apr 24, 2018 at 1:17 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Are the internal addresses you used sequential, or are they randomly selected from the 
internal network range?
Deterministic NAT uses sequential outside address and port range assignment 
(the first block of the external address goes to the first address from the inside 
network range, the second block of the external address goes to the second address, and so on). 
There is also a CLI where you can obtain the outside address and port range for a 
specific inside host, “nat44 deterministic forward <addr>”, and also a CLI to 
obtain the inside host address from a specific outside address and port pair, “nat44 
deterministic reverse <addr>:<port>”.
Example:
DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
DBGvpp# nat44 deterministic forward 10.0.55.6
1.1.1.3:<27994-28008>
DBGvpp# nat44 deterministic forward 10.0.55.7
1.1.1.3:<28009-28023>
DBGvpp# nat44 deterministic forward 10.0.55.8
1.1.1.3:<28024-28038>
DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
10.0.16.16


Matus
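The arithmetic behind the forward/reverse CLI output above, as an added example that is not VPP's own code: it assumes the per-host port slices start at port 1024 and that each inside host gets floor(64512 / sharing ratio) ports, which reproduces the figures in the example exactly. Because the whole mapping is a pure function of the two prefixes, the table() method also answers the "store the mapping persistently" question from the later mail: it can be written out once rather than logged per session.

```python
import ipaddress

PORT_BASE = 1024           # assumed: the first dynamic port handed to a host
PORT_POOL = 65535 - 1023   # assumed: 64512 usable ports per outside address


class DetMap:
    """Deterministic NAT44 mapping between an inside and an outside prefix."""

    def __init__(self, inside: str, outside: str):
        # strict=False masks host bits, so "1.1.1.1/30" becomes 1.1.1.0/30
        self.inside = ipaddress.ip_network(inside, strict=False)
        self.outside = ipaddress.ip_network(outside, strict=False)
        # sharing ratio: how many inside hosts share one outside address
        self.sharing_ratio = self.inside.num_addresses // self.outside.num_addresses
        # each inside host owns a fixed, contiguous slice of that address's ports
        self.ports_per_host = PORT_POOL // self.sharing_ratio

    def forward(self, in_addr: str):
        """Inside host -> (outside address, first port, last port)."""
        ip = ipaddress.ip_address(in_addr)
        if ip not in self.inside:
            raise ValueError(f"{in_addr} is outside {self.inside}")
        in_off = int(ip) - int(self.inside.network_address)
        out_addr = self.outside.network_address + in_off // self.sharing_ratio
        lo = PORT_BASE + (in_off % self.sharing_ratio) * self.ports_per_host
        return str(out_addr), lo, lo + self.ports_per_host - 1

    def reverse(self, out_addr: str, port: int) -> str:
        """Outside address and port -> the inside host that owns that port."""
        ip = ipaddress.ip_address(out_addr)
        if ip not in self.outside:
            raise ValueError(f"{out_addr} is outside {self.outside}")
        if not PORT_BASE <= port < PORT_BASE + self.sharing_ratio * self.ports_per_host:
            raise ValueError(f"port {port} is never assigned by this mapping")
        out_off = int(ip) - int(self.outside.network_address)
        in_off = out_off * self.sharing_ratio + (port - PORT_BASE) // self.ports_per_host
        return str(self.inside.network_address + in_off)

    def table(self):
        """Every (inside host, outside address, lo, hi) row. This is the whole
        mapping, so it can be dumped to a file once instead of logged per session."""
        for host in self.inside:
            yield (str(host),) + self.forward(str(host))


if __name__ == "__main__":
    m = DetMap("10.0.0.0/18", "1.1.1.1/30")
    print(m.forward("10.0.55.6"))         # ('1.1.1.3', 27994, 28008)
    print(m.reverse("1.1.1.1", 1276))     # 10.0.16.16
```

Note that the block boundaries are fixed by the inside prefix, not by the order in which hosts first send traffic: 16 consecutive inside addresses that straddle a block boundary land on two outside addresses.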


From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 9:44 AM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi again,

I have run into some issues while performing deterministic CG-NAT. You guys 
said that we do not require logging for this because we are sure that clients 
will get deterministic outside addresses according to the ratio. However, I had set 
the mappings ratio to 16 and created sessions using 16 different inside 
addresses. In the case of deterministic NAT, they should all map to a single outside 
address, and then the 17th different inside address should be attached to a 
different outside address. This is not the case for me, as 10 sessions are going 
to the 1st address and the other 6 are mapped to the second one.

There is currently no way to track this other than tcpdump. In the normal 
nat44, there is a show nat44 addresses which gives some idea about the 
mappings, but the show nat44 deterministic mappings (in stable/1804) only 
provides the ratio and number of ports calculated which is not too helpful.

Looking for better ideas to track these addresses or make them truly 
deterministic. Thanks.

On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Src address is a mandatory parameter

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Monday, April 23, 2018 7:31 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Is the src <IP address> necessary in the netflow export collector command? I 
have ping connectivity with the collector but still no flows are visible.
It is a bit odd because I only want to verify the inside address:inside port 
and outside address:outside port, and for that you need an extra setup.

Thanks.

On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool 
<14mseesras...@seecs.edu.pk> wrote:
No luck with the tcpdump (it only shows the broadcast routing protocol messages 
from a virtual router interface that it is connected with; my test bed topology 
has multiple hosts) during the ipfix flush command either.

Are there any logs for ipfix / NAT translation stored on the local machine 
where vpp is running? So far the only way you can obtain the translated ports 
currently is by running tcpdump on the vpp machine's outbound interface, but that 
is not viable for maintaining logging. I have tried running tcpdump on the vpp 
machine on the interface which is used to check ping connectivity with the 
collector machine and have still not observed anything relevant.

Thanks.

On Mon, Apr 16, 2018 at 3:52 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
This should send some IPfix NAT44 session create events. Do you observe any 
traffic in tcpdump at the collector machine when you use “ipfix flush”? This 
command should at least send IPfix templates.

Matus


From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Hamid via Lists.Fd.Io
Sent: Monday, April 16, 2018 12:17 PM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Currently I have just 1 client connected.

vpp# show nat44 sessions
NAT44 sessions:
  100.64.0.1: 100 dynamic translations, 0 static translations


Here are all of the VPP commands used (involve a few TAP and bvi interfaces):
Is there a command history option in vpp cli?
loopback create
set int l2 bridge loop0 1 bvi
set int ip address loop0 192.168.10.1/24
set int state loop0 up

tap connect lstack address 192.168.10.2/24
set int l2 bridge tapcli-0 1
set int state tapcli-0 up

loopback create
set int l2 bridge loop1 2 bvi
set int ip address loop1 192.168.100.1/24
set int state loop1 up

tap connect lstack1 address 192.168.100.2/24
set int l2 bridge tapcli-1 2
set int state tapcli-1 up

nat44 add interface address loop0
set interface nat44 in loop1 out loop0
nat44 add address 192.168.10.20 - 192.168.10.30

set int l2 bridge GigabitEthernet0/3/0 1
set int state GigabitEthernet0/3/0 up

ip route add 100.64.0.0/24 via 192.168.100.2
ip route add 0.0.0.0/0 via 192.168.10.3

set ipfix exporter collector 192.168.4.3 port 2055 src 192.168.10.1
nat ipfix logging


On Mon, Apr 16, 2018 at 3:07 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
How many NAT sessions does the client create? IPfix should send at least templates every 
20 seconds if there is no data. You can manually send cached IPfix data and 
templates by “ipfix flush”. Could you please provide your VPP config (all used 
CLI config commands)? There are a couple of NAT IPfix tests and all pass.

Matus


From: Hamid Rasool <hamidras...@gmail.com>
Sent: Monday, April 16, 2018 11:09 AM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

I have not made any changes to the default startup config, i.e. there is no 
'nat { }' present in the config, and the plugins and dpdk sections are commented out.

I want these templates for NAT44 Session create and NAT44 Session delete events 
(field name, width in bits):
observationTimeMilliseconds    64
natEvent                       8
sourceIPv4Address              32
postNATSourceIPv4Address       32
protocolIdentifier             8
sourceTransportPort            16
postNAPTSourceTransportPort    16

I have also moved to the master since last week (and have noticed some details 
added to show nat44 commands), my version is now:
vpp v18.07-rc0~26-ge150238

Thanks.

On Mon, Apr 16, 2018 at 12:50 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

What is your NAT plugin config and what NAT IPfix event do you want to trigger?

Matus


From: Hamid Rasool <hamidras...@gmail.com>
Sent: Monday, April 16, 2018 9:12 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>

Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi Matus,

I have tried setting up NFSen and NFDump on a VM logically connected with 
my VPP instance. I have then used the 2 commands that you added to the Wiki:

vpp# set ipfix exporter collector 192.168.4.3 port 2055(listening port) src 
192.168.10.1(outbound interface IP)
vpp# nat ipfix logging

The graphs did not show anything after I passed iperf and ping traffic from the 
CG-NAT host clients, and did not even observe any traffic in tcpdump at the 
collector machine. I have verified ping connectivity from VPP machine to the 
collector machine and conf files + netstat to verify the listening port.

Does VPP maintain any local logs for the ipfix exports?

Regards.


On Mon, Apr 9, 2018 at 11:39 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Only CLI commands, no startup config changes required.

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Monday, April 9, 2018 8:06 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>

Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks again Matus, especially for updating the Wiki!

Do I need to change anything in the startup config to enable ipfix in NAT or do 
the CLI commands in the example config work as standard?

On Mon, Apr 9, 2018 at 10:20 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Supported templates for deterministic NAT 
https://wiki.fd.io/view/VPP/NAT#IPFIX_templates
Supported templates for standard NAT 
https://wiki.fd.io/view/VPP/NAT#NAT_IPFIX_logging
IPFix data and template records are transmitted over UDP 
(https://tools.ietf.org/html/rfc7011, https://tools.ietf.org/html/rfc8158)
IPFix example configuration 
https://wiki.fd.io/view/VPP/NAT#Enable_NAT_plugin_IPFIX_logging_example

Matus


From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Friday, April 6, 2018 4:23 PM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Matus for the rapid response. The del command did the trick and I will 
try to repeat the setup for the 18.04-rc1 build. I also got some more info through 
the command 'show nat44 detail', which did not show up via ? in the CLI by 
default.

About IPFIX logging, can you suggest an example template to perform the logging:
e.g.
nat {
NAT44 Addresses exhausted
NAT44 Session create
NAT44 Session delete
}

Also, any pointers to accessing these IPFIX logs for NAT session details without 
using deterministic NAT, once the logging has been enabled, would also be very 
helpful.

Regards,
Hamid

On Fri, Apr 6, 2018 at 3:42 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
“show nat44 deterministic mappings” probably doesn’t work because you use an older 
version of the VPP (this was changed in 1804).
To delete a NAT deterministic mapping use “nat44 deterministic add in 
<addr>/<plen> out <addr>/<plen> del”.
Currently you can’t allocate a specific number of ports of the external address to 
the internal clients. It is possible to implement this, patches are welcome.
The NAT plugin uses IPfix for logging events 
https://wiki.fd.io/view/VPP/NAT#IPFIX_templates. Deterministic NAT doesn’t log 
sessions since the internal address is statically mapped to a set of external ports 
of the address (the purpose of deterministic NAT is to reduce logging 
https://tools.ietf.org/html/rfc7422).

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Friday, April 6, 2018 12:16 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Fabian.

I have configured these steps and it seems to work (although some variations of 
the nat deterministic add command caused vpp to crash and reset configurations). 
However, there is another command in the VPP/NAT wiki, "show nat44 
deterministic mappings", which does not seem to work.
Only the "show nat44" command seems to work:

vpp# nat44 deterministic add in 10.10.3.0/25 out 192.168.100.64/28
vpp# show nat44
NAT plugin mode: deterministic mapping
udp timeout: 300sec
tcp-established timeout: 7440sec
tcp-transitory timeout: 240sec
icmp timeout: 60sec
1 deterministic mappings


I want to ask how we can delete a pool mapping once we have set it, or even 
change it, because there seem to be no options to do that. Another query is 
about how we can allocate a specific number of ports of the external address to 
the internal clients. Let's say I want to map 8 internal addresses to 1 external 
for a pool of external addresses, which makes about 8000 ports (out of 65000) 
for each internal address. Is there any way to implement this?
Last question for now: where are the session logs stored for NAT for each flow 
of packets? Does VPP provide syslog stats or any flow records for NAT sessions?

Thanks again!





On Mon, Mar 19, 2018 at 5:19 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

There is an example of CGNAT configuration for the currently supported feature set 
https://wiki.fd.io/view/VPP/NAT#Example_configuration

Basically you need to do the following 3 steps:
1. To enable CGNAT mode of the NAT plugin, add the following to the startup config: “nat { 
deterministic }”
2. Set inside and outside interfaces: set interface nat44 in <intfc> out <intfc>
3. Set the pool address range for the inside network range: nat44 deterministic add in 
<addr>/<plen> out <addr>/<plen>

That is all you can currently configure.

Matus


From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Hamid via Lists.Fd.Io
Sent: Monday, March 19, 2018 1:03 PM
To: vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: [vpp-dev] #vpp CGNAT implementation in VPP

Hi,

I have an Ubuntu server machine with 32 cores and four 1 Gigabit NICs running the KVM 
hypervisor. I want to test VPP performance for CGNAT in NAT444 mode while 
supporting routing protocols like BGP and IS-IS on a VM topology setup. Kindly 
direct me somewhere to get started. The usage of CGNAT with a pool of outside 
address ranges and the allocation of port numbers is not directly explained in the NAT 
plugin Wiki page. Any info regarding how to generate packet traffic to check 
performance in terms of the number of concurrent sessions handled by CGNAT on my 
hardware will also be appreciated.

I have tried the progressive VPP tutorial but some of the switching related 
exercises are not functioning as expected and there is no similar tutorial or 
guide to apply CG-NAT along with routing as a PoC software router would do. 
Integration with FRR as per FRR wiki was also outdated and could not be 
achieved on my setup.

Waiting for suggestions. Thanks!
