Dear Neale,

Thanks for your prompt response. Answer comments inline.

On Wed, Jul 24, 2019 at 5:16 PM Neale Ranns (nranns) <nra...@cisco.com> wrote:

> Dear Brayan,
>
> You should always add a next-hop to a path when IP routing.
>
> Answers comments inline.
>
> /neale
>
> *From:* <vpp-dev@lists.fd.io> on behalf of brayan ortega <brayan.ortega6...@gmail.com>
> *Date:* Wednesday 24 July 2019 at 11:25
> *To:* "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
> *Subject:* [vpp-dev] abf problem with arp
>
> Dear VPP Folks,
>
> I'm using vpp v19.08-rc0~698-g1f50bf8fc (master branch) and it seems there is a bug when the abf plugin is enabled and configured in my scenario.
>
> The abf policy is defined as follows:
> 1- permit packets
> 2- route to output interface without gateway definition ( via 0.0.0.0 )
> 3- attaching it to input interfaces
>
> When the abf policy is defined as described, the connected networks to output interfaces will be unreachable. I checked the trace of packets and saw the following. First, an icmp packet is received on input interface. Then arp packet is sent and arp reply is received. But in next icmp packet again this scenario happens while we have an entry for destination ip in arp table. However, arp reply is dropped and "arp-disabled: ARP Disabled on this interface" log is seen in trace output. My vppctl trace output is available here: https://paste.ubuntu.com/p/pB2sh3GxrD/
>
> The following is the ping result from my client:
>
> Client 1: ping 30.30.30.2 ( 30.30.30.30 is my router ip address) isn't established.
>
> My topology and vpp configuration are attached to this email.
>
> If it is needed to set a gateway for abf,
>
> Yes.
>
> then we cannot reach connected network devices. So I had to set my abf gateway to 0.0.0.0 for connected networks when there is an abf policy for networks which are not connected directly.
>
> Are you saying that the ACL you are using in the ABF policy also matches connected devices and so the ABF policy is also used to forward to attached devices? This won’t work for ABF, since ABF runs before the normal IP lookup. So either don’t include connected subnets in the ACL definition, or add a higher priority policy for each of the connected devices with a nexthop of that connected device.

Suppose we have a lot of connected devices; it is not reasonable to write a lot of higher-priority policies for them. On the other hand, for unconnected networks, it is needed to write a general abf policy ( any ) and then exclude connected network devices. What's your opinion about bringing your idea to the code level? Instead of writing a lot of abf policies for connected network devices with higher priority than the general abf policy, we write abf policies for connected networks with next-hop 0.0.0.0 and then in the abf plugin, check if the next-hop is 0.0.0.0 then change next-hop to packet destination ip! I would like to know your advice and opinion.

> The reason this:
>
> Ip route 2.0.0.0/8 via 0.0.0.0 Eth0
>
> Kinda (because a router connected to eth0 must have proxy ARP configured for 2/8) works for IP routing, is that the first packet to say 2.0.0.1 generates an ARP request and the proxying router replies. The ARP response creates an ARP entry for 2.0.0.1 and a FIB entry 2.0.0.01/32 via the proxying router. The next packet through does an LPM and hits the /32, so is forwarded successfully.
>
> There’s no such LPM for ABF, so all packets generate ARP requests.

Do you think this is a bug? It seems it is not a normal functionality. I checked this scenario ( write route policy without next-hop definition) on a Cisco router and there isn't this problem ( my client1 icmp connection was established ).

Warm Regards,
Brayan

> Hth,
>
> /neale