Hi Balaji,
I think the problem is that you did not configure an IP address on the
sub-interface. Thus, IP4 forwarding is not enabled. You can check the state of
various forwarding features on an interface or sub-interface using the command:
show int feat TenGigabitEthernet1/0/0.100
If an interface does not have an IP4 address configured, you will see the
ip4-unicast feature listed as ip4-drop:
ip4-unicast:
ip4-drop
Regards,
John
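To read traces like the ones quoted below, here is an added example (not code from the thread or from VPP itself) that parses a `show trace` excerpt, lists the node path the packet took, and maps the two drop reasons seen in this thread to the fix John describes. The ACL node names in ACL_NODES are an assumption taken from VPP source, and `<ADDR/PREFIX>` is a placeholder, since the thread does not say which address belongs on the sub-interface.

```python
import re

# Constructed excerpt of the "show trace" output quoted in the thread.
SAMPLE_TRACE = """\
00:16:11:820587: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
00:16:11:820596: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820616: ip4-input
00:16:11:820624: ip4-drop
00:16:11:820627: error-drop
  ip4-input: ip4 adjacency drop
"""
# Node header is "hh:mm:ss:usecs: node"; the line after error-drop is "<node>: <reason>".
NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{6}): (\S+)\s*$")
REASON_RE = re.compile(r"^\s*(\S+): (.+?)\s*$")
# ACL node names are an assumption taken from VPP source, not from the thread.
ACL_NODES = {"ip4-inacl", "ip6-inacl", "l2-input-acl"}
# Drop reasons seen in the thread, mapped to the fix John describes;
# <ADDR/PREFIX> is a placeholder (the thread gives no sub-interface address).
HINTS = {
    ("ethernet-input", "unknown vlan"):
        "no sub-interface for this VLAN: create sub-interfaces <intf> <vlan>, "
        "then set interface state <intf>.<vlan> up",
    ("ip4-input", "ip4 adjacency drop"):
        "ip4-unicast arc is ip4-drop (no IP address on the sub-interface): "
        "set int ip address <intf>.<vlan> <ADDR/PREFIX>, verify with show int feat <intf>.<vlan>",
}

def parse_trace(text):
    """Return (node_path, (node, reason) or None) for a single traced packet."""
    nodes, error = [], None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append(m.group(2))
        elif nodes and nodes[-1] == "error-drop" and error is None:
            m = REASON_RE.match(line)
            if m:
                error = (m.group(1), m.group(2))
    return nodes, error

def diagnose(text):
    """Report whether the packet reached an input ACL node, else why it was dropped."""
    nodes, error = parse_trace(text)
    if ACL_NODES.intersection(nodes):
        return "packet reached the input ACL node"
    if error is None:
        return "no drop recorded in trace"
    return HINTS.get(error, "dropped by %s: %s" % error)
```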
From: Balaji Kn [mailto:[email protected]]
Sent: Friday, August 04, 2017 7:28 AM
To: John Lo (loj) <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [vpp-dev] query on L2 ACL for VLANs
Hi John,
Thanks for quick response.
I tried, as you suggested, associating the input ACL with the IP-forwarding path for
tagged packets. Ingress packets are not hitting the ACL node and are dropped.
However, ACLs with src/dst IP, MAC address, and UDP port numbers are fine.
Following are the configuration steps followed.
set int ip address TenGigabitEthernet1/0/0 172.27.28.5/24
set interface state TenGigabitEthernet1/0/0 up
set int ip address TenGigabitEthernet1/0/1 172.27.29.5/24
set interface state TenGigabitEthernet1/0/1 up
create sub-interfaces TenGigabitEthernet1/0/0 100
set interface state TenGigabitEthernet1/0/0.100 up
ACL configuration
classify table mask l2 tag1
classify session acl-hit-next deny opaque-index 0 table-index 0 match l2 tag1
100
set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0
Trace captured on VPP
00:16:11:820587: dpdk-input
TenGigabitEthernet1/0/0 rx queue 0
buffer 0x4d40: current data 0, length 124, free-list 0, clone-count 0,
totlen-nifb 0, trace 0x0
PKT MBUF: port 0, nb_segs 1, pkt_len 124
buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr
0x6de35040
packet_type 0x291
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without
extension headers
RTE_PTYPE_L4_UDP (0x0200) UDP packet
IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a38
fragment id 0x0008
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:16:11:820596: ethernet-input
IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820616: ip4-input
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a38
fragment id 0x0008
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:16:11:820624: ip4-drop
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a38
fragment id 0x0008
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:16:11:820627: error-drop
ip4-input: ip4 adjacency drop
I verified in the VPP code that the packet is dropped while searching for the intc arc
(searching for a feature enabled on the interface). I assumed associating the
sub-interface with the ACL was enabling the feature.
Let me know if I missed anything.
Regards,
Balaji
On Wed, Aug 2, 2017 at 9:26 PM, John Lo (loj)
<[email protected]> wrote:
Hi Balaji,
In order to make input ACL work on the IPv4 forwarding path, you need to set it
as ip4-table on the interface or sub-interface. For your case for packets with
VLAN tags, it needs to be set on sub-interface:
set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0
The names in the CLI [ip4-table|ip6-table|l2-table] indicate which forwarding
path the ACL is applied to, not which packet header the ACL will match. The
match of the packet is specified with the table/session used in the ACL.
Regards,
John
From: [email protected] [mailto:[email protected]] On Behalf Of Balaji Kn
Sent: Wednesday, August 02, 2017 9:41 AM
To: [email protected]
Cc: [email protected]
Subject: [vpp-dev] query on L2 ACL for VLANs
Hello,
I am using VPP 17.07 release code (tag v17.07).
DBGvpp# show int address
TenGigabitEthernet1/0/0 (up):
172.27.28.5/24
TenGigabitEthernet1/0/1 (up):
172.27.29.5/24
My use case is to allow packets based on VLANs. I added an ACL rule in classify
table as below.
classify table mask l2 tag1
classify session acl-hit-next permit opaque-index 0 table-index 0 match l2 tag1
100
set int input acl intfc TenGigabitEthernet1/0/0 l2-table 0
Tagged packets were dropped in the ethernet node.
00:08:39:270674: dpdk-input
TenGigabitEthernet1/0/0 rx queue 0
buffer 0x4d67: current data 0, length 124, free-list 0, clone-count 0,
totlen-nifb 0, trace 0x1
PKT MBUF: port 0, nb_segs 1, pkt_len 124
buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr
0x6de35a00
packet_type 0x291
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without
extension headers
RTE_PTYPE_L4_UDP (0x0200) UDP packet
IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a24
fragment id 0x001c
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:08:39:270679: ethernet-input
IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:08:39:270685: error-drop
ethernet-input: unknown vlan
DBGvpp#
Hence I created a sub-interface to allow tagged packets.
create sub-interfaces TenGigabitEthernet1/0/0 100
set interface state TenGigabitEthernet1/0/0.100 up
The packets are still not hitting the ACL node and are still dropped, this
time in the ip4-input node.
00:07:42:330550: dpdk-input
TenGigabitEthernet1/0/0 rx queue 0
buffer 0x4d8e: current data 0, length 124, free-list 0, clone-count 0,
totlen-nifb 0, trace 0x0
PKT MBUF: port 0, nb_segs 1, pkt_len 124
buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr
0x6de363c0
packet_type 0x291
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without
extension headers
RTE_PTYPE_L4_UDP (0x0200) UDP packet
IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a25
fragment id 0x001b
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:07:42:330560: ethernet-input
IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:07:42:330572: ip4-input
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a25
fragment id 0x001b
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:07:42:330583: ip4-drop
UDP: 172.27.28.6 -> 172.27.29.6
tos 0x00, ttl 255, length 106, checksum 0x2a25
fragment id 0x001b
UDP: 1024 -> 1024
length 86, checksum 0xffff
00:07:42:330586: error-drop
ip4-input: ip4 adjacency drop
Can you help me know if I am missing any configuration, so that my packets hit
the ACL node and then the ip4-input node?
Please let me know if you need any information on configurations/setup.
Regards,
Balaji