This should send some IPfix NAT44 session create events. Do you observe any traffic in tcpdump at the collector machine when you use “ipfix flush”? This command should at least send IPfix templates.

Matus

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Hamid via Lists.Fd.Io
Sent: Monday, April 16, 2018 12:17 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Currently I have just 1 client connected.

    vpp# show nat44 sessions
    NAT44 sessions:
    100.64.0.1: 100 dynamic translations, 0 static translations

Here are all of the VPP commands used (involve a few TAP and bvi interfaces): Is there a command history option in vpp cli?

    loopback create
    set int l2 bridge loop0 1 bvi
    set int ip address loop0 192.168.10.1/24
    set int state loop0 up
    tap connect lstack address 192.168.10.2/24
    set int l2 bridge tapcli-0 1
    set int state tapcli-0 up
    loopback create
    set int l2 bridge loop1 2 bvi
    set int ip address loop1 192.168.100.1/24
    set int state loop1 up
    tap connect lstack1 address 192.168.100.2/24
    set int l2 bridge tapcli-1 2
    set int state tapcli-1 up
    nat44 add interface address loop0
    set interface nat44 in loop1 out loop0
    nat44 add address 192.168.10.20 - 192.168.10.30
    set int l2 bridge GigabitEthernet0/3/0 1
    set int state GigabitEthernet0/3/0 up
    ip route add 100.64.0.0/24 via 192.168.100.2
    ip route add 0.0.0.0/0 via 192.168.10.3
    set ipfix exporter collector 192.168.4.3 port 2055 src 192.168.10.1
    nat ipfix logging

On Mon, Apr 16, 2018 at 3:07 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

How many NAT session client create? IPfix should send at least templates each 20 seconds if there is no data. You can manually send cached IPfix data and templates by “ipfix flush”. Could you please provide your VPP config (all used CLI config commands)? There are a couple of NAT IPfix tests and all pass.

Matus

From: Hamid Rasool <hamidras...@gmail.com>
Sent: Monday, April 16, 2018 11:09 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

I have not made any changes to the default startup config, i.e. there is no 'nat { }' present in the config and the plugins and dpdk sections commented out. I want these templates for NAT44 Session create and NAT44 Session delete events:

    observationTimeMilliseconds 64
    natEvent 8
    sourceIPv4Address 32
    postNATSourceIPv4Address 32
    protocolIdentifier 8
    sourceTransportPort 16
    postNAPTSourceTransportPort 16

I have also moved to the master since last week (and have noticed some details added to show nat44 commands), my version is now: vpp v18.07-rc0~26-ge150238

Thanks.

On Mon, Apr 16, 2018 at 12:50 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

Hi,

What is your NAT plugin config and what NAT IPfix event do you want to trigger?

Matus

From: Hamid Rasool <hamidras...@gmail.com>
Sent: Monday, April 16, 2018 9:12 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi Matus,

I have tried setting up NFSen and NFDump setup on a logically connected VM with my VPP instance. I have then used the 2 commands that you added in the Wiki:

    vpp# set ipfix exporter collector 192.168.4.3 port 2055(listening port) src 192.168.10.1(outbound interface IP)
    vpp# nat ipfix logging

The graphs did not show anything after I passed iperf and ping traffic from the CG-NAT host clients, and did not even observe any traffic in tcpdump at the collector machine.
I have verified ping connectivity from VPP machine to the collector machine and conf files + netstat to verify the listening port. Does VPP maintain any local logs for the ipfix exports?

Regards.

On Mon, Apr 9, 2018 at 11:39 AM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

Only CLI commands, no startup config changes required

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Monday, April 9, 2018 8:06 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks again Matus. Especially for updating the Wiki! Do I need to change anything in the startup config to enable ipfix in NAT or do the CLI commands in the example config work as standard?

On Mon, Apr 9, 2018 at 10:20 AM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

Supported templates for deterministic NAT https://wiki.fd.io/view/VPP/NAT#IPFIX_templates

Supported templates for standard NAT https://wiki.fd.io/view/VPP/NAT#NAT_IPFIX_logging

IPFix data and template records are transmitted over UDP (https://tools.ietf.org/html/rfc7011, https://tools.ietf.org/html/rfc8158)

IPFix example configuration https://wiki.fd.io/view/VPP/NAT#Enable_NAT_plugin_IPFIX_logging_example

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Friday, April 6, 2018 4:23 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Matus for the rapid response. The del command did the trick and I will try to repeat the setup for 18.04-rc1 build.
I also got some more info through the command 'show nat44 detail' which did not show up by ? in the CLI by default.

About IPFIX logging, can you suggest an example template to perform the logging: e.g.

    nat {
      NAT44 Addresses exhausted
      NAT44 Session create
      NAT44 Session delete
    }

Also, any pointers to access these IPFIX logs for nat session details without using deterministic NAT once the logging has been enabled would also be very helpful.

Regards,
Hamid

On Fri, Apr 6, 2018 at 3:42 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

“show nat44 deterministic mappings” probably doesn’t work because you use older version of the VPP (this was changed in 1804)

To delete NAT deterministic mapping use “nat44 deterministic add in <addr>/<plen> out <addr>/<plen> del”

Currently you can’t allocate specific number of ports of the external address to the internal clients. It is possible to implement this, patches are welcome.

NAT plugin use IPfix for logging events https://wiki.fd.io/view/VPP/NAT#IPFIX_templates. Deterministic NAT doesn’t log session since internal address is statically mapped to set of external ports of the address (purpose of deterministic NAT is to reduce logging https://tools.ietf.org/html/rfc7422).

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Friday, April 6, 2018 12:16 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Fabian. I have configured these steps and it seems to work (although some variations of nat deterministic add command caused vpp to crash and reset configurations though). However, there is another command in the VPP/NAT wiki: "show nat44 deterministic mappings" which does not seem to work.
The "show nat44" command only seems to work however:

    vpp# nat44 deterministic add in 10.10.3.0/25 out 192.168.100.64/28
    vpp# show nat44
    NAT plugin mode: deterministic mapping
    udp timeout: 300sec
    tcp-established timeout: 7440sec
    tcp-transitory timeout: 240sec
    icmp timeout: 60sec
    1 deterministic mappings

I want to ask how can we delete a pool mapping once we have set it or even change it because there seems to be no options to do that.

Another query is about how can we allocate a specific number of ports of the external address to the internal clients. Let's say I want to map 8 internal addresses to 1 external for a pool of external addresses, which makes about 8000 ports (out of 65000) for each internal address. Is there any way to implement this?

Last question for now, where are the session logs stored for NAT for each flow of packet. Does VPP provide syslog stats or any flow records for nat sessions?

Thanks again!

On Mon, Mar 19, 2018 at 5:19 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

Hi,

There is example of CGNAT configuration for currently supported feature set https://wiki.fd.io/view/VPP/NAT#Example_configuration

Basically you need to do the following 3 steps:

1. To enable CGNAT mode of NAT plugin add following to startup config: “nat { deterministic }”
2. Set inside and outside interfaces: set interface nat44 in <intfc> out <intfc>
3. Set pool address range for inside network range: nat44 deterministic add in <addr>/<plen> out <addr>/<plen>

That is all you can currently configure.

Matus

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Hamid via Lists.Fd.Io
Sent: Monday, March 19, 2018 1:03 PM
To: vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: [vpp-dev] #vpp CGNAT implementation in VPP

Hi,

I have an Ubuntu server machine having 32 cores and four 1 Gigabit NICs with KVM hypervisor. I want to test VPP performance for CGNAT in NAT444 mode while supporting routing protocols like BGP and IS-IS on VM topology setup. Kindly direct me somewhere to get me started.

The usage of CGNAT with a pool of out address ranges and allocating port numbers is not directly explained in the NAT plugin Wiki page. Any info regarding how to generate packet traffic to check performance in terms of number of concurrent sessions handled by CGNAT on my hardware will also be appreciated.

I have tried the progressive VPP tutorial but some of the switching related exercises are not functioning as expected and there is no similar tutorial or guide to apply CG-NAT along with routing as a PoC software router would do. Integration with FRR as per FRR wiki was also outdated and could not be achieved on my setup.

Waiting for suggestions. Thanks!
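
For checking what actually reaches the collector port discussed in the thread, the following decoder reads an IPFIX message (RFC 7011), learns its template, and decodes NAT44 session records with the seven fields listed above. It is an added example, not code from the thread, from VPP or from NFDump. The element IDs are the IANA numbers and the natEvent values follow RFC 8158; the template ID 256 and the sample message are constructed for illustration, with field lengths in octets matching the bit widths given in the thread.

```python
import struct
from ipaddress import IPv4Address

IE = {323: "observationTimeMilliseconds", 230: "natEvent", 8: "sourceIPv4Address",
      225: "postNATSourceIPv4Address", 4: "protocolIdentifier",
      7: "sourceTransportPort", 227: "postNAPTSourceTransportPort"}  # IANA element IDs
NAT_EVENT = {3: "addresses exhausted", 4: "session create", 5: "session delete"}  # RFC 8158

def decode_ipfix(msg, templates):
    """Decode one IPFIX message (RFC 7011): learn templates, return data records."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or not 16 <= length <= len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                       # template set
            learn_templates(body, templates)
        elif set_id in templates:             # data set for a template seen earlier
            records += decode_records(body, templates[set_id])
    return records

def learn_templates(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * count
        if tid < 256 or count == 0 or end > len(body):
            break                             # padding, withdrawal or truncation
        fields = list(struct.iter_unpack("!HH", body[pos + 4:end]))
        if any(ie & 0x8000 or n == 0xFFFF for ie, n in fields):
            raise ValueError("enterprise or variable-length elements not handled")
        templates[tid], pos = fields, end

def decode_records(body, fields):
    size, out = sum(n for _, n in fields), []
    for pos in range(0, len(body) - size + 1, size):
        rec = {}
        for ie, n in fields:
            val, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
            rec[IE.get(ie, f"ie{ie}")] = str(IPv4Address(val)) if ie in (8, 225) else val
        out.append({**rec, "event": NAT_EVENT.get(rec.get("natEvent"), "other")})
    return out

SAMPLE = bytes.fromhex("000a004e 5ad46a30 00000000 00000001"  # constructed, not a VPP capture
    "00020024 01000007 01430008 00e60001 00080004 00e10004 00040001 00070002 00e30002"
    "0100001a 00000162cdbecb80 04 64400001 c0a80a14 06 9c40 0400")
```

On live traffic, pass each UDP datagram received on the collector port to `decode_ipfix` with one shared `templates` dict, since data sets can only be decoded after their template has arrived.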