Is the src <IP address> necessary in the netflow export collector command? I have ping connectivity with the collector, but still no flows are visible. It is a bit odd because I only want to verify the inside address:inside port and outside address:outside port and for that you need an extra setup.
Thanks.

On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool <14mseesras...@seecs.edu.pk> wrote:

> No luck with the tcpdump (it only shows the broadcast routing protocol
> messages from a virtual router interface that it is connected with; my test
> bed topology has multiple hosts) during ipfix flush command either.
>
> Are there any logs for ipfix / NAT translation logs stored on the local
> machine where vpp is running? So far the only way you can obtain the
> translated ports currently is by running tcpdump on the vpp machine
> outbound interface but they are not viable to maintain logging. I have
> tried running tcpdump on the vpp machine on the interface which is used to
> check ping connectivity with the collector machine and have still not
> observed anything relevant.
>
> Thanks.
>
> On Mon, Apr 16, 2018 at 3:52 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
>> This should send some IPfix NAT44 session create events. Do you observe
>> any traffic in tcpdump at the collector machine when you use “ipfix flush”?
>> This command should at least send IPfix templates.
>>
>> Matus
>>
>> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> *On Behalf Of* Hamid via Lists.Fd.Io
>> *Sent:* Monday, April 16, 2018 12:17 PM
>> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
>> *Cc:* vpp-dev@lists.fd.io
>> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> Currently I have just 1 client connected.
>>
>> vpp# show nat44 sessions
>> NAT44 sessions:
>> 100.64.0.1: 100 dynamic translations, 0 static translations
>>
>> Here are all of the VPP commands used (involve a few TAP and bvi
>> interfaces):
>> Is there a command history option in vpp cli?
>>
>> loopback create
>> set int l2 bridge loop0 1 bvi
>> set int ip address loop0 192.168.10.1/24
>> set int state loop0 up
>>
>> tap connect lstack address 192.168.10.2/24
>> set int l2 bridge tapcli-0 1
>> set int state tapcli-0 up
>>
>> loopback create
>> set int l2 bridge loop1 2 bvi
>> set int ip address loop1 192.168.100.1/24
>> set int state loop1 up
>>
>> tap connect lstack1 address 192.168.100.2/24
>> set int l2 bridge tapcli-1 2
>> set int state tapcli-1 up
>>
>> nat44 add interface address loop0
>> set interface nat44 in loop1 out loop0
>> nat44 add address 192.168.10.20 - 192.168.10.30
>>
>> set int l2 bridge GigabitEthernet0/3/0 1
>> set int state GigabitEthernet0/3/0 up
>>
>> ip route add 100.64.0.0/24 via 192.168.100.2
>> ip route add 0.0.0.0/0 via 192.168.10.3
>>
>> set ipfix exporter collector 192.168.4.3 port 2055 src 192.168.10.1
>> nat ipfix logging
>>
>> On Mon, Apr 16, 2018 at 3:07 PM, Matus Fabian -X (matfabia - PANTHEON
>> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>>
>> How many NAT sessions did the client create? IPfix should send at least templates
>> each 20 seconds if there is no data. You can manually send cached IPfix
>> data and templates by “ipfix flush”. Could you please provide your VPP
>> config (all used CLI config commands)? There are a couple of NAT IPfix tests
>> and all pass.
>>
>> Matus
>>
>> *From:* Hamid Rasool <hamidras...@gmail.com>
>> *Sent:* Monday, April 16, 2018 11:09 AM
>> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
>> *Cc:* vpp-dev <vpp-dev@lists.fd.io>
>> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> I have not made any changes to the default startup config, i.e. there is
>> no 'nat { }' present in the config and the plugins and dpdk sections
>> commented out.
>>
>> I want these templates for NAT44 Session create and NAT44 Session delete
>> events:
>>
>> observationTimeMilliseconds   64
>> natEvent                      8
>> sourceIPv4Address             32
>> postNATSourceIPv4Address      32
>> protocolIdentifier            8
>> sourceTransportPort           16
>> postNAPTSourceTransportPort   16
>>
>> I have also moved to the master since last week (and have noticed some
>> details added to show nat44 commands), my version is now:
>> vpp v18.07-rc0~26-ge150238
>>
>> Thanks.
>>
>> On Mon, Apr 16, 2018 at 12:50 PM, Matus Fabian -X (matfabia - PANTHEON
>> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>>
>> Hi,
>>
>> What is your NAT plugin config and what NAT IPfix event do you want
>> to trigger?
>>
>> Matus
>>
>> *From:* Hamid Rasool <hamidras...@gmail.com>
>> *Sent:* Monday, April 16, 2018 9:12 AM
>> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
>> *Cc:* vpp-dev <vpp-dev@lists.fd.io>
>> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> Hi Matus,
>>
>> I have tried setting up NFSen and NFDump setup on a logically connected
>> VM with my VPP instance. I have then used the 2 commands that you added in
>> the Wiki:
>>
>> vpp# set ipfix exporter collector 192.168.4.3 port 2055(listening port) src 192.168.10.1(outbound interface IP)
>> vpp# nat ipfix logging
>>
>> The graphs did not show anything after I passed iperf and ping traffic
>> from the CG-NAT host clients, and did not even observe any traffic in
>> tcpdump at the collector machine. I have verified ping connectivity from
>> VPP machine to the collector machine and conf files + netstat to verify the
>> listening port.
>>
>> Does VPP maintain any local logs for the ipfix exports?
>>
>> Regards.
>>
>> On Mon, Apr 9, 2018 at 11:39 AM, Matus Fabian -X (matfabia - PANTHEON
>> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>>
>> Only CLI commands, no startup config changes required
>>
>> Matus
>>
>> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
>> *Sent:* Monday, April 9, 2018 8:06 AM
>> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
>> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> Thanks again Matus. Especially for updating the Wiki!
>>
>> Do I need to change anything in the startup config to enable ipfix in NAT
>> or do the CLI commands in the example config work as standard?
>>
>> On Mon, Apr 9, 2018 at 10:20 AM, Matus Fabian -X (matfabia - PANTHEON
>> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>>
>> Supported templates for deterministic NAT https://wiki.fd.io/view/VPP/NAT#IPFIX_templates
>>
>> Supported templates for standard NAT https://wiki.fd.io/view/VPP/NAT#NAT_IPFIX_logging
>>
>> IPFix data and template records are transmitted over UDP
>> (https://tools.ietf.org/html/rfc7011, https://tools.ietf.org/html/rfc8158)
>>
>> IPFix example configuration https://wiki.fd.io/view/VPP/NAT#Enable_NAT_plugin_IPFIX_logging_example
>>
>> Matus
>>
>> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
>> *Sent:* Friday, April 6, 2018 4:23 PM
>> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
>> *Cc:* vpp-dev@lists.fd.io
>> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> Thanks Matus for the rapid response. The del command did the trick and I
>> will try to repeat the setup for 18.04-rc1 build. I also got some more info
>> through the command 'show nat44 detail' which did not show up by ? in the
>> CLI by default.
>>
>> About IPFIX logging, can you suggest an example template to perform the
>> logging:
>>
>> e.g.
>>
>> nat {
>>   NAT44 Addresses exhausted
>>   NAT44 Session create
>>   NAT44 Session delete
>> }
>>
>> Also, any pointers to access these IPFIX logs for nat session details
>> without using deterministic NAT once the logging has been enabled would also
>> be very helpful.
>>
>> Regards,
>> Hamid
>>
>> On Fri, Apr 6, 2018 at 3:42 PM, Matus Fabian -X (matfabia - PANTHEON
>> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>>
>> “show nat44 deterministic mappings” probably doesn’t work because you use
>> an older version of the VPP (this was changed in 1804)
>>
>> To delete NAT deterministic mapping use “nat44 deterministic add in
>> <addr>/<plen> out <addr>/<plen> del”
>>
>> Currently you can’t allocate specific number of ports of the external
>> address to the internal clients. It is possible to implement this, patches
>> are welcome.
>>
>> NAT plugin uses IPfix for logging events https://wiki.fd.io/view/VPP/NAT#IPFIX_templates.
>> Deterministic NAT doesn’t log sessions since internal
>> address is statically mapped to set of external ports of the address
>> (purpose of deterministic NAT is to reduce logging
>> https://tools.ietf.org/html/rfc7422).
>>
>> Matus
>>
>> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
>> *Sent:* Friday, April 6, 2018 12:16 PM
>> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
>> *Cc:* vpp-dev@lists.fd.io
>> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> Thanks Fabian.
>>
>> I have configured these steps and it seems to work (although some
>> variations of nat deterministic add command caused vpp to crash and reset
>> configurations though). However, there is another command in the VPP/NAT
>> wiki: "show nat44 deterministic mappings" which does not seem to work.
>>
>> The "show nat44" command only seems to work however:
>>
>> vpp# nat44 deterministic add in 10.10.3.0/25 out 192.168.100.64/28
>> vpp# show nat44
>> NAT plugin mode: deterministic mapping
>> udp timeout: 300sec
>> tcp-established timeout: 7440sec
>> tcp-transitory timeout: 240sec
>> icmp timeout: 60sec
>> 1 deterministic mappings
>>
>> I want to ask how can we delete a pool mapping once we have set it or
>> even change it because there seems to be no options to do that. Another
>> query is about how can we allocate a specific number of ports of the
>> external address to the internal clients. Let's say I want to map 8 internal
>> addresses to 1 external for a pool of external addresses, which makes about
>> 8000 ports (out of 65000) for each internal address. Is there any way to
>> implement this?
>>
>> Last question for now, where are the session logs stored for NAT for each
>> flow of packet. Does VPP provide syslog stats or any flow records for nat
>> sessions?
>>
>> Thanks again!
>>
>> On Mon, Mar 19, 2018 at 5:19 PM, Matus Fabian -X (matfabia - PANTHEON
>> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>>
>> Hi,
>>
>> There is an example of CGNAT configuration for currently supported feature
>> set https://wiki.fd.io/view/VPP/NAT#Example_configuration
>>
>> Basically you need to do the following 3 steps:
>>
>> 1. To enable CGNAT mode of NAT plugin add following to startup config: “nat { deterministic }”
>> 2. Set inside and outside interfaces: set interface nat44 in <intfc> out <intfc>
>> 3. Set pool address range for inside network range: nat44 deterministic add in <addr>/<plen> out <addr>/<plen>
>>
>> That is all you can currently configure.
>>
>> Matus
>>
>> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> *On Behalf Of* Hamid via Lists.Fd.Io
>> *Sent:* Monday, March 19, 2018 1:03 PM
>> *To:* vpp-dev@lists.fd.io
>> *Cc:* vpp-dev@lists.fd.io
>> *Subject:* [vpp-dev] #vpp CGNAT implementation in VPP
>>
>> Hi,
>>
>> I have an Ubuntu server machine having 32 cores and four 1 Gigabit NICs
>> with KVM hypervisor. I want to test VPP performance for CGNAT in NAT444
>> mode while supporting routing protocols like BGP and IS-IS on VM topology
>> setup. Kindly direct me somewhere to get me started. The usage of CGNAT
>> with a pool of out address ranges and allocating port numbers is not
>> directly explained in the NAT plugin Wiki page. Any info regarding how to
>> generate packet traffic to check performance in terms of number of
>> concurrent sessions handled by CGNAT on my hardware will also be
>> appreciated.
>>
>> I have tried the progressive VPP tutorial but some of the switching
>> related exercises are not functioning as expected and there is no similar
>> tutorial or guide to apply CG-NAT along with routing as a PoC software
>> router would do.
>> Integration with FRR as per FRR wiki was also outdated and
>> could not be achieved on my setup.
>>
>> Waiting for suggestions. Thanks!