Thanks. I don't know if it is a bug or for some other reason, but my setup works better when I add both deterministic and non-deterministic commands to get deterministic mapping. When I used only deterministic commands, I got some issues with reverse NAT translations. In particular, those internal addresses mapped to the first outside address established sessions while all other addresses did not function properly. Adding non-deterministic commands fixed the problem somehow.
About the API calls, do I need to build and run a .c program as documented here <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API> or is there a simpler approach, like the vat# console, for this purpose?

On Tue, Apr 24, 2018 at 3:20 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

> Hi,
>
> You can’t use deterministic and non-deterministic NAT commands at the same time.
>
> When you want to store active deterministic sessions somewhere you can use the API nat_det_session_dump (https://wiki.fd.io/view/VPP/NAT#API_2), just call this API periodically.
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Tuesday, April 24, 2018 11:56 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Thanks Matus.
>
> I was using namespaces to generate internal addresses and after verifying, the address range was indeed deterministic.
>
> To partially solve my logging issue, when you add the commands for deterministic and non-deterministic at the same time (start address-end address according to the outside address pool), I get back details of the current sessions through the 'show nat44 deterministic sessions' command. This command only shows the active sessions. Is there any way to make this mapping persistent/store these results in a file/database?
>
> Regards.
>
> On Tue, Apr 24, 2018 at 1:17 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Hi,
>
> Are the internal addresses you used sequential or are they randomly selected from the internal network range?
>
> Deterministic NAT uses sequential outside address and port range assignment (first block of external address goes to first address from inside network range, second block of external address goes to second address and so on).
> There is also a CLI where you can obtain the outside address and port range for a specific inside host, “nat44 deterministic forward <addr>”, and also a CLI to obtain the inside host address from a specific outside address and port pair, “nat44 deterministic reverse <addr>:<port>”.
>
> Example:
>
> DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
> DBGvpp# nat44 deterministic forward 10.0.55.6
> 1.1.1.3:<27994-28008>
> DBGvpp# nat44 deterministic forward 10.0.55.7
> 1.1.1.3:<28009-28023>
> DBGvpp# nat44 deterministic forward 10.0.55.8
> 1.1.1.3:<28024-28038>
> DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
> 10.0.16.16
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Tuesday, April 24, 2018 9:44 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Hi again,
>
> I have run into some issues while performing deterministic CG-NAT. You guys told me that we do not require logging in this case because we are sure that clients will get deterministic outside addresses according to the ratio. However, I had set the mappings ratio as 16 and have created sessions using 16 different inside addresses. In the case of deterministic, they should all map to a single outside address and then the 17th different inside address should be attached to a different outside address. This is not the case for me as 10 sessions are going to the 1st address and the other 6 are mapped to the second one.
>
> There is currently no way to track this other than tcpdump. In the normal nat44, there is a show nat44 addresses which gives some idea about the mappings, but the show nat44 deterministic mappings (in stable/1804) only provides the ratio and number of ports calculated, which is not too helpful.
>
> Looking for better ideas to track these addresses or make them truly deterministic. Thanks.
>
> On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Src address is a mandatory parameter
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Monday, April 23, 2018 7:31 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Is the src <IP address> necessary in the netflow export collector command? I have ping connectivity with the collector but still I am unable to get any flows to be visible.
>
> It is a bit odd because I only want to verify the inside address:inside port and outside address:outside port and for that you need an extra setup.
>
> Thanks.
>
> On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool <14mseesras...@seecs.edu.pk> wrote:
>
> No luck with the tcpdump (it only shows the broadcast routing protocol messages from a virtual router interface that it is connected with; my test bed topology has multiple hosts) during the ipfix flush command either.
>
> Are there any logs for ipfix / NAT translation logs stored on the local machine where vpp is running? So far the only way you can obtain the translated ports currently is by running tcpdump on the vpp machine outbound interface, but that is not viable to maintain logging. I have tried running tcpdump on the vpp machine on the interface which is used to check ping connectivity with the collector machine and have still not observed anything relevant.
>
> Thanks.
>
> On Mon, Apr 16, 2018 at 3:52 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> This should send some IPfix NAT44 session create events. Do you observe any traffic in tcpdump at the collector machine when you use “ipfix flush”? This command should at least send IPfix templates.
>
> Matus
>
> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> *On Behalf Of *Hamid via Lists.Fd.Io
> *Sent:* Monday, April 16, 2018 12:17 PM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Currently I have just 1 client connected.
>
> vpp# show nat44 sessions
> NAT44 sessions:
> 100.64.0.1: 100 dynamic translations, 0 static translations
>
> Here are all of the VPP commands used (involve a few TAP and bvi interfaces):
> Is there a command history option in the vpp cli?
>
> loopback create
> set int l2 bridge loop0 1 bvi
> set int ip address loop0 192.168.10.1/24
> set int state loop0 up
>
> tap connect lstack address 192.168.10.2/24
> set int l2 bridge tapcli-0 1
> set int state tapcli-0 up
>
> loopback create
> set int l2 bridge loop1 2 bvi
> set int ip address loop1 192.168.100.1/24
> set int state loop1 up
>
> tap connect lstack1 address 192.168.100.2/24
> set int l2 bridge tapcli-1 2
> set int state tapcli-1 up
>
> nat44 add interface address loop0
> set interface nat44 in loop1 out loop0
> nat44 add address 192.168.10.20 - 192.168.10.30
>
> set int l2 bridge GigabitEthernet0/3/0 1
> set int state GigabitEthernet0/3/0 up
>
> ip route add 100.64.0.0/24 via 192.168.100.2
> ip route add 0.0.0.0/0 via 192.168.10.3
>
> set ipfix exporter collector 192.168.4.3 port 2055 src 192.168.10.1
> nat ipfix logging
>
> On Mon, Apr 16, 2018 at 3:07 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> How many NAT sessions does the client create? IPfix should send at least templates each 20 seconds if there is no data. You can manually send cached IPfix data and templates by “ipfix flush”. Could you please provide your VPP config (all used CLI config commands)?
> There are a couple of NAT IPfix tests and all pass.
>
> Matus
>
> *From:* Hamid Rasool <hamidras...@gmail.com>
> *Sent:* Monday, April 16, 2018 11:09 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev <vpp-dev@lists.fd.io>
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> I have not made any changes to the default startup config, i.e. there is no 'nat { }' present in the config and the plugins and dpdk sections are commented out.
>
> I want these templates for NAT44 Session create and NAT44 Session delete events:
>
> observationTimeMilliseconds   64
> natEvent                      8
> sourceIPv4Address             32
> postNATSourceIPv4Address      32
> protocolIdentifier            8
> sourceTransportPort           16
> postNAPTSourceTransportPort   16
>
> I have also moved to master since last week (and have noticed some details added to show nat44 commands), my version is now: vpp v18.07-rc0~26-ge150238
>
> Thanks.
>
> On Mon, Apr 16, 2018 at 12:50 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Hi,
>
> What is your NAT plugin config and what NAT IPfix event do you want to trigger?
>
> Matus
>
> *From:* Hamid Rasool <hamidras...@gmail.com>
> *Sent:* Monday, April 16, 2018 9:12 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev <vpp-dev@lists.fd.io>
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Hi Matus,
>
> I have tried setting up NFSen and NFDump on a logically connected VM with my VPP instance.
> I have then used the 2 commands that you added in the Wiki:
>
> vpp# set ipfix exporter collector 192.168.4.3 port 2055(listening port) src 192.168.10.1(outbound interface IP)
> vpp# nat ipfix logging
>
> The graphs did not show anything after I passed iperf and ping traffic from the CG-NAT host clients, and I did not even observe any traffic in tcpdump at the collector machine. I have verified ping connectivity from the VPP machine to the collector machine and the conf files + netstat to verify the listening port.
>
> Does VPP maintain any local logs for the ipfix exports?
>
> Regards.
>
> On Mon, Apr 9, 2018 at 11:39 AM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Only CLI commands, no startup config changes required
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Monday, April 9, 2018 8:06 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Thanks again Matus. Especially for updating the Wiki!
>
> Do I need to change anything in the startup config to enable ipfix in NAT or do the CLI commands in the example config work as standard?
>
> On Mon, Apr 9, 2018 at 10:20 AM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Supported templates for deterministic NAT: https://wiki.fd.io/view/VPP/NAT#IPFIX_templates
> Supported templates for standard NAT: https://wiki.fd.io/view/VPP/NAT#NAT_IPFIX_logging
> IPFix data and template records are transmitted over UDP (https://tools.ietf.org/html/rfc7011, https://tools.ietf.org/html/rfc8158)
> IPFix example configuration: https://wiki.fd.io/view/VPP/NAT#Enable_NAT_plugin_IPFIX_logging_example
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Friday, April 6, 2018 4:23 PM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Thanks Matus for the rapid response. The del command did the trick and I will try to repeat the setup for the 18.04-rc1 build. I also got some more info through the command 'show nat44 detail' which did not show up by ? in the CLI by default.
>
> About IPFIX logging, can you suggest an example template to perform the logging:
>
> e.g.
>
> nat {
>   NAT44 Addresses exhausted
>   NAT44 Session create
>   NAT44 Session delete
> }
>
> Also, any pointers to access these IPFIX logs for nat session details without using deterministic NAT once the logging has been enabled would also be very helpful.
>
> Regards,
> Hamid
>
> On Fri, Apr 6, 2018 at 3:42 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> “show nat44 deterministic mappings” probably doesn’t work because you use an older version of the VPP (this was changed in 1804)
> To delete a NAT deterministic mapping use “nat44 deterministic add in <addr>/<plen> out <addr>/<plen> del”
> Currently you can’t allocate a specific number of ports of the external address to the internal clients.
> It is possible to implement this, patches are welcome.
> The NAT plugin uses IPfix for logging events https://wiki.fd.io/view/VPP/NAT#IPFIX_templates. Deterministic NAT doesn’t log sessions since the internal address is statically mapped to a set of external ports of the address (the purpose of deterministic NAT is to reduce logging https://tools.ietf.org/html/rfc7422).
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Friday, April 6, 2018 12:16 PM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Thanks Fabian.
>
> I have configured these steps and it seems to work (although some variations of the nat deterministic add command caused vpp to crash and reset configurations). However, there is another command in the VPP/NAT wiki, "show nat44 deterministic mappings", which does not seem to work.
> Only the "show nat44" command seems to work:
>
> vpp# nat44 deterministic add in 10.10.3.0/25 out 192.168.100.64/28
> vpp# show nat44
> NAT plugin mode: deterministic mapping
> udp timeout: 300sec
> tcp-established timeout: 7440sec
> tcp-transitory timeout: 240sec
> icmp timeout: 60sec
> 1 deterministic mappings
>
> I want to ask how we can delete a pool mapping once we have set it, or even change it, because there seem to be no options to do that. Another query is about how we can allocate a specific number of ports of the external address to the internal clients. Let's say I want to map 8 internal addresses to 1 external for a pool of external addresses, which makes about 8000 ports (out of 65000) for each internal address. Is there any way to implement this?
> Last question for now, where are the session logs stored for NAT for each flow of packets? Does VPP provide syslog stats or any flow records for nat sessions?
>
> Thanks again!
>
> On Mon, Mar 19, 2018 at 5:19 PM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Hi,
>
> There is an example of CGNAT configuration for the currently supported feature set https://wiki.fd.io/view/VPP/NAT#Example_configuration
>
> Basically you need to do the following 3 steps:
> To enable CGNAT mode of the NAT plugin add the following to the startup config: “nat { deterministic }”
> Set inside and outside interfaces: set interface nat44 in <intfc> out <intfc>
> Set pool address range for inside network range: nat44 deterministic add in <addr>/<plen> out <addr>/<plen>
>
> That is all you can currently configure.
>
> Matus
>
> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> *On Behalf Of *Hamid via Lists.Fd.Io
> *Sent:* Monday, March 19, 2018 1:03 PM
> *To:* vpp-dev@lists.fd.io
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* [vpp-dev] #vpp CGNAT implementation in VPP
>
> Hi,
> I have an Ubuntu server machine having 32 cores and four 1 Gigabit NICs with KVM hypervisor. I want to test VPP performance for CGNAT in NAT444 mode while supporting routing protocols like BGP and IS-IS on a VM topology setup. Kindly direct me somewhere to get me started. The usage of CGNAT with a pool of outside address ranges and allocating port numbers is not directly explained in the NAT plugin Wiki page. Any info regarding how to generate packet traffic to check performance in terms of number of concurrent sessions handled by CGNAT on my hardware will also be appreciated.
> I have tried the progressive VPP tutorial but some of the switching related exercises are not functioning as expected and there is no similar tutorial or guide to apply CG-NAT along with routing as a PoC software router would do. Integration with FRR as per the FRR wiki was also outdated and could not be achieved on my setup.
> Waiting for suggestions. Thanks!
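Added worked example (not code from the thread or from VPP itself): the sequential outside-address and port-block assignment Matus describes, written out in Python so that the forward and reverse lookups reproduce the DBGvpp# output quoted above for `in 10.0.0.0/18 out 1.1.1.1/30`. How the sharing ratio and the per-host port block are derived from the two prefix lengths is my assumption about the det44 plugin, checked only against those quoted numbers; it also shows that a mapping like `in 10.10.3.0/25 out 192.168.100.64/28` fixes both values from the prefixes alone.

```python
import ipaddress

# Ports below 1024 are never handed out; the rest is split into equal blocks.
FIRST_PORT = 1024
LAST_PORT = 65535


class DetMapping:
    """Deterministic NAT44 inside->outside mapping (reconstruction, assumed to
    match VPP det44: sharing ratio and block size follow from the prefixes)."""

    def __init__(self, inside_cidr: str, outside_cidr: str):
        # strict=False masks host bits, so "1.1.1.1/30" becomes 1.1.1.0/30
        self.inside = ipaddress.ip_network(inside_cidr, strict=False)
        self.outside = ipaddress.ip_network(outside_cidr, strict=False)
        # inside hosts sharing one outside address (16384 / 4 = 4096 above)
        self.sharing_ratio = self.inside.num_addresses // self.outside.num_addresses
        # port block per inside host; the remainder of the range stays unused
        self.ports_per_host = (LAST_PORT - FIRST_PORT + 1) // self.sharing_ratio

    def forward(self, inside_ip: str):
        """Outside address and port block, as 'nat44 deterministic forward'."""
        in_off = int(ipaddress.ip_address(inside_ip)) - int(self.inside.network_address)
        if not 0 <= in_off < self.inside.num_addresses:
            raise ValueError(f"{inside_ip} is not inside {self.inside}")
        out_addr = self.outside.network_address + in_off // self.sharing_ratio
        lo = FIRST_PORT + self.ports_per_host * (in_off % self.sharing_ratio)
        return str(out_addr), lo, lo + self.ports_per_host - 1

    def reverse(self, outside_ip: str, port: int):
        """Inside host owning outside_ip:port, as 'nat44 deterministic reverse'."""
        out_off = int(ipaddress.ip_address(outside_ip)) - int(self.outside.network_address)
        if not 0 <= out_off < self.outside.num_addresses:
            raise ValueError(f"{outside_ip} is not inside {self.outside}")
        last_used = FIRST_PORT + self.ports_per_host * self.sharing_ratio - 1
        if not FIRST_PORT <= port <= last_used:
            raise ValueError(f"port {port} is outside the deterministic range")
        in_off = out_off * self.sharing_ratio + (port - FIRST_PORT) // self.ports_per_host
        return str(self.inside.network_address + in_off)


if __name__ == "__main__":
    # Same mapping as the DBGvpp# example in the thread.
    m = DetMapping("10.0.0.0/18", "1.1.1.1/30")
    print(f"sharing ratio {m.sharing_ratio}, {m.ports_per_host} ports per host")
    for host in ("10.0.55.6", "10.0.55.7", "10.0.55.8"):
        addr, lo, hi = m.forward(host)
        print(f"{host} -> {addr}:<{lo}-{hi}>")
    print("1.1.1.1:1276 ->", m.reverse("1.1.1.1", 1276))
```

Because the mapping is pure arithmetic, a collector only needs the prefixes and the timestamp of a flow to attribute an outside address:port back to an inside host, which is the logging reduction RFC 7422 is after.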