Re: [vpp-dev] NAT44 && vxlan tunnel conflict

wangchuan...@163.com Tue, 30 Oct 2018 19:26:03 -0700

I want to use the vpp as the data forwarding center through vxlan tunnel, and 
the server-PC VPP running on can be SSH-login at remote PC.
PC2 <-> PC1 disconnected after add NAT (tapSSH - TenGigabitEthernet8/0/0).
My current main doubts is that how can I limit the NAT44 only work at SSH(port 
22 tcp)?


The topology is show below: 
################cmd config like:#######################
BASE:
set int state TenGigabitEthernet8/0/0 up
set int ip addr TenGigabitEthernet8/0/0 172.16.4.2/24

create bridge-domain 9999 learn 1 forward 1 uu-flood 1 flood 1 arp-term 1
loopback create
set int l2 bridge loop0 9999 bvi
set int ip address loop0 192.168.120.1/24
set int state loop0 up

tap connect tapSSH address 192.168.120.2/24
set int l2 bridge tapcli-0 9999
set int state tapcli-0 up

create vxlan tunnel src 172.16.4.2 dst 172.16.4.177 vni 100
set interface l2 bridge vxlan_tunnel0 9999
create vxlan tunnel src 172.16.4.2 dst 172.16.4.188 vni 100
set interface l2 bridge vxlan_tunnel1 9999

#NAT
nat44 add interface address TenGigabitEthernet8/0/0
set interface nat44 in loop0 out TenGigabitEthernet8/0/0
nat44 add static mapping local 192.168.120.2 22 external 
TenGigabitEthernet8/0/0 22 tcp


#################and trace is show below#######################
BASE：
00:24:38:826034: dpdk-input
  TenGigabitEthernet8/0/0 rx queue 0
  buffer 0x18d92: current data 14, length 134, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x2
                  ext-hdr-valid 
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 
l3-hdr-offset 14 
  PKT MBUF: port 1, nb_segs 1, pkt_len 148
    buf_len 2176, data_len 148, ol_flags 0x180, data_off 128, phys_addr 
0x6de36500
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:25:7c:30:05:ec -> 00:a0:c9:00:00:02
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 134, checksum 0x12ba
    fragment id 0x06da
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:24:38:826037: ip4-input-no-checksum
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 134, checksum 0x12ba
    fragment id 0x06da
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:24:38:826040: ip4-lookup
  fib 0 dpo-idx 7 flow hash: 0x00000000
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 134, checksum 0x12ba
    fragment id 0x06da
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:24:38:826041: ip4-local
    UDP: 172.16.4.177 -> 172.16.4.2
      tos 0x00, ttl 64, length 134, checksum 0x12ba
      fragment id 0x06da
    UDP: 4789 -> 4789
      length 114, checksum 0x0000
00:24:38:826042: ip4-udp-lookup
  UDP: src-port 4789 dst-port 4789
00:24:38:826043: vxlan4-input
  VXLAN decap from vxlan_tunnel0 vni 100 next 1 error 0
00:24:38:826051: l2-input
  l2-input: sw_if_index 5 dst 00:25:7c:30:05:ef src 00:25:7c:30:05:eb
00:24:38:826053: l2-learn
  l2-learn: sw_if_index 5 dst 00:25:7c:30:05:ef src 00:25:7c:30:05:eb bd_index 1
00:24:38:826057: l2-fwd
  l2-fwd:   sw_if_index 5 dst 00:25:7c:30:05:ef src 00:25:7c:30:05:eb bd_index 1
00:24:38:826058: l2-output
  l2-output: sw_if_index 6 dst 00:25:7c:30:05:ef src 00:25:7c:30:05:eb data 08 
00 45 00 00 54 ac 4b 40 00 40 01
00:24:38:826058: vxlan4-encap
  VXLAN encap to vxlan_tunnel1 vni 100
00:24:38:826060: ip4-load-balance
  fib 6 dpo-idx 20 flow hash: 0x00010001
  UDP: 172.16.4.2 -> 172.16.4.188
    tos 0x00, ttl 254, length 134, checksum 0x5b88
    fragment id 0x0000
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:24:38:826061: ip4-rewrite
  tx_sw_if_index 2 dpo-idx 5 : ipv4 via 172.16.4.188 TenGigabitEthernet8/0/0: 
mtu:1500 00257c3005f000a0c90000020800 flow hash: 0x00010001
  00000000: 00257c3005f000a0c900000208004500008600000000fd115c88ac100402ac10
  00000020: 04bc12b512b500720000080000000000640000257c3005ef00257c30
00:24:38:826062: TenGigabitEthernet8/0/0-output
  TenGigabitEthernet8/0/0
  IP4: 00:a0:c9:00:00:02 -> 00:25:7c:30:05:f0
  UDP: 172.16.4.2 -> 172.16.4.188
    tos 0x00, ttl 253, length 134, checksum 0x5c88
    fragment id 0x0000
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:24:38:826063: TenGigabitEthernet8/0/0-tx
  TenGigabitEthernet8/0/0 tx queue 2
  buffer 0x18d92: current data 0, length 148, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x2
                  ext-hdr-valid 
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 
l3-hdr-offset 14 
  PKT MBUF: port 1, nb_segs 1, pkt_len 148
    buf_len 2176, data_len 148, ol_flags 0x180, data_off 128, phys_addr 
0x6de36500
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:a0:c9:00:00:02 -> 00:25:7c:30:05:f0
  UDP: 172.16.4.2 -> 172.16.4.188
    tos 0x00, ttl 253, length 134, checksum 0x5c88
    fragment id 0x0000
  UDP: 4789 -> 4789
    length 114, checksum 0x0000


BASE ADD NAT44：
00:28:19:652316: dpdk-input
  TenGigabitEthernet8/0/0 rx queue 0
  buffer 0x10669: current data 14, length 134, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x2
                  ext-hdr-valid 
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 
l3-hdr-offset 14 
  PKT MBUF: port 1, nb_segs 1, pkt_len 148
    buf_len 2176, data_len 148, ol_flags 0x180, data_off 128, phys_addr 
0x6e019ac0
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:25:7c:30:05:ec -> 00:a0:c9:00:00:02
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 134, checksum 0xaa25
    fragment id 0x6f6e
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:28:19:652318: ip4-input-no-checksum
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 134, checksum 0xaa25
    fragment id 0x6f6e
  UDP: 4789 -> 4789
    length 114, checksum 0x0000
00:28:19:652320: nat44-out2in-worker-handoff
  NAT44_OUT2IN_WORKER_HANDOFF: next worker 1



wangchuan...@163.com
 
From: Dave Barach (dbarach)
Date: 2018-10-30 20:19
To: wangchuan...@163.com; vpp-dev
Subject: RE: RE: [vpp-dev] NAT44 && vxlan tunnel conflict
Please send the exact config you used, and the relevant packet tracer output. 
 
From: wangchuan...@163.com <wangchuan...@163.com> 
Sent: Tuesday, October 30, 2018 1:13 AM
To: Dave Barach (dbarach) <dbar...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: RE: [vpp-dev] NAT44 && vxlan tunnel conflict
 
The attempt failed！  Adding static mapping to bvi or tap-in-OS both does not 
work.
Is there any cmd that can remove the NAT logic of udp-4789 from NAT44？
 
Help
please！
 


wangchuan...@163.com
 
From: Dave Barach (dbarach)
Date: 2018-10-29 22:25
To: wangchuan...@163.com; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] NAT44 && vxlan tunnel conflict
The NAT plugin is tossing vxlan out-to-in packets. You’ll get different results 
if you add a static mapping for (UDP, 4789) packets – maybe not the desired 
result, but at least a different result...
 
D. 
 
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of 
wangchuan...@163.com
Sent: Monday, October 29, 2018 4:13 AM
To: vpp-dev <vpp-dev@lists.fd.io>
Subject: [vpp-dev] NAT44 && vxlan tunnel conflict
 
Hi all,
    I want to login PC1 through SSH2 where vpp is running, and the VPP is used 
as the VXLAN translate center(only 1 ip).
However, I found some error!  
Data from vxlan tunnel 1 were dropped, which should be decaped at one 
vxlan-tunnel-1 and transmited out from vxlan-tunnel-2.
 
How can I achieve my goal?
Help please!



#####REMARK######



SSH:    172.16.4.3  ----(SSH2)----  172.16.4.2 ----(NAT44)---  192.168.120.2
VXLAN:    172.16.4.177   ----(vxlan)----  172.16.4.2    ----  (NAT44)       --  
  drop 
                                                                                
                      ( desired： vxlan-decap -> br -> vxlan-encap -> 
TenGigabitEthernet6/0/0-tx ）
 
trace：
00:31:35:400543: dpdk-input
  TenGigabitEthernet6/0/0 rx queue 0
  buffer 0x12c31: current data 14, length 164, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x0
                  ext-hdr-valid 
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 
l3-hdr-offset 14 
  PKT MBUF: port 0, nb_segs 1, pkt_len 178
    buf_len 2176, data_len 178, ol_flags 0x180, data_off 128, phys_addr 
0x708b0cc0
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:25:7c:30:05:ec -> 00:a0:c9:00:00:00
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 164, checksum 0x4902
    fragment id 0x1743, flags DONT_FRAGMENT
  UDP: 4789 -> 4789
    length 144, checksum 0x5ceb
00:31:35:400565: ip4-input-no-checksum
  UDP: 172.16.4.177 -> 172.16.4.2
    tos 0x00, ttl 64, length 164, checksum 0x4902
    fragment id 0x1743, flags DONT_FRAGMENT
  UDP: 4789 -> 4789
    length 144, checksum 0x5ceb


00:31:35:400581: nat44-out2in
  NAT44_OUT2IN: sw_if_index 1, next index 0, session index -1
00:31:35:400596: error-drop
  nat44-out2in: No translation





****configure cmd line*************
set int state TenGigabitEthernet6/0/0 up
set int ip addr TenGigabitEthernet6/0/0 172.16.4.2/24

create bridge-domain 9999 learn 1 forward 1 uu-flood 1 flood 1 arp-term 1
loopback create
set int l2 bridge loop0 9999 bvi
set int ip address loop0 192.168.120.1/24
set int state loop0 up
tap connect tapOS address 192.168.120.2/24
set int l2 bridge tapcli-0 9999
set int state tapcli-0 up

create vxlan tunnel src 172.16.4.2 dst 172.16.4.177 vni 100
set interface l2 bridge vxlan_tunnel0 9999
create vxlan tunnel src 172.16.4.2 dst 172.16.4.188 vni 100
set interface l2 bridge vxlan_tunnel0 9999

nat44 add interface address TenGigabitEthernet6/0/0
set interface nat44 in loop0 out TenGigabitEthernet6/0/0
nat44 add static mapping local 192.168.120.2 22 external 
TenGigabitEthernet6/0/0 22 tcp
 


wangchuan...@163.com

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#11044): https://lists.fd.io/g/vpp-dev/message/11044
Mute This Topic: https://lists.fd.io/mt/27779539/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] NAT44 && vxlan tunnel conflict

Reply via email to