Hello all,

I am trying to configure NAT and VPP to run together, but it's not working.

My configuration is as follows:

version: vpp v18.10-release built by root on 41f0552eeae3

Interfaces:

    GigabitEthernet1/0/0 (up):
      L3 100.69.1.1/24
      L3 2001:xxx:xxx:600::1/56
    GigabitEthernet1/0/1 (up):
      L3 xxx.79.223.14/29
      L3 2001:xxx:xxx:10d::600/64

Policer config with default route:

    configure policer name policy1 cir 500 eir 0 cb 5000 eb 15000 rate kbps round closest type 1r3c conform-action transmit exceed-action mark-and-transmit AF22 violate-action drop
    configure policer name policy2 cir 750 eir 0 cb 7500 eb 20000 rate kbps round closest type 1r3c conform-action transmit exceed-action mark-and-transmit AF22 violate-action drop
    classify table mask l3 ip4 src
    classify table mask l3 ip4 dst
    classify session policer-hit-next policy1 exceed-color table-index 0 match l3 ip4 src 100.69.1.4
    classify session policer-hit-next policy2 exceed-color table-index 1 match l3 ip4 dst 100.69.1.4
    set policer classify interface GigabitEthernet1/0/0 ip4-table 0
    set policer classify interface GigabitEthernet1/0/1 ip4-table 1
    ip route add 0.0.0.0/0 via xxx.79.223.9 GigabitEthernet1/0/1
    ip route add ::/0 via 2001:xxx:xxxx:10d::1 GigabitEthernet1/0/1

At this point, if I do a wget at 100.69.1.4 to download from xxx.79.223.9, the speed is about 1mbps, but ranging from about 1.5mbps to 831kbps

    /dev/null 14%[===> ] 75.30M 1.18Mb/s

The packet trace shows:

100.69.1.4 -> xxx.79.223.9

    01:10:21:269382: dpdk-input
      GigabitEthernet1/0/0 rx queue 0
    01:10:21:269383: ip4-input-no-checksum
    01:10:21:269384: ip4-policer-classify
    01:10:21:269384: ip4-lookup
    01:10:21:269384: ip4-rewrite
    01:10:21:269384: GigabitEthernet1/0/1-output
    01:10:21:269385: GigabitEthernet1/0/1-tx

xxx.79.223.9 -> 100.69.1.4

    01:10:21:268964: dpdk-input
      GigabitEthernet1/0/1 rx queue 0
    01:10:21:268970: ip4-input-no-checksum
    01:10:21:268973: ip4-policer-classify
    01:10:21:268974: ip4-lookup
    01:10:21:268975: ip4-rewrite
    01:10:21:268976: GigabitEthernet1/0/0-output
    01:10:21:268976: GigabitEthernet1/0/0-tx

Now adding NAT using the commands:

    nat44 add interface address GigabitEthernet1/0/1
    set interface nat44 in GigabitEthernet1/0/0 out GigabitEthernet1/0/1

Policer stops working at this point. Traces show:

100.69.1.4 -> xxx.79.223.9

    01:23:19:656284: dpdk-input
      GigabitEthernet1/0/0 rx queue 0
    01:23:19:656285: ip4-input-no-checksum
    01:23:19:656285: nat44-in2out
    01:23:19:656285: ip4-lookup
    01:23:19:656286: ip4-rewrite
    01:23:19:656286: GigabitEthernet1/0/1-output
    01:23:19:656286: GigabitEthernet1/0/1-tx

xxx.79.223.9 -> xxx.79.223.14

    01:23:19:656289: dpdk-input
      GigabitEthernet1/0/1 rx queue 0
    01:23:19:656290: ip4-input-no-checksum
    01:23:19:656290: nat44-out2in
    01:23:19:656290: ip4-lookup
    01:23:19:656290: ip4-rewrite
    01:23:19:656290: GigabitEthernet1/0/0-output
    01:23:19:656291: GigabitEthernet1/0/0-tx

The traces show that when NAT is enabled, policer nodes are not getting traversed.

Ideally 100.69.1.4 -> xxx.79.223.9 should have

    ip4-input-no-checksum -> ip4-policer-classify -> nat44-in2out -> ip4-lookup

and xxx.79.223.9 -> 100.69.1.4 should have

    ip4-input-no-checksum -> nat44-in2out -> ip4-policer-classify -> ip4-lookup

Is such a configuration possible? How can I configure VPP for it? Is there any incompatibility between NAT and Policer?

Thanks and Regards,
Raj
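
An added example, not part of the original post and not VPP project code: a small Python check that parses trace output in the layout shown above and lists the packets that reached ip4-lookup without first passing through ip4-policer-classify, which is the symptom the post describes. The sample trace is constructed from the node names in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: "Packet N" blocks using the node names from the traces
# in the post (packet 1 before NAT was enabled, packets 2 and 3 after).
SAMPLE_TRACE = """\
Packet 1
01:10:21:269382: dpdk-input
  GigabitEthernet1/0/0 rx queue 0
01:10:21:269383: ip4-input-no-checksum
01:10:21:269384: ip4-policer-classify
01:10:21:269384: ip4-lookup
01:10:21:269384: ip4-rewrite
Packet 2
01:23:19:656284: dpdk-input
  GigabitEthernet1/0/0 rx queue 0
01:23:19:656285: ip4-input-no-checksum
01:23:19:656285: nat44-in2out
01:23:19:656285: ip4-lookup
Packet 3
01:23:19:656289: dpdk-input
  GigabitEthernet1/0/1 rx queue 0
01:23:19:656290: ip4-input-no-checksum
01:23:19:656290: nat44-out2in
01:23:19:656290: ip4-lookup
"""

NODE_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{6}: (\S+)\s*$")  # timestamp: node
PACKET_LINE = re.compile(r"^Packet (\d+)\s*$")

def node_paths(trace_text):
    """Return {packet number: [graph nodes in traversal order]}."""
    paths, current = {}, None
    for line in trace_text.splitlines():
        m = PACKET_LINE.match(line)
        if m:
            current = int(m.group(1))
            paths[current] = []
            continue
        m = NODE_LINE.match(line)  # indented detail lines do not match
        if m and current is not None:
            paths[current].append(m.group(1))
    return paths

def packets_missing(trace_text, required="ip4-policer-classify", before="ip4-lookup"):
    """Packets that reached `before` without traversing `required` first."""
    return [pkt for pkt, nodes in node_paths(trace_text).items()
            if before in nodes and required not in nodes[:nodes.index(before)]]

if __name__ == "__main__":
    print("packets that bypassed the policer:", packets_missing(SAMPLE_TRACE))
```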