Hi John,

Thanks for the quick response.
I tried, as you suggested, associating the input ACL on the IP-forwarding path for
tagged packets. Ingress packets are not hitting the ACL node and are dropped.
However, ACLs with src/dst IP, MAC address, and UDP port numbers are fine.

*Following are the configuration steps I followed.*

set int ip address TenGigabitEthernet1/0/0 172.27.28.5/24
set interface state  TenGigabitEthernet1/0/0 up
set int ip address TenGigabitEthernet1/0/1 172.27.29.5/24
set interface state  TenGigabitEthernet1/0/1 up
create sub-interfaces TenGigabitEthernet1/0/0  100
set interface state  TenGigabitEthernet1/0/0.100 up

*ACL configuration*
classify table mask l2 tag1
classify session acl-hit-next deny opaque-index 0 table-index 0 match l2 tag1 100
set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0

*Trace captured on VPP*
00:16:11:820587: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  buffer 0x4d40: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
  PKT MBUF: port 0, nb_segs 1, pkt_len 124
    buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de35040
    packet_type 0x291
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a38
    fragment id 0x0008
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:16:11:820596: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820616: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a38
    fragment id 0x0008
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:16:11:820624: ip4-drop
    UDP: 172.27.28.6 -> 172.27.29.6
      tos 0x00, ttl 255, length 106, checksum 0x2a38
      fragment id 0x0008
    UDP: 1024 -> 1024
      length 86, checksum 0xffff
00:16:11:820627: error-drop
  ip4-input: ip4 adjacency drop

I verified in the VPP code that the packet is dropped while searching for the intfc arc
(searching for a feature enabled on the interface). I assumed that associating the
sub-interface with the ACL would enable the feature.

Let me know if I missed anything.

Regards,
Balaji
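The two traces in this thread differ only in where the packet dies: once in ethernet-input ("unknown vlan") and once in ip4-input ("ip4 adjacency drop"), and in neither case does an ACL node appear on the path. As an added example (this is not code from the thread or from the VPP project), here is a small Python parser for VPP "show trace" records that extracts the node path, the VLAN tag seen by ethernet-input, and the final drop reason, so several traces can be compared mechanically. The node-header regex, the "acl"-in-node-name heuristic and the abbreviated sample traces are my own assumptions; the samples are constructed from the traces quoted above, reduced to the lines the analysis needs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two traces quoted in this thread, abbreviated.
TRACE_L2_TABLE = """\
00:08:39:270674: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:08:39:270679: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:08:39:270685: error-drop
  ethernet-input: unknown vlan
"""

TRACE_IP4_TABLE = """\
00:16:11:820587: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820596: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820616: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
00:16:11:820624: ip4-drop
  UDP: 172.27.28.6 -> 172.27.29.6
00:16:11:820627: error-drop
  ip4-input: ip4 adjacency drop
"""

# Assumption: every graph-node entry starts at column 0 with "hh:mm:ss:usec: node-name".
NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{6}): (\S+)\s*$")


def parse_trace(text: str) -> List[Tuple[str, List[str]]]:
    """Split one packet record into (node_name, [detail lines]) in trace order."""
    nodes: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append((m.group(2), []))
        elif nodes and line.strip():
            nodes[-1][1].append(line.strip())  # indented detail belongs to the last node
    return nodes


def node_path(text: str) -> List[str]:
    """Ordered list of graph nodes the packet visited."""
    return [name for name, _ in parse_trace(text)]


def drop_reason(text: str) -> Optional[Tuple[str, str]]:
    """(dropping node, reason) from a trailing error-drop entry, else None."""
    nodes = parse_trace(text)
    if not nodes or nodes[-1][0] != "error-drop" or not nodes[-1][1]:
        return None
    node, _, reason = nodes[-1][1][0].partition(": ")
    return node, reason


def vlan_tag(text: str) -> Optional[int]:
    """802.1q tag as printed by ethernet-input, or None for untagged frames."""
    m = re.search(r"802\.1q vlan (\d+)", text)
    return int(m.group(1)) if m else None


def acl_node_seen(text: str) -> bool:
    """Heuristic (assumption): input-ACL feature nodes carry 'acl' in their name."""
    return any("acl" in name.lower() for name in node_path(text))


def summarize(text: str) -> Dict[str, object]:
    """One-line verdict per trace: path, tag, whether an ACL node ran, drop reason."""
    return {
        "path": node_path(text),
        "vlan": vlan_tag(text),
        "acl_hit": acl_node_seen(text),
        "drop": drop_reason(text),
    }


if __name__ == "__main__":
    for label, trace in (("l2-table", TRACE_L2_TABLE), ("ip4-table", TRACE_IP4_TABLE)):
        print(label, summarize(trace))
```

Running it over the two samples shows the same thing the thread observed by eye: neither path contains an ACL node, and the drop moves from ethernet-input to ip4-input once the sub-interface exists.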
On Wed, Aug 2, 2017 at 9:26 PM, John Lo (loj) <l...@cisco.com> wrote:

> Hi Balaji,
>
> In order to make input ACL work on the IPv4 forwarding path, you need to
> set it as ip4-table on the interface or sub-interface. For your case for
> packets with VLAN tags, it needs to be set on the sub-interface:
>
> set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0
>
> The names in the CLI [ip4-table|ip6-table|l2-table] indicate which
> forwarding path the ACL would be applied to, not which packet header the ACL
> will be matched against. The match of the packet is specified with the
> table/session used in the ACL.
>
> Regards,
>
> John
>
> *From:* vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] *On
> Behalf Of *Balaji Kn
> *Sent:* Wednesday, August 02, 2017 9:41 AM
> *To:* vpp-dev@lists.fd.io
> *Cc:* l.s.abhil...@gmail.com
> *Subject:* [vpp-dev] query on L2 ACL for VLANs
>
> Hello,
>
> I am using VPP 17.07 release code (tag *v17.07*).
>
> DBGvpp# show int address
> TenGigabitEthernet1/0/0 (up):
>   172.27.28.5/24
> TenGigabitEthernet1/0/1 (up):
>   172.27.29.5/24
>
> My use case is to allow packets based on VLANs. I added an ACL rule in the
> classify table as below.
>
> classify table mask l2 tag1
> classify session acl-hit-next permit opaque-index 0 table-index 0 match l2 tag1 100
> set int input acl intfc TenGigabitEthernet1/0/0 l2-table 0
>
> Tagged packets were dropped in the ethernet node.
>
> 00:08:39:270674: dpdk-input
>   TenGigabitEthernet1/0/0 rx queue 0
>   buffer 0x4d67: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x1
>   PKT MBUF: port 0, nb_segs 1, pkt_len 124
>     buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de35a00
>     packet_type 0x291
>     Packet Offload Flags
>       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
>     Packet Types
>       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>       RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
>       RTE_PTYPE_L4_UDP (0x0200) UDP packet
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a24
>     fragment id 0x001c
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:08:39:270679: ethernet-input
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
> 00:08:39:270685: error-drop
>   ethernet-input: unknown vlan
>
> DBGvpp#
>
> Hence I created a sub-interface to allow tagged packets.
>
> create sub-interfaces TenGigabitEthernet1/0/0  100
> set interface state  TenGigabitEthernet1/0/0.100 up
>
> Still the packets are not hitting the ACL node and are still dropped, this
> time in the ip4-input node.
>
> 00:07:42:330550: dpdk-input
>   TenGigabitEthernet1/0/0 rx queue 0
>   buffer 0x4d8e: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
>   PKT MBUF: port 0, nb_segs 1, pkt_len 124
>     buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de363c0
>     packet_type 0x291
>     Packet Offload Flags
>       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
>     Packet Types
>       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>       RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
>       RTE_PTYPE_L4_UDP (0x0200) UDP packet
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a25
>     fragment id 0x001b
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:07:42:330560: ethernet-input
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
> 00:07:42:330572: ip4-input
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a25
>     fragment id 0x001b
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:07:42:330583: ip4-drop
>     UDP: 172.27.28.6 -> 172.27.29.6
>       tos 0x00, ttl 255, length 106, checksum 0x2a25
>       fragment id 0x001b
>     UDP: 1024 -> 1024
>       length 86, checksum 0xffff
> 00:07:42:330586: error-drop
>   ip4-input: ip4 adjacency drop
>
> Can you help me find out if I am missing any configuration, so that my packets
> hit the ACL node and then the ip4-input node?
>
> Please let me know if you need any information on configurations/setup.
>
> Regards,
>
> Balaji
>
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev