Hi John,

Thanks for the quick response. I tried as you suggested to associate the input ACL on the IP-forwarding path for tagged packets. Ingress packets are not hitting the ACL node and are dropped. However, ACLs with src/dst IP, MAC address and UDP port numbers are fine.

*Following are the configuration steps followed.*

set int ip address TenGigabitEthernet1/0/0 172.27.28.5/24
set interface state TenGigabitEthernet1/0/0 up
set int ip address TenGigabitEthernet1/0/1 172.27.29.5/24
set interface state TenGigabitEthernet1/0/1 up
create sub-interfaces TenGigabitEthernet1/0/0 100
set interface state TenGigabitEthernet1/0/0.100 up

*ACL configuration*

classify table mask l2 tag1
classify session acl-hit-next deny opaque-index 0 table-index 0 match l2 tag1 100
set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0

*Trace captured on VPP*

00:16:11:820587: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  buffer 0x4d40: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
  PKT MBUF: port 0, nb_segs 1, pkt_len 124
    buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de35040
    packet_type 0x291
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a38
    fragment id 0x0008
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:16:11:820596: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820616: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a38
    fragment id 0x0008
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:16:11:820624: ip4-drop
  UDP: 172.27.28.6 -> 172.27.29.6
    tos 0x00, ttl 255, length 106, checksum 0x2a38
    fragment id 0x0008
  UDP: 1024 -> 1024
    length 86, checksum 0xffff
00:16:11:820627: error-drop
  ip4-input: ip4 adjacency drop

I verified in the VPP code that the packet is dropped while searching for the intc arc (searching for the feature enabled on the interface). I assume associating the sub-interface with the ACL was enabling the feature. Let me know if I missed anything.

Regards,
Balaji

On Wed, Aug 2, 2017 at 9:26 PM, John Lo (loj) <l...@cisco.com> wrote:

> Hi Balaji,
>
> In order to make input ACL work on the IPv4 forwarding path, you need to
> set it as ip4-table on the interface or sub-interface. For your case for
> packets with VLAN tags, it needs to be set on the sub-interface:
>
> set int input acl intfc TenGigabitEthernet1/0/0.100 ip4-table 0
>
> The names in the CLI [ip4-table|ip6-table|l2-table] indicate to which
> forwarding path the ACL would be applied, not which packet header the ACL will
> be matched against. The match of the packet is specified with the table/session
> used in the ACL.
>
> Regards,
> John
>
> *From:* vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] *On Behalf Of *Balaji Kn
> *Sent:* Wednesday, August 02, 2017 9:41 AM
> *To:* vpp-dev@lists.fd.io
> *Cc:* l.s.abhil...@gmail.com
> *Subject:* [vpp-dev] query on L2 ACL for VLANs
>
> Hello,
>
> I am using VPP 17.07 release code (tag *v17.07*).
>
> DBGvpp# show int address
> TenGigabitEthernet1/0/0 (up):
>   172.27.28.5/24
> TenGigabitEthernet1/0/1 (up):
>   172.27.29.5/24
>
> My use case is to allow packets based on VLANs. I added an ACL rule in
> the classify table as below.
>
> classify table mask l2 tag1
> classify session acl-hit-next permit opaque-index 0 table-index 0 match l2 tag1 100
> set int input acl intfc TenGigabitEthernet1/0/0 l2-table 0
>
> Tagged packets were dropped in the ethernet node.
>
> 00:08:39:270674: dpdk-input
>   TenGigabitEthernet1/0/0 rx queue 0
>   buffer 0x4d67: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x1
>   PKT MBUF: port 0, nb_segs 1, pkt_len 124
>     buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de35a00
>     packet_type 0x291
>     Packet Offload Flags
>       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
>     Packet Types
>       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>       RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
>       RTE_PTYPE_L4_UDP (0x0200) UDP packet
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a24
>     fragment id 0x001c
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:08:39:270679: ethernet-input
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
> 00:08:39:270685: error-drop
>   ethernet-input: unknown vlan
>
> DBGvpp#
>
> Hence I created a sub-interface to allow tagged packets.
>
> create sub-interfaces TenGigabitEthernet1/0/0 100
> set interface state TenGigabitEthernet1/0/0.100 up
>
> Still the packets are not hitting the ACL node and still packets are dropped,
> this time in the ip4-input node.
>
> 00:07:42:330550: dpdk-input
>   TenGigabitEthernet1/0/0 rx queue 0
>   buffer 0x4d8e: current data 0, length 124, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
>   PKT MBUF: port 0, nb_segs 1, pkt_len 124
>     buf_len 2176, data_len 124, ol_flags 0x180, data_off 128, phys_addr 0x6de363c0
>     packet_type 0x291
>     Packet Offload Flags
>       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
>     Packet Types
>       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>       RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
>       RTE_PTYPE_L4_UDP (0x0200) UDP packet
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a25
>     fragment id 0x001b
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:07:42:330560: ethernet-input
>   IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
> 00:07:42:330572: ip4-input
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a25
>     fragment id 0x001b
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:07:42:330583: ip4-drop
>   UDP: 172.27.28.6 -> 172.27.29.6
>     tos 0x00, ttl 255, length 106, checksum 0x2a25
>     fragment id 0x001b
>   UDP: 1024 -> 1024
>     length 86, checksum 0xffff
> 00:07:42:330586: error-drop
>   ip4-input: ip4 adjacency drop
>
> Can you help me know if I am missing any configuration so that my packets
> hit the ACL node and then the ip4-input node.
>
> Please let me know if you need any information on configurations/setup.
>
> Regards,
> Balaji
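To check objectively whether a packet reached an ACL node rather than eyeballing the trace, here is a small parser (an added example, not code from this thread or from VPP) that walks a `show trace` record like the ones above and reports the node path, the error-drop reason and the 802.1q tag. The sample trace is constructed from the one quoted above, and the node name `ip4-inacl` for the ip4-table input ACL is an assumption to adjust for your build.

```python
import re

# Constructed sample, abridged from the ip4-table sub-interface trace above.
SAMPLE_TRACE = """\
00:16:11:820587: dpdk-input
  TenGigabitEthernet1/0/0 rx queue 0
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
  UDP: 172.27.28.6 -> 172.27.29.6
00:16:11:820596: ethernet-input
  IP4: 00:10:94:00:00:01 -> 24:6e:96:32:7f:98 802.1q vlan 100
00:16:11:820616: ip4-input
  UDP: 172.27.28.6 -> 172.27.29.6
00:16:11:820624: ip4-drop
00:16:11:820627: error-drop
  ip4-input: ip4 adjacency drop
"""
# A node header is "hh:mm:ss:usec: node-name"; indented lines below it are
# that node's detail until the next header.
NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{6}): (\S+)\s*$")

def parse_trace(text):
    """Split one packet's trace into [{'ts', 'node', 'detail': [...]}, ...]."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append({"ts": m.group(1), "node": m.group(2), "detail": []})
        elif nodes and line.strip():
            nodes[-1]["detail"].append(line.strip())
    return nodes

def node_path(nodes):  # ordered list of graph nodes the packet visited
    return [n["node"] for n in nodes]

def drop_reason(nodes):
    """The 'node: counter' line recorded by error-drop, or None if not dropped."""
    for n in nodes:
        if n["node"] == "error-drop" and n["detail"]:
            return n["detail"][0]
    return None

def vlan_id(text):
    """802.1q tag reported in the trace, or None for untagged packets."""
    m = re.search(r"802\.1q vlan (\d+)", text)
    return int(m.group(1)) if m else None

def acl_hit(nodes, acl_node="ip4-inacl"):
    """True if the input ACL node ran; 'ip4-inacl' is an assumed node name."""
    return acl_node in node_path(nodes)
```

For the trace in this thread the path is dpdk-input, ethernet-input, ip4-input, ip4-drop, error-drop with reason "ip4-input: ip4 adjacency drop" and no ACL node, which is exactly the symptom being discussed.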
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev