Hi Andrew,

VPP version: vpp v17.10-release

Packet trace:
- vpp# trace add dpdk-input 100
- started ping from 192.168.3.16 to 192.168.2.181
- vpp# show trace

GigabitEthernet0/14/0    :    idx 1
tap-0                               :    idx 9

GigabitEthernet0/14/0.2    :    idx 11
tap-1                                  :    idx 12

GigabitEthernet0/14/0.3    :    idx 14
tap-2                                  :    idx 15

Packet 3

18:47:54:765589: dpdk-input
  GigabitEthernet0/14/0 rx queue 0
  buffer 0x1ac8e: current data 0, length 60, free-list 0, clone-count
0, totlen-nifb 0, trace 0x2
  PKT MBUF: port 0, nb_segs 1, pkt_len 60
    buf_len 2176, data_len 60, ol_flags 0x180, data_off 128, phys_addr
0x6b1b23c0
    packet_type 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
  0x0026: 40:a5:ef:89:fc:a0 -> 01:80:c2:00:00:00 802.1q vlan 2
18:47:54:765593: ethernet-input
  0x0026: 40:a5:ef:89:fc:a0 -> 01:80:c2:00:00:00 802.1q vlan 2
18:47:54:765597: l2-input
  l2-input: sw_if_index 11 dst 01:80:c2:00:00:00 src 40:a5:ef:89:fc:a0
18:47:54:765598: l2-input-classify
  l2-classify: sw_if_index 11, table -1, offset 0, next 12
18:47:54:765600: l2-input-vtr
  l2-input-vtr: sw_if_index 11 dst 01:80:c2:00:00:00 src
40:a5:ef:89:fc:a0 data 00 26 42 42 03 00 00 00 00 00 7f ff
18:47:54:765601: l2-learn
  l2-learn: sw_if_index 11 dst 01:80:c2:00:00:00 src 40:a5:ef:89:fc:a0
bd_index 2
18:47:54:765602: l2-flood
  l2-flood: sw_if_index 11 dst 01:80:c2:00:00:00 src 40:a5:ef:89:fc:a0
bd_index 2
18:47:54:765604: l2-output
  l2-output: sw_if_index 12 dst 01:80:c2:00:00:00 src
40:a5:ef:89:fc:a0 data 00 26 42 42 03 00 00 00 00 00 7f ff
18:47:54:765605: tap-1-output
  tap-1
  0x0026: 40:a5:ef:89:fc:a0 -> 01:80:c2:00:00:00
18:47:54:765620: l2-flood
  l2-flood: sw_if_index 11 dst 42:42:03:00:00:00 src 00:00:7f:ff:40:a5
bd_index 2
18:47:54:765622: error-drop
  l2-flood: BVI packet with unhandled ethertype

Packet 5

18:47:55:725667: dpdk-input
  GigabitEthernet0/14/0 rx queue 0
  buffer 0x3c987: current data 0, length 60, free-list 0, clone-count
0, totlen-nifb 0, trace 0x4
  PKT MBUF: port 0, nb_segs 1, pkt_len 60
    buf_len 2176, data_len 60, ol_flags 0x180, data_off 128, phys_addr
0x6ba26200
    packet_type 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
  0x0026: 40:a5:ef:89:fc:a0 -> 01:80:c2:00:00:00 802.1q vlan 3
18:47:55:725672: ethernet-input
  0x0026: 40:a5:ef:89:fc:a0 -> 01:80:c2:00:00:00 802.1q vlan 3
18:47:55:725676: l2-input
  l2-input: sw_if_index 14 dst 01:80:c2:00:00:00 src 40:a5:ef:89:fc:a0
18:47:55:725677: l2-input-classify
  l2-classify: sw_if_index 14, table -1, offset 0, next 12
18:47:55:725678: l2-input-vtr
  l2-input-vtr: sw_if_index 14 dst 01:80:c2:00:00:00 src
40:a5:ef:89:fc:a0 data 00 26 42 42 03 00 00 00 00 00 7f ff
18:47:55:725678: l2-learn
  l2-learn: sw_if_index 14 dst 01:80:c2:00:00:00 src 40:a5:ef:89:fc:a0
bd_index 3
18:47:55:725679: l2-flood
  l2-flood: sw_if_index 14 dst 01:80:c2:00:00:00 src 40:a5:ef:89:fc:a0
bd_index 3
18:47:55:725680: l2-output
  l2-output: sw_if_index 15 dst 01:80:c2:00:00:00 src
40:a5:ef:89:fc:a0 data 00 26 42 42 03 00 00 00 00 00 7f ff
18:47:55:725681: tap-2-output
  tap-2
  0x0026: 40:a5:ef:89:fc:a0 -> 01:80:c2:00:00:00
18:47:55:725696: l2-flood
  l2-flood: sw_if_index 14 dst 42:42:03:00:00:00 src 00:00:7f:ff:aa:a9
bd_index 3
18:47:55:725697: error-drop
  l2-flood: BVI packet with unhandled ethertype


Packet 8

18:47:56:729547: dpdk-input
  GigabitEthernet0/14/0 rx queue 0
  buffer 0x2b6e: current data 0, length 330, free-list 0, clone-count
0, totlen-nifb 0, trace 0x7
  PKT MBUF: port 0, nb_segs 1, pkt_len 330
    buf_len 2176, data_len 330, ol_flags 0x180, data_off 128,
phys_addr 0x6abadbc0
    packet_type 0x211
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 74:da:38:0d:43:59 -> ff:ff:ff:ff:ff:ff 802.1q vlan 3
  UDP: 192.168.3.16 -> 192.168.3.255
    tos 0x00, ttl 64, length 312, checksum 0xa64a
    fragment id 0x4b0b
  UDP: 17500 -> 17500
    length 292, checksum 0x5510
18:47:56:729550: ethernet-input
  IP4: 74:da:38:0d:43:59 -> ff:ff:ff:ff:ff:ff 802.1q vlan 3
18:47:56:729553: l2-input
  l2-input: sw_if_index 14 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
18:47:56:729554: l2-input-classify
  l2-classify: sw_if_index 14, table -1, offset 0, next 12
18:47:56:729555: l2-input-vtr
  l2-input-vtr: sw_if_index 14 dst ff:ff:ff:ff:ff:ff src
74:da:38:0d:43:59 data 08 00 45 00 01 38 4b 0b 00 00 40 11
18:47:56:729555: l2-learn
  l2-learn: sw_if_index 14 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
bd_index 3
18:47:56:729556: l2-flood
  l2-flood: sw_if_index 14 dst ff:ff:ff:ff:ff:ff src 74:da:38:0d:43:59
bd_index 3
18:47:56:729557: l2-output
  l2-output: sw_if_index 15 dst ff:ff:ff:ff:ff:ff src
74:da:38:0d:43:59 data 08 00 45 00 01 38 4b 0b 00 00 40 11
18:47:56:729557: tap-2-output
  tap-2
  IP4: 74:da:38:0d:43:59 -> ff:ff:ff:ff:ff:ff
  UDP: 192.168.3.16 -> 192.168.3.255
    tos 0x00, ttl 64, length 312, checksum 0xa64a
    fragment id 0x4b0b
  UDP: 17500 -> 17500
    length 292, checksum 0x5510
18:47:56:729581: l2-flood
  l2-flood: sw_if_index 14 dst 45:00:01:38:4b:0b src 00:00:40:11:a6:4a
bd_index 3
18:47:56:729582: ip4-input
  UDP: 192.168.3.16 -> 192.168.3.255
    tos 0x00, ttl 64, length 312, checksum 0xa64a
    fragment id 0x4b0b
  UDP: 17500 -> 17500
    length 292, checksum 0x5510
18:47:56:729583: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 13, next index 3, session -1
18:47:56:729584: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 13, next index 0, session -1
18:47:56:729586: ip4-lookup
  fib 0 dpo-idx 0 flow hash: 0x00000000
  UDP: 192.168.3.16 -> 192.168.3.255
    tos 0x00, ttl 64, length 312, checksum 0xa64a
    fragment id 0x4b0b
  UDP: 17500 -> 17500
    length 292, checksum 0x5510
18:47:56:729587: ip4-drop
    UDP: 192.168.3.16 -> 192.168.3.255
      tos 0x00, ttl 64, length 312, checksum 0xa64a
      fragment id 0x4b0b
    UDP: 17500 -> 17500
      length 292, checksum 0x5510
18:47:56:729588: error-drop
  ip4-input: ip4 adjacency drop

On Thu, Apr 19, 2018 at 11:47 PM, Andrew Yourtchenko <ayour...@gmail.com> wrote:
> Hi Carlito,
>
> What does the packet trace (as per
> https://wiki.fd.io/view/VPP/How_To_Use_The_Packet_Generator_and_Packet_Tracer)
> look like and which version of VPP are you running ?
>
> --a
>
> On 20 Apr 2018, at 05:00, Carlito Nueno <carlitonu...@gmail.com> wrote:
>
> Thanks John.
>
> Routing between VLANs is working. But I can't get the ACLs quite
> right. I am trying to block all communication between device A
> (192.168.3.16) on VLAN 3 and device B (192.168.2.181) on VLAN 2.
>
> vat# acl_add_replace ipv4 deny src 192.168.3.16/32 dst 192.168.2.181/32
> vat# acl_dump
> vl_api_acl_details_t_handler:194: acl_index: 1, count: 1
>   tag {}
>   ipv4 action 0 src 192.168.3.16/32 dst 192.168.2.181/32 proto 0
> sport 0-65535 dport 0-65535 tcpflags 0 mask 0
>
> # VLAN on subinterface GigabitEthernet0/14/0.2
> vat# acl_interface_set_acl_list sw_if_index 11 input 1 output 1
>
> # VLAN on subinterface GigabitEthernet0/14/0.3
> vat# acl_interface_set_acl_list sw_if_index 14 input 1 output 1
>
> vat# acl_interface_list_dump
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 11,
> count: 2, n_input: 1
>   input 1
>  output 1
> vl_api_acl_interface_list_details_t_handler:153: sw_if_index: 14,
> count: 2, n_input: 1
>   input 1
>  output 1
>
> I am still able to ping from 192.168.3.16 to 192.168.2.181 after above
> commands.
>
> Thanks
>
> On Thu, Apr 19, 2018 at 3:55 PM, John Lo (loj) <l...@cisco.com> wrote:
>
> One more comment - unless there are more VLAN 1 and VLAN 2 sub-interfaces
> you need to put into BDs 1 and 2, then you may just configure IP addresses
> on the sub-interfaces to route directly, as suggested by Andrew. It would be
> a lot more efficient than going through two BDs and route via BVIs.  -John
>
>
> -----Original Message-----
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of John Lo (loj)
>
> Sent: Thursday, April 19, 2018 4:48 PM
>
> To: carlito nueno <carlitonu...@gmail.com>; Andrew Yourtchenko
> <ayour...@gmail.com>
>
> Cc: vpp-dev@lists.fd.io
>
> Subject: Re: [vpp-dev] VLAN to VLAN
>
>
> The config looks correct and should work, assuming the following:
>
> 1. The devices connected to GigabitEthernet0/14/0.2 have IP addresses in the
> 192.168.2.1/24 subnet with default gateway set to that of the BVI IP address
> of 192.168.2.1.
>
> 2. The devices connected to GigabitEthernet0/14/0.3 have IP addresses in the
> 192.168.3.1/24 subnet with default gateway set to that of the BVI IP address
> of 192.168.3.1.
>
>
> One improvement is to put the BVI interfaces into their own VRF by setting
> loop0 and loop1 into a specific ip table to not use the global routing
> table.  For example, set the following before assigning IP address to loop0
> and loop1:
>
>   set int ip table loop0 4
>
>   set int ip table loop1 4
>
> This will make the routing between BD-VLANs 2 and 3 private and more secure.
>
>
> Regards,
>
> John
>
>
> -----Original Message-----
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of carlito nueno
>
> Sent: Thursday, April 19, 2018 4:15 PM
>
> To: Andrew Yourtchenko <ayour...@gmail.com>
>
> Cc: vpp-dev@lists.fd.io
>
> Subject: Re: [vpp-dev] VLAN to VLAN
>
>
> My current VLAN config:
>
>
> loopback create
>
> set int l2 bridge loop1 2 bvi
>
> set int ip address loop1 192.168.2.1/24
>
> set int state loop1 up
>
>
> create sub GigabitEthernet0/14/0 2
>
> set int l2 bridge GigabitEthernet0/14/0.2 2
>
> set int l2 tag-rewrite GigabitEthernet0/14/0.2 pop 1
>
> set int state GigabitEthernet0/14/0.2 up
>
>
>
> loopback create
>
> set int l2 bridge loop2 3 bvi
>
> set int ip address loop2 192.168.3.1/24
>
> set int state loop2 up
>
>
> create sub GigabitEthernet0/14/0 3
>
> set int l2 bridge GigabitEthernet0/14/0.3 3
>
> set int l2 tag-rewrite GigabitEthernet0/14/0.3 pop 1
>
> set int state GigabitEthernet0/14/0.3 up
>
>
>
> So this should route traffic between VLAN 2 and VLAN 3, correct?
>
>
> Thanks
>
>
> On Thu, Apr 19, 2018 at 12:52 PM, Andrew Yourtchenko <ayour...@gmail.com>
> wrote:
>
>
> hi Carlito,
>
>
> you can configure subinterfaces with tags and assign the ip addresses
>
> so the VPP does routing and then either use vnet ACLs or acl plugin to
>
> restrict the traffic.
>
>
> —a
>
>
> On 19 Apr 2018, at 21:07, Dave Barach <dbar...@cisco.com> wrote:
>
>
> Begin forwarded message:
>
>
> From: Carlito Nueno <carlitonu...@gmail.com>
>
> Date: April 19, 2018 at 9:03:51 AM HST
>
> To: dbar...@cisco.com
>
> Subject: VLAN to VLAN
>
>
> Hi Dave,
>
>
> How can I enable VLAN to VLAN communication? I want to have devices on
>
> one VLAN talk to devices on another VLAN, if possible constrain the
>
> devices by MAC or IP address.
>
>
> For example, only device with MAC (aa:aa:bb:80:90) or IP address
>
> (192.168.2.20) on VLAN 100 can talk to devices on VLAN 200
>
> (192.168.3.0/24).
>
>
> Thanks
>
>
>
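
Added example (not part of the thread and not VPP project code): a small parser for `show trace` output like the capture at the top of this message. It reports which traced packets carry a given IPv4 flow, which graph nodes each packet visited, and the recorded drop reason. The sample is Packet 8 abridged from that capture; treating any node name containing "acl" as an ACL node is an assumption.

```python
import re

# Constructed sample: "Packet 8" from the trace above, abridged to node
# headers plus the lines that carry addresses and the drop reason.
SAMPLE = """\
Packet 8

18:47:56:729547: dpdk-input
  IP4: 74:da:38:0d:43:59 -> ff:ff:ff:ff:ff:ff 802.1q vlan 3
  UDP: 192.168.3.16 -> 192.168.3.255
18:47:56:729553: l2-input
18:47:56:729554: l2-input-classify
18:47:56:729556: l2-flood
18:47:56:729582: ip4-input
  UDP: 192.168.3.16 -> 192.168.3.255
18:47:56:729583: nat44-in2out
18:47:56:729586: ip4-lookup
18:47:56:729587: ip4-drop
18:47:56:729588: error-drop
  ip4-input: ip4 adjacency drop
"""

PKT = re.compile(r"^Packet (\d+)\s*$")
NODE = re.compile(r"^\d\d:\d\d:\d\d:\d{6}: (\S+)\s*$")   # "hh:mm:ss:usec: node-name"
FLOW = re.compile(r"(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})")

def parse_trace(text):
    """Return {packet_no: {"nodes": [...], "flows": {(src, dst)}, "drop": str or None}}."""
    packets, cur = {}, None
    for line in text.splitlines():
        if m := PKT.match(line):
            cur = packets[int(m.group(1))] = {"nodes": [], "flows": set(), "drop": None}
        elif cur is None:
            continue  # text before the first "Packet N" header
        elif m := NODE.match(line):
            cur["nodes"].append(m.group(1))
        else:
            # First detail line under error-drop is the drop reason.
            if cur["nodes"][-1:] == ["error-drop"] and line.strip() and cur["drop"] is None:
                cur["drop"] = line.strip()
            if m := FLOW.search(line):
                cur["flows"].add(m.groups())
    return packets

def packets_for_flow(packets, src, dst):
    """Packet numbers whose trace shows the IPv4 pair src -> dst."""
    return sorted(n for n, p in packets.items() if (src, dst) in p["flows"])

def acl_nodes(packet):
    # Assumption: ACL graph nodes carry "acl" in their name.
    return [n for n in packet["nodes"] if "acl" in n]
```

Running `packets_for_flow` for the flow under test before reading the rest of the trace shows whether the capture contains that traffic at all.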
