John,

From your packet trace:

00:01:47:426336: ip4-input-no-checksum
  TCP: 10.8.200.1 -> 10.8.200.2
    tos 0x00, ttl 64, length 52, checksum 0x96b0
    fragment id 0x0000, flags DONT_FRAGMENT
  TCP: 80 -> 18995
    seq. 0x732f1a24 ack 0x702b5a27
    flags 0x12 SYN ACK, tcp header: 32 bytes
    window 29200, checksum 0xb6b3
00:01:47:426337: nat44-out2in
  NAT44_OUT2IN: sw_if_index 6, next index 1, session index 1

You can't use src 10.8.200.2 because packets entering wan0 are out to
in (hence nat44_out2in) and will have a src of 10.8.200.1.
Packets before nat44_out2in will have a dst of 10.8.200.2.
Hence your policer session will not work.

From your packet trace:

00:01:47:426338: loop5-output
  loop5
  IP4: de:ad:00:00:00:05 -> c0:56:27:90:3f:fc
  TCP: 10.8.200.1 -> 10.155.6.109
    tos 0x00, ttl 63, length 52, checksum 0x58b3
    fragment id 0x0000, flags DONT_FRAGMENT
  TCP: 80 -> 50051

Again, l2 src 08:25:a1:cb:40:55 won't work because packets after NAT
are leaving out of loop5 with src de:ad:00:00:00:05.

My hunch is this might work:
classify session policer-hit-next policy1 table-index 1 match l2 src de:ad:00:00:00:05
set policer classify interface loop5 l2-table 1

Hope this helps.

On Tue, Apr 16, 2019 at 8:28 PM John Pearson <johnpearson...@gmail.com> wrote:
>
> Hi all,
>
> I am using NAT44 and am trying to limit upload and download bandwidth 
> separately on wan0.
>
> setup:
> file server <--> [wan0] VPP [loop5] <--> client
>
> Info:
> file server
> ip address: 10.8.200.1
> mac: a0:36:9f:9b:e2:e2
>
> wan0
> ip addr: 10.8.200.2
> gateway: 10.8.200.1
> mac: 08:25:a1:cb:40:55
>
> loop5
> ip addr: 10.155.6.1
> mac: de:ad:00:00:00:05
>
> client
> ip addr: 10.155.6.109
> mac: c0:56:27:90:3f:fc
>
> vpp.conf
>
> set int state wan0 up
> set int ip address wan0 10.8.200.2/24
> ip route add 0.0.0.0/0 via 10.8.200.1
>
> set int state lan0 up
>
> create loopback interface instance 5
> set int l2 bridge loop5 5 bvi
> set int ip address loop5 10.155.6.1/24
> set int state loop5 up
> set int l2 bridge lan0 5
>
> nat44 add interface address wan0
> set interface nat44 in loop5 out wan0
>
> Packet trace of 2 packets: https://pastebin.com/PZLMpG1i
>
> What I tried:
>
> configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps conform-action transmit exceed-action drop
> classify table mask l3 ip4 src
> classify session policer-hit-next policy1 table-index 0 match l3 ip4 src 10.8.200.2
> set policer classify interface wan0 ip4-table 0
>
> -------------
>
> configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps conform-action transmit exceed-action drop
> classify table mask l2 src
> classify session policer-hit-next policy1 table-index 1 match l2 src 08:25:a1:cb:40:55
> set policer classify interface wan0 l2-table 0
>
> Please let me know where I am making a mistake.
>
> Thanks!
> View/Reply Online (#12802): https://lists.fd.io/g/vpp-dev/message/12802
View/Reply Online (#12820): https://lists.fd.io/g/vpp-dev/message/12820
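
Added example (not part of the original thread and not VPP code): a small Python check that parses the trace excerpts quoted in the reply above and reports at which graph nodes a candidate classify match value is actually present on the packet. The function names and the field labels ("ip4 src", "l2 src", ...) are assumptions made for this example.

```python
import re

# Trace excerpts copied from the reply above (one packet, server -> client).
TRACE = """\
00:01:47:426336: ip4-input-no-checksum
  TCP: 10.8.200.1 -> 10.8.200.2
    tos 0x00, ttl 64, length 52, checksum 0x96b0
    fragment id 0x0000, flags DONT_FRAGMENT
  TCP: 80 -> 18995
    seq. 0x732f1a24 ack 0x702b5a27
    flags 0x12 SYN ACK, tcp header: 32 bytes
    window 29200, checksum 0xb6b3
00:01:47:426337: nat44-out2in
  NAT44_OUT2IN: sw_if_index 6, next index 1, session index 1
00:01:47:426338: loop5-output
  loop5
  IP4: de:ad:00:00:00:05 -> c0:56:27:90:3f:fc
  TCP: 10.8.200.1 -> 10.155.6.109
    tos 0x00, ttl 63, length 52, checksum 0x58b3
    fragment id 0x0000, flags DONT_FRAGMENT
  TCP: 80 -> 50051
"""

NODE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)$")              # "<timestamp>: <node>"
IP_PAIR = re.compile(r"^\s+\w+: (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)$")
MAC_PAIR = re.compile(r"^\s+IP4: ([0-9a-f:]{17}) -> ([0-9a-f:]{17})$")

def parse_trace(text):
    """Return [(node_name, {field: value})] for each graph node in the trace."""
    nodes = []
    for line in text.splitlines():
        if m := NODE.match(line):
            nodes.append((m.group(1), {}))
        elif nodes and (m := IP_PAIR.match(line)):
            nodes[-1][1].update({"ip4 src": m.group(1), "ip4 dst": m.group(2)})
        elif nodes and (m := MAC_PAIR.match(line)):
            nodes[-1][1].update({"l2 src": m.group(1), "l2 dst": m.group(2)})
    return nodes

def nodes_matching(text, field, value):
    """Names of the nodes at which the packet carries `value` in `field`."""
    return [n for n, f in parse_trace(text) if f.get(field) == value.lower()]

if __name__ == "__main__":
    for field, value in [("ip4 src", "10.8.200.2"), ("l2 src", "08:25:a1:cb:40:55"),
                         ("l2 src", "de:ad:00:00:00:05")]:
        print(field, value, "->", nodes_matching(TRACE, field, value) or "never seen")
```

The check only says where a value appears in this one traced direction; whether the policer then behaves as wanted still has to be confirmed on the running VPP instance.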