John, from your packet trace:
00:01:47:426336: ip4-input-no-checksum
  TCP: 10.8.200.1 -> 10.8.200.2
    tos 0x00, ttl 64, length 52, checksum 0x96b0
    fragment id 0x0000, flags DONT_FRAGMENT
  TCP: 80 -> 18995
    seq. 0x732f1a24 ack 0x702b5a27
    flags 0x12 SYN ACK, tcp header: 32 bytes
    window 29200, checksum 0xb6b3
00:01:47:426337: nat44-out2in
  NAT44_OUT2IN: sw_if_index 6, next index 1, session index 1

You can't use src 10.8.200.2 because packets entering wan0 are out to in, hence nat44_out2in, will have src of 10.8.200.1. Packets before nat44_out2in will have dst of 10.8.200.2. Hence your policer session will not work.

From your packet trace:

00:01:47:426338: loop5-output
  loop5
  IP4: de:ad:00:00:00:05 -> c0:56:27:90:3f:fc
  TCP: 10.8.200.1 -> 10.155.6.109
    tos 0x00, ttl 63, length 52, checksum 0x58b3
    fragment id 0x0000, flags DONT_FRAGMENT
  TCP: 80 -> 50051

Again, l2 src 08:25:a1:cb:40:55 won't work because packets after NAT are leaving out of loop5 with src de:ad:00:00:00:05.

My hunch is this might work:

classify session policer-hit-next policy1 table-index 1 match l2 src de:ad:00:00:00:05
set policer classify interface loop5 l2-table 1

Hope this helps.

On Tue, Apr 16, 2019 at 8:28 PM John Pearson <johnpearson...@gmail.com> wrote:
>
> Hi all,
>
> I am using NAT44 and am trying to limit upload and download bandwidth
> separately on wan0.
>
> setup:
> file server <--> [wan0] VPP [loop5] <--> client
>
> Info:
> file server
> ip address: 10.8.200.1
> mac: a0:36:9f:9b:e2:e2
>
> wan0
> ip addr: 10.8.200.2
> gateway: 10.8.200.1
> mac: 08:25:a1:cb:40:55
>
> loop5
> ip addr: 10.155.6.1
> mac: de:ad:00:00:00:05
>
> client
> ip addr: 10.155.6.109
> mac: c0:56:27:90:3f:fc
>
> vpp.conf
>
> set int state wan0 up
> set int ip address wan0 10.8.200.2/24
> ip route add 0.0.0.0/0 via 10.8.200.1
>
> set int state lan0 up
>
> create loopback interface instance 5
> set int l2 bridge loop5 5 bvi
> set int ip address loop5 10.155.6.1/24
> set int state loop5 up
> set int l2 bridge lan0 5
>
> nat44 add interface address wan0
> set interface nat44 in loop5 out wan0
>
> Packet trace of 2 packets: https://pastebin.com/PZLMpG1i
>
> What I tried:
>
> configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps
> conform-action transmit exceed-action drop
> classify table mask l3 ip4 src
> classify session policer-hit-next policy1 table-index 0 match l3 ip4 src
> 10.8.200.2
> set policer classify interface wan0 ip4-table 0
>
> -------------
>
> configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps
> conform-action transmit exceed-action drop
> classify table mask l2 src
> classify session policer-hit-next policy1 table-index 1 match l2 src
> 08:25:a1:cb:40:55
> set policer classify interface wan0 l2-table 0
>
> Please let me know where I am making a mistake.
>
> Thanks!
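
The address comparison made by eye in the reply above, as an added example that is not part of the original thread: it parses the trace excerpts quoted there (trimmed to the node and address lines) and lists which traced nodes show each candidate match value. The function names are illustrative, and the script only reads the trace text; it makes no claim about where in the graph the policer classifier runs.

```python
import re

# Trace excerpts quoted in the reply, trimmed to node names and address lines.
TRACE = """\
00:01:47:426336: ip4-input-no-checksum
  TCP: 10.8.200.1 -> 10.8.200.2
  TCP: 80 -> 18995
00:01:47:426337: nat44-out2in
  NAT44_OUT2IN: sw_if_index 6, next index 1, session index 1
00:01:47:426338: loop5-output
  loop5
  IP4: de:ad:00:00:00:05 -> c0:56:27:90:3f:fc
  TCP: 10.8.200.1 -> 10.155.6.109
  TCP: 80 -> 50051
"""

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
NODE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)$")    # "<timestamp>: <node name>"
L3_RE = re.compile(rf"^\s+\w+: ({IP}) -> ({IP})$")      # "TCP: <ip src> -> <ip dst>"
L2_RE = re.compile(rf"^\s+IP4: ({MAC}) -> ({MAC})$")    # "IP4: <mac src> -> <mac dst>"

def parse_trace(text):
    """Return [(node, fields)]; fields holds the l2/l3 src and dst printed under that node."""
    nodes = []
    for line in text.splitlines():
        if m := NODE_RE.match(line):
            nodes.append((m.group(1), {}))
        elif nodes and (m := L3_RE.match(line)):
            nodes[-1][1].update({"l3 ip4 src": m.group(1), "l3 ip4 dst": m.group(2)})
        elif nodes and (m := L2_RE.match(line)):
            nodes[-1][1].update({"l2 src": m.group(1), "l2 dst": m.group(2)})
    return nodes

def nodes_matching(nodes, field, value):
    """Names of traced nodes whose recorded header field equals value."""
    return [name for name, fields in nodes if fields.get(field) == value]

if __name__ == "__main__":
    nodes = parse_trace(TRACE)
    # The two match values from the question, then the one suggested in the reply.
    for field, value in [("l3 ip4 src", "10.8.200.2"),
                         ("l2 src", "08:25:a1:cb:40:55"),
                         ("l2 src", "de:ad:00:00:00:05")]:
        hits = nodes_matching(nodes, field, value)
        print(f"match {field} {value}: {', '.join(hits) or 'not seen in trace'}")
```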