Difference between revisions of "VPP/Progressive VPP Tutorial"
(→Action: Create vpp instance) |
(→Source NAT) |
||
Line 948: | Line 948: | ||
== Source NAT == | == Source NAT == | ||
+ | |||
+ | === Skills to be Learned === | ||
+ | |||
+ | # Abusing networks namespaces for fun and profit | ||
+ | # Configuring snat address | ||
+ | # Configuring snat inside and outside interfaces | ||
+ | |||
+ | === vpp command learned in this exercise === | ||
+ | # [https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_snat_add_interface_address snat add interface address] | ||
+ | # [https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_set_interface_snat set interface snat] | ||
=== Initial state === | === Initial state === |
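Review bot: in the added "Skills to be Learned" list, "Abusing networks namespaces" should read "network namespaces". The new "=== vpp command learned in this exercise ===" heading is also followed directly by its list, while "=== Skills to be Learned ===" leaves a blank line before its list; use the same spacing for both.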
Revision as of 16:36, 31 January 2017
Contents
- 1 Exercise: Setting up your environment
- 2 Exercise: Install vpp
- 3 Exercise: vpp basics
- 4 Exercise: Create an Interface
- 4.1 Skills to be Learned
- 4.2 vpp command learned in this exercise
- 4.3 Initial State
- 4.4 Action: Create veth interfaces on host
- 4.5 Action: Create vpp host- interface
- 4.6 Action: Add trace
- 4.7 Action: Ping from host to vpp
- 4.8 Action: Examine Trace of ping from host to vpp
- 4.9 Action: Clear trace buffer
- 4.10 Action: ping from vpp to host
- 4.11 Action: Examine Trace of ping from vpp to host
- 4.12 Action: Examine arp tables
- 4.13 Action: Examine routing table
- 5 Exercise: Connecting two vpp instances
- 5.1 Skills to be Learned
- 5.2 Initial state
- 5.3 Running a second vpp instances
- 5.4 Create veth interface on host to connect the two vpp instances
- 5.5 Create vpp host interfaces
- 5.6 Running a second vpp instances
- 5.7 Create veth interface on host to connect the two vpp instances
- 5.8 Create vpp host interfaces
- 5.9 Ping from vpp1 to vpp2
- 6 Exercise: Routing
- 7 Exercise: Switching
- 7.1 Skills to be Learned
- 7.2 vpp command learned in this exercise
- 7.3 Initial state
- 7.4 Action: Run vpp instances
- 7.5 Action: Connect vpp1 to host
- 7.6 Action: Connect vpp1 to vpp2
- 7.7 Action: Configure Bridge Domain on vpp1
- 7.8 Action: Configure loopback interface on vpp2
- 7.9 Action: Configure bridge domain on vpp2
- 7.10 Action: Ping from host to vpp and vpp to host
- 7.11 Action: Examine l2 fib
- 8 Source NAT
- 8.1 Skills to be Learned
- 8.2 vpp command learned in this exercise
- 8.3 Initial state
- 8.4 Action: Install vpp-plugins
- 8.5 Action: Create vpp instance
- 8.6 Action: Create veth interfaces
- 8.7 Action: Configure vpp outside interface
- 8.8 Action: Configure snat
- 8.9 Action: Prepare to Observe Snat
- 8.10 Action: Ping via snat
- 8.11 Action: Confirm snat
Exercise: Setting up your environment
All of these exercises are designed to be performed on an Ubuntu 16.04 (Xenial) box.
If you have an Ubuntu 16.04 box on which you have sudo, feel free to use that.
If you do not, a Vagrantfile is provided to set up a basic Ubuntu 16.04 box for you.
Vagrant Set up
Action: Install Virtualbox
If you do not already have virtualbox on your laptop (or if it is not up to date), please download and install it:
https://www.virtualbox.org/wiki/Downloads
Action: Install Vagrant
If you do not already have Vagrant on your laptop (or if it is not up to date), please download it:
https://www.vagrantup.com/downloads.html
Action: Create a Vagrant Directory
Create a directory on your laptop:
mkdir fdio-tutorial
cd fdio-tutorial/
Create a Vagrantfile containing:
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure(2) do |config|
  config.vm.box = "puppetlabs/ubuntu-16.04-64-nocm"
  config.vm.box_check_update = false

  vmcpu=(ENV['VPP_VAGRANT_VMCPU'] || 2)
  vmram=(ENV['VPP_VAGRANT_VMRAM'] || 4096)

  config.ssh.forward_agent = true

  config.vm.provider "virtualbox" do |vb|
      vb.customize ["modifyvm", :id, "--ioapic", "on"]
      vb.memory = "#{vmram}"
      vb.cpus = "#{vmcpu}"
      #support for the SSE4.x instruction is required in some versions of VB.
      vb.customize ["setextradata", :id, "VBoxInternal/CPUM/SSE4.1", "1"]
      vb.customize ["setextradata", :id, "VBoxInternal/CPUM/SSE4.2", "1"]
  end
end
Action: Vagrant Up
Bring up your Vagrant VM:
vagrant up
Action: ssh to Vagrant VM
vagrant ssh
Exercise: Install vpp
Skills to be learned
- Learn how to install vpp binary packages using apt-get.
Note: This tutorial is using a special packaging of vpp called vpp_lite that allows you to run multiple vpp processes simultaneously. We will be building topologies of these vpp processes to allow us to perform labs which require multiple instances of 'routers' or 'switches'. Because of this, we will be getting our vpp packages from a slightly non-standard apt repository.
The installation mechanism is very similar to the standard Install VPP from Binary Packages instructions.
Action: Add key for apt repo
curl -L https://packagecloud.io/fdio/tutorial/gpgkey | sudo apt-key add -
Action: Add repo to apt sources.list.d
With your favorite text editor (and sudo), create a file:
/etc/apt/sources.list.d/fdio_tutorial.list
containing
deb https://packagecloud.io/fdio/tutorial/ubuntu/ xenial main
deb-src https://packagecloud.io/fdio/tutorial/ubuntu/ xenial main
Action: apt-get install vpp
Run
sudo apt-get update
sudo apt-get install vpp
Exercise: vpp basics
Skills to be Learned
By the end of the exercise you should be able to:
- Run a vpp instance in a mode which allows multiple vpp processes to run
- Issue vpp commands from the unix shell
- Run a vpp shell and issue it commands
vpp command learned in this exercise
Action: Run vpp
vpp runs in userspace. In a production environment you will often run it with DPDK to connect to real NICs or vhost to connect to VMs. In those circumstances you usually run a single instance of vpp.
For purposes of this tutorial, it is going to be extremely useful to run multiple instances of vpp, and connect them to each other to form a topology. Fortunately, vpp supports this.
When running multiple vpp instances, each instance must be given a 'name' or 'prefix'. In the example below, the 'name' or 'prefix' is "vpp1":
sudo vpp api-segment { prefix vpp1 }
Example Output:
unix_physmem_init: use huge pages
vlib_plugin_early_init:230: plugin path /usr/lib/vpp_plugins
0: api_main_init:52: vam 6acb60
Action: Using vppctl to send commands to vpp
You can send vpp commands with a utility called vppctl.
When running vppctl against a named version of vpp, you will need to run:
sudo vppctl -p ${name} ${cmd}
So to run 'show ver' against the vpp instance named vpp1 you would run:
sudo vppctl -p vpp1 show ver
Output:
vpp v17.04-rc0~177-g006eb47 built by ubuntu on fdio-ubuntu1604-sevt at Mon Jan 30 18:30:12 UTC 2017
Action: Using vppctl to start a vpp shell
You can also use vppctl to launch a vpp shell with which you can run multiple vpp commands interactively by running:
sudo vppctl -p ${name}
which will give you a command prompt.
Try doing show ver that way:
sudo vppctl -p vpp1
vpp1# show ver
Output:
vpp v17.04-rc0~177-g006eb47 built by ubuntu on fdio-ubuntu1604-sevt at Mon Jan 30 18:30:12 UTC 2017
vpp1#
Exercise: Create an Interface
Skills to be Learned
- Create a veth interface in Linux host
- Assign an IP address to one end of the veth interface in the Linux host
- Create a vpp host-interface that is connected to one end of a veth interface via AF_PACKET
- Add an ip address to a vpp interface
- Setup a 'trace'
- View a 'trace'
- Clear a 'trace'
- Verify using ping from host
- Ping from vpp
- Examine Arp Table
- Examine ip fib
vpp command learned in this exercise
- create host-interface
- set int state
- set int ip address
- show hardware
- show int
- show int addr
- trace add
- clear trace
- ping
- show ip arp
- show ip fib
Initial State
The initial state here is presumed to be the final state from the exercise VPP Basics
Action: Create veth interfaces on host
In Linux, there is a type of interface called 'veth'. Think of a 'veth' interface as being an interface that has two ends to it (rather than one).
Create a veth interface with one end named vpp1out and the other named vpp1host:
sudo ip link add name vpp1out type veth peer name vpp1host
Turn up both ends:
sudo ip link set dev vpp1out up
sudo ip link set dev vpp1host up
Assign an IP address
sudo ip addr add 10.10.1.1/24 dev vpp1host
Display the result:
sudo ip addr show vpp1host
Example Output:
10: vpp1host@vpp1out: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 5e:97:e3:41:aa:b8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.1/24 scope global vpp1host
       valid_lft forever preferred_lft forever
    inet6 fe80::5c97:e3ff:fe41:aab8/64 scope link
       valid_lft forever preferred_lft forever
Action: Create vpp host- interface
Create a host interface attached to vpp1out.
sudo vppctl -p vpp1 create host-interface name vpp1out
Output:
host-vpp1out
Confirm the interface:
sudo vppctl -p vpp1 show hardware
Example Output:
              Name                Idx   Link  Hardware
host-vpp1out                       1     up   host-vpp1out
  Ethernet address 02:fe:48:ec:d5:a7
  Linux PACKET socket interface
local0                             0    down  local0
  local
Turn up the interface:
sudo vppctl -p vpp1 set int state host-vpp1out up
Confirm the interface is up:
sudo vppctl -p vpp1 show int
              Name               Idx       State          Counter          Count
host-vpp1out                      1         up
local0                            0        down
Assign ip address 10.10.1.2/24
sudo vppctl -p vpp1 set int ip address host-vpp1out 10.10.1.2/24
Confirm the ip address is assigned:
sudo vppctl -p vpp1 show int addr
host-vpp1out (up):
  10.10.1.2/24
local0 (dn):
Action: Add trace
sudo vppctl -p vpp1 trace add af-packet-input 10
Action: Ping from host to vpp
ping -c 1 10.10.1.2
PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
64 bytes from 10.10.1.2: icmp_seq=1 ttl=64 time=0.557 ms

--- 10.10.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.557/0.557/0.557/0.000 ms
Action: Examine Trace of ping from host to vpp
sudo vppctl -p vpp1 show trace
------------------- Start of thread 0 vpp_main -------------------
Packet 1

00:09:30:397798: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 42 snaplen 42 mac 66 net 80
      sec 0x588fd3ac nsec 0x375abde7 vlan 0 vlan_tpid 0
00:09:30:397906: ethernet-input
  ARP: fa:13:55:ac:d9:50 -> ff:ff:ff:ff:ff:ff
00:09:30:397912: arp-input
  request, type ethernet/IP4, address size 6/4
  fa:13:55:ac:d9:50/10.10.1.1 -> 00:00:00:00:00:00/10.10.1.2
00:09:30:398191: host-vpp1out-output
  host-vpp1out
  ARP: 02:fe:48:ec:d5:a7 -> fa:13:55:ac:d9:50
  reply, type ethernet/IP4, address size 6/4
  02:fe:48:ec:d5:a7/10.10.1.2 -> fa:13:55:ac:d9:50/10.10.1.1

Packet 2

00:09:30:398227: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x588fd3ac nsec 0x37615060 vlan 0 vlan_tpid 0
00:09:30:398295: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:09:30:398298: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x9b46
    fragment id 0x894c, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x83c
00:09:30:398300: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x9b46
    fragment id 0x894c, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x83c
00:09:30:398303: ip4-local
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x9b46
    fragment id 0x894c, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x83c
00:09:30:398305: ip4-icmp-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x9b46
    fragment id 0x894c, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x83c
00:09:30:398307: ip4-icmp-echo-request
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x9b46
    fragment id 0x894c, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x83c
00:09:30:398317: ip4-load-balance
  fib 0 dpo-idx 10 flow hash: 0x0000000e
  ICMP: 10.10.1.2 -> 10.10.1.1
    tos 0x00, ttl 64, length 84, checksum 0xbef3
    fragment id 0x659f, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x103c
00:09:30:398318: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 2 : ipv4 via 10.10.1.1 host-vpp1out: IP4: 02:fe:48:ec:d5:a7 -> fa:13:55:ac:d9:50 flow hash: 0x00000000
  IP4: 02:fe:48:ec:d5:a7 -> fa:13:55:ac:d9:50
  ICMP: 10.10.1.2 -> 10.10.1.1
    tos 0x00, ttl 64, length 84, checksum 0xbef3
    fragment id 0x659f, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x103c
00:09:30:398320: host-vpp1out-output
  host-vpp1out
  IP4: 02:fe:48:ec:d5:a7 -> fa:13:55:ac:d9:50
  ICMP: 10.10.1.2 -> 10.10.1.1
    tos 0x00, ttl 64, length 84, checksum 0xbef3
    fragment id 0x659f, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x103c
Action: Clear trace buffer
sudo vppctl -p vpp1 clear trace
Action: ping from vpp to host
sudo vppctl -p vpp1 ping 10.10.1.1
64 bytes from 10.10.1.1: icmp_seq=1 ttl=64 time=.0865 ms
64 bytes from 10.10.1.1: icmp_seq=2 ttl=64 time=.0914 ms
64 bytes from 10.10.1.1: icmp_seq=3 ttl=64 time=.0943 ms
64 bytes from 10.10.1.1: icmp_seq=4 ttl=64 time=.0959 ms
64 bytes from 10.10.1.1: icmp_seq=5 ttl=64 time=.0858 ms

Statistics: 5 sent, 5 received, 0% packet loss
Action: Examine Trace of ping from vpp to host
sudo vppctl -p vpp1 show trace
------------------- Start of thread 0 vpp_main -------------------
Packet 1

00:12:47:155326: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x588fd471 nsec 0x161c61ad vlan 0 vlan_tpid 0
00:12:47:155331: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:47:155334: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2604
    fragment id 0x3e8f
  ICMP echo_reply checksum 0x1a83
00:12:47:155335: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2604
    fragment id 0x3e8f
  ICMP echo_reply checksum 0x1a83
00:12:47:155336: ip4-local
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2604
    fragment id 0x3e8f
  ICMP echo_reply checksum 0x1a83
00:12:47:155339: ip4-icmp-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2604
    fragment id 0x3e8f
  ICMP echo_reply checksum 0x1a83
00:12:47:155342: ip4-icmp-echo-reply
  ICMP echo id 17572 seq 1
00:12:47:155349: error-drop
  ip4-icmp-input: unknown type

Packet 2

00:12:48:155330: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x588fd472 nsec 0x1603e95b vlan 0 vlan_tpid 0
00:12:48:155337: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:48:155341: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2565
    fragment id 0x3f2e
  ICMP echo_reply checksum 0x7405
00:12:48:155343: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2565
    fragment id 0x3f2e
  ICMP echo_reply checksum 0x7405
00:12:48:155344: ip4-local
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2565
    fragment id 0x3f2e
  ICMP echo_reply checksum 0x7405
00:12:48:155346: ip4-icmp-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2565
    fragment id 0x3f2e
  ICMP echo_reply checksum 0x7405
00:12:48:155348: ip4-icmp-echo-reply
  ICMP echo id 17572 seq 2
00:12:48:155351: error-drop
  ip4-icmp-input: unknown type

Packet 3

00:12:49:155331: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x588fd473 nsec 0x15eb77ef vlan 0 vlan_tpid 0
00:12:49:155337: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:49:155341: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x249e
    fragment id 0x3ff5
  ICMP echo_reply checksum 0xf446
00:12:49:155343: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x249e
    fragment id 0x3ff5
  ICMP echo_reply checksum 0xf446
00:12:49:155345: ip4-local
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x249e
    fragment id 0x3ff5
  ICMP echo_reply checksum 0xf446
00:12:49:155349: ip4-icmp-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x249e
    fragment id 0x3ff5
  ICMP echo_reply checksum 0xf446
00:12:49:155350: ip4-icmp-echo-reply
  ICMP echo id 17572 seq 3
00:12:49:155354: error-drop
  ip4-icmp-input: unknown type

Packet 4

00:12:50:155335: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x588fd474 nsec 0x15d2ffb6 vlan 0 vlan_tpid 0
00:12:50:155341: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:50:155346: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2437
    fragment id 0x405c
  ICMP echo_reply checksum 0x5b6e
00:12:50:155347: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2437
    fragment id 0x405c
  ICMP echo_reply checksum 0x5b6e
00:12:50:155350: ip4-local
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2437
    fragment id 0x405c
  ICMP echo_reply checksum 0x5b6e
00:12:50:155351: ip4-icmp-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x2437
    fragment id 0x405c
  ICMP echo_reply checksum 0x5b6e
00:12:50:155353: ip4-icmp-echo-reply
  ICMP echo id 17572 seq 4
00:12:50:155356: error-drop
  ip4-icmp-input: unknown type

Packet 5

00:12:51:155324: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x588fd475 nsec 0x15ba8726 vlan 0 vlan_tpid 0
00:12:51:155331: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:51:155335: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x23cc
    fragment id 0x40c7
  ICMP echo_reply checksum 0xedb3
00:12:51:155337: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x23cc
    fragment id 0x40c7
  ICMP echo_reply checksum 0xedb3
00:12:51:155338: ip4-local
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x23cc
    fragment id 0x40c7
  ICMP echo_reply checksum 0xedb3
00:12:51:155341: ip4-icmp-input
  ICMP: 10.10.1.1 -> 10.10.1.2
    tos 0x00, ttl 64, length 84, checksum 0x23cc
    fragment id 0x40c7
  ICMP echo_reply checksum 0xedb3
00:12:51:155343: ip4-icmp-echo-reply
  ICMP echo id 17572 seq 5
00:12:51:155346: error-drop
  ip4-icmp-input: unknown type

Packet 6

00:12:52:175185: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 42 snaplen 42 mac 66 net 80
      sec 0x588fd476 nsec 0x16d05dd0 vlan 0 vlan_tpid 0
00:12:52:175195: ethernet-input
  ARP: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:52:175200: arp-input
  request, type ethernet/IP4, address size 6/4
  fa:13:55:ac:d9:50/10.10.1.1 -> 00:00:00:00:00:00/10.10.1.2
00:12:52:175214: host-vpp1out-output
  host-vpp1out
  ARP: 02:fe:48:ec:d5:a7 -> fa:13:55:ac:d9:50
  reply, type ethernet/IP4, address size 6/4
  02:fe:48:ec:d5:a7/10.10.1.2 -> fa:13:55:ac:d9:50/10.10.1.1
After examining the trace, clear it again.
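Long traces like the two above are easier to read as one line per packet. The following is an added example, not part of the original tutorial: it condenses `show trace` output into the graph-node path each packet took and appends the reason when the path ends in error-drop. The function names and the abbreviated sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the tutorial: condense `show trace` output to one
# line per packet so the node path and any drop reason are visible at a glance.

# Reads trace text on stdin; prints "<packet>: node -> node ... [drop reason]".
trace_paths() {
    awk '
        function emit() {
            if (pkt == "") return
            line = pkt ": " path
            if (reason != "") line = line " [" reason "]"
            print line
        }
        /^Packet [0-9]+/ { emit(); pkt = $2; path = ""; last = ""; reason = ""; next }
        # Node lines look like "00:12:47:155349: error-drop".
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9]+: / {
            last = $2
            path = (path == "") ? last : (path " -> " last)
            next
        }
        # First indented line under error-drop carries the drop reason.
        last == "error-drop" && reason == "" && NF > 0 {
            sub(/^[ \t]+/, ""); reason = $0
        }
        END { emit() }
    '
}

# Reads trace text on stdin; prints how many times the error-drop node was hit.
count_drops() {
    awk '/^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9]+: / && $2 == "error-drop" { n++ }
         END { print n + 0 }'
}

# Constructed sample, abbreviated from the trace format shown in this exercise.
SAMPLE_TRACE='------------------- Start of thread 0 vpp_main -------------------
Packet 1

00:12:47:155326: af-packet-input
  af_packet: hw_if_index 1 next-index 4
00:12:47:155331: ethernet-input
  IP4: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:47:155334: ip4-input
  ICMP: 10.10.1.1 -> 10.10.1.2
00:12:47:155342: ip4-icmp-echo-reply
  ICMP echo id 17572 seq 1
00:12:47:155349: error-drop
  ip4-icmp-input: unknown type

Packet 2

00:12:52:175185: af-packet-input
  af_packet: hw_if_index 1 next-index 4
00:12:52:175195: ethernet-input
  ARP: fa:13:55:ac:d9:50 -> 02:fe:48:ec:d5:a7
00:12:52:175200: arp-input
  request, type ethernet/IP4, address size 6/4
00:12:52:175214: host-vpp1out-output
  host-vpp1out'

# Live use: sudo vppctl -p vpp1 show trace | trace_paths
printf '%s\n' "$SAMPLE_TRACE" | trace_paths
```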
Action: Examine arp tables
sudo vppctl -p vpp1 show ip arp
    Time      IP4         Flags      Ethernet           Interface
  570.4092  10.10.1.1       D    fa:13:55:ac:d9:50   host-vpp1out
Action: Examine routing table
sudo vppctl -p vpp1 show ip fib
ipv4-VRF:0, fib_index 0, flow hash: src dst sport dport proto
0.0.0.0/0
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:0 buckets:1 uRPF:0 to:[0:0]]
    [0] [@0]: dpo-drop ip4
0.0.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:1 buckets:1 uRPF:1 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.10.1.1/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:10 buckets:1 uRPF:9 to:[5:420] via:[1:84]]
    [0] [@5]: ipv4 via 10.10.1.1 host-vpp1out: IP4: 02:fe:48:ec:d5:a7 -> fa:13:55:ac:d9:50
10.10.1.0/24
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:8 buckets:1 uRPF:7 to:[0:0]]
    [0] [@4]: ipv4-glean: host-vpp1out
10.10.1.2/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:9 buckets:1 uRPF:8 to:[6:504]]
    [0] [@2]: dpo-receive: 10.10.1.2 on host-vpp1out
224.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:3 buckets:1 uRPF:3 to:[0:0]]
    [0] [@0]: dpo-drop ip4
240.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:2 buckets:1 uRPF:2 to:[0:0]]
    [0] [@0]: dpo-drop ip4
255.255.255.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [index:4 buckets:1 uRPF:4 to:[0:0]]
    [0] [@0]: dpo-drop ip4
Exercise: Connecting two vpp instances
Skills to be Learned
You should be able to perform this exercise with the following skills learned in previous exercises:
- Create a veth interface in Linux host
- Create a vpp host-interface that is connected to one end of a veth interface via AF_PACKET
- Add an ip address to a vpp interface
- Ping from vpp
Initial state
The initial state here is presumed to be the final state from the exercise Create an Interface
Running a second vpp instances
You should already have a vpp instance running named: vpp1.
Run a second vpp instance named: vpp2.
Create veth interface on host to connect the two vpp instances
Create a veth interface on the Linux host with one end named vpp1vpp2 and the other named vpp2vpp1.
Don't assign an ip address to either end on the host.
Create vpp host interfaces
Create a host interface on vpp1 connected to vpp1vpp2. Assign it the address 10.10.2.1/24
Create a host interface on vpp2 connected to vpp2vpp1. Assign it the address 10.10.2.2/24
Running a second vpp instances
Run a second instance of vpp named vpp2.
Create veth interface on host to connect the two vpp instances
Using skills from the previous exercise, create a veth interface on the host with one end named vpp1vpp2 and the other named vpp2vpp1. Don't assign an ip address to either end on the host.
Create vpp host interfaces
Using skills from the previous exercise, create a host interface on vpp1 connected to vpp1vpp2. Assign it the address 10.10.2.1/30.
Using skills from the previous exercise, create a host interface on vpp2 connected to vpp2vpp1. Assign it the address 10.10.2.2/30.
Ping from vpp1 to vpp2
Ping 10.10.2.2 from vpp1
Ping 10.10.2.1 from vpp2
Exercise: Routing
Skills to be Learned
In this exercise you will learn these new skills:
- Add route to Linux Host routing table
- Add route to vpp routing table
And revisit the old ones:
- Examine vpp routing table
- Enable trace on vpp1 and vpp2
- ping from host to vpp
- Examine and clear trace on vpp1 and vpp2
- ping from vpp to host
- Examine and clear trace on vpp1 and vpp2
vpp command learned in this exercise
Initial State
The initial state here is presumed to be the final state from the exercise Connecting two vpp instances
Action: Setup host route
sudo ip route add 10.10.2.0/24 via 10.10.1.2
ip route
default via 10.0.2.2 dev enp0s3
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
10.10.1.0/24 dev vpp1host proto kernel scope link src 10.10.1.1
10.10.2.0/24 via 10.10.1.2 dev vpp1host
Setup return route on vpp2
sudo vppctl -p vpp2 ip route add 10.10.1.0/24 via 10.10.2.1
Ping from host through vpp1 to vpp2
- Setup a trace on vpp1 and vpp2
- Ping 10.10.2.2 from the host
- Examine the trace on vpp1 and vpp2
- Clear the trace on vpp1 and vpp2
Ping from vpp2 through vpp1 to host
- Setup the trace on vpp1 and vpp2
- Ping 10.10.1.1 from vpp2
- Examine the trace on vpp1 and vpp2
- Clear the trace on vpp1 and vpp2
Exercise: Switching
Skills to be Learned
- Associate an interface with a bridge domain
- Create a loopback interface
- Create a BVI (Bridge Virtual Interface) for a bridge domain
- Examine a bridge domain
vpp command learned in this exercise
Initial state
Unlike previous exercises, for this one you want to start tabula rasa.
Note: You will lose all your existing config in your vpp instances!
To clear existing config from previous exercises run:
ps -ef | grep vpp | awk '{print $2}'| xargs sudo kill
sudo ip link del dev vpp1host
sudo ip link del dev vpp1vpp2
Action: Run vpp instances
- Run a vpp instance named vpp1
- Run a vpp instance named vpp2
Action: Connect vpp1 to host
- Create a veth with one end named vpp1host and the other named vpp1out.
- Connect vpp1out to vpp1
- Add ip address 10.10.1.1/24 on vpp1host
Action: Connect vpp1 to vpp2
- Create a veth with one end named vpp1vpp2 and the other named vpp2vpp1.
- Connect vpp1vpp2 to vpp1.
- Connect vpp2vpp1 to vpp2.
Action: Configure Bridge Domain on vpp1
Check to see what bridge domains already exist, and select the first bridge domain number not in use:
sudo vppctl -p vpp1 show bridge-domain
  ID   Index   Learning   U-Forwrd   UU-Flood   Flooding   ARP-Term     BVI-Intf
  0      0        off        off        off        off        off        local0
In the example above, there is bridge domain ID '0' already, so we will create bridge domain 1.
Add host-vpp1out to bridge domain ID 1
sudo vppctl -p vpp1 set interface l2 bridge host-vpp1out 1
Add host-vpp1vpp2 to bridge domain ID 1
sudo vppctl -p vpp1 set int l2 bridge host-vpp1vpp2 1
Examine bridge domain 1:
sudo vppctl -p vpp1 show bridge-domain 1 detail
  ID   Index   Learning   U-Forwrd   UU-Flood   Flooding   ARP-Term     BVI-Intf
  1      1        on         on         on         on         off          N/A

   Interface     Index  SHG  BVI  TxFlood  VLAN-Tag-Rewrite
 host-vpp1out      1     0    -      *          none
 host-vpp1vpp2     2     0    -      *          none
Action: Configure loopback interface on vpp2
sudo vppctl -p vpp2 create loopback interface
loop0
Add the ip address 10.10.1.2/24 to vpp2 interface loop0. Set the state of interface loop0 on vpp2 to 'up'
Action: Configure bridge domain on vpp2
Check to see the first available bridge domain ID (it will be 1 in this case)
Add interface loop0 as a bvi interface to bridge domain 1
sudo vppctl -p vpp2 set int l2 bridge loop0 1 bvi
Add interface vpp2vpp1 to bridge domain 1
sudo vppctl -p vpp2 set int l2 bridge host-vpp2vpp1 1
Examine the bridge domain and interfaces.
Action: Ping from host to vpp and vpp to host
- Add trace on vpp1 and vpp2
- ping from host to 10.10.1.2
- Examine and clear trace on vpp1 and vpp2
- ping from vpp2 to 10.10.1.1
- Examine and clear trace on vpp1 and vpp2
Action: Examine l2 fib
sudo vppctl -p vpp1 show l2fib verbose
    Mac Address     BD Idx    Interface      Index  static  filter  bvi  Mac Age (min)
 de:ad:00:00:00:00    1     host-vpp1vpp2      2       0       0     0     disabled
 c2:f6:88:31:7b:8e    1     host-vpp1out       1       0       0     0     disabled
2 l2fib entries
sudo vppctl -p vpp2 show l2fib verbose
    Mac Address     BD Idx    Interface      Index  static  filter  bvi  Mac Age (min)
 de:ad:00:00:00:00    1     loop0              2       1       0     1     disabled
 c2:f6:88:31:7b:8e    1     host-vpp2vpp1      1       0       0     0     disabled
2 l2fib entries
Source NAT
Skills to be Learned
- Abusing network namespaces for fun and profit
- Configuring snat address
- Configuring snat inside and outside interfaces
vpp command learned in this exercise
Initial state
Unlike previous exercises, for this one you want to start tabula rasa.
Note: You will lose all your existing config in your vpp instances!
To clear existing config from previous exercises run:
ps -ef | grep vpp | awk '{print $2}'| xargs sudo kill
sudo ip link del dev vpp1host
sudo ip link del dev vpp1vpp2
Action: Install vpp-plugins
Snat is supported by a plugin, so vpp-plugins need to be installed
sudo apt-get install vpp-plugins
Action: Create vpp instance
Create one vpp instance named vpp1.
Confirm snat plugin is present:
sudo vppctl -p vpp1 show plugins
Plugin path is: /usr/lib/vpp_plugins
Plugins loaded:
  1.ioam_plugin.so
  2.ila_plugin.so
  3.acl_plugin.so
  4.flowperpkt_plugin.so
  5.snat_plugin.so
  6.libsixrd_plugin.so
  7.lb_plugin.so
Action: Create veth interfaces
- Create a veth interface with one end named vpp1outside and the other named vpp1outsidehost
- Assign IP address 10.10.1.1/24 to vpp1outsidehost
- Create a veth interface with one end named vpp1inside and the other named vpp1insidehost
- Assign IP address 10.10.2.1/24 to vpp1insidehost
Because we'd like to be able to route *via* our vpp instance to an interface on the same host, we are going to put vpp1insidehost into a network namespace
Create a new network namespace 'inside'
sudo ip netns add inside
Move interface vpp1insidehost into the 'inside' namespace:
sudo ip link set dev vpp1insidehost up netns inside
Assign an ip address to vpp1insidehost
sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost
Create a route inside the netns:
sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2
Action: Configure vpp outside interface
- Create a vpp host interface connected to vpp1outside
- Assign ip address 10.10.1.2/24
- Create a vpp host interface connected to vpp1inside
- Assign ip address 10.10.2.2/24
Action: Configure snat
Configure snat to use the address of host-vpp1outside
sudo vppctl -p vpp1 snat add interface address host-vpp1outside
Configure snat inside and outside interfaces
sudo vppctl -p vpp1 set interface snat in host-vpp1inside out host-vpp1outside
Action: Prepare to Observe Snat
Observing snat in this configuration is interesting. To do so, vagrant ssh a second time into your VM and run:
sudo tcpdump -s 0 -i vpp1outsidehost
Also enable tracing on vpp1
Action: Ping via snat
sudo ip netns exec inside ping -c 1 10.10.1.1
Action: Confirm snat
Examine the tcpdump output and vpp1 trace to confirm snat occurred.
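One way to make this confirmation mechanical, as an added example that is not part of the original tutorial: the check below reads tcpdump text output captured on vpp1outsidehost and fails if any packet still carries an address from the inside subnet 10.10.2.0/24, passing only when traffic is sourced from the snat address 10.10.1.2. It assumes tcpdump was run with -n so addresses are numeric; the function name, the prefix-string matching and both sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the tutorial: confirm from a capture on the
# outside veth that snat rewrote the inside source address.

INSIDE_PREFIX="10.10.2."   # inside subnet 10.10.2.0/24 from this exercise
SNAT_ADDR="10.10.1.2"      # address of host-vpp1outside used as the snat address

# Usage: tcpdump -n ... | check_snat <inside-prefix> <snat-address>
# Prints one verdict line. Exit status: 0 = translated, 1 = inside address
# seen on the outside link, 2 = capture does not confirm anything.
check_snat() {
    awk -v inside="$1" -v snat="$2" '
        # Drop a trailing ":" and any ".port" suffix tcpdump appends for TCP/UDP.
        function addr(s,   p, n) {
            sub(/:$/, "", s)
            n = split(s, p, ".")
            return (n >= 4) ? (p[1] "." p[2] "." p[3] "." p[4]) : s
        }
        $2 == "IP" && $4 == ">" {
            seen++
            src = addr($3); dst = addr($5)
            if (index(src, inside) == 1 || index(dst, inside) == 1) leaked++
            else if (src == snat) translated++
        }
        END {
            if (seen == 0) { print "inconclusive: no IPv4 packets in capture"; exit 2 }
            if (leaked > 0) { print "FAIL: " leaked " packet(s) carry an inside address"; exit 1 }
            if (translated == 0) { print "inconclusive: nothing sourced from " snat; exit 2 }
            print "OK: " translated " packet(s) sourced from " snat ", no inside addresses"
        }
    '
}

# Constructed capture: what the outside link should show when snat is working.
GOOD_CAPTURE='16:40:01.100101 ARP, Request who-has 10.10.1.1 tell 10.10.1.2, length 28
16:40:01.100130 ARP, Reply 10.10.1.1 is-at 5e:97:e3:41:aa:b8, length 28
16:40:01.100412 IP 10.10.1.2 > 10.10.1.1: ICMP echo request, id 3121, seq 1, length 64
16:40:01.100440 IP 10.10.1.1 > 10.10.1.2: ICMP echo reply, id 3121, seq 1, length 64'

# Constructed capture: packets routed without translation, one ICMP and one TCP.
LEAK_CAPTURE='16:40:01.100412 IP 10.10.2.1 > 10.10.1.1: ICMP echo request, id 3121, seq 1, length 64
16:40:02.200001 IP 10.10.2.1.43210 > 10.10.1.1.80: Flags [S], seq 1, win 29200, length 0'

# Live use: sudo tcpdump -n -c 10 -i vpp1outsidehost | check_snat "$INSIDE_PREFIX" "$SNAT_ADDR"
printf '%s\n' "$GOOD_CAPTURE" | check_snat "$INSIDE_PREFIX" "$SNAT_ADDR" || echo "exit status $?"
printf '%s\n' "$LEAK_CAPTURE" | check_snat "$INSIDE_PREFIX" "$SNAT_ADDR" || echo "exit status $?"
```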