 release_notes.asciidoc (-rwxr-xr-x) |   7
 trex_book.asciidoc     (-rwxr-xr-x) | 209
 2 files changed, 215 insertions, 1 deletions
diff --git a/release_notes.asciidoc b/release_notes.asciidoc
index 254d6bb1..ff314335 100755
--- a/release_notes.asciidoc
+++ b/release_notes.asciidoc
@@ -20,6 +20,13 @@ ifdef::backend-docbook[]
endif::backend-docbook[]
+
+== Release 1.86 ==
+
+* NAT Cisco ASA support
+** Add support for learning using TCP-ACK field see more here link:trex_manual.html#_nat_support[here] and link:trex_manual.html#_trex_with_asa_5585[here]
+* More stateless support
+
== Release 1.85 ==
* Upgrade to DPDK 2.2.0
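Review bot: The new bullet under `== Release 1.86 ==` reads `see more here link:...[here] and link:...[here]`, so the rendered note says "see more here here and here"; use the section titles as link text, e.g. `see link:trex_manual.html#_nat_support[NAT support] and link:trex_manual.html#_trex_with_asa_5585[TRex with ASA 5585]`. The anchors do match the ids asciidoc derives from the new `=== NAT support` and `=== TRex with ASA 5585` headings in trex_book.asciidoc, but the entry should also mention the mode-1 restriction documented there (UDP inside-to-outside only, no bidirectional UDP such as DNS), since it limits which traffic profiles can be run against the ASA. `* More stateless support` says nothing a user can act on; name the feature or drop the line.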
diff --git a/trex_book.asciidoc b/trex_book.asciidoc
index 63ab7294..d826b4a4 100755
--- a/trex_book.asciidoc
+++ b/trex_book.asciidoc
@@ -717,7 +717,11 @@ TRex(0) -| |-TRex(1)
=== NAT support
TRex can learn dynamic NAT/PAT translation. To enable this feature add `--learn-mode <val>` to the command line.
-In mode 2, this is done by adding an IPv4 option header with TRex info (8 bytes long 0x10 id) to the first packet of the flow. In mode 2, this is done by embedding NAT info in the ACK of the first TCP SYN.
+In mode 2, this is done by adding an IPv4 option header with TRex info (8 bytes long 0x10 id) to the first packet of the flow.
+In mode 1, this is done by embedding NAT info in the ACK of the first TCP SYN.
+In Mode 1 there is a limitation that only UDP from inside to outside are supported. UDP with both sides, for example DNS won't be supported in this mode.
+This mode was added to support Cisco ASA that in default drop any
+
*Example:*::
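Review bot: The sentence `+This mode was added to support Cisco ASA that in default drop any` is cut off mid-clause and must be completed before merge; the ASA section later in this patch says the device can't forward IPv4 options, which is presumably the intent, but the text here has to say so. The split of the old line does fix the real bug (both behaviours were attributed to mode 2), but the paragraph now describes mode 2 before mode 1 and mixes `mode 2` with `Mode 1`; order them 1 then 2 with consistent capitalisation, and state which values `--learn-mode <val>` accepts, since only 1 and 2 are described. Grammar: `only UDP from inside to outside are supported` should be `is supported`, and `UDP with both sides` reads better as `UDP flows with traffic in both directions`.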
@@ -1390,3 +1394,206 @@ $sudo ./nvmupdate64e
You might need a power cycle and to run this command a few times to get the latest firmware
+=== TRex with ASA 5585
+
+Running TRex aginst ASA 5585 has some limitation
+
+* There is a need to disable TCP sequence randomization using the command `set connection random-sequence-number disable`
+* ASA can't forward ipv4 options so there is a need to use --learn-mode 1 in case of NAT. In this mode UDP with two directions are not supported
+* Client side traffic goes from TenGigabitEthernet0/8 server side from TenGigabitEthernet0/9
+* Latency should be tested using ICMP with `--l-pkt-mode 2`
+
+
+==== ASA 5585 sample configuration
+
+[source,bash]
+----
+ciscoasa# show running-config
+: Saved
+
+:
+: Serial Number: JAD194801KX
+: Hardware: ASA5585-SSP-10, 6144 MB RAM, CPU Xeon 5500 series 2000 MHz, 1 CPU (4 cores)
+:
+ASA Version 9.5(2)
+!
+hostname ciscoasa
+enable password 8Ry2YjIyt7RRXU24 encrypted
+passwd 2KFQnbNIdI.2KYOU encrypted
+names
+!
+interface Management0/0
+ management-only
+ nameif management
+ security-level 100
+ ip address 10.56.216.106 255.255.255.0
+!
+interface TenGigabitEthernet0/8
+ nameif inside
+ security-level 100
+ ip address 15.0.0.1 255.255.255.0
+!
+interface TenGigabitEthernet0/9
+ nameif outside
+ security-level 0
+ ip address 40.0.0.1 255.255.255.0
+!
+boot system disk0:/asa952-smp-k8.bin
+ftp mode passive
+pager lines 24
+logging asdm informational
+mtu management 1500
+mtu inside 9000
+mtu outside 9000
+no failover
+no monitor-interface service-module
+icmp unreachable rate-limit 1 burst-size 1
+no asdm history enable
+arp outside 40.0.0.2 90e2.baae.87d1
+arp inside 15.0.0.2 90e2.baae.87d0
+arp timeout 14400
+no arp permit-nonconnected
+route management 0.0.0.0 0.0.0.0 10.56.216.1 1
+route inside 16.0.0.0 255.0.0.0 15.0.0.2 1
+route outside 48.0.0.0 255.0.0.0 40.0.0.2 1
+timeout xlate 3:00:00
+timeout pat-xlate 0:00:30
+timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
+timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
+timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
+timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
+timeout tcp-proxy-reassembly 0:01:00
+timeout floating-conn 0:00:00
+user-identity default-domain LOCAL
+http server enable
+http 192.168.1.0 255.255.255.0 management
+no snmp-server location
+no snmp-server contact
+crypto ipsec security-association pmtu-aging infinite
+crypto ca trustpool policy
+telnet 0.0.0.0 0.0.0.0 management
+telnet timeout 5
+ssh stricthostkeycheck
+ssh timeout 5
+ssh key-exchange group dh-group1-sha1
+console timeout 0
+!
+tls-proxy maximum-session 1000
+!
+threat-detection basic-threat
+threat-detection statistics access-list
+no threat-detection statistics tcp-intercept
+dynamic-access-policy-record DfltAccessPolicy
+!
+class-map icmp-class
+ match default-inspection-traffic
+class-map inspection_default
+ match default-inspection-traffic
+class-map no-tcp-seq-rand
+ match any
+!
+!
+policy-map type inspect dns preset_dns_map
+ parameters
+ message-length maximum client auto
+ message-length maximum 512
+policy-map no-tcp-seq-rand
+ class no-tcp-seq-rand
+ set connection random-sequence-number disable #<1>
+policy-map icmp_policy
+ class icmp-class
+ inspect icmp
+policy-map global_policy
+ class inspection_default
+ inspect dns preset_dns_map
+ inspect ftp
+ inspect h323 h225
+ inspect h323 ras
+ inspect rsh
+ inspect rtsp
+ inspect esmtp
+ inspect sqlnet
+ inspect skinny
+ inspect sunrpc
+ inspect xdmcp
+ inspect sip
+ inspect netbios
+ inspect tftp
+ inspect ip-options
+!
+service-policy global_policy global
+service-policy no-tcp-seq-rand interface inside
+service-policy icmp_policy interface outside
+prompt hostname context
+!
+jumbo-frame reservation
+!
+no call-home reporting anonymous
+: end
+ciscoasa#
+----
+<1> Disable TCP sequence randomization
+
+==== TRex command example
+
+Using this command we send simple HTTP traffic with NAT learn mode and delay of 1 sec at start up
+We added the delay because it seems ASA drop the first packets.
+Latency is configured to ICMP with learn mode and learn mode to TCP-ACK mode.
+
+[source,bash]
+----
+$sudo ./t-rex-64 -f cap2/http_simple.yaml -d 1000 -l 1000 --l-pkt-mode 2 -m 1000 --learn-mode 1 -k 1
+----
+
+This is more realistic traffic for Enterprise (we removed from SFR the UDP traffic that has two sides as it is not supported right now)
+
+[source,bash]
+----
+$sudo ./t-rex-64 -f avl/sfr_delay_10_1g_asa_nat.yaml -d 1000 --cfg /etc/trex_cfg4.yaml -l 1000 --l-pkt-mode 2 -m 4 --learn-verify --learn-mode 1 -k 1
+----
+
+The TRex output
+
+[source,bash]
+----
+-Per port stats table
+ ports | 0 | 1
+ -----------------------------------------------------------------------------------------
+ opackets | 106347896 | 118369678
+ obytes | 33508291818 | 118433748567
+ ipackets | 118378757 | 106338782
+ ibytes | 118434305375 | 33507698915
+ ierrors | 0 | 0
+ oerrors | 0 | 0
+ Tx Bw | 656.26 Mbps | 2.27 Gbps
+
+-Global stats enabled
+ Cpu Utilization : 18.4 % 31.7 Gb/core
+ Platform_factor : 1.0
+ Total-Tx : 2.92 Gbps Nat_time_out : 9103 #<1>
+ Total-Rx : 2.92 Gbps Nat_no_fid : 0
+ Total-PPS : 542.29 Kpps Total_nat_active: 7
+ Total-CPS : 8.30 Kcps Total_nat_open : 3465246
+
+ Expected-PPS : 539.85 Kpps Nat_learn_errors: 0
+ Expected-CPS : 8.29 Kcps
+ Expected-BPS : 2.90 Gbps
+
+ Active-flows : 7860 Clients : 255 Socket-util : 0.0489 %
+ Open-flows : 3481234 Servers : 5375 Socket : 7860 Socket/Clients : 30.8
+ drop-rate : 0.00 bps
+ current time : 425.1 sec
+ test duration : 574.9 sec
+
+-Latency stats enabled
+ Cpu Utilization : 0.3 %
+ if| tx_ok , rx_ok , rx ,error, average , max , Jitter , max window
+ | , , check, , latency(usec),latency (usec) ,(usec) ,
+ ----------------------------------------------------------------------------------------------------------------
+ 0 | 420510, 420495, 0, 1, 58 , 1555, 14 | 240 257 258 258 219 930 732 896 830 472 190 207 729
+ 1 | 420496, 420509, 0, 1, 51 , 1551, 13 | 234 253 257 258 214 926 727 893 826 468 187 204 724
+----
+<1> this counter should be zero
+
+
+
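Review bot: The callout `<1> this counter should be zero` contradicts the sample output it annotates, where `Nat_time_out : 9103`; either explain why the counter is non-zero in this run (the text above already notes that the ASA drops the first packets, which may be the cause) or replace the output with a clean run, otherwise a reader cannot tell a good result from a bad one. The pasted `show running-config` also needs scrubbing before it ships in public documentation: it carries the unit's serial number (`: Serial Number: JAD194801KX`), the `enable password ... encrypted` and `passwd ... encrypted` hashes, `telnet 0.0.0.0 0.0.0.0 management` (telnet accepted from any source) and `ssh key-exchange group dh-group1-sha1`; replace the hashes and serial with placeholders and add a sentence that this is a lab-only configuration, since `set connection random-sequence-number disable` switches off a TCP hardening feature and should not be copied into production. Minor: `aginst` -> `against`, `has some limitation` -> `has some limitations`, and `Latency is configured to ICMP with learn mode and learn mode to TCP-ACK mode` should read along the lines of `Latency is measured with ICMP (--l-pkt-mode 2) and NAT learning uses TCP-ACK mode (--learn-mode 1)`; the second command adds `--learn-verify` without the text saying what it verifies.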