.. _nat:

.. toctree::

Network Address Translation
===========================

Skills to be Learned
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Abusing network namespaces for fun and profit
#. Configuring a NAT address
#. Configuring NAT inside and outside interfaces

FD.io VPP commands learned in this exercise
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. `nat44 add interface address
   <https://fd.io/docs/vpp/master/cli-reference/clis/clicmd_src_plugins_nat_nat44-ed.html#nat44-add-interface-address>`__
#. `set interface nat44
   <https://fd.io/docs/vpp/master/cli-reference/clis/clicmd_src_plugins_nat_nat44-ed.html#set-interface-nat44>`__

Topology
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. figure:: /_images/NAT_Topology.jpg
   :alt: NAT Topology

   NAT Topology

Initial state
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unlike previous exercises, for this one you want to start tabula rasa.

Note: You will lose all your existing config in your FD.io VPP instances!

To clear existing config from previous exercises run:
.. code-block:: console

   $ ps -ef | grep vpp | awk '{print $2}' | xargs sudo kill
   $ sudo ip link del dev vpp1host
   $ sudo ip link del dev vpp1vpp2

Install vpp-plugins
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

NAT is supported by a plugin, so the respective package needs to be installed:

.. code-block:: console

   $ sudo apt-get install vpp-plugin-core

Create FD.io VPP instance
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create one FD.io VPP instance named vpp1.

Confirm the nat44 plugin is present:

.. code-block:: console

   # vppctl -s /run/vpp/cli-vpp1.sock show plugins | egrep nat44
   57. nat44_ei_plugin.so 24.02-rc0~124-g2ab902f28 IPv4 Endpoint-Independent NAT (NAT44 EI)

Please note that earlier versions of VPP and this document referred to the
``snat`` plugin, which `was renamed <https://www.mail-archive.com/vpp-dev@lists.fd.io/msg03299.html>`__.

Create veth interfaces
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a veth interface with one end named ``vpp1outside`` and the other
   named ``vpp1outsidehost``
#. Assign IP address 10.10.1.1/24 to ``vpp1outsidehost``
#. Create a veth interface with one end named ``vpp1inside`` and the other
   named ``vpp1insidehost``
#. Assign IP address 10.10.2.1/24 to ``vpp1insidehost``

Because we'd like to be able to route \*via\* our vpp instance to an
interface on the same host, we are going to put ``vpp1insidehost`` into a
network namespace.

Create a new network namespace 'inside':

.. code-block:: console

   $ sudo ip netns add inside

Move interface ``vpp1insidehost`` into the 'inside' namespace:

.. code-block:: console

   $ sudo ip link set dev vpp1insidehost up netns inside

Assign an IP address to ``vpp1insidehost``:

.. code-block:: console

   $ sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost

Create a route inside the ``netns``:

.. code-block:: console

   $ sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2

Configure vpp outside interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a vpp host interface connected to vpp1outside
#. Assign IP address 10.10.1.2/24
#. Create a vpp host interface connected to vpp1inside
#. Assign IP address 10.10.2.2/24

Configure nat44
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable the nat44 plugin:

.. code-block:: console

   vpp# nat44 plugin enable

Configure nat44 to use the address of host-vpp1outside:

.. code-block:: console

   vpp# nat44 add interface address host-vpp1outside

Configure nat44 inside and outside interfaces:

.. code-block:: console

   vpp# set interface nat44 in host-vpp1inside out host-vpp1outside

Prepare to Observe NAT
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Observing NAT in this configuration is interesting. To do so, vagrant
ssh a second time into your VM and run:

.. code-block:: console

   $ sudo tcpdump -s 0 -i vpp1outsidehost

Also enable tracing on vpp1.

Ping via NAT
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   $ sudo ip netns exec inside ping -c 3 10.10.1.1

Confirm NAT
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Examine the ``tcpdump`` output and vpp1 trace to confirm NAT occurred.
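The check above can be scripted. The following is an added example, not part of the original exercise or the VPP project: a shell function that reads ``tcpdump`` output from the outside link and verifies that every echo request is sourced from the NAT address (10.10.1.2) and that no 10.10.2.0/24 inside address ever appears on the wire. The capture lines embedded below are constructed samples in the default ``tcpdump`` line format, not a real capture.

```shell
#!/bin/sh
# Constructed sample of tcpdump output on vpp1outsidehost after a ping from
# 10.10.2.1 in the 'inside' netns, with NAT working (not a real capture).
NAT_OK_CAPTURE='12:00:01.000000 IP 10.10.1.2 > 10.10.1.1: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000120 IP 10.10.1.1 > 10.10.1.2: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000000 IP 10.10.1.2 > 10.10.1.1: ICMP echo request, id 1234, seq 2, length 64
12:00:02.000120 IP 10.10.1.1 > 10.10.1.2: ICMP echo reply, id 1234, seq 2, length 64'

# The same ping if NAT were not applied: the inside address leaks onto the
# outside link (constructed).
NAT_MISSING_CAPTURE='12:00:01.000000 IP 10.10.2.1 > 10.10.1.1: ICMP echo request, id 1234, seq 1, length 64'

# confirm_nat NAT_ADDR INSIDE_PREFIX < capture
# Returns 0 when every ICMP echo request seen on the outside link is sourced
# from NAT_ADDR and no packet carries an INSIDE_PREFIX address; 1 otherwise.
# Assumes the default tcpdump line layout: "ts IP src > dst: ICMP echo request, ..."
confirm_nat() {
    nat_addr=$1
    inside_prefix=$2
    awk -v nat="$nat_addr" -v inside="$inside_prefix" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # Any inside address on the outside link means translation failed.
            if (index(src, inside) == 1 || index(dst, inside) == 1) {
                print "FAIL: inside address visible on outside link: " $0 > "/dev/stderr"
                bad++
            }
            if ($6 == "ICMP" && $7 == "echo" && $8 == "request,") {
                requests++
                if (src != nat) {
                    print "FAIL: echo request not sourced from NAT address: " $0 > "/dev/stderr"
                    bad++
                }
            }
        }
        END {
            if (requests == 0) { print "FAIL: no echo requests seen" > "/dev/stderr"; exit 1 }
            if (bad > 0) exit 1
            exit 0
        }'
}

# Stand-alone demo against the constructed samples. Live use:
#   sudo tcpdump -l -n -s 0 -i vpp1outsidehost | confirm_nat 10.10.1.2 10.10.2.
printf '%s\n' "$NAT_OK_CAPTURE" | confirm_nat 10.10.1.2 10.10.2. && echo "NAT confirmed"
printf '%s\n' "$NAT_MISSING_CAPTURE" | confirm_nat 10.10.1.2 10.10.2. 2>/dev/null || echo "NAT missing, as expected"
```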