RARE user and assistance email list

[mc36 <>]

anyway, frederic just added the acl counter reporting, this is what i see 
when i ran

java -Xmx512m -jar rtr.jar test tester p4lang-acl05 other p4lang301.ini wait

which executed http://sources.nop.hu/cfg/crypt-acl05.tst with an emulated 
tofino:

r1#show access-list test4
 sequence 10 deny 1 2.2.2.104 255.255.255.255 all 2.2.2.106 255.255.255.255 
all
  match=tx=0+0(0+0) rx=0+860(0+10) drp=0+0(0+0) accessed=00:00:58 ago, 
00:00:00 timeout
 sequence 20 permit all any all any all
  match=tx=0+0(0+0) rx=1216+1264697(19+1180) drp=0+0(0+0) accessed=00:00:29 
ago, 00:00:00 timeout

r1#show access-list test6
 sequence 10 deny 58 4321::104 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all 
4321::106 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff all
  match=tx=0+0(0+0) rx=0+860(0+10) drp=0+0(0+0) accessed=00:01:07 ago, 
00:00:00 timeout
 sequence 20 permit all any all any all
  match=tx=0+0(0+0) rx=1544+1265113(23+1184) drp=0+0(0+0) accessed=00:00:07 
ago, 00:00:00 timeout
                          ^^^^^^^^^^  ^^^^^^  these are the reported hw 
counters!!!!
r1#


On 2/21/22 16:14, mc36 wrote:
> hi,
> imho the issue is that your switch is still in the p4lab profile which does 
> not have bridging support in the tofino.bin...
> first of all, try to switch the profile somehow (alex will tell you how to do 
> that on your version) hten start with the
> bare minimum:
> bridge 1
>    mac-le
> int sdn1.1001
>    bridge-gr 1
> int sdn7.1001
>    bridge-gr 1
> and check if the mac table is populated, and the sw+hw notation of counters 
> appear...
> this one is particularly important because in your current setup i only saw 
> sw counters in the morning...
> then if you reached that state, you could add the counting acls, one per 
> subinterface....
> regards,
> cs
>
> On 2/21/22 12:15, Maria Del Carmen Misa Moreira wrote:
> > Hi Csaba,
> >
> > I'm testing things and keep learning, I will explain you something that I'm 
> > seeing...
> >
> > 1. If I have 'interface bvi1' just with 'no shutdown' but on sdn1.1001 and sdn7.1001 both with 'bridge-group 1' and 'bridge-filter ipv6in acl_permit_all' and 'bridge-filter 
> > ipv6out acl_permit_all' I can only see the mac addr of sdn7.1001 but not for sdn1.1001 or bvi1. So the problem here is that the counters for 'show access-list acl_permit_all' and 
> > 'show bridge 1' are not increasing when I'm pinging between the routers.
> >
> > 2. But, if I add into 'interface bvi1' the following (I know that you tell me to don't do it jaja): 'vrf forwarding', 'ipv6 address 1234:2::1 ffff:ffff::', 'ipv6 access-group-in 
> > acl_permit_all', 'ipv6 enable' now I'm able to see all the mac address interfaces for sdn7.1001, sdn1.1001 and bvi1 and NOW the counters for 'show access-list acl_permit_all' and 
> > 'show bridge 1' are being increased when I'm pinging.
> >
> > Anyway, I don't have a ping in both situations but I was wondering if I need to add something in the first case because not all the mac addresses on the interfaces are learned as 
> > in the 2nd case for example.
> >
> > Regards,
> > Carmen Misa
> >
> >
> > > On 21/02/2022 08:59 mc36 <> wrote:
> > >
> > > https://letsmeet.hu/carmen
> > >
> > >
> > > On 2/21/22 08:58, Maria Del Carmen Misa Moreira wrote:
> > > > Hi Csaba,
> > > >
> > > > I'm free from now until 16h for the VC, just send a me link when you're 
> > > > available.
> > > >
> > > >
> > > >
> > > >
> > > > > On 19/02/2022 09:53 mc36 <> wrote:
> > > > >
> > > > > okk, so i did the code duplication with this commit:
> > > > > https://github.com/mc36/freeRouter/commit/e832c62068a5f3dce0dc11e75ebd4c1150d05625
> > > > > so from now, you'll be able to count the acl hits on the bridged interfaces 
> > > > > too...
> > > > > if you're brave enough and would get involved, you can write the counter 
> > > > > reports
> > > > > yourself, you can use the flowspec for a sample... otherwise frederic will do 
> > > > > it...
> > > > > regards,
> > > > > cs
> > > > >
> > > > >
> > > > > On 2/18/22 19:24, mc36 wrote:
> > > > > > yesss... so this second example was sent to show you a bad example too....
> > > > > > to have pure layer2 bridging (and not a fake layer2 over the arp entries)
> > > > > > please use the two examples with the bridge acls:
> > > > > > http://sources.nop.hu/cfg/p4lang-acl11.tst
> > > > > > http://sources.nop.hu/cfg/p4lang-acl12.tst
> > > > > > these dont have addressing on the bvi resulting in layer2 propagated to the 
> > > > > > dataplane...
> > > > > > regards,
> > > > > > cs
> > > > > >
> > > > > >
> > > > > > On 2/18/22 19:07, Maria Del Carmen Misa Moreira wrote:
> > > > > > > Well in this examples under bvi1 there is a vrf and IPv4/6, there are fake 
> > > > > > > like in loopback11 and loopback22 in the previous test
> > > > > > >
> > > > > > > int bvi1
> > > > > > >          vrf for v1
> > > > > > >          ipv4 addr 1.1.2.1 255.255.255.0
> > > > > > >          ipv6 addr 1234:2::1 ffff:ffff::
> > > > > > >          ipv6 ena
> > > > > > >          exit
> > > > > > >
> > > > > > >
> > > > > > > > On 18/02/2022 18:37 mc36 <> wrote:
> > > > > > > >
> > > > > > > > please dont... if you configure a vrf and ip to the bvi
> > > > > > > > then it'll see that you're trying to do layer3 over local bridge ports
> > > > > > > > and will result at dataplane in routing entries and not layer2...
> > > > > > > > this one is an example of this specific behavior:
> > > > > > > > http://sources.nop.hu/cfg/p4lang-rout019.tst
> > > > > > > > regards,
> > > > > > > > cs
> > > > > > > >
> > > > > > > > On 2/18/22 18:31, Maria Del Carmen Misa Moreira wrote:
> > > > > > > > > Well vrf is need at least for the 'interface bvi1' that belongs to 'brigde 
> > > > > > > > > 1', if I understand correctly
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > On 18/02/2022 18:18 mc36 <> wrote:
> > > > > > > > > >
> > > > > > > > > > so to use the bridge, better nuke the vrf, isis, basically everything 
> > > > > > > > > > completely...
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On 2/18/22 18:16, Maria Del Carmen Misa Moreira wrote:
> > > > > > > > > > > Hi Csaba,
> > > > > > > > > > >
> > > > > > > > > > > Quick question: if I set on one interface the 'bridge-group' it make sense to 
> > > > > > > > > > > have on the same interface ISIS or LLDP? I'm reading that both are Layer 2 
> > > > > > > > > > > protocols but ISIS
> > > > > > > > > > > will advertise the network that is reachable via that interface but if that 
> > > > > > > > > > > interface is going to act as bridge maybe this is illogical.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > On 18/02/2022 17:07 mc36 <> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > hi,
> > > > > > > > > > > > okk for the monday...
> > > > > > > > > > > > regards,
> > > > > > > > > > > > cs
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On 2/18/22 17:06, Maria Del Carmen Misa Moreira wrote:
> > > > > > > > > > > > > Hi Csaba,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Okey thanks. I'm going to take a look to bridges and your examples.
> > > > > > > > > > > > > We can talk on Monday morning, I'm free all the morning.
> > > > > > > > > > > > > Mmm I see the point, we need to use DPDK but since P4 switch is connected to 
> > > > > > > > > > > > > other 2 Juniper routers we cannot use it... I think.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > > On 18/02/2022 16:57 mc36 <> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > hi,
> > > > > > > > > > > > > > any time could work to disucc online...
> > > > > > > > > > > > > > to be layer2 transparent, we can do bridging, and we support acls on bridge 
> > > > > > > > > > > > > > ports...
> > > > > > > > > > > > > > here are the tests covering these:
> > > > > > > > > > > > > > http://sources.nop.hu/cfg/p4lang-acl11.tst
> > > > > > > > > > > > > > http://sources.nop.hu/cfg/p4lang-acl12.tst
> > > > > > > > > > > > > > the bad news is that currently the tofino cannot report hit counters for 
> > > > > > > > > > > > > > these without code replication...
> > > > > > > > > > > > > > we have an open ticket for that at intel connected academy, and they're 
> > > > > > > > > > > > > > working on it...
> > > > > > > > > > > > > > the good news is that the dpdk code already reports the hit counters on 
> > > > > > > > > > > > > > these...
> > > > > > > > > > > > > > regards,
> > > > > > > > > > > > > > cs
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 2/18/22 16:05, Maria Del Carmen Misa Moreira wrote:
> > > > > > > > > > > > > > > Hi Csaba,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > If you have 15 minutes I would like to explain to you the new test that I 
> > > > > > > > > > > > > > > need to prepare for the next LHCONE meeting [next 29th of March]. Basically, 
> > > > > > > > > > > > > > > the idea is to
> > > > > > > > > > > > > > > emulate the
> > > > > > > > > > > > > > > connection between Tier1's and the P4 switch will need to be transparent at Layer 3 but I think that this is probably not possible using this policy-based routing... 
> > > > > > > > > > > > > > > We need
> > > > > > > > > > > > > > > something like 'Policy-based Switching' just using mac address and not IPs as 
> > > > > > > > > > > > > > > the next-hops. One time you told me about bridges on freertr and maybe this 
> > > > > > > > > > > > > > > could be a
> > > > > > > > > > > > > > > solution, let
> > > > > > > > > > > > > > > me your thoughts :) you are the super expert here and my support
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > > Carmen Misa