
rare-users - Re: [RARE-users] [freertr] Fwd: Access-list by using Freertr/Tofino ASIC

Subject: RARE user and assistance email list

  • From: mc36 <>
  • To: ,
  • Cc: "" <>, "Rafael S. Guimaraes" <>
  • Subject: Re: [RARE-users] [freertr] Fwd: Access-list by using Freertr/Tofino ASIC
  • Date: Thu, 11 Aug 2022 15:59:53 +0200

well, and reading through the p4 code real quickly, i just noticed that it doesn't have a counter attached....
(yeahhh, if i recall correctly, frederic added the counters only to those tables that time out without traffic, like nat, flow inspection, bridge mac addresses, etc) here is a sample which has a counter attached:
https://github.com/rare-freertr/freeRtr/blob/master/misc/p4bf/include/ig_ctl_nat.p4#L29
the rest of the dataplanes btw do report up on all matching, so if you have some spare time, feel free to add some to the tofino code... :)
until then, you could be able to spot if you succeeded pbr-ing the traffic purely by the ping rtt times:
the longer path should give you bigger rtt whereas the shorter path should give you lower rtt...
br,
cs


On 8/11/22 15:25, mc36 wrote:
hi,
my bad, i also missed out a very important part of the puzzle from my explanation:
so the thing is that, once the given pbr rule cannot be expressed, there won't be any ace programmed to the hardware as it cannot point to a valid p4 function to get executed upon matching;
https://github.com/rare-freertr/freeRtr/blob/master/misc/p4bf/include/ig_ctl_pbr.p4#L108
please see below the hardware's run-time equivalent of the same...
and since the packets seemingly match to some routing entry, the asic routes them without giving them up to freerouter, that's why you were not able to see them in the debug fwd packet... btw, when it comes to a dataplane, this command basically can only show you the control (routing protocol) and exception (ttl<2) packets...
br,
cs


AMS0001#tna-bfshell
bfshell> bfrt_python
In [1]: bfrt
bfrt> bf_router_GEANT_TESTBED
bfrt.bf_router_GEANT_TESTBED> pipe
bfrt.bf_router_GEANT_TESTBED.pipe> ig_ctl
bfrt.bf_router_GEANT_TESTBED.pipe.ig_ctl> ig_ctl_pbr
bfrt.bf_router_GEANT_TESTBED.pipe.ig_ctl.ig_ctl_pbr> tbl_ipv4_pbr
bfrt.bf_router_GEANT_TESTBED.pipe.ig_ctl.ig_ctl_pbr.tbl_ipv4_pbr> dump
----------------------------------------------------------------> dump()
----- tbl_ipv4_pbr Dump Start -----
Default Entry:
Entry data (action : NoAction):

Table pipe.ig_ctl.ig_ctl_pbr.tbl_ipv4_pbr has no entries.
----- tbl_ipv4_pbr Dump End -----


bfrt.bf_router_GEANT_TESTBED.pipe.ig_ctl.ig_ctl_pbr.tbl_ipv4_pbr>





On 8/11/22 15:02, Everson Borges wrote:
Thanks, Csaba! I am taking notes of this tip :), it will be very useful.

But I think I did not explain it correctly in the previous email. Our biggest difficulty is regarding the traffic classification because once in Tofino, the ACL didn't work as expected. In my lab at home via p4emu, it worked.

So, do you know why the traffic is not going through the ACLs? When I run the command
"display access-list polka4" the counters appear as zero.

sequence 10 permit 17 10.1.101.101 255.255.255.255 all 10.2.101.101 255.255.255.255 all tos 32
sequence 20 permit 6 10.1.101.101 255.255.255.255 all 10.2.101.101 255.255.255.255 all tos 32
sequence 30 permit 1 10.1.101.101 255.255.255.255 all 10.2.101.101 255.255.255.255 all tos 32

Best regards,
Everson

On Thu, 11 Aug 2022 at 09:19, mc36 < <>> wrote:

my bad, after trying this out on my homenet, i found that what i've suggested beforehand was almost the same config...
here is the one that works out to the dataplanes and performs the encapsulation as configured:

vrf def polkav
exit
serv p4 p4
export-vrf polkav
exit
int tun1122
vrf for polkav
ipv4 address 10.11.22.1 0.0.0.0    <------------------- all zeroes equals the default route btw... :)
exit
ipv4 pbr CORE sequence 10 polka4 polkav

^^^^^^^ that is, no nexthop specified, just the new vrf, and you just
allow pure ip routing to match to the tunnel's default route... :)

br,
cs




On 8/11/22 10:52, mc36 wrote:
>
>
>
> -------- Forwarded Message --------
> Subject: Re: Access-list by using Freertr/Tofino ASIC
> Date: Thu, 11 Aug 2022 10:51:36 +0200
> From: mc36 < <>>
> To: Everson Borges < <>>, rafaelsg < <>>
>
> hi,
>
> as discussed before briefly, there is no such a knob as pbr2polka in the dataplanes yet as they try to provide as minimal as they need...
>
> AMS0001#show running-config | include pbr
> ipv4 pbr CORE sequence 10 polka4 CORE nexthop 10.11.22.2
>
> AMS0001#
>
> what they can provide are the following:
>
> mc36@noti:~$ cat /nfs/own/web/src/misc/p4lang/forwarder.py | grep pbr4
>          if cmds[0] == "pbr4norm":
>          if cmds[0] == "pbr4vrf":
>          if cmds[0] == "pbr4hop":
>          if cmds[0] == "pbr4lab":
> mc36@noti:~$
>
> here, as polka will provide a tunnel interface, the best you can do is to place it into a fresh new vrf:
>
> vrf def polkav
> exit
> serv p4 p4
> export-vrf polkav
> exit
> int tun1122
> vrf for polkav
> ipv4 address 10.11.22.1 255.255.255.0
> exit
> ipv4 pbr CORE sequence 10 polka4 polkav nexthop 10.11.22.2
>
> this will have the same effect, but expressed in a dataplane friendly way...
>
> br,
> cs
>
>
>
>
> On 8/10/22 17:06, Everson Borges wrote:
>>
>> Hi Csaba, how are you? I hope you are well. :)
>>
>>
>> I am trying to run Freertr/Tofino and PolKa at the RARE Testbed and am facing some problems/doubts about it.
>>
>> As you can see in the attached Figure, we are trying to ping from host 10.1.101.101 to 10.2.101.101. We have set up an access list as described below. However, we are not seeing the packet being classified by the access-list in the routers (AMS and FRA).
>>
>> sequence 10 permit 17 10.1.101.101 255.255.255.255 all 10.2.101.101 255.255.255.255 all tos 32
>> sequence 20 permit 6 10.1.101.101 255.255.255.255 all 10.2.101.101 255.255.255.255 all tos 32
>> sequence 30 permit 1 10.1.101.101 255.255.255.255 all 10.2.101.101 255.255.255.255 all tos 32
>>
>> We pinged by using the following command:
>> Screen Shot 2022-08-10 at 12.00.59.png
>>
>> After pinging, we tried to see the packet coming at the Amsterdam router by using the following command:
>>
>> AMS0001#display access-list polka4
>>
>> However, we are not seeing the counter being incremented in the access list. In my home lab, it works.
>>
>> Do you have any idea what is going on? Is there a command that we can expose the incoming traffic in the routers, such as tcpdump?
>>
>> Best regards,
>> --
>> Att.
>> Everson Scherrer Borges
>
>
>
>
>



--
Att.
Everson Scherrer Borges
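
Added example (not part of the original thread and not freeRtr code): a Python check over saved `dump` output from the bfrt_python session shown in the thread, flagging tables where a configured policy never reached the hardware. It relies only on the markers visible in that dump; the second table in the sample, the function names and the expected-table list are constructed for illustration.

```python
import re

# Constructed capture: the first dump is the empty table from the thread; the
# second table, its name and its entry lines are made up for contrast.
SAMPLE = """\
----- tbl_ipv4_pbr Dump Start -----
Default Entry:
Entry data (action : NoAction):

Table pipe.ig_ctl.ig_ctl_pbr.tbl_ipv4_pbr has no entries.
----- tbl_ipv4_pbr Dump End -----
----- tbl_example Dump Start -----
Entry 0:
Entry data (action : act_example):
Default Entry:
Entry data (action : NoAction):
----- tbl_example Dump End -----
"""

MARK = re.compile(r"^-+ (\S+) Dump (Start|End) -+$")
ACTION = re.compile(r"^Entry data \(action : ([^)\s]+)\):")

def parse_dumps(text):
    """Return {table: {'complete', 'empty', 'default_action'}} per dump."""
    tables, cur, want_default = {}, None, False
    for line in map(str.strip, text.splitlines()):
        m = MARK.match(line)
        if m and m.group(2) == "Start":
            cur = tables[m.group(1)] = {"complete": False, "empty": False,
                                        "default_action": None}
            want_default = False
        elif cur is None:
            continue                      # text outside any dump is ignored
        elif m:                           # "Dump End" closes the current table
            cur["complete"] = True
            cur = None
        elif line == "Default Entry:":
            want_default = True           # next action line is the default
        elif line.endswith("has no entries."):
            cur["empty"] = True
        elif want_default and ACTION.match(line):
            cur["default_action"] = ACTION.match(line).group(1)
            want_default = False
    return tables

def unprogrammed(expected, tables):
    """Map each expected table to the reason its policy is not in hardware."""
    problems = {}
    for name in expected:
        t = tables.get(name)
        if t is None or not t["complete"]:
            problems[name] = "no complete dump captured"
        elif t["empty"]:
            problems[name] = f"no entries; misses fall through to {t['default_action']}"
    return problems
```

A truncated capture is reported as "no complete dump captured" rather than as a populated table, so a cut-off session cannot pass for programmed policy.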


