.. Author (from blame): John DeNisco, 2018-08-03 11:02:24 -0400, commit c8e7f41

.. _sourceNAT:

.. toctree::

Source NAT
==========

Skills to be Learned
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Abusing network namespaces for fun and profit
#. Configuring the snat address
#. Configuring snat inside and outside interfaces

FD.io VPP commands learned in this exercise
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. `snat add interface address <https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_snat_add_interface_address>`__
#. `set interface snat <https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_set_interface_snat>`__

Topology
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. figure:: /_images/SNAT_Topology.jpg
   :alt: SNAT Topology

   SNAT Topology

Initial state
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unlike previous exercises, for this one you want to start tabula rasa.

Note: You will lose all existing config in your FD.io VPP instances!

To clear existing config from previous exercises, run:

.. code-block:: console

   $ ps -ef | grep vpp | awk '{print $2}' | xargs sudo kill
   $ sudo ip link del dev vpp1host
   $ sudo ip link del dev vpp1vpp2

Install vpp-plugins
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Snat is supported by a plugin, so the vpp-plugins package needs to be installed:

.. code-block:: console

   $ sudo apt-get install vpp-plugins

Create FD.io VPP instance
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create one FD.io VPP instance named vpp1.

Confirm the snat plugin is present:

.. code-block:: console

   vpp# show plugins
   Plugin path is: /usr/lib/vpp_plugins
   Plugins loaded:
   1.ioam_plugin.so
   2.ila_plugin.so
   3.acl_plugin.so
   4.flowperpkt_plugin.so
   5.snat_plugin.so
   6.libsixrd_plugin.so
   7.lb_plugin.so


Create veth interfaces
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a veth interface with one end named vpp1outside and the other
   named vpp1outsidehost
#. Assign IP address 10.10.1.1/24 to vpp1outsidehost
#. Create a veth interface with one end named vpp1inside and the other
   named vpp1insidehost
#. Assign IP address 10.10.2.1/24 to vpp1insidehost

Because we'd like to be able to route *via* our vpp instance to an
interface on the same host, we are going to put vpp1insidehost into a
network namespace. Left in the default namespace, the kernel would
answer 10.10.1.1 locally and the packet would never pass through vpp1.

Create a new network namespace 'inside':

.. code-block:: console

   $ sudo ip netns add inside

Move interface vpp1insidehost into the 'inside' namespace and bring it up:

.. code-block:: console

   $ sudo ip link set dev vpp1insidehost up netns inside

Assign an IP address to vpp1insidehost. This has to be done inside the
namespace, because moving an interface between namespaces drops its
addresses:

.. code-block:: console

   $ sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost

Create a route inside the netns so that 10.10.1.0/24 is reached via vpp1
(10.10.2.2):

.. code-block:: console

   $ sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2

Configure vpp inside and outside interfaces
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a vpp host interface connected to vpp1outside
#. Assign IP address 10.10.1.2/24
#. Create a vpp host interface connected to vpp1inside
#. Assign IP address 10.10.2.2/24

Configure snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Configure snat to use the address of host-vpp1outside:

.. code-block:: console

   vpp# snat add interface address host-vpp1outside

Configure the snat inside and outside interfaces:

.. code-block:: console

   vpp# set interface snat in host-vpp1inside out host-vpp1outside
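The steps from "Create veth interfaces" through "Configure snat" above, collected into one script. This is an added example, not part of the original exercise or the VPP project's own code. It assumes the VPP CLI is driven with ``vppctl`` (so ``vppctl set interface snat ...`` is the same as typing it at the ``vpp#`` prompt) and fills in the vpp commands the exercise only describes in prose with ``create host-interface name``, ``set interface state`` and ``set interface ip address``; ``trace add af-packet-input`` is assumed for the "enable tracing" step. With ``DRY_RUN=1`` the script prints the commands instead of running them, so the plan can be reviewed before touching the host.

```shell
#!/bin/sh
# Added example: apply the SNAT exercise topology step by step.
# DRY_RUN=1 prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-}"

# Execute a privileged command, or just print it in dry-run mode.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# Assumption: the vpp CLI is reachable through vppctl.
vppcmd() {
    run vppctl "$@"
}

# Host side: veth pairs, the 'inside' namespace, addresses and the route
# that sends 10.10.1.0/24 traffic from the namespace via vpp1 (10.10.2.2).
setup_host_side() {
    run ip link add vpp1outside type veth peer name vpp1outsidehost
    run ip link set dev vpp1outside up
    run ip link set dev vpp1outsidehost up
    run ip addr add 10.10.1.1/24 dev vpp1outsidehost
    run ip link add vpp1inside type veth peer name vpp1insidehost
    run ip link set dev vpp1inside up
    run ip netns add inside
    # Move first, then bring up and address inside the namespace:
    # moving an interface between namespaces drops its addresses.
    run ip link set dev vpp1insidehost netns inside
    run ip netns exec inside ip link set dev vpp1insidehost up
    run ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost
    run ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2
}

# VPP side: host interfaces on both veth ends, then the two snat commands
# from the exercise. The snat address is taken from host-vpp1outside.
setup_vpp_side() {
    vppcmd create host-interface name vpp1outside
    vppcmd set interface state host-vpp1outside up
    vppcmd set interface ip address host-vpp1outside 10.10.1.2/24
    vppcmd create host-interface name vpp1inside
    vppcmd set interface state host-vpp1inside up
    vppcmd set interface ip address host-vpp1inside 10.10.2.2/24
    vppcmd snat add interface address host-vpp1outside
    vppcmd set interface snat in host-vpp1inside out host-vpp1outside
}

# Assumption: host interfaces feed the af-packet-input node, so tracing
# that node shows the packets before and after translation.
enable_trace() {
    vppcmd trace add af-packet-input 10
}

# Number of commands a step would issue (used to sanity-check the plan).
count_cmds() {
    DRY_RUN=1 "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--plan" ]; then
    DRY_RUN=1
    setup_host_side
    setup_vpp_side
    enable_trace
fi
```

Run ``sh snat-setup.sh --plan`` to print the command sequence, or source the file and call ``setup_host_side``, ``setup_vpp_side`` and ``enable_trace`` in that order on a clean VM. The vpp side must run after the veth pairs exist, because ``create host-interface`` opens the named kernel interface.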

Prepare to Observe Snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Observing snat in this configuration is interesting. To do so, run
``vagrant ssh`` a second time into your VM and run:

.. code-block:: console

   $ sudo tcpdump -s 0 -i vpp1outsidehost

Also enable packet tracing on vpp1.

Ping via snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   $ sudo ip netns exec inside ping -c 1 10.10.1.1

Confirm snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Examine the tcpdump output and the vpp1 trace to confirm snat occurred:
the echo request seen on vpp1outsidehost should carry the source address
of host-vpp1outside (10.10.1.2) rather than the inside address 10.10.2.1.
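An added example of that check, not part of the original exercise: the function below parses ``tcpdump`` output from vpp1outsidehost and reports whether the inside address was translated. The two captures are constructed samples shaped like tcpdump's ICMP lines; the addresses follow from the topology above.

```shell
#!/bin/sh
# Added example: confirm source NAT from a tcpdump capture on vpp1outsidehost.
INSIDE_ADDR="10.10.2.1"   # inside host; must never appear on the outside link
SNAT_ADDR="10.10.1.2"     # host-vpp1outside, the address snat was told to use
OUTSIDE_HOST="10.10.1.1"  # the ping target on vpp1outsidehost

# Constructed sample, shaped like 'tcpdump -nn -i vpp1outsidehost' output
# when snat works: the echo request arrives with the translated source.
CAPTURE_OK="12:00:00.000001 IP 10.10.1.2 > 10.10.1.1: ICMP echo request, id 4242, seq 1, length 64
12:00:00.000130 IP 10.10.1.1 > 10.10.1.2: ICMP echo reply, id 4242, seq 1, length 64"

# Constructed sample for the failure case: the inside address leaked onto
# the outside link, which is what a missing 'set interface snat' looks like.
CAPTURE_LEAK="12:00:00.000001 IP 10.10.2.1 > 10.10.1.1: ICMP echo request, id 4242, seq 1, length 64"

# confirm_snat CAPTURE_TEXT
# Returns 0 when the capture holds an echo request from SNAT_ADDR to
# OUTSIDE_HOST and no packet sourced from INSIDE_ADDR; otherwise 1.
# tcpdump fields: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:", then the payload.
confirm_snat() {
    printf '%s\n' "$1" | awk -v in_addr="$INSIDE_ADDR" -v snat="$SNAT_ADDR" \
                              -v dst="$OUTSIDE_HOST" '
        BEGIN { dst = dst ":" }
        $2 == "IP" && $3 == in_addr { leaked = 1 }
        $2 == "IP" && $3 == snat && $5 == dst && /ICMP echo request/ { translated = 1 }
        END {
            ok = (translated && !leaked)
            print (ok ? "snat confirmed" : "snat NOT confirmed")
            exit ok ? 0 : 1
        }'
}
```

To check a live capture, pass tcpdump's output directly: ``confirm_snat "$(sudo tcpdump -nn -c 2 -i vpp1outsidehost icmp)"``. The ``-nn`` flag keeps the addresses numeric so the field positions match, and ``-c 2`` makes tcpdump exit after the request and reply from a single ``ping -c 1``.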
159