John DeNisco | c8e7f41 | 2018-08-03 11:02:24 -0400

.. _sourceNAT:

.. toctree::

Source NAT
==========

Skills to be Learned
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Abusing network namespaces for fun and profit
#. Configuring the snat address
#. Configuring snat inside and outside interfaces

FD.io VPP commands learned in this exercise
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. `snat add interface address <https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_snat_add_interface_address>`__
#. `set interface snat <https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_set_interface_snat>`__

Topology
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. figure:: /_images/SNAT_Topology.jpg
   :alt: SNAT Topology

   SNAT Topology

Initial state
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unlike previous exercises, for this one you want to start tabula rasa.

Note: You will lose all your existing config in your FD.io VPP instances!

To clear existing config from previous exercises run:

.. code-block:: console

   $ ps -ef | grep vpp | awk '{print $2}' | xargs sudo kill
   $ sudo ip link del dev vpp1host
   $ sudo ip link del dev vpp1vpp2

Install vpp-plugins
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Snat is provided by a plugin, so the vpp-plugins package needs to be installed:

.. code-block:: console

   $ sudo apt-get install vpp-plugins

Create FD.io VPP instance
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create one FD.io VPP instance named vpp1.

Confirm the snat plugin is present:

.. code-block:: console

   vpp# show plugins
   Plugin path is: /usr/lib/vpp_plugins
   Plugins loaded:
     1.ioam_plugin.so
     2.ila_plugin.so
     3.acl_plugin.so
     4.flowperpkt_plugin.so
     5.snat_plugin.so
     6.libsixrd_plugin.so
     7.lb_plugin.so

Create veth interfaces
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a veth interface with one end named vpp1outside and the other
   named vpp1outsidehost
#. Assign IP address 10.10.1.1/24 to vpp1outsidehost
#. Create a veth interface with one end named vpp1inside and the other
   named vpp1insidehost
#. Assign IP address 10.10.2.1/24 to vpp1insidehost

Because we'd like to be able to route *via* our vpp instance to an
interface on the same host, we are going to put vpp1insidehost into a
network namespace.

Create a new network namespace 'inside':

.. code-block:: console

   $ sudo ip netns add inside

Move interface vpp1insidehost into the 'inside' namespace:

.. code-block:: console

   $ sudo ip link set dev vpp1insidehost up netns inside

Assign an IP address to vpp1insidehost:

.. code-block:: console

   $ sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost

Create a route inside the netns:

.. code-block:: console

   $ sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2

Configure vpp outside interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a vpp host interface connected to vpp1outside
#. Assign IP address 10.10.1.2/24
#. Create a vpp host interface connected to vpp1inside
#. Assign IP address 10.10.2.2/24

Configure snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Configure snat to use the address of host-vpp1outside:

.. code-block:: console

   vpp# snat add interface address host-vpp1outside

Configure the snat inside and outside interfaces:

.. code-block:: console

   vpp# set interface snat in host-vpp1inside out host-vpp1outside

Prepare to Observe Snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Observing snat in this configuration is interesting. To do so, vagrant
ssh a second time into your VM and run:

.. code-block:: console

   $ sudo tcpdump -s 0 -i vpp1outsidehost

Also enable tracing on vpp1.

Ping via snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   $ sudo ip netns exec inside ping -c 1 10.10.1.1

Confirm snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Examine the tcpdump output and vpp1 trace to confirm snat occurred.

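To make the host-side setup and the final check repeatable, here is an added shell example that is not part of the original exercise: inside_ns_setup replays the veth and namespace steps from the sections above (run as root), and snat_check reads the tcpdump capture from vpp1outsidehost and confirms that every echo request leaving VPP carries the snat address 10.10.1.2 rather than the inside address 10.10.2.1. Both function names are assumptions of this example, snat_check assumes tcpdump was run with -n so addresses appear numerically, and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original exercise). Addresses follow the
# SNAT topology of this page; the function names are this example's own.
INSIDE_HOST=10.10.2.1     # vpp1insidehost, lives in the 'inside' netns
VPP_INSIDE=10.10.2.2      # host-vpp1inside, the netns gateway
VPP_OUTSIDE=10.10.1.2     # host-vpp1outside, the address snat rewrites to
OUTSIDE_HOST=10.10.1.1    # vpp1outsidehost, the ping target

# Host side of the topology: veth pairs, 'inside' namespace, addresses,
# route. Needs root; it is defined here but only runs if you call it.
inside_ns_setup() {
    ip link add vpp1outside type veth peer name vpp1outsidehost
    ip link add vpp1inside type veth peer name vpp1insidehost
    ip link set dev vpp1outside up
    ip link set dev vpp1outsidehost up
    ip addr add "$OUTSIDE_HOST/24" dev vpp1outsidehost
    ip link set dev vpp1inside up
    ip netns add inside
    ip link set dev vpp1insidehost netns inside
    ip netns exec inside ip link set dev vpp1insidehost up
    ip netns exec inside ip addr add "$INSIDE_HOST/24" dev vpp1insidehost
    ip netns exec inside ip route add 10.10.1.0/24 via "$VPP_INSIDE"
}

# Read 'tcpdump -n -i vpp1outsidehost' lines on stdin. Returns 0 only when
# every ICMP echo request carries VPP_OUTSIDE as its source and the
# untranslated INSIDE_HOST address never appears on the outside wire.
snat_check() {
    leaked=0; translated=0
    while IFS= read -r line; do
        case "$line" in *"ICMP echo request"*) ;; *) continue ;; esac
        src=${line#* IP }; src=${src%% *}   # token after "IP" is the source
        case "$src" in
            "$VPP_OUTSIDE") translated=$((translated + 1)); echo "translated: $src" ;;
            "$INSIDE_HOST") leaked=$((leaked + 1)); echo "LEAK, inside address seen: $src" ;;
        esac
    done
    if [ "$leaked" -eq 0 ] && [ "$translated" -gt 0 ]; then return 0; fi
    return 1
}

# Constructed sample of a successful capture (not real tcpdump output):
SAMPLE='12:00:00.000001 IP 10.10.1.2 > 10.10.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:00.000180 IP 10.10.1.1 > 10.10.1.2: ICMP echo reply, id 7, seq 1, length 64'
printf '%s\n' "$SAMPLE" | snat_check && echo "snat confirmed" || echo "snat NOT confirmed"
```

In the real exercise, pipe the live capture in instead of the sample: sudo tcpdump -n -l -i vpp1outsidehost icmp | snat_check.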