^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Abusing network namespaces for fun and profit
#. Configuring snat address
#. Configuring snat inside and outside interfaces

FD.io VPP commands learned in this exercise
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. `snat add interface
   address <https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_snat_add_interface_address>`__
#. `set interface
   snat <https://docs.fd.io/vpp/17.04/clicmd_src_plugins_snat.html#clicmd_set_interface_snat>`__

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. figure:: /_images/SNAT_Topology.jpg

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unlike previous exercises, for this one you want to start tabula rasa.

Note: You will lose all your existing config in your FD.io VPP instances!

To clear existing config from previous exercises run:

.. code-block:: console

   $ ps -ef | grep vpp | awk '{print $2}'| xargs sudo kill
   $ sudo ip link del dev vpp1host
   $ sudo ip link del dev vpp1vpp2

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Snat is supported by a plugin, so vpp-plugins needs to be installed:

.. code-block:: console

   $ sudo apt-get install vpp-plugins

Create FD.io VPP instance
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create one FD.io VPP instance named vpp1.

Confirm snat plugin is present:

.. code-block:: console

   Plugin path is: /usr/lib/vpp_plugins
   4.flowperpkt_plugin.so

Create veth interfaces
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a veth interface with one end named vpp1outside and the other
#. Assign IP address 10.10.1.1/24 to vpp1outsidehost
#. Create a veth interface with one end named vpp1inside and the other
#. Assign IP address 10.10.2.1/24 to vpp1insidehost

Because we'd like to be able to route *via* our vpp instance to an
interface on the same host, we are going to put vpp1insidehost into a


Create a new network namespace 'inside':

.. code-block:: console

   $ sudo ip netns add inside

Move interface vpp1insidehost into the 'inside' namespace:

.. code-block:: console

   $ sudo ip link set dev vpp1insidehost up netns inside

Assign an IP address to vpp1insidehost:

.. code-block:: console

   $ sudo ip netns exec inside ip addr add 10.10.2.1/24 dev vpp1insidehost

Create a route inside the netns:

.. code-block:: console

   $ sudo ip netns exec inside ip route add 10.10.1.0/24 via 10.10.2.2

Configure vpp outside interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Create a vpp host interface connected to vpp1outside
#. Assign ip address 10.10.1.2/24
#. Create a vpp host interface connected to vpp1inside
#. Assign ip address 10.10.2.2/24

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Configure snat to use the address of host-vpp1outside:

.. code-block:: console

   vpp# snat add interface address host-vpp1outside

Configure snat inside and outside interfaces:

.. code-block:: console

   vpp# set interface snat in host-vpp1inside out host-vpp1outside

Prepare to Observe Snat
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Observing snat in this configuration is interesting. To do so, vagrant
ssh a second time into your VM and run:

.. code-block:: console

   $ sudo tcpdump -s 0 -i vpp1outsidehost

Also enable tracing on vpp1

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   $ sudo ip netns exec inside ping -c 1 10.10.1.1

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Examine the tcpdump output and vpp1 trace to confirm snat occurred.
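
The tcpdump check can be scripted. The following is an added example, not part of the original tutorial or of FD.io VPP: it reads tcpdump text output and reports whether the inside address 10.10.2.1 was rewritten to the host-vpp1outside address 10.10.1.2. The function name ``snat_verdict`` and the sample capture lines are constructed for illustration, and numeric output (``tcpdump -n``) is assumed.

```shell
#!/bin/sh
# Classify tcpdump text lines (stdin) captured on vpp1outsidehost.
#   $1 = inside address that must never appear on the outside link
#   $2 = address snat should substitute (that of host-vpp1outside)
# Prints one of: translated | leak | no-traffic
snat_verdict() {
    awk -v inside="$1" -v outside="$2" '
        # Reduce "a.b.c.d:" or "a.b.c.d.port:" to the bare IPv4 address.
        function addr(f, p) {
            sub(/:$/, "", f)
            split(f, p, ".")
            return p[1] "." p[2] "." p[3] "." p[4]
        }
        # tcpdump prints IPv4 packets as: <time> IP <src> > <dst>: <details>
        $2 == "IP" && $4 == ">" {
            src = addr($3)
            dst = addr($5)
            if (src == inside || dst == inside) {
                leak++      # untranslated packet exposes the inside address
            } else if (src == outside && $0 ~ /ICMP echo request/) {
                ok++        # echo request left with the outside address
            }
        }
        END {
            if (leak)    print "leak"
            else if (ok) print "translated"
            else         print "no-traffic"
        }'
}

# Constructed sample captures (not output from a real run).
GOOD_CAPTURE='12:00:00.000001 IP 10.10.1.2 > 10.10.1.1: ICMP echo request, id 4321, seq 1, length 64
12:00:00.000050 IP 10.10.1.1 > 10.10.1.2: ICMP echo reply, id 4321, seq 1, length 64'

BAD_CAPTURE='12:00:00.000001 IP 10.10.2.1 > 10.10.1.1: ICMP echo request, id 4321, seq 1, length 64'

printf '%s\n' "$GOOD_CAPTURE" | snat_verdict 10.10.2.1 10.10.1.2
printf '%s\n' "$BAD_CAPTURE"  | snat_verdict 10.10.2.1 10.10.1.2
```

A ``leak`` verdict means a packet crossed vpp1 with its inside address intact, which points at the inside and outside interface assignment.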