Thread: [mpls-linux-general] How to separate tcp traffic from udp traffic using MPLS
Status: Beta
Brought to you by:
jleu
Menu
▾
▴
mpls-linux-general
|
From: Carlos V. <car...@ya...> - 2005-12-05 19:34:51
|
Hello,
I´m studying MPLS using the project mpls-linux to mount some testbeds networks and analyze the Traffic Engineering capabilities of MPLS. Some papers results show that the TCP traffic is affected by UDP traffic in the core of MPLS networks.
I´m trying to separate the UDP traffic from the TCP traffic using two differents LSP´s. I would like to know how can I do that using the mpls(ip route/iptables with mpls patch) command. I´m know how to create static LSP´s based on the destination IP to determine the path of packets, but I don´t know how to determine the path based on the protocol (tcp/udp).
Figure of my network topology:
LSP1(TCP) --->
_____LSRC_____
/ \
/ \
---LER A---LSRB LSRE----LER F
\ /
\_____LSRD_____/
LSP2(UDP) --->
Thanks for any help.
---------------------------------
Yahoo! doce lar. Faça do Yahoo! sua homepage. |
|
From: James R. L. <jl...@mi...> - 2005-12-05 20:21:21
|
MPLS-linux builds on the existing netfilter (iptables) infrastructure that exists in the linux kernel. After building/installing a MPLS enabled iptables you can do: iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2 This maps all TCP traffic to the special nexthop 0x8847:0x2, where 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2. Basically if you can build an iptables rules to do what you want at L3, then you can simply add the spec_nh target and it will map to MPLS. On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote: > Hello, > =20 > I?m studying MPLS using the project mpls-linux to mount some testbeds = networks and analyze the Traffic Engineering capabilities of MPLS. Some pa= pers results show that the TCP traffic is affected by UDP traffic in the c= ore of MPLS networks. > =20 > I?m trying to separate the UDP traffic from the TCP traffic using two = differents LSP?s. I would like to know how can I do that using the mpls(ip= route/iptables with mpls patch) command. I?m know how to create static LS= P?s based on the destination IP to determine the path of packets, but I do= n?t know how to determine the path based on the protocol (tcp/udp). > =20 > =20 > Figure of my network topology: > =20 > =20 > LSP1(TCP) ---> > =20 > _____LSRC_____ =20 > / \ > / \ > ---LER A---LSRB LSRE----LER F > \ / =20 > \_____LSRD_____/ =20 > =20 > =20 > LSP2(UDP) ---> > =20 > =20 > Thanks for any help. >=20 > =09 > --------------------------------- > Yahoo! doce lar. Fa?a do Yahoo! sua homepage. --=20 James R. Leu jl...@mi... |
|
From: Carlos M. K. <ba...@gm...> - 2005-12-07 03:50:13
|
Hi.
Im trying to create 2 lsp in a fish network: one for tcp and one for icmp
(for tests). I have used courier new font to see the picture.
+------+ +------+
0| LSR2 |1----0| LSR3 |1
/ +------+ +------+ \
/ \
/ \
+-------+ +------+2 1+------+ +-------=
+
| HOST1 |0---0| LSR1 | | LSR5 |0---0| HOST2 =
|
+-------+ +------+1 2+------+ +-------=
+
\ /
\ /
\ +------+ /
X------0| LSR4 |1------X
+------+
HOST1:
sis0: inet 10.28.0.2 netmask 0xffffff00 broadcast 10.28.0.255
LSR1:
eth0:1 (alias) -> 10.28.0.1
eth1 -> 192.168.29.1
eth2 -> 192.168.28.1
LSR2:
eth0 -> 192.168.28.2
eth1 -> 192.168.28.33
LSR3:
eth0 -> 192.168.28.34
eth1 -> 192.168.28.65
LSR4:
eth0 -> 192.168.29.2
eth1 -> 192.168.29.33
LSR5:
eth0:1 (alias) -> 10.28.1.1
eth1 -> 192.168.28.66
eth2 -> 192.168.29.34
HOST2:
# ifconfig
ed0: inet 10.28.1.2 netmask 0xffffff00 broadcast 10.28.1.255
LSP A: LSR1 -> LSR2 -> LSR3 -> LSR5
LSP B: LSR1 -> LSR4 -> LSR5
The numbers are the ethernet interfaces id: 0 means eth0 (or sis0), 1
means eth1 and 2 means eth2.
All 192.168 networks have 255.255.255.224 netmask.
Ive tried the following:
lsr1:~# uname -a
Linux lsr1 2.6.9-MPLSv2-LSR1 #1 Tue Nov 22 23:06:08 BRST 2005 i686 GNU/Linu=
x
lsr1:~# cat /sys/mpls/version
1.946
lsr1:~# mpls nhlfe add key 0
Key: 0x00000002
lsr1:~# mpls nhlfe change key 0x00000002 instructions push gen 10004 nextho=
p
eth2 ipv4 192.168.28.2
lsr1:~# mpls nhlfe add key 0
Key: 0x00000003
lsr1:~# mpls nhlfe change key 0x00000003 instructions push gen 10000 nextho=
p
eth1 ipv4 192.168.29.2
lsr1:~# mpls labelspace add dev eth2 labelspace 0
lsr1:~# mpls labelspace add dev eth1 labelspace 0
lsr1:~# mpls ilm add label gen 10005
lsr1:~# mpls ilm add label gen 10001
lsr1:~# mpls nhlfe show
NHLFE entry key 0x00000003 mtu 1496 propagate_ttl
push gen 10000 set eth1 ipv4 192.168.29.2 (0 bytes, 0 pkts, 0
dropped)
NHLFE entry key 0x00000002 mtu 1496 propagate_ttl
push gen 10004 set eth2 ipv4 192.168.28.2 (0 bytes, 0 pkts, 0
dropped)
lsr1:~# mpls ilm show
ILM entry label gen 10001 labelspace 0 proto ipv4
pop peek (0 bytes, 0 pkts, 0 dropped)
ILM entry label gen 10005 labelspace 0 proto ipv4
pop peek (0 bytes, 0 pkts, 0 dropped)
lsr1:~# mpls labelspace show
LABELSPACE entry dev eth0 labelspace -1
LABELSPACE entry dev lo labelspace -1
LABELSPACE entry dev eth1 labelspace 0
LABELSPACE entry dev eth2 labelspace 0
LABELSPACE entry dev tunl0 labelspace -1
LABELSPACE entry dev atm0 labelspace -1
LABELSPACE entry dev lec0 labelspace -1
lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 spec_nh 0x8847
0x2
lsr1:~# ip route append 10.28.1.0/24 nexthop via 192.168.29.2 spec_nh 0x884=
7
0x3
lsr1:~# iptables -A OUTPUT -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh
0x8847:0x3
lsr1:~# iptables -A OUTPUT -p icmp -d 10.28.1.0/24 -j spec_nh --spec_nh
0x8847:0x2
lsr1:~# ip route list
192.168.29.0/27 dev eth1 proto kernel scope link src 192.168.29.1
192.168.28.0/27 dev eth2 proto kernel scope link src 192.168.28.1
10.28.1.0/24 via 192.168.28.2 dev eth2 spec_nh 0x8847 0x00000002
10.28.1.0/24 via 192.168.29.2 dev eth1 spec_nh 0x8847 0x00000003
10.28.0.0/24 dev eth0 proto kernel scope link src 10.28.0.1
172.30.0.0/16 dev atm0 proto kernel scope link src 172.30.28.1
172.29.0.0/16 dev lec0 proto kernel scope link src 172.29.28.1
lsr1:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
spec_nh tcp -- 0.0.0.0/0 10.28.1.0/24 set spec_nh
0x4788:0x00000003
spec_nh icmp -- 0.0.0.0/0 10.28.1.0/24 set spec_nh
0x4788:0x00000002
At this point, I think icmp goes through LSP A and tcp goes through LSP B=
.
When I ping HOST2 (10.28.1.2) from HOST1 (10.28.0.2), tcpdump at LSR1 shows
label 10004, indicating the use of LSP A. But when I do a ssh, the label
10004 appears again, indicating that LSP B IS NOT in use.
If I flush iptables rules and delete the route through LSP A, all trafic
goes through LSP B.
Can someone see what Im doing wrong? Maybe some routes cache? Or ip route
syntax?
TIA.
On 12/5/05, James R. Leu <jl...@mi...> wrote:
> MPLS-linux builds on the existing netfilter (iptables) infrastructure
> that exists in the linux kernel.
>
> After building/installing a MPLS enabled iptables you can do:
>
> iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2
>
> This maps all TCP traffic to the special nexthop 0x8847:0x2, where
> 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2.
>
> Basically if you can build an iptables rules to do what you want at
> L3, then you can simply add the spec_nh target and it will map to MPLS.
>
> On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote:
> > Hello,
> >
> > I?m studying MPLS using the project mpls-linux to mount some
testbeds networks and analyze the Traffic Engineering capabilities of MPLS=
.
Some papers results show that the TCP traffic is affected by UDP traffic
in the core of MPLS networks.
> >
> > I?m trying to separate the UDP traffic from the TCP traffic using
two differents LSP?s. I would like to know how can I do that using
the mpls(ip route/iptables with mpls patch) command. I?m know how to
create static LSP?s based on the destination IP to determine the path
of packets, but I don?t know how to determine the path based on
the protocol (tcp/udp).
> >
> >
> > Figure of my network topology:
> >
> >
> > LSP1(TCP) --->
> >
> > _____LSRC_____
> > / \
> > / \
> > ---LER A---LSRB LSRE----LER F
> > \ /
> > \_____LSRD_____/
> >
> >
> > LSP2(UDP) --->
> >
> >
> > Thanks for any help.
> >
> >
> > ---------------------------------
> > Yahoo! doce lar. Fa?a do Yahoo! sua homepage.
> --
> James R. Leu
> jl...@mi...
|
|
From: James R. L. <jl...@mi...> - 2005-12-07 04:05:00
|
I would get rid of the FTNs create via 'ip route'. You will still need to have a prefix in your table for that destination, but it only needs to have one next hop and doesn't need to have a spec_nh specified. This will allow iptable to do the work. My guess is that there is some confusion with both iptables and 'ip route' trying to add labels to the same packets. On Wed, Dec 07, 2005 at 01:50:05AM -0200, Carlos Marcos Kakihara wrote: > Hi. > Im trying to create 2 lsp in a fish network: one for tcp and one for ic= mp > (for tests). I have used courier new font to see the picture. >=20 > +------+ +------+ > 0| LSR2 |1----0| LSR3 |1 > / +------+ +------+ \ > / \ > / \ > +-------+ +------+2 1+------+ +-----= --+ > | HOST1 |0---0| LSR1 | | LSR5 |0---0| HOST= 2 | > +-------+ +------+1 2+------+ +-----= --+ > \ / > \ / > \ +------+ / > X------0| LSR4 |1------X > +------+ >=20 > HOST1: > sis0: inet 10.28.0.2 netmask 0xffffff00 broadcast 10.28.0.255 >=20 > LSR1: > eth0:1 (alias) -> 10.28.0.1 > eth1 -> 192.168.29.1 > eth2 -> 192.168.28.1 >=20 > LSR2: > eth0 -> 192.168.28.2 > eth1 -> 192.168.28.33 >=20 > LSR3: > eth0 -> 192.168.28.34 > eth1 -> 192.168.28.65 >=20 > LSR4: > eth0 -> 192.168.29.2 > eth1 -> 192.168.29.33 >=20 > LSR5: > eth0:1 (alias) -> 10.28.1.1 > eth1 -> 192.168.28.66 > eth2 -> 192.168.29.34 >=20 > HOST2: > # ifconfig > ed0: inet 10.28.1.2 netmask 0xffffff00 broadcast 10.28.1.255 >=20 > LSP A: LSR1 -> LSR2 -> LSR3 -> LSR5 > LSP B: LSR1 -> LSR4 -> LSR5 >=20 > The numbers are the ethernet interfaces id: 0 means eth0 (or sis0), 1 > means eth1 and 2 means eth2. > All 192.168 networks have 255.255.255.224 netmask. >=20 > Ive tried the following: >=20 > lsr1:~# uname -a > Linux lsr1 2.6.9-MPLSv2-LSR1 #1 Tue Nov 22 23:06:08 BRST 2005 i686 GNU/Li= nux > lsr1:~# cat /sys/mpls/version > 1.946 > lsr1:~# mpls nhlfe add key 0 > Key: 0x00000002 > lsr1:~# mpls nhlfe change key 0x00000002 instructions push gen 10004 next= hop > eth2 ipv4 192.168.28.2 > lsr1:~# mpls nhlfe add key 0 > Key: 0x00000003 > lsr1:~# mpls nhlfe change key 0x00000003 instructions push gen 10000 next= hop > eth1 ipv4 192.168.29.2 > lsr1:~# mpls labelspace add dev eth2 labelspace 0 > lsr1:~# mpls labelspace add dev eth1 labelspace 0 > lsr1:~# mpls ilm add label gen 10005 > lsr1:~# mpls ilm add label gen 10001 >=20 > lsr1:~# mpls nhlfe show > NHLFE entry key 0x00000003 mtu 1496 propagate_ttl > push gen 10000 set eth1 ipv4 192.168.29.2 (0 bytes, 0 pkts, 0 > dropped) > NHLFE entry key 0x00000002 mtu 1496 propagate_ttl > push gen 10004 set eth2 ipv4 192.168.28.2 (0 bytes, 0 pkts, 0 > dropped) > lsr1:~# mpls ilm show > ILM entry label gen 10001 labelspace 0 proto ipv4 > pop peek (0 bytes, 0 pkts, 0 dropped) > ILM entry label gen 10005 labelspace 0 proto ipv4 > pop peek (0 bytes, 0 pkts, 0 dropped) > lsr1:~# mpls labelspace show > LABELSPACE entry dev eth0 labelspace -1 > LABELSPACE entry dev lo labelspace -1 > LABELSPACE entry dev eth1 labelspace 0 > LABELSPACE entry dev eth2 labelspace 0 > LABELSPACE entry dev tunl0 labelspace -1 > LABELSPACE entry dev atm0 labelspace -1 > LABELSPACE entry dev lec0 labelspace -1 >=20 > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 spec_nh 0x8847 > 0x2 > lsr1:~# ip route append 10.28.1.0/24 nexthop via 192.168.29.2 spec_nh 0x8= 847 > 0x3 > lsr1:~# iptables -A OUTPUT -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh > 0x8847:0x3 > lsr1:~# iptables -A OUTPUT -p icmp -d 10.28.1.0/24 -j spec_nh --spec_nh > 0x8847:0x2 >=20 > lsr1:~# ip route list > 192.168.29.0/27 dev eth1 proto kernel scope link src 192.168.29.1 > 192.168.28.0/27 dev eth2 proto kernel scope link src 192.168.28.1 > 10.28.1.0/24 via 192.168.28.2 dev eth2 spec_nh 0x8847 0x00000002 > 10.28.1.0/24 via 192.168.29.2 dev eth1 spec_nh 0x8847 0x00000003 > 10.28.0.0/24 dev eth0 proto kernel scope link src 10.28.0.1 > 172.30.0.0/16 dev atm0 proto kernel scope link src 172.30.28.1 > 172.29.0.0/16 dev lec0 proto kernel scope link src 172.29.28.1 >=20 > lsr1:~# iptables -L -n > Chain INPUT (policy ACCEPT) > target prot opt source destination >=20 > Chain FORWARD (policy ACCEPT) > target prot opt source destination >=20 > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > spec_nh tcp -- 0.0.0.0/0 10.28.1.0/24 set spec_nh > 0x4788:0x00000003 > spec_nh icmp -- 0.0.0.0/0 10.28.1.0/24 set spec_nh > 0x4788:0x00000002 >=20 >=20 > At this point, I think icmp goes through LSP A and tcp goes through LSP= B. > When I ping HOST2 (10.28.1.2) from HOST1 (10.28.0.2), tcpdump at LSR1 sho= ws > label 10004, indicating the use of LSP A. But when I do a ssh, the label > 10004 appears again, indicating that LSP B IS NOT in use. > If I flush iptables rules and delete the route through LSP A, all trafic > goes through LSP B. > Can someone see what Im doing wrong? Maybe some routes cache? Or ip rou= te > syntax? >=20 > TIA. >=20 >=20 > On 12/5/05, James R. Leu <jl...@mi...> wrote: > > MPLS-linux builds on the existing netfilter (iptables) infrastructure > > that exists in the linux kernel. > > > > After building/installing a MPLS enabled iptables you can do: > > > > iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2 > > > > This maps all TCP traffic to the special nexthop 0x8847:0x2, where > > 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2. > > > > Basically if you can build an iptables rules to do what you want at > > L3, then you can simply add the spec_nh target and it will map to MPLS. > > > > On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote: > > > Hello, > > > > > > I?m studying MPLS using the project mpls-linux to mount some > testbeds networks and analyze the Traffic Engineering capabilities of MP= LS. > Some papers results show that the TCP traffic is affected by UDP traffic > in the core of MPLS networks. > > > > > > I?m trying to separate the UDP traffic from the TCP traffic using > two differents LSP?s. I would like to know how can I do that using > the mpls(ip route/iptables with mpls patch) command. I?m know how to > create static LSP?s based on the destination IP to determine the path > of packets, but I don?t know how to determine the path based on > the protocol (tcp/udp). > > > > > > > > > Figure of my network topology: > > > > > > > > > LSP1(TCP) ---> > > > > > > _____LSRC_____ > > > / \ > > > / \ > > > ---LER A---LSRB LSRE----LER F > > > \ / > > > \_____LSRD_____/ > > > > > > > > > LSP2(UDP) ---> > > > > > > > > > Thanks for any help. > > > > > > > > > --------------------------------- > > > Yahoo! doce lar. Fa?a do Yahoo! sua homepage. > > -- > > James R. Leu > > jl...@mi... --=20 James R. Leu jl...@mi... |
|
From: Carlos M. K. <ba...@gm...> - 2005-12-07 16:39:24
|
It worked, but i had to use a FORWARD chain in iptables, because adding a
-j LOG alone onto OUTPUT chain produced no log in syslog. So, I guess that
packets are not matching the OUTPUT chain.
I also changed ip route syntax. Im using one 'ip route add' with 2
nexthop, without spec_nh values:
lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 nexthop via
192.168.29.2
lsr1:~# iptables -A FORWARD -p icmp -d 10.28.1.0/24 -j spec_nh --spec_nh
0x8847:0x00000002
lsr1:~# iptables -A FORWARD -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh
0x8847:0x00000003
Now tcpdump shows right labels in both LSPs.
Is it ok to use the FORWARD chain?
Thank you.
On 12/7/05, James R. Leu <jl...@mi...> wrote:
>
> I would get rid of the FTNs create via 'ip route'. You will still need t=
o
> have a prefix in your table for that destination, but it only needs to
> have
> one next hop and doesn't need to have a spec_nh specified.
>
> This will allow iptable to do the work. My guess is that there is some
> confusion with both iptables and 'ip route' trying to add labels to the
> same packets.
>
> On Wed, Dec 07, 2005 at 01:50:05AM -0200, Carlos Marcos Kakihara wrote:
> > Hi.
> > Im trying to create 2 lsp in a fish network: one for tcp and one for
> icmp
> > (for tests). I have used courier new font to see the picture.
> >
> > +------+ +------+
> > 0| LSR2 |1----0| LSR3 |1
> > / +------+ +------+ \
> > / \
> > / \
> > +-------+ +------+2 1+------+
> +-------+
> > | HOST1 |0---0| LSR1 | | LSR5 |0---0|
> HOST2 |
> > +-------+ +------+1 2+------+
> +-------+
> > \ /
> > \ /
> > \ +------+ /
> > X------0| LSR4 |1------X
> > +------+
> >
> > HOST1:
> > sis0: inet 10.28.0.2 netmask 0xffffff00 broadcast 10.28.0.255
> >
> > LSR1:
> > eth0:1 (alias) -> 10.28.0.1
> > eth1 -> 192.168.29.1
> > eth2 -> 192.168.28.1
> >
> > LSR2:
> > eth0 -> 192.168.28.2
> > eth1 -> 192.168.28.33
> >
> > LSR3:
> > eth0 -> 192.168.28.34
> > eth1 -> 192.168.28.65
> >
> > LSR4:
> > eth0 -> 192.168.29.2
> > eth1 -> 192.168.29.33
> >
> > LSR5:
> > eth0:1 (alias) -> 10.28.1.1
> > eth1 -> 192.168.28.66
> > eth2 -> 192.168.29.34
> >
> > HOST2:
> > # ifconfig
> > ed0: inet 10.28.1.2 netmask 0xffffff00 broadcast 10.28.1.255
> >
> > LSP A: LSR1 -> LSR2 -> LSR3 -> LSR5
> > LSP B: LSR1 -> LSR4 -> LSR5
> >
> > The numbers are the ethernet interfaces id: 0 means eth0 (or sis0), 1
> > means eth1 and 2 means eth2.
> > All 192.168 networks have 255.255.255.224 netmask.
> >
> > Ive tried the following:
> >
> > lsr1:~# uname -a
> > Linux lsr1 2.6.9-MPLSv2-LSR1 #1 Tue Nov 22 23:06:08 BRST 2005 i686
> GNU/Linux
> > lsr1:~# cat /sys/mpls/version
> > 1.946
> > lsr1:~# mpls nhlfe add key 0
> > Key: 0x00000002
> > lsr1:~# mpls nhlfe change key 0x00000002 instructions push gen 10004
> nexthop
> > eth2 ipv4 192.168.28.2
> > lsr1:~# mpls nhlfe add key 0
> > Key: 0x00000003
> > lsr1:~# mpls nhlfe change key 0x00000003 instructions push gen 10000
> nexthop
> > eth1 ipv4 192.168.29.2
> > lsr1:~# mpls labelspace add dev eth2 labelspace 0
> > lsr1:~# mpls labelspace add dev eth1 labelspace 0
> > lsr1:~# mpls ilm add label gen 10005
> > lsr1:~# mpls ilm add label gen 10001
> >
> > lsr1:~# mpls nhlfe show
> > NHLFE entry key 0x00000003 mtu 1496 propagate_ttl
> > push gen 10000 set eth1 ipv4 192.168.29.2 (0 bytes, 0 pkts, 0
> > dropped)
> > NHLFE entry key 0x00000002 mtu 1496 propagate_ttl
> > push gen 10004 set eth2 ipv4 192.168.28.2 (0 bytes, 0 pkts, 0
> > dropped)
> > lsr1:~# mpls ilm show
> > ILM entry label gen 10001 labelspace 0 proto ipv4
> > pop peek (0 bytes, 0 pkts, 0 dropped)
> > ILM entry label gen 10005 labelspace 0 proto ipv4
> > pop peek (0 bytes, 0 pkts, 0 dropped)
> > lsr1:~# mpls labelspace show
> > LABELSPACE entry dev eth0 labelspace -1
> > LABELSPACE entry dev lo labelspace -1
> > LABELSPACE entry dev eth1 labelspace 0
> > LABELSPACE entry dev eth2 labelspace 0
> > LABELSPACE entry dev tunl0 labelspace -1
> > LABELSPACE entry dev atm0 labelspace -1
> > LABELSPACE entry dev lec0 labelspace -1
> >
> > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 spec_nh
> 0x8847
> > 0x2
> > lsr1:~# ip route append 10.28.1.0/24 nexthop via 192.168.29.2 spec_nh
> 0x8847
> > 0x3
> > lsr1:~# iptables -A OUTPUT -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh
> > 0x8847:0x3
> > lsr1:~# iptables -A OUTPUT -p icmp -d 10.28.1.0/24 -j spec_nh --spec_nh
> > 0x8847:0x2
> >
> > lsr1:~# ip route list
> > 192.168.29.0/27 dev eth1 proto kernel scope link src 192.168.29.1
> > 192.168.28.0/27 dev eth2 proto kernel scope link src 192.168.28.1
> > 10.28.1.0/24 via 192.168.28.2 dev eth2 spec_nh 0x8847 0x00000002
> > 10.28.1.0/24 via 192.168.29.2 dev eth1 spec_nh 0x8847 0x00000003
> > 10.28.0.0/24 dev eth0 proto kernel scope link src 10.28.0.1
> > 172.30.0.0/16 dev atm0 proto kernel scope link src 172.30.28.1
> > 172.29.0.0/16 dev lec0 proto kernel scope link src 172.29.28.1
> >
> > lsr1:~# iptables -L -n
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> > spec_nh tcp -- 0.0.0.0/0 10.28.1.0/24 set spec_n=
h
> > 0x4788:0x00000003
> > spec_nh icmp -- 0.0.0.0/0 10.28.1.0/24 set spec_n=
h
> > 0x4788:0x00000002
> >
> >
> > At this point, I think icmp goes through LSP A and tcp goes through
> LSP B.
> > When I ping HOST2 (10.28.1.2) from HOST1 (10.28.0.2), tcpdump at LSR1
> shows
> > label 10004, indicating the use of LSP A. But when I do a ssh, the labe=
l
> > 10004 appears again, indicating that LSP B IS NOT in use.
> > If I flush iptables rules and delete the route through LSP A, all
> trafic
> > goes through LSP B.
> > Can someone see what Im doing wrong? Maybe some routes cache? Or ip
> route
> > syntax?
> >
> > TIA.
> >
> >
> > On 12/5/05, James R. Leu <jl...@mi...> wrote:
> > > MPLS-linux builds on the existing netfilter (iptables) infrastructure
> > > that exists in the linux kernel.
> > >
> > > After building/installing a MPLS enabled iptables you can do:
> > >
> > > iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2
> > >
> > > This maps all TCP traffic to the special nexthop 0x8847:0x2, where
> > > 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2.
> > >
> > > Basically if you can build an iptables rules to do what you want at
> > > L3, then you can simply add the spec_nh target and it will map to
> MPLS.
> > >
> > > On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote:
> > > > Hello,
> > > >
> > > > I?m studying MPLS using the project mpls-linux to mount some
> > testbeds networks and analyze the Traffic Engineering capabilities of
> MPLS.
> > Some papers results show that the TCP traffic is affected by UDP
> traffic
> > in the core of MPLS networks.
> > > >
> > > > I?m trying to separate the UDP traffic from the TCP traffic using
> > two differents LSP?s. I would like to know how can I do that using
> > the mpls(ip route/iptables with mpls patch) command. I?m know how to
> > create static LSP?s based on the destination IP to determine the path
> > of packets, but I don?t know how to determine the path based on
> > the protocol (tcp/udp).
> > > >
> > > >
> > > > Figure of my network topology:
> > > >
> > > >
> > > > LSP1(TCP) --->
> > > >
> > > > _____LSRC_____
> > > > / \
> > > > / \
> > > > ---LER A---LSRB LSRE----LER F
> > > > \ /
> > > > \_____LSRD_____/
> > > >
> > > >
> > > > LSP2(UDP) --->
> > > >
> > > >
> > > > Thanks for any help.
>
|
|
From: James R. L. <jl...@mi...> - 2005-12-07 17:04:37
|
I've never used the FORWARD chain, but I think it will be fine. Are you generating traffic locally on the LER or is the traffic your working with being forward through the LER? That might explain the difference. On Wed, Dec 07, 2005 at 02:39:17PM -0200, Carlos Marcos Kakihara wrote: > It worked, but i had to use a FORWARD chain in iptables, because adding= a > -j LOG alone onto OUTPUT chain produced no log in syslog. So, I guess that > packets are not matching the OUTPUT chain. > I also changed ip route syntax. Im using one 'ip route add' with 2 > nexthop, without spec_nh values: >=20 > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 nexthop via > 192.168.29.2 > lsr1:~# iptables -A FORWARD -p icmp -d 10.28.1.0/24 -j spec_nh --spec_nh > 0x8847:0x00000002 > lsr1:~# iptables -A FORWARD -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh > 0x8847:0x00000003 >=20 > Now tcpdump shows right labels in both LSPs. > Is it ok to use the FORWARD chain? >=20 > Thank you. >=20 > On 12/7/05, James R. Leu <jl...@mi...> wrote: > > > > I would get rid of the FTNs create via 'ip route'. You will still need= to > > have a prefix in your table for that destination, but it only needs to > > have > > one next hop and doesn't need to have a spec_nh specified. > > > > This will allow iptable to do the work. My guess is that there is some > > confusion with both iptables and 'ip route' trying to add labels to the > > same packets. > > > > On Wed, Dec 07, 2005 at 01:50:05AM -0200, Carlos Marcos Kakihara wrote: > > > Hi. > > > Im trying to create 2 lsp in a fish network: one for tcp and one for > > icmp > > > (for tests). I have used courier new font to see the picture. > > > > > > +------+ +------+ > > > 0| LSR2 |1----0| LSR3 |1 > > > / +------+ +------+ \ > > > / \ > > > / \ > > > +-------+ +------+2 1+------+ > > +-------+ > > > | HOST1 |0---0| LSR1 | | LSR5 |0---0| > > HOST2 | > > > +-------+ +------+1 2+------+ > > +-------+ > > > \ / > > > \ / > > > \ +------+ / > > > X------0| LSR4 |1------X > > > +------+ > > > > > > HOST1: > > > sis0: inet 10.28.0.2 netmask 0xffffff00 broadcast 10.28.0.255 > > > > > > LSR1: > > > eth0:1 (alias) -> 10.28.0.1 > > > eth1 -> 192.168.29.1 > > > eth2 -> 192.168.28.1 > > > > > > LSR2: > > > eth0 -> 192.168.28.2 > > > eth1 -> 192.168.28.33 > > > > > > LSR3: > > > eth0 -> 192.168.28.34 > > > eth1 -> 192.168.28.65 > > > > > > LSR4: > > > eth0 -> 192.168.29.2 > > > eth1 -> 192.168.29.33 > > > > > > LSR5: > > > eth0:1 (alias) -> 10.28.1.1 > > > eth1 -> 192.168.28.66 > > > eth2 -> 192.168.29.34 > > > > > > HOST2: > > > # ifconfig > > > ed0: inet 10.28.1.2 netmask 0xffffff00 broadcast 10.28.1.255 > > > > > > LSP A: LSR1 -> LSR2 -> LSR3 -> LSR5 > > > LSP B: LSR1 -> LSR4 -> LSR5 > > > > > > The numbers are the ethernet interfaces id: 0 means eth0 (or sis0),= 1 > > > means eth1 and 2 means eth2. > > > All 192.168 networks have 255.255.255.224 netmask. > > > > > > Ive tried the following: > > > > > > lsr1:~# uname -a > > > Linux lsr1 2.6.9-MPLSv2-LSR1 #1 Tue Nov 22 23:06:08 BRST 2005 i686 > > GNU/Linux > > > lsr1:~# cat /sys/mpls/version > > > 1.946 > > > lsr1:~# mpls nhlfe add key 0 > > > Key: 0x00000002 > > > lsr1:~# mpls nhlfe change key 0x00000002 instructions push gen 10004 > > nexthop > > > eth2 ipv4 192.168.28.2 > > > lsr1:~# mpls nhlfe add key 0 > > > Key: 0x00000003 > > > lsr1:~# mpls nhlfe change key 0x00000003 instructions push gen 10000 > > nexthop > > > eth1 ipv4 192.168.29.2 > > > lsr1:~# mpls labelspace add dev eth2 labelspace 0 > > > lsr1:~# mpls labelspace add dev eth1 labelspace 0 > > > lsr1:~# mpls ilm add label gen 10005 > > > lsr1:~# mpls ilm add label gen 10001 > > > > > > lsr1:~# mpls nhlfe show > > > NHLFE entry key 0x00000003 mtu 1496 propagate_ttl > > > push gen 10000 set eth1 ipv4 192.168.29.2 (0 bytes, 0 pkts, 0 > > > dropped) > > > NHLFE entry key 0x00000002 mtu 1496 propagate_ttl > > > push gen 10004 set eth2 ipv4 192.168.28.2 (0 bytes, 0 pkts, 0 > > > dropped) > > > lsr1:~# mpls ilm show > > > ILM entry label gen 10001 labelspace 0 proto ipv4 > > > pop peek (0 bytes, 0 pkts, 0 dropped) > > > ILM entry label gen 10005 labelspace 0 proto ipv4 > > > pop peek (0 bytes, 0 pkts, 0 dropped) > > > lsr1:~# mpls labelspace show > > > LABELSPACE entry dev eth0 labelspace -1 > > > LABELSPACE entry dev lo labelspace -1 > > > LABELSPACE entry dev eth1 labelspace 0 > > > LABELSPACE entry dev eth2 labelspace 0 > > > LABELSPACE entry dev tunl0 labelspace -1 > > > LABELSPACE entry dev atm0 labelspace -1 > > > LABELSPACE entry dev lec0 labelspace -1 > > > > > > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 spec_nh > > 0x8847 > > > 0x2 > > > lsr1:~# ip route append 10.28.1.0/24 nexthop via 192.168.29.2 spec_nh > > 0x8847 > > > 0x3 > > > lsr1:~# iptables -A OUTPUT -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh > > > 0x8847:0x3 > > > lsr1:~# iptables -A OUTPUT -p icmp -d 10.28.1.0/24 -j spec_nh --spec_= nh > > > 0x8847:0x2 > > > > > > lsr1:~# ip route list > > > 192.168.29.0/27 dev eth1 proto kernel scope link src 192.168.29.1 > > > 192.168.28.0/27 dev eth2 proto kernel scope link src 192.168.28.1 > > > 10.28.1.0/24 via 192.168.28.2 dev eth2 spec_nh 0x8847 0x00000002 > > > 10.28.1.0/24 via 192.168.29.2 dev eth1 spec_nh 0x8847 0x00000003 > > > 10.28.0.0/24 dev eth0 proto kernel scope link src 10.28.0.1 > > > 172.30.0.0/16 dev atm0 proto kernel scope link src 172.30.28.1 > > > 172.29.0.0/16 dev lec0 proto kernel scope link src 172.29.28.1 > > > > > > lsr1:~# iptables -L -n > > > Chain INPUT (policy ACCEPT) > > > target prot opt source destination > > > > > > Chain FORWARD (policy ACCEPT) > > > target prot opt source destination > > > > > > Chain OUTPUT (policy ACCEPT) > > > target prot opt source destination > > > spec_nh tcp -- 0.0.0.0/0 10.28.1.0/24 set spec= _nh > > > 0x4788:0x00000003 > > > spec_nh icmp -- 0.0.0.0/0 10.28.1.0/24 set spec= _nh > > > 0x4788:0x00000002 > > > > > > > > > At this point, I think icmp goes through LSP A and tcp goes through > > LSP B. > > > When I ping HOST2 (10.28.1.2) from HOST1 (10.28.0.2), tcpdump at LSR1 > > shows > > > label 10004, indicating the use of LSP A. But when I do a ssh, the la= bel > > > 10004 appears again, indicating that LSP B IS NOT in use. > > > If I flush iptables rules and delete the route through LSP A, all > > trafic > > > goes through LSP B. > > > Can someone see what Im doing wrong? Maybe some routes cache? Or ip > > route > > > syntax? > > > > > > TIA. > > > > > > > > > On 12/5/05, James R. Leu <jl...@mi...> wrote: > > > > MPLS-linux builds on the existing netfilter (iptables) infrastructu= re > > > > that exists in the linux kernel. > > > > > > > > After building/installing a MPLS enabled iptables you can do: > > > > > > > > iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2 > > > > > > > > This maps all TCP traffic to the special nexthop 0x8847:0x2, where > > > > 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2. > > > > > > > > Basically if you can build an iptables rules to do what you want at > > > > L3, then you can simply add the spec_nh target and it will map to > > MPLS. > > > > > > > > On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote: > > > > > Hello, > > > > > > > > > > I?m studying MPLS using the project mpls-linux to mount some > > > testbeds networks and analyze the Traffic Engineering capabilities of > > MPLS. > > > Some papers results show that the TCP traffic is affected by UDP > > traffic > > > in the core of MPLS networks. > > > > > > > > > > I?m trying to separate the UDP traffic from the TCP traffic usi= ng > > > two differents LSP?s. I would like to know how can I do that using > > > the mpls(ip route/iptables with mpls patch) command. I?m know how to > > > create static LSP?s based on the destination IP to determine the path > > > of packets, but I don?t know how to determine the path based on > > > the protocol (tcp/udp). > > > > > > > > > > > > > > > Figure of my network topology: > > > > > > > > > > > > > > > LSP1(TCP) ---> > > > > > > > > > > _____LSRC_____ > > > > > / \ > > > > > / \ > > > > > ---LER A---LSRB LSRE----LER F > > > > > \ / > > > > > \_____LSRD_____/ > > > > > > > > > > > > > > > LSP2(UDP) ---> > > > > > > > > > > > > > > > Thanks for any help. > > --=20 James R. Leu jl...@mi... |
|
From: Carlos M. K. <ba...@gm...> - 2005-12-07 17:37:56
|
** Sorry, Im not an ascii art expert, and html email doesnt help. :-)
HOST1 and HOST2 are outside of MPLS network, and they are generating
traffic through LSR1 and LSR5 (LERs), respectively.
All the transit LSRs have no default route and no IP forwarding (sysctl -=
w
net.ipv4.ip_forward=3D0). Only LERs have IP forwarding enabled.
Now Ill start to build some stress tests (I was very stressed already, no=
w
it is MPLS's turn ;-) ).
Thank you very much for your help.
On 12/7/05, James R. Leu <jl...@mi...> wrote:
>
> I've never used the FORWARD chain, but I think it will be fine. Are you
> generating traffic locally on the LER or is the traffic your working with
> being forward through the LER? That might explain the difference.
>
> On Wed, Dec 07, 2005 at 02:39:17PM -0200, Carlos Marcos Kakihara wrote:
> > It worked, but i had to use a FORWARD chain in iptables, because
> adding a
> > -j LOG alone onto OUTPUT chain produced no log in syslog. So, I guess
> that
> > packets are not matching the OUTPUT chain.
> > I also changed ip route syntax. Im using one 'ip route add' with 2
> > nexthop, without spec_nh values:
> >
> > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 nexthop via
> > 192.168.29.2
> > lsr1:~# iptables -A FORWARD -p icmp -d 10.28.1.0/24 -j spec_nh --spec_n=
h
> > 0x8847:0x00000002
> > lsr1:~# iptables -A FORWARD -p tcp -d 10.28.1.0/24 -j spec_nh --spec_nh
> > 0x8847:0x00000003
> >
> > Now tcpdump shows right labels in both LSPs.
> > Is it ok to use the FORWARD chain?
> >
> > Thank you.
> >
> > On 12/7/05, James R. Leu <jl...@mi...> wrote:
> > >
> > > I would get rid of the FTNs create via 'ip route'. You will still
> need to
> > > have a prefix in your table for that destination, but it only needs t=
o
> > > have
> > > one next hop and doesn't need to have a spec_nh specified.
> > >
> > > This will allow iptable to do the work. My guess is that there is
> some
> > > confusion with both iptables and 'ip route' trying to add labels to
> the
> > > same packets.
> > >
> > > On Wed, Dec 07, 2005 at 01:50:05AM -0200, Carlos Marcos Kakihara
> wrote:
> > > > Hi.
> > > > Im trying to create 2 lsp in a fish network: one for tcp and one
> for
> > > icmp
> > > > (for tests). I have used courier new font to see the picture.
> > > >
> > > > +------+ +------+
> > > > 0| LSR2 |1----0| LSR3 |1
> > > > / +------+ +------+ \
> > > > / \
> > > > / \
> > > > +-------+ +------+2 1+------+
> > > +-------+
> > > > | HOST1 |0---0| LSR1 | | LSR5 |0---0=
|
> > > HOST2 |
> > > > +-------+ +------+1 2+------+
> > > +-------+
> > > > \ /
> > > > \ /
> > > > \ +------+ /
> > > > X------0| LSR4 |1------X
> > > > +------+
> > > >
> > > > HOST1:
> > > > sis0: inet 10.28.0.2 netmask 0xffffff00 broadcast 10.28.0.255
> > > >
> > > > LSR1:
> > > > eth0:1 (alias) -> 10.28.0.1
> > > > eth1 -> 192.168.29.1
> > > > eth2 -> 192.168.28.1
> > > >
> > > > LSR2:
> > > > eth0 -> 192.168.28.2
> > > > eth1 -> 192.168.28.33
> > > >
> > > > LSR3:
> > > > eth0 -> 192.168.28.34
> > > > eth1 -> 192.168.28.65
> > > >
> > > > LSR4:
> > > > eth0 -> 192.168.29.2
> > > > eth1 -> 192.168.29.33
> > > >
> > > > LSR5:
> > > > eth0:1 (alias) -> 10.28.1.1
> > > > eth1 -> 192.168.28.66
> > > > eth2 -> 192.168.29.34
> > > >
> > > > HOST2:
> > > > # ifconfig
> > > > ed0: inet 10.28.1.2 netmask 0xffffff00 broadcast 10.28.1.255
> > > >
> > > > LSP A: LSR1 -> LSR2 -> LSR3 -> LSR5
> > > > LSP B: LSR1 -> LSR4 -> LSR5
> > > >
> > > > The numbers are the ethernet interfaces id: 0 means eth0 (or
> sis0), 1
> > > > means eth1 and 2 means eth2.
> > > > All 192.168 networks have 255.255.255.224 netmask.
> > > >
> > > > Ive tried the following:
> > > >
> > > > lsr1:~# uname -a
> > > > Linux lsr1 2.6.9-MPLSv2-LSR1 #1 Tue Nov 22 23:06:08 BRST 2005 i686
> > > GNU/Linux
> > > > lsr1:~# cat /sys/mpls/version
> > > > 1.946
> > > > lsr1:~# mpls nhlfe add key 0
> > > > Key: 0x00000002
> > > > lsr1:~# mpls nhlfe change key 0x00000002 instructions push gen 1000=
4
> > > nexthop
> > > > eth2 ipv4 192.168.28.2
> > > > lsr1:~# mpls nhlfe add key 0
> > > > Key: 0x00000003
> > > > lsr1:~# mpls nhlfe change key 0x00000003 instructions push gen 1000=
0
> > > nexthop
> > > > eth1 ipv4 192.168.29.2
> > > > lsr1:~# mpls labelspace add dev eth2 labelspace 0
> > > > lsr1:~# mpls labelspace add dev eth1 labelspace 0
> > > > lsr1:~# mpls ilm add label gen 10005
> > > > lsr1:~# mpls ilm add label gen 10001
> > > >
> > > > lsr1:~# mpls nhlfe show
> > > > NHLFE entry key 0x00000003 mtu 1496 propagate_ttl
> > > > push gen 10000 set eth1 ipv4 192.168.29.2 (0 bytes, 0 pkts=
,
> 0
> > > > dropped)
> > > > NHLFE entry key 0x00000002 mtu 1496 propagate_ttl
> > > > push gen 10004 set eth2 ipv4 192.168.28.2 (0 bytes, 0 pkts=
,
> 0
> > > > dropped)
> > > > lsr1:~# mpls ilm show
> > > > ILM entry label gen 10001 labelspace 0 proto ipv4
> > > > pop peek (0 bytes, 0 pkts, 0 dropped)
> > > > ILM entry label gen 10005 labelspace 0 proto ipv4
> > > > pop peek (0 bytes, 0 pkts, 0 dropped)
> > > > lsr1:~# mpls labelspace show
> > > > LABELSPACE entry dev eth0 labelspace -1
> > > > LABELSPACE entry dev lo labelspace -1
> > > > LABELSPACE entry dev eth1 labelspace 0
> > > > LABELSPACE entry dev eth2 labelspace 0
> > > > LABELSPACE entry dev tunl0 labelspace -1
> > > > LABELSPACE entry dev atm0 labelspace -1
> > > > LABELSPACE entry dev lec0 labelspace -1
> > > >
> > > > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 spec_nh
> > > 0x8847
> > > > 0x2
> > > > lsr1:~# ip route append 10.28.1.0/24 nexthop via 192.168.29.2spec_n=
h
> > > 0x8847
> > > > 0x3
> > > > lsr1:~# iptables -A OUTPUT -p tcp -d 10.28.1.0/24 -j spec_nh
> --spec_nh
> > > > 0x8847:0x3
> > > > lsr1:~# iptables -A OUTPUT -p icmp -d 10.28.1.0/24 -j spec_nh
> --spec_nh
> > > > 0x8847:0x2
> > > >
> > > > lsr1:~# ip route list
> > > > 192.168.29.0/27 dev eth1 proto kernel scope link src 192.168.29.=
1
> > > > 192.168.28.0/27 dev eth2 proto kernel scope link src 192.168.28.=
1
> > > > 10.28.1.0/24 via 192.168.28.2 dev eth2 spec_nh 0x8847 0x00000002
> > > > 10.28.1.0/24 via 192.168.29.2 dev eth1 spec_nh 0x8847 0x00000003
> > > > 10.28.0.0/24 dev eth0 proto kernel scope link src 10.28.0.1
> > > > 172.30.0.0/16 dev atm0 proto kernel scope link src 172.30.28.1
> > > > 172.29.0.0/16 dev lec0 proto kernel scope link src 172.29.28.1
> > > >
> > > > lsr1:~# iptables -L -n
> > > > Chain INPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > >
> > > > Chain FORWARD (policy ACCEPT)
> > > > target prot opt source destination
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target prot opt source destination
> > > > spec_nh tcp -- 0.0.0.0/0 10.28.1.0/24 set
> spec_nh
> > > > 0x4788:0x00000003
> > > > spec_nh icmp -- 0.0.0.0/0 10.28.1.0/24 set
> spec_nh
> > > > 0x4788:0x00000002
> > > >
> > > >
> > > > At this point, I think icmp goes through LSP A and tcp goes
> through
> > > LSP B.
> > > > When I ping HOST2 (10.28.1.2) from HOST1 (10.28.0.2), tcpdump at
> LSR1
> > > shows
> > > > label 10004, indicating the use of LSP A. But when I do a ssh, the
> label
> > > > 10004 appears again, indicating that LSP B IS NOT in use.
> > > > If I flush iptables rules and delete the route through LSP A, all
> > > trafic
> > > > goes through LSP B.
> > > > Can someone see what Im doing wrong? Maybe some routes cache? Or
> ip
> > > route
> > > > syntax?
> > > >
> > > > TIA.
> > > >
> > > >
> > > > On 12/5/05, James R. Leu <jl...@mi...> wrote:
> > > > > MPLS-linux builds on the existing netfilter (iptables)
> infrastructure
> > > > > that exists in the linux kernel.
> > > > >
> > > > > After building/installing a MPLS enabled iptables you can do:
> > > > >
> > > > > iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2
> > > > >
> > > > > This maps all TCP traffic to the special nexthop 0x8847:0x2, wher=
e
> > > > > 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2.
> > > > >
> > > > > Basically if you can build an iptables rules to do what you want
> at
> > > > > L3, then you can simply add the spec_nh target and it will map to
> > > MPLS.
> > > > >
> > > > > On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I?m studying MPLS using the project mpls-linux to mount some
> > > > testbeds networks and analyze the Traffic Engineering capabilities
> of
> > > MPLS.
> > > > Some papers results show that the TCP traffic is affected by UDP
> > > traffic
> > > > in the core of MPLS networks.
> > > > > >
> > > > > > I?m trying to separate the UDP traffic from the TCP traffic
> using
> > > > two differents LSP?s. I would like to know how can I do that using
> > > > the mpls(ip route/iptables with mpls patch) command. I?m know how
> to
> > > > create static LSP?s based on the destination IP to determine the
> path
> > > > of packets, but I don?t know how to determine the path based on
> > > > the protocol (tcp/udp).
> > > > > >
> > > > > >
> > > > > > Figure of my network topology:
> > > > > >
> > > > > >
> > > > > > LSP1(TCP) --->
> > > > > >
> > > > > > _____LSRC_____
> > > > > > / \
> > > > > > / \
> > > > > > ---LER A---LSRB LSRE----LER F
> > > > > > \ /
> > > > > > \_____LSRD_____/
> > > > > >
> > > > > >
> > > > > > LSP2(UDP) --->
> > > > > >
> > > > > >
> > > > > > Thanks for any help.
>
|
|
From: James R. L. <jl...@mi...> - 2005-12-07 17:44:43
|
If you are going to do performance tests make sure to use a kernel MPLS debugging turned off. Let me know if you need details. On Wed, Dec 07, 2005 at 03:37:49PM -0200, Carlos Marcos Kakihara wrote: > ** Sorry, Im not an ascii art expert, and html email doesnt help. :-) > HOST1 and HOST2 are outside of MPLS network, and they are generating > traffic through LSR1 and LSR5 (LERs), respectively. > All the transit LSRs have no default route and no IP forwarding (sysctl= -w > net.ipv4.ip_forward=3D0). Only LERs have IP forwarding enabled. > Now Ill start to build some stress tests (I was very stressed already, = now > it is MPLS's turn ;-) ). >=20 > Thank you very much for your help. >=20 > On 12/7/05, James R. Leu <jl...@mi...> wrote: > > > > I've never used the FORWARD chain, but I think it will be fine. Are you > > generating traffic locally on the LER or is the traffic your working wi= th > > being forward through the LER? That might explain the difference. > > > > On Wed, Dec 07, 2005 at 02:39:17PM -0200, Carlos Marcos Kakihara wrote: > > > It worked, but i had to use a FORWARD chain in iptables, because > > adding a > > > -j LOG alone onto OUTPUT chain produced no log in syslog. So, I guess > > that > > > packets are not matching the OUTPUT chain. > > > I also changed ip route syntax. Im using one 'ip route add' with 2 > > > nexthop, without spec_nh values: > > > > > > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 nexthop via > > > 192.168.29.2 > > > lsr1:~# iptables -A FORWARD -p icmp -d 10.28.1.0/24 -j spec_nh --spec= _nh > > > 0x8847:0x00000002 > > > lsr1:~# iptables -A FORWARD -p tcp -d 10.28.1.0/24 -j spec_nh --spec_= nh > > > 0x8847:0x00000003 > > > > > > Now tcpdump shows right labels in both LSPs. > > > Is it ok to use the FORWARD chain? > > > > > > Thank you. > > > > > > On 12/7/05, James R. Leu <jl...@mi...> wrote: > > > > > > > > I would get rid of the FTNs create via 'ip route'. You will still > > need to > > > > have a prefix in your table for that destination, but it only needs= to > > > > have > > > > one next hop and doesn't need to have a spec_nh specified. > > > > > > > > This will allow iptable to do the work. My guess is that there is > > some > > > > confusion with both iptables and 'ip route' trying to add labels to > > the > > > > same packets. > > > > > > > > On Wed, Dec 07, 2005 at 01:50:05AM -0200, Carlos Marcos Kakihara > > wrote: > > > > > Hi. > > > > > Im trying to create 2 lsp in a fish network: one for tcp and one > > for > > > > icmp > > > > > (for tests). I have used courier new font to see the picture. > > > > > > > > > > +------+ +------+ > > > > > 0| LSR2 |1----0| LSR3 |1 > > > > > / +------+ +------+ \ > > > > > / \ > > > > > / \ > > > > > +-------+ +------+2 1+------+ > > > > +-------+ > > > > > | HOST1 |0---0| LSR1 | | LSR5 |0--= -0| > > > > HOST2 | > > > > > +-------+ +------+1 2+------+ > > > > +-------+ > > > > > \ / > > > > > \ / > > > > > \ +------+ / > > > > > X------0| LSR4 |1------X > > > > > +------+ > > > > > > > > > > HOST1: > > > > > sis0: inet 10.28.0.2 netmask 0xffffff00 broadcast 10.28.0.255 > > > > > > > > > > LSR1: > > > > > eth0:1 (alias) -> 10.28.0.1 > > > > > eth1 -> 192.168.29.1 > > > > > eth2 -> 192.168.28.1 > > > > > > > > > > LSR2: > > > > > eth0 -> 192.168.28.2 > > > > > eth1 -> 192.168.28.33 > > > > > > > > > > LSR3: > > > > > eth0 -> 192.168.28.34 > > > > > eth1 -> 192.168.28.65 > > > > > > > > > > LSR4: > > > > > eth0 -> 192.168.29.2 > > > > > eth1 -> 192.168.29.33 > > > > > > > > > > LSR5: > > > > > eth0:1 (alias) -> 10.28.1.1 > > > > > eth1 -> 192.168.28.66 > > > > > eth2 -> 192.168.29.34 > > > > > > > > > > HOST2: > > > > > # ifconfig > > > > > ed0: inet 10.28.1.2 netmask 0xffffff00 broadcast 10.28.1.255 > > > > > > > > > > LSP A: LSR1 -> LSR2 -> LSR3 -> LSR5 > > > > > LSP B: LSR1 -> LSR4 -> LSR5 > > > > > > > > > > The numbers are the ethernet interfaces id: 0 means eth0 (or > > sis0), 1 > > > > > means eth1 and 2 means eth2. > > > > > All 192.168 networks have 255.255.255.224 netmask. > > > > > > > > > > Ive tried the following: > > > > > > > > > > lsr1:~# uname -a > > > > > Linux lsr1 2.6.9-MPLSv2-LSR1 #1 Tue Nov 22 23:06:08 BRST 2005 i686 > > > > GNU/Linux > > > > > lsr1:~# cat /sys/mpls/version > > > > > 1.946 > > > > > lsr1:~# mpls nhlfe add key 0 > > > > > Key: 0x00000002 > > > > > lsr1:~# mpls nhlfe change key 0x00000002 instructions push gen 10= 004 > > > > nexthop > > > > > eth2 ipv4 192.168.28.2 > > > > > lsr1:~# mpls nhlfe add key 0 > > > > > Key: 0x00000003 > > > > > lsr1:~# mpls nhlfe change key 0x00000003 instructions push gen 10= 000 > > > > nexthop > > > > > eth1 ipv4 192.168.29.2 > > > > > lsr1:~# mpls labelspace add dev eth2 labelspace 0 > > > > > lsr1:~# mpls labelspace add dev eth1 labelspace 0 > > > > > lsr1:~# mpls ilm add label gen 10005 > > > > > lsr1:~# mpls ilm add label gen 10001 > > > > > > > > > > lsr1:~# mpls nhlfe show > > > > > NHLFE entry key 0x00000003 mtu 1496 propagate_ttl > > > > > push gen 10000 set eth1 ipv4 192.168.29.2 (0 bytes, 0 pk= ts, > > 0 > > > > > dropped) > > > > > NHLFE entry key 0x00000002 mtu 1496 propagate_ttl > > > > > push gen 10004 set eth2 ipv4 192.168.28.2 (0 bytes, 0 pk= ts, > > 0 > > > > > dropped) > > > > > lsr1:~# mpls ilm show > > > > > ILM entry label gen 10001 labelspace 0 proto ipv4 > > > > > pop peek (0 bytes, 0 pkts, 0 dropped) > > > > > ILM entry label gen 10005 labelspace 0 proto ipv4 > > > > > pop peek (0 bytes, 0 pkts, 0 dropped) > > > > > lsr1:~# mpls labelspace show > > > > > LABELSPACE entry dev eth0 labelspace -1 > > > > > LABELSPACE entry dev lo labelspace -1 > > > > > LABELSPACE entry dev eth1 labelspace 0 > > > > > LABELSPACE entry dev eth2 labelspace 0 > > > > > LABELSPACE entry dev tunl0 labelspace -1 > > > > > LABELSPACE entry dev atm0 labelspace -1 > > > > > LABELSPACE entry dev lec0 labelspace -1 > > > > > > > > > > lsr1:~# ip route add 10.28.1.0/24 nexthop via 192.168.28.2 spec_nh > > > > 0x8847 > > > > > 0x2 > > > > > lsr1:~# ip route append 10.28.1.0/24 nexthop via 192.168.29.2spec= _nh > > > > 0x8847 > > > > > 0x3 > > > > > lsr1:~# iptables -A OUTPUT -p tcp -d 10.28.1.0/24 -j spec_nh > > --spec_nh > > > > > 0x8847:0x3 > > > > > lsr1:~# iptables -A OUTPUT -p icmp -d 10.28.1.0/24 -j spec_nh > > --spec_nh > > > > > 0x8847:0x2 > > > > > > > > > > lsr1:~# ip route list > > > > > 192.168.29.0/27 dev eth1 proto kernel scope link src 192.168.2= 9.1 > > > > > 192.168.28.0/27 dev eth2 proto kernel scope link src 192.168.2= 8.1 > > > > > 10.28.1.0/24 via 192.168.28.2 dev eth2 spec_nh 0x8847 0x00000002 > > > > > 10.28.1.0/24 via 192.168.29.2 dev eth1 spec_nh 0x8847 0x00000003 > > > > > 10.28.0.0/24 dev eth0 proto kernel scope link src 10.28.0.1 > > > > > 172.30.0.0/16 dev atm0 proto kernel scope link src 172.30.28.1 > > > > > 172.29.0.0/16 dev lec0 proto kernel scope link src 172.29.28.1 > > > > > > > > > > lsr1:~# iptables -L -n > > > > > Chain INPUT (policy ACCEPT) > > > > > target prot opt source destination > > > > > > > > > > Chain FORWARD (policy ACCEPT) > > > > > target prot opt source destination > > > > > > > > > > Chain OUTPUT (policy ACCEPT) > > > > > target prot opt source destination > > > > > spec_nh tcp -- 0.0.0.0/0 10.28.1.0/24 set > > spec_nh > > > > > 0x4788:0x00000003 > > > > > spec_nh icmp -- 0.0.0.0/0 10.28.1.0/24 set > > spec_nh > > > > > 0x4788:0x00000002 > > > > > > > > > > > > > > > At this point, I think icmp goes through LSP A and tcp goes > > through > > > > LSP B. > > > > > When I ping HOST2 (10.28.1.2) from HOST1 (10.28.0.2), tcpdump at > > LSR1 > > > > shows > > > > > label 10004, indicating the use of LSP A. But when I do a ssh, the > > label > > > > > 10004 appears again, indicating that LSP B IS NOT in use. > > > > > If I flush iptables rules and delete the route through LSP A, a= ll > > > > trafic > > > > > goes through LSP B. > > > > > Can someone see what Im doing wrong? Maybe some routes cache? Or > > ip > > > > route > > > > > syntax? > > > > > > > > > > TIA. > > > > > > > > > > > > > > > On 12/5/05, James R. Leu <jl...@mi...> wrote: > > > > > > MPLS-linux builds on the existing netfilter (iptables) > > infrastructure > > > > > > that exists in the linux kernel. > > > > > > > > > > > > After building/installing a MPLS enabled iptables you can do: > > > > > > > > > > > > iptables -A OUTPUT -p tcp -j spec_nh --spec_nh 0x8847:0x2 > > > > > > > > > > > > This maps all TCP traffic to the special nexthop 0x8847:0x2, wh= ere > > > > > > 0x8847 mean MPLS and 0x2 mean NHLFE with the key of 0x2. > > > > > > > > > > > > Basically if you can build an iptables rules to do what you want > > at > > > > > > L3, then you can simply add the spec_nh target and it will map = to > > > > MPLS. > > > > > > > > > > > > On Mon, Dec 05, 2005 at 07:34:28PM +0000, Carlos Veiga wrote: > > > > > > > Hello, > > > > > > > > > > > > > > I?m studying MPLS using the project mpls-linux to mount some > > > > > testbeds networks and analyze the Traffic Engineering capabiliti= es > > of > > > > MPLS. > > > > > Some papers results show that the TCP traffic is affected by UDP > > > > traffic > > > > > in the core of MPLS networks. > > > > > > > > > > > > > > I?m trying to separate the UDP traffic from the TCP traffic > > using > > > > > two differents LSP?s. I would like to know how can I do that usi= ng > > > > > the mpls(ip route/iptables with mpls patch) command. I?m know how > > to > > > > > create static LSP?s based on the destination IP to determine the > > path > > > > > of packets, but I don?t know how to determine the path based on > > > > > the protocol (tcp/udp). > > > > > > > > > > > > > > > > > > > > > Figure of my network topology: > > > > > > > > > > > > > > > > > > > > > LSP1(TCP) ---> > > > > > > > > > > > > > > _____LSRC_____ > > > > > > > / \ > > > > > > > / \ > > > > > > > ---LER A---LSRB LSRE----LER F > > > > > > > \ / > > > > > > > \_____LSRD_____/ > > > > > > > > > > > > > > > > > > > > > LSP2(UDP) ---> > > > > > > > > > > > > > > > > > > > > > Thanks for any help. > > --=20 James R. Leu jl...@mi... |
|
From: Carlos M. K. <ba...@gm...> - 2005-12-07 17:48:04
|
Humm.. I did an 'echo 0 > /sys/mpls/debug' at all nodes. There is something else? On 12/7/05, James R. Leu <jl...@mi...> wrote: > > If you are going to do performance tests make sure to use a kernel > MPLS debugging turned off. Let me know if you need details. > |
|
From: James R. L. <jl...@mi...> - 2005-12-07 18:46:48
|
You will want to recompile your kernel to not include the debug code at all. On Wed, Dec 07, 2005 at 03:47:59PM -0200, Carlos Marcos Kakihara wrote: > Humm.. I did an 'echo 0 > /sys/mpls/debug' at all nodes. There is > something else? >=20 > On 12/7/05, James R. Leu <jl...@mi...> wrote: > > > > If you are going to do performance tests make sure to use a kernel > > MPLS debugging turned off. Let me know if you need details. > > --=20 James R. Leu jl...@mi... |
|
From: Bob B. <bob...@gm...> - 2005-12-07 19:15:14
|
On 12/7/05, James R. Leu <jl...@mi...> wrote: > You will want to recompile your kernel to not include the debug code > at all. > In kernel source code ... include/net/mpls.h: (about line 57) comment out these two #defines and the debug code will be omited, as opposed to just not sent to debug logs. /* Comment this to suppress MPLS_DEBUG calls */ #define MPLS_ENABLE_DEBUG 1 /* Comment this to suppress TRACING enter/exit functions */ #define MPLS_ENABLE_DEBUG_FUNC 1 I suppose enabling debug could be added to the Makefile/Kconfig system as a selectable option, but this way is not too difficult. :) HTH, -- -Bob |
|
From: Bob B. <bob...@gm...> - 2005-12-07 21:08:41
|
>
> I suppose enabling debug could be added to the Makefile/Kconfig system
Here's a little something I gen'd up while waiting on another thread
WARNING -- not tested at all!
diff -uprN -X dontdiff kernel/include/net/mpls.h kernel-bb/include/net/mpls=
.h
--- kernel/include/net/mpls.h 2005-12-07 10:08:49.000000000 -0500
+++ kernel-bb/include/net/mpls.h 2005-12-07 15:51:52.000000000 -0500
@@ -59,6 +59,15 @@ extern struct dst_ops mpls_dst_ops;
/* Comment this to suppress TRACING enter/exit functions */
#define MPLS_ENABLE_DEBUG_FUNC 1
+/* Override driver debugging from Kconfig option:
+ * MPLS_DISABLE_DEBUG
+ */
+#ifdef MPLS_DISABLE_DEBUG
+#undefine MPLS_ENABLE_DEBUG
+#undefine MPLS_ENABLE_DEBUG_FUNC
+#endif
+
+
#ifdef MPLS_ENABLE_DEBUG
#define MPLS_DEBUG(f, a...) \
{ \
diff -uprN -X dontdiff kernel/net/Kconfig kernel-bb/net/Kconfig
--- kernel/net/Kconfig 2005-12-07 10:08:49.000000000 -0500
+++ kernel-bb/net/Kconfig 2005-12-07 15:53:38.000000000 -0500
@@ -96,6 +96,17 @@ config MPLS_TUNNEL
If unsure, say N.
+config MPLS_DISABLE_DEBUG
+ boolean "MPLS: Disable Debug"
+ depends on MPLS
+ default n
+ ---help---
+ This option allows to disable the inclusion of debugging code in
+ the MPLS driver. The mpls.h file has the actual DEBUG #defines,
+ but saying Y here, will force them off.
+
+ If you feel the need for speed, say Y.
+
if INET
source "net/ipv4/Kconfig"
source "net/ipv6/Kconfig"
diff -uprN -X dontdiff kernel/net/mpls/Makefile kernel-bb/net/mpls/Makefile
--- kernel/net/mpls/Makefile 2005-12-07 10:08:49.000000000 -0500
+++ kernel-bb/net/mpls/Makefile 2005-12-07 15:54:00.000000000 -0500
@@ -9,3 +9,7 @@ mpls-y :=3D af_mpls.o mpls_if.o mpls_ilm.o
obj-$(CONFIG_MPLS) +=3D mpls.o
obj-$(CONFIG_MPLS_TUNNEL) +=3D mpls_tunnel.o
+
+ifeq ($(CONFIG_MPLS_DISABLE_DEBUG),y)
+EXTRA_CFLAGS +=3D -DMPLS_DISABLE_DEBUG
+endif
--
-Bob
|
|
From: James R. L. <jl...@mi...> - 2005-12-07 21:35:55
|
Nice work :-)
On Wed, Dec 07, 2005 at 04:08:33PM -0500, Bob Beers wrote:
> >
> > I suppose enabling debug could be added to the Makefile/Kconfig system
>=20
> Here's a little something I gen'd up while waiting on another thread
> WARNING -- not tested at all!
>=20
> diff -uprN -X dontdiff kernel/include/net/mpls.h kernel-bb/include/net/mp=
ls.h
> --- kernel/include/net/mpls.h 2005-12-07 10:08:49.000000000 -0500
> +++ kernel-bb/include/net/mpls.h 2005-12-07 15:51:52.000000000 -05=
00
> @@ -59,6 +59,15 @@ extern struct dst_ops mpls_dst_ops;
> /* Comment this to suppress TRACING enter/exit functions */
> #define MPLS_ENABLE_DEBUG_FUNC 1
>=20
> +/* Override driver debugging from Kconfig option:
> + * MPLS_DISABLE_DEBUG
> + */
> +#ifdef MPLS_DISABLE_DEBUG
> +#undefine MPLS_ENABLE_DEBUG
> +#undefine MPLS_ENABLE_DEBUG_FUNC
> +#endif
> +
> +
> #ifdef MPLS_ENABLE_DEBUG
> #define MPLS_DEBUG(f, a...) \
> { \
> diff -uprN -X dontdiff kernel/net/Kconfig kernel-bb/net/Kconfig
> --- kernel/net/Kconfig 2005-12-07 10:08:49.000000000 -0500
> +++ kernel-bb/net/Kconfig 2005-12-07 15:53:38.000000000 -0500
> @@ -96,6 +96,17 @@ config MPLS_TUNNEL
>=20
> If unsure, say N.
>=20
> +config MPLS_DISABLE_DEBUG
> + boolean "MPLS: Disable Debug"
> + depends on MPLS
> + default n
> + ---help---
> + This option allows to disable the inclusion of debugging code in
> + the MPLS driver. The mpls.h file has the actual DEBUG #defines,
> + but saying Y here, will force them off.
> +
> + If you feel the need for speed, say Y.
> +
> if INET
> source "net/ipv4/Kconfig"
> source "net/ipv6/Kconfig"
> diff -uprN -X dontdiff kernel/net/mpls/Makefile kernel-bb/net/mpls/Makefi=
le
> --- kernel/net/mpls/Makefile 2005-12-07 10:08:49.000000000 -0500
> +++ kernel-bb/net/mpls/Makefile 2005-12-07 15:54:00.000000000 -0500
> @@ -9,3 +9,7 @@ mpls-y :=3D af_mpls.o mpls_if.o mpls_ilm.o
>=20
> obj-$(CONFIG_MPLS) +=3D mpls.o
> obj-$(CONFIG_MPLS_TUNNEL) +=3D mpls_tunnel.o
> +
> +ifeq ($(CONFIG_MPLS_DISABLE_DEBUG),y)
> +EXTRA_CFLAGS +=3D -DMPLS_DISABLE_DEBUG
> +endif
>=20
>=20
> --
> -Bob
--=20
James R. Leu
jl...@mi...
|
|
From: Carlos M. K. <ba...@gm...> - 2005-12-08 10:26:38
|
Ill try it. ;-)
Many thanks for all help.
On 12/7/05, Bob Beers <bob...@gm...> wrote:
>
> >
> > I suppose enabling debug could be added to the Makefile/Kconfig system
>
> Here's a little something I gen'd up while waiting on another thread
> WARNING -- not tested at all!
>
> diff -uprN -X dontdiff kernel/include/net/mpls.h
> kernel-bb/include/net/mpls.h
> --- kernel/include/net/mpls.h 2005-12-07 10:08:49.000000000 -0500
> +++ kernel-bb/include/net/mpls.h 2005-12-07 15:51:52.000000000-050=
0
> @@ -59,6 +59,15 @@ extern struct dst_ops mpls_dst_ops;
> /* Comment this to suppress TRACING enter/exit functions */
> #define MPLS_ENABLE_DEBUG_FUNC 1
>
> +/* Override driver debugging from Kconfig option:
> + * MPLS_DISABLE_DEBUG
> + */
> +#ifdef MPLS_DISABLE_DEBUG
> +#undefine MPLS_ENABLE_DEBUG
> +#undefine MPLS_ENABLE_DEBUG_FUNC
> +#endif
> +
> +
> #ifdef MPLS_ENABLE_DEBUG
> #define MPLS_DEBUG(f, a...) \
> { \
> diff -uprN -X dontdiff kernel/net/Kconfig kernel-bb/net/Kconfig
> --- kernel/net/Kconfig 2005-12-07 10:08:49.000000000 -0500
> +++ kernel-bb/net/Kconfig 2005-12-07 15:53:38.000000000 -0500
> @@ -96,6 +96,17 @@ config MPLS_TUNNEL
>
> If unsure, say N.
>
> +config MPLS_DISABLE_DEBUG
> + boolean "MPLS: Disable Debug"
> + depends on MPLS
> + default n
> + ---help---
> + This option allows to disable the inclusion of debugging code i=
n
> + the MPLS driver. The mpls.h file has the actual DEBUG #defines=
,
> + but saying Y here, will force them off.
> +
> + If you feel the need for speed, say Y.
> +
> if INET
> source "net/ipv4/Kconfig"
> source "net/ipv6/Kconfig"
> diff -uprN -X dontdiff kernel/net/mpls/Makefile
> kernel-bb/net/mpls/Makefile
> --- kernel/net/mpls/Makefile 2005-12-07 10:08:49.000000000 -0500
> +++ kernel-bb/net/mpls/Makefile 2005-12-07 15:54:00.000000000 -0500
> @@ -9,3 +9,7 @@ mpls-y :=3D af_mpls.o mpls_if.o mpls_ilm.o
>
> obj-$(CONFIG_MPLS) +=3D mpls.o
> obj-$(CONFIG_MPLS_TUNNEL) +=3D mpls_tunnel.o
> +
> +ifeq ($(CONFIG_MPLS_DISABLE_DEBUG),y)
> +EXTRA_CFLAGS +=3D -DMPLS_DISABLE_DEBUG
> +endif
>
> --
> -Bob
>
|
Thanks for helping keep SourceForge clean.
X