North American Network Operators Group

Re: Extreme BlackDiamond
On Mon, 13 Oct 2003, Mikael Abrahamsson wrote:

> On Sun, 12 Oct 2003, Andy Walden wrote:
>
> > Actually, as far as I know, all switches and routers use the CPU to
> > process ICMP. It is a control protocol and the safest option is to ensure
> > the vendor has implemented some sort of CPU rate-limiting so it can't be
> > overwhelmed.
>
> I don't know of anyone else who *routes* ICMP. Yes, ICMP packets destined
> for the router, but Extreme actually CPU route all ICMP packets passing
> thru.

I'm not 100% sure what you're trying to say above, but all I'm referring to
is packets destined towards the device itself.

> > This is the kicker and real question: does it require the CPU to forward
> > regular traffic? I believe the answer is yes, the Extreme is a flow-based
> > architecture and the first packet of each unique flow (however it is
> > defined) will need to be processed by the CPU. This is why the problems
>
> Yes, exactly what I'm saying. Flow here is defined as a destination IP
> number.

Maybe, maybe not. It could be more granular than that, which would allow
for additional functionality based on other fields in the IP header. Every
additional field it uses to define a flow increases the number of packets
that reach the CPU exponentially. Destination could be enough though with
the way some viruses scan address space at a rapid pace all creating new
destination flows. Also, the original question was about switching. For
layer-2 flows with unique MAC addresses reach the CPU as well? Probably.

> > described above occur. The alternative is a packet-based architecture and
> > does not rely on the CPU for forwarding. It doesn't take a lot of packets
> > to overwhelm any CPU.
>
> Quite, 10kpps is enough, if even that.

Have you tested this? I'm always interested in different vendors' flow
setup rates.

> > > They do everything in hardware when it comes to access lists, QoS etc.
> > > Either it does it in ASIC without performance impact or not at all.
> >
> > Assuming the CPU doesn't have to process the first packet before it
> > reaches the ACL, QoS policy, etc..
>
> Well, actually I believe ACLs are processed on ingress before being punted
> to the CPU even though the flow hasn't been set up yet. This is the
> observation I have seen so far anyway, but I am not 100% sure.

I'm not sure this would make sense. How would the device know to drop or
forward the packet if a flow, even if it is a drop flow, hasn't been
created?

> I can understand how a virus like Welchia can affect a flow-based
> architecture like Extreme's. I was under the impression that CEF enabled
> Cisco gear wouldn't have this problem, but Cisco has instructions on their
> webpage on how to deal with it and cites CPU usage as the reason. With CEF I
> thought the CPU wasn't involved? CEF is perhaps differently implemented on
> different platforms?

CEF certainly can limit the amount the CPU is used, and DCEF even more.
I'm not sure that Extreme has an equivalent feature though.

andy

--
PGP Key Available at http://www.tigerteam.net/andy/pgp
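
An added illustration of the flow-setup argument in this message, not code from the thread or from any vendor: a toy flow cache in which the first packet of each unique flow is punted to the CPU, compared under a destination-only flow key and a 5-tuple key. The key definitions, addresses and packet mixes are constructed assumptions and do not describe Extreme's implementation.

```python
"""Toy model of a flow-based forwarding path (constructed traffic, no vendor modelled):
the first packet of each unique flow is punted to the CPU; later packets hit the cache."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")


def key_dst(p):
    """Coarse flow key (assumed): destination IP only."""
    return (p.dst,)


def key_5tuple(p):
    """Fine flow key (assumed): every extra field splits traffic into more flows."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def count_punts(packets, key):
    """Number of packets that miss the flow cache and need CPU flow setup."""
    cache, punts = set(), 0
    for p in packets:
        k = key(p)
        if k not in cache:  # first packet of a new flow: CPU sets it up
            cache.add(k)
            punts += 1
    return punts


def steady_traffic(n):
    """Constructed normal load: 50 clients, 20 web servers, a pool of 4 source ports."""
    return [Packet(f"10.0.0.{i % 50 + 1}", f"192.0.2.{i % 20 + 1}", 6,
                   40000 + i % 4, 80) for i in range(n)]


def scan_traffic(n, base="198.18.0.0"):
    """Constructed sweep: one host sends an ICMP echo to n consecutive addresses."""
    start = ipaddress.ip_address(base)
    return [Packet("10.0.0.99", str(start + i), 1, 0, 0) for i in range(n)]


if __name__ == "__main__":
    for name, pkts in (("steady", steady_traffic(10000)), ("scan", scan_traffic(10000))):
        for key in (key_dst, key_5tuple):
            punts = count_punts(pkts, key)
            print(f"{name:6} {key.__name__:10} punts={punts:5} of {len(pkts)}")
```

For the steady mix the punt count stays fixed however many packets are sent and only grows with key granularity; for the sweep every packet is a new flow even under the coarsest key.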