nanog mailing list archives

Re: Extreme BlackDiamond


From: Andy Walden <andy () tigerteam net>
Date: Mon, 13 Oct 2003 06:44:40 -0500 (CDT)



On Mon, 13 Oct 2003, Mikael Abrahamsson wrote:

On Sun, 12 Oct 2003, Andy Walden wrote:

Actually, as far as I know, all switches and routers use the CPU to
process ICMP. It is a control protocol and the safest option is to ensure
the vendor has implemented some sort of CPU rate-limiting so it can't be
overwhelmed.

I don't know of anyone else who *routes* ICMP. Yes, ICMP packets destined
for the router, but Extreme actually CPU route all ICMP packets passing
thru.

I'm not 100% sure what you're trying to say above, but all I'm referring to
is packets destined towards the device itself.

This is the kicker and real question: does it require the CPU to forward
regular traffic? I believe the answer is yes, the Extreme is a flow-based
architecture and the first packet of each unique flow (however it is
defined) will need to be processed by the CPU. This is why the problems

Yes, exactly what I'm saying. Flow here is defined as a destination IP
number.

Maybe, maybe not. It could be more granular than that, which would allow
for additional functionality based on other fields in the IP header. Every
additional field it uses to define a flow increases the number of packets
that reach the CPU exponentially. Destination could be enough though with
the way some viruses scan address space at a rapid pace all creating new
destination flows.

Also, the original question was about switching. Do layer-2 flows with
unique MAC addresses reach the CPU as well? Probably.


described above occur. The alternative is a packet-based architecture and
does not rely on the CPU for forwarding. It doesn't take a lot of packets
to overwhelm any CPU.

Quite, 10kpps is enough, if even that.

Have you tested this? I'm always interested in different vendor's flow
setup rates.

They do everything in hardware when it comes to access lists, QoS etc.
Either it does it in ASIC without performance impact or not at all.

Assuming the CPU doesn't have to process the first packet before it
reaches the ACL, QoS policy, etc..

Well, actually I believe ACLs are processed on ingress before being punted
to the CPU even though the flow hasn't been set up yet. This is the
observation I have seen so far anyway, but I am not 100% sure.

I'm not sure this would make sense. How would the device know to drop or
forward the packet if a flow, even if it is a drop flow, hasn't been
created?

I can understand how a virus like Welchia can affect a flow-based
architecture like Extreme's. I was under the impression that CEF-enabled
Cisco gear wouldn't have this problem, but Cisco has instructions on their
webpage on how to deal with it and cites CPU usage as the reason. With CEF I
thought the CPU wasn't involved? CEF is perhaps differently implemented on
different platforms?

CEF certainly can limit the amount the CPU is used, and dCEF even more.
I'm not sure that Extreme has an equivalent feature though.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp
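As an added illustration that is not part of this thread or of any vendor's code, the following Python model simulates the punt behaviour Andy and Mikael are arguing about: the first packet of each new flow goes to the CPU to install a forwarding entry, later packets of that flow are switched in hardware. It compares a destination-only flow key with a full 5-tuple key, replays a constructed address-space sweep of the kind Welchia generated, and adds a token-bucket limiter on the punt path to show what CPU rate-limiting costs. All addresses, traffic, the key functions and the `PuntLimiter` class are constructed assumptions for the example.

```python
"""Toy model of CPU punts in a flow-based forwarding engine.

Added example (not from the NANOG thread, not any vendor's implementation).
The first packet of a new flow is punted to the CPU, which installs a
hardware entry; later packets of that flow are forwarded without CPU work.
All addresses and traffic below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def key_dst_only(p: Packet) -> Tuple:
    """Flow defined by destination IP only (the definition Mikael suggests)."""
    return (p.dst,)


def key_5tuple(p: Packet) -> Tuple:
    """Flow defined by the full 5-tuple: many more distinct flows per host pair."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


class PuntLimiter:
    """Integer-tick token bucket (assumed design): one token every `period`
    ticks, burst of up to `capacity` punts."""

    def __init__(self, period: int, capacity: int):
        self.period, self.capacity = period, capacity
        self.tokens, self.last = capacity, 0

    def allow(self, now: int) -> bool:
        credits = now // self.period - self.last // self.period
        self.tokens = min(self.capacity, self.tokens + credits)
        self.last = now
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(packets: List[Packet], keyfn: Callable[[Packet], Tuple],
             limiter: Optional[PuntLimiter] = None) -> Tuple[Dict[str, int], Set[Tuple]]:
    """Replay packets (one per tick); return counters and the installed flow table."""
    flow_table: Set[Tuple] = set()
    stats = {"hw": 0, "punted": 0, "dropped": 0}
    for tick, p in enumerate(packets):
        k = keyfn(p)
        if k in flow_table:
            stats["hw"] += 1                 # hardware entry exists: no CPU work
        elif limiter is None or limiter.allow(tick):
            stats["punted"] += 1             # CPU sees the packet and installs the flow
            flow_table.add(k)
        else:
            stats["dropped"] += 1            # punt budget exhausted; no entry installed
    return stats, flow_table


def normal_traffic(clients: int = 20, packets_per_flow: int = 50) -> List[Packet]:
    """Constructed: each client talks to two web servers, 50 packets per connection."""
    servers = ("10.0.0.10", "10.0.0.11")
    return [Packet(f"192.0.2.{c + 1}", s, "tcp", 40000 + c, 80)
            for c in range(clients) for s in servers for _ in range(packets_per_flow)]


def scan_traffic(targets: int = 2000) -> List[Packet]:
    """Constructed: one host sends a single ICMP echo to each of 2000 destinations."""
    return [Packet("192.0.2.200", f"10.1.{t // 256}.{t % 256}", "icmp", 0, 0)
            for t in range(targets)]


def collateral_damage() -> bool:
    """True if a legitimate new flow arriving mid-scan is dropped by the punt limiter."""
    legit = Packet("192.0.2.50", "10.0.0.10", "tcp", 45000, 443)
    scan = scan_traffic()
    _, installed = simulate(scan[:505] + [legit] + scan[505:], key_dst_only,
                            PuntLimiter(period=10, capacity=10))
    return key_dst_only(legit) not in installed


if __name__ == "__main__":
    for name, keyfn in (("dst-only", key_dst_only), ("5-tuple", key_5tuple)):
        print("normal traffic,", name, simulate(normal_traffic(), keyfn)[0])
        print("scan traffic,  ", name, simulate(scan_traffic(), keyfn)[0])
    print("scan with limiter", simulate(scan_traffic(), key_dst_only, PuntLimiter(10, 10))[0])
    print("legit flow lost during scan:", collateral_damage())
```

On the constructed traffic the destination-only key punts 2 of 2000 normal packets while the 5-tuple key punts 40, which is the granularity effect Andy describes; the sweep punts every one of its 2000 packets whichever key is used, because each destination is a new flow. The limiter holds punts to 209 of those, but the one legitimate new flow that arrives mid-scan is dropped along with the scan packets, which is the trade-off of CPU rate-limiting: it protects the control plane at the cost of new-flow setup for everyone while the scan lasts.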
