Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Dynamic Secure Control Traffic
Signed-off-by: Royal Simpson Pinto <[email protected]>

verify: iperf outputs

Signed-off-by: Royal Simpson Pinto <[email protected]>
1 parent bf0243d, commit 69fa4d5
Showing 1 changed file with 203 additions and 0 deletions.
...gurations/TrafficControlAndPolicingSubCategories/DynamicSecureControlTraffic.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,203 @@ | ||
--- | ||
title: Dynamic Secure Control Traffic | ||
grand_parent: Network Configuration | ||
parent: Traffic Control and Policing | ||
nav_order: 4 | ||
layout: default | ||
--- | ||
|
||
# Dynamic Secure Control Traffic | ||
|
||
Dynamic Secure Control Traffic (SCT) configuration is crucial in protecting the CPU from being overwhelmed by the traffic it must process. This mechanism limits the amount of traffic processed by the CPU by configuring limits on a per-group basis using packets-per-second (pps) values. | ||
|
||
## Initial SCT Values | ||
|
||
An initial configuration is set by the driver upon initiation, but users can revise this configuration. | ||
|
||
The initial SCT values for various traffic types are as follows: | ||
|
||
| Traffic Type | TC (Queue) | Rate (pps) | | ||
| :------------------: | :--------: | :--------: | | ||
| BGP | 7 | 1000 | | ||
| All-Routers MC (BGP) | 7 | 100 | | ||
| STP BPDU | 7 | 200 | | ||
| LACP | 7 | 200 | | ||
| VRRP | 7 | 200 | | ||
| OSPF | 7 | 1000 | | ||
| ISIS | 7 | 1000 | | ||
| LLDP | 6 | 200 | | ||
| 802.1X PAE | 6 | 200 | | ||
| CDP | 6 | 200 | | ||
| SSH | 5 | 1000 | | ||
| Telnet | 5 | 200 | | ||
| DHCP BC | 4 | 100 | | ||
| ICMP | 4 | 100 | | ||
| ARP reply to me | 4 | 300 | | ||
| ARP BC | 4 | 100 | | ||
| IGMP | 4 | 400 | | ||
| IP to My address | 2 | 10000 | | ||
| IP BC | 2 | 100 | | ||
| IP route default | 1 | 400 | | ||
| All other | 0 | 100 | | ||
| ACL default trap | 0-7 | 4000 | | ||
|
||
## User Configuration | ||
|
||
Users can configure rate limiting (pps) for specified packet types/groups through a set of temporary debugfs interfaces. These interfaces are located under the root of the debugfs mount point, within the `prestera/sct/` subfolder. | ||
|
||
### Reading Configuration | ||
|
||
To read the current SCT configuration, use the `ls` command: | ||
|
||
``` | ||
ls /sys/kernel/debug/prestera/sct/ | ||
``` | ||
|
||
This command will list the available SCT files: | ||
|
||
``` | ||
all_unspecified_cpu_opcodes | ||
sct_acl_trap_queue_4 | ||
sct_arp_to_me | ||
sct_dhcp | ||
sct_isis | ||
sct_special_ip4_icmp_redirect | ||
sct_stp | ||
sct_acl_trap_queue_0 | ||
sct_acl_trap_queue_5 sct_bgp | ||
sct_icmp | ||
sct_lacp sct_special_ip4_mtu_exceed | ||
sct_telnet | ||
sct_acl_trap_queue_1 | ||
sct_acl_trap_queue_6 | ||
sct_bgp_all_routers_mc | ||
sct_igmp | ||
sct_lldp | ||
sct_special_ip4_options_in_ip_hdr | ||
sct_vrrp | ||
sct_acl_trap_queue_2 | ||
sct_acl_trap_queue_7 | ||
sct_cdp | ||
sct_ip_bc | ||
sct_nat | ||
sct_special_ip4_zero_ttl | ||
sct_acl_trap_queue_3 | ||
sct_arp_intervention | ||
sct_default_route | ||
sct_ip_to_me | ||
sct_ospf | ||
sct_ssh | ||
``` | ||
|
||
### Writing Configuration | ||
|
||
To set a custom rate for a specific group, use the `echo` command. For example, to set the SCT rate for SSH traffic to 200 pps: | ||
|
||
``` | ||
echo 200 > /sys/kernel/debug/prestera/sct/sct_ssh | ||
``` | ||
|
||
To verify the new setting, use the `cat` command: | ||
|
||
``` | ||
cat /sys/kernel/debug/prestera/sct/sct_ssh | ||
``` | ||
|
||
Output: | ||
|
||
``` | ||
sct_ssh: 200 (pps) | ||
``` | ||
|
||
### Disabling SCT | ||
|
||
To disable SCT for a specific group, set its value to `0`. This action automatically sets the value to `65535` (disabling the limit): | ||
|
||
``` | ||
echo 0 > /sys/kernel/debug/prestera/sct/sct_ssh | ||
``` | ||
|
||
To verify the setting, use the `cat` command: | ||
|
||
``` | ||
cat /sys/kernel/debug/prestera/sct/sct_ssh | ||
``` | ||
|
||
Output: | ||
|
||
``` | ||
sct_ssh: 65535 (pps) | ||
``` | ||
|
||
### Notes | ||
|
||
- The maximum SCT value that can be set is `65K` pps. | ||
- Setting an SCT group limit value to zero effectively disables the limit by setting it to `65535`. | ||
|
||
## Verify Configuration | ||
|
||
Let's say you want to limit SSH traffic to different pps values and test it using iperf on the same machine: | ||
|
||
### Enable SCT for SSH: | ||
|
||
``` | ||
echo <new_limit> > /sys/kernel/debug/prestera/sct/sct_ssh | ||
``` | ||
|
||
Example: | ||
|
||
``` | ||
# Limit SSH traffic to 200 pps | ||
echo 200 > /sys/kernel/debug/prestera/sct/sct_ssh | ||
``` | ||
|
||
### Start iperf Server for SSH Traffic: | ||
|
||
``` | ||
iperf -s -p 23 | ||
``` | ||
|
||
### Start iperf Client: | ||
|
||
``` | ||
iperf -c 127.0.0.1 -p 23 | ||
``` | ||
|
||
Output- | ||
|
||
``` | ||
------------------------------------------------------------ | ||
Client connecting to 127.0.0.1, TCP port 23 | ||
TCP window size: 2.50 MByte (default) | ||
------------------------------------------------------------ | ||
[ 3] local 127.0.0.1 port 43796 connected with 127.0.0.1 port 23 | ||
[ ID] Interval Transfer Bandwidth | ||
[ 3] 0.0-10.0 sec 11.7 GBytes 10.0 Gbits/sec | ||
``` | ||
|
||
By following this approach, we can efficiently test a range of SCT limits for SSH traffic and provide valuable information on optimizing SCT configurations based on specific requirements and network environments. | ||
|
||
### Test Results: | ||
|
||
Here's a summary of the observed bandwidth for each SCT limit: | ||
|
||
| SCT Limit (pps) | Observed Bandwidth (Gbps) | | ||
| :-------------: | :-----------------------: | | ||
| 100 | 9.94 | | ||
| 200 | 10.5 | | ||
| 300 | 10.7 | | ||
| 400 | 10.8 | | ||
| 500 | 10.0 | | ||
| 600 | 10.3 | | ||
| 700 | 9.83 | | ||
| 800 | 10.4 | | ||
| 900 | 11.0 | | ||
| 1000 | 10.0 | | ||
|
||
### Analysis: | ||
|
||
- Lower SCT limits (e.g., 100-500 pps) appear to have a minimal impact on bandwidth, with fluctuations within a relatively narrow range. | ||
- Higher SCT limits (e.g., 600-900 pps) result in slightly higher bandwidth, peaking at around 11.0 Gbps at 900 pps. | ||
- At the highest SCT limit tested (1000 pps), the observed bandwidth decreases slightly to 10.0 Gbps. | ||
|
||
Based on the observed results, users can select SCT limits that strike a balance between traffic control and maximizing network throughput according to their specific requirements. |
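Review bot: In the "Verify Configuration" section the test does not exercise the limit it claims to verify: the limit is written to `sct_ssh`, but `iperf -s -p 23` listens on the Telnet port (the initial-values table and the `sct_telnet` file treat Telnet as a separate group), and `iperf -c 127.0.0.1 -p 23` runs over loopback on the same machine, so nothing here shows a packet passing through the path that SCT polices. The results table is consistent with that: observed bandwidth stays between 9.83 and 11.0 Gbps for every limit from 100 to 1000 pps, so the "Analysis" bullets describe run-to-run variation rather than an effect of the limit. Suggest generating the traffic from a host attached to a switch port toward port 22, and reporting received packets per second against the configured value instead of TCP bandwidth. Two smaller points: the Notes give the maximum as `65K` while the disable example shows `65535`, so state the exact ceiling; and the `ls` listing has two entries run together on the lines `sct_acl_trap_queue_5 sct_bgp` and `sct_lacp sct_special_ip4_mtu_exceed`. Because "Disabling SCT" lifts the CPU protection for that group, it would help to say so next to `echo 0` and to note whether the value persists across a driver reload.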