documentation:examples:dropping_packets_at_high_rate
Differences
This shows you the differences between two versions of the page.
documentation:examples:dropping_packets_at_high_rate [2020/02/07 15:04] – [Using Chelsio's TCAM firewall] olivier | documentation:examples:dropping_packets_at_high_rate [2020/02/07 16:31] – [Performance impact] olivier | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Dropping packets at high rate ====== | ====== Dropping packets at high rate ====== | ||
- | ===== Goal ===== | + | ===== Objective |
{{: | {{: | ||
Line 10: | Line 10: | ||
The configuration file of an IPFW in standard mode is this one: | The configuration file of an IPFW in standard mode is this one: | ||
- | | + | |
- | | + | |
- | | + | |
< | < | ||
Line 33: | Line 33: | ||
The configuration file of an IPFW-at-NIC-level is this one: | The configuration file of an IPFW-at-NIC-level is this one: | ||
- | | + | |
- | | + | |
- | | + | |
- | | + | |
< | < | ||
Line 64: | Line 64: | ||
* FreeBSD 13.0-CURRENT r357572 | * FreeBSD 13.0-CURRENT r357572 | ||
- | Here is the rate of inet4 packets-per-second forwarded while dropping | + | Here is the rate of inet4 (legitimate) |
< | < | ||
x ipfw-standard | x ipfw-standard | ||
Line 85: | Line 85: | ||
(Student' | (Student' | ||
</ | </ | ||
+ | |||
+ | On the 14Mpps of legitimate traffic, this generic (ie: supported by multi drivers) software firewall is still able to forward 12Mpps while droping 42Mpps of denied | ||
===== Using Chelsio' | ===== Using Chelsio' | ||
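Review bot: the added sentence after the ministat block has spelling and wording slips: "droping" should be "dropping", "ie:" should be "i.e.", and "supported by multi drivers" reads better as "supported by multiple drivers". It would also help to say which rows of the ministat output the 12Mpps and 42Mpps figures come from.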
Line 93: | Line 95: | ||
Example with only one Chelsio (t5nex0) with 2 ports (0 and 1) | Example with only one Chelsio (t5nex0) with 2 ports (0 and 1) | ||
< | < | ||
- | # grep t5nex / | + | # grep t.nex / |
t5nex0: <Chelsio T580-LP-CR> | t5nex0: <Chelsio T580-LP-CR> | ||
cxl0: <port 0> on t5nex0 | cxl0: <port 0> on t5nex0 | ||
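Review bot: in the new `grep t.nex` the dot is an unescaped regex wildcard, so the pattern accepts any character between "t" and "nex", not only a chip-generation digit. A character class such as `grep 't[0-9]nex'` keeps the intent of matching other nexus generations while staying as strict as the old `t5nex`.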
Line 116: | Line 118: | ||
echo "Need Chelsio nexus name (examble: t5nex0)" | echo "Need Chelsio nexus name (examble: t5nex0)" | ||
echo "List of Nexus detected:" | echo "List of Nexus detected:" | ||
- | grep t5nex / | + | grep t.nex / |
exit 1 | exit 1 | ||
fi | fi | ||
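Review bot: the usage message on the unchanged line above still reads "examble: t5nex0"; since this hunk edits the same block, correct it to "example" in the same revision. The `grep t.nex` fallback here should use the same pattern as the interactive command earlier on the page, so the two listings cannot drift apart.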
Line 165: | Line 167: | ||
To improve the TCAM performance for a filtering usage, all unused " | To improve the TCAM performance for a filtering usage, all unused " | ||
- | + | For that we need to download a [[https:// | |
- | For that we need to download a [[https:// | + | |
< | < | ||
# fetch -o / | # fetch -o / | ||
# sed -i "" | # sed -i "" | ||
- | # sed -i "" | + | # sed -i "" |
# sed -i "" | # sed -i "" | ||
# sed -i "" | # sed -i "" | ||
# echo ' | # echo ' | ||
# cxgbetool t5nex0 loadcfg / | # cxgbetool t5nex0 loadcfg / | ||
+ | # reboot | ||
</ | </ | ||
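Review bot: the new `# reboot` step is added with no explanation of why it is needed after `cxgbetool t5nex0 loadcfg`; add a sentence stating what the reboot accomplishes, so that readers applying this to a forwarding firewall know the outage is required. The commands in this block also still hard-code `t5nex0`, while the detection commands elsewhere in this revision were generalized to `t.nex`; note that the nexus name must be adapted.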
Line 182: | Line 184: | ||
12 | 12 | ||
</ | </ | ||
- | We confirm that server|hash are at 0, | + | We confirm that regions |
Now the packet drop rate by the TCAM firewall match the generator' | Now the packet drop rate by the TCAM firewall match the generator' | ||
Line 198: | Line 200: | ||
</ | </ | ||
- | And the firewall able to forward all packets without being too busy in the same time: | + | And the firewall |
< | < | ||
[root@firewall]~# | [root@firewall]~# | ||
Line 210: | Line 212: | ||
| | ||
| | ||
+ | |||
[root@firewall]~# | [root@firewall]~# | ||
| |
documentation/examples/dropping_packets_at_high_rate.txt · Last modified: 2024/02/09 09:42 by olivier