Dynamic SCT
To protect the CPU from being flooded with traffic it has to process, Switchdev provides a mechanism that limits the traffic processed by the CPU: dynamic (runtime) Secure Control Traffic (SCT) configuration.
The limit is applied per group, in packets per second (pps). The driver applies an initial configuration when it initializes, and the user can revise this configuration.
Traffic type | TC (queue) | Rate (pps) |
---|---|---|
BGP (routing protocol) | 7 | 1000 |
All-Routers MC (used by BGP) | 7 | 100 |
STP BPDU | 7 | 200 |
LACP | 7 | 200 |
VRRP | 7 | 200 |
OSPF | 7 | 1000 |
ISIS | 7 | 1000 |
LLDP | 6 | 200 |
802.1X PAE | 6 | 200 |
CDP | 6 | 200 |
SSH | 5 | 1000 |
Telnet | 5 | 200 |
DHCP BC | 4 | 100 |
ICMP | 4 | 100 |
ARP reply to me | 4 | 300 |
ARP BC | 4 | 100 |
IGMP | 4 | 400 |
IP to My address | 2 | 10000 |
IP BC | 2 | 100 |
IP route default | 1 | 400 |
All other | 0 | 100 |
ACL default trap | 0-7 | 4000 |
The Prestera driver implements a set of temporary debugfs interfaces that give userspace a way to configure the rate limit (pps) of a specified packet type/group. These interfaces are located in the ‘prestera/sct/’ subfolder under the root of the debugfs mount point.
ls /sys/kernel/debug/prestera/sct/
all_unspecified_cpu_opcodes sct_igmp
sct_acl_trap_queue_0 sct_ip_bc
sct_acl_trap_queue_1 sct_ip_to_me
sct_acl_trap_queue_2 sct_isis
sct_acl_trap_queue_3 sct_lacp
sct_acl_trap_queue_4 sct_lldp
sct_acl_trap_queue_5 sct_nat
sct_acl_trap_queue_6 sct_ospf
sct_acl_trap_queue_7 sct_special_ip4_icmp_redirect
sct_arp_intervention sct_special_ip4_mtu_exceed
sct_arp_to_me sct_special_ip4_options_in_ip_hdr
sct_bgp sct_special_ip4_zero_ttl
sct_bgp_all_routers_mc sct_ssh
sct_cdp sct_stp
sct_default_route sct_telnet
sct_dhcp sct_vrrp
sct_icmp
NOTE: /sys/kernel/debug in this example is shown only because it's the most used mount-point of debugfs.
Setting a custom rate of a group:
echo 200 > /sys/kernel/debug/prestera/sct/sct_ssh
cat /sys/kernel/debug/prestera/sct/sct_ssh
sct_ssh: 200 (pps)
Write ‘0’ to the specified file interface to disable SCT limiting.
Static traps are policed as follows: the timeline is split into windows, each lasting 1/100 of a second on an Aldrin2 device and 1/10 of a second on any other device. The driver counts packets in a window, and once they hit the set limit, any excess packets are dropped during that window.
For example: if a packet type has a limit of 200 pps, then only 20 packets of that type would be allowed in each window. And because there are 10 windows in a second, the total rate would be 20 * 10 = 200 pps. But if packets are sent in quick bursts (e.g., 1000 packets at line rate), then all of the packets get counted towards a single window and only 20 packets are trapped to CPU.
- 65K is the maximum ('unlimited') SCT value a user can set.
- Setting an SCT group limit to zero automatically 'disables' the limit (sets the limit value to 65K).
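The window policing described above can be modelled to see why a burst and a paced stream with the same packet count are treated so differently. This is an added example, not Prestera driver code; the function names, the line rate used for the burst, and flooring the per-window budget are assumptions.

```python
from collections import Counter

US = 1_000_000  # microseconds per second; timestamps are integer microseconds

# Windows per second as described above: 1/100 s windows on Aldrin2,
# 1/10 s windows on any other device.
WINDOWS_PER_SEC = {"aldrin2": 100, "other": 10}


def trapped_to_cpu(arrivals_us, limit_pps, device="other"):
    """Count packets that reach the CPU under fixed-window policing.

    Assumption: the per-window budget is limit_pps // windows-per-second
    (the page does not say how uneven divisions are rounded), and
    limit_pps is a non-zero limit.
    """
    wps = WINDOWS_PER_SEC[device]
    budget = limit_pps // wps
    per_window = Counter(t * wps // US for t in arrivals_us)
    # Each window admits at most `budget` packets; the excess is dropped.
    return sum(min(count, budget) for count in per_window.values())


def burst(n, line_rate_pps=1_000_000):
    """n back-to-back packets; the line rate is a constructed sample value."""
    return [i * US // line_rate_pps for i in range(n)]


def paced(n, duration_us=US):
    """n packets spread evenly over duration_us."""
    return [i * duration_us // n for i in range(n)]


if __name__ == "__main__":
    samples = {"burst of 1000": burst(1000), "1000 paced over 1 s": paced(1000)}
    for name, pkts in samples.items():
        for dev in WINDOWS_PER_SEC:
            n = trapped_to_cpu(pkts, 200, dev)
            print(f"{name:>20}  limit=200 pps  {dev:>7}: {n} trapped")
```

With a 200 pps limit, the model reproduces the 20-packet result from the text for a single burst, while the same 1000 packets paced over one second yield the full 200.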