[c-nsp] GRE tunnels on 7600 Sup 3B and large UDP

Peter J. Welcher pjw at netcraftsmen.net
Wed Apr 20 10:41:15 EDT 2005 

We're considering use of pt-pt GRE tunnels to control multicast 
propagation in a MAN LAN service. (Long story
as to why: basically trying to use rate limiting to protect against 
oversubscribing lower speed egress bandwidth
due to present lack of SP QoS in the MAN).

The platform is a 7600 w/ 720 engine, Sup 3B running native IOS 
12.2(18)SXD3. FWIW, the Cisco docs have all sorts
of caveats about QoS, GRE tunnels, etc. and hardware switching that seem 
a bit out of date, so knowing exactly what is
and isn't supported is a bit awkward. We've tried going the SE route but 
the answers we're getting are not technically
satisfactory. We're probably going to kick something off via TAC but are 
trying to get this resolved more quickly.

Anyway...

Testing shows that large UDP packets are getting process switched, so 
that about 20 Mbps of UDP will
kill the switch CPU (100% utilization).

TCP performance is great for our testing, hardware switched, but that's 
apparently due to small NIC MTU
on the receiver. We're using TTCP for testing, and got 990 Mbps of TCP 
and small UDP packets going on the MAN
Gig link.

We're hesitant therefore to configure GRE tunnels, since a vanilla 
Windows box with an UDP traffic generator
could easily trigger a DoS in the 7600 core network. One thought was we 
could PBR all UDP > 1476 say to Null0. Maybe
do the same for defense against large TCP packets as well. We're ending 
up leaning towards just not trying
to use GRE at all.

Am I missing something, or does this DoS potential mean that GRE tunnels 
on the 7600 are pretty much something
one doesn't want to use due to uncontrollable risk? Another debatable 
(which may apply to many vendors) is whether
hardware tunnel encapsulation does any good if fragmentation isn't 
handled efficiently.

HTH

-------------------------------------------------------
Dr. Peter J. Welcher     
CCIE #1773, CCSI 94014, CCIP
Chesapeake NetCraftsmen, LLC

EMAIL: pjw at netcraftsmen.net OR p.welcher at att.net
CELL PHONE: (443) 995-4859
Home Office: (410) 626-7735 or 7122
http://www.netcraftsmen.net/welcher
e-FAX: (208) 567-2310

Chesapeake NetCraftsmen is a consulting company
dedicated to quality. Our highly experienced staff
has deep consulting and training experience, including
10 CCIE's. Our expertise includes high-end routing and
switching, design, IP Telephony, VoIP, QoS, MPLS,
network management, security, IP multicast,
and course and lab development.
-------------------------------------------------------

More information about the cisco-nsp mailing list