[c-nsp] Outbound drops on 6748

Dean Smith dean at eatworms.org.uk
Sat Jan 28 14:51:48 EST 2012 

The ACE is in bridging mode on the client side of the appliance and its pure
HTTP.

The Appliance has just one connected interface to the switch - so everything
comes in and out on the same port (i.e. traffic and packets are therefore
basically symmetric on that interface) . So the ACE is actually only sending
the HTTP requests, but the appliances are receiving the larger return flows
from a shared 10Gb/s.

Dean

-----Original Message-----
From: Matthew Huff [mailto:mhuff at ox.com] 
Sent: 28 January 2012 19:33
To: Dean Smith; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Outbound drops on 6748

Is the ACE blade setup as a SLB on a stick, or is it doing bridging? Looks
like the ACE is sending bursts faster than the 6748 blade can serialize the
output on 1GB Ethernet. What type of traffic is the ACE load balancing? UDP
voip/video or just http?



> -----Original Message-----
> From: Dean Smith [mailto:dean at eatworms.org.uk]
> Sent: Saturday, January 28, 2012 2:27 PM
> To: Matthew Huff; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Outbound drops on 6748
> 
> Its user web browsing (no multicast) and  the flow is :-
> 
> Clients -> ACE (load Balance)-> 6748 -> Appliance -> 6748 -> 6708 -> 
> Upstream Router (10Gb/s ASR) -> Internet
> 
> So yes the traffic arriving on the appliance port is requests from the 
> ACE and return traffic from a 10Gb/s ASR port
> 
> Dean
> 
> ----Original Message-----
> From: Matthew Huff [mailto:mhuff at ox.com]
> Sent: 28 January 2012 15:45
> To: 'Dean Smith'; 'cisco-nsp at puck.nether.net'
> Subject: RE: [c-nsp] Outbound drops on 6748
> 
> What is the type of data? Is it bursty? Is the data coming from an 
> bigger pipe upstream?
> 
> You are likely hitting microbursts. The traffic levels you state are 
> measured over an interval (30 seconds minimum probably). During peak 
> activity you can easy overrun the buffers on the 6748 if your upstream 
> data is coming from > 1gb and/or multicast. Since the 6748 has the 
> deepest buffer of any linecards of the 6500, you might have to look at 
> an Arista or Cisco 30xx aggregation switch that can handle the
microbursts.
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net 
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dean Smith
> > Sent: Saturday, January 28, 2012 6:40 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Outbound drops on 6748
> >
> > We have some web security appliances connected via 1Gb/s copper  to
> > 6748 Line cards in a Cat 6513 with Sup720. The appliance 
> > manufacturer assures us the appliances can cope with traffic well 
> > above 800Mb/s (The traffic is always equal in both directions)
> >
> >
> >
> > We have previously seen traffic levels > 500Mb/s for a period 
> > without any issue. However more recently we have seen elevated 
> > response times to the appliances as the bandwidth approaches 
> > 400Mb/s. Investigations show we're seeing outbound drops now as we 
> > approach those speeds. We have qos enabled on the chassis but these 
> > particular ports have up till now been left at default queue 
> > setting. All the traffic is in queue 0 which currently only has 50% 
> > of the queues. We have now amended that to 90% but will have to wait 
> > until the next peak in traffic
> to judge the impact.
> >
> >
> >
> > However I'm a little unsure why we previously saw no issue @ 500Mb/s 
> > but do now @ 400Mb/s. Nothing has changed on the appliances - 
> > however we did remove some other redundant 6148A cards to allow the 
> > switch to operate in full DFC mode. I don't have outbound 
> > errors/drops from before the cards were removed but response times 
> > certainly didn't show the
> increase.
> >
> >
> >
> > Is it likely/possible that when operating in CFC mode the 
> > chassis/CFC was effectively buffering the packets better before 
> > hitting the switchport.but now they're arriving directly via DFC the 
> > individual port buffers are struggling ?. If that theory doesn't 
> > hold water..any
> other suggestions ?
> >
> >
> >
> > What bi-directional throughput is reasonable to expect from a 6748 port
?
> >
> >
> >
> > (If it makes any difference the chassis build has 1x original ACE, 
> > 3xFWSM,
> > 2x6704 ,1x6708 and 2x6748+ 1 xSup720. All the line cards now have 
> > DFC 3B (or 3C for 6708) where appropriate)
> >
> >
> >
> > Thanks
> >
> > Dean
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list