Dynamic SCT - Marvell-switching/switchdev-prestera GitHub Wiki
In order to protect the CPU from being flooded with traffic it has to process, Switchdev provides a mechanism to limit traffic that gets processed by the CPU - dynamic (runtime) Secure Control Traffic (SCT) configuration.
The limitation is done per-group in packets-per-second (pps) resolution value. There is an initial configuration that is applied by the driver upon initiation. This configuration can be revised by the user.
SCT init values
| Traffic type | TC (queue) | Rate (pps) |
|---|---|---|
| BGP (routing protocol) | 7 | 1000 |
| All-Routers MC (used by BGP) | 7 | 100 |
| STP BPDU | 7 | 200 |
| LACP | 7 | 200 |
| VRRP | 7 | 200 |
| OSPF | 7 | 1000 |
| ISIS | 7 | 1000 |
| LLDP | 6 | 200 |
| 802.1X PAE | 6 | 200 |
| CDP | 6 | 200 |
| SSH | 5 | 1000 |
| Telnet | 5 | 200 |
| DHCP BC | 4 | 100 |
| ICMP | 4 | 100 |
| ARP reply to me | 4 | 300 |
| ARP BC | 4 | 100 |
| IGMP | 4 | 400 |
| IP to My address | 2 | 10000 |
| IP BC | 2 | 100 |
| IP route default | 1 | 400 |
| All other | 0 | 100 |
| ACL default trap | 0-7 | 4000 |
User configuration (temporary debugfs interface for rate configuration)
The Prestera Driver implements a set of temporary debugfs interfaces that provide a userspace interface to configure rate limiting (pps) of a specified packet type/group. These interface settings are located under root of debugfs mounted point, under ‘prestera/sct/’ subfolder.
Reading SCT configuration
ls /sys/kernel/debug/prestera/sct/
all_unspecified_cpu_opcodes sct_igmp
sct_acl_trap_queue_0 sct_ip_bc
sct_acl_trap_queue_1 sct_ip_to_me
sct_acl_trap_queue_2 sct_isis
sct_acl_trap_queue_3 sct_lacp
sct_acl_trap_queue_4 sct_lldp
sct_acl_trap_queue_5 sct_nat
sct_acl_trap_queue_6 sct_ospf
sct_acl_trap_queue_7 sct_special_ip4_icmp_redirect
sct_arp_intervention sct_special_ip4_mtu_exceed
sct_arp_to_me sct_special_ip4_options_in_ip_hdr
sct_bgp sct_special_ip4_zero_ttl
sct_bgp_all_routers_mc sct_ssh
sct_cdp sct_stp
sct_default_route sct_telnet
sct_dhcp sct_vrrp
sct_icmp
NOTE: /sys/kernel/debug in this example is shown only because it's the most used mount-point of debugfs.
Writing (configuring) SCT
Setting a custom rate of a group:
echo 200 > /sys/kernel/debug/prestera/sct/sct_ssh
cat /sys/kernel/debug/prestera/sct/sct_ssh
sct_ssh: 200 (pps)
Disabling SCT
Set ‘0’ value to the specified file interface to disable SCT limiting.
Rate limiter behavior
The mechanism in which the static traps are policed is as follows: The timeline is split into windows, and each window is 1/100 for Aldrin2 device, and 1/10 for any other device, per second. The Driver counts packets in a window and if they hit a set limit - any excess packets will be dropped during that window.
For example: if a packet type has a limit of 200 pps, then only 20 packets of that type would be allowed in each window. And because there are 10 windows in a second, the total rate would be 20 * 10 = 200 pps. But if packets are sent in quick bursts (e.g., 1000 packets at line rate), then all of the packets get counted towards a single window and only 20 packets are trapped to CPU.
NOTES
- 65K is a maximum ('unlimited') SCT value user can set.
- Setting SCT group limit value equal to zero automatically 'disables' (sets 65K_) limit value.