Switch VLANs Very High CPU

jmginer · May 31, 2019, 10:05am

Hi, I have a CHR x86 for routing and peering at DECIX Madrid.

Additionally DECIX provides me with the same cable peering in Lisbon through a VLAN.

The DECIX cable, I have it connected to an intermediate CRS switch.

What I do is connect the CRS cable to the CHR with 2 VLANs, one for Lisbon (vlan11) and one for Madrid (vlan10).

The problem is that the CPU of the switch is very high, with only 50.000 PPS the CPU reaches +40%.

This is my configuration. Is something wrong?

Thank you!

# model = CRS317-1G-16S+

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=sfp-sfpplus1-DECIX-IN
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-DECIX-OUT speed=10Gbps

/interface vlan
add interface=sfp-sfpplus1-DECIX-IN name=vlan-DECIX-Lisbon-IN vlan-id=11
add interface=sfp-sfpplus2-DECIX-OUT name=vlan-DECIX-Lisbon-OUT vlan-id=11
add interface=sfp-sfpplus2-DECIX-OUT name=vlan-DECIX-Madrid-OUT vlan-id=10

/interface bridge
add name=bridge-decix-lisbon protocol-mode=none
add name=bridge-decix-madrid protocol-mode=none

/interface bridge port
add bridge=bridge-decix-madrid interface=sfp-sfpplus1-DECIX-IN
add bridge=bridge-decix-madrid interface=vlan-DECIX-Madrid-OUT
add bridge=bridge-decix-lisbon interface=vlan-DECIX-Lisbon-IN
add bridge=bridge-decix-lisbon interface=vlan-DECIX-Lisbon-OUT

/ip firewall connection tracking
set enabled=no

mkx · May 31, 2019, 12:07pm

Right now all packets between VLANs (and access ports towards your CHR) are passing CRS’ weak CPU.

You should reconfigure CRS to use single bridge and vlan-filtering … you can have a look at this fine tutorial.
Your CRS3xx will then deal with VLANs in hardware (switch chip).

jmginer · June 4, 2019, 10:56am

I think I’ve solved, at least is working and only using 2% CPU…

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=BR1 interface=sfp-sfpplus1-DECIX-IN
add bridge=BR1 interface=sfp-sfpplus2-DECIX-OUT

/interface bridge vlan
add bridge=BR1 tagged=sfp-sfpplus2-DECIX-OUT untagged=sfp-sfpplus1-DECIX-IN vlan-ids=10
add bridge=BR1 tagged=sfp-sfpplus1-DECIX-IN,sfp-sfpplus2-DECIX-OUT vlan-ids=11

/interface ethernet switch rule
add switch=switch1 ports=sfp-sfpplus1-DECIX-IN vlan-header=not-present new-vlan-id=10

mkx · June 4, 2019, 3:53pm

Your latest config mixes bridge vlan concept and HW based concept. The last setting (/interface ethernet switch rule) can probably be replaced by

/interface bridge port
set [ find name=sfp-sfpplus1-DECIX-IN ] pvid=10

jmginer · June 4, 2019, 6:30pm

You’re right, fixed, thanks!

Now I have my transit upstreams connected directly to the CHR. Tomorrow I will try with one of them to pass it through the switch.
I suppose I can create a new bridge? Or do I have to use a single bridge to take advantage of HW acceleration?

mkx · June 4, 2019, 7:07pm

Manual says that only single bridge can be HW offloaded … so you better stick to single bridge and use whatever means available to partition switch (either use VLANs with access ports or port isolation … the later being switch chip feature which brings you back to a mix of bridge and HW setup)

jmginer · June 5, 2019, 3:08pm

Got it!

I’ve created the isolated ports and a unique bridge.
I’ve connected my upstreams (3 x FULL BGP) and all the traffic is working fine.
The bridge is returning “HW Offload” active on all ports.
And the CPU on the CRS is less 1-5% every time.

Many thanks! @mkx Please, send me a PM with your Paypal account to send you a gift.

mkx · June 5, 2019, 4:13pm

No PM on this forum. So kindly pass the offered gift to a charity of your choice, thank you.

jmginer · June 5, 2019, 8:06pm

done!

mkx · June 6, 2019, 5:15am

@jmginer: topic outcomes like this make contributing to this forum specially worthwhile.