450xx gre tunnel and tcpmss

blackmetal
Level 1

Hello,

I have a pair of 4500X in VSS mode and I have 10-12x GRE tunnels:

1. All of our tunnels will sing around 500 Mbps and 100-300k pps. Is it OK? Can the 4500X handle it? As I read, it will handle GRE in hardware.

2. If I apply the tcp mss command on a GRE tunnel, does it impact the CPU, or will it be handled in hardware as well?

Thank you.

8 Replies

Reza Sharifi
Hall of Fame

Hi,

10-12x GRE tunnels should not be an issue since it is switched in hardware starting with 3.7.1E. As for the tcp mss command, I would configure it on a couple of interfaces and watch the CPU for a few days. If no issues, add more...

 

HTH

blackmetal
Level 1

I just want to use tcp mss on my GRE interfaces, not on all of the SVIs, so I want to make sure: will tcp mss be handled in hardware or by the CPU?

Correct. I would configure it on a couple of gre interfaces and watch the behavior for some time. Not sure if it is handled in hardware or CPU on the 4500x, but I think if you test a few at a time, you would learn the behavior.

int s0 
ip tcp adjust-mss xxxx

 

int s1 
ip tcp adjust-mss xx 

 

Joseph W. Doherty
Hall of Fame

Unsure whether adjust TCP MSS is supported within hardware or not on your 4500x, but even if not, unless you have many new GRE TCP sessions being created, it's normally not a serious CPU consumer (as it only comes into play during the initial TCP session setup).

However, if all your other GRE traffic is not supported in hardware, on most switches, it doesn't take much of a CPU load to overload the switch. (This is because the switch is designed to handle "expected" data plane traffic via dedicated hardware.)

What if I receive TCP SYN attacks? Does it not affect the CPU? (If the attack is towards my services, not the switch control plane.) In this situation, if I adjust TCP MSS, does it not affect the CPU so much? (If it is not handled in hardware?)

Is it possible for one of the Cisco engineers to confirm whether tcp mss is handled in hardware or by the CPU on the 4500X?

Thank you.

Unsure about TCP SYN attacks. So, yes, if a switch's CPU is processing TCP adjust MSS, then yes such attacks might spike the switch's CPU.

Didn't realize you were asking about DoS attacks, which, for some, don't often need to be "fancy" to create network issues.

Ideally, for something like TCP attacks, the device providing the TCP adjust MSS function would be "behind" some form of FW that protects it from such attacks.

blackmetal
Level 1

Maybe I explained wrongly.

What I meant was: if I receive attacks from the GRE tunnel towards my servers inside my network, and if I have tcp mss adjust in my GRE config, does it impact the switch CPU, because it's transit traffic?

In such a situation, I'm unsure how the switch would deal with a TCP SYN attack, but if there are many TCP packets the switch is trying to adjust the MSS for, yes the switch's CPU may spike. How adverse that would be would also depend on what Cisco task priority has been assigned to this feature.
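
The replies above note that MSS adjustment only comes into play during TCP session setup, and that many SYNs mean that much per-packet work for whatever performs it. As an added illustration (not from the thread and not Cisco's implementation), this sketch shows what an MSS clamp does to one segment: it ignores anything without SYN set, walks the TCP options, lowers the MSS and patches the checksum incrementally. The names `clamp_mss` and `build_segment`, the addresses and the 1436 value used in testing are constructed for the example.

```python
import struct

U16 = struct.Struct("!H")

def fold(s: int) -> int:
    while s >> 16:                                # one's-complement carry fold
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(data: bytes) -> int:                 # full Internet checksum, used to verify
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def clamp_mss(tcp: bytes, max_mss: int) -> tuple[bytes, bool]:
    """Lower the MSS option of a SYN or SYN-ACK to max_mss; return (segment, changed)."""
    if len(tcp) < 20 or not tcp[13] & 0x02:       # segments without SYN are never parsed
        return tcp, False
    hdr_len = (tcp[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        return tcp, False                         # malformed data offset: leave untouched
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:        # kind 0 = end of option list
        if tcp[i] == 1:                           # kind 1 = NOP, one byte, no length
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:
            break                                 # malformed option: stop parsing
        if tcp[i] == 2 and length == 4:           # kind 2 = MSS
            old = U16.unpack_from(tcp, i + 2)[0]
            if old <= max_mss:
                return tcp, False
            out = bytearray(tcp)
            U16.pack_into(out, i + 2, max_mss)
            s = ~U16.unpack_from(tcp, 16)[0] & 0xFFFF
            for k in range((i + 2) & ~1, (i + 5) & ~1, 2):  # RFC 1624 eq. 3 over aligned words
                s += (~U16.unpack_from(tcp, k)[0] & 0xFFFF) + U16.unpack_from(out, k)[0]
            U16.pack_into(out, 16, ~fold(s) & 0xFFFF)
            return bytes(out), True
        i += length
    return tcp, False

# Constructed sample: pseudo-header for 192.0.2.1 -> 198.51.100.1 (protocol 6) and a segment builder.
PSEUDO = bytes([192, 0, 2, 1, 198, 51, 100, 1, 0, 6])

def build_segment(mss: int, flags: int = 0x02) -> bytes:
    seg = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x60, flags, 65535, 0, 0) + struct.pack("!BBH", 2, 4, mss)
    csum = checksum(PSEUDO + U16.pack(len(seg)) + seg)
    return seg[:16] + U16.pack(csum) + seg[18:]
```

Every segment still has its flags checked, but only SYN and SYN-ACK segments reach the option walk and rewrite; a transit SYN flood forces that path for each packet.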
