04-08-2021 04:37 AM
Hello,
I have a pair of 4500x in VSS mode and I have 10-12x GRE tunnels:
1. All of our tunnels will sing around 500 Mbps and 100-300k pps. Is that OK? Can the 4500x handle it? As I read, it will handle GRE in hardware.
2. If I apply the tcp mss command on a GRE tunnel, does it impact the CPU, or will it be handled in hardware as well?
Thank you.
04-08-2021 07:57 AM - edited 04-08-2021 07:57 AM
Hi,
10-12x GRE tunnels should not be an issue since it is switched in hardware starting 3.7.1E. As for the tcp mss command, I would configure it on a couple of interfaces and watch the CPU for a few days. If no issues, add more...
HTH
04-08-2021 07:59 AM
I just want to use tcp mss on my GRE interface, not on all of the SVIs, so I want to make sure: will tcp mss be handled in hardware or by the CPU?
04-08-2021 09:23 AM
Correct. I would configure it on a couple of gre interfaces and watch the behavior for some time. Not sure if it is handled in hardware or CPU on the 4500x, but I think if you test a few at a time, you would learn the behavior.
int s0
 ip tcp adjust-mss xxxx
int s1
 ip tcp adjust-mss xx
04-08-2021 10:05 AM
Unsure whether adjust TCP MSS is supported within hardware or not on your 4500x, but even if not, unless you have many new GRE TCP sessions being created, it's normally not a serious CPU consumer (as it only comes into play during the initial TCP session setup).
However, if all your other GRE traffic is not supported in hardware, on most switches, it doesn't take much of a CPU load to overload the switch. (This is because the switch is designed to handle "expected" data plane traffic via dedicated hardware.)
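Added example (not part of the thread, and not Cisco's implementation): a Python model of what an MSS clamp does to each packet, showing that only SYN segments are parsed and rewritten while established-flow packets pass untouched. The sample segments, addresses and the 1436 clamp value (1500-byte MTU minus 24 bytes of GRE/IP overhead minus 40 bytes of IP/TCP headers) are constructed assumptions.

```python
import struct

SYN = 0x02
# Constructed pseudo-header: 192.0.2.1 -> 198.51.100.7, proto 6, TCP length 24
PSEUDO = bytes([192, 0, 2, 1, 198, 51, 100, 7, 0, 6, 0, 24])

def fold(s: int) -> int:
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def csum16(data: bytes) -> int:
    """RFC 1071 checksum (even-length input); 0 means the checksum verifies."""
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def build_segment(flags: int, mss: int) -> bytes:
    """Constructed sample: 24-byte TCP header with a single MSS option."""
    seg = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, flags, 65535, 0, 0)
    seg += struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", csum16(PSEUDO + seg)) + seg[18:]

def clamp_mss(seg: bytes, max_mss: int):
    """Return (segment, rewritten). Non-SYN segments are never parsed."""
    if len(seg) < 20 or not seg[13] & SYN:
        return seg, False
    hdr_len, i = min((seg[12] >> 4) * 4, len(seg)), 20
    while i < hdr_len:
        kind = seg[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        length = seg[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:
            break                           # malformed option: leave packet alone
        if kind == 2 and length == 4:       # MSS option
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old <= max_mss:
                break                       # already small enough
            out = bytearray(seg)
            struct.pack_into("!H", out, i + 2, max_mss)
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
            hc = struct.unpack_from("!H", seg, 16)[0]
            new = ~fold((~hc & 0xFFFF) + (~old & 0xFFFF) + max_mss) & 0xFFFF
            struct.pack_into("!H", out, 16, new)
            return bytes(out), True
        i += length
    return seg, False
```

Every SYN costs an option walk plus a checksum update, so the per-packet work scales with the SYN rate rather than with total throughput.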
04-09-2021 07:53 AM
What if I receive TCP SYN attacks? Does it not affect the CPU? (If the attack is towards my services, not the switch control plane.) In this situation, if I adjust tcp mss, does it not affect the CPU so much (if it is not handled in hardware)?
Is it possible for one of the Cisco engineers to confirm whether tcp mss is handled in hardware or by the CPU on the 4500x?
Thank you.
04-10-2021 10:15 AM
Unsure about TCP syn attacks. So, yes, if a switch's CPU is processing TCP adjust MSS, then yes such attacks might spike the switch's CPU.
Didn't realize you were asking about DoS attacks, which, for some, don't often need to be "fancy" to create network issues.
Ideally, for something like TCP attacks, the device providing the TCP adjust MSS function would be "behind" some form of FW that protects it from such attacks.
04-10-2021 08:11 PM
Maybe I explained it wrongly.
What I meant was: if I receive attacks from the GRE tunnel towards my servers inside my network, and if I have tcp mss adjust in my GRE config, does it impact the switch CPU, because it's transit traffic?
04-11-2021 06:13 AM
In such a situation, I'm unsure how the switch would deal with a TCP SYN attack, but if there are many TCP packets the switch is trying to adjust the MSS for, yes the switch's CPU may spike. How adverse that would be would also depend on what Cisco task priority has been assigned to this feature.