02-06-2016 01:10 AM - edited 03-08-2019 04:29 AM
Hi all,
I have a stack with two WS-C3650-48TD and IPBase license. I have enabled ipv4 routing with a few SVIs (VLAN interfaces for a few low traffic customers) and I'm running OSPF.
Yesterday, a DDOS attack was *routed* through the WS-C3650. At the input interface I had 1G of traffic with about 300Kpps and at the output interface I had 70Mbps of traffic and 17Kpps...
This means to me that the 3650 managed to route only 17Kpps of ipv4 traffic that passed by the switch and that the rest of traffic was dropped.
The million dollar question is:
Does the WS-C3650-48TD do IPv4 routing in hardware or software? Because if it does it in software, then what's the point of supporting 1000 SVIs and 24000 routes and routing protocols as the PDF says.
Thanx,
Sp
02-06-2016 02:05 AM
All L3 switches route in hardware.
However certain types of packet, certain options used etc. can cause the switch to send packets to the main CPU ie. process switching and this is when the performance of a L3 switch can drop.
Jon
02-06-2016 02:29 AM
thanx for your response.
What kind of options/configurations are you referring to?
I'm not actually using any features. It is just a VLAN interface without any other features enabled.
Something like:
interface Vlan1
ip address x.x.x.23 255.255.255.248
no ip proxy-arp
ip ospf cost 100
arp timeout 300
end
One thing I can see for some of the routing VLANs:
sw5#sh interfaces stats
Vlan1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 23256751 2093578079 0 0
Route cache 0 0 88173408 19860239378
Total 23256751 2093578079 88173408 19860239378
Vlan10
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 101198618 9530828009 0 0
Route cache 611697 157207480 1217409 156343754
Total 101810315 9688035489 1217409 156343754
while the SVIs report:
Vlan1 is up, line protocol is up
Internet address is x.x.x.x/29
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 9000 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Check hwidb
Vlan10 is up, line protocol is up
Internet address is x.x.x.x/29
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 9000 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Check hwidb
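A quick way to triage "show interfaces stats" output like the one pasted above is to parse it and compute, per SVI, the share of inbound packets that took the Processor (process-switched) path. This is an added helper, not something from the thread or from Cisco; the sample text is constructed to match the shape of the output above, and the 50% threshold is an arbitrary assumption. One caveat: on Catalyst switches these counters only cover packets that reached the IOS software paths, so a high Processor share tells you what reached the CPU was process switched, not what fraction of all forwarded traffic was punted; compare with the interface's hardware counters for that.

```python
import re

# Constructed sample in the shape of "show interfaces stats" (values copied from the post).
SAMPLE = """\
Vlan1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 23256751 2093578079 0 0
Route cache 0 0 88173408 19860239378
Total 23256751 2093578079 88173408 19860239378
Vlan10
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 101198618 9530828009 0 0
Route cache 611697 157207480 1217409 156343754
Total 101810315 9688035489 1217409 156343754
"""

# One counter row: path name followed by four integer columns.
ROW = re.compile(r"^(Processor|Route cache|Distributed cache|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_interface_stats(text):
    """Return {ifname: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m and current is not None:
            stats[current][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        elif not line.startswith("Switching path"):
            # Any other non-empty line is an interface header such as "Vlan10".
            current = line
            stats.setdefault(current, {})
    return stats


def punt_ratio(stats, ifname):
    """Fraction of inbound software-seen packets on ifname that hit the Processor path."""
    paths = stats[ifname]
    total_in = paths["Total"][0]
    if total_in == 0:
        return 0.0
    return paths["Processor"][0] / total_in


def flag_punted_svis(stats, threshold=0.5):
    """Interfaces whose Processor share of inbound packets exceeds threshold (assumed 50%)."""
    return sorted(name for name in stats if punt_ratio(stats, name) > threshold)
```

Run `flag_punted_svis(parse_interface_stats(SAMPLE))` against your own output to see which SVIs are worth checking for the punt causes discussed in this thread.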
02-06-2016 02:40 AM
Each platform has its own limitations.
As a general rule any packet sent to or from the switch itself, e.g. pinging an IP on the switch, would be process switched because the packet has to travel up and down the TCP/IP stack.
Using ACLs with the log keyword can also be an issue.
For your specific platform using deny lines in a PBR ACL will also cause those packets to be process switched.
If it is just a very basic configuration and the packets were being sent through the switch as opposed to being sent to the switch itself then they should be hardware switched and this should have minimal effect on the main CPU.
Jon