Securestack Slow Host/Management Functions

Symptoms
  • Slow TFTP firmware transfer
  • High ping response times
  • Random ping drops
  • Ping response times normal, then spiking to high response times
  • Performance of subnet relay (e.g. Wake-on-LAN, DNS, Bootp/DHCP) via the forward-protocol function is adversely affected.
  • Performance of host management (e.g. SSH, Telnet, TACACS, TFTP, SNTP/NTP, SNMP, PING/ICMP) functions is adversely affected.
  • Host management of the SecureStack is configured on the Data/User VLAN
Environment
  • G-Series, firmware 6.42.01.0046 through 6.61.08.0013
  • C5-Series, firmware 6.41.00.0022 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
  • C3-Series, firmware 6.42.01.0046 through 6.61.08.001
  • B5-Series, firmware 6.41.00.0022 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
  • B3-Series, firmware 6.42.01.0046 through 6.61.08.001
  • Host VLAN 
  • Management 
Cause
A high volume of broadcast, multicast and unicast traffic is flooded to the host CPU; the host does not need this traffic and should not have to process it.
Resolution
  1. Upgrade the firmware on SecureStack B3/C3 to 6.61.09.0012 or higher.
  2. Upgrade the firmware on SecureStack B5/C5 to 6.71.03.0025 or higher.
  3. Upgrade the firmware on the G-Series to 6.61.09.x or higher.
  4. A more secure option, in addition to the upgrade, is to create a management VLAN dedicated to in-band management of the switches, moving the host IP out of the previously assigned user VLAN. This isolates the host and switch management from user traffic, i.e. broadcast and multicast that the switches do not need to process.
  5. Enable IGMP on the VLANs to scope multicast traffic.

The release notes document the change in the 'Changes and Enhancements in 6.61.09.0012' section:

G-Series:
16073  Adjusted the priority of packets destined to the IPv4 address of loopback interface 1 (if configured), to increase the ability to maintain management when there are large volumes of traffic trapped to the host CPU.

C5-Series:
16073  Adjusted the priority of packets destined to IPv4 primary and loopback interface addresses, to increase the ability to maintain management, when there are large volumes of traffic trapped to the host CPU.

C3-Series:
16073  Adjusted the priority of packets destined to IPv4 loopback interface addresses, to increase the ability to maintain management, when there are large volumes of traffic trapped to the host CPU.

B5-Series:
16073  Adjusted the priority of packets destined to primary IPv4 and loopback interface addresses, to increase the ability to maintain management, when there are large volumes of traffic trapped to the host CPU.

For the C5/B5, you may also upgrade to firmware 6.71.03.0025 or higher.

Release notes state, in the 'Changes and Enhancements in 6.71.03.0025' section:
16073  Adjusted the priority of packets destined to IPv4 primary and loopback interface addresses, to increase the ability to maintain management, when there are large volumes of traffic trapped to the host CPU.

Pre-upgrade workaround: Adjust the priority of legitimate host-destined or host-relayed traffic somewhere between its transmission and its receipt by the local host.

One prioritization option is to set the CoS/Priority of management traffic at the (untagged first-hop) edge so that the priority carried in the VLAN tag of the last hop has a value of 3 or higher. There are several methods to do this, including Policy, Access Control Lists (ACLs) using the assign-queue option (f/w 6.51.01.0018 and higher), and Port Priority ('set cos state disable', 'set port priority <port#> 3'). The most granular method is to use Policy.

These sample Policy configurations may be used on ingress at the first or an intermediate hop, or on the tagged last hop. They may be applied to any policy-compliant switch (including the affected switches under discussion) within the data path, to identify host-destined traffic and raise its priority to 3 for assignment to transmit queue 2, which is the minimum queue number necessary to maintain good performance while flooded traffic occupies transmit queue 1.
The suggested rules may be tailored as desired to best accommodate network requirements, taking into account which devices need to connect to management, where they are located, and which protocols they need to use. The reprioritization action is triggered when any of the underlying rules matches a packet being examined.

Example 1 (generic)

set policy profile 1 name manager           [Creates a role/profile #1, named "manager"]
set policy rule 1 ipdestsocket x.x.x.x mask 32 cos 3  [Matches the Interface IP destination]

Example 2 (focused)

set policy profile 1 name manager           [Creates a role/profile #1, named "manager"]
set policy rule 1 ipdestsocket x.x.x.x:22 mask 48 cos 3  [Matches SSH to the Interface IP]
set policy rule 1 ipdestsocket x.x.x.x:23 mask 48 cos 3  [Matches Telnet to the Interface IP]
set policy rule 1 ipdestsocket x.x.x.x:49 mask 48 cos 3  [Matches TACACS to the Interface IP]
set policy rule 1 ipdestsocket x.x.x.x:69 mask 48 cos 3  [Matches TFTP to the Interface IP]
set policy rule 1 ipdestsocket x.x.x.x:123 mask 48 cos 3 [Matches SNTP/NTP to the Interface IP]
set policy rule 1 ipdestsocket x.x.x.x:161 mask 48 cos 3 [Matches SNMP to the Interface IP]
set policy rule 1 ipdestsocket 255.255.255.255:0 mask 48 cos 3  [Matches WoL for relay]
set policy rule 1 ipdestsocket 255.255.255.255:7 mask 48 cos 3  [Matches WoL for relay]
set policy rule 1 ipdestsocket 255.255.255.255:9 mask 48 cos 3  [Matches WoL for relay]
set policy rule 1 ipdestsocket 255.255.255.255:53 mask 48 cos 3 [Matches DNS for relay]
set policy rule 1 ipdestsocket 255.255.255.255:67 mask 48 cos 3 [Matches Bootp/DHCP for relay]
set policy rule 1 ipdestsocket 255.255.255.255:68 mask 48 cos 3 [Matches Bootp client for relay]
set policy rule 1 ipproto 1 cos 3                   [Matches PING/ICMP, to host or pass-through]
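The following Python model of Examples 1 and 2 is an added illustration, not Extreme/Enterasys code and not part of the original article. It generates the 'set policy' command lines for a chosen host IP (the constructed address 10.1.1.1 stands in for x.x.x.x) and then evaluates constructed sample packets against the same rules, so the effect of the 'mask 32' (address only) versus 'mask 48' (address plus L4 port) forms, and of the catch-all 'ipproto 1' rule, can be checked before a profile is enforced on a switch. It assumes that an ipdestsocket value is a 48-bit field of IPv4 address followed by port, that unmatched traffic keeps a default CoS of 0, and that the first matching rule decides; none of these details are stated by the article.

```python
"""Model of the Example 1/2 policy rules (added illustration, not
Extreme/Enterasys code). Generates the CLI lines for a host IP and
classifies constructed sample packets against them.

Assumptions (not stated in the article): an ipdestsocket value is a 48-bit
field (32-bit IPv4 address, then 16-bit L4 port), so 'mask 32' compares the
address only and 'mask 48' the address and port; unmatched traffic keeps a
default CoS of 0; rules are evaluated in order and the first match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ICMP = 1  # IP protocol number matched by 'ipproto 1'

# Destination ports from Example 2 that address the switch host IP
HOST_PORTS = [(22, "SSH"), (23, "Telnet"), (49, "TACACS"), (69, "TFTP"),
              (123, "SNTP/NTP"), (161, "SNMP")]
# Limited-broadcast destinations from Example 2 that the switch relays
RELAY_PORTS = [(0, "WoL"), (7, "WoL"), (9, "WoL"), (53, "DNS"),
               (67, "Bootp/DHCP"), (68, "Bootp client")]


@dataclass(frozen=True)
class Rule:
    kind: str          # "ipdestsocket" or "ipproto"
    value: int         # protocol number, or the 48-bit ip:port socket value
    mask: int          # significant bits of the socket value (32 or 48)
    cos: int = 3
    comment: str = ""

    def matches(self, dst_ip: str, dst_port: int, proto: int) -> bool:
        """True if this rule classifies the packet (assumed mask semantics)."""
        if self.kind == "ipproto":
            return proto == self.value
        packet = (int(ipaddress.IPv4Address(dst_ip)) << 16) | dst_port
        keep = ((1 << self.mask) - 1) << (48 - self.mask)  # top `mask` bits
        return (packet & keep) == (self.value & keep)

    def cli(self, profile: int = 1) -> str:
        """Render the rule as its 'set policy rule' command."""
        if self.kind == "ipproto":
            return f"set policy rule {profile} ipproto {self.value} cos {self.cos}"
        ip = ipaddress.IPv4Address(self.value >> 16)
        port = self.value & 0xFFFF
        target = f"{ip}:{port}" if self.mask > 32 else str(ip)
        return (f"set policy rule {profile} ipdestsocket {target} "
                f"mask {self.mask} cos {self.cos}")


def socket_rule(ip: str, port: Optional[int], comment: str) -> Rule:
    """Build an ipdestsocket rule; port=None gives the address-only 'mask 32' form."""
    value = int(ipaddress.IPv4Address(ip)) << 16 | (port or 0)
    return Rule("ipdestsocket", value, 32 if port is None else 48, 3, comment)


def build_rules(host_ip: str, focused: bool = True) -> List[Rule]:
    """Example 1 (generic, focused=False) or Example 2 (focused=True) rule set."""
    if not focused:
        return [socket_rule(host_ip, None, "Matches the Interface IP destination")]
    rules = [socket_rule(host_ip, p, f"Matches {name} to the Interface IP")
             for p, name in HOST_PORTS]
    rules += [socket_rule("255.255.255.255", p, f"Matches {name} for relay")
              for p, name in RELAY_PORTS]
    rules.append(Rule("ipproto", ICMP, 0, 3, "Matches PING/ICMP, to host or pass-through"))
    return rules


def render_cli(rules: List[Rule], profile: int = 1, name: str = "manager") -> List[str]:
    """Full command list for the profile, ready to review before applying."""
    return [f"set policy profile {profile} name {name}"] + [r.cli(profile) for r in rules]


def classify(rules: List[Rule], dst_ip: str, dst_port: int, proto: int,
             default_cos: int = 0) -> int:
    """CoS the packet leaves with: the first matching rule's value, else the default."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port, proto):
            return rule.cos
    return default_cos


if __name__ == "__main__":
    host = "10.1.1.1"  # constructed example management address
    rules = build_rules(host)
    print("\n".join(render_cli(rules)))
    # Constructed sample packets: (label, dst_ip, dst_port, ip_proto)
    samples = [("SSH to host", host, 22, 6), ("HTTP to host", host, 80, 6),
               ("SSH to other host", "10.1.1.2", 22, 6),
               ("DHCP broadcast", "255.255.255.255", 67, 17),
               ("ICMP echo anywhere", "192.168.5.5", 0, ICMP)]
    for label, ip, port, proto in samples:
        print(f"{label:20s} -> cos {classify(rules, ip, port, proto)}")
```

Running the script shows the trade-off between the two examples: the focused rule set leaves HTTP to the host IP and SSH to any other address at the default CoS, while the generic 'mask 32' rule lifts every packet addressed to the host IP regardless of port. The 'ipproto 1' rule raises ICMP to any destination, which is why the article notes it covers pass-through traffic as well as pings to the host.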

To statically apply the policy to all ingress port(s):
set policy port ge.*.* 1
Note that this command is supported for standalone ports only, not LAG aggregator ports.

To instead dynamically apply the policy to the authenticated management user, use authentication

If NetSight Policy Manager has been deployed, then it should be used to apply these configurations, as any manual policy configuration will be overwritten by PM's policy enforcement.
