> On 27 Mar 2020, at 00:47, Govindarajan Mohandoss 
> <govindarajan.mohand...@arm.com> wrote:
>
> 
>
> Hi Andrew,
>
>    I just found out that ACL action differentiates SF or SL. Following 
> command enables SF and provides better performance.
>
>    “acl_add_replace -1 ipv4 permit+reflect dst 192.82.1.1/32”
>
>
>
>    Few more questions:
>
>    =================
>
>    Choosing between VPP Classifiers and ACL Plugin:
>
>    
> https://lists.fd.io/g/vpp-dev/message/5716?p=,,,20,0,0,0::relevance,,ACL,20,2,60,10641995
>
> You mentioned that VPP classifiers are faster than ACL plugin.
> For <L2, L3, L4> field based classification, which one provides better data 
> plane perf ?


It depends. If you wanna simultaneously match on all three, there is
currently no mechanism to generically do so.

But then every time I looked at the use cases claiming to require
that, turned out it was a bad idea to represent the data this way -
because of combinatorial explosion. Even ACLs themselves suffer from
this issue - N sources times M destinations times K services equal
N*M*K rules, which quickly skyrockets.

> Does classifier support ranges ?


Classifier supports chained masked lookups. You might emulate ranges there.

That said, I had seen ranges used only in a tiny percentage of the
cases. So they are a corner case imho.


> Which one is better if the rate of ACL rule add/del is high / low?


Classifier single table is your best bet probably. ACL plugin
deliberately does not have an API to add/del a single rule - you
always download the entire ACL.

> Whether ACL rule priority is supported in both the schemes ?


First match for ACL and multi table classify case. Single table is
just a hash lookup because the entries don’t overlap by definition.

> Whether ACL Plugin SF mode will perform better than classifier ?


I did not benchmark them. It's somewhat different use cases.

> Whether classifier also has SF mode ?


Nope.

>
>
>    ACL Plugin:
>
> SF mode – How much of extra memory is needed compared to SL mode ?


Depending on the number of active sessions... each session creates two
bihash table entries, and consumes an entry in the session pool. The
default values in the code for the bihash memory usage have been
tested with half a million sessions - so you can extrapolate from
those with some ballpark (though bihash memory usage is not linear wrt
the entries, and also there is some extra memory churn due to bucket
reallocations when the size increases).

—a
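
Added example, not part of the original message and not VPP code: one way a port range can be emulated with masked lookups, as the reply above suggests for the classifier, is to split the range into aligned power-of-two blocks, each of which is a single value/mask entry. The names `port_match_t`, `range_to_masks` and `masks_match` are hypothetical and no VPP classifier API is used; the sample range is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* One masked match: a 16-bit port p matches when (p & mask) == value. */
typedef struct { uint16_t value; uint16_t mask; } port_match_t;

/*
 * Split the inclusive range [lo, hi] into the minimal list of aligned
 * power-of-two blocks, each expressible as one value/mask pair.
 * Returns the number of pairs written (at most 30 for 16-bit ports),
 * or -1 if the range is invalid or `out` is too small.
 */
int range_to_masks(uint16_t lo, uint16_t hi, port_match_t *out, int max_out)
{
    uint32_t cur = lo, end = (uint32_t)hi + 1;
    int n = 0;

    if (lo > hi)
        return -1;
    while (cur < end) {
        uint32_t size = 1;
        /* Double the block while it stays aligned at cur and inside the range. */
        while ((cur & (size * 2 - 1)) == 0 && cur + size * 2 <= end)
            size *= 2;
        if (n == max_out)
            return -1;
        out[n].value = (uint16_t)cur;
        out[n].mask = (uint16_t)~(size - 1);
        n++;
        cur += size;
    }
    return n;
}

/* Reference check: does port p hit any of the n masked entries? */
int masks_match(const port_match_t *m, int n, uint16_t p)
{
    for (int i = 0; i < n; i++)
        if ((p & m[i].mask) == m[i].value)
            return 1;
    return 0;
}

int main(void)
{
    port_match_t m[32];
    int n = range_to_masks(1024, 65535, m, 32); /* constructed sample range */
    for (int i = 0; i < n; i++)
        printf("value=0x%04x mask=0x%04x\n", m[i].value, m[i].mask);
    return 0;
}
```

A badly aligned range such as 1-65534 expands to 30 entries, and that count multiplies with every other ranged field in the same rule, which is the same combinatorial growth the reply describes for N*M*K rules.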

>
>
> Thanks
>
> Govind
>
>
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Govindarajan 
> Mohandoss via Lists.Fd.Io
> Sent: Thursday, March 26, 2020 12:37 PM
> To: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] ACL question
>
>
>
> Hi Andrew,
>
>   Thanks for the document.
>
>   Can you please share the documents related to ACL plugin CLI config for 
> both stateful & stateless modes ?
>
>
>
>    I tried the following commands for input ACL in VAT CLI. Not sure whether 
> this is SL / SF ?
>
> “
>
> vat# acl_add_replace -1 ipv4 permit dst 192.82.1.1/32
>
> vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0
>
> vat# acl_interface_set_acl_list TenGigabitEthernet13/0/0 input 0
>
> vat# acl_interface_list_dump TenGigabitEthernet13/0/0
>
> vl_api_acl_interface_list_details_t_handler:115: sw_if_index: 3, count: 1, 
> n_input: 1
>
>    input 0
>
>
>
> vat# help acl_add_replace
>
> usage: acl_add_replace <acl-idx> [<ipv4|ipv6>] 
> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] 
> [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...
>
> “
>
>
>
> Thanks
>
> Govind
>
>
>
> From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> Sent: Thursday, March 26, 2020 4:49 AM
> To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
> Cc: vpp-dev@lists.fd.io; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang 
> <jieqiang.w...@arm.com>; nd <n...@arm.com>
> Subject: Re: [vpp-dev] ACL question
>
>
>
> As an acl plugin author I can say both stateful and stateless ACLs are used 
> for different consumers.
>
>
>
> Various matching implementations in vpp are used in different use cases... 
> and there is not a single silver bullet magic answer, because the trade offs 
> are different.
>
>
>
>  https://nonsns.github.io/paper/rossi19ton.pdf
>
>
>
> Is a reasonable read on the subject - also because it relates to VPP and the 
> real project that we did a while ago.
>
>
>
> --a
>
>
>>
>> On 25 Mar 2020, at 17:26, Govindarajan Mohandoss 
>> <govindarajan.mohand...@arm.com> wrote:
>>
>> 
>>
>> Hello ACL Maintainer,
>>
>>   We want to measure and optimize the ACL performance for ARM servers.  As 
>> per the foll. link, there are 4 different implementation of ACLs in VPP.
>>
>>   https://fd.io/docs/vpp/master/usecases/acls.html
>>
>>   We would like to start with most commonly used ACL implementation in VPP 
>> which can cover L2, L3 and L4 fields. As per the link above and CSIT reports 
>> (link below), it looks like ACL plugin is the right match.
>>
>>   Can you please confirm ? ACL plugin has 2 variants – Stateful & Stateless. 
>> Which is common and widely used in VPP ?
>>
>>   
>> https://docs.fd.io/csit/master/report/detailed_test_results/vpp_performance_results/index.html
>>
>>
>>
>> Thanks
>>
>> Govind
>>
View/Reply Online (#15897): https://lists.fd.io/g/vpp-dev/message/15897