Thank you very much Andrew !! I will do some benchmarks and get back to you to 
understand it better.

Thanks
Govind

> -----Original Message-----
> From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> Sent: Friday, March 27, 2020 7:52 AM
> To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
> Cc: vpp-dev@lists.fd.io; nd <n...@arm.com>
> Subject: Re: [vpp-dev] ACL question
> 
> > On 27 Mar 2020, at 00:47, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:
> >
> > 
> >
> > Hi Andrew,
> >
> >    I just found out that ACL action differentiates SF or SL. Following command enables SF and provides better performance.
> >
> >    “acl_add_replace -1 ipv4 permit+reflect dst 192.82.1.1/32”
> >
> >
> >
> >    Few more questions:
> >
> >    =================
> >
> >    Choosing between VPP Classifiers and ACL Plugin:
> >
> >
> > https://lists.fd.io/g/vpp-dev/message/5716?p=,,,20,0,0,0::relevance,,ACL,20,2,60,10641995
> >
> > You mentioned that VPP classifiers are faster than ACL plugin.
> > For <L2, L3, L4> field based classification, which one provides better data plane perf ?
> 
> 
> It depends. If you wanna simultaneously match on all three, there is
> currently no mechanism to generically do so.
> 
> But then every time I looked at the use cases claiming to require that, turned
> out it was a bad idea to represent the data this way - because of
> combinatorial explosion. Even ACLs themselves suffer from this issue - N
> sources times M destinations times K services equal N*M*K rules, which
> quickly skyrockets.
> 
> > Does classifier support ranges ?
> 
> 
> Classifier supports chained masked lookups. You might emulate ranges there.
> 
> That said, I had seen ranges used only in a tiny percentage of the cases. So
> they are a corner case imho.
> 
> 
> > Which one is better if the rate of ACL rule add/del is high / low?
> 
> 
> Classifier single table is your best bet probably. ACL plugin deliberately does
> not have an API to add/del a single rule - you always download the entire
> ACL.
> 
> > Whether ACL rule priority is supported in both the schemes ?
> 
> 
> First match for Acl and multi table classify case. Single table is just a hash
> lookup because the entries don’t overlap by definition
> 
> > Whether ACL Plugin SF mode will perform better than classifier ?
> 
> 
> I did not benchmark them. It's somewhat different use cases.
> 
> > Whether classifier also has SF mode ?
> 
> 
> Nope.
> 
> >
> >
> >    ACL Plugin:
> >
> > SF mode – How much of extra memory is needed compared to SL mode ?
> 
> 
> Depending on the number of active sessions... each session creates two
> bihash table entries, and consumes an entry in the session pool. The default
> values in the code for the bihash memory usage have been tested with half a
> million sessions - so you can extrapolate from those with some ballpark
> (though bihash memory usage is not linear wrt the entries, and also there is
> some extra memory churn due to bucket reallocations when the size
> increases).
> 
> —a
> 
> >
> >
> > Thanks
> >
> > Govind
> >
> >
> >
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of
> > Govindarajan Mohandoss via Lists.Fd.Io
> > Sent: Thursday, March 26, 2020 12:37 PM
> > To: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> > Cc: vpp-dev@lists.fd.io
> > Subject: Re: [vpp-dev] ACL question
> >
> >
> >
> > Hi Andrew,
> >
> >   Thanks for the document.
> >
> >   Can you please share the documents related to ACL plugin CLI config for both stateful & stateless modes ?
> >
> >
> >
> >    I tried the following commands for input ACL in VAT CLI. Not sure whether this is SL / SF ?
> >
> > “
> >
> > vat# acl_add_replace -1 ipv4 permit dst 192.82.1.1/32
> >
> > vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0
> >
> > vat# acl_interface_set_acl_list TenGigabitEthernet13/0/0 input 0
> >
> > vat# acl_interface_list_dump TenGigabitEthernet13/0/0
> >
> > vl_api_acl_interface_list_details_t_handler:115: sw_if_index: 3,
> > count: 1, n_input: 1
> >
> >    input 0
> >
> >
> >
> > vat# help acl_add_replace
> >
> > usage: acl_add_replace <acl-idx> [<ipv4|ipv6>] <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...
> >
> > “
> >
> >
> >
> > Thanks
> >
> > Govind
> >
> >
> >
> > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> > Sent: Thursday, March 26, 2020 4:49 AM
> > To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
> > Cc: vpp-dev@lists.fd.io; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang
> > Wang <jieqiang.w...@arm.com>; nd <n...@arm.com>
> > Subject: Re: [vpp-dev] ACL question
> >
> >
> >
> > As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers.
> >
> >
> >
> > Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs are different.
> >
> >
> >
> >  https://nonsns.github.io/paper/rossi19ton.pdf
> >
> >
> >
> > Is a reasonable read on the subject - also because it relates to VPP and the real project that we did a while ago.
> >
> >
> >
> > --a
> >
> >
> >>
> >> On 25 Mar 2020, at 17:26, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:
> >>
> >> 
> >>
> >> Hello ACL Maintainer,
> >>
> >>   We want to measure and optimize the ACL performance for ARM servers.  As per the foll. link, there are 4 different implementations of ACLs in VPP.
> >>
> >>   https://fd.io/docs/vpp/master/usecases/acls.html
> >>
> >>   We would like to start with most commonly used ACL implementation in VPP which can cover L2, L3 and L4 fields. As per the link above and CSIT reports (link below), it looks like ACL plugin is the right match.
> >>
> >>   Can you please confirm ? ACL plugin has 2 variants – Stateful & Stateless. Which is common and widely used in VPP ?
> >>
> >>
> >> https://docs.fd.io/csit/master/report/detailed_test_results/vpp_performance_results/index.html
> >>
> >>
> >>
> >> Thanks
> >>
> >> Govind
> >>
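
Added example, not part of the thread and not VPP code: a simplified Python model of what the answers above describe, namely first-match rule evaluation, the difference between `permit` (SL) and `permit+reflect` (SF), and the per-session cost of two hash entries plus one pool element. The class and function names are hypothetical, the packets are constructed sample data, and the model assumes that a packet matching no rule is denied and ignores interface direction.

```python
# Simplified model of first-match ACL evaluation with stateless "permit" and
# stateful "permit+reflect". Not VPP code; all names here are hypothetical.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str              # "permit", "permit+reflect" or "deny"
    dst: str = "0.0.0.0/0"   # destination prefix, as in "dst IP/plen"

    def matches(self, pkt):
        return ipaddress.ip_address(pkt[1]) in ipaddress.ip_network(self.dst)

class AclModel:
    def __init__(self, rules):
        self.rules = list(rules)   # order matters: first match wins
        self.session_hash = {}     # 5-tuple -> session index, two keys per session
        self.session_pool = []     # one element per active session

    def process(self, pkt):
        """pkt = (src, dst, proto, sport, dport); returns (verdict, path)."""
        if pkt in self.session_hash:          # existing session: skip the rule walk
            return "permit", "session"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit+reflect":
                    self._add_session(pkt)
                return ("deny" if rule.action == "deny" else "permit"), "acl"
        return "deny", "acl"                  # model assumption: no match means deny

    def _add_session(self, pkt):
        src, dst, proto, sport, dport = pkt
        idx = len(self.session_pool)
        self.session_pool.append(pkt)
        self.session_hash[pkt] = idx                               # forward key
        self.session_hash[(dst, src, proto, dport, sport)] = idx   # reverse key

def demo():
    fwd = ("10.0.0.5", "192.82.1.1", 6, 40000, 80)   # constructed sample packet
    rev = ("192.82.1.1", "10.0.0.5", 6, 80, 40000)   # its return traffic
    out = {}
    for action in ("permit", "permit+reflect"):
        acl = AclModel([Rule(action, "192.82.1.1/32")])
        paths = [acl.process(p) for p in (fwd, rev, fwd)]
        out[action] = (paths, len(acl.session_hash), len(acl.session_pool))
    return out

if __name__ == "__main__":
    print(demo())
```

In the model, N active sessions cost 2N hash entries and N pool elements; the non-linear bihash overhead mentioned in the reply comes on top of that.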