Fast path

The fast path is the Virtual Service Router component in charge of packet processing acceleration. There is only one instance of fast path, that can manage interfaces in several VRF.

Enable the fast path

To accelerate ethernet NICs, they must be dedicated to the fast path, and the fast path must be started:

vsr> edit running
vsr running config# system fast-path
vsr running fast-path#! port pci-b0s4
vsr running fast-path# port pci-b0s5
vsr running fast-path# show config
fast-path
    enabled true
    port pci-b0s4
    port pci-b0s5
    cp-protection
        budget 10
        ..
vsr running fast-path# commit

Note

use show state / network-port to see the list of available network ports with PCI ids; it can help choosing the right ports.

The same configuration can be made using this NETCONF XML configuration:

vsr running config# show config xml absolute system fast-path
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <fast-path xmlns="urn:6wind:vrouter/fast-path">
      <enabled>true</enabled>
      <cp-protection>
        <budget>10</budget>
      </cp-protection>
      <port>pci-b0s4</port>
      <port>pci-b0s5</port>
      <core-mask/>
      <crypto/>
      <advanced/>
      <limits/>
    </fast-path>
  </system>
</config>

Check the current state of the fast path:

vsr running fast-path# show state
fast-path
    port pci-b0s5
    port pci-b0s4
    enabled true
    core-mask
        fast-path 2-3
        exception 0
        linux-to-fp 2-3
        ..
    cpu-usage cpu2
        busy 0
        ..
    cpu-usage cpu3
        busy 0
        ..
    cp-protection
        budget 10
        ..
    crypto
        nb-session 0
        nb-buffer 0
        ..
    advanced
        nb-mbuf 32768
        offload false
        vlan-strip false
        power-mode performance
        frequency-scaling false
        intercore-ring-size 128
        software-txq 0
        reserve-hugepages true
        ipv4-netfilter-cache true
        ipv6-netfilter-cache true
        ipv4-pre-ipsec-fragmentation off
        ipv6-pre-ipsec-fragmentation off
        ..
    limits
        fp-max-vrf 16
        ..

Note

fast path starting can take several seconds.

Configuring the core masks

In the core-mask context, the assignation of cores can be customized. This includes:

  • The cores which are dedicated to the fast path for dataplane operations. The accepted values are either a policy (min, half, max) or a core mask. By default, half of the available cores on are dedicated to the fast path for dataplane operations.

  • Which dataplane cores (included in fast path mask) that receive packets from Linux. By default, all dataplane cores.

  • The control plane cores (disjoint of fast path mask) that receive exception packets. By default, the first control plane core.

  • The mapping between fast path cores and the ports, in other words which core polls which port. By default, each port is polled by each core of the same NUMA node.

Here is an example of configuration with a custom fast path core mask and exception mask:

vsr> edit running
vsr running config# system fast-path
vsr running fast-path#! port pci-b0s4
vsr running fast-path# core-mask
vsr running core-mask# fast-path 5,9-12
vsr running core-mask# exception 0-4
vsr running core-mask# ..
vsr running fast-path# show config
fast-path
    enabled true
    port pci-b0s4
    core-mask
        fast-path 5,9-12
        exception 0-4
        ..
    cp-protection
        budget 10
        ..
    ..
vsr running fast-path# commit

Note

use show state / system linux to see the list of available cores.

The same configuration can be made using this NETCONF XML configuration:

vsr running config# show config xml absolute system fast-path
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <fast-path xmlns="urn:6wind:vrouter/fast-path">
      <enabled>true</enabled>
      <core-mask>
        <fast-path>5,9-12</fast-path>
        <exception>0-4</exception>
      </core-mask>
      <cp-protection>
        <budget>10</budget>
      </cp-protection>
      <crypto/>
      <advanced/>
      <limits/>
      <port>pci-b0s4</port>
    </fast-path>
  </system>
</config>

Fast path limits configuration

The fast path capabilities can be tuned according to your requirements in terms of scalability and memory footprint. This is done through the fast path limits configuration.

Here is an example of configuration with a custom number of VRs and IPv4 routes:

vsr> edit running
vsr running config# system fast-path
vsr running fast-path#! port pci-b0s4
vsr running fast-path# limits
vsr running limits# fp-max-vrf 128
vsr running limits# ip4-max-route 1000000
vsr running limits# ..
vsr running fast-path# show config
fast-path
    enabled true
    port pci-b0s4
    cp-protection
        budget 10
        ..
    limits
        fp-max-vrf 128
        ip4-max-route 1000000
        ..
    ..
vsr running fast-path# commit

Warning

Similar changes may be required in system neighbor configuration and in system conntrack configuration.

Note

Default fast path scalability limits are automatically adjusted if memory is insufficient, to prevent startup failure due to lack of memory. show state / system fast-path limits can be used to check the actual values.

The same configuration can be made using this NETCONF XML configuration:

dut-vm running config# show config xml absolute system fast-path
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <fast-path xmlns="urn:6wind:vrouter/fast-path">
      <enabled>true</enabled>
      <core-mask/>
      <cp-protection>
        <budget>10</budget>
      </cp-protection>
      <crypto/>
      <advanced/>
      <limits>
        <fp-max-vrf>128</fp-max-vrf>
        <ip4-max-route>1000000</ip4-max-route>
      </limits>
      <port>pci-b0s4</port>
    </fast-path>
  </system>
</config>

Advanced fast path configuration

For advanced users, some fast path parameters can also be customized: the number of network packet buffers, the number of crypto buffers or sessions, the activation of advanced offload features, the exception core mask, the hardware queue mapping etc…

Please refer to the fast path crypto command reference and the fast path advanced command reference for details.

Reducing power consumption

The / system fast-path advanced power-mode configuration node selects a default power behavior:

  • performance (default): the fast path cores runs at their maximum speed to provide the lowest latency and highest throughput.

  • eco: in this mode, the recommended fast path settings are applied to reduce power consumption.

    It enables frequency scaling if it is supported in the environment where Virtual Service Router is running (currently, baremetal on Intel servers). The frequency of fast path cores is automatically adapted to fast path load.

    If frequency scaling is not available, the eco mode falls back to the usage of a mainloop delay: when the fast path load is low, the fast path cores are put to sleep during a short time (100 µs by default).

To take advantage of these power saving features, the machine BIOS has to be configured to:

  • let the operating system dynamically control individual core frequency (example: CPU Power Management = OS DPBM)

  • enable hardware CPU sleep states (example: C1E = Enabled, C States = Enabled)

  • scale uncore frequency dynamically (example: Uncore Frequency = Dynamic)

To enable power saving, you can change the power-mode value to eco:

vsr> edit running
vsr running config# system fast-path advanced
vsr running advanced# power-mode eco
vsr running advanced# commit

A custom value can be set for frequency-scaling and mainloop-delay-us. In this case, it overrides the default value corresponding to the configured power mode.

Please refer to the fast path advanced command reference for details.

Troubleshooting

Fast Path ports

Use show fast-path ports to list the ports that are currently used by the fast path.

vsr> show fast-path ports
Id Interface Port name VRF  Driver
== ========= ========= ===  ======
 0 eth1      pci-b0s4  main net_virtio
 1 eth2      pci-b0s5  main net_virtio
 2 eth3      pci-b0s6  main net_virtio

Fast Path statistics

Use show fast-path statistics to get the statistics recorded by the fast path:

vsr> show fast-path statistics
show-fast-path-statistics
  ipv4
      ip-forwarded-datagrams 56342521
      ip-in-received 56342521
      ..
  global
      fast-path-dropped 4
      fast-path-dropped-system 4
      ..
 [...]
  interface iface1-vr0
      accelerated true
      input-bytes 7857363852
      input-packets 22470833
      output-bytes 3940231251
      output-packets 11352582
      ..
 [...]
  ..

Note

The fast-path-dropped* and exceptions statistics can help diagnosing problems when too few or no packets are forwarded.

Fast Path CPU usage

Use show fast-path cpu-usage command to get the fast path usage per core:

vsr> show fast-path cpu-usage
cpu   busy
===   ====
cpu8  73%
cpu24 68%

It is a good indicator regarding how busy the fast path cores are, processing packets.

Control Plane Protection

In a network architecture, control packets are critical, since losing some of them has stronger consequences than losing data packets:

  • losing ARP packets can make a gateway unreachable

  • losing OSPF/BGP/… packets can make a network unreachable

  • losing IKE packets can prevent the setup of IPsec security associations

Control Plane Protection is a software mechanism that reduces the risk of dropping these control packets. It has an impact on performance, which can be tuned depending on the required throughput and criticity of losing control packets.

The software parser recognizes ARP, ICMP, ICMPv6, OSPF, VRRP, IKE, DHCP, DHCPv6, BGP, LACP, SSH packets. All can be encapsulated in vlan or QinQ.

Control Plane Protection is disabled by default. It can be enabled on a per-interface basis, for RX or TX, depending on the situation:

  • RX: the router is overloaded, the software is not able to dequeue the incoming packets fast enough, the hardware RX ring becomes full and the NIC starts to drop packets.

  • TX: the router tries to send more packets than what the network link supports, the hardware TX ring becomes full and the software starts to drop packets.

Control Plane Protection works according to a maximum CPU budget. If control plane packets are still dropped after enabling Control Plane Protection, it means that this budget has to be increased.

To enable Control Plane Protection on a physical interface:

vsr running config# system fast-path
vsr running fast-path#! port pci-b0s4
vsr running fast-path# cp-protection budget 10
vsr running fast-path# / vrf main interface physical eth0
vsr running physical eth0#! port pci-b0s4
vsr running physical eth0# rx-cp-protection true
vsr running physical eth0# tx-cp-protection true

The same configuration can be made using this NETCONF XML configuration:

vsr running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <fast-path xmlns="urn:6wind:vrouter/fast-path">
      <enabled>true</enabled>
      <core-mask/>
      <cp-protection>
        <budget>10</budget>
      </cp-protection>
      <crypto/>
      <advanced/>
      <limits/>
      <port>pci-b0s4</port>
    </fast-path>
  </system>
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        <enabled>true</enabled>
        <ipv4>
          <enabled>true</enabled>
        </ipv4>
        <ipv6>
          <enabled>true</enabled>
        </ipv6>
        <ethernet>
          <auto-negotiate>true</auto-negotiate>
        </ethernet>
        <port>pci-b0s4</port>
        <rx-cp-protection>true</rx-cp-protection>
        <tx-cp-protection>true</tx-cp-protection>
      </physical>
    </interface>
  </vrf>
</config>

Note

the Control Plane Protection feature only works when the fast path is enabled, if the feature is supported by the NIC driver.

Control Plane Protection provides statistics to monitor the number of filtered packets:

vsr running fast-path# show interface hardware-statistics eth0
  (...)
  fpn.rx_cp_passthrough: 0
  fpn.rx_cp_kept: 0
  fpn.rx_dp_drop: 0
  fpn.rx_cp_overrun: 0
  fpn.tx_cp_passthrough: 0
  fpn.tx_cp_kept: 0
  fpn.tx_dp_drop: 0
  fpn.tx_cp_overrun: 0
  (...)

When RX Control Plane Protection is enabled, fpn.rx_cp_passthrough is increased for each received packet when machine is not overloaded. These packets are processed normally without being analyzed.

If the machine is loaded (RX ring length exceeds the threshold) and the CPU budget is not reached, fpn.rx_cp_kept and fpn.rx_dp_drop will increase respectively for each control plane packet (kept) and for each data plane packet (drop).

If the CPU budget is exceeded, fpn.rx_cp_overrun is increased for each received packet. These packets are processed normally without being analyzed.

The same applies for TX.

See also

The command reference for details.

Isolation of dataplane cores

The cores that are in charge of processing the network packets (the data plane) are dedicated to this task. The other tasks (the control plane) run on the other cores.

To display the cores affected to control plane:

vsr> show state system cp-mask
cp-mask 0-2

To change the cores affected to control plane:

vsr> edit running
vsr running config# system cp-mask 0
vsr running config# commit
Configuration committed.

Note

It is not possible to add fast path cores in cp-mask.

Important

To get the best performance, fast path cores should be isolated thanks to the cmd set-next-boot-params isolate-cpus <fp-coremask> command. A reboot is needed after the set-next-boot-params command has been issued.

It is also recommended to mask IRQs on the fast path cores for optimal zero-loss performance. Please refer to the fast path advanced command reference for details.

Traffic mirroring

The fast path allows to mirror traffic from:
  • a source (vrf/interface)

  • to a destination (vrf/interface)

  • in a given direction (ingress/egress/both)

Here is the way of configuring it:

vsr> edit running
vsr running config# system fast-path mirror-traffic
vsr running mirror-traffic# from vrf main interface ntfp1 type both to vrf main interface ntfp2
vsr running mirror-traffic# show config
{
  "vrouter-fast-path:mirror-traffic": {
    "from": [
      {
        "interface": "ntfp1",
        "vrf": "main",
        "type": "both",
        "to": {
          "vrf": "main",
          "interface": "ntfp2"
        }
      }
    ]
  }
}

Note

In order to avoid mirroring traffic in a looping way, it is forbidden to set a configuration with a source (vrf/interface) that is also a destination (vrf/interface). For example, the following configuration will trigger an error:

vsr> edit running
vsr running config# system fast-path mirror-traffic
vsr running mirror-traffic# from vrf main interface ntfp1 type ingress to vrf main interface ntfp2
vsr running mirror-traffic# from vrf main interface ntfp3 type ingress to vrf main interface ntfp1
vsr running mirror-traffic# show config
mirror-traffic
    from interface ntfp1 vrf main type ingress to interface ntfp2 vrf main
    from interface ntfp3 vrf main type ingress to interface ntfp1 vrf main
vsr running mirror-traffic# commit
ERROR: / system fast-path mirror-traffic from interface ntfp1 vrf main type ingress
    Must condition "not (../from/to[interface=current()/interface and vrf=current()/vrf])" not satisfied.
ERROR: / system fast-path mirror-traffic from interface ntfp1 vrf main type ingress
    A source cannot be a destination
Invalid configuration