[TriLUG] OT - gigabit switches

Aaron S. Joyner aaron at joyner.ws
Sat Sep 23 13:53:40 EDT 2006 

Christopher L Merrill wrote:

> Wow!  What a great bunch of responses, especially those from Greg,
> Ryan and Aaron.  Most of it was over my head...but I'm hoping to absorb
> just enough to make an intelligent decision for our test lab.
>
> I've tried to identify which specs of a switch are actually important
> for our use-case.  To recap, we're are moving towards having (at most)
> 20 computers in our test lab with GigE NICs (some with multiples).
> When we care about the performance, the scenario will be that most
> of those computers will be hammering one or more web servers, also on
> the same switch, with as much traffic as it/they can handle.  In some
> cases, each "load engine" will be aliasing multiple IP addresses on
> each NIC.  All of the machines will be on the same subnet.  When we
> run tests, we would like the network to be invisible...meaning that
> it is never the bottleneck.
>
> So I've seen a few specs mentioned in switch literature and mentioned
> in the discussions -- I am trying to assess how those relate to our
> situation.
> 1. MTU - larger is better to improve bandwidth efficiency

Jumbo frames are a cool technology, but you can't mix-and-match if your 
network contains any computers not capable of handling jumbo frames (aka 
any 10/100 clients).  Generally, you can get dramatically improved 
throughput by tuning the TCP connection parameters, with out the need to 
use Jumbo frames.  Check out /proc/sys/net/ipv4/tcp_*mem

> 2. # of MAC addresses - since we have a small number of computers
> on a small network, I would guess this is unimportant to us.

You're not likely to be affected by this unless you have more than 8,000 
computers on the same Ethernet segment.  If you do, fix that problem.  :)

> 3. Switching Capacity - pretty important to us, I would think, but
> also seems to be the same for all models within a given line from a
> given manufacturer - is the published number meaningful?

Generally, the published number is not meaningful.  We could get into a 
lot of specifics about internals and when it does matter, but unless 
you're going to go and do a *lot* of empirical testing, or take apart 
the switch and examine it's internals or work closely with the 
manufacturer to get design and implementation details, to learn what 
chips are used and how they're wired to what ports, you're not likely to 
come to any meaningful conclusions.  Also, unless you're stressing the 
daylights out of the switch, it's not likely to matter to you much.

The potential exception to this that I see in your use case is that with 
larger port densities, the switch design internally gets less 
efficient.  The designs are often implemented with single chips that can 
do non-blocking gig-e between 8 to 16 ports at a time.  If you have a 24 
port switch, for example, you might have two Gig-E chipsets that can 
talk to 12 ports.  The interconnections between any two ports which are 
on the same chipset, will be 1gig non-blocking, and ideally the 
interconnection between the two chipsets will be fully non-blocking.  In 
practice, that's often not the case, as that requires a 12gig channel 
between them.  In the better switch gear, generally it is, but in a lot 
of cases you either don't have full non-blocking throughput between the 
two chipsets, or even if you do, since the switch may not be able to 
push the required traffic out the required port fast enough, you can run 
into the switch having to drop packets internally, having congestion 
problems, etc -- this often isn't handled gracefully on the 
inter-chipset links.

So, consider your scenario, where you have 1 server, and 30 clients 
flooding that server with data.  It's not quite your scenario, as you're 
more likely to be pushing orders of magnitude more data *to* the clients 
than from, and this doesn't apply there, but bear with me.  :)  If those 
30 clients are all flooding 1 Gigabit of traffic into the switch, and 15 
of them are on the same chipset with the server, and 15 are not, you may 
begin to find that the 15 computers on the second chipset exhibit 
subtly, or maybe markedly different  behavior than those on the first.  
They may exhibit higher packet loss, thus high connection failure rates, 
lower throughput, etc.

> 4. Forwarding Rate - I have no idea what this is...important?

This is the same as Switching Capacity, essentially.


> One other point that I wanted to verify is that one of the jobs of
> the switch is to keep traffic away from parts of the network that
> are not involved with the sender or receiver.  For example - the
> switch in our test lab is hooked to the switch for the rest of the
> office, to which the rest of our desktops are connected.  So when
> we are running tests in the lab, none of that traffic bleeds into
> the rest of the network affecting performance there.  My
> understanding (and anecdotal evidence) is that this is true...is it?

So, how does a switch work?  :)  A switch learns what MAC addresses are 
connected to what port by looking at source addresses of incoming 
traffic, and associating that traffic with a given port.  Then, when 
another packet is received, it can look in the table of 
previously-learned entries, and send the traffic only to where it has 
learned that MAC address exists.  If it gets a packet addresses for a 
MAC it doesn't know about, or the Ethernet broadcast address, it forward 
that packet on to all ports except the port it was received on.  This is 
great for established simple flows.  This does not totally isolate one 
segment of another from another, though.  Broadcast packets, such as ARP 
requests, DHCP lease requests, some service discovery protocols 
(NetBIOS/NetBEUI's NMP, SMP, browser service...; mdns; etc) all are 
addressed to the Ethernet broadcast address (FF:FF:FF:FF:FF:FF), and 
these packets will be delivered to all end points on the network.  These 
protocols do not cross broadcast domains (god, I really sound like a 
network guy these days), which are at the borders of the routed subnet - 
for that you need a router.

So, the single-recommendation take-away I would recommend, is that you 
need to break apart your test network into a separate subnet.  There are 
numerous ways to do this, but I would suggest getting a layer3 switch, 
setting up two VLANs, assigning appropriate ports to the test lab VLAN 
and appropriate ports to the "office" VLAN, and have the switch route 
freely between those two subnets.  This will nicely allow you to still 
easily talk to machines in the test lab, but provide some insulation 
between traffic inadvertently bleeding from one network to the other.  
If you wanted to be even more cautious about it, you can implement ACLs 
on the switch to say, only allow port 22 or port 80 TCP traffic between 
the two subnets.  You could also implement this on the cheap with an old 
Linux box with two network cards, and a simple layer2 gig-e switch for 
the lab.  This is probably the simpler solution that better leverages 
your existing knowledge, but I think you'll find that once you start 
playing with a nicer switch, you'll come up with more interesting ways 
to segment the lab and get more use out of it in the long run.  Then 
again, perhaps not.  :)  That's why you get to make the decision, not me.

Aaron S. Joyner

More information about the TriLUG mailing list