LARTC - Dec 2003 - u32 hash-es ?

hi I would like to ask is the following config correct for what I want to
achieve ...
Scenario: 
I have 3 networks 192.168.12.0/24,  192.168.48.0/24,  192.168.56.0/24 and most
of the users use 1 IP, some of them more...
If I make flat u32-filter search the box will  make aprox/max 3  * 256 = 768
checks for every IP, so i''m deciding to deploy u32 hashes..
Here is the config I think to use (i''m ommiting some of the filter
syntax for simplicity) :

protocol ip u32
 #what is the divisor meaning !?
handle 5: protocol ip u32 divisor 256

u32 ht 800:: 
        match ip src  192.168.12.0/24
        match ip src  192.168.48.0/24
        match ip src  192.168.56.0/24
        #13 is the third octet in the IP address isnt ''it
        hashkey mask 0x000000ff at 13 
        link 5:

   # c => 12 , 
u32 ht 5:c:   match ip src 192.168.12.1 flowid 1:1
u32 ht 5:c:   match ip src 192.168.12.2 flowid 1:2
.....
  # 30 => 48
u32 ht 5:30:   match ip src 192.168.48.1 flowid 1:257
u32 ht 5:30:   match ip src 192.168.48.2 flowid 1:258
......
  #38 => 56
u32 ht 5:38:   match ip src 192.168.56.1 flowid 1:513
..................

If that is OK, then my next question comes in :").. if I know how much
networks I will support with a given
qos-box to calculate the best possible variant how to subdivide filters.. I mean
it will be better if I
divide them not by class-C but on smaller group...Lets make some calculations :

I expect to handle maximum 10 class C networks with one box. This means that if
the checks are divided
by class-C (like above) the max number of check would be (calculations are
aproximate so that they are
 easy for understanding) :

class-C  ===> 10 + 256 =  267 checks
If I divide the check for every 128 ip''s now first level checks goes
from 10 --> 20
128 ip''s  level1 ===> 20 + 128 = 148
next....
64 ip''s level1 ===> 40 + 64 = 104
next .....
32 ip''s level1 ===> 80 + 32 = 112

From the calculation is seen that for my scenario of 10 class-C nets the best
will be to divide the checks
per 64 ip''s.
So my question is how TO DO IT ? i.e. make the hash check in a way to compare
sub-nets ? example pls ?
I have to change the
         hashkey mask 0x000000ff at 13 
to :
        hashkey mask 0x000000XX at 13  :"), fill in..


For those that dont see reason for doing this, one more calculation :
10 class-C nets * 256 ips = 2560 checks
so in the simple classC scenario we have 10 fold speed up, and for the 64 ips -
25 times faster....

Subquestion : is there a way to see exactly which subsystem takes what cpu time,
on the top/atop
output we see just the total SYSTEM cpu time but now how it is divided by the
net framework..
if we have such info we will know how to tune the system better ?!

tia


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hello, raptor,

On Sun, 7 Dec 2003 14:11:10 +0200
raptor <raptor@tvskat.net> wrote:

[ cut for simplicity''s sake ]

 : I have to change the
 :          hashkey mask 0x000000ff at 13 
 : to :
 :         hashkey mask 0x000000XX at 13  :"), fill in..

Probably 0x40? And btw, you are doing hashes by source IP, right? Why is that -
some kind of ingress filtering? For a dest should this be "at 16"?

 : Subquestion : is there a way to see exactly which subsystem takes what cpu
time, on the top/atop
 : output we see just the total SYSTEM cpu time but now how it is divided by the
net framework..
 : if we have such info we will know how to tune the system better ?!

Have you tried sar?

Debian: apt-get install atsar

In general, I could be of no help, but I''m also very much interested in
any
replies you receive about a working hash syntax and methodology. Please share
them with us. ;)
________________________________________________________________________

Cheers,
Nickola

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM d? s:- a- C++++ UL++++ P+ L++++ E--- W-- N o K- w-- 
O- M- V- PS+ PE Y PGP- t 5 X R- tv- b+++ DI-- D+ 
G e h-- r y** 
------END GEEK CODE BLOCK------