Recommendations for fragmented traffic and LACP configuration on Blue Coat X series platform

Article ID: 167990

Products

XOS

Issue/Introduction

Packet loss or latency is observed when an LACP group-interface is configured across multiple NPMs in the X-series.

Cause

Analysis of the problem:
  • The problem happens only on traffic incoming to the X-Series side of the LACP bundle.
  • The problem disappears when using only one link or only one NPM in the bundle.
  • The issue is related to the switch sending IP fragments on more than one link.
  • Each fragment may reach a different NPM, so the packet cannot be reassembled to determine which firewall it should go to. The UDP/TCP information cannot be deduced from a fragment if the first fragment hasn't been received by the same NPM.

Resolution

How to address this issue:
  • The X-series platform does not support fragments of the same flow being received on multiple NPMs for a given LACP group-interface.
  • Configure the LACP group-interface to use all links on a single NPM.
  • Configure the upstream switches to transmit all packets for a given flow to a single link within the configured LACP group-interface.
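
The following added example (not part of the original article and not vendor code) models the failure described above: a distributor that mixes UDP/TCP ports into its link hash sends the first fragment of a datagram to a different link than the later fragments, while an IP-only hash keeps the whole flow on one link. The XOR hash, the policy names "l3l4" and "l3", the four-link bundle and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LINKS = 4  # assumed number of member links in the LACP bundle

def pick_link(pkt, policy):
    """Toy XOR hash (illustrative only, not any vendor's algorithm)."""
    h = int(ipaddress.ip_address(pkt["src"])) ^ int(ipaddress.ip_address(pkt["dst"]))
    # Only the first fragment (offset 0) carries the UDP/TCP header, so a
    # port-aware hash has ports to mix in for that fragment alone.
    if policy == "l3l4" and pkt["offset"] == 0:
        h ^= pkt["sport"] ^ pkt["dport"]
    return h % LINKS

def links_per_datagram(packets, policy):
    """Map each IP datagram (src, dst, proto, IP ID) to the links it used."""
    used = defaultdict(set)
    for pkt in packets:
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["ip_id"])
        used[key].add(pick_link(pkt, policy))
    return dict(used)

def split_datagrams(packets, policy):
    """Datagrams whose fragments were spread over more than one link."""
    return sorted(k for k, links in links_per_datagram(packets, policy).items()
                  if len(links) > 1)

def frag(ip_id, offset, sport=None, dport=None, src="10.0.0.5"):
    # Offsets are given in bytes here for readability.
    return {"src": src, "dst": "10.0.1.9", "proto": 17, "ip_id": ip_id,
            "offset": offset, "sport": sport, "dport": dport}

# Constructed sample: one UDP datagram in three fragments, one unfragmented packet.
PACKETS = [
    frag(100, 0, sport=40001, dport=4500),
    frag(100, 1480),
    frag(100, 2960),
    frag(7, 0, sport=40002, dport=443, src="10.0.0.6"),
]

if __name__ == "__main__":
    for policy in ("l3l4", "l3"):
        print(policy, links_per_datagram(PACKETS, policy))
```

The same grouping key (source, destination, protocol, IP ID) can be applied to per-link packet captures to check whether an upstream switch is spreading one datagram's fragments over several links.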


The following extract from the IEEE 802.3 standard shows that sending the frames of one conversation over more than one link does not conform to the standard.

43.2.4 Frame Distributor

The Frame Distributor is responsible for taking outgoing frames from the MAC Client and transmitting them through the set of links that form the Link Aggregation Group. The Frame Distributor implements a distribution function (algorithm) responsible for choosing the link to be used for the transmission of any given frame or set of frames.
This standard does not mandate any particular distribution algorithm(s); however, any distribution algorithm shall ensure that, when frames are received by a Frame Collector as specified in 43.2.3, the algorithm shall not cause
a) Mis-ordering of frames that are part of any given conversation, or
b) Duplication of frames.

The above requirement to maintain frame ordering is met by ensuring that all frames that compose a given conversation are transmitted on a single link in the order that they are generated by the MAC Client; hence, this requirement does not involve the addition (or modification) of any information to the MAC frame, nor any buffering or processing on the part of the corresponding Frame Collector in order to re-order frames.
This approach to the operation of the distribution function permits a wide variety of distribution and load balancing algorithms to be used, while also ensuring interoperability between devices that adopt differing algorithms.