TRex ==== :author: hhaim :email: :revnumber: 2.1 :quotes.++: :numbered: :web_server_url: http://trex-tgn.cisco.com/trex :local_web_server_url: csi-wiki-01:8181/trex :toclevels: 4 include::trex_ga.asciidoc[] == Introduction === A word on traffic generators Traditionally, routers have been tested using commercial traffic generators, while performance typically has been measured using packets per second (PPS) metrics. As router functionality and services became more complex, stateful traffic generators now need to provide more realistic traffic scenarios. Advantages of realistic traffic generators: * Accurate performance metrics. * Discovering bottlenecks in realistic traffic scenarios. ==== Current Challenges: * *Cost*: Commercial stateful traffic generators are very expensive. * *Scale*: Bandwidth does not scale up well with feature complexity. * *Standardization*: Lack of standardization of traffic patterns and methodologies. * *Flexibility*: Commercial tools do not allow agility when flexibility and changes are needed. ==== Implications * High capital expenditure (capex) spent by different teams. * Testing in low scale and extrapolation became a common practice. This is non-ideal and fails to indicate bottlenecks that appear in real-world scenarios. * Teams use different benchmark methodologies, so results are not standardized. * Delays in development and testing due to dependence on testing tool features. * Resource and effort investment in developing different ad hoc tools and test methodologies. === Overview of TRex TRex addresses these problems through an innovative and extendable software implementation and by leveraging standard and open software and x86/UCS hardware. * Generates and analyzes L4-7 traffic. In one package, provides capabilities of commercial L7 tools. * Stateful traffic generator based on pre-processing and smart replay of real traffic templates. * Generates and *amplifies* both client and server side traffic. * Customized functionality can be added. * Scales to 200Gb/sec for one UCS (using Intel 40Gb/sec NICs). * Low cost. * Self-contained package that can be easily installed and deployed. * Virtual interface support enables TRex to be used in a fully virtual environment without physical NICs. Example use cases: ** Amazon AWS ** Cisco LaaS // Which LaaS is this? Location as a service? Linux? ** TRex on your laptop .TRex Hardware [options="header",cols="1^,1^"] |================= |Cisco UCS Platform | Intel NIC | image:images/ucs200_2.png[title="generator"] | image:images/Intel520.png[title="generator"] |================= === Purpose of this guide This guide explains the use of TRex internals and the use of TRex together with Cisco ASR1000 Series routers. The examples illustrate novel traffic generation techniques made possible by TRex. == Download and installation === Hardware recommendations TRex operates in a Linux application environment, interacting with Linux kernel modules. TRex curretly works on x86 architecture and can operate well on Cisco UCS hardware. The following platforms have been tested and are recommended for operating TRex. [NOTE] ===================================== A high-end UCS platform is not required for operating TRex in its current version, but may be required for future versions. ===================================== [NOTE] ===================================== Not all supported DPDK interfaces are supported by TRex ===================================== .Preferred UCS hardware [options="header",cols="1,3"] |================= | UCS Type | Comments | UCS C220 M3/M4 | *Preferred Low-End*. Supports up to 40Gb/sec with 540-D2. With newer Intel NIC (recommended), supports 80Gb/sec with 1RU. See table below describing components. | UCS C200| Early UCS model. | UCS C210 M2 | Supports up to 40Gb/sec PCIe3.0. | UCS C240 M3/M4 | *Preferred, High-End* Supports up to 200Gb/sec. 6x XL710 NICS (PCIex8) or 2xFM10K (PCIex16). See table below describing components. | UCS C260M2 | Supports up to 30Gb/sec (limited by V2 PCIe). |================= .Low-End UCS C220 M4 - Internal components [options="header",cols="1,2",width="60%"] |================= | Components | Details | CPU | 2x E5-2620 @ 2.0 GHz. | CPU Configuration | 2-Socket CPU configurations (also works with 1 CPU). | Memory | 2x4 banks f.or each CPU. Total of 32GB in 8 banks. | RAID | No RAID. |================= .High-End C240 M4 - Internal components [options="header",cols="1,2",width="60%"] |================= | Components | Details | CPU | 2x E5-2667 @ 3.20 GHz. | PCIe | 1x Riser PCI expansion card option A PID UCSC-PCI-1A-240M4 enables 2 PCIex16. | CPU Configuration | 2-Socket CPU configurations (also works with 1 CPU). | Memory | 2x4 banks for each CPU. Total of 32GB in 8 banks. | RAID | No RAID. | Riser 1/2 | both left and right should support x16 PCIe. Right (Riser1) should be from option A x16 and Left (Riser2) should be x16. need to order both |================= .Supported NICs [options="header",cols="1,1,4",width="90%"] |================= | Chipset | Bandwidth (Gb/sec) | Example | Intel I350 | 1 | Intel 4x1GE 350-T4 NIC | Intel 82599 | 10 | Cisco part ID:N2XX-AIPCI01 Intel x520-D2, Intel X520 Dual Port 10Gb SFP+ Adapter | Intel X710 | 10 | Cisco part ID:UCSC-PCIE-IQ10GF link:https://en.wikipedia.org/wiki/Small_form-factor_pluggable_transceiver[SFP+], *Preferred* support per stream stats in hardware link:http://www.silicom-usa.com/PE310G4i71L_Quad_Port_Fiber_SFP+_10_Gigabit_Ethernet_PCI_Express_Server_Adapter_49[Silicom PE310G4i71L] | Intel XL710 | 40 | Cisco part ID:UCSC-PCIE-ID40GF, link:https://en.wikipedia.org/wiki/QSFP[QSFP+] (copper/optical) | Intel FM10420 | 25/100 | QSFP28, by Silicom link:http://www.silicom-usa.com/100_Gigabit_Dual_Port_Fiber_Ethernet_PCI_Express_PE3100G2DQiR_96[Silicom PE3100G2DQiR_96] (*in development*) | Mellanox ConnectX-4 | 25/40/50/56/100 | QSFP28, link:http://www.mellanox.com/page/products_dyn?product_family=201&[ConnectX-4] link:http://www.mellanox.com/related-docs/prod_adapter_cards/PB_ConnectX-4_VPI_Card.pdf[ConnectX-4-brief] (copper/optical) supported from v2.11 more details xref:connectx_support[TRex Support] | Mellanox ConnectX-5 | 25/40/50/56/100 | Not supported yet | Cisco 1300 series | 40 | QSFP+, VIC 1380, VIC 1385, VIC 1387 see more xref:ciscovic_support[TRex Support] | VMXNET / + VMXNET3 (see notes) | VMware paravirtualized | Connect using VMware vSwitch | E1000 | paravirtualized | VMware/KVM/VirtualBox | Virtio | paravirtualized | KVM |================= // in table above, is it correct to list "paravirtualized" as chipset? Also, what is QSFP28? It does not appear on the lined URL. Clarify: is Intel X710 the preferred NIC? .SFP+ support [options="header",cols="2,1,1,1",width="90%"] |================= | link:https://en.wikipedia.org/wiki/Small_form-factor_pluggable_transceiver[SFP+] | Intel Ethernet Converged X710-DAX | Silicom link:http://www.silicom-usa.com/PE310G4i71L_Quad_Port_Fiber_SFP+_10_Gigabit_Ethernet_PCI_Express_Server_Adapter_49[PE310G4i71L] (Open optic) | 82599EB 10-Gigabit | link:http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html[Cisco SFP-10G-SR] | Does not work | [green]*works* | [green]*works* | link:http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html[Cisco SFP-10G-LR] | Does not work | [green]*works* | [green]*works* | link:http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html[Cisco SFP-H10GB-CU1M]| [green]*works* | [green]*works* | [green]*works* | link:http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html[Cisco SFP-10G-AOC1M] | [green]*works* | [green]*works* | [green]*works* |================= [NOTE] ===================================== Intel X710 NIC (example: FH X710DA4FHBLK) operates *only* with Intel SFP+. For open optic, use the link:http://www.silicom-usa.com/PE310G4i71L_Quad_Port_Fiber_SFP+_10_Gigabit_Ethernet_PCI_Express_Server_Adapter_49[Silicom PE310G4i71L] NIC. ===================================== // clarify above table and note .XL710 NIC base QSFP+ support [options="header",cols="1,1,1",width="90%"] |================= | link:https://en.wikipedia.org/wiki/QSFP[QSFP+] | Intel Ethernet Converged XL710-QDAX | Silicom link:http://www.silicom-usa.com/Dual_Port_Fiber_40_Gigabit_Ethernet_PCI_Express_Server_Adapter_PE340G2Qi71_83[PE340G2Qi71] Open optic | QSFP+ SR4 optics | APPROVED OPTICS [green]*works*, Cisco QSFP-40G-SR4-S does *not* work | Cisco QSFP-40G-SR4-S [green]*works* | QSFP+ LR-4 Optics | APPROVED OPTICS [green]*works*, Cisco QSFP-40G-LR4-S does *not* work | Cisco QSFP-40G-LR4-S [green]*works* | QSFP Active Optical Cables (AoC) | Cisco QSFP-H40G-AOC [green]*works* | Cisco QSFP-H40G-AOC [green]*works* | QSFP+ Intel Ethernet Modular Optics | N/A | N/A | QSFP+ DA twin-ax cables | N/A | N/A | Active QSFP+ Copper Cables | Cisco QSFP-4SFP10G-CU [green]*works* | Cisco QSFP-4SFP10G-CU [green]*works* |================= [NOTE] ===================================== For Intel XL710 NICs, Cisco SR4/LR QSFP+ does not operate. Use Silicom with Open Optic. ===================================== .ConnectX-4 NIC base QSFP28 support (100gb) [options="header",cols="1,2",width="90%"] |================= | link:https://en.wikipedia.org/wiki/QSFP[QSFP28] | ConnectX-4 | QSFP28 SR4 optics | N/A | QSFP28 LR-4 Optics | N/A | QSFP28 (AoC) | Cisco QSFP-100G-AOCxM [green]*works* | QSFP28 DA twin-ax cables | Cisco QSFP-100G-CUxM [green]*works* |================= .Cisco VIC NIC base QSFP+ support [options="header",cols="1,2",width="90%"] |================= | link:https://en.wikipedia.org/wiki/QSFP[QSFP+] | Intel Ethernet Converged XL710-QDAX | QSFP+ SR4 optics | N/A | QSFP+ LR-4 Optics | N/A | QSFP Active Optical Cables (AoC) | Cisco QSFP-H40G-AOC [green]*works* | QSFP+ Intel Ethernet Modular Optics | N/A | QSFP+ DA twin-ax cables | N/A | N/A | Active QSFP+ Copper Cables | N/A |================= // clarify above table and note. let's discuss. .FM10K QSFP28 support [options="header",cols="1,1",width="70%"] |================= | QSFP28 | Example | todo | todo |================= // do we want to show "todo"? maybe "pending" [IMPORTANT] ===================================== * Intel SFP+ 10Gb/sec is the only one supported by default on the standard Linux driver. TRex also supports Cisco 10Gb/sec SFP+. // above, replace "only one" with "only mode"? * For operating high speed throughput (example: several Intel XL710 40Gb/sec), use different link:https://en.wikipedia.org/wiki/Non-uniform_memory_access[NUMA] nodes for different NICs. + To verify NUMA and NIC topology: `lstopo (yum install hwloc)` + To display CPU info, including NUMA node: `lscpu` + NUMA usage xref:numa-example[example] * For Intel XL710 NICs, verify that the NVM is v5.04 . xref:xl710-firmware[Info]. ** `> sudo ./t-rex-64 -f cap2/dns.yaml -d 0 *-v 6* --nc | grep NVM` + `PMD: FW 5.0 API 1.5 NVM 05.00.04 eetrack 800013fc` ===================================== // above, maybe rename the bullet points "NIC usage notes"? should we create a subsection for NICs? Maybe it would be under "2.1 Hardware recommendations" as a subsection. .Sample order for recommended low-end Cisco UCSC-C220-M3S with 4x10Gb ports [options="header",cols="1,1",width="70%"] |================= | Component | Quantity | UCSC-C220-M3S | 1 | UCS-CPU-E5-2650 | 2 | UCS-MR-1X041RY-A | 8 | A03-D500GC3 | 1 | N2XX-AIPCI01 | 2 | UCSC-PSU-650W | 1 | SFS-250V-10A-IS | 1 | UCSC-CMA1 | 1 | UCSC-HS-C220M3 | 2 | N20-BBLKD | 7 | UCSC-PSU-BLKP | 1 | UCSC-RAIL1 | 1 |================= // should table above say "low-end Cisco UCS C220 M3S" instead of "low-end USCS-C220-M3S"? NOTE: Purchase the 10Gb/sec SFP+ separately. Cisco would be fine with TRex (but not for plain Linux driver). // does note above mean "TRex operates with 10Gb/sec SFP+ components, but plain Linux does not provide drivers."? if so, how does purchasing separately solve this? where do they get drivers? === Installing OS ==== Supported versions Supported Linux versions: * Fedora 20-23, 64-bit kernel (not 32-bit) * Ubuntu 14.04.1 LTS, 64-bit kernel (not 32-bit) * Ubuntu 16.xx LTS, 64-bit kernel (not 32-bit) NOTE: Additional OS version may be supported by compiling the necessary drivers. To check whether a kernel is 64-bit, verify that the ouput of the following command is `x86_64`. [source,bash] ---- $uname -m x86_64 ---- ==== Download Linux ISO images for supported Linux releases can be downloaded from: .Supported Linux ISO image links [options="header",cols="1^,2^",width="50%"] |====================================== | Distribution | SHA256 Checksum | link:http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/20/Fedora/x86_64/iso/Fedora-20-x86_64-DVD.iso[Fedora 20] | link:http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/20/Fedora/x86_64/iso/Fedora-20-x86_64-CHECKSUM[Fedora 20 CHECKSUM] | link:http://fedora-mirror01.rbc.ru/pub/fedora/linux/releases/21/Server/x86_64/iso/Fedora-Server-DVD-x86_64-21.iso[Fedora 21] | link:http://fedora-mirror01.rbc.ru/pub/fedora/linux/releases/21/Server/x86_64/iso/Fedora-Server-21-x86_64-CHECKSUM[Fedora 21 CHECKSUM] | link:http://old-releases.ubuntu.com/releases/14.04.1/ubuntu-14.04-desktop-amd64.iso[Ubuntu 14.04.1] | http://old-releases.ubuntu.com/releases/14.04.1/SHA256SUMS[Ubuntu 14.04* CHECKSUMs] | link:http://releases.ubuntu.com/16.04.1/ubuntu-16.04.1-server-amd64.iso[Ubuntu 16.04.1] | http://releases.ubuntu.com/16.04.1/SHA256SUMS[Ubuntu 16.04* CHECKSUMs] |====================================== For Fedora downloads... * Select a mirror close to your location: + https://admin.fedoraproject.org/mirrormanager/mirrors/Fedora + Choose: "Fedora Linux http" -> releases -> -> Server -> x86_64 -> iso -> Fedora-Server-DVD-x86_64-.iso * Verify the checksum of the downloaded file matches the linked checksum values with the `sha256sum` command. Example: [source,bash] ---- $sha256sum Fedora-18-x86_64-DVD.iso 91c5f0aca391acf76a047e284144f90d66d3d5f5dcd26b01f368a43236832c03 #<1> ---- <1> Should be equal to the link:https://en.wikipedia.org/wiki/SHA-2[SHA-256] values described in the linked checksum files. ==== Install Linux Ask your lab admin to install the Linux using CIMC, assign an IP, and set the DNS. Request the sudo or super user password to enable you to ping and SSH. xref:fedora21_example[Example of installing Fedora 21 Server] [NOTE] ===================================== * To use TRex, you should have sudo on the machine or the root password. * Upgrading the linux Kernel using `yum upgrade` requires building the TRex drivers. * In Ubuntu 16, auto-updater is enabled by default. It's advised to turn it off as with update of Kernel need to compile again the DPDK .ko file. + Command to remove it: + > sudo apt-get remove unattended-upgrades ===================================== ==== Verify Intel NIC installation Use `lspci` to verify the NIC installation. Example 4x 10Gb/sec TRex configuration (see output below): * I350 management port * 4x Intel Ethernet Converged Network Adapter model x520-D2 (82599 chipset) [source,bash] ---- $[root@trex]lspci | grep Ethernet 01:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01) #<1> 01:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01) #<2> 03:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) #<3> 03:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 82:00.0 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) 82:00.1 Ethernet controller: Intel Corporation 82599EB 10-Gigabit SFI/SFP+ Network Connection (rev 01) ---- <1> Management port <2> CIMC port <3> 10Gb/sec traffic ports (Intel 82599EB) === Obtaining the TRex package Connect using `ssh` to the TRex machine and execute the commands described below. NOTE: Prerequisite: *$WEB_URL* is *{web_server_url}* or *{local_web_server_url}* (Cisco internal) Latest release: [source,bash] ---- $mkdir trex $cd trex $wget --no-cache $WEB_URL/release/latest $tar -xzvf latest ---- Bleeding edge version: [source,bash] ---- $wget --no-cache $WEB_URL/release/be_latest ---- To obtain a specific version, do the following: [source,bash] ---- $wget --no-cache $WEB_URL/release/vX.XX.tar.gz #<1> ---- <1> X.XX = Version number == First time Running === Configuring for loopback Before connecting TRex to your DUT, it is strongly advised to verify that TRex and the NICs work correctly in loopback. + To get best performance, it is advised to loopback interfaces on the same NUMA (controlled by the same physical processor). If you do not know how to check this, you can ignore this advice for now. + [NOTE] ===================================================================== If you are using 10Gbs NIC based on Intel 520-D2 NICs, and you loopback ports on the same NIC, using SFP+, it might not sync, and you will fail to get link up. + We checked many types of SFP+ (Intel/Cisco/SR/LR) and it worked for us. + If you still encounter link issues, you can either try to loopback interfaces from different NICs, or use link:http://www.fiberopticshare.com/tag/cisco-10g-twinax[Cisco twinax copper cable]. ===================================================================== .Loopback example image:images/loopback_example.png[title="Loopback example"] ==== Identify the ports [source,bash] ---- $>sudo ./dpdk_setup_ports.py -s Network devices using DPDK-compatible driver ============================================ Network devices using kernel driver =================================== 0000:03:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb #<1> 0000:03:00.1 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb 0000:13:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb 0000:13:00.1 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb 0000:02:00.0 '82545EM Gigabit Ethernet Controller (Copper)' if=eth2 drv=e1000 unused=igb_uio *Active* #<2> Other network devices ===================== ---- <1> If you did not run any DPDK application, you will see list of interfaces binded to the kernel, or not binded at all. <2> Interface marked as 'active' is the one used by your ssh connection. *Never* put it in TRex config file. Choose ports to use and follow the instructions in the next section to create configuration file. ==== Creating minimum configuration file Default configuration file name is: `/etc/trex_cfg.yaml`. You can copy basic configuration file from cfg folder [source,bash] ---- $cp cfg/simple_cfg.yaml /etc/trex_cfg.yaml ---- Then, edit the configuration file and put your interface's and IP addresses details. Example: [source,bash] ---- - port_limit : 2 version : 2 #List of interfaces. Change to suit your setup. Use ./dpdk_setup_ports.py -s to see available options interfaces : ["03:00.0", "03:00.1"] #<1> port_info : # Port IPs. Change to suit your needs. In case of loopback, you can leave as is. - ip : 1.1.1.1 default_gw : 2.2.2.2 - ip : 2.2.2.2 default_gw : 1.1.1.1 ---- <1> You need to edit this line to match the interfaces you are using. Notice that all NICs you are using should have the same type. You cannot mix different NIC types in one config file. For more info, see link:http://trex-tgn.cisco.com/youtrack/issue/trex-201[trex-201]. You can find xref:trex_config[here] full list of configuration file options. === Script for creating config file To help starting with basic configuration file that suits your needs, there a script that can automate this process. The script helps you getting started, and you can then edit the file and add advanced options from xref:trex_config[here] if needed. + There are two ways to run the script. Interactively (script will pormpt you for parameters), or providing all parameters using command line options. ==== Interactive mode [source,bash] ---- sudo ./dpdk_setup_ports.py -i ---- You will see a list of available interfaces with their related information + Just follow the instructions to get basic config file. ==== Specifying input arguments using command line options First, run this command to see the list of all interfaces and their related information: [source,bash] ---- sudo ./dpdk_setup_ports.py -t ---- * In case of *Loopback* and/or only *L1-L2 Switches* on the way, you do not need to provide IPs or destination MACs. + The script Will assume the following interface connections: 0↔1, 2↔3 etc. + Just run: [source,bash] ---- sudo ./dpdk_setup_ports.py -c ... ---- * In case of *Router* (or other next hop device, such as *L3 Switch*), you should specify the TRex IPs and default gateways, or MACs of the router as described below. .Additional arguments to creating script (dpdk_setup_ports.py -c) [options="header",cols="2,5,3",width="100%"] |================= | Arg | Description | Example | -c | Create a configuration file by specified interfaces (PCI address or Linux names: eth1 etc.) | -c 03:00.1 eth1 eth4 84:00.0 | --dump | Dump created config to screen. | | -o | Output the config to this file. | -o /etc/trex_cfg.yaml | --dest-macs | Destination MACs to be used per each interface. Specify this option if you want MAC based config instead of IP based one. You must not set it together with --ip and --def_gw | --dest-macs 11:11:11:11:11:11 22:22:22:22:22:22 | --ip | List of IPs to use for each interface. If this option and --dest-macs is not specified, script assumes loopback connections (0↔1, 2↔3 etc.) | --ip 1.2.3.4 5.6.7.8 |--def-gw | List of default gateways to use for each interface. If --ip given, you must provide --def_gw as well | --def-gw 3.4.5.6 7.8.9.10 | --ci | Cores include: White list of cores to use. Make sure there is enough for each NUMA. | --ci 0 2 4 5 6 | --ce | Cores exclude: Black list of cores to exclude. Make sure there will be enough for each NUMA. | --ci 10 11 12 | --no-ht | No HyperThreading: Use only one thread of each Core in created config yaml. | | --prefix | Advanced option: prefix to be used in TRex config in case of parallel instances. | --prefix first_instance | --zmq-pub-port | Advanced option: ZMQ Publisher port to be used in TRex config in case of parallel instances. | --zmq-pub-port 4000 | --zmq-rpc-port | Advanced option: ZMQ RPC port to be used in TRex config in case of parallel instances. | --zmq-rpc-port | --ignore-numa | Advanced option: Ignore NUMAs for config creation. Use this option only if you have to, as it might reduce performance. For example, if you have pair of interfaces at different NUMAs | |================= === Configuring ESXi for running TRex To get best performance, it is advised to run TRex on bare metal hardware, and not use any kind of VM. Bandwidth on VM might be limited, and IPv6 might not be fully supported. Having said that, there are sometimes benefits for running on VM. + These include: + * Virtual NICs can be used to bridge between TRex and NICs not supported by TRex. + * If you already have VM installed, and do not require high performance. + 1. Click the host machine, enter Configuration -> Networking. a. One of the NICs should be connected to the main vSwitch network to get an "outside" connection, for the TRex client and ssh: + image:images/vSwitch_main.png[title="vSwitch_main"] b. Other NICs that are used for TRex traffic should be in distinguish vSwitch: + image:images/vSwitch_loopback.png[title="vSwitch_loopback"] 2. Right-click guest machine -> Edit settings -> Ensure the NICs are set to their networks: + image:images/vSwitch_networks.png[title="vSwitch_networks"] [NOTE] ===================================================================== Before version 2.10, the following command did not function as expected: [subs="quotes"] .... sudo ./t-rex-64 -f cap2/dns.yaml *--lm 1 --lo* -l 1000 -d 100 .... The vSwitch did not "know" where to route the packet. Was solved on version 2.10 when TRex started to support ARP. ===================================================================== * Pass-through is the way to use directly the NICs from host machine inside the VM. Has no limitations except the NIC/hardware itself. The only difference via bare-metal OS is occasional spikes of latency (~10ms). Passthrough settings cannot be saved to OVA. 1. Click on the host machine. Enter Configuration -> Advanced settings -> Edit. Mark the desired NICs. Reboot the ESXi to apply. + image:images/passthrough_marking.png[title="passthrough_marking"] 2. Right click on guest machine. Edit settings -> Add -> *PCI device* -> Choose the NICs one by one. + image:images/passthrough_adding.png[title="passthrough_adding"] === Configuring for running with router (or other L3 device) as DUT You can follow link:trex_config_guide.html[this] presentation for an example of how to configure router as DUT. === Running TRex When all is set, use the following command to start basic TRex run for 10 seconds (it will use the default config file name /etc/trex_cfg.yaml): [source,bash] ---- $sudo ./t-rex-64 -f cap2/dns.yaml -c 4 -m 1 -d 10 -l 1000 ---- If successful, the output will be similar to the following: [source,python] ---- $ sudo ./t-rex-64 -f cap2/dns.yaml -d 10 -l 1000 Starting TRex 2.09 please wait ... zmq publisher at: tcp://*:4500 number of ports found : 4 port : 0 ------------ link : link : Link Up - speed 10000 Mbps - full-duplex <1> promiscuous : 0 port : 1 ------------ link : link : Link Up - speed 10000 Mbps - full-duplex promiscuous : 0 port : 2 ------------ link : link : Link Up - speed 10000 Mbps - full-duplex promiscuous : 0 port : 3 ------------ link : link : Link Up - speed 10000 Mbps - full-duplex promiscuous : 0 -Per port stats table ports | 0 | 1 | 2 | 3 ------------------------------------------------------------------------------------- opackets | 1003 | 1003 | 1002 | 1002 obytes | 66213 | 66229 | 66132 | 66132 ipackets | 1003 | 1003 | 1002 | 1002 ibytes | 66225 | 66209 | 66132 | 66132 ierrors | 0 | 0 | 0 | 0 oerrors | 0 | 0 | 0 | 0 Tx Bw | 217.09 Kbps | 217.14 Kbps | 216.83 Kbps | 216.83 Kbps -Global stats enabled Cpu Utilization : 0.0 % <2> 29.7 Gb/core <3> Platform_factor : 1.0 Total-Tx : 867.89 Kbps <4> Total-Rx : 867.86 Kbps <5> Total-PPS : 1.64 Kpps Total-CPS : 0.50 cps Expected-PPS : 2.00 pps <6> Expected-CPS : 1.00 cps <7> Expected-BPS : 1.36 Kbps <8> Active-flows : 0 <9> Clients : 510 Socket-util : 0.0000 % Open-flows : 1 <10> Servers : 254 Socket : 1 Socket/Clients : 0.0 drop-rate : 0.00 bps <11> current time : 5.3 sec test duration : 94.7 sec -Latency stats enabled Cpu Utilization : 0.2 % <12> if| tx_ok , rx_ok , rx ,error, average , max , Jitter , max window | , , check, , latency(usec),latency (usec) ,(usec) , -------------------------------------------------------------------------------------------------- 0 | 1002, 1002, 0, 0, 51 , 69, 0 | 0 69 67 <13> 1 | 1002, 1002, 0, 0, 53 , 196, 0 | 0 196 53 2 | 1002, 1002, 0, 0, 54 , 71, 0 | 0 71 69 3 | 1002, 1002, 0, 0, 53 , 193, 0 | 0 193 52 ---- <1> Link must be up for TRex to work. <2> Average CPU utilization of transmitters threads. For best results it should be lower than 80%. <3> Gb/sec generated per core of DP. Higher is better. <4> Total Tx must be the same as Rx at the end of the run <5> Total Rx must be the same as Tx at the end of the run <6> Expected number of packets per second (calculated without latency packets). <7> Expected number of connections per second (calculated without latency packets). <8> Expected number of bits per second (calculated without latency packets). <9> Number of TRex active "flows". Could be different than the number of router flows, due to aging issues. Usualy the TRex number of active flows is much lower than that of the router because the router ages flows slower. <10> Total number of TRex flows opened since startup (including active ones, and ones already closed). <11> Drop rate. <12> Rx and latency thread CPU utilization. <13> Tx_ok on port 0 should equal Rx_ok on port 1, and vice versa. More statistics information: *socket*:: Same as the active flows. *Socket/Clients*:: Average of active flows per client, calculated as active_flows/#clients. *Socket-util*:: Estimation of number of L4 ports (sockets) used per client IP. This is approximately (100*active_flows/#clients)/64K, calculated as (average active flows per client*100/64K). Utilization of more than 50% means that TRex is generating too many flows per single client, and that more clients must be added in the generator config. // clarify above, especially the formula *Max window*:: Momentary maximum latency for a time window of 500 msec. There are few numbers shown per port. The newest number (last 500msec) is on the right. Oldest on the left. This can help identifying spikes of high latency clearing after some time. Maximum latency is the total maximum over the entire test duration. To best understand this, run TRex with latency option (-l) and watch the results with this section in mind. *Platform_factor*:: There are cases in which we duplicate the traffic using splitter/switch and we would like all numbers displayed by TRex to be multiplied by this factor, so that TRex counters will match the DUT counters. WARNING: If you don't see rx packets, revisit your MAC address configuration. include::trex_book_basic.asciidoc[] == Advanced features === VLAN Trunk support anchor:trex_vlan[] The VLAN Trunk TRex feature attempts to solve the router port bandwidth limitation when the traffic profile is asymmetric. Example: Asymmetric SFR profile. This feature converts asymmetric traffic to symmetric, from the port perspective, using router sub-interfaces. This requires TRex to send the traffic on two VLANs, as described below. .YAML format [source,python] ---- vlan : { enable : 1 , vlan0 : 100 , vlan1 : 200 } ---- .Example [source,python] ---- - duration : 0.1 vlan : { enable : 1 , vlan0 : 100 , vlan1 : 200 } <1> ---- <1> Enable VLAN feature, vlan0==100 , vlan1==200 *Problem definition:*:: Scenario: TRex with two ports and an SFR traffic profile. .Without VLAN/sub interfaces [source,python] ---- 0 ( client) -> [ ] - 1 ( server) ---- Without VLAN support the traffic is asymmetric. 10% of the traffic is sent from port 0 (client side), 90% is from port 1 (server). Port 1 become the bottlneck (10Gb/s limit) before port 0. .With VLAN/sub interfaces [source,python] ---- port 0 ( client VLAN0) <-> | | <-> port 1 ( server-VLAN0) port 0 ( server VLAN1) <-> | | <-> port 1 ( client-VLAN1) ---- In this case both ports have the same amount of traffic. *Router configuation:*:: [source,python] ---- ! interface TenGigabitEthernet1/0/0 <1> mac-address 0000.0001.0000 mtu 4000 no ip address load-interval 30 ! i interface TenGigabitEthernet1/0/0.100 encapsulation dot1Q 100 <2> ip address 11.77.11.1 255.255.255.0 ip nbar protocol-discovery ip policy route-map vlan_100_p1_to_p2 <3> ! interface TenGigabitEthernet1/0/0.200 encapsulation dot1Q 200 <4> ip address 11.88.11.1 255.255.255.0 ip nbar protocol-discovery ip policy route-map vlan_200_p1_to_p2 <5> ! interface TenGigabitEthernet1/1/0 mac-address 0000.0001.0000 mtu 4000 no ip address load-interval 30 ! interface TenGigabitEthernet1/1/0.100 encapsulation dot1Q 100 ip address 22.77.11.1 255.255.255.0 ip nbar protocol-discovery ip policy route-map vlan_100_p2_to_p1 ! interface TenGigabitEthernet1/1/0.200 encapsulation dot1Q 200 ip address 22.88.11.1 255.255.255.0 ip nbar protocol-discovery ip policy route-map vlan_200_p2_to_p1 ! arp 11.77.11.12 0000.0001.0000 ARPA <6> arp 22.77.11.12 0000.0001.0000 ARPA route-map vlan_100_p1_to_p2 permit 10 <7> set ip next-hop 22.77.11.12 ! route-map vlan_100_p2_to_p1 permit 10 set ip next-hop 11.77.11.12 ! route-map vlan_200_p1_to_p2 permit 10 set ip next-hop 22.88.11.12 ! route-map vlan_200_p2_to_p1 permit 10 set ip next-hop 11.88.11.12 ! ---- <1> Disable the IP on the main port it is important. // above, clarify what's important <2> Enable VLAN1 <3> PBR configuration <4> Enable VLAN2 <5> PBR configuration <6> TRex destination port MAC address <7> PBR configuration rules === Static source MAC address setting With this feature, TRex replaces the source MAC address with the client IP address. Note: This feature was requested by the Cisco ISG group. *YAML:*:: [source,python] ---- mac_override_by_ip : true ---- .Example [source,python] ---- - duration : 0.1 .. mac_override_by_ip : true <1> ---- <1> In this case, the client side MAC address looks like this: SRC_MAC = IPV4(IP) + 00:00 === IPv6 support Support for IPv6 includes: 1. Support for pcap files containing IPv6 packets 2. Ability to generate IPv6 traffic from pcap files containing IPv4 packets The following command line option enables this feature: `--ipv6` The keywords (`src_ipv6` and `dst_ipv6`) specify the most significant 96 bits of the IPv6 address - for example: [source,python] ---- src_ipv6 : [0xFE80,0x0232,0x1002,0x0051,0x0000,0x0000] dst_ipv6 : [0x2001,0x0DB8,0x0003,0x0004,0x0000,0x0000] ---- The IPv6 address is formed by placing what would typically be the IPv4 address into the least significant 32 bits and copying the value provided in the src_ipv6/dst_ipv6 keywords into the most signficant 96 bits. If src_ipv6 and dst_ipv6 are not specified, the default is to form IPv4-compatible addresses (most signifcant 96 bits are zero). There is support for all plugins. *Example:*:: [source,bash] ---- $sudo ./t-rex-64 -f cap2l/sfr_delay_10_1g.yaml -c 4 -p -l 100 -d 100000 -m 30 --ipv6 ---- *Limitations:*:: * TRex cannot generate both IPv4 and IPv6 traffic. * The `--ipv6` switch must be specified even when using pcap file containing only IPv6 packets. *Router configuration:*:: [source,python] ---- interface TenGigabitEthernet1/0/0 mac-address 0000.0001.0000 mtu 4000 ip address 11.11.11.11 255.255.255.0 ip policy route-map p1_to_p2 load-interval 30 ipv6 enable ==> IPv6 ipv6 address 2001:DB8:1111:2222::1/64 <1> ipv6 policy route-map ipv6_p1_to_p2 <2> ! ipv6 unicast-routing <3> ipv6 neighbor 3001::2 TenGigabitEthernet0/1/0 0000.0002.0002 <4> ipv6 neighbor 2001::2 TenGigabitEthernet0/0/0 0000.0003.0002 route-map ipv6_p1_to_p2 permit 10 <5> set ipv6 next-hop 2001::2 ! route-map ipv6_p2_to_p1 permit 10 set ipv6 next-hop 3001::2 ! asr1k(config)#ipv6 route 4000::/64 2001::2 asr1k(config)#ipv6 route 5000::/64 3001::2 ---- <1> Enable IPv6 <2> Add pbr <3> Enable IPv6 routing <4> MAC address setting. Should be TRex MAC. <5> PBR configuraion === Client clustering configuration TRex supports testing complex topologies, using a feature called "client clustering". This feature allows more detailed clustering of clients. Let's look at the following topology: image:images/client_clustering_topology.png[title="Client Clustering"] We would like to configure two clusters and direct traffic to them. Using config file, you can instruct TRex to generate clients with specific configuration per cluster. Cluster configuration includes: * IP start range. * IP end range. * Initiator side configuration. * Responder side configuration. [NOTE] It is important to understand that this is *complimentary* to the client generator configured per profile - it only defines how the generator will be clustered. Let's look at an example. We have a profile defining client generator. [source,bash] ---- $cat cap2/dns.yaml - duration : 10.0 generator : distribution : "seq" clients_start : "16.0.0.1" clients_end : "16.0.0.255" servers_start : "48.0.0.1" servers_end : "48.0.0.255" clients_per_gb : 201 min_clients : 101 dual_port_mask : "1.0.0.0" tcp_aging : 1 udp_aging : 1 cap_info : - name: cap2/dns.pcap cps : 1.0 ipg : 10000 rtt : 10000 w : 1 ---- We want to create two clusters with 4 devices each. We also want to divide *80%* of the traffic to the upper cluster and *20%* to the lower cluster. We will create the following cluster configuration file. [source,bash] ---- # # Client configuration example file # The file must contain the following fields # # 'vlan' - if the entire configuration uses VLAN, # each client group must include vlan # configuration # # 'groups' - each client group must contain range of IPs # and initiator and responder section # 'count' represents the number of different MACs # addresses in the group. # # initiator and responder can contain 'vlan', 'src_mac', 'dst_mac' # # each group contains a double way VLAN configuration vlan: true groups: - ip_start : 16.0.0.1 ip_end : 16.0.0.204 initiator : vlan : 100 dst_mac : "00:00:00:01:00:00" responder : vlan : 200 dst_mac : "00:00:00:01:00:00" count : 4 - ip_start : 16.0.0.205 ip_end : 16.0.0.255 initiator : vlan : 101 dst_mac : "01:00:00:00:01:01" responder: vlan : 201 dst_mac : "01:00:00:00:02:01" count : 4 ---- The above configuration will divide the generator range of 255 clients to two clusters, each with 4 devices and VLAN in both directions. MACs will be allocated incrementaly, with a wrap around. e.g. * 16.0.0.1 --> 00:00:00:01:00:00 * 16.0.0.2 --> 00:00:00:01:00:01 * 16.0.0.3 --> 00:00:00:01:00:02 * 16.0.0.4 --> 00:00:00:01:00:03 * 16.0.0.5 --> 00:00:00:01:00:00 * 16.0.0.6 --> 00:00:00:01:00:01 and so on. *Usage:* [source,bash] ---- sudo ./t-rex-64 -f cap2/dns.yaml --client_cfg my_cfg.yaml ---- === NAT support TRex can learn dynamic NAT/PAT translation. To enable this feature add `--learn-mode ` to the command line. To learn the NAT translation, TRex must embed information describing the flow a packet belongs to, in the first packet of each flow. This can be done in two different methods, depending on the chosen . *mode 1:*:: Flow info is embedded in the ACK of the first TCP SYN. In this mode, there is a limitation that bidirectional UDP templates (for example, DNS) are not supported. This mode was developed for testing NAT with firewalls (which usually do not work with mode 2). In this mode, TRex also learn and compensate for TCP sequence number randomization that might be done by the DUT. TRex can learn and compensate for seq num randomization in both directions of the connection. *mode 2:*:: Flow info is added in a special IPv4 option header (8 bytes long 0x10 id). The option is added only to the first packet in the flow. This mode does not work with DUTs that drop packets with IP options (for example, Cisco ASA firewall). *mode 3:*:: This is like mode 1, with the only change being that TRex does not learn the seq num randomization in the server->client direction. This mode can give much better connections per second performance than mode 1 (still, for all existing firewalls, mode 1 cps rate is more than enough). ==== Examples *simple HTTP traffic* [source,bash] ---- $sudo ./t-rex-64 -f cap2/http_simple.yaml -c 4 -l 1000 -d 100000 -m 30 --learn-mode 1 ---- *SFR traffic without bundling/ALG support* [source,bash] ---- $sudo ./t-rex-64 -f avl/sfr_delay_10_1g_no_bundling.yaml -c 4 -l 1000 -d 100000 -m 10 --learn-mode 2 ---- *NAT terminal counters:*:: [source,python] ---- -Global stats enabled Cpu Utilization : 0.6 % 33.4 Gb/core Platform_factor : 1.0 Total-Tx : 3.77 Gbps NAT time out : 917 <1> (0 in wait for syn+ack) <5> Total-Rx : 3.77 Gbps NAT aged flow id: 0 <2> Total-PPS : 505.72 Kpps Total NAT active: 163 <3> (12 waiting for syn) <6> Total-CPS : 13.43 Kcps Total NAT opened: 82677 <4> ---- <1> Number of connections for which TRex had to send the next packet in the flow, but did not learn the NAT translation yet. Should be 0. Usually, value different than 0 is seen if the DUT drops the flow (probably because it can't handle the number of connections) <2> Number of flows for which when we got the translation info, flow was aged out already. Non 0 value here should be very rare. Can occur only when there is huge latency in the DUT input/output queue. <3> Number of flows for which we sent the first packet, but did not learn the NAT translation yet. Value seen depends on the connection per second rate and round trip time. <4> Total number of translations over the lifetime of the TRex instance. May be different from the total number of flows if template is uni-directional (and consequently does not need translation). <5> Out of the timed out flows, how many were timed out while waiting to learn the TCP seq num randomization of the server->client from the SYN+ACK packet (Seen only in --learn-mode 1) <6> Out of the active NAT sessions, how many are waiting to learn the client->server translation from the SYN packet (others are waiting for SYN+ACK from server) (Seen only in --learn-mode 1) *Configuration for Cisco ASR1000 Series:*:: This feature was tested with the following configuration and sfr_delay_10_1g_no_bundling. yaml traffic profile. Client address range is 16.0.0.1 to 16.0.0.255 [source,python] ---- interface TenGigabitEthernet1/0/0 <1> mac-address 0000.0001.0000 mtu 4000 ip address 11.11.11.11 255.255.255.0 ip policy route-map p1_to_p2 ip nat inside <2> load-interval 30 ! interface TenGigabitEthernet1/1/0 mac-address 0000.0001.0000 mtu 4000 ip address 11.11.11.11 255.255.255.0 ip policy route-map p1_to_p2 ip nat outside <3> load-interval 30 ip nat pool my 200.0.0.0 200.0.0.255 netmask 255.255.255.0 <4> ip nat inside source list 7 pool my overload access-list 7 permit 16.0.0.0 0.0.0.255 <5> ip nat inside source list 8 pool my overload <6> access-list 8 permit 17.0.0.0 0.0.0.255 ---- <1> Must be connected to TRex Client port (router inside port) <2> NAT inside <3> NAT outside <4> Pool of outside address with overload <5> Match TRex YAML client range <6> In case of dual port TRex // verify 1 and 5 above; rephrased *Limitations:*:: . The IPv6-IPv6 NAT feature does not exist on routers, so this feature can work only with IPv4. . Does not support NAT64. . Bundling/plugin is not fully supported. Consequently, sfr_delay_10.yaml does not work. Use sfr_delay_10_no_bundling.yaml instead. [NOTE] ===================================================================== * `--learn-verify` is a TRex debug mechanism for testing the TRex learn mechanism. * Need to run it when DUT is configured without NAT. It will verify that the inside_ip==outside_ip and inside_port==outside_port. ===================================================================== === Flow order/latency verification In normal mode (without this feature enabled), received traffic is not checked by software. Hardware (Intel NIC) testing for dropped packets occurs at the end of the test. The only exception is the Latency/Jitter packets. This is one reason that with TRex, you *cannot* check features that terminate traffic (for example TCP Proxy). To enable this feature, add `--rx-check ` to the command line options, where is the sample rate. The number of flows that will be sent to the software for verification is (1/(sample_rate). For 40Gb/sec traffic you can use a sample rate of 1/128. Watch for Rx CPU% utilization. [NOTE] ============ This feature changes the TTL of the sampled flows to 255 and expects to receive packets with TTL 254 or 255 (one routing hop). If you have more than one hop in your setup, use `--hops` to change it to a higher value. More than one hop is possible if there are number of routers betwean TRex client side and TRex server side. ============ This feature ensures that: * Packets get out of DUT in order (from each flow perspective). * There are no packet drops (no need to wait for the end of the test). Without this flag, you must wait for the end of the test in order to identify packet drops, because there is always a difference between TX and Rx, due to RTT. .Full example [source,bash] ---- $sudo ./t-rex-64 -f avl/sfr_delay_10_1g.yaml -c 4 -p -l 100 -d 100000 -m 30 --rx-check 128 ---- [source,python] ---- Cpu Utilization : 0.1 % <1> if| tx_ok , rx_ok , rx ,error, average , max , Jitter , max window | , , check, , latency(usec),latency (usec) ,(usec) , -------------------------------------------------------------------------------- 0 | 1002, 1002, 2501, 0, 61 , 70, 3 | 60 1 | 1002, 1002, 2012, 0, 56 , 63, 2 | 50 2 | 1002, 1002, 2322, 0, 66 , 74, 5 | 68 3 | 1002, 1002, 1727, 0, 58 , 68, 2 | 52 Rx Check stats enabled <2> ------------------------------------------------------------------------------------------- rx check: avg/max/jitter latency, 94 , 744, 49 | 252 287 309 <3> active flows: <6> 10, fif: <5> 308, drop: 0, errors: 0 <4> ------------------------------------------------------------------------------------------- ---- <1> CPU% of the Rx thread. If it is too high, *increase* the sample rate. <2> Rx Check section. For more detailed info, press 'r' during the test or at the end of the test. <3> Average latency, max latency, jitter on the template flows in microseconds. This is usually *higher* than the latency check packet because the feature works more on this packet. <4> Drop counters and errors counter should be zero. If not, press 'r' to see the full report or view the report at the end of the test. <5> fif - First in flow. Number of new flows handled by the Rx thread. <6> active flows - number of active flows handled by rx thread .Press R to Display Full Report [source,python] ---- m_total_rx : 2 m_lookup : 2 m_found : 1 m_fif : 1 m_add : 1 m_remove : 1 m_active : 0 <1> 0 0 0 0 1041 0 0 0 0 0 0 0 0 min_delta : 10 usec cnt : 2 high_cnt : 2 max_d_time : 1041 usec sliding_average : 1 usec <2> precent : 100.0 % histogram ----------- h[1000] : 2 tempate_id_ 0 , errors: 0, jitter: 61 <3> tempate_id_ 1 , errors: 0, jitter: 0 tempate_id_ 2 , errors: 0, jitter: 0 tempate_id_ 3 , errors: 0, jitter: 0 tempate_id_ 4 , errors: 0, jitter: 0 tempate_id_ 5 , errors: 0, jitter: 0 tempate_id_ 6 , errors: 0, jitter: 0 tempate_id_ 7 , errors: 0, jitter: 0 tempate_id_ 8 , errors: 0, jitter: 0 tempate_id_ 9 , errors: 0, jitter: 0 tempate_id_10 , errors: 0, jitter: 0 tempate_id_11 , errors: 0, jitter: 0 tempate_id_12 , errors: 0, jitter: 0 tempate_id_13 , errors: 0, jitter: 0 tempate_id_14 , errors: 0, jitter: 0 tempate_id_15 , errors: 0, jitter: 0 ager : m_st_alloc : 1 m_st_free : 0 m_st_start : 2 m_st_stop : 1 m_st_handle : 0 ---- <1> Errors, if any, shown here <2> Low pass filter on the active average of latency events <3> Error per template info // IGNORE: this line added to help rendition. Without this line, the "Notes and Limitations" section below does not appear. *Notes and Limitations:*:: ** To receive the packets TRex does the following: *** Changes the TTL to 0xff and expects 0xFF (loopback) or oxFE (route). (Use `--hop` to configure this value.) *** Adds 24 bytes of metadata as ipv4/ipv6 option header. // clarify "ipv4/ipv6 option header" above == Reference === Traffic YAML (parameter of -f option) ==== Global Traffic YAML section [source,python] ---- - duration : 10.0 <1> generator : <2> distribution : "seq" clients_start : "16.0.0.1" clients_end : "16.0.0.255" servers_start : "48.0.0.1" servers_end : "48.0.0.255" clients_per_gb : 201 min_clients : 101 dual_port_mask : "1.0.0.0" tcp_aging : 1 udp_aging : 1 mac : [0x00,0x00,0x00,0x01,0x00,0x00] <3> cap_ipg : true <4> cap_ipg_min : 30 <5> cap_override_ipg : 200 <6> vlan : { enable : 1 , vlan0 : 100 , vlan1 : 200 } <7> mac_override_by_ip : true <8> ---- <1> Test duration (seconds). Can be overridden using the `-d` option. <2> See the link:trex_manual.html#_clients_servers_ip_allocation_scheme[generator] section. // what does note 2 mean? see somewhere else? isn't this simply the generator section? <3> Default source/destination MAC address. The configuration YAML can override this. <4> true (default) indicates that the IPG is taken from the cap file (also taking into account cap_ipg_min and cap_override_ipg if they exist). false indicates that IPG is taken from per template section. <5> The following two options can set the min ipg in microseconds: (if (pkt_ipg Value to override (microseconds), as described in note above. <7> Enable vlan feature. See xref:trex_vlan[trex_vlan section] for info. <8> Enable MAC address replacement by client IP. ==== Per template section // clarify "per template" [source,python] ---- - name: cap2/dns.pcap <1> cps : 10.0 <2> ipg : 10000 <3> rtt : 10000 <4> w : 1 <5> server_addr : "48.0.0.7" <6> one_app_server : true <7> ---- <1> The name of the template pcap file. Can be relative path from the t-rex-64 image directory, or an absolute path. The pcap file should include only one flow. (Exception: in case of plug-ins). <2> Connection per second. This is the value that will be used if specifying -m 1 from command line (giving -m x will multiply this <3> If the global section of the YAML file includes `cap_ipg : false`, this line sets the inter-packet gap in microseconds. <4> Should be set to the same value as ipg (microseconds). <5> Default value: w=1. This indicates to the IP generator how to generate the flows. If w=2, two flows from the same template will be generated in a burst (more for HTTP that has burst of flows). <6> If `one_app_server` is set to true, then all templates will use the same server. <7> If the same server address is required, set this value to true. === Configuration YAML (parameter of --cfg option) anchor:trex_config[] The configuration file, in YAML format, configures TRex behavior, including: - IP address or MAC address for each port (source and destination). - Masked interfaces, to ensure that TRex does not try to use the management ports as traffic ports. - Changing the zmq/telnet TCP port. You specify which config file to use by adding --cfg to the command line arguments. + If no --cfg given, the default `/etc/trex_cfg.yaml` is used. + Configuration file examples can be found in the `$TREX_ROOT/scripts/cfg` folder. ==== Basic Configurations [source,python] ---- - port_limit : 2 #mandatory <1> version : 2 #mandatory <2> interfaces : ["03:00.0", "03:00.1"] #mandatory <3> #enable_zmq_pub : true #optional <4> #zmq_pub_port : 4500 #optional <5> #prefix : setup1 #optional <6> #limit_memory : 1024 #optional <7> c : 4 #optional <8> port_bandwidth_gb : 10 #optional <9> port_info : # set eh mac addr mandatory - default_gw : 1.1.1.1 # port 0 <10> dest_mac : '00:00:00:01:00:00' # Either default_gw or dest_mac is mandatory <10> src_mac : '00:00:00:02:00:00' # optional <11> ip : 2.2.2.2 # optional <12> vlan : 15 # optional <13> - dest_mac : '00:00:00:03:00:00' # port 1 src_mac : '00:00:00:04:00:00' - dest_mac : '00:00:00:05:00:00' # port 2 src_mac : '00:00:00:06:00:00' - dest_mac : [0x0,0x0,0x0,0x7,0x0,0x01] # port 3 <14> src_mac : [0x0,0x0,0x0,0x8,0x0,0x02] # <14> ---- <1> Number of ports. Should be equal to the number of interfaces listed in 3. - mandatory <2> Must be set to 2. - mandatory <3> List of interfaces to use. Run `sudo ./dpdk_setup_ports.py --show` to see the list you can choose from. - mandatory <4> Enable the ZMQ publisher for stats data, default is true. <5> ZMQ port number. Default value is good. If running two TRex instances on the same machine, each should be given distinct number. Otherwise, can remove this line. <6> If running two TRex instances on the same machine, each should be given distinct name. Otherwise, can remove this line. ( Passed to DPDK as --file-prefix arg) <7> Limit the amount of packet memory used. (Passed to dpdk as -m arg) <8> Number of threads (cores) TRex will use per interface pair ( Can be overridden by -c command line option ) <9> The bandwidth of each interface in Gbs. In this example we have 10Gbs interfaces. For VM, put 1. Used to tune the amount of memory allocated by TRex. <10> TRex need to know the destination MAC address to use on each port. You can specify this in one of two ways: + Specify dest_mac directly. + Specify default_gw (since version 2.10). In this case (only if no dest_mac given), TRex will issue ARP request to this IP, and will use the result as dest MAC. If no dest_mac given, and no ARP response received, TRex will exit. <11> Source MAC to use when sending packets from this interface. If not given (since version 2.10), MAC address of the port will be used. <12> If given (since version 2.10), TRex will issue gratitues ARP for the ip + src MAC pair on appropriate port. In stateful mode, gratitues ARP for each ip will be sent every 120 seconds (Can be changed using --arp-refresh-period argument). <13> If given, gratitues ARP and ARP request will be sent using the given VLAN tag. <14> Old MAC address format. New format is supported since version v2.09. [NOTE] ========================================================================================= If you use version earlier than 2.10, or choose to omit the ``ip'' and have mac based configuration, be aware that TRex will not send any gratitues ARP and will not answer ARP requests. In this case, you must configure static ARP entries pointing to TRex port on your DUT. For an example config, you can look xref:trex_config[here]. ========================================================================================= To find out which interfaces (NIC ports) can be used, perform the following: [source,bash] ---- $>sudo ./dpdk_setup_ports.py --show Network devices using DPDK-compatible driver ============================================ Network devices using kernel driver =================================== 0000:02:00.0 '82545EM Gigabit Ethernet Controller' if=eth2 drv=e1000 unused=igb_uio *Active* #<1> 0000:03:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb #<2> 0000:03:00.1 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb 0000:13:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb 0000:13:00.1 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv= unused=ixgb Other network devices ===================== ---- <1> We see that 02:00.0 is active (our management port). <2> All other NIC ports (03:00.0, 03:00.1, 13:00.0, 13:00.1) can be used. minimum configuration file is: [source,bash] ---- - port_limit : 4 version : 2 interfaces : ["03:00.0","03:00.1","13:00.1","13:00.0"] ---- ==== Memory section configuration The memory section is optional. It is used when there is a need to tune the amount of memory used by TRex packet manager. Default values (from the TRex source code), are usually good for most users. Unless you have some unusual needs, you can eliminate this section. [source,python] ---- - port_limit : 2 version : 2 interfaces : ["03:00.0","03:00.1"] memory : <1> mbuf_64 : 16380 <2> mbuf_128 : 8190 mbuf_256 : 8190 mbuf_512 : 8190 mbuf_1024 : 8190 mbuf_2048 : 4096 traffic_mbuf_64 : 16380 <3> traffic_mbuf_128 : 8190 traffic_mbuf_256 : 8190 traffic_mbuf_512 : 8190 traffic_mbuf_1024 : 8190 traffic_mbuf_2048 : 4096 dp_flows : 1048576 <4> global_flows : 10240 <5> ---- <1> Memory section header <2> Numbers of memory buffers allocated for packets in transit, per port pair. Numbers are specified per packet size. <3> Numbers of memory buffers allocated for holding the part of the packet which is remained unchanged per template. You should increase numbers here, only if you have very large amount of templates. <4> Number of TRex flow objects allocated (To get best performance they are allocated upfront, and not dynamically). If you expect more concurrent flows than the default (1048576), enlarge this. <5> Number objects TRex allocates for holding NAT ``in transit'' connections. In stateful mode, TRex learn NAT translation by looking at the address changes done by the DUT to the first packet of each flow. So, these are the number of flows for which TRex sent the first flow packet, but did not learn the translation yet. Again, default here (10240) should be good. Increase only if you use NAT and see issues. ==== Platform section configuration The platform section is optional. It is used to tune the performance and allocate the cores to the right NUMA a configuration file now has the folowing struct to support multi instance [source,python] ---- - version : 2 interfaces : ["03:00.0","03:00.1"] port_limit : 2 .... platform : <1> master_thread_id : 0 <2> latency_thread_id : 5 <3> dual_if : <4> - socket : 0 <5> threads : [1,2,3,4] <6> ---- <1> Platform section header. <2> Hardware thread_id for control thread. <3> Hardware thread_id for RX thread. <4> ``dual_if'' section defines info for interface pairs (according to the order in ``interfaces'' list). each section, starting with ``- socket'' defines info for different interface pair. <5> The NUMA node from which memory will be allocated for use by the interface pair. <6> Hardware threads to be used for sending packets for the interface pair. Threads are pinned to cores, so specifying threads actually determines the hardware cores. *Real example:* anchor:numa-example[] We connected 2 Intel XL710 NICs close to each other on the motherboard. They shared the same NUMA: image:images/same_numa.png[title="2_NICSs_same_NUMA"] CPU utilization was very high ~100%, with c=2 and c=4 the results were same. Then, we moved the cards to different NUMAs: image:images/different_numa.png[title="2_NICSs_different_NUMAs"] *+* We added configuration to the /etc/trex_cfg.yaml: [source,python] platform : master_thread_id : 0 latency_thread_id : 8 dual_if : - socket : 0 threads : [1, 2, 3, 4, 5, 6, 7] - socket : 1 threads : [9, 10, 11, 12, 13, 14, 15] This gave best results: with *\~98 Gb/s* TX BW and c=7, CPU utilization became *~21%*! (40% with c=4) === Command line options anchor:cml-line[] *--allow-coredump*:: Allow creation of core dump. *--arp-refresh-period *:: Period in seconds between sending of gratuitous ARP for our addresses. Value of 0 means ``never send``. *-c *:: Number of hardware threads to use per interface pair. Use at least 4 for TRex 40Gbs. + TRex uses 2 threads for inner needs. Rest of the threads can be used. Maximum number here, can be number of free threads divided by number of interface pairs. + For virtual NICs on VM, we always use one thread per interface pair. *--cfg *:: TRex configuration file to use. See relevant manual section for all config file options. *--checksum-offload*:: Enable IP, TCP and UDP tx checksum offloading, using DPDK. This requires all used interfaces to support this. *--client_cfg *:: YAML file describing clients configuration. Look link:trex_manual.html#_client_clustering_configuration[here] for details. *-d *:: Duration of the test in seconds. *-e*:: Same as `-p`, but change the src/dst IP according to the port. Using this, you will get all the packets of the same flow from the same port, and with the same src/dst IP. + It will not work good with NBAR as it expects all clients ip to be sent from same direction. *-f *:: Specify traffic YAML configuration file to use. Mandatory option for stateful mode. *--hops *:: Provide number of hops in the setup (default is one hop). Relevant only if the Rx check is enabled. Look link:trex_manual.html#_flow_order_latency_verification[here] for details. *--iom *:: I/O mode. Possible values: 0 (silent), 1 (normal), 2 (short). *--ipv6*:: Convert templates to IPv6 mode. *-k *:: Run ``warm up'' traffic for num seconds before starting the test. This is needed if TRex is connected to switch running spanning tree. You want the switch to see traffic from all relevant source MAC addresses before starting to send real data. Traffic sent is the same used for the latency test (-l option) + Current limitation (holds for TRex version 1.82): does not work properly on VM. *-l *:: In parallel to the test, run latency check, sending packets at rate/sec from each interface. *--learn-mode *:: Learn the dynamic NAT translation. Look link:trex_manual.html#_nat_support[here] for details. *--learn-verify*:: Used for testing the NAT learning mechanism. Do the learning as if DUT is doing NAT, but verify that packets are not actually changed. *--limit-ports *:: Limit the number of ports used. Overrides the ``port_limit'' from config file. *--lm *:: Mask specifying which ports will send traffic. For example, 0x1 - Only port 0 will send. 0x4 - only port 2 will send. This can be used to verify port connectivity. You can send packets from one port, and look at counters on the DUT. *--lo*:: Latency only - Send only latency packets. Do not send packets from the templates/pcap files. *-m *:: Rate multiplier. TRex will multiply the CPS rate of each template by num. *--nc*:: If set, will terminate exacly at the end of the specified duration. This provides faster, more accurate TRex termination. By default (without this option), TRex waits for all flows to terminate gracefully. In case of a very long flow, termination might prolong. *--no-flow-control-change*:: Prevents TRex from changing flow control. By default (without this option), TRex disables flow control at startup for all cards, except for the Intel XL710 40G card. *--no-key*:: Daemon mode, don't get input from keyboard. *--no-watchdog*:: Disable watchdog. *-p*:: Send all packets of the same flow from the same direction. For each flow, TRex will randomly choose between client port and server port, and send all the packets from this port. src/dst IPs keep their values as if packets are sent from two ports. Meaning, we get on the same port packets from client to server, and from server to client. + If you are using this with a router, you can not relay on routing rules to pass traffic to TRex, you must configure policy based routes to pass all traffic from one DUT port to the other. + *-pm *:: Platform factor. If the setup includes splitter, you can multiply all statistic number displayed by TRex by this factor, so that they will match the DUT counters. *-pubd*:: Disable ZMQ monitor's publishers. *--rx-check *:: Enable Rx check module. Using this, each thread randomly samples 1/sample_rate of the flows and checks packet order, latency, and additional statistics for the sampled flows. Note: This feature works on the RX thread. *-v *:: Show debug info. Value of 1 shows debug info on startup. Value of 3, shows debug info during run at some cases. Might slow down operation. *--vlan*:: Relevant only for stateless mode with Intel 82599 10G NIC. When configuring flow stat and latency per stream rules, assume all streams uses VLAN. *-w *:: Wait additional time between NICs initialization and sending traffic. Can be useful if DUT needs extra setup time. Default is 1 second. ifndef::backend-docbook[] endif::backend-docbook[] == Appendix === Simulator The TRex simulator is a linux application (no DPDK needed) that can run on any Linux (it can also run on TRex machine itself). you can create output pcap file from input of traffic YAML. ==== Simulator [source,bash] ---- $./bp-sim-64-debug -f avl/sfr_delay_10_1g.yaml -v 1 -- loading cap file avl/delay_10_http_get_0.pcap -- loading cap file avl/delay_10_http_post_0.pcap -- loading cap file avl/delay_10_https_0.pcap -- loading cap file avl/delay_10_http_browsing_0.pcap -- loading cap file avl/delay_10_exchange_0.pcap -- loading cap file avl/delay_10_mail_pop_0.pcap -- loading cap file avl/delay_10_mail_pop_1.pcap -- loading cap file avl/delay_10_mail_pop_2.pcap -- loading cap file avl/delay_10_oracle_0.pcap -- loading cap file avl/delay_10_rtp_160k_full.pcap -- loading cap file avl/delay_10_rtp_250k_full.pcap -- loading cap file avl/delay_10_smtp_0.pcap -- loading cap file avl/delay_10_smtp_1.pcap -- loading cap file avl/delay_10_smtp_2.pcap -- loading cap file avl/delay_10_video_call_0.pcap -- loading cap file avl/delay_10_sip_video_call_full.pcap -- loading cap file avl/delay_10_citrix_0.pcap -- loading cap file avl/delay_10_dns_0.pcap id,name , tps, cps,f-pkts,f-bytes, duration, Mb/sec, MB/sec, c-flows, PPS,total-Mbytes-duration,errors,flows #<2> 00, avl/delay_10_http_get_0.pcap ,404.52,404.52, 44 , 37830 , 0.17 , 122.42 , 15.30 , 67 , 17799 , 2 , 0 , 1 01, avl/delay_10_http_post_0.pcap ,404.52,404.52, 54 , 48468 , 0.21 , 156.85 , 19.61 , 85 , 21844 , 2 , 0 , 1 02, avl/delay_10_https_0.pcap ,130.87,130.87, 96 , 91619 , 0.22 , 95.92 , 11.99 , 29 , 12564 , 1 , 0 , 1 03, avl/delay_10_http_browsing_0.pcap ,709.89,709.89, 37 , 34425 , 0.13 , 195.50 , 24.44 , 94 , 26266 , 2 , 0 , 1 04, avl/delay_10_exchange_0.pcap ,253.81,253.81, 43 , 9848 , 1.57 , 20.00 , 2.50 , 400 , 10914 , 0 , 0 , 1 05, avl/delay_10_mail_pop_0.pcap ,4.76,4.76, 20 , 5603 , 0.17 , 0.21 , 0.03 , 1 , 95 , 0 , 0 , 1 06, avl/delay_10_mail_pop_1.pcap ,4.76,4.76, 114 , 101517 , 0.25 , 3.86 , 0.48 , 1 , 543 , 0 , 0 , 1 07, avl/delay_10_mail_pop_2.pcap ,4.76,4.76, 30 , 15630 , 0.19 , 0.60 , 0.07 , 1 , 143 , 0 , 0 , 1 08, avl/delay_10_oracle_0.pcap ,79.32,79.32, 302 , 56131 , 6.86 , 35.62 , 4.45 , 544 , 23954 , 0 , 0 , 1 09, avl/delay_10_rtp_160k_full.pcap ,2.78,8.33, 1354 , 1232757 , 61.24 , 27.38 , 3.42 , 170 , 3759 , 0 , 0 , 3 10, avl/delay_10_rtp_250k_full.pcap ,1.98,5.95, 2069 , 1922000 , 61.38 , 30.48 , 3.81 , 122 , 4101 , 0 , 0 , 3 11, avl/delay_10_smtp_0.pcap ,7.34,7.34, 22 , 5618 , 0.19 , 0.33 , 0.04 , 1 , 161 , 0 , 0 , 1 12, avl/delay_10_smtp_1.pcap ,7.34,7.34, 35 , 18344 , 0.21 , 1.08 , 0.13 , 2 , 257 , 0 , 0 , 1 13, avl/delay_10_smtp_2.pcap ,7.34,7.34, 110 , 96544 , 0.27 , 5.67 , 0.71 , 2 , 807 , 0 , 0 , 1 14, avl/delay_10_video_call_0.pcap ,11.90,11.90, 2325 , 2532577 , 36.56 , 241.05 , 30.13 , 435 , 27662 , 3 , 0 , 1 15, avl/delay_10_sip_video_call_full.pcap ,29.35,58.69, 1651 , 120315 , 24.56 , 28.25 , 3.53 , 721 , 48452 , 0 , 0 , 2 16, avl/delay_10_citrix_0.pcap ,43.62,43.62, 272 , 84553 , 6.23 , 29.51 , 3.69 , 272 , 11866 , 0 , 0 , 1 17, avl/delay_10_dns_0.pcap ,1975.02,1975.02, 2 , 162 , 0.01 , 2.56 , 0.32 , 22 , 3950 , 0 , 0 , 1 00, sum ,4083.86,93928.84, 8580 , 6413941 , 0.00 , 997.28 , 124.66 , 2966 , 215136 , 12 , 0 , 23 Memory usage size_64 : 1687 size_128 : 222 size_256 : 798 size_512 : 1028 size_1024 : 86 size_2048 : 4086 Total : 8.89 Mbytes 159% util #<1> ---- <1> the memory usage of the templates <2> CSV for all the templates === firmware update to XL710/X710 anchor:xl710-firmware[] To upgrade the firmware follow this ==== Download the driver *Download driver i40e from link:https://downloadcenter.intel.com/download/24411/Network-Adapter-Driver-for-PCI-E-40-Gigabit-Network-Connections-under-Linux-[here] *Build the kernel module [source,bash] ---- $tar -xvzf i40e-1.3.47 $cd i40e-1.3.47/src $make $sudo insmod i40e.ko ---- ==== Bind the NIC to Linux In this stage we bind the NIC to Linux (take it from DPDK) [source,bash] ---- $sudo ./dpdk_nic_bind.py --status # show the ports Network devices using DPDK-compatible driver ============================================ 0000:02:00.0 'Device 1583' drv=igb_uio unused= #<1> 0000:02:00.1 'Device 1583' drv=igb_uio unused= #<2> 0000:87:00.0 'Device 1583' drv=igb_uio unused= 0000:87:00.1 'Device 1583' drv=igb_uio unused= $sudo dpdk_nic_bind.py -u 02:00.0 02:00.1 #<3> $sudo dpdk_nic_bind.py -b i40e 02:00.0 02:00.1 #<4> $ethtool -i p1p2 #<5> driver: i40e version: 1.3.47 firmware-version: 4.24 0x800013fc 0.0.0 #<6> bus-info: 0000:02:00.1 supports-statistics: yes supports-test: yes supports-eeprom-access: yes supports-register-dump: yes supports-priv-flags: yes $ethtool -S p1p2 $lspci -s 02:00.0 -vvv #<7> ---- <1> XL710 ports that need to unbind from DPDK <2> XL710 ports that need to unbind from DPDK <3> Unbind from DPDK using this command <4> Bind to linux to i40e driver <5> Show firmware version throw linux driver <6> Firmare version <7> More info ==== Upgrade Download NVMUpdatePackage.zip from Intel site link:http://downloadcenter.intel.com/download/24769/NVM-Update-Utility-for-Intel-Ethernet-Converged-Network-Adapter-XL710-X710-Series[here] It includes the utility `nvmupdate64e` Run this: [source,bash] ---- $sudo ./nvmupdate64e ---- You might need a power cycle and to run this command a few times to get the latest firmware ==== QSFP+ support for XL710 see link:https://www.google.co.il/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjJhPSH3b3LAhUp7nIKHSkACUYQFggaMAA&url=http%3A%2F%2Fwww.intel.co.id%2Fcontent%2Fdam%2Fwww%2Fpublic%2Fus%2Fen%2Fdocuments%2Frelease-notes%2Fxl710-ethernet-controller-feature-matrix.pdf&usg=AFQjCNFhwozfz-XuKGMOy9_MJDbetw15Og&sig2=ce7YU9F9Et6xf6KvqSFBxg&bvm=bv.116636494,d.bGs[QSFP+ support] for QSFP+ support and Firmware requirement for XL710 === TRex with ASA 5585 When running TRex aginst ASA 5585, you have to notice following things: * ASA can't forward ipv4 options, so there is a need to use --learn-mode 1 (or 3) in case of NAT. In this mode, bidirectional UDP flows are not supported. --learn-mode 1 support TCP sequence number randomization in both sides of the connection (client to server and server client). For this to work, TRex must learn the translation of packets from both sides, so this mode reduce the amount of connections per second TRex can generate (The number is still high enough to test any existing firewall). If you need higher cps rate, you can use --learn-mode 3. This mode handles sequence number randomization on client->server side only. * Latency should be tested using ICMP with `--l-pkt-mode 2` ==== ASA 5585 sample configuration [source,bash] ---- ciscoasa# show running-config : Saved : : Serial Number: JAD194801KX : Hardware: ASA5585-SSP-10, 6144 MB RAM, CPU Xeon 5500 series 2000 MHz, 1 CPU (4 cores) : ASA Version 9.5(2) ! hostname ciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Management0/0 management-only nameif management security-level 100 ip address 10.56.216.106 255.255.255.0 ! interface TenGigabitEthernet0/8 nameif inside security-level 100 ip address 15.0.0.1 255.255.255.0 ! interface TenGigabitEthernet0/9 nameif outside security-level 0 ip address 40.0.0.1 255.255.255.0 ! boot system disk0:/asa952-smp-k8.bin ftp mode passive pager lines 24 logging asdm informational mtu management 1500 mtu inside 9000 mtu outside 9000 no failover no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp outside 40.0.0.2 90e2.baae.87d1 arp inside 15.0.0.2 90e2.baae.87d0 arp timeout 14400 no arp permit-nonconnected route management 0.0.0.0 0.0.0.0 10.56.216.1 1 route inside 16.0.0.0 255.0.0.0 15.0.0.2 1 route outside 48.0.0.0 255.0.0.0 40.0.0.2 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 management no snmp-server location no snmp-server contact crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet 0.0.0.0 0.0.0.0 management telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 ! tls-proxy maximum-session 1000 ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map icmp-class match default-inspection-traffic class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map icmp_policy class icmp-class inspect icmp policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global service-policy icmp_policy interface outside prompt hostname context ! jumbo-frame reservation ! no call-home reporting anonymous : end ciscoasa# ---- ==== TRex commands example Using these commands the configuration is: 1. NAT learn mode (TCP-ACK) 2. Delay of 1 second at start up (-k 1). It was added because ASA drops the first packets. 3. Latency is configured to ICMP reply mode (--l-pkt-mode 2). *Simple HTTP:*:: [source,bash] ---- $sudo ./t-rex-64 -f cap2/http_simple.yaml -d 1000 -l 1000 --l-pkt-mode 2 -m 1000 --learn-mode 1 -k 1 ---- This is more realistic traffic for enterprise (we removed from SFR file the bidirectional UDP traffic templates, which (as described above), are not supported in this mode). *Enterprise profile:*:: [source,bash] ---- $sudo ./t-rex-64 -f avl/sfr_delay_10_1g_asa_nat.yaml -d 1000 -l 1000 --l-pkt-mode 2 -m 4 --learn-mode 1 -k 1 ---- The TRex output [source,bash] ---- -Per port stats table ports | 0 | 1 ----------------------------------------------------------------------------------------- opackets | 106347896 | 118369678 obytes | 33508291818 | 118433748567 ipackets | 118378757 | 106338782 ibytes | 118434305375 | 33507698915 ierrors | 0 | 0 oerrors | 0 | 0 Tx Bw | 656.26 Mbps | 2.27 Gbps -Global stats enabled Cpu Utilization : 18.4 % 31.7 Gb/core Platform_factor : 1.0 Total-Tx : 2.92 Gbps NAT time out : 0 #<1> (0 in wait for syn+ack) #<1> Total-Rx : 2.92 Gbps NAT aged flow id: 0 #<1> Total-PPS : 542.29 Kpps Total NAT active: 163 (12 waiting for syn) Total-CPS : 8.30 Kcps Nat_learn_errors: 0 Expected-PPS : 539.85 Kpps Expected-CPS : 8.29 Kcps Expected-BPS : 2.90 Gbps Active-flows : 7860 Clients : 255 Socket-util : 0.0489 % Open-flows : 3481234 Servers : 5375 Socket : 7860 Socket/Clients : 30.8 drop-rate : 0.00 bps #<1> current time : 425.1 sec test duration : 574.9 sec -Latency stats enabled Cpu Utilization : 0.3 % if| tx_ok , rx_ok , rx ,error, average , max , Jitter , max window | , , check, , latency(usec),latency (usec) ,(usec) , ---------------------------------------------------------------------------------------------------------------- 0 | 420510, 420495, 0, 1, 58 , 1555, 14 | 240 257 258 258 219 930 732 896 830 472 190 207 729 1 | 420496, 420509, 0, 1, 51 , 1551, 13 | 234 253 257 258 214 926 727 893 826 468 187 204 724 ---- <1> These counters should be zero anchor:fedora21_example[] === Fedora 21 Server installation Download the .iso file from link above, boot with it using Hypervisor or CIMC console. + Troubleshooting -> install in basic graphics mode * In packages selection, choose: ** C Development Tools and Libraries ** Development Tools ** System Tools * Set Ethernet configuration if needed * Use default hard-drive partitions, reclaim space if needed * After installation, edit file /etc/selinux/config + set: + SELINUX=disabled * Run: + systemctl disable firewalld * Edit file /etc/yum.repos.d/fedora-updates.repo + set everywhere: + enabled=0 * Reboot === Configure Linux host as network emulator There are lots of Linux tutorials on the web, so this will not be full tutorial, only highlighting some key points. Commands were checked on Ubuntu system. For this example: 1. TRex Client side network is 16.0.0.x 2. TRex Server side network is 48.0.0.x 3. Linux Client side network eth0 is configured with IPv4 as 172.168.0.1 4. Linux Server side network eth1 is configured with IPv4 as 10.0.0.1 [source,bash] ---- TRex-0 (16.0.0.1->48.0.0.1 ) <--> ( 172.168.0.1/255.255.0.0)-eth0 [linux] -( 10.0.0.1/255.255.0.0)-eth1 <--> TRex-1 (16.0.0.1<-48.0.0.1) ---- ==== Enable forwarding One time (will be discarded after reboot): + [source,bash] ---- echo 1 > /proc/sys/net/ipv4/ip_forward ---- To make this permanent, add the following line to the file /etc/sysctl.conf: + ---- net.ipv4.ip_forward=1 ---- ==== Add static routes Example if for the default TRex networks, 48.0.0.0 and 16.0.0.0. Routing all traffic from 48.0.0.0 to the gateway 10.0.0.100 [source,bash] ---- route add -net 48.0.0.0 netmask 255.255.0.0 gw 10.0.0.100 ---- Routing all traffic from 16.0.0.0 to the gateway 172.168.0.100 [source,bash] ---- route add -net 16.0.0.0 netmask 255.255.0.0 gw 172.168.0.100 ---- If you use stateless mode, and decide to add route only in one direction, remember to disable reverse path check. + For example, to disable on all interfaces: [source,bash] ---- for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i done ---- Alternatively, you can edit /etc/network/interfaces, and add something like this for both ports connected to TRex. This will take effect, only after restarting networking (rebooting the machine in an alternative also). ---- auto eth1 iface eth1 inet static address 16.0.0.100 netmask 255.0.0.0 network 16.0.0.0 broadcast 16.255.255.255 ... same for 48.0.0.0 ---- ==== Add static ARP entries [source,bash] ---- sudo arp -s 10.0.0.100 sudo arp -s 172.168.0.100 eth6 (Down) mlx5_1 port 1 ==> eth7 (Down) ----- ==== TRex specific implementation details TRex uses flow director filter to steer specific packets to specific queues. To support that we change IPv4.TOS/Ipv6.TC LSB to *1* to be steered. So latency packets will have this bit turn on (not only for ConnectX-4) Watch out, In case DUT will clear this bit (change the TOS with LSB==0, e.g. 0x3->0x2) packets won't be forward to TRex. ==== Which NIC to buy? NIC with two ports will work better from performance prospective, so it is better to have MCX455A-ECAT(two 100gb port) and *not* the MCX456A-ECAT (one 100gb port). ==== Limitation/Issues * Stateless per stream statistic is not supported yet * link:https://trex-tgn.cisco.com/youtrack/issue/trex-260[64B performance issue] * link:https://trex-tgn.cisco.com/youtrack/issue/trex-261[Latency issue] * link:https://trex-tgn.cisco.com/youtrack/issue/trex-262[Statful RX out of order] === Cisco VIC support anchor:ciscovic_support[] * Only 1300 series Cisco adapter * Firmware version 2.0(13) for UCS C-series servers * Firmware version 3.1(2) for blade servers supports more filtering capabilities. * The feature can be enabled via Cisco CIMC or USCM with the 'advanced filters' radio button. When enabled, the these additional flow director modes are available: RTE_ETH_FLOW_NONFRAG_IPV4_OTHER RTE_ETH_FLOW_NONFRAG_IPV4_SCTP RTE_ETH_FLOW_NONFRAG_IPV6_UDP RTE_ETH_FLOW_NONFRAG_IPV6_TCP RTE_ETH_FLOW_NONFRAG_IPV6_SCTP RTE_ETH_FLOW_NONFRAG_IPV6_OTHER ==== Limitation/Issues * Stateless per stream statistic is not supported yet * link:https://trex-tgn.cisco.com/youtrack/issue/trex-265[flow-director]