fir3net

Brocade ADX - How to tune/configure the TCP stack

Introduction

There are 2 main methods for configuring the TCP stack on an ADX: globally or via a TCP profile. This article looks at the main configuration settings available, such as how to configure Nagle, SACK and Window Scaling.

TCP Profiles

TCP profiles allow you to modify the TCP parameters on a specific port at a virtual server level.
Both client-side and server-side profiles are defined and assigned. There are 4 main methods of assignment, as shown below.

	ADX(config)# server VIP_192.168.1.100 192.168.1.100
	ADX(config-vs-192.168.1.100)# port ssl ssl-proxy <clientprofile> <serverprofile>
	
	ADX(config)# server VIP_192.168.1.100 192.168.1.100
	ADX(config-vs-192.168.1.100)# port ssl ssl-terminate <clientprofile> <serverprofile>
	
	ADX(config)# ssl profile myprofile
	ADX(config-ssl-profile-myprofile)# tcp-profile client-profile
	ADX(config)# server VIP_192.168.1.100 192.168.1.100
	ADX(config-vs-192.168.1.100)# port ssl ssl-terminate sslprofile myprofile
	
	ADX(config)# server VIP_192.168.1.100 192.168.1.100
	ADX(config-vs-192.168.1.100)# port http tcp-proxy <clientprofile> <serverprofile>

Note:

  • As shown above, there are 2 methods for assigning a TCP profile to an SSL-terminated port: within the SSL profile or directly on the virtual server.
  • Once TCP profiles are assigned to an http port, traffic is proxied as it passes through the virtual server. This is worth noting because, by default, http traffic is not proxied when passing through a virtual server.

Selective ACK

Selective ACK is a TCP feature that allows the receiver to ACK only certain packets within the TCP window. This then allows the sender to resend only the lost segments rather than the whole window.

By default, the ADX removes this option from the TCP header during the 3-way handshake, resulting in SACK being disabled. To enable SACK (i.e. prevent the SACK option from being removed), syn-proxy must be enabled.

To enable syn-proxy globally the following syntax is used:

	ADX(config)# ip tcp syn-proxy

Note: Please be aware that enabling the SYN-Proxy feature can have an impact on memory consumption.

Window Scaling

Window Scaling is an extension to the TCP Windowing feature. Window Scaling allows the window size to exceed the standard size of 65,535 bytes.

Prior to version 12.4f the Window Scale option was not supported. This meant that, during the 3-way handshake, the WS (Window Scale) option was not propagated to the server, which in turn disabled the use of Window Scaling by either side.

To enable Window Scaling (in 12.4f and higher), a TCP profile can be configured specifying the WS value.

	ADX(config)# tcp profile client-profile
	ADX(config-client-profile)# tcp-wnd-scale 1
	
	ADX(config)# tcp profile server-profile
	ADX(config-server-profile)# tcp-wnd-scale 1
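
To confirm that the SACK and Window Scale options described above actually survive the handshake, the TCP options in a SYN captured on the client side can be compared with the SYN seen on the server side. The following is an added example, not part of the original article or of any Brocade tooling; the function names are hypothetical, the inputs are raw TCP headers (IP header already removed), and the two sample headers are constructed.

```python
import struct

KIND_EOL, KIND_NOP, KIND_MSS, KIND_WS, KIND_SACK_PERM = 0, 1, 2, 3, 4  # TCP option kinds

def parse_syn_options(tcp_header: bytes) -> dict:
    """Extract MSS, window scale and SACK-permitted from a SYN/SYN-ACK TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (tcp_header[12] >> 4) * 4          # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:hdr_len]
    found = {"mss": None, "wscale": None, "sack_permitted": False}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:                     # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == KIND_MSS and length == 4:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == KIND_WS and length == 3:
            found["wscale"] = body[0]
        elif kind == KIND_SACK_PERM and length == 2:
            found["sack_permitted"] = True
        i += length
    return found

def stripped_options(client_syn: bytes, server_syn: bytes) -> list:
    """Names of options the client offered that are missing from the SYN the server received."""
    before, after = parse_syn_options(client_syn), parse_syn_options(server_syn)
    lost = []
    if before["sack_permitted"] and not after["sack_permitted"]:
        lost.append("sack_permitted")
    if before["wscale"] is not None and after["wscale"] is None:
        lost.append("wscale")
    return lost

# Constructed sample headers (not real captures): a SYN as sent by the client, and the
# SYN as seen on the server side of the load balancer with SACK and WS removed.
CLIENT_SYN = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, 0x80, 0x02, 65535, 0, 0) \
    + bytes.fromhex("020405b4" "01030307" "01010402")
SERVER_SYN = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, 0x60, 0x02, 65535, 0, 0) \
    + bytes.fromhex("020405b4")

if __name__ == "__main__":
    print("client offered:", parse_syn_options(CLIENT_SYN))
    print("stripped in transit:", stripped_options(CLIENT_SYN, SERVER_SYN))
```

An empty list from stripped_options means both options reached the server; run it before and after applying syn-proxy or tcp-wnd-scale to see the difference.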

TX/RX Buffers

Both the TX (send) and RX (receive) buffers can be configured within the TCP profile(s). The maximum buffer size is 3145278, the default is 0.

	ADX(config)# tcp profile client-profile
	ADX(config-client-profile)# rxbuf-size <0 to 3145278>
	ADX(config-client-profile)# txbuf-size <0 to 3145278>

Nagle

The Nagle algorithm is a method to alleviate network overhead by combining a number of smaller packets into one.
To disable Nagle the following syntax is used:

	ADX(config)# tcp profile client-profile
	ADX(config-tcp-profile-client-profile)# nagle off

Delayed ACK

Delayed ACK is a technique to prevent the receiver from having to acknowledge every data segment.
To disable delayed ACK the following syntax is used:

	ADX(config)# tcp profile client-profile
	ADX(config-tcp-profile-client-profile)# delayed-ack off

Push-Bit Off

By default, all egress data packets are sent with the PUSH flag set. This can be disabled with the following syntax:

	ADX(config)# tcp profile client-profile
	ADX(config-tcp-profile-client-profile)# push-bit off

Tags: ADX, TCP

About the Author

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001