What Is Cut-Through Switching?

deanwebb · April 21, 2022, 10:05:59 AM

That came up in a conversation today and I've never heard it before. Guy was asking if /32 masking for IPv4 and /128 on IPv6 would be recommended as a possible security measure. Before I get into the security, I'd like to know what the cut-through switching is in the first place.

Otanx · April 21, 2022, 10:58:54 AM

cut-through vs store and forward. This is basically the two ways that switches forward packets.

cut-through: As soon as the switch reads the destination MAC address it starts forwarding the frame out the destination port. If you remember what a L2 frame looks like the destination MAC is the first thing in the packet. This lets the switch begin forwarding the frame quickly, and helps reduce the need for buffers to store the entire frame. The downside is that if there is corruption further into the frame the switch won't see this before it has started forwarding the frame, and so the error will propagate.

store and forward: The switch waits for the entire frame to show up, and then makes the forwarding decision. Requires bigger buffers in the switches (especially when doing jumbo frames), but can prevent bad frames from moving forward because the switch can check FCS before sending it on.

I would say normally nobody really cares what the switch uses. Even the speed increase of cut through is very small. There are also cases where a cut through switch will use store and forward. Going off memory it will move to store and forward if the outbound link is faster than the inbound. If you try to cut through a frame coming into the switch at 1G out an interface running at 10G you end up with a lot of empty time while you wait for the rest of the frame to show up at 1G.

I would also wonder what security measure he thinks a subnet mask gives.

-Otanx

deanwebb · April 21, 2022, 11:18:28 AM

This person was saying that cut-through minimizes "the penalty from routing versus switching."

But it sounds to me like that's not really the case, is it?

Otanx · April 21, 2022, 12:48:11 PM

I guess in theory you could say that. I wouldn't. I doubt you could measure the difference without getting some really expensive testing hardware. We are talking about micro seconds or less of delay for either. So unless you are working on a high frequency trading network nobody would really care. Maybe 30 or 40 years ago when routing was slow it mattered.

-Otanx

deanwebb · April 21, 2022, 01:50:39 PM

So thinking about the security angle, a bazillion /32 routes would kill the TCAM memory, especially if we also want ACLs hosted on that switch if it is L2/L3. And unless all the traffic is being forced through an enforcement point so that it's all north-south and zero east-west, you don't get a security benefit from everything being a /32 network.

Otanx · April 21, 2022, 02:57:13 PM

A bazillion of any kind of route would kill TCAM. Last time I looked unless it was locked behind licensing (looking at you Cisco) anything that could do routing could handle 256K routes. Then it just becomes a routing design question. Advertise aggregates when appropriate to reduce the route table size.

You also don't have to use routing to send traffic through an enforcement point. It is probably the most common way, but you can put a firewall inline at layer2, and filter traffic. Even 802.1x can be used to apply an ACL to a port.

-Otanx

deanwebb · April 21, 2022, 06:38:56 PM

But if we have zero trust architecture, we're getting rid of trusted zones, so all traffic has to pass through an enforcement point of some sort - the local ACL can be one such - or the endpoint itself becomes an enforcement point if the right agents are running.

Otanx · April 22, 2022, 10:35:27 AM

For zero trust the endpoint MUST be the enforcement point. Otherwise the endpoint is trusting the network to be the enforcement point. The common design style I see with zero trust is using certificates and having the client and server both validate each others certs. If the traffic can't be setup with certificates then you build a host to host IPSec tunnel using certificates and route the traffic over that. This is why zero trust is really hard. The applications have to support it or you end up with a lot of overhead that does not scale.

-Otanx

icecream-guy · April 24, 2022, 06:51:08 AM

ok, so lets put a host on the network with a /32 mask

take my PC here

lets configure the IP address 192.168.1.1
lets configure the mask 255.255.255.255
next. lets configure the default gateway, what would we use?
The default gateway needs to be on the same network for L3 to function.
here our network contains a single IP. there is no other IP available on this network for a default gateway
so how would the PC work on the network?

deanwebb · April 24, 2022, 11:30:50 AM

True and true!