HP 3500yl, 5200zl manual Policy Enforcement Engine benefits, Wire-speed performance for ACLs

Page 46

Policy Enforcement Engine benefits

The Policy Enforcement Engine has several benefits:

Granular policy enforcement

The initial software release on these products uses a subset of the full Policy Enforcement Engine capabilities, providing a common front end in the user interface for ACLs, QoS, Rate-Limiting, and Guaranteed Minimum Bandwidth controls. When fully implemented in later software releases, the Policy Enforcement Engine will provide a powerful, flexible method for controlling the network environment. For example, traffic from a specific application (identified by TCP/UDP port) can be raised in priority (QoS) for some users (identified by IP address), blocked (ACL) for other users, and limited in bandwidth (Rate-Limiting) for yet others.

The Policy Enforcement Engine provides fast packet classification for ACL and QoS rules and for the Rate Limiting and Guaranteed Minimum Bandwidth counters. Classification parameters include source and destination IP addresses, which can be used to follow specific users, and TCP/UDP port numbers and ranges, which are useful for applications that use fixed port numbers. More than 14 different packet fields can be combined to specify the packets to which ACL, QoS, Rate Limiting, and Guaranteed Minimum Bandwidth controls apply.

Hardware-based performance

As noted earlier in this document, the Policy Enforcement Engine is part of the ProVision ASIC. Packet selection is performed in hardware at wire speed, except for some very complex rule sets. Sophisticated control can therefore be implemented without adversely affecting the performance of the network.

Works with Identity Driven Manager

HP ProCurve Identity Driven Manager (IDM) provides centralized definition of the policies to be applied to each user. The IDM policy requests sent down to the switch set up that user's profile in the Policy Enforcement Engine, so that the per-user ACL, QoS, and Rate-Limiting parameters enforced by the switch come directly from the policy defined in IDM.

Wire-speed performance for ACLs

At the heart of the Policy Enforcement Engine is a memory area called the Ternary Content Addressable Memory (TCAM) that is contained within the ProVision ASIC along with the surrounding code for the Policy Enforcement Engine.

It is this specialized memory that allows the ProVision ASIC to process ACLs at wire speed. Multiple lookups in the TCAM can be performed per packet at the packet sizes typically found in customers' production networks. In a typical network the average packet size is about 500 bytes; with maximum lookups enabled, ProVision ASIC performance is optimal for an average packet length of 200 bytes or more, which covers the range of packet sizes seen in typical networks. Performance for traffic whose average packet size is well below 200 bytes is not covered by this figure.

The TCAM supports approximately 3,000 entries, which are shared among the various traffic controls, including ACLs. For most customers this quantity is more than adequate to keep ACL processing at wire speed. Keep in mind, however, that a single ACL entry may consist of multiple criteria, such as a specific IP address combined with a TCP or UDP port number, so the number of TCAM entries an ACL consumes is not simply the number of lines in the ACL.

In the initial release, the contents of the TCAM are common to all of the line interface modules installed in a switch, so the same set of entries, and the same capacity limit, applies across every module rather than each module having its own independent table. For example, an HP ProCurve Switch 5406zl may have up to 6 line interface modules, and an HP ProCurve Switch 5412zl may have up to 12.
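To make the classification parameters and the entry budget above concrete, the following is an added example written for this page; it is not HP code and does not describe how the ProVision ASIC actually lays out or expands its TCAM. It models a TCAM as an ordered list of (value, mask) pairs over a five-field key (source IP, destination IP, protocol, source port, destination port), expands port ranges into prefix-style ternary entries (the usual reason one ACL line consumes several hardware entries; the ASIC's real expansion is an assumption here), and checks the total against the approximately 3,000-entry figure from the page. The sample ACL, the key layout, and the implicit deny default are all constructed for illustration.

```python
"""Added example: a software model of TCAM-style ACL classification.

Key layout (assumed, not the ASIC's): bits 72-103 src IP, 40-71 dst IP,
32-39 protocol, 16-31 src port, 0-15 dst port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCAM_CAPACITY = 3000  # approximate figure from the page, shared by all controls


def range_to_prefixes(lo: int, hi: int, width: int = 16) -> List[Tuple[int, int]]:
    """Expand an inclusive integer range into (value, mask) prefix entries.

    Each entry covers an aligned power-of-two block; e.g. 1024-65535 needs 6.
    """
    out = []
    limit = 1 << width
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside [lo, hi]
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi and size * 2 <= limit:
            size *= 2
        mask = (limit - 1) & ~(size - 1)
        out.append((lo, mask))
        lo += size
    return out


@dataclass
class Ace:
    """One access control entry. None / 0.0.0.0/0 / (0, 65535) mean 'any'."""
    action: str
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)


def ace_to_tcam(ace: Ace) -> List[Tuple[int, int, str]]:
    """Expand one ACE into hardware-style (value, mask, action) entries."""
    s = ipaddress.ip_network(ace.src, strict=False)
    d = ipaddress.ip_network(ace.dst, strict=False)
    proto_val = ace.proto or 0
    proto_mask = 0xFF if ace.proto is not None else 0
    entries = []
    # a range on both ports multiplies out: (#src prefixes) x (#dst prefixes)
    for sp_v, sp_m in range_to_prefixes(*ace.sport):
        for dp_v, dp_m in range_to_prefixes(*ace.dport):
            value = ((int(s.network_address) << 72) | (int(d.network_address) << 40)
                     | (proto_val << 32) | (sp_v << 16) | dp_v)
            mask = ((int(s.netmask) << 72) | (int(d.netmask) << 40)
                    | (proto_mask << 32) | (sp_m << 16) | dp_m)
            entries.append((value, mask, ace.action))
    return entries


def compile_acl(aces: List[Ace], default: str = "deny"):
    """Flatten an ordered ACL into a TCAM table; refuse it if over capacity."""
    table = []
    for ace in aces:
        table.extend(ace_to_tcam(ace))
    if len(table) > TCAM_CAPACITY:
        raise ValueError(f"ACL needs {len(table)} TCAM entries; capacity is ~{TCAM_CAPACITY}")
    return table, default


def classify(table, default, src, dst, proto, sport, dport) -> str:
    """Single ternary lookup: the first matching entry (highest priority) wins."""
    key = ((int(ipaddress.ip_address(src)) << 72) | (int(ipaddress.ip_address(dst)) << 40)
           | (proto << 32) | (sport << 16) | dport)
    for value, mask, action in table:
        if key & mask == value:
            return action
    return default  # assumed implicit deny when nothing matches


# Constructed sample ACL: three lines, but 1 + 6 + 1 = 8 TCAM entries.
ACL = [
    Ace("permit", proto=6, src="10.1.0.0/16", dst="10.2.0.10/32", dport=(443, 443)),
    Ace("deny", proto=6, src="10.1.0.0/16", dst="10.2.0.0/24", dport=(1024, 65535)),
    Ace("permit", proto=17, dst="10.2.0.53/32", dport=(53, 53)),
]

if __name__ == "__main__":
    table, default = compile_acl(ACL)
    print(f"{len(ACL)} ACL lines -> {len(table)} TCAM entries of ~{TCAM_CAPACITY}")
    print(classify(table, default, "10.1.5.5", "10.2.0.10", 6, 40000, 443))   # permit
    print(classify(table, default, "10.1.5.5", "10.2.0.10", 6, 40000, 8080))  # deny
    print(classify(table, default, "10.1.5.5", "10.2.0.10", 6, 40000, 22))    # deny (default)
```

The point a practitioner should take from this is the multiplication in `ace_to_tcam`: an ACE that specifies a range on both the source and destination port (for example 1024-65535 on each) costs 36 entries under prefix expansion, so a few such lines consume a disproportionate share of a budget that ACLs share with QoS and rate-limiting rules across the whole switch.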

