HP 3500yl, 5200zl manual Policy Enforcement Engine benefits, Wire-speed performance for ACLs

Models: 5200zl 3500yl

Page 46

Policy Enforcement Engine benefits

The Policy Enforcement Engine has several benefits:

Granular policy enforcement

The initial software release on these products takes advantage of a subset of the full Policy Enforcement Engine capabilities, which will provide a common front end for the user interface to ACLs, QoS, Rate-Limiting, and Guaranteed Minimum Bandwidth controls. Fully implemented in later software releases, the Policy Enforcement Engine provides a powerful, flexible method for controlling the network environment. For example, traffic from a specific application (TCP/UDP port) can be raised in priority (QoS) for some users (IP address), blocked (ACL) for some other users, and limited in bandwidth (Rate-Limiting) for yet other users.

The Policy Enforcement Engine provides fast packet classification to be applied to ACLs and QoS rules, and Rate Limiting and Guaranteed Minimum Bandwidth counters. Parameters that can be used include source and destination IP addresses, which can follow specific users, and TCP/UDP port numbers and ranges, which are useful for applications that use fixed port numbers. Over 14 different variables can be used to specify the packets to which ACL, QoS, Rate Limiting, and Guaranteed Minimum Bandwidth controls are to be applied.

Hardware-based performance

As mentioned above, the Policy Enforcement Engine is part of the ProVision ASIC. Packet selection is done in hardware at wire speed, except for some very involved rule configurations. Therefore, very sophisticated control can be implemented without adversely affecting the performance of the network.

Works with Identity Driven Manager

HP ProCurve Identity Driven Manager (IDM) provides a central point from which to define the policies applied to each user. The IDM policy requests sent down to the switch set up the user profile in the Policy Enforcement Engine, so that the per-user ACL, QoS, and Rate-Limiting parameters are taken from the actual policy defined in IDM.

Wire-speed performance for ACLs

At the heart of the Policy Enforcement Engine is a memory area called the Ternary Content Addressable Memory (TCAM) that is contained within the ProVision ASIC along with the surrounding code for the Policy Enforcement Engine.

It is this specialized memory area that helps the ProVision ASIC achieve wire-speed performance when processing ACLs for packets. In fact, multiple passes through the TCAM can be performed for packet sizes that are typically found in customers’ production networks. For the typical network, the average packet size will tend to be about 500 bytes. When maximum lookups are enabled, the ProVision ASIC performance is optimal for an average packet length of 200 bytes or more, which includes the range of packet sizes in typical networks.

The TCAM can support approximately 3,000 data entries that may be used to represent various traffic controls, including ACLs. For most customers, this quantity of entries will be more than adequate to ensure wire-speed performance for ACL processing. Keep in mind that each ACL entry may consist of multiple criteria such as a specific IP address and TCP or UDP port number.
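To make the TCAM behaviour described above concrete, here is an added Python model (not HP code from this manual) of ternary ACL matching on the fields the page names: source and destination IP, protocol and TCP/UDP port. It assumes a first-match-wins lookup and, as a common TCAM property that the page does not spell out, that a port range consumes one entry per power-of-two aligned block, which is one reason a single ACL rule can occupy several of the roughly 3,000 entries.

```python
import ipaddress

# A TCAM entry holds a (value, mask) pair per field; a packet matches when
# packet_bits & mask == value for every field. Entries are searched in
# priority order and the first hit decides the action (single lookup pass).
FIELDS = ("src", "dst", "proto", "dport")

def ip_field(cidr):
    """Turn a prefix such as 10.1.0.0/16 into a (value, mask) pair."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.netmask)

def port_range_to_entries(lo, hi):
    """Split a TCP/UDP port range into the fewest (value, mask) blocks;
    only power-of-two aligned ranges fit a single ternary entry."""
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return blocks

def compile_rule(action, src, dst, proto, port_lo, port_hi):
    """One ACL rule occupies one TCAM entry per port block; proto=None is any."""
    proto_field = (0, 0) if proto is None else (proto, 0xFF)
    return [{"action": action, "src": ip_field(src), "dst": ip_field(dst),
             "proto": proto_field, "dport": block}
            for block in port_range_to_entries(port_lo, port_hi)]

def build_tcam(rules):
    """Flatten an ordered ACL (tuples of compile_rule arguments) into entries."""
    return [entry for rule in rules for entry in compile_rule(*rule)]

def make_packet(src, dst, proto, dport):
    return {"src": int(ipaddress.ip_address(src)),
            "dst": int(ipaddress.ip_address(dst)), "proto": proto, "dport": dport}

def tcam_lookup(tcam, pkt):
    """First-match classification; None when no entry matches."""
    for entry in tcam:
        if all((pkt[f] & entry[f][1]) == entry[f][0] for f in FIELDS):
            return entry["action"]
    return None

# Constructed sample ACL: deny TCP from 10.1.0.0/16 to one host on ports
# 1024-1030 (three TCAM entries), followed by a match-all permit (one entry).
SAMPLE_ACL = [("deny", "10.1.0.0/16", "192.0.2.10/32", 6, 1024, 1030),
              ("permit", "0.0.0.0/0", "0.0.0.0/0", None, 0, 65535)]
```

Comparing `len(build_tcam(acl))` against the page's approximate 3,000-entry figure gives a quick check of whether a planned rule set still fits the hardware table.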

In the initial release, the contents of the TCAM are common among the multiple line interface modules that a switch may have installed. For example, an HP ProCurve Switch 5406zl may have up to 6 line interface modules, and an HP ProCurve Switch 5412zl may have up to 12 line interface modules.
