Appendix B: Policy Enforcement Engine; Policy Enforcement Engine Benefits - HP ProCurve 3500-24 Reference Manual

Procurve switch 8200zl, 5400zl, 3500, and 6200yl series

Appendix B: Policy Enforcement Engine

The ProVision ASIC architecture used in the HP ProCurve Switch 8200zl, 5400zl, 3500, and 6200yl series
brings a number of advanced capabilities to the network that offer a highly reliable, robust environment that
leads to increased network uptime, keeping overall network costs down. One major feature is the ProVision
Policy Enforcement Engine, which is implemented in the ProVision ASIC of each line interface module.

Policy Enforcement Engine benefits

The Policy Enforcement Engine has several benefits:

• Granular policy enforcement

  The initial software release on these products takes advantage of a subset of the full Policy Enforcement
  Engine capabilities, which will provide a common front end for the user interface to ACLs, QoS, Rate-
  Limiting, and Guaranteed Minimum Bandwidth controls. Fully implemented in later software releases, the
  Policy Enforcement Engine provides a powerful, flexible method for controlling the network environment. For
  example, traffic from a specific application (TCP/UDP port) can be raised in priority (QoS) for some users
  (IP address), blocked (ACL) for some other users, and limited in bandwidth (Rate-Limiting) for yet other users.

  The Policy Enforcement Engine provides fast packet classification to be applied to ACLs and QoS rules, and
  Rate Limiting and Guaranteed Minimum Bandwidth counters. Parameters that can be used include source and
  destination IP addresses, which can follow specific users, and TCP/UDP port numbers and ranges, which are
  useful for applications that use fixed port numbers. Over 14 different variables can be used to specify the
  packets to which ACL, QoS, Rate Limiting, and Guaranteed Minimum Bandwidth controls are to be applied.

• Hardware-based performance

  As mentioned above, the Policy Enforcement Engine is a part of the ProVision ASIC. The packet selection is
  done by hardware at wire speed except in some very involved rule situations. Therefore, very sophisticated
  control can be implemented without adversely affecting the performance of the network.

• Works with Identity Driven Manager

  HP ProCurve Identity Driven Manager (IDM) provides a central point from which to define the policies to
  be applied to each user. The IDM policy requests sent down to the switch are used to set up the user profile
  in the Policy Enforcement Engine, so that the per-user ACL, QoS, and Rate-Limiting parameters are taken from
  the actual policy defined in IDM.

Wire-speed performance for ACLs

At the heart of the Policy Enforcement Engine is a memory area called the Ternary Content Addressable
Memory (TCAM) that is contained within the ProVision ASIC along with the surrounding code for the Policy
Enforcement Engine.

It is this specialized memory area that helps the ProVision ASIC achieve wire-speed performance when
processing ACLs for packets. In fact, multiple passes through the TCAM can be performed for packet sizes that
are typically found in customers' production networks. For the typical network, the average packet size will tend
to be about 500 bytes. When maximum lookups are enabled, the ProVision ASIC performance is optimal for
an average packet length of 200 bytes or more, which includes the range of packet sizes in typical networks.

The TCAM can support approximately 3,000 data entries that may be used to represent various traffic controls,
including ACLs. For most customers, this quantity of entries will be more than adequate to ensure wire-speed
performance for ACL processing. Keep in mind that each ACL entry may consist of multiple criteria, such as a
specific IP address and TCP or UDP port number, and so may occupy more than one TCAM entry.

In the initial release, the contents of the TCAM are common among the multiple line interface modules that
a switch may have installed. For example, an HP ProCurve Switch 5406zl or 8206zl may have up to 6 line
interface modules, and an HP ProCurve Switch 5412zl or 8212zl may have up to 12 line interface modules.
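The two passages above describe the same mechanism from two sides: the classifier matches packets on source/destination IP and TCP/UDP port fields, and the TCAM that does so has a fixed number of entries. The following Python model is an added example, not ProCurve code or anything taken from the manual: it shows how ternary value/mask entries match a packet key, how one ACL-style rule with a port range compiles into several entries (which is why "about 3,000 entries" is not the same as 3,000 rules), and how the appendix's own example policy (one application prioritised for some users, blocked for others, rate-limited for the rest) looks as a table. The key layout, field widths, action names and the sample addresses are all assumptions; the ProVision TCAM's real entry format is not described on this page.

```python
"""Ternary (value/mask) classifier modelling how a TCAM selects packets.

Constructed educational example, not ProCurve code: the ProVision TCAM's real
key layout and entry format are not described in the appendix, so the field
widths, the action names and the sample policy below are all assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Assumed key layout: src IPv4 (32) | dst IPv4 (32) | IP protocol (8) | dst port (16)
SRC_SHIFT, DST_SHIFT, PROTO_SHIFT, PORT_SHIFT = 56, 24, 16, 0


@dataclass(frozen=True)
class TcamEntry:
    value: int    # key bits that must match wherever the mask bit is 1
    mask: int     # 1 = compare this bit, 0 = "don't care" (the third, ternary state)
    action: str   # e.g. "permit", "deny", "qos:priority-6", "rate-limit"
    rule_id: int  # the ACL/QoS rule this entry was compiled from


def port_range_to_prefixes(lo, hi):
    """Split an inclusive port range into (value, mask) 16-bit prefix pairs.

    A TCAM compares bit patterns, so it cannot express "port >= 1024" directly;
    a range costs one entry per aligned power-of-two block it decomposes into.
    """
    out = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside [lo, hi]
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out


def compile_rule(rule_id, action, src=None, dst=None, proto=None, dport=None):
    """Compile one rule into TCAM entries; None means wildcard for that field.

    Only a destination port range fans out into several entries, which is why
    the number of TCAM entries a policy consumes can exceed its number of rules.
    """
    value = mask = 0
    for net, shift in ((src, SRC_SHIFT), (dst, DST_SHIFT)):
        if net is not None:
            n = ipaddress.ip_network(net)
            value |= int(n.network_address) << shift
            mask |= int(n.netmask) << shift
    if proto is not None:
        value |= proto << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    port_parts = [(0, 0)] if dport is None else port_range_to_prefixes(*dport)
    return [TcamEntry(value | (pv << PORT_SHIFT), mask | (pm << PORT_SHIFT), action, rule_id)
            for pv, pm in port_parts]


def make_key(src, dst, proto, dport):
    """Build the lookup key from the packet header fields the engine classifies on."""
    return ((int(ipaddress.ip_address(src)) << SRC_SHIFT)
            | (int(ipaddress.ip_address(dst)) << DST_SHIFT)
            | (proto << PROTO_SHIFT) | (dport << PORT_SHIFT))


def lookup(tcam, key):
    """Hardware compares every entry in parallel and a priority encoder returns
    the lowest-indexed hit; this sequential scan gives the same result."""
    for entry in tcam:
        if key & entry.mask == entry.value & entry.mask:
            return entry
    return None


def build_example_tcam():
    """Constructed policy mirroring the appendix's example: the same application
    (here TCP/5060) prioritised for one user group, blocked for another and
    rate-limited for a third, plus a port-range rule and a catch-all permit."""
    rules = [
        dict(rule_id=10, action="qos:priority-6", src="10.1.10.0/24", proto=6, dport=(5060, 5060)),
        dict(rule_id=20, action="deny",           src="10.1.20.0/24", proto=6, dport=(5060, 5060)),
        dict(rule_id=30, action="rate-limit",     src="10.1.30.0/24", proto=6, dport=(5060, 5060)),
        dict(rule_id=40, action="deny", proto=6, dport=(1024, 65535)),  # expands to 6 entries
        dict(rule_id=999, action="permit"),                              # catch-all, mask 0
    ]
    tcam = []
    for rule in rules:
        tcam.extend(compile_rule(**rule))
    return tcam


def classify(tcam, src, dst, proto, dport):
    """Return (rule_id, action) for a packet, or None if no entry matches."""
    hit = lookup(tcam, make_key(src, dst, proto, dport))
    return (hit.rule_id, hit.action) if hit else None


if __name__ == "__main__":
    table = build_example_tcam()
    print(len(table), "TCAM entries for 5 rules")
    for src_ip in ("10.1.10.5", "10.1.20.5", "10.1.30.5", "10.1.40.5"):
        print(src_ip, "-> TCP/5060:", classify(table, src_ip, "192.0.2.10", 6, 5060))
```

Running the script shows five rules occupying ten entries: the three per-subnet rules take one entry each, the `1024-65535` range takes six, and the catch-all one. The same first-match ordering that the priority encoder provides in hardware is what makes rule order matter when auditing an ACL: a broad `deny` placed above a narrow `permit` silently shadows it.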
