Policy Enforcement Engine Benefits; Wire-Speed Performance For Acls - HP 5400zl Series Technical Overview

Policy Enforcement Engine benefits

The Policy Enforcement Engine has several benefits:
• Granular policy enforcement
The initial software release on these products takes advantage of a subset of the full Policy
Enforcement Engine capabilities, which will provide a common front end for the user interface to
ACLs, QoS, Rate-Limiting, and Guaranteed Minimum Bandwidth controls. Fully implemented in
later software releases, the Policy Enforcement Engine provides a powerful, flexible method for
controlling the network environment. For example, traffic from a specific application (TCP/UDP
port) can be raised in priority (QoS) for some users (IP address), blocked (ACL) for some other
users, and limited in bandwidth (Rate-Limiting) for yet other users.
The Policy Enforcement Engine provides fast packet classification to be applied to ACLs and QoS
rules, and Rate Limiting and Guaranteed Minimum Bandwidth counters. Parameters that can be
used include source and destination IP addresses, which can follow specific users, and TCP/UDP
port numbers and ranges, which are useful for applications that use fixed port numbers. Over 14
different variables can be used to specify the packets to which ACL, QoS, Rate Limiting, and
Guaranteed Minimum Bandwidth controls are to be applied.
• Hardware-based performance
As mentioned above, the Policy Enforcement Engine is part of the ProVision ASIC. Packet
selection is done in hardware at wire speed, except in some very involved rule situations.
Therefore, very sophisticated control can be implemented without adversely affecting the
performance of the network.
• Works with Identity Driven Manager
HP ProCurve Identity Driven Manager (IDM) provides a central point from which to define the
policies applied to each user. The IDM policy requests sent down to the switch are used to set
up the user profile in the Policy Enforcement Engine, so that the per-user ACL, QoS, and
Rate-Limiting parameters are taken from the actual policy defined in IDM.

Wire-speed performance for ACLs

At the heart of the Policy Enforcement Engine is a memory area called the Ternary Content
Addressable Memory (TCAM) that is contained within the ProVision ASIC along with the
surrounding code for the Policy Enforcement Engine.
It is this specialized memory area that helps the ProVision ASIC achieve wire-speed performance
when processing ACLs for packets. In fact, multiple passes through the TCAM can be performed for
packet sizes that are typically found in customers' production networks. For the typical network, the
average packet size will tend to be about 500 bytes. When maximum lookups are enabled, the
ProVision ASIC performance is optimal for an average packet length of 200 bytes or more, which
includes the range of packet sizes in typical networks.
The TCAM can support approximately 3,000 data entries that may be used to represent various traffic
controls, including ACLs. For most customers, this quantity of entries will be more than adequate to
ensure wire-speed performance for ACL processing. Keep in mind that each ACL entry may consist of
multiple criteria such as a specific IP address and TCP or UDP port number.
In the initial release, the contents of the TCAM are common among the multiple line interface modules
that a switch may have installed. For example, an HP ProCurve Switch 5406zl may have up to 6 line
interface modules, and an HP ProCurve Switch 5412zl may have up to 12 line interface modules.
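The following Python model is added here as an illustration; it is not code from the manual or from HP's firmware, and the ProVision ASIC's real TCAM key layout, key width and range handling are not described on this page. It shows the two ideas the section above relies on: ternary (value, care-mask) matching on source/destination address, protocol and port, where the first matching row wins as with a TCAM priority encoder, and the fact that one configured ACL line can occupy several TCAM rows, because a TCP/UDP port range has to be split into aligned power-of-two blocks (the generic prefix-expansion technique, assumed here). The 3,000-row capacity check uses the approximate figure stated in the overview; the sample policy and packets are constructed.

```python
"""Software model of TCAM-style ACL classification.

Constructed illustration only: the ProVision ASIC's actual TCAM key layout and
how it encodes port ranges are not described on the page. The (value, mask)
match and the prefix expansion of a port range are the generic techniques.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Ternary = Tuple[int, int]  # (value, care-mask): only bits set in the mask are compared

TCAM_CAPACITY = 3000  # approximate entry count stated in the overview


@dataclass(frozen=True)
class TernaryEntry:
    src: Ternary
    dst: Ternary
    proto: Ternary
    dport: Ternary
    action: str  # e.g. "deny", "permit", "qos-high"


@dataclass(frozen=True)
class Packet:
    src: int
    dst: int
    proto: int
    dport: int


def ternary_match(field: int, pattern: Ternary) -> bool:
    value, mask = pattern
    return (field & mask) == (value & mask)


def matches(entry: TernaryEntry, pkt: Packet) -> bool:
    return (ternary_match(pkt.src, entry.src) and ternary_match(pkt.dst, entry.dst)
            and ternary_match(pkt.proto, entry.proto) and ternary_match(pkt.dport, entry.dport))


def classify(tcam: List[TernaryEntry], pkt: Packet) -> Optional[str]:
    """First matching row wins, as a TCAM priority encoder does; None if nothing matches."""
    for entry in tcam:
        if matches(entry, pkt):
            return entry.action
    return None


def ipv4_ternary(cidr: str) -> Ternary:
    net = IPv4Network(cidr)
    return int(net.network_address), int(net.netmask)


def port_range_to_ternary(lo: int, hi: int) -> List[Ternary]:
    """Split [lo, hi] into the fewest aligned power-of-two blocks; each block is one (value, mask) row."""
    rows = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        rows.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return rows


def compile_rule(src: str, dst: str, proto: Optional[int],
                 ports: Tuple[int, int], action: str) -> List[TernaryEntry]:
    """One configured ACL line becomes one or more TCAM rows (one per port block)."""
    proto_t = (proto, 0xFF) if proto is not None else (0, 0)  # None means any protocol
    return [TernaryEntry(ipv4_ternary(src), ipv4_ternary(dst), proto_t, p, action)
            for p in port_range_to_ternary(*ports)]


def build_tcam(rules) -> List[TernaryEntry]:
    """Compile all ACL lines in order and refuse a policy that would not fit the TCAM."""
    tcam = [row for rule in rules for row in compile_rule(*rule)]
    if len(tcam) > TCAM_CAPACITY:
        raise ValueError(f"{len(tcam)} rows exceed TCAM capacity of {TCAM_CAPACITY}")
    return tcam


# Constructed sample policy, in the order an administrator would list it.
EXAMPLE_RULES = [
    ("10.1.1.0/24", "192.168.10.5/32", 6, (23, 23), "deny"),         # block telnet to one server
    ("0.0.0.0/0", "192.168.20.0/24", 17, (1024, 65535), "qos-high"),  # prioritise UDP to a subnet
    ("0.0.0.0/0", "0.0.0.0/0", None, (0, 65535), "permit"),           # final permit-all
]


def pkt(src: str, dst: str, proto: int, dport: int) -> Packet:
    return Packet(int(IPv4Address(src)), int(IPv4Address(dst)), proto, dport)


if __name__ == "__main__":
    tcam = build_tcam(EXAMPLE_RULES)
    print(f"{len(EXAMPLE_RULES)} ACL lines -> {len(tcam)} TCAM rows")
    for p in (pkt("10.1.1.7", "192.168.10.5", 6, 23), pkt("10.1.1.7", "192.168.10.5", 6, 22),
              pkt("172.16.0.9", "192.168.20.40", 17, 40000), pkt("172.16.0.9", "192.168.20.40", 17, 53)):
        print(p, "->", classify(tcam, p))
```

Three ACL lines compile to eight TCAM rows here: the single port and the wildcard each take one row, while the range 1024-65535 takes six. This is the arithmetic behind the manual's remark that each ACL entry may consist of multiple criteria, and it is why a wide range written casually in an access list consumes capacity disproportionately. Row order matters as well: because the first match wins, a broad permit placed above a specific deny silently neutralises the deny.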