User Manual

Policy Enforcement Engine
The ProVision ASICs on each line interface module contain the Policy Enforcement Engine. Using an
onboard TCAM, this engine provides fast packet classification for ACLs, QoS, rate limiting, and some
other features. The variables that can be used include source and destination IP addresses (so that
rules can follow specific users) and TCP/UDP port numbers and ranges (so that ACLs can be applied
to an application that uses fixed port numbers or ranges). Over 14 different variables can be used to
specify the packets to which ACL and QoS rules, rate limiting counters, and others are to be applied.
Partially implemented in the initial software release, the Policy Enforcement Engine will provide a
common front end for the user interface to ACLs, QoS, rate limiting, and some other services. In
subsequent software releases for the switches, more features can take advantage of the Policy
Enforcement Engine to provide a powerful, flexible method for controlling the network environment.
For example, traffic from a specific application can be raised in priority for some users, blocked for
some other users, and limited in bandwidth for yet other users. After the Policy Enforcement Engine
has processed it, the header is forwarded to the programmable section of the network switch engine.
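The following is an added example, not HP ProCurve code: a software model of the ternary (value/mask) first-match lookup that a TCAM performs, applied to the policy described above, where one application is prioritized for some users, blocked for others, and rate limited for yet others. The key layout, subnets, port range 5000-5010, action names, default action, and the prefix expansion of port ranges are all assumptions made for illustration and say nothing about how the ProVision hardware encodes its entries.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    value: int   # bits to compare against the key
    mask: int    # 1 = bit must match, 0 = don't care
    action: str

# Key layout (assumed for this sketch): source IPv4 | IP protocol | destination port
def make_key(src_ip: str, proto: int, dport: int) -> int:
    return (int(ipaddress.IPv4Address(src_ip)) << 24) | (proto << 16) | dport

def entry(src_net: str, proto: Optional[int], dport: Optional[int],
          action: str, port_bits: int = 16) -> Entry:
    """One ternary entry; None wildcards a field, port_bits = leading port bits compared."""
    net = ipaddress.IPv4Network(src_net)
    value, mask = int(net.network_address) << 24, int(net.netmask) << 24
    if proto is not None:
        value, mask = value | (proto << 16), mask | (0xFF << 16)
    if dport is not None:
        port_mask = (0xFFFF << (16 - port_bits)) & 0xFFFF
        value, mask = value | (dport & port_mask), mask | port_mask
    return Entry(value, mask, action)

def port_range(src_net: str, proto: int, lo: int, hi: int, action: str) -> list:
    """Split an inclusive port range into power-of-two aligned blocks, one entry each."""
    out = []
    while lo <= hi:
        size = (lo & -lo) or (1 << 16)      # largest block aligned at lo
        while size > hi - lo + 1:           # shrink until it fits inside the range
            size >>= 1
        out.append(entry(src_net, proto, lo, action, 16 - (size.bit_length() - 1)))
        lo += size
    return out

def classify(table: list, key: int, default: str = "permit") -> str:
    """Return the action of the first matching entry (table order is priority)."""
    for e in table:
        if (key ^ e.value) & e.mask == 0:
            return e.action
    return default  # assumption: what unmatched traffic gets is a policy choice

TCP = 6
# Constructed policy: one application on TCP 5000-5010, three user subnets.
TABLE = (port_range("10.1.1.0/24", TCP, 5000, 5010, "priority-high")
         + port_range("10.1.2.0/24", TCP, 5000, 5010, "deny")
         + port_range("10.1.3.0/24", TCP, 5000, 5010, "rate-limit"))
```

Because the first matching entry wins, a narrower exception (for example a single host inside the blocked subnet) only takes effect if it is placed ahead of the broader entry that would otherwise match it.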
Network switch engine programmability
Each ProVision ASIC switch engine contains multiple programmable units, making them truly
Network Processor Units (NPUs). One of the functions of the NPU is to analyze the header of each
packet as it comes into the switch. The packet’s addresses are read, and the switch makes
forwarding decisions based on this analysis. For example, if a packet’s 802.1Q tag needs to be changed
to re-map the packet priority, the ProVision ASIC needs to look at each packet to see if any particular
one needs to be changed. This packet-by-packet processing has to occur very quickly to maintain
overall wire-speed performance – a capability of the ProVision ASICs.
To broaden the flexibility of the ProVision ASICs, their packet processing includes a programmable
function. This NPU function gives the HP ProCurve designers the opportunity to make future changes
or additions to the packet processing features of the ASIC by downloading new software to it.
Thus, new features needing high-performance ASIC processing can be accommodated, extending the
useful life of the switch without the need to upgrade or replace the hardware. In the first release of the
HP ProCurve Switch 5400zl, 3500yl, and 6200yl series, the NPU function within the ProVision ASICs
is totally unused, awaiting future upgrades.
The concept of adding the programmable functionality of the NPU within a switching ASIC was
originally designed and implemented in the popular HP ProCurve Switch 4000M family introduced in
1998. The programmable capability of the HP ProCurve Switch 5300xl was a second-generation
design based on the original HP ProCurve Switch 4000M implementation. The programmable
capability was used to give both the HP ProCurve Switch 4000M and Switch 5300xl new ASIC-related
features well after initial release of those products. The customers’ investments in the HP ProCurve
Switch 4000M and 5300xl are preserved by new functionality not otherwise possible without the ASIC
NPU programmability.
Being based on the HP ProCurve Switch 4000M and 5300xl implementations, the NPU capabilities of
the ProVision ASICs used in the HP ProCurve Switch 5400zl, 3500yl, and 6200yl series are a third-
generation design.
Fabric Interface
After the packet header leaves the programmable section, the header is forwarded to the Fabric
Interface. The Fabric Interface makes final adjustments to the header, based on priority information,
multicast grouping, etc., and then uses this header to modify the actual packet header as necessary.
The Fabric Interface then negotiates with the destination ProVision ASICs for outbound packet buffer
space. If congestion is present on the outbound port, WRED (weighted random early detection) can be
applied at this point as a congestion-avoidance mechanism. Finally, the ProVision ASIC's Fabric
Interface forwards the entire packet through the Fabric-ASIC to an awaiting output buffer on the
ProVision ASIC that controls the outbound port for the packet. Packet transfer from the ProVision
ASICs to the Fabric-ASIC is accomplished using the 28.8 Gbps full-duplex backplane connection, also
managed by the Fabric Interface.