Specifications

Appendix B: Policy Enforcement Engine
The ProVision ASIC architecture used in the ProCurve 6600 Switch Series, 8200zl, 5400zl, 3500yl, and
6200yl Series brings a number of advanced capabilities to the network. These capabilities provide a highly
reliable, robust environment that increases network uptime and keeps overall network costs down. One major
feature is the ProVision Policy Enforcement Engine, which is implemented in the ProVision ASIC of each interface module.
Policy Enforcement Engine benefits
The Policy Enforcement Engine has several benefits.
Granular policy enforcement
The initial software release on these products takes advantage of a subset of the full Policy Enforcement Engine
capabilities, providing a common front end for the user interface to ACLs, QoS, Rate-Limiting, and
Guaranteed Minimum Bandwidth controls. When fully implemented in later software releases, the Policy Enforcement
Engine provides a powerful, flexible method for controlling the network environment. For example, traffic from
a specific application (TCP/UDP port) can be raised in priority (QoS) for some users (IP address), blocked (ACL)
for other users, and limited in bandwidth (Rate-Limiting) for still other users.
The Policy Enforcement Engine provides fast packet classification to be applied to ACLs and QoS rules and
Rate-Limiting and Guaranteed Minimum Bandwidth counters. Parameters that can be used include source and
destination IP addresses, which can follow specific users, and TCP/UDP port numbers and ranges, which are
useful for applications that use fixed-port numbers. More than 14 different variables can be used to specify the
packets to which ACL, QoS, Rate-Limiting, and Guaranteed Minimum Bandwidth controls are to be applied.
Hardware-based performance
As mentioned earlier, the Policy Enforcement Engine is a part of the ProVision ASIC. Packet selection is
done by hardware at wire speed, except for some very complex rule combinations. Therefore, very sophisticated
control can be implemented without adversely affecting the performance of the network.
Works with HP ProCurve Data Center Connection Manager ONE
HP Data Center Connection Manager ONE provides the centralized automation based on predetermined
server connection profiles that define network requirements for each physical and virtual server. The Data
Center Connection Manager ONE subscription request is sent down to the individual switch port and is used
to set up a server profile in the Policy Enforcement Engine so that the per-VM ACL, QoS, and Rate-Limiting
parameters can be used from the actual policy defined in Data Center Connection Manager ONE.
Wire-speed performance for ACLs
At the heart of the Policy Enforcement Engine is a memory area called the Ternary Content Addressable
Memory (TCAM) that is contained within the ProVision ASIC, along with the surrounding code for the Policy
Enforcement Engine.
It is this specialized memory area that helps the ProVision ASIC achieve wire-speed performance when
processing ACLs for packets. In fact, multiple passes through the TCAM can be performed for the packet sizes
typically found in customers’ production networks. In a typical network, the average packet size will tend
to be about 500 bytes. When maximum lookups are enabled, ProVision ASIC performance is optimal for
an average packet length of 200 bytes or more, which covers the range of packet sizes in typical networks.
The TCAM can support approximately 3,000 data entries that may be used to represent various traffic controls,
including ACLs. For most customers, this quantity of entries will be more than adequate to provide wire-speed
performance for ACL processing. Keep in mind that each ACL entry may consist of multiple criteria, such as a
specific IP address and TCP or UDP port number.
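As an added illustration that is not HP's code, the following Python models how ACL, QoS and Rate-Limiting rules built from the criteria described above (source/destination IP address, protocol, TCP/UDP port or port range) become ternary value/mask entries and how a priority-ordered first-match lookup classifies a packet. The entry budget of 3,000 comes from this page; the range-to-prefix expansion, the rule names and addresses, and the "default" result for unmatched packets are assumptions for the example, not a description of how the ProVision ASIC stores or evaluates entries.

```python
import ipaddress
from dataclasses import dataclass

TCAM_CAPACITY = 3000  # approximate entry count stated for the ProVision ASIC TCAM


@dataclass(frozen=True)
class TcamEntry:
    """One ternary entry: each field is (value, mask); bits whose mask is 0 are 'don't care'."""
    src: tuple
    dst: tuple
    proto: tuple
    dport: tuple
    action: str


def prefix_field(cidr: str) -> tuple:
    """Turn a CIDR prefix into a (value, mask) pair over the 32-bit address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.netmask)


def range_to_prefixes(lo: int, hi: int, bits: int = 16) -> list:
    """Split an inclusive port range into the minimal set of aligned (value, mask) prefixes.
    Standard range-to-prefix expansion for ternary memories (assumption: the page does not
    say how the ASIC stores ranges). Each prefix costs one TCAM entry."""
    out = []
    while lo <= hi:
        size = 1
        while (lo & (size * 2 - 1)) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, ((1 << bits) - 1) & ~(size - 1)))
        lo += size
    return out


def compile_rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dports=(0, 65535)):
    """Expand one rule with several criteria into the TCAM entries it consumes."""
    p = (proto, 0xFF) if proto is not None else (0, 0)  # mask 0 == any protocol
    return [TcamEntry(prefix_field(src), prefix_field(dst), p, dp, action)
            for dp in range_to_prefixes(*dports)]


def build_tcam() -> list:
    """Constructed sample policy: voice QoS, a Telnet block, and a high-port rate limit."""
    rules = [compile_rule("qos-priority-7", src="10.1.1.0/24", proto=17, dports=(5060, 5061)),
             compile_rule("deny", src="10.2.0.0/16", proto=6, dports=(23, 23)),
             compile_rule("rate-limit-10M", proto=6, dports=(1024, 65535))]
    tcam = [entry for rule in rules for entry in rule]
    if len(tcam) > TCAM_CAPACITY:
        raise ValueError(f"policy needs {len(tcam)} entries, TCAM holds {TCAM_CAPACITY}")
    return tcam


def classify(tcam, src, dst, proto, dport) -> str:
    """Priority-encoded lookup: the first entry whose masked fields all match wins."""
    fields = (int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), proto, dport)
    for e in tcam:
        if all((v & m) == val for (val, m), v in zip((e.src, e.dst, e.proto, e.dport), fields)):
            return e.action
    return "default"  # assumed: what an unmatched packet gets is a configuration choice
```

Counting `len(build_tcam())` shows that the single port-range rule costs six entries while each single-port rule costs one, which is why a rule's criteria, not just the number of rules, determine TCAM consumption.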