Better understanding of capacity of Aruba mobility switches required.

  • 1.  Better understanding of capacity of Aruba mobility switches required.

    Posted Dec 04, 2014 02:14 AM
    Being an 'old fashioned' network guy I am used to switches offloading traffic flows to ASICs for performance reasons. My current understanding is the Aruba mobility switches support layer 2 switching (presumably in a similar fashion) but also support tunnelling protocols such as GRE and, more of interest to myself, IPSEC. Is the encryption element in IPSEC offloaded to dedicated hardware in the device? And, assuming I have understood the product at this very basic level, what would be the rated throughput on such a device for IPSEC tunnels from a device like this? Or would the encryption function take a proportion of resource from shared CPU also used for management and control plane? If so how is the control plane policed for protection of the control plane? Also regarding stateful inspection, is that done on dedicated hardware, and how does it do deep packet inspection, if at all? Thanks!


  • 2.  RE: Better understanding of capacity of Aruba mobility switches required.

    Posted Dec 08, 2014 12:42 AM

    Nik,

     

     On Aruba Mobility Access Switch (MAS):

    * IPSec packet encryption/decryption is done in hardware.

     

    * And further these IPSec/VPN packets are software processed for deep packet inspection & session handling.

     

    * And to provide the control plane protection (to CPU), there is a rate limit of 40K PPS (packets per second). This will prevent any possibility of CPU hogging by just one type of traffic (this way traffic is policed for control plane protection).

     

    * Which means, coming to your question on throughput: Depending on the packet size(s), you can get varying throughput numbers:

    With 64 byte packets       :     ~20 Mbps

    With 1500 byte packets   :   ~480 Mbps

     

    Rgds,

    -Vinay



  • 3.  RE: Better understanding of capacity of Aruba mobility switches required.

    Posted Dec 08, 2014 02:19 AM
    Thanks for the answer. Very thorough indeed! Do you have like an IMIX benchmark result for those throughput stats and would a mobility controller get better throughput than this? These mobility switches always struck me as being based on the same hardware architecture as the mobility controllers?


  • 4.  RE: Better understanding of capacity of Aruba mobility switches required.

    EMPLOYEE
    Posted Dec 10, 2014 09:04 PM

    Nik,

    We are currently running new performance tests based upon recent code changes and once they are ready we can send them your way.

     

    Mobility Controllers do have better software forwarding performance than the Mobility Access Switches given their architecture. They are actually different.

     

    The Mobility Switches are based around a switching ASIC in which the majority of the L2/L3 is done in hardware so we get wirespeed switching and routing. Only traffic requiring stateful Firewall, NAT and VPN is directed to a multi-core processor for "session-processing".

     

    The Mobility Controllers on the other hand always have their traffic sent through a multi-core processor and as such have higher capacity CPUs so they can scale from X Gbps to XX Gbps depending on the model.

     

    Another way to look at it is that the software forwarding features of the Mobility Access Switch are designed for small branch deployments while Mobility Controllers can scale from small branch deployment up through large campus designs.

     

    Best regards,

     

    Madani