Wired Intelligent Edge (Campus Switching and Routing)

Regular Contributor I

Better understanding of capacity of Aruba mobility switches required.

Being an 'old fashioned' network guy I am used to switches offloading traffic flows to ASICs for performance reasons. My current understanding is the Aruba mobility switches support layer 2 switching (presumably in a similar fashion) but also support tunnelling protocols such as GRE and, more of interest to myself, IPSEC. Is the encryption element in IPSEC offloaded to dedicated hardware in the device? And, assuming I have understood the product at this very basic level, what would be the rated throughput on such a device for IPSEC tunnels from a device like this? Or would the encryption function take a proportion of resource from shared CPU also used for management and control plane? If so, how is the control plane policed for protection of the control plane? Also regarding stateful inspection, is that done on dedicated hardware, and how does it do deep packet inspection, if at all? Thanks!
Aruba Employee

Re: Better understanding of capacity of Aruba mobility switches required.



 On Aruba Mobility Access Switch (MAS):

* IPSec packet encryption/decryption is done in hardware.


* And further these IPSec/VPN packets are software processed for deep packet inspection & session handling.


* And to provide the control plane protection (to CPU), there is a rate limit of 40K PPS (packets per second). This will prevent any possibility of CPU hogging by just one type of traffic (this way traffic is policed for control plane protection).


* Which means, coming to your question on throughput: Depending on the packet size(s), you can get varying throughput numbers:

With 64 byte packets: ~20 Mbps

With 1500 byte packets: ~480 Mbps




Regular Contributor I

Re: Better understanding of capacity of Aruba mobility switches required.

Thanks for the answer. Very thorough indeed! Do you have like an IMIX benchmark result for those throughput stats and would a mobility controller get better throughput than this? These mobility switches always struck me as being based on the same hardware architecture as the mobility controllers?

Re: Better understanding of capacity of Aruba mobility switches required.


We are currently running new performance tests based upon recent code changes and once they are ready we can send them your way.


Mobility Controllers do have better software forwarding performance than the Mobility Access Switches given their architecture. They are actually different.


The Mobility Switches are based around a switching ASIC in which the majority of the L2/L3 is done in hardware so we get wirespeed switching and routing. Only traffic requiring stateful Firewall, NAT and VPN is directed to a multi-core processor for "session-processing".


The Mobility Controllers on the other hand always have their traffic sent through a multi-core processor and as such have higher capacity CPUs so they can scale from X Gbps to XX Gbps depending on the model.


Another way to look at it is that the software forwarding features of the Mobility Access Switch are designed for small branch deployments while Mobility Controllers can scale from small branch deployment up through large campus designs.


Best regards,


