topic Re: Performance Tuning Tip – Lightspeed Appliance in General Topics

Performance Tuning Tip – Lightspeed Appliance

HeikoAnkenbrand — Thu, 17 Feb 2022 08:02:19 GMT

Lightspeed Overview

The new Quantum Lightspeed firewalls (QLS250, QLS 450, QLS 650, QLS 800) are much better in performance because they use NVIDIA ASIC's on ConnectX NIC’s with accelerated packet processing technology.

Faster firewall security at line-rate speed

- 250 to 800 Gbps Hyper-Fast througput
- Ultra low latency at 3us (10 x faster as GAIA software)
- Scalability up to 3 Tbps with Maestro (MLS 200, MLS 400 - available Q2/2022)
- Acceleration of elephant flows

Lightspeed Design

Only traffic on the same NVIDIA network card can be accelerated by Lightspeed.

Network traffic between different network cards cannot be accelerated by Lightspeed (uses regular flow and speed).

An important point at the moment is that only firewall traffic can be optimised via Lightspeed on the same network card. As soon as traffic has to be analysed by F2F path or PSLXL path - for example by the IPS blade - the connection is not optimised by Lightspeed.

Security Gateway does not support these features when you install a NVIDIA 2-port 100G Card:

- ClusterXL in the Load Sharing mode or Active-Active mode.
- VSX mode
- SecureXL Drop Templates (see sk153832).
- VRRP Cluster.
- Rate Limiting rules for DoS Mitigation configured with the commands 'fwaccel dos deny' and 'fwaccel dos allow' (see sk112454).

How does it work?

1) First packet in every connection validated by security policy check in the CoreXL instance.

2) Approved traffic flow offloaded to Quantum Lightspeed ASIC via rte_flow API

3) Subsequent packetes are secured by accelerated packet processing via NVIDIA ASIC

NVIDIA accelerated packet processing supports the following features on ASIC:
- TCP state validation
- Tunneling and NAT support
- Header validation
- Accelerated firewall packet flow

Re: Performance Tuning Tip – Lightspeed Appliance

Rasputin — Thu, 17 Feb 2022 05:26:21 GMT

We plan to use Lightspeed applications in the data centre in the future. Can the traffic also be accelerated between two NVIDIA network cards through Lightspeed?

Re: Performance Tuning Tip – Lightspeed Appliance

HeikoAnkenbrand — Thu, 17 Feb 2022 07:30:04 GMT

Hi @Rasputin,

Lightspeed optimization is not possible between two NVIDIA network cards.
For acceleration, both 100Gbps interfaces must be on one network card.

Re: Performance Tuning Tip – Lightspeed Appliance

Joschua_M — Fri, 18 Feb 2022 07:32:37 GMT

When will the QLS applications be available from the distribution?

Re: Performance Tuning Tip – Lightspeed Appliance

HeikoAnkenbrand — Mon, 21 Feb 2022 07:09:35 GMT

According to the price list, the QLS appliances should be available from 01 February 2022.

Re: Performance Tuning Tip – Lightspeed Appliance

Tobias_L — Thu, 24 Feb 2022 08:00:46 GMT

Very interesting information!

Re: Performance Tuning Tip – Lightspeed Appliance

Václav_Brožík — Thu, 24 Feb 2022 08:59:22 GMT

Very nice summary. Thank you.

I would also add (from what I have learned on a presentation):

- Header validation is currently up to L4

- In development there is acceleration of inspection layers above L4.

- size of the card - The card is double width and occupies two slots (though careful reader will notice this on the pictures).

- Interface bonding between two cards will not guarantee the acceleration. - Currently there is no mechanism implemented to ensure that the inbound and outbound frames of one connection will be on the same card but it is in preparation (smart bonding).