Performance Tuning Tip – Lightspeed Appliance

Lightspeed Overview

The new Quantum Lightspeed firewalls (QLS250, QLS450, QLS650, QLS800) are much better in performance because they use NVIDIA ASICs on ConnectX NICs with accelerated packet processing technology.

Faster firewall security at line-rate speed

- 250 to 800 Gbps Hyper-Fast throughput
- Ultra low latency at 3us (10x faster than GAIA software)
- Scalability up to 3 Tbps with Maestro (MLS 200, MLS 400 - available Q2/2022)
- Acceleration of elephant flows

Lightspeed Design

Only traffic on the same NVIDIA network card can be accelerated by Lightspeed.
Network traffic between different network cards cannot be accelerated by Lightspeed (uses regular flow and speed).
An important point at the moment is that only firewall traffic can be optimised via Lightspeed on the same network card. As soon as traffic has to be analysed by the F2F path or the PSLXL path - for example by the IPS blade - the connection is not optimised by Lightspeed.

Security Gateway does not support these features when you install an NVIDIA 2-port 100G Card:

- ClusterXL in the Load Sharing mode or Active-Active mode.
- VSX mode.
- SecureXL Drop Templates (see sk153832).
- VRRP Cluster.
- Rate Limiting rules for DoS Mitigation configured with the commands 'fwaccel dos deny' and 'fwaccel dos allow' (see sk112454).

How does it work?

1) The first packet in every connection is validated by the security policy check in the CoreXL instance.

2) The approved traffic flow is offloaded to the Quantum Lightspeed ASIC via the rte_flow API.

3) Subsequent packets are secured by accelerated packet processing via the NVIDIA ASIC.

NVIDIA accelerated packet processing supports the following features on the ASIC:
- TCP state validation
- Tunneling and NAT support
- Header validation
- Accelerated firewall packet flow

We plan to use Lightspeed applications in the data centre in the future. Can the traffic also be accelerated between two NVIDIA network cards through Lightspeed?

Hi @Rasputin,

Lightspeed optimization is not possible between two NVIDIA network cards.
For acceleration, both 100Gbps interfaces must be on one network card. 


When will the QLS applications be available from the distribution?

According to the price list, the QLS appliances should be available from 01 February 2022.

Very interesting information!

Very nice summary. Thank you.

I would also add (from what I have learned at a presentation):

- Header validation is currently up to L4

- In development there is acceleration of inspection layers above L4.

- Size of the card: the card is double width and occupies two slots (though a careful reader will notice this in the pictures).

- Interface bonding between two cards will not guarantee the acceleration. Currently there is no mechanism implemented to ensure that the inbound and outbound frames of one connection will be on the same card, but it is in preparation (smart bonding).

