The Network\'s IN the (virtualised) Server: Virtualized Io In Heterogeneous Multicore Architectures

$: The Network\'s IN the (virtualised) Server: Virtualized Io In Heterogeneous Multicore Architectures$
Vi t li d I/O i H tVirtualized I/O in Heterogeneous Multicore Architectures

Scaling x86 embedded designs to 40 Gbps and beyondScaling x86 embedded designs to 40 Gbps and beyond

Daniel ProchDirector Product ManagementDirector, Product Management

and Field Applications [email protected]

Linley Tech Spring ConferenceMay 18-19, 2010 – San Jose, CA

© Netronome Systems Inc MMX

Next-Generation Computing Trends

• Network and security application vendors need to scale performance with embedded multicore IA/x86

• Virtualization is seen as the key to the convergence of networking andthe convergence of networking and computing in the data center

• Networking functionality collapsing• Networking functionality collapsing into servers from discrete devices in data centers

A new processing paradigm is required to support these t d d l 86 t t 40 Gb d b dtrends and scale x86 systems to 40 Gbps and beyond

2© Netronome Systems Inc MMX

Network Virtualization• Virtualized networks have been around for years• Allows a single set of physical resources to be shared

amongst a diverse group of users

Access Services

amongst a diverse group of users • With isolation, performance guarantees and security

Eth t VLANAggregation

Edge Backbone

xDSL

GigE

DSLAM

Se ces

Voice

• Ethernet VLANs• IP Sec VPNs• SSL VPNs g

IPMSAN

WWW• MPLS, RFC2547• Frame Relay• ATM

FRATM

• PWE3

Video


Server Virtualization• For data center consolidation, a single physical machine

supports multiple guest OSsI th ffi i d il bilit f d• Improves the efficiency and availability of resources and applications

• The “one server, one application” model is goneThe one server, one application model is gone


Data Center Collapse• With applications uniquely tied to

physical server resources, net-working happened outside the g ppserver

• L2/L3 switching• Network security y• Load balancers to spread traffic

across hosting platforms

Changing the ratio of applications to servers changes the way we need to architect products for the data center

5

architect products for the data center


Virtualized Networking in x86 Need a

virtualized

• Multicore servers support many applications per

network in here!

many applications per physical device (whether virtualized or not)

• Networking functionality must now collapse inside the server

• Packet classification• Packet classification• Flow based load balancing• Active flow state and flow pinning• L2 switching• L2 switching • L3 forwarding• QoS

868686x86 serverx86 serverx86 server


x86 Networking Performance • Multicore x86 creates bottlenecks• Not optimized for network and

security processingsecurity processing• Processing done in “software”• Packet interrupt handling wastes CPU• Poor small packet performance

NFE

• Poor small packet performance• High power consumption

Load balancer

L2 S it hClassifier x86 server

L2 switchClassifierFlow Sate

L2 SwitchClassifier Flow State

x86 server


Enter I/O Virtualization• Hardware based network and security

processing in network flow processors• Workload-optimized NFPs and x86

VMVM

pprocessors are linked

• Efficient delivery of data to VMs at high rates (20+ Gbps)

NFEVM

VMVM

• High-performance, virtualization-aware communications path

• Zero-copy data delivery to virtual end VM

VM

pointsLoad balancer

IOV - the final link between

L2 switchClassifierFlow Sate

IOV the final link between virtualized networks, flow processors and general-purpose multicore x86 x86 serverFlow Satepurpose multicore x86


Comparing IOV Implementation OptionsIOV with multi-queue devicesSoftware IO Virtualization

• All traffic passes through management VM

• Multiplexing occurs inhardwarea age e t

• Multiplexing (and demux) in software

a d a e• Packets still traverse

management VM (adds latency)

9

• Poor performance and latency latency)


Netronome Enhanced IOV

• PCI device direct assignment

Guest VMs can directly• Guest VMs can directly access hardware devices

• Eliminates IOV overheads

• Netronome IOV solution is SR-IOV-compliantis SR-IOV-compliant while providing flexible device support • Dumb NIC• Dumb NIC• Intelligent NIC• Crypto NIC or • Packet Capture (pcap) NIC• Packet Capture (pcap) NIC


• Application/control plane processing

• Deep packet inspection• Content inspection, behavioral heuristics,

forensics, PCREforensics, PCRE

• L2-L7 classification• Stateful flow processing

• Cryptography• PKI operations

• Flow-based load balancing• L2 switching to VMsL2 switching to VMs

• L2-L4 packet classification• Packet-based load balancing g

• Physical InterfacesI t t d b l

11

• Integrated bypass relays


Deep Packet InspectionIn a heterogeneous multicore architecture

• Packets are classified on ingress

• Sent to x86 for DPI processingp g

• Results in application or protocol awarenessNew classification rule• New classification rule programmed to NFP for each flow


Reduction in CPU Utilization

• Up to 80% of the total CPU resources are dedicated to packet I/O with systems using standard adapters

• Leaves only 20% of CPU resources for application processingN t k fl b d• Network flow-based coprocessors give a 3-5xincrease in available CPU resourcesresources

Kernel CPU cycle useKernel CPU cycle use and interrupts are

significantly reduced


20 Gbps IPS Application Performance

•Computationally intense iprocessing

•~4000 PCRE rules•Variable packet sizes•Variable protocol mix• Inline measurements


Heterogeneous MulticoreMulticore

Processing ArchitectureArchitecture


www netronome comwww.netronome.com


Backup


NFP-3200 Summary• High performance

• 40 cores @ 1.4 GHz• 1,800 instructions / packet at 30M pps• 20 Gbps of packet, flow, and content

processing• I/O virtualization

• PCIe Gen2 with SR-IOV supportpp• Highly integrated design

• 20Gbps of line-rate security/crypto• Integrated MAC, PKI, PCIe, Interlaken, ARM

• Unmatched ease of use• Proven tools, software development kit,

product-ready software, reference platforms

40 – 100G Gbps Network

Flow Processor18© Netronome Systems Inc MMX

Netronome Network Flow EngineNFE-3240NFE 3240

• 20Gbps of line rate packet processing per NFE• 6x1GigE, 2x10GigE (SPF+), netmod interfacesg , g ( ),• PCIe Gen2 (8 lanes)• Nanosecond packet timestamping• Hardware cryptography supporta d a e c yptog ap y suppo t• Flexible/configurable memory options• TCAM based traffic filtering• Virtualized Linux drivers via SR-IOVVirtualized Linux drivers via SR IOV• Hardware-based stateful flow management• Dynamic flow-based load balancing to x86

Highly programmable, intelligent acceleration cards for network security appliances and serverscards for network security appliances and servers


World's Highest Performance Appliance PlatformO• Intelligent Network Optimized Virtualization Adapters

• 20 Gbps PCIe cards

• Flow processing solutions up to 200Gbps• Pluggable front facing I/O• Three layers of packet, flow and application processing

• Open APIs for application accelerationp pp• Snort, Bro, ntop, switching / routing• Custom applications

• Up to 200 Gbps minimum sized• Up to 200 Gbps minimum sized packet performance for network and security applications!

• Highest performance solution per $$$$$ in the world!pe $$$$$ t e o d


The Network\'s IN the (virtualised) Server: Virtualized Io In Heterogeneous Multicore Architectures

Documents

Transcript of The Network\'s IN the (virtualised) Server: Virtualized Io In Heterogeneous Multicore Architectures