Tunnel Acceleration Behavior
Understand tunnel acceleration as it relates to tunnel content inspection.
The following sections provide background information about GTP-U, GRE, and VXLAN tunnel acceleration, which may be helpful to know before you decide to Disable Tunnel Acceleration.
GTP-U
Criteria that must be met before GTP tunnel acceleration is enabled:
- Generic tunnel acceleration is enabled under (in General Settings, Tunnel Acceleration is checked).
- GTP Security is enabled under (in General Settings, GTP Security is checked).
- No Tunnel Inspection policy rule with GTP-U protocol is enabled.
- After you commit the configuration, you must reboot to load the GTP-U parser program.
Criteria for identifying GTP-U packets in hardware:
- UDP destination port is 2152.
- GTP.version is 1 and GTP.protocol_type is 1.
How tunnel acceleration alters the flow ID:
Benefits of GTP-U Tunnel Acceleration
If GTP-U acceleration is enabled, the main benefit occurs if there is a lot of tunneled traffic that can be offloaded. A large percentage of GTP traffic is sourced from mobile devices and is mostly web traffic, which won’t be offloaded when the inner payload is inspected.
The GTP Security feature is fully functional without acceleration and the performance benefit is tied to the amount of inner payload traffic that can be offloaded by the hardware. For example, anything that would normally get marked as L7 complete will be offloaded and handled solely in hardware as an inner application inside of GTP.
GRE
Criterion for tunnel acceleration taking effect with GRE:
- Generic tunnel acceleration is enabled under (in General Settings, Tunnel Acceleration is checked).
Criterion for identifying GRE packets in hardware:
How tunnel acceleration alters the flow ID:
- Flow key is the same with and without tunnel acceleration.
Benefits of GRE Tunnel Acceleration
- With TCI: GRE passthrough traffic will see approximately 30% increase in performance in flow handling with tunnel acceleration compared to the same traffic without tunnel acceleration.
- Without TCI: There is no performance impact for GRE traffic when disabling tunnel acceleration if no tunnel content inspection (TCI) policies are being used.
VXLAN
Criterion for tunnel acceleration taking effect with VXLAN:
- Generic tunnel acceleration is enabled under (in General Settings, Tunnel Acceleration is checked).
Criterion for identifying VXLAN packets in hardware:
- UDP destination port is 4789.
What is changed:
- UDP destination port is changed to VXLAN network identifier (VNI) value from VXLAN header.
- Encoding is changed to 2.
Benefits of VXLAN Tunnel Acceleration
- Generic: Fewer session resources consumed because we need only the VNI session and not the outer VXLAN UDP session. For VXLAN, we will parse the VXLAN header to extract the VNI and use the VNI to derive a unique flow ID for each VNI within a VXLAN tunnel.
- With TCI: VXLAN passthrough traffic will see approximately 30% increase in performance in flow handling with tunnel acceleration compared to the same traffic without tunnel acceleration.
- Without TCI: Even without TCI, we will see approximately 10% improvement in performance in flow handling with tunnel acceleration compared to the same traffic without tunnel acceleration. The different flow ID could cause flows to be placed on different dataplanes and thus cause a difference in how the load of a single VXLAN tunnel is distributed for the various VNIs that would be passed in the tunnel. Unless there are VXLAN flows with several VNIs, the performance impact will be mostly negligible.
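The identification criteria and the VXLAN flow ID change described above, as an added Python model that is not the vendor's implementation. The flow key layout, the function names and the sample addresses, ports and VNIs are assumptions constructed for illustration; the VNI offset follows the standard VXLAN header (RFC 7348).

```python
import struct

GTPU_PORT, VXLAN_PORT = 2152, 4789  # UDP destination ports named on this page

def classify(udp_dport: int, payload: bytes) -> str:
    """Apply the page's hardware identification criteria to one UDP datagram."""
    if udp_dport == GTPU_PORT and len(payload) >= 8:
        version = payload[0] >> 5            # top 3 bits of the first GTP octet
        proto_type = (payload[0] >> 4) & 1   # PT bit: 1 = GTP, 0 = GTP'
        if version == 1 and proto_type == 1:
            return "gtp-u"
    if udp_dport == VXLAN_PORT and len(payload) >= 8:
        return "vxlan"
    return "other"

def vxlan_vni(payload: bytes) -> int:
    """24-bit VNI from bytes 4..6 of the 8-byte VXLAN header (RFC 7348)."""
    return struct.unpack("!I", payload[4:8])[0] >> 8

def flow_key(src, dst, sport, dport, payload, accel):
    """Simplified model of the flow key (assumed layout, not the vendor's)."""
    if accel and classify(dport, payload) == "vxlan":
        # Per the page: destination port replaced by the VNI, encoding set to 2.
        return (src, dst, "udp", sport, vxlan_vni(payload), 2)
    return (src, dst, "udp", sport, dport, None)  # encoding value not stated on the page

def vxlan_hdr(vni):
    """Constructed sample header: I flag set, reserved bits zero."""
    return struct.pack("!II", 0x08 << 24, vni << 8)

def demo():
    outer = ("192.0.2.1", "192.0.2.2", 49152, VXLAN_PORT)  # constructed tunnel endpoints
    a, b = vxlan_hdr(100), vxlan_hdr(200)                  # two VNIs in one outer tunnel
    return {
        "off_same": flow_key(*outer, a, False) == flow_key(*outer, b, False),
        "on_same": flow_key(*outer, a, True) == flow_key(*outer, b, True),
        "key_on": flow_key(*outer, a, True),
        "gtp_v1": classify(GTPU_PORT, bytes([0x30, 0xFF, 0, 0, 0, 0, 0, 1])),
        "gtp_v2": classify(GTPU_PORT, bytes([0x48, 0x20, 0, 0, 0, 0, 0, 1])),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With acceleration off, both VNIs collapse into one outer UDP session key; with it on, each VNI gets its own key, which is why a tunnel carrying several VNIs can be spread across dataplanes.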