Topology for Testing SDN Policy Offload Reference Pipeline - UG1668

SDN Policy Offload Reference Pipeline User Guide (UG1668)

Document ID: UG1668
Release Date: 2024-02-15
Revision: 1.1 English

This section describes two topologies for testing the architecture.

Single DSC Topology

Figure 1 shows a single Distributed Services Card (DSC) topology used for testing the architecture. The VXLAN packets are sent from workload-1 (WL-1), which creates an initiator flow (iflow) for the inner IP and a responder flow (rflow) for the reverse path from workload-2 (WL-2). An unencapsulated IP packet is returned so that the existing rflow is hit and the packet is forwarded or dropped based on policy and route evaluation.

Figure 1. Single DSC Topology for Testing
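
The single DSC exchange described above can be modelled offline. The following is an added example, not code from the user guide or the reference P4 program. It assumes the flow key is the inner 5-tuple with the VNI ignored, uses a hypothetical `FlowTable` class, and uses constructed addresses and ports. It shows the VXLAN packet from WL-1 installing the iflow/rflow pair and the unencapsulated reply hitting the rflow.

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP destination port

def ipv4_udp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4/UDP packet (checksums zeroed; constructed test data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + udp

def vxlan_encap(inner, vni, vtep_src, vtep_dst):
    """Wrap an inner IPv4 packet in inner Ethernet + VXLAN + outer UDP/IPv4."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)   # I flag set, 24-bit VNI
    return ipv4_udp(vtep_src, vtep_dst, 49152, VXLAN_PORT, vxlan + eth + inner)

def flow_key(pkt):
    """Decapsulate VXLAN if present and return the inner 5-tuple (assumed key)."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if pkt[9] == 17 and dport == VXLAN_PORT:
        return flow_key(pkt[ihl + 8 + 8 + 14:])        # skip UDP, VXLAN, inner Ethernet
    src, dst = (str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (12, 16))
    return (src, dst, pkt[9], sport, dport)

class FlowTable:
    """Hypothetical session table: first packet installs iflow and rflow together."""
    def __init__(self):
        self.flows = {}

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.flows:
            return self.flows[key]                     # "iflow" or "rflow" hit
        src, dst, proto, sport, dport = key
        self.flows[key] = "iflow"
        self.flows[(dst, src, proto, dport, sport)] = "rflow"
        return "miss"

def single_dsc_test():
    """WL-1 sends VXLAN; WL-2 answers unencapsulated; a stray packet misses."""
    table = FlowTable()
    inner = ipv4_udp("10.0.1.10", "10.0.2.20", 40000, 5001, b"probe")
    first = table.process(vxlan_encap(inner, 100, "192.0.2.1", "192.0.2.2"))
    reply = table.process(ipv4_udp("10.0.2.20", "10.0.1.10", 5001, 40000, b"ack"))
    stray = table.process(ipv4_udp("10.0.2.20", "10.0.1.10", 5001, 40001))
    return first, reply, stray
```

A return packet whose 5-tuple does not mirror the initiator's (the `stray` case) misses the rflow, so in this model it would go through full policy and route evaluation as a new flow.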

Dual DSC Topology

Figure 2 shows a dual DSC topology. Two DSCs are connected back-to-back using port Eth1/2. The other uplink ports of DSC1 and DSC2 (Eth1/1) are connected to Ixia traffic generator ports 1 and 2, respectively. The SDN Policy Offload reference P4 program runs on both DSCs.

DSC-1, based on a permitted security policy and route LPM lookup, routes IP traffic from port-1 to DSC-2 via port Eth1/2.

DSC-2, based on a permitted security policy and LPM route evaluation, forwards the IP packet to Ixia port-2. For performance analysis, traffic should be started and run symmetrically from Ixia port-1 and port-2 to test bidirectional throughput.

Figure 2. Dual DSC Topology for Testing