GTP Traffic with TEID Distribution and SWRSS
Overview GTP Traffic Distribution with TEID Distribution and SWRSS
This topic provides an overview of the asymmetric fat tunnel solution for GTP traffic with TEID distribution and SWRSS.
With the TEID-based hash distribution feature, GTP packets are distributed to the flow threads according to a hash value calculated from the TEID. The hash algorithm is the same as the one used for GTP distribution in the flow module, which ensures that GTP packets are not reinjected in the flow process.
There is a 4-byte field inside the GTP payload called the tunnel endpoint identifier (TEID), which is used to identify different connections in the same GTP tunnel.
A fat GTP tunnel carries data from different users. IPsec tunnels on the security gateway can become fat tunnels because of the fat GTP tunnel. vSRX Virtual Firewall can create one GTP session carrying high-bandwidth GTP traffic. However, the throughput is limited to the performance of one processor core.
If you use TEID-based hash distribution for creating GTP-U sessions, then you can:
Enable vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 instances to process asymmetric fat tunnels for parallel encryption on multiple cores for one tunnel.
Split a fat GTP session into multiple sessions and distribute them to different cores. This helps to increase the bandwidth for a fat GTP tunnel.
TEID-based hash distribution creates GTP-U sessions on multiple cores. The clear-text traffic acts as a fat GTP tunnel. This allows a fat GTP session to be split into multiple slim GTP sessions that are handled on multiple cores simultaneously.
GTP Traffic Performance with TEID Distribution and SWRSS
vSRX Virtual Firewall instances support the Software Receive Side Scaling (SWRSS) feature. SWRSS is a technique in the networking stack that increases parallelism and improves performance on multiprocessor systems. If the NICs do not have as many queues as there are flow threads (FLT), based on the vSRX Virtual Firewall type, then SWRSS is enabled by the flowd process.
With SWRSS support on vSRX Virtual Firewall and vSRX Virtual Firewall 3.0, you can assign more vCPUs to the vSRX Virtual Firewall regardless of the RSS queue limits of the underlying interfaces.
Based on SWRSS you can improve the GTP traffic performance using Tunnel endpoint identifier (TEID) distribution and asymmetric fat tunnel solution by:
Assigning a specific number of vCPUs for input/output flow usage: With SWRSS enabled, you can assign more vCPUs to input/output (IO) threads when there are few IO threads, or assign fewer vCPUs to IO threads if the flow process is consuming more vCPU. Use the set security forwarding-options receive-side-scaling software-rss io-thread-number <io-thread-number> command.
Distributing packets to flow threads according to the TEID inside the packet, which avoids reinjecting the packets in the flow process: This feature is enabled when SWRSS is enabled and you configure the set security forwarding-process application-services enable-gtpu-distribution command. With this feature, GTP packets are distributed to the flow threads according to a hash value calculated from the TEID. The hash algorithm is the same as the one used for GTP distribution in the flow module, which ensures that GTP packets are not reinjected in the flow process.
Utilizing the fragment matching and forwarding mechanism in the input/output thread when GTPU distribution is enabled: This mechanism ensures that all the fragments of the same packet are distributed to one flow thread according to the TEID.
SWRSS uses an IP pair hash to distribute packets to flow threads. For GTP traffic with GTPU distribution enabled, TEID distribution is used instead to distribute packets to the flow threads. For fragmented packets, the TEID cannot be retrieved from non-first fragments. This requires fragment matching and forwarding logic to ensure that all fragments are forwarded to the flow thread selected by the TEID.
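The fragment matching described above, sketched as an added Python model of an IO thread; it is not Juniper code and not part of the original page. The hash (`toy_hash`), the `Dispatcher` class, the packet-building helpers and the addresses are assumptions, since the page does not give the hash vSRX uses.

```python
import struct

GTPU_PORT = 2152
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed tunnel endpoints

def toy_hash(data, n):
    # Placeholder hash; the hash vSRX actually uses is not given on the page.
    return int.from_bytes(data, "big") % n

class Dispatcher:
    """IO-thread model: pick a flow thread for each IPv4 packet."""
    def __init__(self, n_threads):
        self.n = n_threads
        self.frag_thread = {}  # (src, dst, ip_id) -> thread chosen from first fragment
        self.held = {}         # non-first fragments seen before their first fragment

    def dispatch(self, pkt):
        """Return a list of (flow_thread, packet) pairs that can be forwarded now."""
        ihl = (pkt[0] & 0x0F) * 4
        ip_id, frag = struct.unpack_from("!HH", pkt, 4)
        more, offset = bool(frag & 0x2000), frag & 0x1FFF
        key = (pkt[12:16], pkt[16:20], ip_id)
        if pkt[9] != 17:                       # not UDP: plain IP pair hash
            return [(toy_hash(pkt[12:20], self.n), pkt)]
        if offset:                             # non-first fragment: no UDP/GTP header
            if key in self.frag_thread:
                return [(self.frag_thread[key], pkt)]
            self.held.setdefault(key, []).append(pkt)  # real code would age these out
            return []
        thread = toy_hash(pkt[12:20], self.n)  # default: IP pair hash
        if len(pkt) >= ihl + 16:
            dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
            if dport == GTPU_PORT and pkt[ihl + 8] >> 5 == 1:      # GTPv1-U header
                thread = toy_hash(pkt[ihl + 12:ihl + 16], self.n)  # hash the TEID
        if more:                               # remember the choice for later fragments
            self.frag_thread[key] = thread
        released = [(thread, p) for p in self.held.pop(key, [])]
        return [(thread, pkt)] + released

def ipv4(ip_id, payload, offset=0, more=False):
    frag = (0x2000 if more else 0) | offset    # offset is in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       frag, 64, 17, 0, SRC, DST) + payload

def gtpu(teid, inner):
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 16 + len(inner), 0)
    return udp + struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner
```

Two TEIDs between the same pair of tunnel endpoints land on different flow threads, and a non-first fragment that arrives before its first fragment is held until the TEID is known.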
Enabling GTP-U TEID Distribution with SWRSS for Asymmetric Fat Tunnels
The following configuration helps you enable PMI and GTP-U traffic distribution with SWRSS enabled.
Before you begin, understand:
SWRSS concepts and configurations.
How to establish PMI and GTP-U
With Software Receive Side Scaling (SWRSS) enabled, you can assign more vCPUs to input/output (IO) threads when there are few IO threads, or assign fewer vCPUs to IO threads if the flow process is consuming more vCPU. You can configure the number of IO threads required. With SWRSS enabled and IO threads configured, reboot the vSRX Virtual Firewall for the configuration to take effect. After the IO threads are configured, distribute the GTP traffic to the configured IO threads according to TEID-based hash distribution, which splits a fat GTP session into multiple slim GTP sessions and processes them on multiple cores in parallel.
When PMI mode is enabled with TEID distribution and SWRSS support, the performance of PMI is improved. If you want to enable PMI mode, run the set security flow power-mode-ipsec command.
The following steps describe how to enable SWRSS, configure IO threads, and enable PMI mode for GTP sessions with TEID distribution to obtain asymmetric fat tunnels: