Pay attention to vswitch details


We have started a public comparison test of vswitches. The test focuses on security: the authentication methods each switch supports, its port control capabilities, and the standard or non-standard security functions the vendor has developed.

Performance testing is not the focus of this test. However, we did run two performance tests: simple forwarding and forwarding with ACLs applied.

In the simple forwarding test, we tested forwarding in a mesh topology. Two Gigabit ports and two groups of 10 10-Gigabit ports each performed two-way communication; the remaining four 10-Gigabit ports were used for full-mesh communication, that is, each port communicating with the other three.

Next, the latency test measured the vswitch's latency at Mbit/s and Gbit/s rates.

After this test was completed, we added the ACLs. We required that 10 ACLs be added to each port of the device under test, and that the switch discard incoming packets whose UDP destination port number is in the range 1001 to 1010. The idea comes from how the "Shock Wave" virus was contained: some engineers discard virus packets in this way to protect the network. This is a fairly rudimentary method. We then repeated the throughput and latency tests.

In general, the throughput and latency results after the ACLs were added did not differ much from the earlier results, and some products even showed lower latency. After all, a latency test requires multiple samples that are then averaged. Even taking the average of three runs in the test, there may still be some offset in the results. Overall, the latency difference after the ACLs were added is small.

All the switches we received support layer 2/3/4 ACLs, but the differences between them are large. For example, some vswitches or versions support fewer than 100 ACLs in total. In that case, there is not enough capacity to apply 10 uniform ACLs to every port. When configuring some products, the ACL sequence numbers appear to span a wide range, such as 1-255, yet applying them fails at the 10th.
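The following is an added example, not code from the original test or from any vendor. It models the test ACL (drop UDP destination ports 1001 to 1010) and shows how a small shared ACL table runs out when the same 10 entries are applied to every port. The 24-port count, the 96-entry capacity, the default-forward behaviour and the one-slot-per-entry-per-port accounting are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of the test ACL; not any vendor's CLI or API.
UDP, TCP = 17, 6  # IP protocol numbers

@dataclass(frozen=True)
class Rule:
    action: str    # "deny" or "permit"
    proto: int     # IP protocol number
    dst_port: int  # layer-4 destination port

def build_test_acl():
    """The 10 entries from the test: drop UDP destination ports 1001-1010."""
    return [Rule("deny", UDP, p) for p in range(1001, 1011)]

def evaluate(acl, proto, dst_port):
    """First match wins; traffic matching no entry is forwarded (assumed default)."""
    for rule in acl:
        if rule.proto == proto and rule.dst_port == dst_port:
            return rule.action
    return "permit"

def apply_to_ports(num_ports, acl, table_capacity):
    """Apply the ACL port by port against one shared hardware table.

    Returns (ports_programmed, entries_used). Assumes each entry on each
    port consumes one table slot and that a port's ACL is applied
    all-or-nothing, which simplifies real hardware behaviour.
    """
    used = 0
    for port in range(num_ports):
        if used + len(acl) > table_capacity:
            return port, used  # this port could not be programmed
        used += len(acl)
    return num_ports, used

if __name__ == "__main__":
    acl = build_test_acl()
    for proto, port in [(UDP, 1001), (UDP, 1010), (UDP, 1011), (TCP, 1005)]:
        print(proto, port, evaluate(acl, proto, port))
    # Hypothetical 24-port switch with a table of fewer than 100 entries.
    done, used = apply_to_ports(24, acl, 96)
    print(f"programmed {done} of 24 ports using {used} of 96 entries")
```

A pre-deployment check like `apply_to_ports` is worth running against the vendor's documented table size before relying on per-port ACLs as an emergency control.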

Many users may never deploy an ACL on a vswitch. However, when a network anomaly occurs, an ACL is a good emergency measure (I don't think it will be a long-term solution). Still, it is not hard to see how well a vendor supports ACLs: just try adding a few. The differences are really large.

Our tests are still ongoing. Apart from a few products with incorrect versions, the performance tests have come to an end. Next we will test ACL accessibility, authentication, and other security features. Many of these tests vary widely: manufacturers have different understandings and practices.
