Tunnel Acceleration Behavior

Understand tunnel acceleration as it relates to tunnel content inspection.
The following sections provide background information about GTP-U, GRE, and VXLAN tunnel acceleration, which may be helpful to know before you decide to Disable Tunnel Acceleration.

GTP-U

Criteria that must be met before GTP tunnel acceleration is enabled:
  1. Generic tunnel acceleration is enabled under Device > Setup > Management (in General Settings, Tunnel Acceleration is checked).
  2. GTP Security is enabled under Device > Setup > Management (in General Settings, GTP Security is checked).
  3. No Tunnel Inspection policy rule with GTP-U protocol is enabled.
  4. After you commit the configuration, you must reboot to load the GTP-U parser program.
Criteria for identifying GTP-U packets in hardware:
  1. UDP destination port is 2152.
  2. GTP.version is 1 and GTP.protocol_type is 1.
How tunnel acceleration alters the flow ID:
  • If the packet passes both identification criteria, the firewall sets the following in the flow key:
    • Encoding bit: 1
    • UDP destination port field: tunnel endpoint identifier (TEID) taken from the GTP-U header
    • Source address: 0
  • Otherwise, the packet is processed as a normal UDP packet.
Benefits of GTP-U Tunnel Acceleration
If GTP-U acceleration is enabled, the main benefit occurs only when a large share of the tunneled traffic can be offloaded. A large percentage of GTP traffic is sourced from mobile devices and is mostly web traffic, which is not offloaded while its inner payload is being inspected.
The GTP Security feature is fully functional without acceleration; the performance benefit is tied to the amount of inner payload traffic that the hardware can offload. For example, any inner flow that would normally be marked as L7 complete is offloaded and handled solely in hardware as an inner application inside GTP.

GRE

Criterion for tunnel acceleration taking effect with GRE:
  • Generic tunnel acceleration is enabled under Device > Setup > Management (in General Settings, Tunnel Acceleration is checked).
Criterion for identifying GRE packets in hardware:
  • IP protocol 47
How tunnel acceleration alters the flow ID:
  • Flow key is the same with and without tunnel acceleration.
Benefits of GRE Tunnel Acceleration
  • With TCI: GRE passthrough traffic sees approximately a 30% increase in flow-handling performance with tunnel acceleration compared to the same traffic without it.
  • Without TCI: Disabling tunnel acceleration has no performance impact on GRE traffic if no tunnel content inspection (TCI) policies are in use.

VXLAN

Criterion for tunnel acceleration taking effect with VXLAN:
  • Generic tunnel acceleration is enabled under Device > Setup > Management (in General Settings, Tunnel Acceleration is checked).
Criterion for identifying VXLAN packets in hardware:
  • UDP destination port is 4789.
How tunnel acceleration alters the flow ID:
  • UDP destination port field: VXLAN network identifier (VNI) taken from the VXLAN header.
  • Encoding: 2.
Benefits of VXLAN Tunnel Acceleration
  • Generic: Fewer session resources are consumed because only the per-VNI session is needed, not the outer VXLAN UDP session. The firewall parses the VXLAN header to extract the VNI and uses it to derive a unique flow ID for each VNI carried in a VXLAN tunnel.
  • With TCI: VXLAN passthrough traffic sees approximately a 30% increase in flow-handling performance with tunnel acceleration compared to the same traffic without it.
  • Without TCI: Even without TCI, flow handling is approximately 10% faster with tunnel acceleration than without it. Because the flow ID now includes the VNI, flows from one VXLAN tunnel can land on different dataplanes, which changes how the load of a single tunnel is distributed across its VNIs. Unless a tunnel carries flows for several VNIs, this effect on performance is mostly negligible.