Agilio OVS Firewall Software

The Agilio OVS Firewall Software is designed to enable zero-trust stateful security in data centers using OpenStack-based automation. Agilio OVS Firewall Software, combined with Agilio intelligent server adapters (ISAs), enable zero-trust stateful security while significantly improving server-based networking performance. Agilio OVS Firewall Software restores valuable CPU cores by offloading OVS and connection tracking (Conntrack) to Netronome’s ISAs.

Agilio OVS Firewall

This gives users the ability to define more intelligent filtering policies, security groups, access control lists, and stateful firewall applications. The solution is a drop-in accelerator for OVS, making it compatible with existing network tools, controllers and orchestration software. This, combined with XVIO, now brings the same security and performance to VirtIO-based VM workloads.

Features

Netronome Agilio intelligent server adapters and Agilio software track the features of standard OVS, which are continuously evolving and include server-based networking functions such as flexible match-action forwarding, connection tracking (Conntrack), network overlay control with tunneling protocols such as VXLAN and NVGRE, and fine-grained statistics and meters. These features enable functions such as L2/L3 forwarding, network virtualization, security, load balancing and analytics.

Architecture

Agilio Firewall Software, combined with Agilio intelligent server adapters (ISAs) enable zero-trust stateful security while significantly improving server-based networking performance. Agilio Firewall restores valuable CPU cores by offloading Open vSwitch (OVS), and Linux connection tracking (Conntrack) to Netronome’s family of ISAs. Provisioning of the zero-trust security policies is enabled through standard OVS interfaces and related OpenStack security group support.

The Agilio OVS Firewall Software augments the Agilio OVS Software product through the addition of Netfilter Connection Tracking (Conntrack). This gives users the ability to define more intelligent filtering policies, rules to replicate security groups, access control lists, and stateful firewall applications. Agilio OVS Firewall Software offloads the Conntrack functionality to the NFP datapath instead of NetFilter software in the kernel boosting performance dramatically. Performing this connection tracking in the NFP, in addition to standard OVS match/action profiles, adds value by offloading and accelerating the enforcement of the most comprehensive policies, thereby eliminating the bottlenecks associated with implementation of zero-trust stateful security within a server.

ROI Calculator

When OVS is offloaded and accelerated using the Agilio solution, server throughput increases significantly while freeing up CPU cycles for more VMs and applications. This means that more application-level work can now be accomplished by a fixed pool of compute servers. Alternatively, the same amount of work can now be accomplished with significantly fewer servers. This leads directly to savings on equipment costs and overall data center power and cooling, as well as the ability to better monetize existing resources. This ROI calculator shows the value of the Agilio 40GbE intelligent server adapter when used in a rack of servers with OVS.

Calculate Your Savings

Benchmarks

Standard OVS and Conntrack without acceleration struggles with packet processing which ties up valuable server CPU resources and creates a bottleneck that starves applications. Netronome Agilio intelligent server adapters reclaim up to 50% of the server CPU resources previously dedicated to OVS and stateful security, while at the same time delivering 4X or more of the packet data throughput to more applications. For detailed benchmarking results, see the Enabling Efficient and Scalable Zero-Trust Security Whitepaper.
Performance graph in Gigabits per second
Performance graph in CPU utilization