Zack
Ixia Principal Product Manager

DevOps Automation with Performance Benchmarking

November 3, 2016 by George Zecheru

SDN and NFV are technologies that will transform carrier and enterprise networks over the next several years. Service providers are pressured by agile competitors entering the market. Network equipment manufacturers (NEMs) need to quickly respond with solutions to capitalize on SDN/NFV rollouts and migrations.

As the time from development to deployment has shrunk from months to days, agile development is becoming business critical. But to monetize innovations, faster product rollout must not sacrifice product quality.

The key to a successful NFV migration is having test capabilities integrated into the continuous integration and continuous deployment (CI/CD) test pipeline. Tests need to be virtualized, deployable, configurable, and executable across multiple virtualization environments of private, hybrid, and public cloud infrastructures.

By leveraging the right test tools and processes, organizations can dramatically improve the user experience, reduce development cost and risk, and accelerate time to market without frustrating their development and IT operations (DevOps) personnel.

Use Ixia Developer to Set Up Performance Benchmarks

Ixia Developer makes it easy for DevOps to introduce performance benchmarks into continuous integration to reduce software development risks and costs by discovering performance issues early in the development process.

In this article, we will explore how RFC 2544 Benchmarking provides a rapid and practical method to benchmark the performance of a compute-intensive virtual network function (VNF) such as a virtual router (vRouter) used to secure network communication with IP security (IPsec).

The test topology consists of two open source Vyatta 6.3 routers configured to secure the traffic between two data centers using an IPsec site-to-site VPN tunnel. The protected traffic between the two data centers, “WDC” (West Data Center) and “EDC” (East Data Center), will be recreated using Ixia Developer.

Ixia Developer is deployed as a standalone virtual machine (VM) running on its own dedicated VMware ESXi host. The system under test (SUT) is deployed to a separate VMware ESXi host running only the two Vyatta vRouters (configuration of the vRouters is at the end of this blog). Each Vyatta vRouter includes 3 interfaces:

  • eth0: for management (DHCP – 10.200.134.x/24)
  • eth1: for untrusted interfaces (IPsec)
  • eth3: for the trusted interfaces (clear text)

Similarly, Ixia Developer is configured with 3 interfaces:

  • eth0: management interface to access the web user interface
  • eth1: to simulate protected hosts in the WDC
  • eth2: to simulate protected hosts in the EDC

Before connecting Ixia Developer to the SUT, it was calibrated by running a back-to-back test to create its performance benchmark. To run the calibration test you can follow the same configuration steps and implement the following changes:

  • connect the Ixia Developer virtual test ports to the same vSwitch
  • set the IP addresses to be in the same subnet

The following results have been recorded:

Ixia Developer—Configure RFC 2544 Test

RFC 2544 defines a specific set of tests designed to measure and report the performance characteristics of network devices.

This section covers the Ixia Developer configuration steps to determine the maximum rate of forwarding and receiving IP frames without any frame loss. The search algorithm implements a binary search as defined by the RFC 2544 standard.

Set Up New Test

  • Install the RFC 2544 extension for Ixia Developer

  • On the Ixia Developer Dashboard page, click New Test.

Assign Test Interfaces

  • On the Editor page, configure the network entity interfaces:
    • Click the interface icon for either the Client or the Server entity to open the Interfaces window
    • Check an interface (such as eth1) to select it, and then click OK
    • Repeat to configure the remaining Client or Server entity

Configure Network

Modify the network entity properties to match our test topology:

  • Click the entity name (such as ClientEntity) to open the Properties window
  • Modify the settings to match the configurations below, then click OK
  • For the ClientEntity network, modify:
    • Network Entity Name: WDC-IXIA-LAN
    • Stack: IPv4
    • IPs per interface: 25
    • Starting IP: 192.168.1.2 / 24
    • Gateway: 192.168.1.1
    • MTU: 9000
  • For the ServerEntity network, modify:
    • Network Entity Name: EDC-IXIA-LAN
    • Stack: IPv4
    • IPs per interface: 25
    • Starting IP: 192.168.2.2 / 24
    • Gateway: 192.168.2.1
    • MTU: 9000

The resulting network configuration is shown below:

Configure Traffic

  • Click “+ Add Traffic to Your Test,” then select “RFC 2544 Traffic”

  • Click the tile to display the configuration parameters
  • Configure the parameters for the RFC 2544 test
    • Min Rate = 1 Mbps
    • Max Rate = 1000 Mbps
    • Resolution = 25 Mbps
    • Frame Size List: 64, 128, 256, 512, 1024, 1280, 1518*

  • Note: IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added headers vary in length depending on the IPsec configuration mode, but they do not exceed ~58 bytes. When using 1518 bytes/MTU, you can replace 1518 bytes with 1460 bytes to avoid fragmentation after IPsec encapsulation
  • On the Ixia Developer Dashboard page, click Start Test
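
The search that these parameters drive can be sketched as follows. This is an added example, not Ixia Developer code: it runs a binary search per frame size using the Min Rate, Max Rate, Resolution and frame size list configured above. The `simulated_trial` function and its 100,000 packets-per-second capacity are constructed stand-ins for a real traffic trial against the SUT.

```python
# Added illustration (not Ixia Developer code): RFC 2544 zero-loss throughput search.
FRAME_SIZES = [64, 128, 256, 512, 1024, 1280, 1518]   # bytes, from the test configuration
MIN_RATE, MAX_RATE, RESOLUTION = 1.0, 1000.0, 25.0    # Mbps, from the test configuration


def simulated_trial(capacity_pps):
    """Constructed stand-in for one traffic trial against the SUT.

    Models a packet-rate-bound forwarder: frames offered above capacity_pps
    are dropped. Rates count frame bytes only (no preamble or inter-frame gap).
    """
    def run(rate_mbps, frame_size):
        offered_pps = rate_mbps * 1e6 / (frame_size * 8)
        return max(0, round(offered_pps - capacity_pps))   # frames lost per second
    return run


def throughput_search(run_trial, frame_size,
                      lo=MIN_RATE, hi=MAX_RATE, resolution=RESOLUTION):
    """Return (highest zero-loss rate in Mbps or None, trials run)."""
    trials = 1
    if run_trial(hi, frame_size) == 0:
        return hi, trials              # maximum rate passes: nothing to search
    trials += 1
    if run_trial(lo, frame_size) > 0:
        return None, trials            # loss even at the minimum rate
    best, fail = lo, hi                # invariant: best passes, fail loses frames
    while fail - best > resolution:
        rate = (best + fail) / 2
        trials += 1
        if run_trial(rate, frame_size) == 0:
            best = rate                # no loss: search the upper half
        else:
            fail = rate                # loss: search the lower half
    return best, trials


def benchmark(run_trial):
    """Best zero-loss rate per frame size, as the results widget summarizes."""
    return {size: throughput_search(run_trial, size)[0] for size in FRAME_SIZES}


if __name__ == "__main__":
    sut = simulated_trial(capacity_pps=100_000)   # constructed capacity figure
    for size, mbps in benchmark(sut).items():
        print(f"{size:>5} B  {mbps} Mbps")
```

With a 25 Mbps resolution the reported rate can sit up to 25 Mbps below the true zero-loss rate, which matters most at small frame sizes where the vRouter's ceiling is itself only tens of Mbps.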

Ixia Developer—Monitor and Visualize Test Results

To monitor the test and see the results, click the title bar of the statistics widget to view the statistics. “RFC 2544 Frame Size Throughput (Mbps)” summarizes the best throughput achieved for each frame size.

The max achieved values are summarized below:

You can now leverage Ixia Developer’s REST API to integrate performance benchmarking into the CI/CD test pipeline. Additionally, you can leverage Ixia Developer’s rich and realistic application traffic and malicious attacks to expand the performance benchmarking by modeling your production traffic.

Related Configuration: Vyatta vRouters

Vyatta-WDC vRouter configuration used

set system host-name vyatta-wdc
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 4.0.0.1/24
set interfaces ethernet eth2 address 192.168.1.1/24
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth2 mtu 9000
set service ssh
commit
save

set vpn ipsec ipsec-interfaces interface eth1

set vpn ipsec ike-group IKE-WDC proposal 1
set vpn ipsec ike-group IKE-WDC proposal 1 encryption aes256
set vpn ipsec ike-group IKE-WDC proposal 1 hash sha1
set vpn ipsec ike-group IKE-WDC lifetime 3600

set vpn ipsec esp-group ESP-WDC proposal 1
set vpn ipsec esp-group ESP-WDC proposal 1 encryption aes256
set vpn ipsec esp-group ESP-WDC proposal 1 hash sha1
set vpn ipsec esp-group ESP-WDC lifetime 1800

edit vpn ipsec site-to-site peer 4.0.0.2
set authentication mode pre-shared-secret
set authentication pre-shared-secret SECRET
set default-esp-group ESP-WDC
set ike-group IKE-WDC
set local-ip 4.0.0.1
set tunnel 1 local subnet 192.168.1.0/24
set tunnel 1 remote subnet 192.168.2.0/24
top
set protocols static route 4.0.0.1/32 next-hop 4.0.0.2
commit

Vyatta-EDC vRouter configuration used

set system host-name vyatta-edc
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 4.0.0.2/24
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth1 mtu 9000
set interfaces ethernet eth2 mtu 9000
set service ssh

set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec ike-group IKE-EDC proposal 1
set vpn ipsec ike-group IKE-EDC proposal 1 encryption aes256
set vpn ipsec ike-group IKE-EDC proposal 1 hash sha1
set vpn ipsec ike-group IKE-EDC lifetime 3600

set vpn ipsec esp-group ESP-EDC proposal 1
set vpn ipsec esp-group ESP-EDC proposal 1 encryption aes256
set vpn ipsec esp-group ESP-EDC proposal 1 hash sha1
set vpn ipsec esp-group ESP-EDC lifetime 1800

edit vpn ipsec site-to-site peer 4.0.0.1
set authentication mode pre-shared-secret
set authentication pre-shared-secret SECRET
set default-esp-group ESP-EDC
set ike-group IKE-EDC
set local-ip 4.0.0.2
set tunnel 1 local subnet 192.168.2.0/24
set tunnel 1 remote subnet 192.168.1.0/24
top
set protocols static route 4.0.0.2/32 next-hop 4.0.0.1
commit

Useful commands to monitor Vyatta router

show vpn ipsec sa
show vpn ipsec status
clear interfaces counters
show interfaces counters
show interfaces ethernet eth1 capture