Network Visibility Briefs

Understanding Link Aggregation

Link aggregation is a way of bundling several individual (Ethernet) links together so that they act as a single logical link. For standard link aggregation, the physical ports must reside on a single switch. Split Multi-Link Trunking (SMLT) and Routed-SMLT (RSMLT) remove this limitation so that the physical ports can be connected to, or split between, two switches. If you have a switch with many Gigabit Ethernet ports, you can connect all of them to another device that also has multiple ports and balance the traffic across these links to improve performance.

Link aggregation uses software to combine two to eight physical interfaces at layer 2 or layer 3 of the OSI model. The goal is to have these multiple physical links act as a single logical interface. The most important feature of link aggregation is its ability to enhance or increase network capacity while maintaining a fast transmission speed and eliminating the need to use additional hardware devices, thus reducing cost. Link aggregation brings traffic from separate sources or locations together and forwards the traffic to a single monitoring tool as one stream. Link aggregation can be enhanced further by using traffic replication, which allows the same traffic stream—aggregated traffic in this case—to be sent to more than one monitoring tool.

This can be used to improve visibility of both sides of a link over a single interface. Aggregation is used to accomplish two key tasks. The first is to increase overall bandwidth between two switches or servers where the logical aggregate interface is configured. This can eliminate bottlenecks by allowing data to be transmitted and received over multiple interfaces. The second key reason to use link aggregation is to eliminate any single points of failure between switches. You can lose one or more physical interfaces on a logical aggregate interface, but as long as one physical connection is up and operational, you maintain connectivity. Link aggregation provides fast and transparent recovery in case one of the individual links fails.

Link aggregation also supports network load balancing. Different load balancing algorithms can be set by network engineers or administrators. Furthermore, network speed is increased in small increments, which leads to savings in both resources and cost. Link aggregation can also affect how efficiently connected tools operate. When monitoring tools require great network visibility to perform efficiently, consolidating traffic from many locations and sources is essential to those tools. When link aggregation is combined with traffic replication, copies of the same combined traffic can be forwarded to various analysis tools.
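The two benefits described above (spreading flows across the bundle, and surviving the loss of a member link) can be seen in a small model. The following is an added example written for this brief, not Cubro code and not any vendor's implementation: it assumes a hash-based load-balancing algorithm keyed on the IP/port five-tuple, which keeps every packet of one flow on the same physical link so packets are not reordered, and it assumes the link names `eth1`..`eth4` and the sample flows are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """Five-tuple used as the load-balancing key (constructed sample data)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

@dataclass
class Lag:
    """A logical aggregate interface made of two to eight physical member links."""
    members: list                       # physical link names, e.g. ["eth1", "eth2"]
    down: set = field(default_factory=set)

    def __post_init__(self):
        if not 2 <= len(self.members) <= 8:
            raise ValueError("a LAG bundles two to eight physical links")

    def active_members(self):
        return [m for m in self.members if m not in self.down]

    def select_link(self, flow: Flow) -> str:
        """Hash-based distribution: all packets of one flow take the same link,
        while different flows spread across whatever links are still up."""
        active = self.active_members()
        if not active:
            raise RuntimeError("all member links down: aggregate interface is down")
        key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}|{flow.src_port}|{flow.dst_port}"
        digest = hashlib.sha256(key.encode()).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)]

    def link_failed(self, name: str):
        self.down.add(name)

    def link_restored(self, name: str):
        self.down.discard(name)

def distribute(lag: Lag, flows) -> dict:
    """Return {link: number of flows} to show how evenly flows spread."""
    counts = {m: 0 for m in lag.active_members()}
    for f in flows:
        counts[lag.select_link(f)] += 1
    return counts

def sample_flows(n: int = 1000):
    """Constructed sample: n distinct TCP flows from one /16 to one HTTPS server."""
    return [Flow(f"10.0.{i // 256}.{i % 256}", "10.1.0.10", 6, 40000 + i, 443)
            for i in range(n)]

if __name__ == "__main__":
    lag = Lag(["eth1", "eth2", "eth3", "eth4"])
    flows = sample_flows()
    print("healthy bundle:", distribute(lag, flows))
    lag.link_failed("eth2")          # one physical link lost; logical link stays up
    print("after eth2 fails:", distribute(lag, flows))
```

Note that a single large flow still cannot exceed the speed of one member link; hashing spreads flows, not packets, which is why aggregation raises capacity "in small increments" rather than producing one faster pipe.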

Cubro’s Aggregation TAP series combines traffic from various sources and divides it into two traffic streams, each of which has the aggregated data from the duplex flows, which allows network staff to monitor a full duplex connection with a single monitoring tool.

Bypass Switches

A bypass switch (or bypass TAP) is a simple piece of hardware that allows you to connect inline security tools to your network – without the risk of network downtime. It provides a fail-safe access port for an in-line active security appliance such as an intrusion prevention system (IPS) or next-generation firewall (NGFW).

Active, in-line security appliances are single points of failure in live computer networks because if the appliance loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass TAP removes this point of failure by automatically 'switching traffic via bypass mode' to keep the critical network link up. These switches safeguard a network with automated failover protection, preventing temporary tool outages from escalating into costly network outages.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the appliance, and ensuring that traffic continues to flow on the network link.

Bypass switches can detect when an in-line tool has failed or lost power through heartbeat packets. Heartbeat packets are signals sent from the bypass switch, through the in-line tool at regular intervals. If a packet doesn’t make it back to the bypass switch, the in-line tool is assumed to have failed, and network traffic is rerouted.
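The heartbeat logic above is easy to get subtly wrong (flapping on a single lost probe, or never re-inserting a recovered tool), so here is an added example of the state machine as a small model. It is written for this brief and is not Cubro's firmware; the probe interval, the threshold of three consecutive lost heartbeats and the five good heartbeats required before re-inserting the appliance are assumed values chosen for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class BypassSwitch:
    """Heartbeat-driven failover between inline mode and bypass mode.

    Constructed model: the switch injects a heartbeat every `interval` seconds
    toward the inline appliance and expects it back on the other monitor port.
    After `max_missed` consecutive lost heartbeats the appliance is declared
    failed and the two network ports are bridged directly (bypass mode).
    """
    interval: float = 1.0
    max_missed: int = 3          # assumed threshold
    recover_after: int = 5       # assumed: good heartbeats before re-inserting the tool
    mode: str = "inline"
    missed: int = 0
    good: int = 0
    log: list = field(default_factory=list)

    def heartbeat_result(self, returned: bool, t: float) -> str:
        """Record the outcome of one heartbeat probe sent at time t; return the mode."""
        if returned:
            self.missed = 0
            self.good += 1
            if self.mode == "bypass" and self.good >= self.recover_after:
                self.mode = "inline"
                self.log.append((t, "appliance healthy again: traffic re-routed through inline tool"))
        else:
            self.good = 0
            self.missed += 1
            if self.mode == "inline" and self.missed >= self.max_missed:
                self.mode = "bypass"
                self.log.append((t, f"{self.missed} heartbeats lost: switched to bypass mode"))
        return self.mode

    def forward(self, pkt: bytes, appliance: Callable[[bytes], Optional[bytes]]) -> Optional[bytes]:
        """Forward one packet arriving on a network port.

        `appliance` models the inline tool: it returns the packet it lets
        through, or None when it drops it. In bypass mode the appliance is not
        consulted at all, so the link keeps flowing but is no longer inspected.
        """
        if self.mode == "bypass":
            return pkt
        return appliance(pkt)

def simulate(bypass: BypassSwitch, appliance_up_schedule) -> list:
    """Feed a per-tick list of booleans (did the heartbeat come back?) and
    return the switch mode observed after every tick."""
    modes = []
    for tick, up in enumerate(appliance_up_schedule):
        modes.append(bypass.heartbeat_result(up, tick * bypass.interval))
    return modes

if __name__ == "__main__":
    # Constructed schedule: appliance answers, goes dark for four probes, then recovers.
    schedule = [True, True, False, False, False, False] + [True] * 6
    sw = BypassSwitch()
    print(simulate(sw, schedule))
    for t, event in sw.log:
        print(f"t={t:4.1f}s  {event}")
```

The `log` entries are the part a defender should care about: bypass mode is a fail-open state in which the IPS or NGFW sees nothing, so each transition belongs in monitoring and alerting rather than only on the device's front panel.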

Cubro Bypass Switches are deployed between network devices and in front of security tools, providing a reliable separation point between the network and security layers. They enable the comprehensive support of network and security tools without the risk of network interruptions. Bypass switches also make it possible for multiple security tools to process traffic from a single network link.

Advantages of using a Cubro external bypass switch:

  • Keeps network traffic flowing when the in-line appliance fails.
  • Allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken offline for upgrades, maintenance or troubleshooting.
  • The in-line appliance can be moved from one network segment to another without impacting network traffic.

Cubro's GUI for configuring NPBs

Network Packet Brokers are important tools which perform a number of network visibility tasks. They simplify complicated network problems because trying to connect every tool to every network device is complicated and expensive. Configuring NPBs via command line interfaces can be tedious and error-prone. Cubro Network Packet Brokers have a graphical user interface (GUI) in addition to a traditional command line interface (CLI) which makes it easier for customers to set up and use their Cubro devices.

Definition of GUI:
A GUI is a graphical (rather than purely textual) user interface for a computer system. The term came into existence because the first interactive user interfaces to computers were not graphical; they were text-and-keyboard oriented and usually consisted of commands which had to be remembered and computer responses that were infamously brief. The command interface of the DOS operating system is an example of the typical user-computer interface before GUIs arrived. An intermediate step in user interfaces between the command line interface and the GUI was the non-graphical menu-based interface, which lets the user interact by using a mouse rather than by having to type in keyboard commands.

Cubro’s GUI features for NPB users:

  • Makes creating monitoring filters more fault-proof – The traditional command line interface uses many commands and it is possible to mistype or forget the commands. Keeping track of a long command line can be difficult. Customers find it much easier to use the WebGUI as it removes some sources of error.
  • Makes testing and troubleshooting filters more efficient – The filters which are created in NPB require testing to ensure they pass the correct data. WebGUI makes this process much faster and more efficient.
  • Makes provisioning of SPAN sessions faster – Creating SPAN sessions using a command line interface requires typing several commands. This can be done much faster using the WebGUI.
  • Makes the filter-changing process quicker – When the connections between tools and NPBs are changed, it is often necessary to change filter rules. This can be done much more quickly with the WebGUI rather than using a command line interface.
  • No special training required – To use Cubro’s WebGUI, customers do not need any special training. The graphical interface is simple to use and can be used by a highly skilled engineer or even a junior engineer.

Cubro’s Sessionmaster for Data Centres

The increasing sophistication of network equipment and design combined with the increased traffic on networks have changed the face of network management. With advanced application-level traffic-shaping techniques, network hardware can now slice and dice distinct data flows and treat them accordingly. This increasing focus on Layer 4-7 services requires more sophisticated network monitoring. Some businesses need monitoring for certain functional needs whereas it is required for security purposes or by law in other cases. A typical functional use case would be the recording of conversations, for example, recording an executive’s conversation with a customer to provide feedback/improvement suggestions or to provide training to new staff.

All businesses that need monitoring require the deployment of a specialized intelligent network packet monitoring solution, a Network Packet Broker (NPB). There are multiple ways in which the NPB can be deployed. One method of classification is in-line, wherein the NPB sits in the path of traffic and performs certain functions. This method is suitable for situations where the throughput needs are not very high and the application is not latency sensitive. However, where throughput is high and low latency is required, an offline method is chosen, wherein the data packets are mirrored on SPAN ports and sent to the device, which sits off to the side rather than in-line.

Challenges for Data Centre:

Networks are critical for traditional uses: client/server communications, server/storage data transfer, and long distance communications for branch or internet access. In these traditional uses, the computational workloads or storage has tended to reside on one side of the connection, and the network was used to access the results. In more modern workloads, the computation and data are distributed. By examining and controlling the network, we can gain better control over program behaviour, and maintain visibility over its actions.

Perhaps one of the most significant challenges that today’s data centres face is identifying the correct mirroring point in the scenario of east west traffic, i.e. the traffic that flows within the data centre. North south traffic, i.e. the traffic coming in and going out of the data centre, is less of a challenge, as we can enable the SPAN at the data centre entry/exit point since that is a single point through which all north south traffic flows. However, the amount of east west traffic increases daily and optimization through determining the correct mirroring point can reduce duplicate traffic flowing through the data centre network.

Functions of a typical Network Packet Broker

  • Traffic/Packet Filtering – Analyse and store only those packets which are needed by applying packet matching rules.
  • Traffic/Packet De-duplication – Remove the duplicate packets that are being monitored.
  • Load balancing - Load balancing is another factor that makes network packet brokers the prime devices to enhance network security. They effectively delegate all network traffic to the relevant monitoring tools.
  • Removal of Repetitive Data - During the deep packet inspection process, a Network Packet Broker checks each packet for redundant or repeating data. It removes all such packets that contain redundant data, which ultimately saves your monitoring tools from becoming overloaded. During this secure removal process, original packets remain intact without having to face the threat of data compromise or data loss and are successfully delivered to the monitoring tools.
  • Optimization of Packets - Apart from deep packet inspection and possessing the ability to remove repetitive data packets, network packet brokers optimize the packets in a number of other ways as well, including conditional packet slicing and time stamping. Optimizing packets allows monitoring tools to function more effectively and efficiently.

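The de-duplication function in the list above is worth seeing concretely, because the same packet mirrored from two SPAN points is not byte-identical: the IPv4 TTL and header checksum change at every router hop. The following is an added example written for this brief, not Cubro's implementation: it constructs two minimal IPv4/TCP packets as sample input, masks the TTL and header checksum before hashing, and suppresses a second copy seen within a short time window. The 100 ms window and the packet builder are assumptions made for the demonstration; Layer 2 headers are assumed to be stripped already.

```python
import hashlib
import struct
from collections import OrderedDict

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4/TCP packet as sample data (checksums left zero;
    de-duplication masks them anyway)."""
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def dedup_key(pkt: bytes) -> bytes:
    """Hash the packet with the fields that legitimately differ between two
    observation points masked out: IPv4 TTL (byte 8) and header checksum (bytes 10-11)."""
    masked = bytearray(pkt)
    masked[8] = 0
    masked[10:12] = b"\x00\x00"
    return hashlib.sha256(masked).digest()

class Deduplicator:
    """Time-windowed duplicate suppression over a bounded table of recent hashes."""
    def __init__(self, window_seconds: float = 0.1, max_entries: int = 100_000):
        self.window = window_seconds
        self.max_entries = max_entries
        self.seen = OrderedDict()   # key -> first-seen timestamp, insertion ordered
        self.dropped = 0

    def process(self, pkt: bytes, ts: float) -> bool:
        """Return True if pkt should be forwarded to the tools, False if it is a duplicate."""
        while self.seen:                       # expire entries older than the window
            key, t0 = next(iter(self.seen.items()))
            if ts - t0 > self.window:
                self.seen.popitem(last=False)
            else:
                break
        key = dedup_key(pkt)
        if key in self.seen:
            self.dropped += 1
            return False
        self.seen[key] = ts
        if len(self.seen) > self.max_entries:  # bound memory under high load
            self.seen.popitem(last=False)
        return True

def run_demo():
    """Constructed traffic: one request mirrored before and after a router hop,
    one unrelated packet, and the first packet again after the window has passed."""
    d = Deduplicator(window_seconds=0.1)
    req = b"GET / HTTP/1.1\r\n"
    p1 = build_ipv4_tcp("10.0.0.5", "10.1.0.10", 51000, 443, req, ttl=64)
    p1_next_hop = build_ipv4_tcp("10.0.0.5", "10.1.0.10", 51000, 443, req, ttl=63)
    p2 = build_ipv4_tcp("10.0.0.5", "10.1.0.10", 51000, 443, b"GET /x HTTP/1.1\r\n", ttl=64)
    results = [d.process(p1, 0.000), d.process(p1_next_hop, 0.001),
               d.process(p2, 0.002), d.process(p1, 0.500)]
    return results, d.dropped

if __name__ == "__main__":
    print(run_demo())   # ([True, False, True, True], 1)
```

The window must stay short: a genuine TCP retransmission is byte-identical to the original and would otherwise be hidden from exactly the tools that diagnose packet loss.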
Advantages of Cubro’s Sessionmasters for Data Centres:

Best practice recommendations around NPBs include finding a solution that delivers true link layer visibility. In some cases, this simply means implementing tools to monitor network devices and individual links. In other cases, monitoring all the way to the application layer is required.

Cubro’s Sessionmaster offers the ability to monitor network-only functions, as well as to monitor and alert the customer regarding network and application issues that may arise. Deep Packet Inspection (DPI) is a technology by which a deeper examination of the packet, up to layer 7, can be performed.


Defining Layer 7 Visibility

The Open Systems Interconnection (OSI) model, developed by the International Standards Organization (ISO), divides network communication into seven layers. Layers 1-4 are considered the lower layers, and mostly concern themselves with moving data around. Layers 5-7, the upper layers, contain application-level data. Networks operate on one basic principle: "pass it on." Each layer takes care of a very specific job and then passes the data onto the next layer.

Layer 1 is called the physical layer, layer 2 is the data link layer, layer 3 is defined as the network layer, layer 4 is the transport layer, layer 5 is referred to as the session layer, layer 6 is the presentation layer and layer 7 is the application layer. Layer 7 in the OSI model supports application and end-user processes. In this layer, communication partners are identified, quality of service is determined, user authentication and privacy are considered, and any constraints on data syntax are noted. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist entirely at the application level.

Layer 3 and layer 4 network visibility solutions are limited to basic attributes, such as source and destination IPs, protocol types, and the number of active connections. These must be known in order to route network packets, but they offer no data about the packets' actual payload. With layer 7 visibility, by contrast, a user can gain insight into client type, request destination, the number of consecutive requests, etc.

Layer 7 visibility offers granular information to a security solution, which differentiates between legitimate users and malicious DDoS bots. In a load balancing context, Layer 7 visibility helps the user understand the exact load being transferred, which is critical information for all traffic distribution decisions. It lets the system assess each server’s response time and then use this data as an indication of availability. The result is optimal load distribution, as opposed to hit or miss alternatives.

Layer 7 visibility is also useful for server health checks. With a layer 7 failover solution, a user is able to devise a more accurate health check process. For example, a user can set up and monitor a specific URL that shows if the application’s database is up and running.

Introduction to VLANs

Virtual LANs (VLANs) allow network administrators to subdivide a physical network into separate logical broadcast domains. A VLAN might comprise a subset of the ports on a single switch or subsets of ports on multiple switches. By default, systems on one VLAN don't see the traffic associated with systems on other VLANs on the same network. On a Layer 2 network, all hosts connected to a switch are members of the same broadcast domain and broadcast domains can only be physically separated across different switches by routers.

Ports on switches can be assigned to one or more VLANs, allowing systems to be divided into logical groups. For example, they can be divided based on which department they are associated with and based on rules to be established about how systems in the separate groups are allowed to communicate with each other. These can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot), to the complex and legal (e.g., computers in the trading departments cannot interact with computers in the retail banking departments).

As VLANs are a Layer 2 protocol, Layer 3 routing is required to allow communication between VLANs, in the same way that, a router would segment and manage traffic between two subnets on different switches. In addition, some Layer 3 switches support routing between VLANs, allowing traffic exchange to occur at the core switches and as a result increasing performance by avoiding sending traffic through the router.

As networks scale, it becomes necessary to introduce multiple broadcast domains in order to segment traffic for performance, security or logistics reasons. Without the use of VLANs, this would typically require each network segment to have its own separate switch infrastructure, with one or more routers managing communication between each switch segment.

Some VLAN functions include:

  • Separating network management traffic from end user or server traffic
  • Isolating sensitive infrastructure, services, and hosts such as corporate users from guest users
  • Prioritizing or implementing Quality of Service (QoS) rules for specific services, such as VoIP phones
  • Providing network services for different clients in an ISP, data centre or office building using the same switch and router infrastructure
  • Separating groups of hosts logically, irrespective of physical location—for example, allowing Human Resources employees to share the same network subnet and access the same network resources, regardless of their location within the building

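The core property stated above, that hosts on one VLAN do not see traffic from another VLAN on the same switch, can be shown with a toy Layer 2 switch. This is an added example written for this brief, not code from Cubro or any switch vendor; it assumes access ports (each port in exactly one VLAN), per-VLAN MAC learning, and the port names, VLAN ids and MAC addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes

class VlanSwitch:
    """Toy Layer 2 switch with access ports: each port belongs to one VLAN,
    MAC learning is kept per VLAN, and broadcast or unknown-unicast frames
    flood only to ports in the ingress port's VLAN. Constructed model."""
    def __init__(self, port_vlans: dict):
        self.port_vlans = dict(port_vlans)   # port -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port

    def receive(self, in_port: str, frame: Frame) -> list:
        """Return the list of egress ports the frame is delivered to."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, frame.src_mac)] = in_port      # learn the source
        same_vlan = [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]
        if frame.dst_mac == BROADCAST:
            return same_vlan
        out = self.mac_table.get((vlan, frame.dst_mac))
        if out is None:
            return same_vlan          # unknown unicast floods within this VLAN only
        return [out]

def demo():
    """Constructed scenario: HR PC and HR printer on VLAN 10, guest PC on VLAN 20."""
    sw = VlanSwitch({"g1": 10, "g2": 10, "g3": 20, "g4": 20})
    hr_pc, hr_printer, guest_pc = "00:11:22:00:00:01", "00:11:22:00:00:02", "00:11:22:00:00:03"
    # Broadcast (think ARP who-has) from the HR PC reaches only other VLAN 10 ports.
    arp = sw.receive("g1", Frame(hr_pc, BROADCAST, b"who-has printer?"))
    # The printer answers; both MACs are now learned in VLAN 10.
    reply = sw.receive("g2", Frame(hr_printer, hr_pc, b"is-at"))
    # The guest PC addresses the HR printer by MAC: unknown in VLAN 20, so the
    # frame floods to VLAN 20 ports only and never reaches g2.
    guest = sw.receive("g3", Frame(guest_pc, hr_printer, b"print job"))
    return arp, reply, guest

if __name__ == "__main__":
    print(demo())   # (['g2'], ['g1'], ['g4'])
```

Reaching the printer from the guest VLAN would require a Layer 3 hop (a router or a Layer 3 switch with inter-VLAN routing), which is where the access rules between groups are enforced.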
Difference between optical TAPs and copper TAPs

A network test access point (TAP) is a simple device that connects directly to the cabling infrastructure to split or copy packets which can be used for analysis and security. It is a hardware component that connects into the cabling infrastructure to copy packets for monitoring purposes.

How TAPs work
Different TAPs support different network speeds and therefore different cable structures. The network TAP is fixed between the two endpoint devices and is connected directly to each of them. This enables the TAP to see and copy the traffic and offer simple network visibility solutions.

Simple steps on how to use a TAP

  • Place the TAP on a shelf or in a rack
  • Connect the cables (the correct ones)
  • Verify that it is working

TAPs are simple devices that run for years and are generally placed in secured locations. Once the traffic is tapped, the copy can be used for any sort of monitoring, security, or analytical use. TAPs can be standalone devices or integrated directly as a module inside a visibility node. In both cases, traffic is copied for monitoring, security, and analysis as the traffic continues to pass through the network unimpeded.

Optical splitters or Optical TAPs
Optical TAPs are made by connecting optical fibres. There is an optical splitter between the network ports. The splitter splits an optical stream into two paths. A portion of the light continues on to its original destination; the second path is directed to a monitor port. These TAPs are available in a wide variety of speeds and cable types. Cubro's optical TAPs have speeds of 1Gb, 10Gb, 40Gb and 100Gb.

Copper TAPs
A copper TAP can be used with any in-line copper network link, delivering permanent monitoring access ports. The copper TAP provides an out-of-band monitoring or security tool with all traffic, as if the tool were sitting in-line. The TAPs send copies of traffic, including Layer 1 and Layer 2 errors, from each side of the full-duplex network link to its respective monitor ports. Copper TAPs have the advantage that they have no IP addresses and are therefore not exposed to external attacks.

TAP failures
Most TAP failures are due to improper cabling. If the cables are mixed and matched incorrectly then the TAP will not work. Match each TAP to the cable type in use and never bend cabling beyond specifications. To make the usage simple, Cubro’s optical TAP has different coloured ports which make it easy for customers to use.

Cubro provides optical TAPs, Copper TAPs and aggregator TAPs which are designed to enable flawless in-line monitoring of 1G, 10G, 40G and 100G networks. These TAPs offer 100% visibility of link traffic to security and network monitoring tools. They are an extremely useful tool in drastically lowering the high costs associated with monitoring.

Scalability in Network Architecture

There has been a huge surge in network traffic and no industry is immune from being overwhelmed by data. Network visibility is a requirement for all industries ranging from financial corporations, telecom companies, shipping and logistics firms, to retailers, pharmaceuticals, insurance, government and healthcare. All are vulnerable to becoming constrained due to scalability issues.

With non-scalable tools, companies are limited by the number of switches and the architecture does not allow them to address all their network visibility concerns. As a result, they end up investing huge sums in changing their entire network architecture.

If a company’s existing network monitoring setup consists of a limited number of network TAPs feeding a monitoring switch, the system provides limited visibility and is not scalable. Such a system is also not capable of addressing regular microbursts in network traffic. Furthermore, the architecture generates substantial duplicate packets that the switch is not equipped to eliminate, creating challenges for monitoring. In such cases, when a company needs to install new TAPs and new port SPANs to accommodate network expansion, the old switch is not able to handle the load.

A scalable solution which offers multi-stage filtering, de-duplication and other features helps a network operate more efficiently. Customers can ease these problems by building scalable network monitoring solutions.

  • Tools that can intelligently aggregate data and precisely channel it to the appropriate monitoring tools without missing or dropping data, and which provide 100-percent visibility. Instead of using several TAPs, SPANs and tools, a scalable tool can provide 100 percent visibility of all data passing through it.
  • With a scalable solution, it is easy to add ports to handle the change in network traffic. Network expansion is easy to accommodate if there is room to add more ports. A solution that consists of small boxes with a low port count might serve a momentary need, but in the process of fixing one problem complexity has been added to the network.
  • As networks move from 1G to 10G speeds, and on to 40G and 100G speeds, data centres will need new hardware if the ports on their monitoring switches aren't able to handle the increase. This can cause network unavailability, which can lead to dropped packets and loss of visibility. Data centres need tools which provide an easy path to migrate to future high-speed technologies.

Scalability and simplicity seem to go hand-in-hand. An elegant, well-designed network architecture makes scalable network monitoring possible. Cubro’s network packet brokers enable cost-effective network traffic scaling. With these network packet brokers, customers benefit from cost-effectiveness, scalability, and flexibility. Cubro’s advanced NPBs offer centralized visibility architectures that ensure high performance, scalability, and advanced traffic optimization features.

Towards a more transparent network…

In recent years, the demand for network visibility tools has increased because they make existing monitoring tools work better and save costs for the users. Network Packet Brokers (NPBs) gather and aggregate network traffic from switch SPAN ports or network TAPs and then tap that traffic to enable the more efficient use of security and performance tools – in-line and/or passive. They make existing security and performance tools work better, enabling users to get more out of their investments and lengthen the life of these tools.

The growing complexity of enterprise networks has created a need for more effective solutions to the issues related to specific blind spots. Companies look for cost-efficient solutions that cater to their specific needs - high port density, agility, security, scalability and network visibility. As a result, instead of adding new monitoring tools which lead to higher costs, hours of configuration time and additional management complexities; the companies use NPBs which enable the migration to higher network speeds and increase the effectiveness of security and monitoring tools that are already in place.

Preventing failures is much more effective than repairing them, especially when it comes down to providing a reliable and secure data environment to customers. With proper visibility into your network, you can capture the data you need to prevent costly outages. NPBs provide comprehensive network visibility solutions for monitoring networks. The final goal of a visibility architecture is to be able to capture data smartly at regular intervals for troubleshooting or any other monitoring needs.

These days, organisations are boosting network speeds up to 10 Gbps and higher, but have already invested significantly in security and monitoring tools that only work at 1 Gbps. This is another reason that NPBs are necessary, as their load balancing capabilities provide for even distribution of packets from a single high-speed link to less expensive or pre-existing tools designed for lower throughput.

Cubro is among the leading vendors of TAPs and Network Packet Brokers (NPBs) and is a partner to the world's largest telecommunication companies and enterprises, with installations on all continents. Our mission is to provide simple, flexible and reliable network visibility solutions to our customers. We successfully tailor our products to meet the exact requirements of customers and offer excellent technical support at all stages.

Types of Cubro Network TAPs

Cubro's wide range of network TAPs includes Optical TAPs, BIDI (bidirectional) TAPs, Flex TAPs, Copper TAPs, Converter TAPs and Aggregation TAPs. Here's a brief introduction to the different kinds of TAPs:

Optical TAPs are used to connect a monitoring tool to the network without affecting the network link and performance by moving cables and interrupting traffic. These TAPs are completely passive, so even if the TAP loses power, it fails-open to ensure traffic continuity. Optical TAPs provide 100% visibility because they pass 100% of all network traffic without introducing bottlenecks or points of failure into your network design.

BIDI TAPs are fibre TAPs designed for use in Cisco 40G BIDI networks, specifically Application Centric Infrastructure (ACI). BIDI transceiver technology utilizes multiple wavelengths within a single cable so the standard fibre TAP technology will not work.

Flex TAPs are built using fibre-optics and deliver 100% visibility into network traffic and permanent, passive access points while preserving top network performance. Flex TAPs allow a user to effectively monitor network performance, avoiding issues of degradation and disruption. These TAPs are compatible with all protocols and monitoring devices and can be deployed at any in-line connection on the network without increasing overhead or management workflows.

Copper TAPs (Cubro Copper 10/100/1000 TAPs) allow the uninterrupted passage of full duplex data over standard Category 5/6 copper network cables. The TAPs duplicate network signals, including any existing physical errors, to the transmit-only monitoring ports. They feature auto-negotiation between 10Mbps, 100Mbps and 1000Mbps. The TAPs can also work as converter TAPs in Gbit mode and convert copper signals to optical signals.

Converter TAPs have been developed based on the latest PHY chips. The TAPs are also converter TAPs because the output ports are SFP, so the user can select which media they want by changing the SFP. There are also some special add-ons available - PoE powered and PoE transparent. With these advanced options, it is possible to look into the physical details and change some parameters for faster recovery.

Aggregation TAPs are new intelligent TAPs for network data packets that feature high port density, diversified operation modes, flexible deployment and easy management and maintenance. With excellent adaptability to various network environments, the TAPs can provide telecommunication data for IDS, Network Protocol Analyser and Signalling Analyser in real-time as needed.

Encrypted traffic SSL - Why does network visibility matter for enterprises?

SSL-encrypted traffic is a fast-growing portion of all enterprise traffic. According to several research studies, approximately 25 to 35 percent of all enterprise traffic is encrypted in SSL and this number is growing. In many networks, half of all internet-bound traffic is already encrypted (mostly HTTPS) and it is likely that more than three-quarters of network traffic will be encrypted within the next couple of years. With an increasing number of advanced threats hiding in SSL traffic, it is more important than ever to monitor and manage encrypted traffic in an enterprise. Decrypting/inspecting SSL traffic has created a number of challenges for security and networking teams in enterprises.

What is SSL?
SSL stands for Secure Sockets Layer. It is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. SSL traffic is increasing because it is encrypted traffic and prevents criminals from reading and modifying any information transferred. The two systems can be a server and a client (for example, a shopping website and a browser) or server to server (for example, an application with personally identifiable information or with payroll information).

It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. The information in question could be anything sensitive or personal, including credit card numbers, telephone numbers and other financial information, as well as names and addresses.

Challenges due to encrypted SSL traffic
Decrypting/inspecting SSL traffic has created a number of challenges for security and networking teams in enterprises. SSL-based malware entering a network can easily go undetected and exploit a host or series of hosts. And since the traffic is invisible, it is not possible for an enterprise to know how much traffic is encrypted on the network on any given day. As a result, it is not easy to know if the monitoring tools are handling all traffic. SSL decryption is required for data loss prevention and application performance monitoring.

Cubro Solution
Cubro Sessionmaster EXA Series is the next development stage of Cubro's product line of network packet brokers, adding the ability to deliver SSL/TLS decryption to various in-line and out-of-band monitoring and security tools. The Sessionmaster helps maximize the overall efficiency, security and performance of the network infrastructure. Due to the sensitivity of the data involved, the SSL decryption capabilities in Sessionmaster provide the ability to selectively decrypt traffic based on policies using a variety of parameters, including IP address, ports, VLAN tags, domain names and URL categories.

What is IMSI Filtering?

IMSI Filtering with Cubro Sessionmaster
The International Mobile Subscriber Identity (IMSI) number is central to identifying users on a carrier network. It is a unique number that is assigned to a cell phone or mobile device to identify it on the GSM or UMTS network. Typically, the IMSI number is stored on the SIM card of the mobile device and is sent to the network as required. An IMSI number is 15 digits long, and includes the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Station Identification Number (MSIN).

Why do we need IMSI Filtering?
IMSI is used to identify the user of a cellular network and is exchanged in GTP-control (GTP-C) sessions. GSC keeps track of the IMSIs that a mobile provider is interested in monitoring and correlates these to the corresponding data/user-plane sessions for the subscriber and/or group of subscribers. IMSI filtering is used for the following reasons:

  • To reduce the load on monitoring equipment
  • To prevent VIP and classified customers from being monitored
  • Either for small scale monitoring or to capture a single subscriber with Wireshark or similar tools

The challenge faced in IMSI filtering is the high load and the fact that, depending on the network design and technology used (2G/3G/4G), the IMSI is not present in every packet. The IMSI is typically carried on a different logical and physical interface from the user-plane traffic it must be matched against. To make IMSI filtering possible, aggregation, load balancing, session correlation and filtering functions must be combined.

The Cubro Sessionmaster can provide all these functions in one box. This solution handles up to 100 Gbit and up to one million IMSIs in the filter list (white-list).
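As an added example (not Cubro code), the IMSI decode and white-list step described above, written in Python: the IE layout follows 3GPP TS 29.274, the sample IE bytes and white-list are constructed, and the session-key correlation is a deliberate simplification of what a real correlator must track across control-plane messages.

```python
"""Decode the IMSI from a GTPv2-C IMSI IE and apply a subscriber white-list.
Added example, not Cubro code; IE layout per 3GPP TS 29.274, sample bytes constructed."""
import struct

IE_IMSI = 1   # GTPv2-C IE type carrying the IMSI, TBCD-encoded (swapped nibbles, 0xF padding)

def decode_tbcd(data: bytes) -> str:
    """Telephony BCD: the low nibble holds the earlier digit; 0xF pads an odd digit count."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)

def parse_ies(payload: bytes):
    """Yield (type, instance, value) per IE: 1-byte type, 2-byte length, 1-byte spare/instance."""
    off = 0
    while off + 4 <= len(payload):
        ie_type, length, inst = struct.unpack_from("!BHB", payload, off)
        value = payload[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated IE")
        yield ie_type, inst & 0x0F, value
        off += 4 + length

def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """MCC is 3 digits; MNC is 2 or 3 digits depending on the operator; the rest is the MSIN."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15 and mnc_len in (2, 3)):
        raise ValueError(f"invalid IMSI {imsi!r}")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

def imsi_from_gtpc(payload: bytes):
    """Return the IMSI from a GTP-C IE list, or None (most messages do not carry one)."""
    return next((decode_tbcd(v) for t, _i, v in parse_ies(payload) if t == IE_IMSI), None)

def whitelist_decision(payload: bytes, session_key: int, whitelist: set, sessions: dict) -> str:
    """Forward listed subscribers only; VIP or classified IMSIs are simply kept off the list.
    session_key ties messages of one session together (simplified: a real correlator has to
    follow TEIDs across request/response and into the user plane)."""
    imsi = imsi_from_gtpc(payload)
    if imsi is not None:
        sessions[session_key] = imsi          # remember it for later messages without an IMSI
    return "forward" if sessions.get(session_key) in whitelist else "drop"

# Constructed sample: IMSI IE for 262011234567890 followed by a Recovery IE (type 3, value 5)
SAMPLE = bytes.fromhex("0100080062021132547698f00300010005")
WHITELIST = {"262011234567890"}
```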

Mobile Network Monitoring Using a Probe

A monitoring probe is used to monitor an LTE network. A probe is a device which can decode the traffic from the network and produce metadata records (XDRs, extended data records). The probe is connected via network TAPs and aggregation devices (Network Packet Brokers) to the different interfaces of the network. These interfaces should be logically and physically different to get a full view of the network traffic. All these different interfaces are analysed by a probe, and the resulting records are sent to a database. The database must be very powerful in terms of processing and storage in order to handle the huge amount of data. Such a system produces, even on a mid-size network, terabytes of data, which means a billion records per day. Typically, such a monitoring probe covers layer 5 to layer 7 in the OSI stack. Mobile network monitoring provides protocol traces, call statistics, CDRs, information on bandwidth utilization and many KPIs.

Why is monitoring required?

Real-time response to issues in the network is a key factor in attaining customer satisfaction. This can be achieved by network monitoring because it makes the network visible and enables network engineers to detect abnormalities. Monitoring is important to networks, and this data can be used for several applications such as:

  • Improving customer satisfaction
  • Network planning, trouble shooting and dimensioning
  • Detecting fraud and security related issues
  • Performance measurement:
    • SLA against Customers
    • SLA against other providers
    • SLA against network vendors

A well-functioning monitoring system can save a lot of money and help improve performance. Mobile network monitoring is vital because all mobile operators want to maintain a superior quality of service.

Difference between Cubro Mobile Probe and FlowVista Probe

The Cubro Probe is a passive device which receives network traffic from TAPs and Network Packet Brokers (NPBs) and extracts metadata. Cubro Probes can analyse and process network business and signalling traffic in real time. The probe correlates this decoded information and generates XDRs (extended data records), which are sent to a database system where they are stored and presented by an application; such systems are typically called monitoring systems. Each Cubro Probe can be customized based on customer needs.

The three main differences between the two types of Probes – the Mobile Probe and the FlowVista Probe – are based on the type of traffic handled, the output format and the depth of decoding.

Mobile Probe

  • The Mobile Probe is designed exclusively for mobile networks because of its specific interfaces. This probe cannot be used for other networks, or in, for example, a data centre.
  • The output is in our proprietary XDR format and the user needs Cubro software to collect the data. However, our approach is open and if a customer does not want to use our software to collect the data, we can discuss options which allow the customer to develop their own software.
  • The Mobile Probe decodes the signalling traffic to L7 and correlates the protocols to provide full output to the user. User-plane traffic is also decoded to layer 5 or 6. For example, you are able to tell if a user is using Skype or WhatsApp, but you cannot see or analyse the content.

FlowVista Probe

  • FlowVista Probe can be used in all networks, including data centres, enterprises and more, and also in a mobile network on specific interfaces (Gi and Gn).
  • FlowVista Probe produces NetFlow v9 CDRs, which is a standardized format.
  • FlowVista Probe decodes the transport information up to L4 and can also do deep packet inspection (DPI). Looking into the network traffic you see a lot of HTTP and HTTPS traffic (L4), and DPI finds the applications which are transported inside HTTP, for instance Skype, WhatsApp, Telegram and many more (more than 1000 different varieties).

Features and Benefits of the Cubro Sessionmaster

The Cubro Sessionmaster filters and modifies traffic up to layer 7 (application layer) of the OSI model. The Sessionmaster works with network processors, which are highly optimized processors for handling network traffic. Compared to legacy processors, many network-related functions are implemented in the hardware of the network processors, so the Sessionmaster can process a large amount of data.

The maximum load on the Sessionmaster is 400 Gbit/sec. The other advantage of the Sessionmaster is the number of rules it can accommodate (up to one million) and the very fast rule change rate (up to 12000 rule updates per second). The Cubro Sessionmaster can be used as an endpoint device or in-line.

Sessionmaster features

  • Powerful Network Protocol Identifying
    • IPv4/IPv6, TCP/UDP/SCTP, HTTP, L7, etc
    • Gn/IuPS, S11, S1-MME/S1-U/S6a, etc
  • Ultra-detailed Traffic
    • IPv4/IPv6 5-tuple, LTE/3GPP 5-tuple inside the tunnel, supporting mask/range
    • IP 7-tuple (destination IP, source IP, destination port, source port, protocol, input port, VLAN ID)
  • Classification
    • Keywords; keywords + 7-tuple rules to facilitate detailed classifications
    • Gn, S1-MME, S11, S6a, S1-U, etc protocols in PSC/EPC
  • Traffic Classification Rule
    • 8 groups of 7-tuple ACL rules, each group containing 2048 IPv4 rules and 2048 IPv6 rules
    • 64 groups of keyword rules, each group containing up to 128 keywords
    • 2048 extensible IP rules
    • Millions of accurate 5-tuple rules (non-range and non-mask)
    • Real-time rule configuration and updating
  • Packet Processing
    • Time stamping, ns-level
    • Slicing
    • Replication
    • IP fragment reassembling
    • VLAN tag adding or deleting
    • Identifying GTP upstream and downstream traffic
    • GRE/GTP/MPLS header stripping
    • Packet order preserving
    • 4 GB data burst buffering
  • Filter on the inner IP addresses in any kind of non-encrypted tunnel, such as GTP, GRE, VXLAN, GENEVE, and so on.
  • Session and Service based load balancing (inner IP in a tunnel)
  • Filter on protocol flags for advanced troubleshooting; it is possible to match on any byte within the packet.
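As an added example (not Cubro code), the "GTP header stripping" and "filter on the inner IP addresses in a tunnel" features from the list above, in Python: the GTP-U header layout follows 3GPP TS 29.281, and the sample packet and ACL rules are constructed.

```python
"""Strip a GTPv1-U header and match the inner IPv4 5-tuple against ACL rules (added example, not Cubro code)."""
import struct
from ipaddress import IPv4Address, ip_address, ip_network

GTPU_GPDU = 0xFF  # G-PDU message type: the payload is a subscriber IP packet

def strip_gtpu(pkt: bytes):
    """Return (teid, inner_ip_packet), skipping the optional seq/N-PDU/extension headers."""
    flags, msg_type, length, teid = struct.unpack_from("!BBHI", pkt, 0)
    if flags >> 5 != 1 or msg_type != GTPU_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    off = 8
    if flags & 0x07:              # E, S or PN flag set: 4 optional bytes follow the header
        next_ext = pkt[off + 3]
        off += 4
        while next_ext:           # extension headers chain until next-type == 0
            ext_len = pkt[off] * 4
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return teid, pkt[off:8 + length]

def inner_5tuple(ip: bytes):
    """Parse the inner IPv4 header (plus TCP/UDP ports) into (src, dst, proto, sport, dport)."""
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    sport = dport = None
    if proto in (6, 17):          # TCP or UDP: ports sit right after the IP header
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, proto, sport, dport

def match_rule(rule: dict, t) -> bool:
    """Every key is optional; src/dst are CIDR networks, so a rule can express a mask or range."""
    src, dst, proto, sport, dport = t
    return (("src" not in rule or ip_address(src) in ip_network(rule["src"])) and
            ("dst" not in rule or ip_address(dst) in ip_network(rule["dst"])) and
            ("proto" not in rule or proto == rule["proto"]) and
            ("dport" not in rule or dport == rule["dport"]))

def filter_gtpu(pkt: bytes, rules: list) -> str:
    """Strip the tunnel header, then return the action of the first matching rule (default drop)."""
    t = inner_5tuple(strip_gtpu(pkt)[1])
    return next((r["action"] for r in rules if match_rule(r, t)), "drop")

# Constructed sample: G-PDU with S flag (seq 1), TEID 0x12345678, carrying IPv4/UDP 10.45.0.7 -> 8.8.8.8:53
INNER = bytes.fromhex("4500001c00004000401100000a2d000708080808c001003500080000")
SAMPLE = struct.pack("!BBHIHBB", 0x32, 0xFF, 4 + len(INNER), 0x12345678, 1, 0, 0) + INNER
RULES = [{"src": "10.45.0.0/16", "proto": 17, "dport": 53, "action": "forward"}]
```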