Layer 1 tapping
A network TAP gives access to network traffic without interfering with the original traffic or losing information. It mirrors the traffic that passes between two network nodes. The purpose of tapping is to make monitoring efficient. Depending on the physical situation and speed requirements (from very slow 2 Mbit up to very fast 100 Gbit links), optical or copper interfaces can be chosen. A network link (connection) has two directions, which means that for a 100 Gbit link, the user has to handle up to 200 Gbit. The major challenge in tapping a network is not interfering with the original traffic. Because of this, it is necessary to choose a tool that is built with a deep knowledge of layer 1. Several customers have been using Cubro’s layer 1 solutions for over a decade.
Steering of traffic
Cubro’s network visibility tools are capable of routing the content in many ways. The tools are passive and are deployed in-line behind TAPs. They can be used with or without bypass protection. Steering includes content routing, load balancing and traffic tunnelling. Cubro supports all major tunnel techniques including VLAN, MPLS, GRE, NVGRE, GENEVE and VXLAN. TAP networks today can be very complex, as there are often several packet brokers involved. Cubro has systems with more than 1000 ports.
Filtering in all OSI layers
Filtering reduces the traffic load on security tools and is therefore needed to support monitoring applications. Cubro can filter in all 7 layers depending on the equipment. This capability helps the user to save money because only the relevant traffic needs to be monitored and collected. Cubro network packet brokers support thousands of filters, from 2000 in the smallest unit up to 1 million in the biggest. The number of filters has no impact on the performance of the unit. This application helps get more visibility and security with less monitoring and security tool capacity.
Often specific traffic must be forwarded to specific devices. Distributing traffic load per device by sending it to different probes or appliances in order to scale the monitoring is an important feature of Cubro network packet brokers. Cubro products can help to offload the analysing devices with their filter (separation) capabilities.
Aggregation and filtering with Cubro Packetmaster EX2
The EX2 is connected to several devices, for instance, SPAN ports. The traffic from various sources can be aggregated into one stream to a monitoring device. This application reduces the overhead associated with each transmission. The appliances can be set up to share the traffic load by load balancing and even filtering the data. This means that only the traffic of interest is sent out to the appliances, which minimizes the possibility of oversubscribing the 1GbE monitor ports. The EX2 prevents tool oversubscription by pre-filtering traffic.
Load balancing traffic up to multiple 100 G
Load balancing is vital because analysing and capturing devices are only capable of handling a certain amount of traffic. Cubro network packet brokers reduce the latency reported to the attached network monitoring tools and help to load balance the traffic to several devices which share the load. The load balancing is flexible and supports many ports.
Session-aware load balancing
Session-aware load balancing is supported on all Cubro G4 Packetmasters at no extra charge. In addition, 10 LB groups with 16 ports are also supported. Session-aware load balancing is a mechanism that interchanges the source and destination addresses to ensure that bidirectional traffic specific to a particular source and destination address pair flows out of the same member of a trunk group.
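The following is an added example, not Cubro code, showing why the interchange matters for a security tool that must see both directions of a session. It assumes a 5-tuple key (the page mentions only addresses) and uses SHA-256 as a stand-in for the device's hash, which the page does not describe; all function names and the sample flows are constructed for illustration.

```python
import hashlib
import ipaddress

def _bucket(key: bytes, n: int) -> int:
    # Assumption: SHA-256 stands in for the hardware hash function.
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n

def _endpoint(ip: str, port: int) -> bytes:
    return ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")

def naive_member(pkt, n):
    """Hash the fields in wire order: each direction hashes differently."""
    src, sport, dst, dport, proto = pkt
    return _bucket(_endpoint(src, sport) + _endpoint(dst, dport) + bytes([proto]), n)

def session_member(pkt, n):
    """Interchange source and destination into one canonical order, then hash."""
    src, sport, dst, dport, proto = pkt
    lo, hi = sorted((_endpoint(src, sport), _endpoint(dst, dport)))
    return _bucket(lo + hi + bytes([proto]), n)

def reverse(pkt):
    """The same session seen in the opposite direction."""
    src, sport, dst, dport, proto = pkt
    return (dst, dport, src, sport, proto)

def split_sessions(flows, chooser, n):
    """Count sessions whose two directions leave on different group members."""
    return sum(1 for f in flows if chooser(f, n) != chooser(reverse(f), n))

# Constructed sample: 200 TCP clients talking to one HTTPS server.
FLOWS = [(f"10.0.0.{i + 1}", 40000 + i, "192.0.2.10", 443, 6) for i in range(200)]
GROUP_SIZE = 16  # the page mentions LB groups with 16 ports

if __name__ == "__main__":
    print("split sessions, wire-order hash:", split_sessions(FLOWS, naive_member, GROUP_SIZE))
    print("split sessions, session-aware:  ", split_sessions(FLOWS, session_member, GROUP_SIZE))
```

A split session means an IDS or probe on one port sees only requests and another sees only replies, so stream reassembly and stateful detection fail on both.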
Packet slicing at 100 Gbit line rate
Cubro offers a packet slicing option with CRC recalculation on multiple 100 Gbit traffic streams per unit. The EXA32100 is the only multiple 100 Gbit Network Packet Broker which supports packet slicing at line rate on all 100 Gbit interfaces. There are three options for slicing: 64, 128 and 256 bytes. This feature can be configured on any output port, and it supports dual-stack IPv4 and IPv6.
The significant advantage of packet slicing at such performance is getting the maximum out of your monitoring tools. This application reduces the load by a factor of 10, which implies that a 100 Gbit tool can handle 1 TB traffic. Another benefit is that this is done in the silicon and not on an attached CPU, which makes it deterministic and prevents jitter and packet drop.
Reduce monitoring cost and increase tool efficiency with Cubro EXA32100 and EXA48600. We provide the best value product to fit your need.
Packet slicing refers to cutting off the payload of an Ethernet packet for monitoring purposes. This can be a requirement for saving bandwidth and capture space on disk. The other reason is security: where customer payload must be protected during monitoring, packet slicing is necessary. Typically, packet slicing is an expensive add-on in an NPB with reduced bandwidth because it is realized with NPU processors. 100 Gbit links are used as connections between data centres or core networks, which means that these links are heavily loaded, usually with symmetric traffic. This means that even a half-loaded link cannot be aggregated. The only way to aggregate such links is to use packet slicing to reduce the total bandwidth.
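Packet slicing with CRC recalculation, as described above, sketched in software as an added example (not Cubro's implementation, which runs in silicon). It assumes the 64/128/256-byte slice length counts the whole frame including the 4-byte FCS; the sample frame and all names are constructed.

```python
import struct
import zlib

SLICE_SIZES = (64, 128, 256)  # the three slice options the page lists
FCS_RESIDUE = 0x2144DF1C      # CRC-32 over any frame plus its valid FCS

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame body, least significant byte first."""
    return struct.pack("<I", zlib.crc32(body))

def fcs_valid(frame: bytes) -> bool:
    return len(frame) > 4 and zlib.crc32(frame) == FCS_RESIDUE

def slice_frame(frame: bytes, size: int, recalc: bool = True) -> bytes:
    """Cut a frame to `size` bytes on the wire (assumed to include the FCS)."""
    if size not in SLICE_SIZES:
        raise ValueError(f"slice size must be one of {SLICE_SIZES}")
    if len(frame) <= size:
        return frame                      # short frames pass through untouched
    body = frame[: size - 4]
    # Without recalculation the old FCS no longer matches the shortened body,
    # so a receiver that checks the FCS counts the frame as a CRC error.
    return body + (fcs(body) if recalc else frame[-4:])

# Constructed sample: Ethernet header + 40 zeroed bytes standing in for
# IPv4/TCP headers + 1020 bytes of payload the monitoring tool should not see.
HEADERS = bytes.fromhex("020000000002" "020000000001" "0800") + bytes(40)
PAYLOAD = b"customer-payload " * 60
FRAME = HEADERS + PAYLOAD + fcs(HEADERS + PAYLOAD)

if __name__ == "__main__":
    for size in SLICE_SIZES:
        out = slice_frame(FRAME, size)
        print(size, len(out), fcs_valid(out), f"{len(FRAME) / len(out):.1f}x smaller")
```

The headers survive intact, so flow accounting and header-based detection still work on the sliced stream, while the 128- and 256-byte options trade some payload exposure for deeper protocol visibility.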
Bypass Application with EX12
A bypass is a hardware device that provides a fail-safe access port for an in-line active security appliance. The EX12 monitors the health of the active, in-line appliance by sending heartbeats to the in-line security appliance. As long as the in-line security appliance is online, the heartbeat packets will be returned to the EX12, and the link traffic will continue to flow through the in-line security appliance. This function also works on the copper ports with a copper hardware switch. It allows the in-line appliance to be removed or serviced without impacting network traffic.
The EX Series can be connected directly to a live copper link 10/100/1000 without TAPs. The user can set up filters and send the traffic out to the 4 x 10/100/1000 Mbit interfaces. This traffic is small enough to be captured with a standard laptop. This function also allows for the traffic to be removed and inserted in the live links.
The EX Series can also work as a media converter from:
- Copper to Fiber 1 Gbit
- Copper to Fiber 10 Gbit
- Fiber 10 Gbit (SM) to Fiber 10 Gbit (MM), 40 Gbit, 100 Gbit, etc.
Monitoring and troubleshooting
The Packetmaster EX48400 supports 4500 layer 4+ filters. These filters can be used to redirect a small portion of the traffic to a low-end (in terms of bandwidth) monitoring tool like a PC with Wireshark. The filtered traffic can be used to troubleshoot routing issues on a 100 Gbit link. It is also possible to feed several monitoring probes with specific traffic.
Monitoring and troubleshooting are a vital part of maintaining and running networks. Growing traffic and an increasing number of applications have made filtering an important feature for troubleshooting. Cubro offers smart filtering in any OSI layer at line rate up to 100 Gbit; it is session-aware and application-aware in layer 7.
Filtering – 4500 Flow Rules
A total of 4500 flow rules (filters) can be set in the unit. The fields marked with a red dot can be used as a match for a packet, either alone, combined or with wildcards. For IPSrc and IPDst, supernets are supported.
Available actions after a positive match include –
- Send out: to one or more ports; it is even possible to send it back out through the input port
- Drop: delete the specific packet
- Modify: modify specific fields in the matched packets: VLAN, MPLS, MAC SRC, MAC DST, PORT, VLAN Priority and many more
- Add VLAN: the unit can tag a VLAN on the input to separate the traffic after aggregation
- Strip VLAN: VLAN can be removed, Q-in-Q is supported
- Add MPLS: add an MPLS tag to a matched packet
- Strip MPLS: remove an MPLS tag from a matched packet
- Stacking of rules: this function makes it possible to generate very complex filter rules
This function allows the user to select the media by changing the SFP. The unique design also supports CWDM / DWDM and BIDI SFP.
EXA8 as a Netflow Probe
The EXA8 has another interesting application. The appliance can work as a Netflow probe in combination with a 4-link aggregator plus TAP (in-line feature). The unit can work in-line because the integrated TAPs help to protect the live link in case of a power outage. The EXA8 can also aggregate the tapped links and produce Netflow CDRs to forward them to a Netflow collector.
The advantage of this solution is the combination of three features (tapping, aggregation and probing) in one small, lightweight unit. The unit is easy to install and maintain. The EXA8 offers more features and better performance at a lower price.
Conversion of traffic
The user can convert traffic into a usable form, on a physical level: from copper to fibre interfaces or vice versa. The application also enables a user to convert bandwidth from 10 to 1 Gbit. The user can convert or modify the traffic so that the tools can handle it, removing tunnels or removing labels like VLAN and MPLS.
With the 10 Gb ports on the EXA products, it is possible to convert the traffic from a Mobile Core Network to 1 Gb so that a conventional PC with Wireshark can be used. The 10 Gb traffic can be converted to 1 Gb and also filtered down to one specific mobile user for capture by the tool.
Amplification for monitoring
It is common to use optical splitters to monitor the traffic in a network, but a splitter also reduces the optical power on the active link. This can cause transmission problems, especially in multimode networks with higher bandwidths (10 Gbit). A Cubro Media Converter 10 G for amplification can help solve this problem.
Layer 7 Filtering for troubleshooting
VoLTE SIP filtering (with S1-MME/S1-U interface input)
VoLTE RTP/RTCP filtering (with S1-MME/S1-U interface input)
This application helps to troubleshoot VoLTE traffic in a mobile network. It is available on all EXA models.
Deep Packet Inspection (DPI)
Typical firewalls on your routers read only the labels or headers on the data packets of Internet traffic. Deep Packet Inspection looks beyond the header information of the Open Systems Interconnection (OSI) reference model to inspect the payload of the packet in the application layer.
Layer 7 is the application layer that contains the actual messages. The inspection strips off the headers and can identify the program or service being used. Further, the packet analysis happens in real time, which avoids any delay in data traffic.
With a DPI application, the user can filter and analyse messages, open and close ports, perform in-line spam screening, eliminate attacks against the BIOS, ward off secure socket layer sniffing and perform SSL session inspections.
Simple DPI Integration – IMSI Based LB
Mixed traffic (including S1-MME/S11/S6a/S1-U)
- EXA40(1): Auto Study for eNB/xGW IP address from S1MME, LB traffic to EXA40D
- EXA40D (1): Processing control plane traffic and get correlation meta data, then send meta data to EXA40 (2), and output control plane traffic by IMSI
- EXA40D (2): Correlation user plane and control plane meta data, then output user plane traffic by IMSI
- EXA40 (2): Aggregate output traffic from EXA40D(1)/(2) by IMSI based VLAN (same IMSI has same VLAN tag)
- EXA40D (1): 80Gbps/U (40G per CPU, 2x)
- EXA40 (2): 5~6Gbps/U (Control plane decoding only)
Mixed traffic (including S1-MME/S11/S6a/S1-U)
When the future traffic to be load balanced is in the range of 100GE, we can upgrade:
- EXA48 (Position 1) to EX32100 (32x100G)
- EXA40D (Position 1 and 2) to EXA24160 (each unit can handle 120G+ user plane traffic and 10G control plane traffic)
- By EX32100, we can connect up to 32 EXA24160 nodes for 2.4T traffic and have 20xEXA24160 (to replace EXA40D (2)) to process user plane and 12xEXA24160 (to replace EXA40D (1)) to process control plane traffic.
- The final output traffic can use EX32100/EX48600 combination to many 10G/40G end points
Leading Innovation: Cubro offers NPBs with P4 support
The EX32100 and EX48600 are the first NPBs in the market with P4 support. P4 is a programming language for silicon. With the help of P4, it is possible to add functions to silicon, which is impossible in an ASIC. This results in higher performance compared to FPGA. For example, we add extended MPLS features to the unit to support the following MPLS removal actions:
Ethernet | MPLS | IPv4 | payload
Ethernet | MPLS | IPv6 | payload
Ethernet | MPLS | MPLS | payload
Ethernet | MPLS | MPLS | Ethernet | payload
Ethernet | MPLS | MPLS | MPLS | MPLS | payload
Ethernet | MPLS | XXXX | payload
Removing MPLS tags is difficult because the layer 2 header must be stored while the MPLS tags are cut, and then the layer 2 header must be restored. The silicon currently on the market cannot support more than two tags, and as wildcard MPLS removal is not possible, the tag which should be removed must be known in advance.
The Cubro solutions support up to 4 MPLS tags and wildcard removal up to multiple 100 Gbps performance.
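The store, cut and restore sequence described above, written out in software as an added example (not Cubro's P4 program). It is narrowed to untagged frames whose MPLS payload is IPv4 or IPv6, detected from the first nibble after the bottom-of-stack label; the Ethernet-in-MPLS case from the list is rejected here. Function names and sample frames are constructed.

```python
import struct

ETH_MPLS, ETH_IPV4, ETH_IPV6 = 0x8847, 0x0800, 0x86DD
MAX_LABELS = 4  # the page states that up to 4 MPLS tags are supported

def parse_labels(frame: bytes):
    """Return (label values, payload offset) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != ETH_MPLS:
        return [], 14
    labels, off = [], 14
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack_from("!I", frame, off)  # label:20 TC:3 S:1 TTL:8
        labels.append(entry >> 12)
        off += 4
        if entry & 0x100:                 # S bit set: bottom of stack reached
            return labels, off
        if len(labels) == MAX_LABELS:
            raise ValueError("more than 4 labels in stack")

def strip_mpls(frame: bytes) -> bytes:
    """Wildcard removal: no label value has to be known in advance."""
    labels, off = parse_labels(frame)
    if not labels:
        return frame                      # not MPLS, forward unchanged
    if off >= len(frame):
        raise ValueError("no payload after label stack")
    ethertype = {4: ETH_IPV4, 6: ETH_IPV6}.get(frame[off] >> 4)
    if ethertype is None:
        raise ValueError("payload is not IPv4 or IPv6")
    # Keep the stored MAC addresses, cut the stack, restore a correct EtherType.
    return frame[:12] + struct.pack("!H", ethertype) + frame[off:]

MACS = bytes.fromhex("020000000002" "020000000001")  # constructed addresses

def build(labels, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet | MPLS x len(labels) | payload."""
    last = len(labels) - 1
    stack = b"".join(struct.pack("!I", (lbl << 12) | (0x100 if i == last else 0) | 64)
                     for i, lbl in enumerate(labels))
    return MACS + struct.pack("!H", ETH_MPLS) + stack + payload

if __name__ == "__main__":
    frame = build([16, 17, 18, 19], b"\x60" + bytes(39))
    print(parse_labels(frame)[0], "->", strip_mpls(frame)[12:14].hex())
```

Monitoring tools that cannot decode label stacks often misclassify or ignore such traffic, which is why restoring a correct EtherType after the cut matters as much as removing the labels.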