TAPs provide access to monitoring packets. They pass network traffic without introducing any bottlenecks or points of failure. Therefore, the user gets access to network traffic without interfering with the original traffic or losing information. Tapping is recommended for monitoring and lawful interception. Depending on the physical situation and speed requirements (from very slow 2 Mbit up to very fast 100 Gbit links), optical or copper interfaces can be chosen. A network link (connection) has two directions, which means that for a 100 Gbit link, the user has to handle up to 200 Gbit. TAPs do not introduce delay, nor alter the content or structure of the data. It is necessary to choose a tool which is built with a deep knowledge of layer 1. Cubro provides optical and copper TAPs in single mode and multi-mode fibres.
The network packet brokers are capable of redirecting traffic in many ways to the appropriate service for optimization and management of that traffic type. The tools are passive and are deployed in-line behind TAPs. They can be used with or without bypass protection. Steering includes load balancing and traffic tunnelling. Cubro supports all major tunnel techniques including VLAN, MPLS, GRE, NVGRE, GENEVE and VXLAN. TAP networks today can be very complex, as there are often several packet brokers involved. Cubro has systems with more than 1000 ports.
Filtering is another major solution needed to support monitoring applications. Cubro can filter in all 7 layers depending on the equipment. This capability helps the user to save money because only the relevant traffic needs to be monitored and collected. Cubro NPB supports thousands of filters from 2000 in the smallest unit up to 1 million in the biggest. The number of filters has no impact on the performance of the unit.
Often specific traffic must be forwarded to specific devices. Cubro products can help to offload the analysing devices with their filter (separation) capabilities.
Aggregation and filtering
The EX2 is connected to several devices, for instance, span ports. The traffic from various sources can be aggregated to one stream to a monitoring device. This application reduces the overhead associated with each transmission. The appliances can be set up to share the traffic load by load balancing and even filtering the data. This means that only the traffic of interest is sent out to the appliances, which minimizes the possibility of oversubscribing the 1GbE monitor ports.
Load balancing up to multiple 100 G
Load balancing is vital because analysing and capturing devices are only capable of handling a certain amount of traffic. Cubro helps to load balance the traffic to several devices which share the load. This load balancing is very flexible and supports many ports.
Symmetric load balancing
Symmetric load balancing, or session-aware load balancing, is supported on all Cubro G4 Packetmasters at no extra charge. In addition, 10 LB groups with 16 ports are also supported. Symmetric load balancing is a mechanism that interchanges the source and destination addresses to ensure that bidirectional traffic, specific to a particular source and destination address pair, flows out of the same member of a trunk group.
The EX Series can be connected directly to a live copper link 10/100/1000 without TAPs. The user can set up filters and send the traffic out on the 4 x 10/100/1000 Mbit interfaces. This traffic is small enough to be captured with a standard laptop. This function also allows for the traffic to be removed and inserted in the live links.
The EX Series can also work as a media converter from:
- Copper to Fibre 1 Gbit
- Copper to Fibre 10 Gbit
- Fibre 10 Gbit (SM) to Fibre 10 Gbit (MM), 40 Gbit, 100 Gbit, etc.
Monitoring and troubleshooting
The Packetmaster EX48400 supports 4500 layer 4+ filters. These filters can be used to redirect a small portion of the traffic to a low end (in terms of bandwidth) monitoring tool like a PC with Wireshark. The filtered traffic can be used to troubleshoot routing issues on a 100 Gbit link. It is also possible to feed several monitoring probes with specific traffic.
Monitoring and troubleshooting is a vital part of maintaining and running networks. Growing traffic and increasing number of applications have made filtering an important feature for troubleshooting. Cubro offers smart filtering in any OSI layer with an in-line rate up to 100 Gbit; it is session-aware and application-aware in layer 7.
Filtering – 4500 Flow Rules
A total of 4500 flow rules (filters) can be set in the unit. The fields marked with a red dot can be used as a match for a packet, either alone, combined or with wildcards. For IP Src and IP Dst, supernets are supported.
Available actions after a positive match include –
- Send out : to one or more ports; it is even possible to send it back out through the input port
- Drop : delete the specific packet
- Modify : modify specific fields in the matched packets, VLAN, MPLS, MAC SRC, MAC DST, PORT, VLA, Priority and many more.
- Add VLAN : the unit can tag a VLAN on the input to separate the traffic after aggregation
- Strip VLAN : VLAN can be removed, Q in Q is supported
- Add MPLS : add an MPLS Tag to a matched packet
- Strip MPLS : remove an MPLS Tag from a matched packet
- Stacking of rules : this function makes it possible to generate very complex filter rules.
Massive two-tier load-balancing
The service provider wanted to do 6,5 to 7 TB of session-aware load balancing to a DPI application. However, the traffic was delivered asymmetrically and over 90 x 100 Gbit links. Moreover, the traffic was from fixed net users and mobile users. The fixed net traffic was significantly asymmetrical, meaning that the request and answer were not on the same port, and the mobile traffic, as usual, was in the GTP tunnel.
Cubro offered a two-tier load-balancing concept which was based on EXA32100 and EXA48600. In the first stage, the GTP tunnel is removed from the mobile traffic which is the only solution for the asymmetrical traffic issue. Compared to other vendors, GTP tunnel removal in hardware is a standard feature on Cubro products even when the load is very high.
Cubro is able to identify the challenges the customers face and can provide the right solution. In this case, the asymmetrical traffic was a major issue, but Cubro solved this problem by developing a learning load balancing mechanism. This was only possible to develop because the EXA32100 has a high-performance host controller. The units are constantly learning all network relations and based on this information it was possible to solve the asymmetric traffic challenge. Besides this, the advanced network packet broker can remove several MPLS, VLAN, and VXLAN tags to make the traffic readable for the DPI.
In the second stage we use 16 EXA48600 as output. Each of the 6 EXA32100 units was connected to each EXA48600.
Hold on; you don’t have enough ports! That is true for some other visibility vendors but not for Cubro because we can use input and output separately. We can feed 16 links / 32 ports to the unit and still have 32 optical outputs to forward the traffic to the second stage.
In order to handle traffic coming from different sources, you need several rules, and Cubro offers up to 8000 rules per unit. In the second stage the user can do a “simple” layer 4 dual-stack (IPv4 and IPv6) session aware load balancing.
Session-aware load balancing is useful only if the session stays on the same probe forever. This is possible with the Cubro monitoring load balancing application, which is a unique feature of Cubro products. It works differently from standard switch load balancing.
Conventional hash-based load balancing is designed for live traffic. Therefore, it cannot assure that every hash has a deterministic port relation. This means the load balancing is session aware, but a session is not necessarily always forwarded to the same port. In particular, when a session stops for a while, it can happen that after restarting it is on another port. This is not good for monitoring because the traffic then arrives on another probe. We at Cubro don’t do that, and our hash has a deterministic port relation!
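The two properties described here and in the symmetric load balancing section above (both directions of a session on the same port, and a port that depends only on the hash) can be shown in a few lines. This is an added example, not Cubro's algorithm: the CRC32 hash, the probe names, the sample 5-tuples and the `AgingBalancer` class (a simplified model of a balancer whose idle entries expire) are all assumptions made for illustration.

```python
import ipaddress
import zlib

def flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """Direction-independent key: order the endpoints so A->B and B->A match."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted((a, b))
    return (bytes([proto]) + lo[0] + lo[1].to_bytes(2, "big")
            + hi[0] + hi[1].to_bytes(2, "big"))

def deterministic_port(pkt, ports):
    """The port is a pure function of the flow key: no table, nothing to age out."""
    return ports[zlib.crc32(flow_key(*pkt)) % len(ports)]

class AgingBalancer:
    """Hypothetical contrast case: flows are assigned in turn, idle entries expire."""
    def __init__(self, ports, idle_timeout):
        self.ports = ports
        self.idle_timeout = idle_timeout
        self.table = {}      # flow key -> (port, last_seen)
        self.next_idx = 0

    def port_for(self, pkt, now):
        key = flow_key(*pkt)
        entry = self.table.get(key)
        if entry is None or now - entry[1] > self.idle_timeout:
            # Unknown or expired session: it gets whatever port is next.
            port = self.ports[self.next_idx % len(self.ports)]
            self.next_idx += 1
        else:
            port = entry[0]
        self.table[key] = (port, now)
        return port

# Constructed sample traffic: (src_ip, dst_ip, src_port, dst_port, ip_proto)
PORTS = ["probe-1", "probe-2", "probe-3", "probe-4"]
FWD = ("10.0.0.5", "192.0.2.80", 40000, 443, 6)
REV = ("192.0.2.80", "10.0.0.5", 443, 40000, 6)
OTHER = ("10.0.0.9", "192.0.2.80", 40001, 443, 6)

if __name__ == "__main__":
    print("deterministic:", deterministic_port(FWD, PORTS),
          deterministic_port(REV, PORTS))
    lb = AgingBalancer(PORTS, idle_timeout=30)
    print("aging table:", lb.port_for(FWD, 0), lb.port_for(OTHER, 10),
          lb.port_for(FWD, 100))   # session resumes after 90 s idle
```

With the aging model the resumed session lands on a different probe, which is the failure the paragraph describes; the pure hash returns the same probe at any time.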
Amplification for monitoring
It is common to use optical splitters to monitor the traffic in a network, but a splitter also reduces the optical power on the active link. This can cause transmission problems, especially in multimode networks with higher bandwidths (10 Gbit). A Cubro Media Converter 10 G for amplification can help solve this problem.
Big Data – AI: Machine learning approach on Mobile Network Monitoring Data
The network shown in this image is monitored using monitoring probes. The Probe is connected via a TAP network and aggregation devices (network packet brokers) to the different interfaces of the network. These interfaces are logically and physically different which allows us to get a full view of what’s going on in the network. All of these different interfaces are analysed by probes.
A probe is a device that can decode the traffic from a network and produce metadata records (XDR extended data records). The records are sent to a database which must be very powerful in terms of processing and storage capacity to handle the huge amount of data involved. Such a system produces, even on a mid-size network, a terabyte of data and billions of records each day.
This type of a monitoring probe typically covers the L5 – L7 in the OSI stack.
Why is this done?
Monitoring is important to networks and this data can be used for numerous applications including:
- Improving customer satisfaction
- Network planning, troubleshooting and dimensioning
- Fraud and Security
- Measuring performance
- SLA against customers
- SLA against other providers
- SLA against network vendors
A well-functioning monitoring system can save a lot of money and help to improve performance.
What is the challenge and how can big data and AI be useful?
Monitoring systems typically provide KPIs (key performance indicators). The KPI is a formula, which calculates information on this XDR from the probes and provides results in different graphs. The main issue with the KPIs is that they are predefined in a lab and are not flexible. They are neither customized to the customer's network nor to network changes.
Big networks behave like living organisms and can be influenced by customers’ behaviour, external factors like weather, and the content transported. Therefore, a KPI is not an accurate way to show network behaviour because it is unidimensional - too strict and inflexible.
Typically, KPIs do not take known issues in networks like updates, weather and other external impacts into account. Therefore, KPIs often produce a lot of false positive results. And most importantly, KPIs can by definition, only show known issues - dynamic correlated events, for example, can never be detected with KPIs.
The current approach to big data is to provide an intelligent, flexible and multidimensional view of a network. But despite the help of databases like Hadoop and MongoDB, it is still not possible to add data from multiple sources to produce more useful reports.
Cubro is investing in an AI and machine learning project to prove that Big Data, in combination with AI, is a useful approach to solving the issue mentioned above.
Filtering in layer 6
The EXA Series makes it possible to connect with optical or electrical TAPs and filter the S1-U and S1-MME traffic with the ability to extract the traffic of a single mobile customer. This is filtering and correlation in layer 6. The traffic can be captured with a standard laptop using Wireshark, to get a full session from a specific customer. Up to 256 filters on individual mobile users can run simultaneously. To make the captures even more useful, the GTP tunnel can be removed.
Layer 7 Filtering
All EXA Sessionmaster units can be used with thousands of filters, with ZERO performance loss. Almost all the fields in the IPv4 and IPv6 layer 4 headers can be used as a filter match. However, sometimes it is necessary to filter above layer 4. It is now possible to filter up to layer 7 with the new Cubro Sessionmaster EXA series. The Sessionmaster units utilize onboard Network Processors, which are highly optimized CPUs that allow the Sessionmaster to easily handle high bandwidth network traffic with no lost or dropped packets.
Conversion of traffic
The user can convert traffic into a usable form, on a physical level: from copper to fibre interfaces or vice versa. The application also enables a user to convert bandwidth from 10 to 1 Gbit. The user can convert or modify the traffic so that the tools can handle it, removing tunnels or removing labels like VLAN and MPLS.
With the 10Gb ports on the EXA products, it is possible to convert the traffic from a Mobile Core Network to 1Gb so that a conventional PC with Wireshark can be used. The 10Gb traffic can be converted to 1Gb and also filtered down to one specific mobile user for capture by the tool.
IMSI (International Mobile Subscriber Identity) filtering application
When a mobile network is populated by millions of active users (IMSI), troubleshooting an issue can be a problem. Monitoring a single customer or a group of customers by capturing the entire traffic from the network can be expensive and time-consuming. It can take days to search the database of the monitoring system for the customer’s traffic before analysing it.
The Cubro Sessionmaster EXA does smart filtering to solve this problem. The Sessionmaster can filter, correlate and aggregate the traffic of one customer or a group of customers based on the IMSI. This is done online in Sessionmaster and the user can connect simple monitoring devices (a laptop & Wireshark) to analyse the traffic. The Sessionmaster only forwards the traffic from the required customer(s), which makes it easy to capture with a small device.
The Sessionmaster uses a two-stage concept. Typically, the GN ports carry a lot of traffic up to multiple 10 Gbps and the traffic must be split into smaller portions.
Layer 7 Filtering for troubleshooting
VoLTE SIP filtering (with S1-MME/S1-U interface input)
VoLTE RTP/RTCP filtering (with S1-MME/S1-U interface input)
This application helps to troubleshoot VoLTE traffic in a mobile network. It is available on all EXA models.
In-line GTP tunnel de-encapsulate & tunnel encapsulate
This application simplifies a challenging approach. With it, the user can remove the GTP tunnel on HTTP traffic only, process the traffic and add the GTP tunnel in the live link.
The process -
- The traffic is sent over a Cubro optical bypass switch to the Sessionmaster EXA, to protect the live link in case of a failure.
- From the bypass, the traffic goes to the EXA. The EXA removes the GTP tunnel but stores the tunnel information.
- The EXA sends the pure (without GTP header) IP traffic to the application server (firewall, IDS, proxy ...).
- The traffic is sent back to the Sessionmaster EXA after being processed.
- The EXA sends the packets (with the original GTP header re-encapsulated), over the optical bypass switch back to the live link.
- The traffic is reinserted in the live link.
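The strip, store and re-encapsulate steps above can be sketched on the GTP-U layer alone. This is an added example, not Cubro's implementation: it works on the UDP payload only (the outer IP/UDP header would be stored the same way), and keying the stored header by the inner source and destination address is an assumption, as are the names `TunnelStore`, `gtpu_decap` and `inner_flow` and the sample packet.

```python
import struct

GTPU_GPDU = 0xFF  # message type of a G-PDU (tunnelled user packet)

def gtpu_decap(udp_payload):
    """Split a GTPv1-U G-PDU into (gtp_header_bytes, inner_ip_packet)."""
    if len(udp_payload) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, _teid = struct.unpack("!BBHI", udp_payload[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTPU_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    end = 8 + length                      # length counts everything after byte 8
    if end > len(udp_payload):
        raise ValueError("length field exceeds datagram")
    offset = 8
    if flags & 0x07:                      # E, S or PN set: 4 optional bytes follow
        offset = 12
        if offset > end:
            raise ValueError("truncated optional fields")
        next_ext = udp_payload[11] if flags & 0x04 else 0
        while next_ext:                   # walk the extension header chain
            if offset >= end or udp_payload[offset] == 0:
                raise ValueError("bad extension header")
            offset += udp_payload[offset] * 4
            if offset > end:
                raise ValueError("extension header overruns packet")
            next_ext = udp_payload[offset - 1]
    return udp_payload[:offset], udp_payload[offset:end]

def inner_flow(ip_packet):
    """Assumed lookup key: the inner source and destination addresses."""
    version = ip_packet[0] >> 4 if ip_packet else 0
    if version == 4 and len(ip_packet) >= 20:
        return ip_packet[12:20]
    if version == 6 and len(ip_packet) >= 40:
        return ip_packet[8:40]
    raise ValueError("inner packet is not IPv4/IPv6")

class TunnelStore:
    """Remembers the GTP-U header removed from each flow so it can be put back."""
    def __init__(self):
        self.headers = {}

    def strip(self, udp_payload):
        header, inner = gtpu_decap(udp_payload)
        self.headers[inner_flow(inner)] = header   # latest header wins
        return inner

    def restore(self, inner):
        header = self.headers[inner_flow(inner)]
        length = len(header) - 8 + len(inner)      # tool may have resized the packet
        return header[:2] + struct.pack("!H", length) + header[4:] + inner

# Constructed sample: GTP-U header with the S flag (sequence number 7) around a
# minimal IPv4 packet 10.0.0.1 -> 10.0.0.2 (checksum left at zero).
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 6, 0,
                    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"data"
SAMPLE = struct.pack("!BBHIHBB", 0x32, GTPU_GPDU, 4 + len(INNER),
                     0x1234ABCD, 7, 0, 0) + INNER
```

A packet the inline tool drops simply never reaches `restore`, and a packet it introduces for an unknown flow raises `KeyError` instead of being sent into the live link without a tunnel header.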
Keyword Search and regular expression
Keyword or regular expression searches are a way to find traffic based on the content of the packet. This is needed to separate traffic, which cannot be done with IP header filters. The Sessionmaster can conduct a keyword or regular expression search in the packets with an in-line rate of up to 20 Gbit with a single CPU and 40 Gbit with a second CPU module. To perform a useful search, the Sessionmaster must decode the protocol. The search depth and the search offset can be configured by the user.
Example : The requirement is to get all “http get” messages for analysis because the “http get” message gives a lot of information about the traffic and saves a lot of bandwidth.
Deep Packet Inspection
Deep Packet Inspection typically entails decoding of packets above layer 4. It is used to identify the network protocol. It is also used to identify the application. There are two major DPI applications:
- Filter with DPI and traffic steering - The Sessionmaster EXA can use its DPI features in the packet stream to identify a packet and then forward this related stream based on rules to an output port (original packets).
- Metadata extraction - XDR - The Sessionmaster EXA Probe can use its DPI feature to look into the packet stream, identify a packet, extract metadata and send this to a server for the next processing step (non-original packets).
Meta data extraction
Cubro offers two probes to extract metadata out of network traffic. Cubro Mobile Probe is designed for all mobile network protocols 2G/3G/4G/5G, while Cubro FlowVista is for pure IP traffic. Both probes are hardware-based appliances. The heart of the probe is a Cavium multi-core CPU and our own real-time OS. This design provides high performance and high availability.
Both the probes are agnostic to sources and big data stacks and work with Splunk, ELK and more. The additional advantage of the probe is that there is no administrative limit in terms of XDR core port speed. Cubro only charges for the appliance hardware and software. There are no XDR volume charges or bandwidth charges (it is your data).
Metadata and big data are key technologies that provide useful information on how to control networks and protect networks from fraud. These technologies also help to monetize the data from the networks. Let your network earn money for you.
Big Data in Network Operators
Big Data is a buzzword all over the world. The service provider industry believes that big data will play a critical role. What are the possibilities in big data analytics and how can big data help service providers on a daily basis?
There has been an unprecedented growth in network traffic and service providers are facing several problems every day due to cost pressure, customer complaints, compatibility issues and much more. Service providers must find efficient ways to correlate all data sources.
Until now, a service provider has typically run numerous monitoring systems and hundreds of databases, often with overlapping data, from different sources or the same source. The data silos are not consolidated because of technical issues and cost, and operating all of them is a major cost driver.
Big data is a tool that enables us to consolidate all these different platforms onto one big data storage (not a database). Data sources can be network elements, server logs, and passive probes.
But big data is not the solution. It is only a tool that makes a solution possible.
Passive probing is one of the core competencies of Cubro. The phenomenal growth of data requires that the service provider industry understand the use of big data. Cubro, unlike most other vendors, has an agnostic approach. We focus on providing metadata rather than selling BI and reports. Cubro Probes are highly reliable and offer the best performance, in addition to offering our customers reduced TCO.
Leading Innovation: Cubro offers NPBs with P4 support
The EX32100 and EX48600 are the first NPBs in the market with P4 support. P4 is a programming language for network silicon. With the help of P4, it is possible to add functions to silicon, which is impossible in an ASIC. This results in higher performance compared to FPGA. For example, we add extended MPLS features to the unit to support the following MPLS removal actions:
Ethernet | MPLS | IPv4 | payload
Ethernet | MPLS | IPv6 | payload
Ethernet | MPLS | MPLS | payload
Ethernet | MPLS | MPLS | Ethernet | payload
Ethernet | MPLS | MPLS | MPLS | MPLS | payload
Ethernet | MPLS | XXXX | payload
Removing MPLS tags is difficult because the layer 2 header must be stored while the MPLS tags are cut, and then the layer 2 header must be restored. The silicon currently on the market cannot support more than two tags, and as wildcard MPLS removal is not possible, the tag which should be removed must be known in advance.
The Cubro solutions support up to 4 MPLS tags and wildcard removal up to multiple 100 Gbps performance.
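The store, cut and restore sequence described above looks like this in software. It is an added example, not Cubro's P4 code: it covers untagged Ethernet frames with an IPv4 or IPv6 payload only, removes any label values (wildcard) up to a stack depth of 4, and infers the restored EtherType from the first nibble of the payload, which is an assumption since MPLS itself carries no payload type. The function names and sample frames are constructed.

```python
import struct

ETH_MPLS = (0x8847, 0x8848)                  # MPLS unicast / multicast EtherTypes
ETH_BY_IP_VERSION = {4: 0x0800, 6: 0x86DD}   # EtherType to restore after stripping

def strip_mpls(frame, max_labels=4):
    """Return (frame_without_mpls, removed_label_values)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    l2_addrs = frame[:12]                    # store destination + source MAC
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in ETH_MPLS:
        return frame, []                     # nothing to strip
    labels, offset = [], 14
    while True:
        if len(labels) == max_labels:
            raise ValueError("label stack deeper than max_labels")
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        entry = struct.unpack("!I", frame[offset:offset + 4])[0]
        labels.append(entry >> 12)           # top 20 bits are the label value
        offset += 4
        if entry & 0x100:                    # S bit: bottom of stack reached
            break
    payload = frame[offset:]
    new_type = ETH_BY_IP_VERSION.get(payload[0] >> 4) if payload else None
    if new_type is None:
        raise ValueError("payload after the label stack is not IPv4/IPv6")
    # Restore the stored layer 2 header with the EtherType of the payload.
    return l2_addrs + struct.pack("!H", new_type) + payload, labels

def mpls_entry(label, bottom, ttl=64):
    """One 4-byte label stack entry (traffic class left at zero)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def build(labels, payload):
    """Constructed test frame: Ethernet | MPLS x n | payload."""
    stack = b"".join(mpls_entry(value, i == len(labels) - 1)
                     for i, value in enumerate(labels))
    return L2 + struct.pack("!H", 0x8847) + stack + payload

# Constructed sample data: locally administered MACs and zeroed IP headers.
L2 = bytes.fromhex("020000000001020000000002")
IPV4 = bytes([0x45]) + bytes(19)
IPV6 = bytes([0x60]) + bytes(39)

if __name__ == "__main__":
    stripped, removed = strip_mpls(build([100, 200, 300], IPV4))
    print(removed, stripped[12:14].hex())
```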