Cubro launches advanced ATCA Platform
Cubro has developed an ATCA chassis-based platform which can extend the performance of probe. The ATCA platform will enable the service providers to get a higher port density for probing and advanced traffic engineering applications. With the use of ATCA platform, the probe performance is up to 600 Gbit; the traffic engineering performance is about 1,2 TB. Typically, there is a mixture of probing blades and traffic engineering blades (GTP load balancing).
Traffic monitoring through the probe is emerging as a viable option for the service provider. It is essential to choose a platform that extends the performance of the probe. A significant amount of unlimited data and the growing complexity of the network demands platforms which can enhance the performance of the demanding environments.
The Probe module for the ATCA platform. The performance can extend by adding probe blades.
Data enrichment for Geolocation application in Mobile networks
A key challenge for a communication service provider in today’s environment is to retain customers. Every operator struggles to find out their customers’ needs and wants. The mobile carrier can benefit by analysing the wealth of data they have and transforming it into useful information which can help them reach their goals.
This customer runs an application to provide location-based customer behaviour analysis. The data for this application comes from network elements such as CDRs. These CDRs are processed and provide a location map and a movement profile of mobile customers. Using this information, the communication service provider can analyse the services their users use and create targeted marketing campaigns. The data is anonymised and used for marketing purpose.
The challenge was that network elements were changed to another vendor and these network elements did not deliver the same data in the CDR. This means the Geolocation Application was not working anymore and as a result, it had a significant impact on the business model of the provider.
Technical Solution from Cubro
The Cubro Probe provided the missing metadata information to the mobile network provider. The probe is connected to S6a/S1-MME/S11 interfaces. The probe analyses the traffic from this interface deciphers the NAS messages and correlates the data to produce a combined XDR.
This XDR is forwarded to a Kafka instance. In the Kafka instance, the XDR from Cubro is correlated with the CDR from the network elements. The output from Kafka is then sent to the Hadoop cluster to produce the analytics.
The usage of the Cubro Probe saves the previous investment in the analytics application, and with the help Cubro, the operator has a smooth transition when he is changing the UTRAN hardware to a new vendor.
In Kafka, both data sources are correlated by a common identifier. However, correlation can be very complicated because often there is no linear correlation possible. In this case, a third source is needed to do a good correlation.
Load balancing up to multiple 100 G
Load balancing is vital because analysing and capturing devices are only capable of handling a certain amount of traffic. Cubro helps to load balance the traffic to several devices which share the load. This load balancing is very flexible and supports many ports.
Symmetric load balancing
Symmetric load balancing, or session-aware load balancing, is supported on all Cubro G4 Packetmasters at no extra charge. In addition, 10 LB groups with 16 ports are also supported. Symmetric load balancing is a mechanism that interchanges the source and destination addresses to ensure that bidirectional traffic, specific to a particular source and destination address pair flows out of the same member of a trunk group.
500 X 10 Gbit port cross-connect with 400 Gbit non-blocking backbone
- EX20400 is connected over 4 x 100 Gbit to one EX32100 to build a 500 port 10 Gbit cross- connect
- The connection is layer 2 transparent
- To ensure full control and secure transfer, all traffic is transported in VXLAN tunnels across the system
- At the output, the VXLAN tunnel head is removed
- Centralized management
100 Gbit port cross-connect full mash
- In this application 6 EX32100s are connected to a fully mashed cross connect with 162 available 100 Gbit ports (27 per box)
- The interconnection between the boxes can be done with one link or with two or more depending on the required bandwidth
- The table below shows how many units can be interconnected and how many ports are available
100 Gbit port cross-connect with central unit
- In this application 6 EX32100s are connected to a central unit with 186 available 100 Gbit ports (31 per box)
- The interconnection between the boxes can be completed with one link or with two or more depending on the required bandwidth
- The table below shows how many units can be interconnected and how many ports are available
The screen shot of the management console shows the cross-connect application. The user defines the connected end point and the application finds the best and shortest way to the endpoint. However, it is also possible to define a hard-coded way.
By clicking on a point, the route is shown as a highlighted path. The application supports any combination of layout, full mesh and central in any combinations and it is self-learning in how the units are connected. Also, we provide all types of traffic statistics.
The EX Series can also work as a media converter from:
- Copper to Fibre 1 Gbit
- Copper to Fibre 10 Gbit
- Fibre 10 Gbit (SM) to Fibre 10 Gbit (MM), 40 Gbit, 100 Gbit, etc.
100 Gbit aggregation
The EX48400 is connected via the Cubro optical TAPs to a 100 Gbit live link.
The aggregation feature combines the traffic both directions to one 100 Gbit output for monitoring purposes. Using the filtering capability of the Packetmaster EX48400, a user can select only the portion of the traffic needed to solve the network problem.
Packet slicing in 100 Gbit line rate
Cubro offers packet slicing option with CRC recalculation on multiple 100 Gbit traffic per unit. The EXA32100 is the only multiple 100 Gbit Network Packet Broker which supports packet slicing in-line rate on all 100 Gbit interfaces. There are three options for slicing - 64, 128 and 256 bytes. This feature can be configured on any output port, and it supports dual-stack IPv4 and IPv6.
The significant advantage of packet slicing in such performance is to get the maximum out of your monitoring tools. This application reduces the load to a factor 10 which implies that a 100 Gbit tool can handle 1 TB traffic. Another benefit is that this is done in the silicon and not on an attached CPU because this is deterministic and prevents jitter and packet drop.
Reduce monitoring cost and increase tool efficiency with Cubro EXA32100 and EXA48600. We provide the best value product to fit your need.
Filtering is another major solution needed to support monitoring applications. Cubro can filter in all 7 layers depending on the equipment. This capability helps the user to save money because only the relevant traffic needs to be monitored and collected. Cubro NPB supports thousands of filters from 2000 in the smallest unit up to 1 million in the biggest. The number of filters has no impact on the performance of the unit.
Layer 7 Filtering for troubleshooting
VoLTE SIP filtering (with S1-MME/S1-U interface input)
VoLTE RTP/RTCP filtering (with S1-MM/S1-U interface input)
This application helps to troubleshoot VoLTE traffic in a mobile network. It is available on all EXA models.
IMSI (International Mobile Subscriber Identity) filtering application
When a mobile network is populated by millions of active users (IMSI), troubleshooting an issue can be a problem. Monitoring a single customer or a group of customers by capturing the entire traffic from the network can be expensive and time-consuming. It can take days to search the database of the monitoring system for the customer’s traffic before analysing it.
The Cubro Sessionmaster EXA does smart filtering to solve this problem. The Sessionmaster can filter, correlate and aggregate the traffic of one customer or a group of customers based on the IMSI. This is done online in Sessionmaster and the user can connect simple monitoring devices (a laptop & Wireshark) to analyse the traffic. The Sessionmaster only forwards the traffic from the required customer(s), which makes it easy to capture with a small device.
The Sessionmaster uses a two-stage concept. Typically, the GN ports carry a lot of traffic up to multiple 10 Gbps and the traffic must be split into smaller portions.
HTTP filtering in the GTPv1 or GTPv2 tunnel in a core UMTS LTE network
This application shows the capability of the Sessionmaster EXA to filter inside the GTP tunnel without removing the GTP header. The application is filtering the HTTP traffic inside the tunnel and load balancing the traffic. As an additional feature, the GTP header could also be removed from the filtered traffic.
In line GTP tunnel de-encapsulate & tunnel encapsulate
This application simplifies a challenging process. With it, the user can remove the GTP tunnel on HTTP traffic only, process the traffic and add the GTP tunnel in the live link.
The process -
- The traffic is sent over a Cubro optical bypass switch to the Sessionmaster EXA, to protect the live link in case of a failure.
- From the bypass, the traffic goes to the EXA. The EXA removes the GTP tunnel but stores the tunnel information.
- The EXA sends the pure (without GTP header) IP traffic to the application server (firewall, IDS, proxy ...).
- The traffic is sent back to the Sessionmaster EXA after being processed.
- The EXA sends the packets (with the original GTP header re-encapsulated) over the optical bypass switch back to the live link.
- The traffic is reinserted in the live link.
GTP Load Balancing in Hardware with EXA32100
For the probe to deliver the expected output, the data session should always be on the same probe, even when the mobile is moving in the network. The CSP has two options to manage the unprecedented traffic. One option is to use several probes to capture all the traffic. This can cost a massive amount of money. In addition to being a more expensive solution, it also requires the probes to be interconnected to share the captured information from different users and to get an overview of all data transferred in the network from the user equipment. One probe should know everything about a data session. If you look for a certain subscriber and experience of using the network; all sessions of this subscriber should be on the same probe. This requires the different probes in different locations to be connected to each other.
Another challenge is that a data session is typically open “forever” or for a very long time. As a result, typical approaches where the session is handled by TEID in the GTP protocol is not very useful because it needs a long time to get all TEID information. This is due to the reason that only when the session is established or updated, this information is transferred.
In addition to this, the third big issue is that on LTE networks the S5/S8 interface between S-GW and P-GW is typically not accessible because these two network elements are physical on the device. This means that only the S1U interface can be used. However, on this interface, the TEID is changed when the user is moving to a different tower, and it is nearly impossible to handle this. (See Figure 1)
It is a complicated matter because in order to follow the inter eNB handover, the full mobility management traffic (MME) must be analysed in real-time and this would be extremely expensive.
The Cubro solution is to load balance based on the inner user IP. The Cubro Sessionmaster EXA32100 assures that all messages belonging to a specific session are correlated before forwarding it to the probe. Since this function is done in hardware, multiple 100 Gbit traffic is possible with one unit. This cost-effective solution load balances and filters traffic in full line rate before sending it to the probe and as a result increases the monitoring tool efficiency.
Tapping is a layer 1 technique to get access to network traffic without interfering the original traffic or losing information. The purpose of tapping is monitoring and lawful interception. Depending on the physical situation and speed requirements (from very slow 2 Mbit up to very fast 100 Gbit links), optical or copper interfaces can be chosen. A network link (connection) has two directions, which means that for a 100 Gbit link, the user has to handle up to 200 Gbit. The major issue in tapping a network is not interfering the original traffic. Due to this challenge, it is necessary to choose a tool which is built with a deep knowledge of layer 1. Several customers have been using Cubro’s layer 1 solutions for over a decade.
Cubro’s network packet brokers are capable of steering traffic in many ways. The tools are passive and are deployed in-line behind TAPs. They can be used with or without bypass protection. Steering includes load balancing and traffic tunnelling. Cubro supports all major tunnel techniques including VLAN, MPLS, GRE, NVGRE, GENEVA and VXLAN. TAP networks today can be very complex, as there are often several packet brokers involved. Cubro has systems with more than 1000 ports.
Monitoring and troubleshooting
The Packetmaster EX48400 supports 4500 layer 4+ filters.These filters can be used to redirect a small portion of the traffic to a low end (in terms of bandwidth) monitoring tool like a PC with Wireshark. The filtered traffic can be used to troubleshoot routing issues on 100 Gbit link. It is also possible to feed several monitoring probes with specific traffic.
Monitoring and troubleshooting is a vital part of maintaining and running networks. Growing traffic and increasing number of applications have made filtering an important feature for troubleshooting. Cubro offers smart filtering in any OSI layer with an in-line rate up to 100 Gbit; it is session-aware and application-aware in layer 7.
Layer 7 filters
All EXA Sessionmaster can be used with thousands of filters, with ZERO performance loss. Almost all the fields in the IPv4 and IPv6 layer 4 headers can be used as a filter match. However, sometimes it is necessary to filter above layer 4. It is now possible to filter up to layer 7 with the new Cubro Sessionmaster EXA series. The Sessionmaster units utilize onboard Network Processors, which are highly optimized CPU's that allow the Sessionmaster to easily handle high bandwidth network traffic with no lost or dropped packets.
Monitoring traffic in a DWDM / CWDM system
With the Cubro Media Converter 10 G and a Cubro MUX / DE¬MUX, a user has the possibility to look into a DWDM/ CWDM system and analyze the data.
Filtering in layer 6
The EXA Series makes it possible to connect with optical or electrical TAPs and filter the S1u and S1MME traffic with the ability to extract the traffic of a single mobile customer. This is filtering and correlation in layer 6. The traffic can be captured with a standard laptop using Wireshark, to get a full session from a specific customer. Up to 256 filters on individual mobile users can run simultaneously. To make the captures even more useful, the GTP tunnel can be removed.
Keyword Search and regular expression
Keyword or regular expression searches are a way to find traffic based on the content of the packet. This is needed to separate traffic, which cannot be done with IP header filters. The Sessionmaster can conduct a keyword or regular expression search in the packets with an in-line rate of up to 20 Gbit with a single CPU and 40 Gbit with a second CPU module. To perform a useful search, the Sessionmaster must decode the protocol. The search depth and the search offset can be configured by the user.
Example : The requirement is to get all “http get” messages for analysis because the “http get” message gives a lot of information about the traffic and saves a lot of bandwidth.
Deep Packet Inspection
Deep Packet Inspection typically entails decoding of packets above layer 4. It is used to identify the network protocol. It is also used to identify the application. There are two major DPI applications:
- Filter with DPI and traffic steering - The Sessionmaster EXA can use its DPI features in the packet stream to identify a packet and then forward this related stream based on rules to an output port (original packets).
- Metadata extraction - XDR - The Sessionmaster EXA Probe can use its DPI feature to look into the packet stream, identify a packet, extract metadata and send this to a server for the next processing step (non-original packets).
Big Data – AI: Machine learning approach on Mobile Network Monitoring Data
The network shown in this image is monitored using monitoring probes. The Probe is connected via a TAP network and aggregation devices (network packet brokers) to the different interfaces of the network. These interfaces are logically and physically different which allows us to get a full view of what’s going on in the network. All of these different interfaces are analysed by probes.
A probe is a device that can decode the traffic from a network and produce metadata records (XDR extended data records). The records are sent to a database which must be very powerful in terms of processing and storage capacity to handle the huge amount of data involved. Such a system produces, even on a mid-size network, a terabyte of data and billions of records each day.
This type of a monitoring probe typically covers the L5 – L7 in the OSI stack.
Why is this done?
Monitoring is important to networks and this data can be used for numerous applications including:
- Improving customer satisfaction
- Network planning, troubleshooting and dimensioning
- Fraud and Security
- Measuring performance
- SLA against customers
- SLA against other providers
- SLA against network vendors
A well-functioning monitoring system can save a lot of money and help to improve performance.
What is the challenge and how can big data and AI be useful?
Monitoring systems typically provide KPIs (key performance indicators). The KPI is a formula, which calculates information on this XDR from the probes and provides results in different graphs. The main issue with the KPIs is that they are predefined in a lab and are not flexible. They are neither customized to the customer's network nor to network changes.
Big networks behave like living organisms and can be influenced by customers’ behaviour, external factors like weather, and the content transported. Therefore, a KPI is not an accurate way to show network behaviour because it is unidimensional - too strict and inflexible.
Typically, KPIs do not take known issues in networks like updates, weather and other external impacts into account. Therefore, KPIs often produce a lot of false positive results. And most importantly, KPIs can by definition, only show known issues - dynamic correlated events, for example, can never be detected with KPIs.
The current approach to big data is to provide an intelligent, flexible and multidimensional view of a network. But despite the help of databases like Hadoop and MongoDB, it is still not possible to add data from multiple sources to produce more useful reports.
Cubro is investing in AI and machine learning project to prove that Big Data, in combination with AI, is a useful approach to solving the issue mentioned above.
Cubro offers two probes to extract metadata out of network traffic. Cubro Mobile Probe is designed for all mobile network protocols 2G/3G/4G/5, while Cubro FlowVista is for pure IP traffic. Both the probes are hardware-based appliances. The heart of the probe is a Cavium multi-core CPU and our own real-time OS. This design provides high performance and high availability.
Both the probes are agnostic to sources and big data stacks and work with Splunk, ELK and more. The additional advantage of the probe is that there is no administrative limit in terms of XDR core port speed. Cubro only charges for the appliance hardware and software. There are no XDR volume charges or bandwidth charges (it is your data).
Metadata and big data are key technologies that provide useful information on how to control networks and protect networks from fraud. These technologies also help to monetize the data from the networks. Let your network earn money for you.
Big Data in Network Operators
Big Data is a buzzword all over the world. The service provider industry believes that big data will play a critical role. What are the possibilities in big data analytics and how can big data help service providers on a daily basis?
There has been an unprecedented growth in network traffic and service providers are facing several problems every day due to cost pressure, customer complaints, compatibility issues and much more. Service providers must find efficient ways to correlate all data sources.
In the past up to now a service provider typically runs numerous monitoring systems, and has hundreds of databases, often with overlapping data, from different sources or the same source. The entire data silo is not consolidated because of technical issues and cost and operating all the data silos is a major cost driver.
Big data is a tool that enables us to consolidate all these different platforms onto one big data storage (not a database). Data sources can be network elements, server logs, and passive probes.
But big data is not the solution. It is only a tool that makes a solution possible.
Passive probing is one of the core competencies of Cubro. The phenomenal growth of data requires that the service provider industry understand the use of big data. Cubro, unlike most other vendors, has an agnostic approach. We focus on providing metadata rather than selling BI and reports. Cubro Probes are highly reliable and offer the best performance, in addition to offering our customers reduced TCO.
The future of visibility 2020 and beyond
Network performance challenges are increasing, and visibility will be a more critical part of the network infrastructure in future. New trends and increased security threats within the network operations would require high-level visibility in order to get more information out of the network. A recent approach is towards self-organizing and self-healing networks.
The primary difference would be that, unlike today, network visibility will no longer be a separate part of the network but would be a service on top of the network infrastructure. This transition process will need a while because this service approach only works on programmable networks (SDN) and the existing legacy networks do not support this approach.
The challenge for visibility in Cloud environment:
Multiple 10.000 physical servers, multiple 100.000 virtual servers and multiple 1.000.000 instances require entirely different switching concepts and also different visibility approach. In such a network environment, the routing is done on tenant id, client id or in application layer and only ip is not usable because the instances are moving between virtual/physical servers. The routing is not between physical servers but between applications.
Due to the large number of servers and endpoints, physical tapping is not a realistic approach. This involves enormous cost and lot of management effort. Another issue is the massive amount of data, and legal issues will not allow a full capture approach.
The solution is smart filtering/routing to feed the traffic to the relevant analytics tools. This must be done inside the network infrastructure because only there the dynamic filtering/routing information is available in real time.
Currently, there is no switch hardware available to perform such task. This application is possible only with programmable switches, hardware or pure software based.
As part of our future development, Cubro will offer the EXA32100 platform in combination with Sonic NOS such a solution. And this confirms that visibility as a service will not be only software based. Software is needed to control the visibility service but, we will require powerful hardware, and security wise a trusted platform to handle the massive amount of traffic (see host controller picture).
The visibility management will be a part of the network orchestration or will have access to it to get routing information in real time. The other part of this visibility approach is the hardware related part which performs the data filtering and packet forwarding in real time.
The challenge is that this application must share the resources with the existing switching/routing without interfering. In order to make this possible, there needs to be hardware resource to the switch, and the visibility application needs to have access to the traffic on a deeper layer than the switching application. This requires an excellent designed NOS.
This is the reason that Cubro is currently porting the Sonic API to all new G5 units. This feature helps to integrate the units in existing networks and use them also as visibility platforms.
Sonic invented, my Microsoft has some brilliant mechanism which allow this approach. The visibility application runs in the layer below the typical switch application and the hardware layer. This gives full access to every packet. In addition, user gets realtime information from the switch application to do realtime smart filtering.
Due to this reason, Cubro is investing in new advanced platforms which can do much more than regular L4 silicon. We see our products in the future as a part of the network infrastructure, which do switching / steering as part of the programmable network and offer advanced, up to L7, functions for the visibility service.
Leading Innovation: Cubro offers NPBs with P4 support
The EX32100 and EX48600 are the first NPBs in the market with P4 support. P4 is a language for silicons. With the help of P4, it is possible to add functions to silicon, which is impossible in an ASIC. This results in higher performance compared to FPGA. For example, we add extended MPLS features to the unit to support the following MPLS removal actions:
Ethernet|MPLS | IPv4|payload
Ethernet|MPLS | IPv6|payload
Ethernet|MPLS | MPLS | payload
Ethernet|MPLS | MPLS | Ethernet | payload
Ethernet|MPLS | MPLS | MPLS|MPLS | payload
Ethernet|MPLS | XXXX | payload
Removing MPLS tags is difficult because the layer 2 header must be stored while the MPLS tags are cut and then the Layer 2 header must be restored. The silicon currently on the market cannot support more than two tags, and as wildcard MPLS removal is not possible, the TAG which should be removed must be known in advance.
The Cubro solutions support up to 4 MPLS tags and wildcard removal up to multiple 100 Gbps performance.