Tapping is a layer 1 technique to get access to network traffic without interfering with the original traffic and without losing information. The purpose of tapping is monitoring and lawful interception. Depending on the physical situation and different speed requirements (from very slow 2 Mbit up to very fast 100 Gbit links), optical and copper interfaces can be chosen. A network link (connection) has two directions, which means that for a 100 Gbit link, the user has to handle up to 200 Gbit. The major issue in tapping a network is not interfering with the original traffic. Due to this challenge, it is required to choose a tool which is built with deep knowledge of layer 1. Several customers have been using Cubro’s layer 1 solutions for over a decade.
Cubro’s network packet brokers are capable of steering the traffic in many ways. The tools are passive and are deployed inline behind TAPs. They can be used with or without bypass protection. Steering includes load balancing and traffic tunneling. Cubro supports all major tunnel techniques: VLAN, MPLS, GRE, NVGRE, GENEVE, VXLAN. TAP networks can be very complex today, and often there are several packet brokers involved. Cubro has systems with more than 1000 ports.
Filtering is another major solution needed to support monitoring applications. Cubro can filter in all 7 layers depending on the equipment. This capability helps the user to save cost because only the relevant traffic needs to be monitored and collected. Cubro NPB supports thousands of filters, from 2000 in the smallest unit up to 1 million in the biggest. The number of filters has no impact on the performance of the unit.
Often specific traffic must be forwarded to specific devices. Cubro products can help to offload the analyzing devices with these filter (separation) capabilities.
Aggregation and filtering
The EX2 is connected to several devices, for instance, span ports. The traffic from various sources can be aggregated to one stream for a monitoring device. This application reduces the overhead associated with each transmission. The appliances can be set up to share the traffic load by load balancing and even filtering the data. This way, only the traffic of interest is sent out to the appliances and it minimizes the possibility of oversubscribing the 1GbE monitor ports.
Load balancing up to multiple 100 G
Load balancing is vital because analyzing and capturing devices are only capable of handling a certain amount of traffic. Cubro helps to load balance the traffic to several devices which share the load. This load balancing is very flexible and supports many ports.
Symmetric load balancing
Symmetric load balancing, or session aware load balancing, is supported on all Cubro G4 Packetmasters at no extra charge. In addition, 10 LB groups with 16 ports are also supported. Symmetric load balancing is a mechanism that interchanges the source and destination addresses to ensure that bidirectional traffic specific to a particular source and destination address pair flows out of the same member of a trunk group.
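The following Python sketch is an added example, not Cubro code. It shows why the interchange of source and destination matters for security tools that reassemble sessions: without it, the two directions of one session can reach different tools. The hash function, the port names and the sample sessions are assumptions made for the illustration; the page does not describe the hash the hardware uses.

```python
import hashlib
import ipaddress

def flow_key(src_ip, src_port, dst_ip, dst_port, proto, symmetric=True):
    """Serialize a 5-tuple; in symmetric mode the endpoints are put in a
    canonical order so both directions of a session give the same key."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    if symmetric and b < a:
        a, b = b, a  # interchange source and destination
    return (a[0] + a[1].to_bytes(2, "big") +
            b[0] + b[1].to_bytes(2, "big") + bytes([proto]))

def egress_port(pkt, members, symmetric=True):
    """Pick the load-balancing group member for one packet.
    SHA-256 stands in for the device's hash (assumption)."""
    digest = hashlib.sha256(flow_key(*pkt, symmetric=symmetric)).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]

def reverse(pkt):
    """Return the same session seen in the opposite direction."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    return (dst_ip, dst_port, src_ip, src_port, proto)

def split_sessions(sessions, members, symmetric):
    """Sessions whose two directions would reach different tools."""
    return [s for s in sessions
            if egress_port(s, members, symmetric)
            != egress_port(reverse(s), members, symmetric)]

# Constructed sample: 40 client sessions to one HTTPS server, 4 tool ports
SESSIONS = [(f"10.0.0.{i}", 40000 + i, "192.0.2.10", 443, 6)
            for i in range(1, 41)]
MEMBERS = ["tool-1", "tool-2", "tool-3", "tool-4"]

if __name__ == "__main__":
    print("split without symmetry:", len(split_sessions(SESSIONS, MEMBERS, False)))
    print("split with symmetry:   ", len(split_sessions(SESSIONS, MEMBERS, True)))
```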
Packet slicing means cutting off the payload of an Ethernet packet for monitoring purposes. This can be a requirement for saving bandwidth and capture space on disk. The other reason is security: protecting customer payload from being monitored when that is not necessary. Typically, packet slicing is an expensive add-on in an NPB and has reduced bandwidth because it is implemented with NPU processors. 100 Gbit links are connections between data centers or core networks, which means that these links are heavily loaded, most probably with symmetric traffic. Even a half-loaded link therefore could not be aggregated. The only way to aggregate such links is packet slicing to reduce the total bandwidth.
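As an added illustration (not Cubro code), the Python sketch below slices a frame after its layer 2 to layer 4 headers, so that addresses and ports stay available to the monitoring tool while the customer payload is dropped. Header-aware slicing of Ethernet/IPv4 with TCP or UDP is an assumption chosen for the example; the page does not say where the devices cut. The sample frame is constructed.

```python
import struct

VLAN_TYPES = {0x8100, 0x88A8}   # 802.1Q tag and QinQ outer tag

def slice_frame(frame):
    """Return the frame cut after its L2-L4 headers (Ethernet/IPv4 only).
    Anything that cannot be parsed is cut after the last header understood."""
    off = 12
    try:
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        off += 2
        while ethertype in VLAN_TYPES:               # skip VLAN tags
            (ethertype,) = struct.unpack("!H", frame[off + 2:off + 4])
            off += 4
        if ethertype != 0x0800:
            return frame[:off]                       # unknown L3: keep L2 only
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        (frag,) = struct.unpack("!H", frame[off + 6:off + 8])
        if ihl < 20:
            return frame[:off]                       # malformed IPv4 header
        off += ihl
        if frag & 0x1FFF:
            return frame[:off]                       # later fragment: no L4 header
        if proto == 6:
            off += max(20, (frame[off + 12] >> 4) * 4)   # TCP data offset
        elif proto == 17:
            off += 8                                 # UDP header
    except (IndexError, struct.error):
        pass                                         # truncated frame
    return frame[:off]

def build_sample(payload):
    """Constructed frame: Ethernet + VLAN 100 + IPv4 + TCP + payload."""
    eth = bytes.fromhex("02000000000a02000000000b") + b"\x81\x00\x00\x64\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40001, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

SAMPLE = build_sample(b"customer-data " * 100)       # 1400-byte payload

if __name__ == "__main__":
    sliced = slice_frame(SAMPLE)
    print(f"{len(SAMPLE)} bytes in, {len(sliced)} bytes out")
```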
A bypass is a hardware device that provides a fail-safe access port for an in-line active security appliance. EX12 monitors the health of the active, in-line appliance by sending heartbeats to the in-line security appliance. As long as the in band security appliance is on-line, the heartbeat packets will be returned to the EX12, and the link traffic will continue to flow through the in-line security appliance. This function also works on the copper ports with a copper hardware switch. It allows the in-line appliance to be removed or serviced without impacting network traffic.
The EX Series can be connected directly in a live copper link 10/100/1000 without TAPs. The user can set up filters and send the traffic out on the 4 x 10/100/1000 Mbit interfaces. This traffic is small enough to be captured with a standard laptop. This function also allows for the traffic to be removed and inserted in the live links.
The EX Series can also work as a media converter from:
- Copper to Fiber 1 Gbit
- Copper to Fiber 10 Gbit
- Fiber 10 Gbit (SM) to Fiber 10 Gbit (MM), 40 Gbit, 100 Gbit, etc.
Monitoring and troubleshooting
The Packetmaster EX48400 supports 4500 layer 4+ filters. These filters can be used to redirect a small portion of the traffic to a low end, in terms of bandwidth, monitoring tool like a PC with Wireshark. The filtered traffic can be used to troubleshoot routing issues on a 100 Gbit link. It is also possible to feed several monitoring probes with specific traffic.
Monitoring and troubleshooting is a vital part of maintaining and running networks. Growth in traffic and increase in the number of applications has made filtering an important feature for troubleshooting. Cubro offers smart filtering in any OSI layer at line rate up to 100 Gbit, session aware and application aware in L7.
Filtering – 4500 Flow Rules
A total of 4500 flow rules (filters) can be set in the unit. The red dot marked fields can be used as a match for a packet, stand-alone, combined or with wildcards. For IPSrc and IPDst, supernets are supported.
Available actions after a positive match include –
- Send out : to one or more ports - even the same as the input is possible.
- Drop : delete the specific packet
- Modify : modify specific fields in the matched packets, VLAN, MPLS, MAC SRC, MAC DST, PORT, VLA, Priority and some more
- Add VLAN : the unit can tag a VLAN on the input to separate the traffic after aggregation
- Strip VLAN : VLAN can be removed, Q in Q is supported
- Add MPLS : add an MPLS Tag to a matched packet
- Strip MPLS : remove an MPLS Tag from a matched packet
- Stacking of rules : this function gives the option to generate very complex filter rules.
This function allows the user to select the media by changing the SFP. The unique design also supports CWDM / DWDM and BIDI SFP.
Amplification for monitoring
It is very common to use optical splitters to monitor the traffic in a network, but a splitter also reduces the optical power on the active link. In multimode networks with higher bandwidths (10 Gbit), this could especially cause transmission problems. A Cubro Media Converter 10 G for amplification can help solve this problem.
Conversion of traffic
The user can convert traffic into a usable form, convert on a physical level from copper to fiber interfaces or vice versa. The application also enables a user to convert bandwidth from 10 to 1 Gbit. The user can convert or modify the traffic so that the tools can handle it, removing tunnels or removing labels like VLAN and MPLS.
With the 10Gb ports on the EXA products, it is possible to convert the traffic from a Mobile Core Network to 1Gb so that a conventional PC with Wireshark can be used. The 10Gb traffic can be converted to 1Gb and also filtered down to one specific mobile user for capture by the tool.
Layer 7 Filtering for troubleshooting
VoLTE SIP filtering (with S1-MME/S1-U interface input)
VoLTE RTP/RTCP filtering (with S1-MME/S1-U interface input)
This application helps to troubleshoot VoLTE traffic in a mobile network. It is available on all EXA models.
Leading Innovation : Cubro offers NPBs with P4 support
The EX32100 and EX48600 are the first NPBs in the market with P4 support. P4 is a language for silicon. With the help of P4 it is possible to add functions to silicon, which is impossible in an ASIC. This results in higher performance compared to FPGA. To give an example, we add some extended MPLS features to the unit to support the following MPLS removing actions:
Ethernet | MPLS | IPv4 | payload
Ethernet | MPLS | IPv6 | payload
Ethernet | MPLS | MPLS | payload
Ethernet | MPLS | MPLS | Ethernet | payload
Ethernet | MPLS | MPLS | MPLS | MPLS | payload
Ethernet | MPLS | XXXX | payload
Removing MPLS tags is not simple because the layer 2 header must be stored and, after cutting the MPLS tags, the layer 2 header must be restored. Typically, silicon on the market cannot support more than 2 tags, and wildcard MPLS removal is not possible. This means the tag which should be removed must be known in advance.
The Cubro solutions support up to 4 MPLS tags and wildcard removal up to multiple 100 Gbps performance.
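The store, cut and restore sequence described above can be followed in this added Python sketch, which is not Cubro's P4 code. It removes up to 4 labels regardless of their value and rebuilds the layer 2 header. Detecting the payload type from its first nibble, and treating any other payload as an inner Ethernet frame without a control word, are assumptions of the example; the sample frame is constructed.

```python
import struct

MPLS_ETHERTYPES = {0x8847, 0x8848}  # MPLS unicast / multicast
MAX_LABELS = 4                      # stack depth quoted in the text

def lse(label, bottom, ttl=64):
    """Build one 4-byte label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def strip_mpls(frame, max_labels=MAX_LABELS):
    """Return (labels, frame_without_mpls). Labels are not matched against
    a configured value: any label is removed (wildcard)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    macs = frame[:12]                       # store the layer 2 addresses
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in MPLS_ETHERTYPES:
        return [], frame                    # not MPLS: pass through unchanged
    labels, off = [], 14
    while True:
        if len(labels) == max_labels:
            raise ValueError("label stack deeper than max_labels")
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack("!I", frame[off:off + 4])
        labels.append(entry >> 12)
        off += 4
        if entry & 0x100:                   # S bit set: bottom of stack
            break
    payload = frame[off:]
    if not payload:
        raise ValueError("no payload after label stack")
    # MPLS carries no payload type field, so the first nibble is inspected.
    version = payload[0] >> 4
    if version == 4:
        return labels, macs + b"\x08\x00" + payload   # restore L2 as IPv4
    if version == 6:
        return labels, macs + b"\x86\xdd" + payload   # restore L2 as IPv6
    # Assumption: anything else is an inner Ethernet frame (no control word)
    return labels, payload

# Constructed sample: three labels in front of a minimal IPv4 header
MACS = bytes.fromhex("02000000000a02000000000b")
IPV4 = bytes.fromhex("45000014000000004006") + bytes(10)
FRAME = (MACS + b"\x88\x47" + lse(100, False) + lse(200, False)
         + lse(300, True) + IPV4)
```

A frame with a fifth label raises `ValueError` here, so a deeper stack is reported rather than forwarded half-stripped to the monitoring tool.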