TRANSCRIPT
G5 Network Packet Broker April 2020
@Cubro Confidential
AGG vs. EXA - An overview
AGG = classical high-end NPB with L4 functions
● 10G, 25G, 40G and 100G in one unit
● 100% throughput at all ports simultaneously
● Non-blocking backplane
● Aggregation
● Filtering up to Layer 4
● Load balancing
● Two products
○ AGG-48600
○ AGG-32100
● Previously classified as “EX”
EXA = classical high-end NPB with L7 functions
● All features of AGG plus some advanced features
● Filtering up to L7 via “string search”
● Time stamping
● GTP load balancing
● GTP inner IP filtering
● VXLAN VNI filtering
● Two products
○ EXA48600
○ EXA32100
● L2 - L4 filtering
● VLAN tag modification / stripping
● Packet Slicing in line rate on all ports
● 25 Gbit support
● 24MB memory for bursting protection
● Non-blocking design
● SerDes tuning for third party optical modules
● Up to 60 ports per load balancing group
● Up to 4000 simultaneous filtering rules in IPv4 mode and 2000 in IPv6 mode
● NTP synchronisation
● TACACS+ and RADIUS Authentication
● SNMPv2
● SNMPv3 (Roadmap 2020)
● Syslog (Roadmap 2020)
● Management via Web UI
Cubro G5 – Highlights (AGG & EXA)
● VXLAN VNI tag filtering
● Timestamping incl. PTP time synchronization
● PTP synchronisation
● Keyword search for advanced filtering
● GTP inner IP hashing (symmetric and asymmetric) and filtering
● GTP inner IP dual stack support
● Individual Hashing per port group (Load-balancing)
● Active Tunnel Endpoint (Tunnel Termination)
● ERSPAN termination
● GRE / NVGRE termination
● GTP termination
● MPLS termination (Up to 5 labels)
● MPLS-in-UDP termination
● VNtag termination
● VXLAN termination
● Management via Rest API and CLI
Cubro G5 – Highlights (EXA version only)
● 48 x SFP/SFP+ for 1G/10G
● 6 x QSFP28 for 40G/100G – each of these ports can be used in 4 x 10G or 4 x 25G split mode
● When all ports are in split mode it supports 72 x 10G
● Each port can be used simultaneously as input and output and is totally independent from other ports
● Non-blocking architecture
● All ports are open – no software licence to enable ports
Sessionmaster EXA48600
EXA features
● 48 x SFP/SFP+ for 1G/10G
● 6 x QSFP28 for 40G/100G – each of these ports can be used in 4 x 10G or 4 x 25G split mode
● When all ports are in split mode it supports 72 x 10G
● Each port can be used simultaneously as input and output and is totally independent from other ports
● Non-blocking architecture
● All ports are open – no software licence to enable ports
Aggregator AGG-48600
● 32 x QSFP28 for 40G/100G – each of these ports can be used in 4 x 10G or 4 x 25G split mode
● When all ports are in split mode it supports 128 x 10G/25G
● Each port can be used simultaneously as input and output and is totally independent from other ports
● Non-blocking architecture
● All ports are open – no software licence to enable ports
Sessionmaster EXA32100
EXA features
Aggregator AGG-32100
● 32 x QSFP28 for 40G/100G – each of these ports can be used in 4 x 10G or 4 x 25G split mode
● When all ports are in split mode it supports 128 x 10G/25G
● Each port can be used simultaneously as input and output and is totally independent from other ports
● Non-blocking architecture
● All ports are open – no software licence to enable ports
GTP Functionality: EXA48600 & EXA32100
GTP = GPRS Tunneling Protocol
GTP is used to transport packet data from the eNodeB to the internet via an IP tunnel.
GPRS Tunneling Protocol
GTP is an IP-in-IP tunnel. It is used on many mobile interfaces such as Gn, S5, S8 and S1-U. GTP consists of two types of packets: GTP-C and GTP-U.
GTP-U = the user plane, where the user traffic is transported
GTP-C = the control plane of the protocol
Difference between Control and User Plane
Cubro G5 devices (EXA32100 and EXA48600) are the only network packet brokers on the market which can do inner IP filtering in hardware at full line speed.
Cubro offers the most cost-efficient solution:
● Usually the S1-U interfaces are the most loaded on a mobile network
● Other vendors can also do this, but in expensive CPU (task-based) solutions
● Cubro G5 series handles GTP applications in hardware to support TBytes of network traffic with unique IP filtering & load balancing
● The EXA32100 provides all kinds of relevant interfaces for this task (32 x 100 Gbit, 32 x 40 Gbit, 128 x 25 Gbit, 128 x 10 Gbit)
Cubro EXA G5 series – The Perfect GTP Solution
GTP load-balancing
● Balance output traffic to probes by means of inner IP address
GTP Inner IP filtering including IP range filtering
● Drop traffic by simple inner IP filtering to avoid overload on monitoring probes
GTP Inner Layer 4 (application) filtering
● Filter applications directly on S1-U interface and feed the traffic to the right monitoring system
GTP tunnel termination
● Remove GTP tunnel header
Advanced GTP Applications
● The difference between the outer and inner IP is the size of the IP address range
● The outer IP address range runs from a few hundred to thousands of addresses
● The inner IP address range runs to millions, and each subscriber has a unique IP
● Typically, a probe needs GTP-U and GTP-C to produce useful metadata (this cannot be done with outer IP load-balancing)
GTP Filtering and Load-balancing
If the outer IP address is used for load-balancing, several issues arise.
● The monitoring session for a user is interrupted when the customer moves to another location
● Because of the small number of outer IPs, the load-balancing can be asymmetric. This means the output ports can be overloaded, which causes packet drops and poor monitoring quality.
● The corresponding GTP-C traffic is not on the same port as the GTP-U traffic
○ On LTE, GTP-C and GTP-U are handled by different mobile interfaces (S11 and S1-U)
Outer IP Load Balancing
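The effect described on the slides above, as an added example that is not Cubro code: a GTPv1-U parser that extracts the inner (subscriber) IP pair and hashes it symmetrically to choose a probe port, next to the same hash over the outer tunnel IPs. CRC32 as the hash, the function names and all addresses are assumptions made for this sketch; packets start at the outer IPv4 header.

```python
import socket, struct, zlib

GTPU_PORT = 2152  # UDP port for GTP-U

def ipv4(src, dst, payload):
    """Minimal IPv4 header, protocol UDP, checksum left at 0 (constructed sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def gtpu_packet(outer_src, outer_dst, teid, inner_src, inner_dst):
    """Constructed sample: outer IPv4 / UDP 2152 / GTPv1-U G-PDU / inner IPv4."""
    inner = ipv4(inner_src, inner_dst, b"\x00" * 8)
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return ipv4(outer_src, outer_dst, udp)

def parse_ips(pkt):
    """Return ((outer_src, outer_dst), (inner_src, inner_dst)) as 4-byte strings."""
    ihl = (pkt[0] & 0x0F) * 4
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    gtp = pkt[ihl + 8:]
    if pkt[9] != 17 or dport != GTPU_PORT or gtp[0] >> 5 != 1 or gtp[1] != 0xFF:
        raise ValueError("not a GTPv1-U G-PDU")
    off = 8
    if gtp[0] & 0x07:                 # E, S or PN flag: 4 optional bytes follow
        off = 12
        nxt = gtp[11] if gtp[0] & 0x04 else 0
        while nxt:                    # walk extension headers (length in 4-byte units)
            size = gtp[off] * 4
            if size == 0:
                raise ValueError("malformed extension header")
            nxt, off = gtp[off + size - 1], off + size
    inner = gtp[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (pkt[12:16], pkt[16:20]), (inner[12:16], inner[16:20])

def probe_port(pkt, n_ports, key="inner"):
    """Pick an output port; sorting the address pair makes the hash symmetric."""
    outer, inner = parse_ips(pkt)
    a, b = sorted(inner if key == "inner" else outer)
    return zlib.crc32(a + b) % n_ports   # CRC32 is an assumed stand-in hash
```

With `key="inner"`, a subscriber's uplink and downlink packets and its packets after a handover to another eNodeB all reach the same probe; with `key="outer"`, every subscriber behind one eNodeB/gateway pair lands on a single port.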
A simple and scalable solution to offload irrelevant traffic from the probes and save cost
GTP Inner IP Range Filtering
A simple and scalable solution to offload irrelevant traffic from the probes and save cost.
The idea is to monitor the user DNS traffic on the S1-U interface directly. This gives the “pure” user traffic and a central point of tapping.
GTP Inner Port Filtering - e.g. DNS
EXA48600 and EXA32100 can directly filter inside the tunnel (inner IP = user IP and/or inner TCP/UDP Port).
Filtering Inside GTP Tunnel
[Diagram labels: n x 100G (S1-U and S11); DNS Analysis Tool; All DNS Traffic; Load-balanced User traffic (incl. DNS); All signalling traffic]
VXLAN Functionality: EXA48600 & EXA32100
EXA48600 & EXA32100
EXA48600 & EXA32100 support the following VXLAN features:
● VXLAN header removal
● Filtering on outer IP (tunnel IP)
● Filtering on VXLAN VNI
● Filtering on inner IP and/or inner layer 4 port number
● Filtering on VXLAN VNI and/or inner IP and/or inner layer 4 port number
VXLAN Header Removal
[Diagram labels: n x 100G; n x 10G or n x 40G or n x 100G to Monitoring]
● Removes the VXLAN header and aggregates traffic to single or multiple outputs.
● Packet slicing is possible to further reduce output bandwidth.
● Allows the use of non-VXLAN monitoring equipment.
VNI and inner IP filtering
VXLAN header 50B
Allows simultaneous filtering on:
– VXLAN identifier
– Inner IP source and/or destination
– Inner L4 (TCP/UDP) source port and/or destination port
VNI and IP filtering – Use case
Rule      Packet #  Source IP  Dest IP  VXLAN    Action         Direction
S6a-rule  1         IP-A       IP-B     VXLAN-A  Filter - drop  Fabric → Border
          2         IP-A       IP-B     VXLAN-B  Send to Probe  Border → Fabric
          3         IP-B       IP-A     VXLAN-B  Send to Probe  Fabric → Border
          4         IP-B       IP-A     VXLAN-A  Filter - drop  Border → Fabric
Rule: Match VXLAN VNI + Source_IP + Dest_IP
Action: Drop or send to output
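The S6a use case above as an added example, not Cubro code: a VXLAN parser that matches VNI + inner source IP + inner destination IP against the four rows of the table and, for "Send to Probe", hands on the inner frame with the 50-byte outer header removed. The VNI numbers, addresses, function names and the default action for unmatched traffic are assumptions; the outer header is taken to be untagged Ethernet with IPv4 and no options.

```python
import socket, struct

VXLAN_PORT = 4789            # IANA-assigned VXLAN UDP port
OUTER_LEN = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes
VNI_A, VNI_B = 100, 200                    # stand-ins for VXLAN-A / VXLAN-B
IP_A, IP_B = "10.10.0.1", "10.20.0.1"      # stand-ins for IP-A / IP-B
S6A_RULES = {                              # (VNI, source IP, dest IP) -> action
    (VNI_A, IP_A, IP_B): "drop",
    (VNI_B, IP_A, IP_B): "probe",
    (VNI_B, IP_B, IP_A): "probe",
    (VNI_A, IP_B, IP_A): "drop",
}

def eth_ipv4(src, dst, payload):
    """Constructed sample frame: Ethernet II + IPv4 (protocol UDP, checksum 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 12 + b"\x08\x00" + ip + payload

def vxlan_frame(vtep_src, vtep_dst, vni, inner_src, inner_dst):
    """Constructed sample: outer Eth/IPv4/UDP 4789, VXLAN header, inner Eth/IPv4."""
    inner = eth_ipv4(inner_src, inner_dst, b"\x00" * 8)
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8) + inner  # I flag, 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    return eth_ipv4(vtep_src, vtep_dst, udp)

def parse_vxlan(frame):
    """Return (vni, inner_src, inner_dst, inner_frame)."""
    if frame[12:14] != b"\x08\x00" or frame[14] != 0x45 or frame[23] != 17:
        raise ValueError("outer header is not plain IPv4/UDP")
    if struct.unpack_from("!H", frame, 36)[0] != VXLAN_PORT or not frame[42] & 0x08:
        raise ValueError("not VXLAN")
    vni = int.from_bytes(frame[46:49], "big")
    inner = frame[OUTER_LEN:]
    if inner[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not IPv4")
    return vni, socket.inet_ntoa(inner[26:30]), socket.inet_ntoa(inner[30:34]), inner

def apply_rules(frame, rules, default="drop"):
    """Match VNI + source + dest; 'probe' returns the de-encapsulated inner frame."""
    vni, src, dst, inner = parse_vxlan(frame)
    action = rules.get((vni, src, dst), default)   # default action is an assumption
    return action, (inner if action == "probe" else None)
```

Because the same inner packet crosses the tap once per VNI, keying the rule on the VNI forwards exactly one copy of each direction to the probe.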
Summary
VXLAN plays an important role in virtual environments.
Cubro Sessionmaster EXA48600 & EXA32100 are a perfect choice for these growing applications and support a full range of VXLAN features.
THANK YOU
Cubro Network Visibility, Ghegastraße 3, 1030 Vienna, Austria
Tel.: +43 1 29826660, Fax: +43 1 2982666399, Email: [email protected]
Cubro Asia Pacific, 8, Ubi Road 2 #04-12 Zervex, Singapore 408538
Tel.: +65-97255386, Email: [email protected]
Cubro North America, 105 Strowger Blvd, Brockville, Ontario, Canada K6V 5K1
Tel: 613-213-0222, Email: [email protected]
Cubro Japan, 8-11-10-3F, Nishi-Shinjuku, Shinjuku, Tokyo, 160-0023 Japan
Email: [email protected]