2025-01-14 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
10G Network Shunt: Traditional Products and New Challenges
A network shunt (also translated as network distributor or network divider; in English networking the same class of device is usually called a traffic splitter or network packet broker) is a traffic filtering and collection appliance whose basic filtering works at layers 3 and 4, i.e. on IP and TCP/UDP header fields. It is built specifically for Internet traffic analysis: it filters, thins out, switches and splits the traffic of a monitored link so that the back-end analysis systems receive only the traffic they need. Rong Teng's current shunt range covers Gigabit, 10G (POS, WAN, LAN), 40G (POS, LAN), 100G Ethernet, PON (EPON, GPON), WiFi, 3G and LTE links.
A network shunt is sometimes also called a traffic collector or a network probe.
1. Introduction
10G backbone links have been deployed by operators since 2003, i.e. for more than ten years. They come in three forms: 10G LAN (Ethernet), 10G POS and 10G WAN. Ten years ago, network monitoring, signaling analysis, big-data analysis, IDC protection and content audit on such links were a major challenge for vendors, mainly because:
(1) At that time 10G backbone technology was in the hands of the router manufacturers, who were in a strong position. A shunt needs special functions such as large-capacity rule tables, packet splitting, pattern (feature) matching, DNS rules, two-stage table filtering, output QoS and dynamic IP monitoring, which requires a hardware vendor to innovate deeply and develop new products. The router manufacturers regarded this as a niche market and were unwilling to fund that development; instead they sold routers (or locally modified router line cards) as shunts, and the traffic-analysis vendors had no bargaining power.
(2) The analysis vendors lacked both a complete understanding of the business and any hardware acceleration capability. Their strength was capturing packets on ordinary Ethernet NICs and then doing flow reassembly and protocol analysis in software; all of their technology had been built up on the x86 platform. Such a solution needs a large cluster of servers to form a complete 10G link analysis system, and its performance was usually not high.
(3) The servers of that time had limited processing capacity: with few cores, memory access latency could not be hidden, and even after repeated optimization a single server could not reach Gbps-class processing performance.
The situation today is completely different. Competition in the shunt market is fierce and several competitive manufacturers, Rong Teng Network among them, have emerged. After ten years of accumulation the analysis vendors understand their business well, dare to state their own requirements, and have a deep understanding of how the computing load should be split between hardware and software. Meanwhile the traffic processing capacity of a single server has grown from 300-400 Mbps to about 2 Gbps. The 10G shunt therefore now faces the problems of adding new functions, increasing density and further reducing cost.
2. Challenges
It is estimated that across China's three major operators there are on the order of 10,000 10G fibers (10G LAN, 10G WAN and 10G POS) on backbone links and at the edge of the backbone. Deploying audit and signaling analysis systems on that many links raises some new challenges:
(1) Protecting the user's investment and letting a single chassis support different link types: an operator's network is built in stages, so a single city carries many kinds of links (2.5G, 10G, 40G, 100G and so on), and even the 10G links split into 10G Ethernet LAN, 10G Ethernet WAN and 10G POS. In many cases the analysis vendor does not know the link-layer protocol until the system goes live.
(2) Increasing product density: with so many links of so many types, the equipment should be as dense as possible, with a small footprint and relatively low power consumption.
(3) Fine-grained shunting: filtering out most of the traffic at the flow level based on DPI (Deep Packet Inspection), so that the load on the back-end analysis servers is reduced effectively.
(4) Price/performance: ten years ago the shunt accounted for about 50% of the cost of the overall solution. That share has dropped to about 20%, but cost is still an important consideration for vendors.
3. Solution
A traditional 10G shunt generally offers only simple protocol conversion, multi-tuple filtering with rule tables in the tens of thousands, packet splitting and the like. As the technology developed, new application requirements surfaced: string rules, flow management, DNS rules and multi-tuple rule tables of more than ten million entries. Meeting them demands stronger R&D strength and technical depth from the hardware vendor. A new-generation shunt generally adopts the processing flow shown in Figure 1.
Figure 1: processing flow of the new 10G shunt
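To make the processing flow concrete, here is a small software model of the front end of such a shunt. It is written for this article and is not code from Rong Teng's products or firmware: a multi-tuple filter table with wildcard fields (searched in priority order, first hit wins, as in a TCAM), followed by a flow table keyed on the bidirectional 5-tuple that caches a per-flow verdict. For a flow that needs DPI the verdict is taken on its first payload-bearing packet, so later packets of the same flow are forwarded or dropped without being inspected again, which is the flow-level filtering that challenge (3) above asks for and the flow management discussed in this section. The rule set, the addresses (RFC 5737 documentation ranges) and the "host of interest" criterion are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    payload: bytes = b""


@dataclass
class TupleRule:
    """One multi-tuple filter entry. None means wildcard (a TCAM 'don't care' field).
    Entries are searched in priority order and the first hit wins, as in a TCAM."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None
    action: str = "forward"        # "forward" to out_port, or "drop"
    out_port: Optional[int] = None
    needs_dpi: bool = False        # keep the flow only if stream-level DPI confirms interest

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# Constructed rule set: 203.0.113.0/24 is the hypothetical monitored server range.
# DNS to it goes to back-end port 1 unconditionally, HTTP to port 2 if DPI wants the
# flow, and the lowest-priority wildcard entry drops everything else.
TUPLE_RULES = [
    TupleRule(dst="203.0.113.0/24", proto=17, dport=53, out_port=1),
    TupleRule(dst="203.0.113.0/24", proto=6, dport=80, out_port=2, needs_dpi=True),
    TupleRule(action="drop"),
]


@dataclass
class FlowEntry:
    out_port: Optional[int]
    verdict: Optional[str]         # None = undecided, "keep" or "drop"
    packets: int = 0
    dpi_calls: int = 0


def flow_key(p: Packet):
    """Bidirectional 5-tuple key: both directions of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), p.proto)


def dpi_wants(payload: bytes) -> bool:
    """Toy stream-level DPI: keep HTTP requests for one constructed host of interest."""
    return payload.startswith(b"GET ") and b"Host: target.example" in payload


def process(p: Packet, flows: dict) -> Optional[int]:
    """Flow table first; on a miss consult the tuple rules once and create the entry.
    Returns the output port, or None when the packet is dropped."""
    e = flows.get(flow_key(p))
    if e is None:
        rule = next((r for r in TUPLE_RULES if r.matches(p)), None)
        if rule is None or rule.action == "drop":
            e = FlowEntry(None, "drop")
        else:
            e = FlowEntry(rule.out_port, None if rule.needs_dpi else "keep")
        flows[flow_key(p)] = e
    e.packets += 1
    if e.verdict is None and p.payload:      # first payload-bearing packet decides the flow
        e.dpi_calls += 1
        e.verdict = "keep" if dpi_wants(p.payload) else "drop"
    # Undecided packets (the TCP handshake) are passed on so the back end sees the flow start.
    return None if e.verdict == "drop" else e.out_port


def run(packets):
    """Return (packets per output port, total DPI invocations, number of flows seen).
    The rules are consulted exactly once per flow, i.e. as often as there are flows."""
    flows, per_port = {}, {}
    for p in packets:
        port = process(p, flows)
        per_port[port] = per_port.get(port, 0) + 1
    return per_port, sum(e.dpi_calls for e in flows.values()), len(flows)


def sample_traffic():
    """Constructed packets (RFC 5737 documentation addresses)."""
    c, s, dns = "198.51.100.7", "203.0.113.10", "203.0.113.5"

    def tcp(src, dst, sp, dp, pl=b""):
        return Packet(src, dst, 6, sp, dp, pl)

    return [
        Packet(c, dns, 17, 40001, 53, b"\x12\x34\x01\x00"),     # DNS query
        Packet(dns, c, 17, 53, 40001, b"\x12\x34\x81\x80"),     # DNS reply, hits the same flow
        tcp(c, s, 50001, 80), tcp(s, c, 80, 50001),             # handshake, no payload yet
        tcp(c, s, 50001, 80, b"GET / HTTP/1.1\r\nHost: target.example\r\n\r\n"),
        tcp(s, c, 80, 50001, b"HTTP/1.1 200 OK\r\n"),
        tcp(s, c, 80, 50001, b"<html>"), tcp(s, c, 80, 50001, b"</html>"),
        tcp("198.51.100.8", s, 50002, 80), tcp(s, "198.51.100.8", 80, 50002),
        tcp("198.51.100.8", s, 50002, 80, b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
        *[tcp(s, "198.51.100.8", 80, 50002, b"x" * 1400) for _ in range(4)],
        *[tcp("198.51.100.9", s, 50003, 22, b"SSH-2.0-x") for _ in range(3)],
    ]


if __name__ == "__main__":
    print(run(sample_traffic()))   # ({1: 2, 2: 8, None: 8}, 2, 4)
```

For the 18 constructed packets in 4 flows, `run(sample_traffic())` returns `{1: 2, 2: 8, None: 8}` packets per output port (`None` meaning dropped), two DPI invocations and four flows: the tuple rules were consulted once per flow, DPI ran once per HTTP flow, and the rejected HTTP flow cost the back end only its two handshake packets while its 1400-byte responses were discarded in the shunt. Two design points are worth noting: the bidirectional key means the reverse direction of a flow hits the same entry, so the rule table does not need mirrored entries for replies, and undecided packets are passed through rather than held, so the back end still sees the start of every flow it is later given.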
Within this processing flow, data extraction is link-specific: for ordinary Ethernet a PHY chip does the job, while POS and WAN links need a Framer. Multi-tuple filtering and content filtering can each be implemented in software or in hardware, and the throughput of content filtering is the critical figure. On a 2.5 Gbit/s POS link the maximum packet rate is about 6 Mpacket/s, which leaves at most 167 ns per packet; on a 10 Gbit/s POS link it is about 26 Mpacket/s, leaving about 37 ns per packet.

For high-speed keyword matching the options are FPGA+SRAM, TCAM and pure software, each with its own advantages and drawbacks. Keyword filtering with TCAM (Ternary Content Addressable Memory) is fast and allows rules to be updated dynamically, but a TCAM is a first-match device: it reports only the first (highest-priority) entry that matches. Content audit and application behavior analysis, however, need multi-match, i.e. one packet may hit several keywords at once, and a TCAM entry also has a fixed, limited width. Using TCAM for multi-pattern content matching therefore means solving two problems: long rules and rule storage order. Linking Shared Multi-Match (LSMM) is a good solution. Its basic idea is that every TCAM entry consists of a previous-segment number plus one segment of content: each rule is cut into fixed-width segments, and each of the n entries in the TCAM is extended with enough bits to store the index of the entry holding the rule's previous segment (the prefix chain field). Before each lookup, the content to be matched is prefixed with a chain field and fed into the TCAM. When the prefix segment of a rule hits, the hit is recorded in memory in a partial hit table, together with the position in the packet and the segment index, so that the next lookup can continue the chain.
With a well-ordered allocation of rules in the TCAM, a rule set containing rules of arbitrary length can be stored so that no match is missed, even when one packet matches several rules.

Large-scale flow management is the other key technology. Good hashing and parallel access across multiple DDR channels and banks recover part of the performance, and intelligent flow-table allocation, lock-free timeouts, multi-channel virtual queues and similar supporting techniques improve it further.

Taking density, size, power consumption and cost into account, Rong Teng's 10G shunts (PET160A, PET160B, PET320A and PET320B) filter packets by multi-tuple filtering, flow management and DNS rules and can classify traffic more finely. The PET devices have a modular structure: daughter cards can be added to extend the supported interfaces. The proprietary Multilink Protocol Encapsulation (MPE) makes the data extraction module itself modular, so a 1U chassis can carry 32 network ports. Each port can be of a different type (Gigabit Ethernet, 2.5G POS, 10G LAN, 10G POS, 10G WAN, 40G Ethernet and so on), and the input and output of each interface can be completely different; the user configures this freely. Only 40G Ethernet requires a different daughter card; all other interface types run on the same daughter card and need only a software setting.
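The LSMM scheme described above, as an added software model written for this article rather than taken from Rong Teng's implementation (the 4-byte segment width, the chain-id encoding, the keyword list and the sample payload are all assumptions): keywords are cut into fixed-width segments padded with don't-care bytes, each entry carries the chain id of its predecessor, identical (chain, segment) pairs are shared between rules, and a partial-hit table carries chains from one lookup to the next. Because the modelled TCAM reports only the first matching entry, the entries are ordered so that a more specific entry precedes every entry that subsumes it and inherits that entry's rule terminations; that is the well-ordered rule allocation which keeps overlapping rules from being lost to first-match. The result is checked against a naive scan of the same keywords.

```python
from dataclasses import dataclass, field

SEG = 4        # hypothetical TCAM data width in bytes; the chain field is separate
WILD = None    # 'don't care' byte in a pattern
ROOT = 0       # chain id carried by the first segment of every rule


@dataclass
class Entry:
    eid: int                 # id written into the chain field of the next lookup
    chain: int               # chain id this entry requires (ROOT for first segments)
    pattern: tuple           # SEG values, each an int byte or WILD
    ends: set = field(default_factory=set)   # rules that complete on this entry
    next_ok: bool = False    # some rule continues past this segment

    def literals(self):
        return sum(b is not WILD for b in self.pattern)

    def matches(self, chain, data: bytes) -> bool:
        if chain != self.chain:
            return False
        return all(want is WILD or (i < len(data) and data[i] == want)
                   for i, want in enumerate(self.pattern))

    def subsumes(self, other) -> bool:
        """True if every input matching `other` also matches self (self is more general)."""
        return self.chain == other.chain and all(
            w is WILD or w == o for w, o in zip(self.pattern, other.pattern))


def segments(keyword: bytes):
    """Cut a keyword into SEG-wide patterns, padding the tail with don't-care bytes."""
    segs = [tuple(keyword[i:i + SEG]) for i in range(0, len(keyword), SEG)]
    segs[-1] = segs[-1] + (WILD,) * (SEG - len(segs[-1]))
    return segs


class LsmmTcam:
    def __init__(self, rules: dict):
        self.entries = []
        for name, kw in rules.items():
            self._add(name, kw)
        self._order()

    def _add(self, name, kw):
        chain, segs = ROOT, segments(kw)
        for i, pat in enumerate(segs):
            e = next((e for e in self.entries if e.chain == chain and e.pattern == pat), None)
            if e is None:    # link sharing: an identical (chain, pattern) entry is reused
                e = Entry(eid=len(self.entries) + 1, chain=chain, pattern=pat)
                self.entries.append(e)
            if i == len(segs) - 1:
                e.ends.add(name)
            else:
                e.next_ok, chain = True, e.eid

    def _order(self):
        """Well-ordered allocation: since only the first hit is reported, store the more
        specific entry first and let it inherit the terminations of entries it shadows."""
        self.entries.sort(key=lambda e: -e.literals())
        for a in self.entries:
            for b in self.entries:
                if a is not b and b.subsumes(a):
                    a.ends |= b.ends

    def lookup(self, chain, data):
        """TCAM semantics: the first stored entry that matches, or None."""
        return next((e for e in self.entries if e.matches(chain, data)), None)

    def scan(self, payload: bytes):
        """Return {(rule, start_offset)} for every keyword occurrence in payload."""
        hits, partial = set(), []   # partial-hit table: (start, next_offset, chain id)
        for off in range(len(payload)):
            due = [(off, off, ROOT)] + [p for p in partial if p[1] == off]
            partial = [p for p in partial if p[1] != off]
            for start, pos, chain in due:
                e = self.lookup(chain, payload[pos:pos + SEG])
                if e is None:
                    continue
                hits |= {(r, start) for r in e.ends}
                if e.next_ok:
                    partial.append((start, pos + SEG, e.eid))
        return hits


def naive_scan(rules: dict, payload: bytes):
    """Reference result: every keyword at every offset, no TCAM involved."""
    return {(name, i) for name, kw in rules.items()
            for i in range(len(payload)) if payload.startswith(kw, i)}


# Constructed keyword set and payload, chosen to exercise shared and overlapping rules.
KEYWORDS = {"pass": b"pass", "passw": b"passw", "passwd": b"passwd",
            "password=": b"password=", "RSA": b"RSA", "rsa-key": b"BEGIN RSA PRIVATE KEY"}
SAMPLE = b"user=bob&password=hunter2 -----BEGIN RSA PRIVATE KEY----- cat /etc/passwd"

if __name__ == "__main__":
    tcam = LsmmTcam(KEYWORDS)
    print(sorted(tcam.scan(SAMPLE)) == sorted(naive_scan(KEYWORDS, SAMPLE)))   # True
```

The keyword set deliberately contains the awkward cases: pass, passw, passwd and password= share their first segment; the padded tail w??? of passw would shadow word and wd?? under first-match without the ordering step; and RSA occurs inside the longer BEGIN RSA PRIVATE KEY rule, so two chains are live in the partial-hit table at the same time. On the sample payload the model reports eight hits, the same set as the naive scan.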
Figure 2: PET160. Figure 3: PET320
This gives the user more choice: with only one or two link pairs, a PET160 with a single daughter card is enough; with many links, a fully populated PET320 is the right fit. When the link capacity of a PET320 is exceeded, PET devices can be cascaded. As shown in Figure 4, three PET320B units can take in traffic from 92 interfaces, a maximum capacity of 92 x 10 Gbit/s = 920 Gbit/s. More input interfaces can be added beyond that, and their link types can differ. This significantly increases the scalability of the system and protects the user's investment.
Figure 4: PET320 cascaded deployment
4. Conclusion
In high-speed networks, with the rapid growth of backbone bandwidth and traffic, complex network applications keep appearing, and traditional network IDS, content audit systems and signaling analysis systems face great challenges in capturing and processing data. A 10G shunt is a complex system; its design and implementation must weigh cost, volume, power consumption and density together with the fine shunting functions that are required.