Gigamon Professional E-Learning Guide
Module: Architecting for Service Providers
Ver. 1.0, SW REL. 5.X

CONFIDENTIAL – USE BY GIGAMON EMPLOYEES AND PARTNERS UNDER NDA – NOT FOR CUSTOMERS

COPYRIGHT
Copyright © 2019 Gigamon. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without Gigamon's written permission.

TRADEMARK ATTRIBUTIONS
Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners.

GigaPRO Professional: Architecting for Service Providers
Welcome to the Gigamon Professional module describing how to architect for service provider environments.

Service Provider Challenges
• Massive customer base
• Diverse network topologies
• Oversubscribed tools
• Monitoring the customer
• Monitoring internal operations
• Rapid response to degraded performance and outages
• Protecting sensitive customer information and metrics
• Analytics and trending
©2017 Gigamon. All rights reserved.

As the number of subscribers continues to increase, service provider networks must add capacity and roll out new network technology to keep up with demand. In doing so, service providers face many challenges, including:
• The sheer volume and variety of traffic generated by a massive customer base and billions of transactions.
• The use of many diverse technologies in their networks, such as 2G, 3G, HSPA, LTE and VoLTE, among others.
• Tool oversubscription, as the tools are inundated with traffic. Gigamon also strips out information the tools do not need, relieving them of unnecessary processing.
• The constant need to reduce churn and increase customer satisfaction.
• Monitoring internal operations. This is critical, so real-time monitoring tools alert the operator whenever there is a fault; if a core device goes down, the operator must know about it straight away. Traffic is monitored at more points than in a typical enterprise network; for instance, it is monitored on either side of many devices.
• Rapid response whenever there is degraded performance or an outage in the network.
• Carrying out network operations, monitoring and performance improvement without violating the customer's privacy.
• And finally, the ability to perform analytics and usage trending at any time.

What Is the Triple Challenge?
UNDERSTANDING THE RESOURCE CRUNCH
Interdependencies:
• Deploying IP Voice leads to 100Gb
• Deploying 40 / 100Gb leads to CNV
• Deploying IP Voice leads to CNV
IP Voice & VoLTE, 100Gb and Network Virtualization, each marked as a risk.

Service providers are faced with three interdependent technology upgrades:
• deploying IP Voice as well as Voice over LTE services,
• high-bandwidth data, and
• network virtualization.
The requirement for high-bandwidth data and packetized voice services, as well as other cloud-based data services in the mobile network, is driving the need to increase data bandwidth across the air interface to the mobile device.
This, in turn, is pushing service providers to increase bandwidth on the backhaul of the network as well as in the network core. The backhaul is commonly being increased to 40 gigabit and core speeds are increasing to 100 gigabit. To be more flexible in providing services on demand, service providers are also being pushed towards virtualizing their networks.

In the past, operators were able to deploy new technologies in series. The current new technologies are linked by their interdependencies, so instead of deploying them in series, the deployment of one technology forces the deployment of another, and so on. These interrelationships make it difficult for the operator to gain confidence in rolling out each new technology, and difficult to pinpoint the source of problems. When deploying these new technologies, the operator faces a number of decisions:
• Upgrade the core beforehand because of concerns about quality of service issues in general, or wait until the bandwidth demands placed on 4G/LTE force the move of voice services off the existing circuit-switched 2G network?
• Upgrade core routers in anticipation of rising traffic, or virtualize the core routing network elements first?
• Virtualize the core first and then deploy VoLTE as a virtualized network function, or deploy VoLTE as a legacy function in the traditional network, since that network is already in place?
Because the three technologies are interdependent, deploying any one of them results in the other two being deployed as well. Whichever technology comes first, the interdependencies will cause the rollout of all three.
To de-risk Triple Challenge deployments and understand how the technologies interact, monitoring becomes critical. Monitoring solutions can no longer operate in silos, one per technology.
• IP Voice is a very sensitive service; complete visibility from edge to core is needed to debug complex, interrelated transport and service layer issues.
• Bonded 10 gigabit, 40 gigabit and 100/400 gigabit transport needs advanced processing across the fabric, but cost-effective tools capable of connecting to and monitoring 100/400 gigabit transport pipes are not available.
• Network virtualization is a complex new technology with no built-in monitoring capability. To deploy NFV is to remove visibility from a large part of your existing network.

NFV Design Challenges
Network Function Virtualization
The market for server virtualization infrastructure has matured, surpassing 75% of all server workloads, and this trend is increasing. (Data from Gartner report.)

Network Function Virtualization, or NFV, aims to transform the way service providers architect their networks: software that emulates the network functions can be moved dynamically to wherever it is needed in the network, without installing new equipment. NFV transforms network operations. Virtualization removes the dependency between a network function and its hardware by creating a standardized execution environment and management interfaces for the Virtualized Network Functions (VNFs). As a result, multiple VNFs share the physical hardware in the form of virtual machines, and further pooling of hardware allows massive and agile sharing of NFV Infrastructure resources.
This creates new business opportunities analogous to the cloud computing service models: Infrastructure as a Service, Platform as a Service and Software as a Service. Functions that normally run on proprietary hardware in a mobile core can be virtualized on commercial off-the-shelf servers in a cloud environment and deployed as redundant services that can be rolled out at a moment's notice to improve availability and uptime. Providers use NFV to reduce operational costs because virtual versions of these network functions are easier to manage, configure and deploy.

NFV Architecture Will Drive East-West Traffic Growth, But There's a Problem...
[Slide diagram: virtualized DB, application, AAA and web servers attached to virtual switches inside NFV hosts, with a central core router. The east-west traffic between the virtual machines never touches the physical network.]

Service providers have years of experience in monitoring and securing a physical environment. Because NFV is both new and evolving, their experience with it is also new and evolving; visibility is often limited, and much of the traffic never leaves the virtual space. NFV is still in its early stages, which means the overall architecture and implementation are still evolving, and there is much debate about the standards and capabilities that NFV solutions need to include. Suppose an organization needs to enforce a policy for a subset of east-west traffic, such as filtering traffic between two workloads or virtual machines. For the network to enforce this policy, packet filters or rules must be configured manually on various devices.
Should one of the workloads migrate without network team intervention, the required configuration may not exist on the new device where its packets enter the network. It is easy to tap a physical link and gain access to traffic flowing north-south, as we have seen in other modules. But what about traffic that never leaves the physical server? How do we tap traffic flowing east-west between virtual machines, or see traffic belonging to another tenant over which we have no direct administrative control?

The Solution – Unified Tool Rail
THE UNIFIED VISIBILITY PLATFORM ARCHITECTURE DRIVES THE UNIFIED TOOL RAIL

This diagram shows the interconnectivity between different parts of the network, as well as the connectivity between the traditional network core and the virtualized network functions. All of the new and old technologies need to be properly monitored so that the impact of one upon another is minimized, and so that unknown or misunderstood interactions can be quantified and resolved. A Unified Tool Rail provides visibility into each new technology and into every place in the network where issues could manifest. The Unified Tool Rail is superimposed on the Gigamon Unified Visibility Platform architecture and offers visibility across the new technologies, eliminating barriers and silos. All parts of the network are monitored in unison, including the NFV layer and the more traditional virtualized data center layer, so that operators can understand and analyze how each Triple Challenge deployment affects the other technologies.
Operators can see the interactions between user-generated east-west traffic and north-south virtual transport traffic. Visibility allows operators to de-risk the deployment of new technologies, maintain network uptime, deploy technologies faster with the same resources, reduce network and service downtime, reduce customer support call costs and ultimately reduce churn.

Gigamon Solves the Triple Challenge
Challenges: 100Gb (too much traffic); VoLTE (complex, sensitive RTP issues); Network Virtualization (lack of visibility).
Responses: Intelligence at the Edge; De-Risk & Simplify; Pervasive Visibility, delivered through the UNIFIED TOOL RAIL.

With all of these changes, service providers are fundamentally transforming how they manage and monitor their networks to keep up with escalating traffic volumes, new handsets, new real-time services and complex subscriber behaviors. Simply adding more analytic and performance management tools has been difficult because of variable-rate interfaces and variable throughput processing capabilities, which make it problematic to integrate, scale or aggregate disparate traffic into a holistic view of a subscriber's daily services and device use. The following high-level summary shows how Gigamon helps with the Triple Challenge.

First and foremost, visibility matters. A Unified Tool Rail is the best way to manage and monitor the risks represented by the Triple Challenge and to reduce risk for all of these deployments, whether they happen at the same time or one after the other. Only the Gigamon Visibility Platform has the depth of monitoring, power and features to provide a Unified Tool Rail that solves the Triple Challenge.
Service providers are advised against relying on spot or "thin-layer" monitoring as a complete, all-encompassing monitoring solution. Such solutions are not suitable, and the service provider will soon find itself buying a "thick-layer" monitoring solution. Proposing a robust and extensible monitoring solution up front improves credibility with senior management, and because the platform is modular and extensible, the solution can grow to accommodate new and expanded services.

It becomes faster to deploy new technologies, because they are now fully monitored, allowing a better understanding of the impact of one technology on another and between the various traffic types. It becomes cheaper to deploy monitoring within a well-architected Unified Tool Rail and to use that rail for all three new technologies.

Service Provider Architectures
This section covers the different deployment architectures used by service providers.

Design Considerations in 3G Networks
[Slide diagram: subscriber devices, Base Station Subsystem (PCU, RNC), Mobile Core (MSC/HLR, SGSN, GGSN, with Gr/Gs, S3 and S4 interfaces towards the LTE MME and LTE S-GW) and the PDN. Tool categories shown: Network Performance Management, Application Performance Management, Customer Experience Management and Security.]

This diagram shows the network architecture and components of a 3G network. 3G is being phased out or integrated into 4G networks.
An LTE gateway is included in this architecture to illustrate where 4G interconnects with the older 3G technology. Because 3G networks consist mostly of proprietary nodes and proprietary network control protocols, there are not many places where Ethernet traffic is accessible.
• Data in the Base Station Subsystem is often not packet based.
• Data in the Mobile Core, along with connections to the Base Station Subsystem, is IP packet based but may not be carried over Ethernet.
Marked by an orange tapping point, the Gn interface between the SGSN and GGSN is where the GTP version 1 control plane and user plane traffic used by GigaSMART GTP Correlation crosses. When integrated with 4G networks, GTP traffic also crosses between the SGSN and the MME. The blue tapping points can be used to obtain any other Ethernet traffic for aggregation and filtering before forwarding to tools.

Design Considerations in 4G / LTE Networks
[Slide diagram: subscriber devices (UE), Access Network (eNodeB, X1/X2), Evolved Packet Core (MME, HSS, S-GW, P-GW with S2, S3 and S4 interfaces; CDMA 2000 PDSN/FA and 3G SGSN interworking) and the PDN, with the same four tool categories.]

4G/LTE is an IP-based, packet-switched evolution of 3G technologies capable of speeds up to 1 gigabit per second. Connections pass from the end user on the left through the evolved base stations (eNodeB) to the MME and the Serving Gateway (S-GW); the MME checks the subscriber against the Home Subscriber Server, and the user traffic continues through the S-GW and P-GW to the Packet Data Network on the right. This diagram shows the complex reality in which LTE exists, where it must interact with pre-existing network elements including 3G networks and the Internet.
The Mobility Management Entity (MME) authenticates wireless devices and is involved in handoffs between LTE and previous generations of technology. LTE is designed to provide IP-based voice services plus data and multimedia streaming at speeds of at least 100 megabit per second and up to 1 gigabit per second per user device. Higher per-device speeds lead to ever-increasing speeds in the core of the network. Once past the cell site it is all IP, and this migration to an all-IP architecture offers better spectral efficiency, a seamless migration from earlier technologies and a path to higher performance. As an all-packet network, there are many more points where the data can be accessed and where packet intelligence can be applied. Orange tapping points again indicate where a visibility solution obtains traffic that can be used for GigaSMART GTP Correlation and FlowVUE operations. Blue tapping points can be used to obtain other Ethernet traffic for aggregation, filtering and traffic intelligence features before forwarding to tools.
GTP User and Control Plane Correlation: 4G / LTE Networks with Flow Sampling/Whitelisting and Load Balancing with the Gigamon Visibility Platform
[Slide diagram: the 4G/LTE architecture above with Visibility Platform functions (Flow Mapping, GTP Correlation, Load Balancing, FlowVUE) placed between the tapped interfaces and the centralized tools: Application Performance Management, Network Performance Management, Customer Experience Management and Security.]

Some network monitoring tools need to receive traffic from the different LTE/3G logical interfaces (S1-U, S1-MME or S11) on dedicated tool ports, but cannot themselves separate traffic by logical interface. Using LTE/3G logical interface filtering, traffic from each interface can be directed to the associated tool port. Gigamon Visibility Platform nodes can also discriminate between GTP version 1 and GTP version 2 messages. In an LTE network, sessions on the S1-U/S11, S2, S3/S4 and S5/S8 interfaces are maintained using GTPv2 control plane signaling, while legacy 3G sessions on the Gn/Gp interfaces are maintained using GTPv1 control plane signaling. The GTP version filter therefore allows traffic from 3G networks to be forwarded to 3G-focused tools while LTE traffic is directed to LTE-specific tools. Note that the user plane itself (GTP-U on S1-U, S5/S8 and Gn alike) is GTP version 1 in both 3G and LTE, so the version filter separates the control planes; user plane traffic is steered by its logical interface or by correlation with the control plane. By correlating the control and user plane sessions, Visibility Platform nodes can identify, filter and forward all sessions belonging to a GTPv1 or GTPv2 subscriber session to one or more monitoring or analytic tools. As traffic levels increase in LTE mobile core networks, tool capacity may not be able to scale to support the resulting traffic volumes.
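The version and interface discrimination just described can be checked against raw datagrams. The following is an added example, not Gigamon code and not a description of how GigaVUE nodes implement the filter: a small Python parser for the fixed GTP header that uses the UDP destination port and the three version bits to tell GTPv1-C, GTPv2-C and GTPv1-U apart and pick a tool group. The three sample datagrams are constructed by hand for the example.

```python
"""Classify GTP datagrams by version and plane from the header.

Added example, not Gigamon code: a minimal GTP header parser showing how a
visibility node can separate GTPv1-C (Gn/Gp), GTPv2-C (S11, S5/S8) and
GTPv1-U (S1-U) using the UDP destination port and the version bits of the
first header byte.  The datagrams under SAMPLES are constructed by hand.
"""
import struct

GTP_C_PORT = 2123   # GTP-C, shared by version 1 (TS 29.060) and version 2 (TS 29.274)
GTP_U_PORT = 2152   # GTP-U, always version 1 (TS 29.281), even in LTE

# Message types relevant to session correlation; anything else is "other".
V1_MSG = {16: "Create PDP Context Request", 17: "Create PDP Context Response",
          255: "G-PDU"}
V2_MSG = {32: "Create Session Request", 33: "Create Session Response"}


def parse_gtp(udp_dst_port, payload):
    """Decode the fixed part of a GTP header; raise ValueError on junk."""
    if len(payload) < 8:
        raise ValueError("too short for a GTP header")
    flags = payload[0]
    version = flags >> 5                       # top three bits
    if version == 1:
        # GTPv1: flags, message type, length(2), TEID(4); PT bit must be 1 (GTP, not GTP')
        if not flags & 0x10:
            raise ValueError("GTP' (charging) is not handled here")
        msg_type, length, teid = struct.unpack("!BHI", payload[1:8])
        plane = "user" if udp_dst_port == GTP_U_PORT else "control"
        name = V1_MSG.get(msg_type, "other")
    elif version == 2:
        # GTPv2: flags, message type, length(2), then TEID(4) only if the T bit is set
        if udp_dst_port != GTP_C_PORT:
            raise ValueError("GTPv2 is control plane only")
        msg_type, length = struct.unpack("!BH", payload[1:4])
        teid = struct.unpack("!I", payload[4:8])[0] if flags & 0x08 else None
        plane = "control"
        name = V2_MSG.get(msg_type, "other")
    else:
        raise ValueError(f"unsupported GTP version {version}")
    return {"version": version, "plane": plane, "msg_type": msg_type,
            "msg_name": name, "teid": teid, "length": length}


def tool_group(udp_dst_port, payload):
    """Pick the tool group the way a GTP version filter would."""
    hdr = parse_gtp(udp_dst_port, payload)
    if hdr["plane"] == "user":
        return "user-plane tools"          # GTPv1-U: version alone cannot tell 3G from LTE
    return "3G tools" if hdr["version"] == 1 else "LTE tools"


# --- constructed sample datagrams -------------------------------------------
def build_v1(msg_type, teid, body=b""):
    # flags 0x30: version 1, PT=1, no optional fields
    return struct.pack("!BBHI", 0x30, msg_type, len(body), teid) + body


def build_v2(msg_type, teid, seq, body=b""):
    # flags 0x48: version 2, P=0, T=1; length excludes the first 4 octets
    header = struct.pack("!BBHI", 0x48, msg_type, 4 + 4 + len(body), teid)
    return header + struct.pack("!I", seq << 8) + body   # 3-byte sequence + spare


SAMPLES = {
    "gn_create_pdp": (GTP_C_PORT, build_v1(16, 0, b"\x02" + b"\x00" * 8)),
    "s11_create_session": (GTP_C_PORT, build_v2(32, 0, 1)),
    "s1u_gpdu": (GTP_U_PORT, build_v1(255, 0x12345678, b"\x45" + b"\x00" * 19)),
}

if __name__ == "__main__":
    for name, (port, pkt) in SAMPLES.items():
        print(name, parse_gtp(port, pkt)["msg_name"], "->", tool_group(port, pkt))
```

The point of the `tool_group` split is the caveat from the text: a user-plane G-PDU on S1-U parses as version 1 exactly like a 3G Gn packet, so steering it to "LTE tools" needs the interface or the correlated control plane, not the version bits.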
GTP Correlation and other GigaSMART features also provide load balancing across tools, which allows lower-speed tools to be used for analysis of the session data for those subscribers. GTP Correlation may be used together with GigaSMART FlowVUE to intelligently choose a representative sample of the traffic. Complete flows are sampled rather than randomly picking packets for analysis. Sampling flows allows statistically accurate monitoring of overall subscriber behavior and experience without having to invest in enough tooling to fully monitor aggregated traffic from multiple links or from higher-speed 40Gb and 100Gb links. Up to 500,000 high-value subscribers, or subscribers who need extra monitoring, can be identified by IMSI in a named whitelist to ensure that these subscribers are monitored with a higher priority and outside of FlowVUE sampling. Because that whitelist is a list of subscriber identifiers, it should be handled with the same care as any other store of sensitive customer information.

Key Design Tapping Points
[Slide diagram: EPC reference architecture showing the UE, eNB (Uu, X2), MME (S1-MME, S3, S10, S11, S6a to the HSS/SLF, SLs to the E-SMLC, Sv to the MSC, SLg to the GMLC/LRF, and the CBC), SGW (S1-U, S4, S12, S5/S8), PGW (Gx to the PCRF, SGi to the PDN/APN and operator network services such as IMS and PSS), with the GERAN/UTRAN (Um/Uu) and SGSN on the 2G/3G side.]

This diagram indicates the key locations, or interfaces, that need to be tapped to accurately capture the GTP control and user data as they enter the core: the S1-MME, S11 and S1-U interfaces. The S1-MME interface sits between the eNB and the MMEs. The MME communicates with the SGW (Serving Gateway) using GTP-C messages over the S11 interface; these are some of the most important messages from a monitoring perspective.
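The following is an added example, not Gigamon code, illustrating in Python the GTP Correlation, IMSI whitelist and whole-flow sampling described above. The GTPv2-C messages are supplied as already-decoded dictionaries (constructed for this example; a real correlator would pull the IMSI and bearer F-TEIDs out of the Create Session Request and Response IEs), the IMSIs and TEIDs are made up, and the sampling decision is made once per subscriber with a stable hash so that every flow of a sampled subscriber is kept in full instead of sampling individual packets.

```python
"""Correlate GTP-C sessions with GTP-U TEIDs, then whitelist or flow-sample.

Added example, not Gigamon code: a toy version of control/user plane
correlation, an IMSI whitelist and whole-flow sampling.  Control plane
messages arrive as decoded dicts constructed for this example, not parsed
from real S11 traffic, and all IMSIs and TEIDs are made up.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class GtpCorrelator:
    sample_percent: int                 # share of non-whitelisted subscribers to keep (0-100)
    whitelist: frozenset                # IMSIs that always bypass sampling
    pending: dict = field(default_factory=dict)       # seq -> IMSI while a Create Session is in flight
    teid_to_imsi: dict = field(default_factory=dict)  # GTP-U TEID -> IMSI

    def control(self, msg):
        """Learn TEID-to-IMSI bindings from decoded GTPv2-C messages."""
        kind = msg["type"]
        if kind == "Create Session Request":
            # The IMSI travels in the request; the sequence number ties it to the response
            self.pending[msg["seq"]] = msg["imsi"]
        elif kind == "Create Session Response":
            imsi = self.pending.pop(msg["seq"], None)
            if imsi is None or msg["cause"] != "Request accepted":
                return                      # unseen request or rejected session: nothing to bind
            for teid in msg["bearer_teids"]:    # F-TEIDs from the bearer context IE
                self.teid_to_imsi[teid] = imsi
        elif kind == "Delete Session":
            # Simplification: keyed by IMSI here; a real delete is matched by control-plane TEID
            for teid in [t for t, i in self.teid_to_imsi.items() if i == msg["imsi"]]:
                del self.teid_to_imsi[teid]

    def decide(self, teid):
        """Classify a GTP-U packet by its TEID: whitelist, sample or drop."""
        imsi = self.teid_to_imsi.get(teid)
        if imsi is None:
            return "uncorrelated"           # no session seen: send to a default tool or count it
        if imsi in self.whitelist:
            return "forward:whitelist"
        # Stable per-subscriber decision: hash the IMSI, not the packet
        bucket = int.from_bytes(hashlib.sha256(imsi.encode()).digest()[:4], "big") % 100
        return "forward:sampled" if bucket < self.sample_percent else "drop"


def run_demo(sample_percent=100):
    """Feed a constructed attach sequence and return the decision per user-plane TEID."""
    corr = GtpCorrelator(sample_percent, frozenset({"001010000000002"}))
    corr.control({"type": "Create Session Request", "seq": 1, "imsi": "001010000000001"})
    corr.control({"type": "Create Session Request", "seq": 2, "imsi": "001010000000002"})
    corr.control({"type": "Create Session Response", "seq": 1,
                  "cause": "Request accepted", "bearer_teids": [0x1001, 0x1002]})
    corr.control({"type": "Create Session Response", "seq": 2,
                  "cause": "Request accepted", "bearer_teids": [0x2001]})
    corr.control({"type": "Create Session Response", "seq": 9,      # never requested
                  "cause": "Request accepted", "bearer_teids": [0x9001]})
    return {teid: corr.decide(teid) for teid in (0x1001, 0x1002, 0x2001, 0x9001)}


if __name__ == "__main__":
    for teid, verdict in run_demo(10).items():
        print(f"TEID 0x{teid:04x}: {verdict}")
```

Two properties matter for the tools downstream: both TEIDs of the same subscriber always get the same verdict, so a sampled subscriber's session is never half-captured, and a user-plane TEID with no matching control-plane exchange (the `seq 9` response above) is reported as uncorrelated rather than silently dropped, which is where a missed tap on S11 first shows up.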
The S1-U interface sits between the eNodeB and the SGW; all user traffic, carried as GTP-U, is forwarded over S1-U. Gigamon uses GTP Correlation and whitelisting to obtain the specific signaling messages and the matching user sessions on these interfaces. Note that S1-MME carries S1AP over SCTP rather than GTP, so it is selected by interface filtering rather than by GTP Correlation. There are specific tools that can inspect S11, S1-U and S1-MME traffic; with the Gigamon Visibility Platform, all of these interfaces can be tapped and the Visibility Platform delivers the aggregated traffic to the tools as required.

S1-MME
[Slide diagram: LTE attach signal flow across the UE, eNB, MME, SGW, PGW, PCRF, HSS and PDN, with the tapped interfaces feeding GigaVUE-TA10 nodes that aggregate to GigaVUE-TA40 nodes clustered with a GigaVUE-HD8. Analysis tools shown: QXDM, ASCOM, TCPDUMP or a protocol analyzer. Protocol stack shown for S1-MME: S1AP over SCTP over IP. Message sequence:
1. Attach Request (UE to eNB over Uu, eNB to MME over S1-MME/S1AP)
2. Authentication Information Request / Response (MME to HSS, S6a Diameter)
3. Authentication / Security (NAS between the UE and MME)
4. Update Location Request / Response (MME to HSS, S6a Diameter)
5. Create Session Request (MME to SGW over S11 GTP-C, SGW to PGW over S5/S8 GTP-C)
6. Gx Diameter exchange between the PGW and PCRF
7. Create Session Response (PGW to SGW over S5/S8, SGW to MME over S11)
8. Initial Context Setup Request / Attach Accept (MME to eNB to UE)
9. Attach Complete (UE to MME)]

This signal flow diagram identifies which interfaces are tapped and how the aggregated traffic can be filtered and forwarded through a GigaVUE architecture for inspection.
Tapping S1-MME traffic is critical because the MME is responsible not only for attaching the user that has contacted the eNodeB, but also for setting up the GTP-C session with the SGW over the S11 interface. The MME also performs the authentication and Update Location request for the user against the HSS to determine whether the user may access the network. In general, operators look at all the messages related to a user: between an eNodeB and an MME, an MME and an SGW, and an SGW and a PGW, and correlate them to understand the traffic from the user's perspective. In this example, traffic between an eNB and an MME is aggregated and sent to a GigaVUE-TA10 configured with a pass-all traffic map. Several GigaVUE-TA10s are aggregated to another GigaVUE-TA10 and then on to a GigaVUE-TA40. In this diagram the GigaVUE-TA40 is clustered with a GigaVUE-HD8.

S11
[Slide diagram: the same attach signal flow and GigaVUE aggregation tiers as the S1-MME slide, this time highlighting the S11 interface between the MME and the SGW.]
Protocol stack shown for S11: GTP-C over UDP over IP between the MME and the SGW.

The same considerations apply here: the S11 traffic between the MME and the SGW is tapped, sent to GigaVUE-TA10s configured with pass-all traffic maps, aggregated to a GigaVUE-TA40 and delivered to the clustered GigaVUE-HD8. For redundancy, traffic can be replicated to a second set of GigaVUE-TA10, GigaVUE-TA40 and GigaVUE-HD8 nodes.

Internal Operations
[Slide diagram: an A site and a B site, each with a GigaVUE-HD8, a GigaVUE-TA40 and a GigaVUE-TA10 tapping Nx7K switches, firewalls and load balancers.]

This is an example Internal Operations network such as would exist for data centers, stores and billing operations. For redundancy there is an A site and a B site. Note that side A and side B usually exist on different subnets, and the visibility architecture should respect this separation. As the design suggests, if the A side goes down, the B side takes over to maintain operations.
So, it is important to remember the following design considerations:
• Requirements for a visibility node: high port density.
• Tapping points: changes in traffic suggest possible problems, so TAPs are often deployed before and after load balancers and firewalls, not just between the access and distribution layers.
• Cluster IP addressing: members of a GigaVUE cluster must be in the same subnet, and this can affect your cluster design.
• Flow maps and rules: establish a process or validation step to ensure that the traffic capacity limits within a cluster and towards the tools are not exceeded.
Keep in mind that full redundancy will likely produce duplicate packets and correspondingly high traffic rates. The impact of duplication on the various tools should be one of the design considerations; it may be necessary to perform deduplication, load balancing and possibly flow sampling to ensure that the traffic reaching the tools meets the security and monitoring needs without overrunning them.

Example Tiered Architecture
[Slide diagram: eNBs feeding S1-U (GTP) and S1-MME traffic into a tier of GigaVUE-TA10 nodes, which aggregate to a pair of GigaVUE-TA40 nodes and a pair of GigaVUE-HD8 nodes; the MME, SGW and PGW side contributes S11, S5/S8, S4, S12, Gn, Gx, Gy, Ga, S6b and DNS traffic.]

This diagram shows another view of a tiered architecture in use today at a large mobile service provider. Large volumes of S1-U GTP-U user data traffic are identified by the purple path, while the associated S1-MME control traffic, shown in blue, takes a different path. Other protocols, such as S11 traffic, also take the second path. Note that the traffic types traverse different sides of the tiered architecture.
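As an added example (not a Gigamon tool or procedure), the two checks below turn the Internal Operations design considerations above into something that can be run before a change: a cluster-membership subnet check and an estimate of the load offered to a tool port group once A/B redundancy, deduplication and flow sampling are taken into account. The addresses, link rates, dedup ratio and 5% head-room margin are all constructed for the example.

```python
"""Two design checks for an A/B-redundant visibility cluster.

Added example, not Gigamon code: (1) confirm every cluster member sits in the
cluster's management subnet, and (2) estimate the load offered to a tool port
group after redundant copies, deduplication and flow sampling, flagging
oversubscription.  All addresses, link rates and ratios below are constructed
for the example; the 5% safety margin is an assumption, not a Gigamon figure.
"""
import ipaddress


def cluster_subnet_check(members, subnet):
    """Return the names of members whose address falls outside `subnet`."""
    net = ipaddress.ip_network(subnet, strict=False)
    return [name for name, ip in members.items()
            if ipaddress.ip_address(ip) not in net]


def tool_group_load(tap_gbps, tool_port_gbps, copies=1, dedup_ratio=0.0,
                    sample_fraction=1.0, margin=0.05):
    """Estimate offered Gbps versus tool capacity and report whether it fits.

    copies          number of identical copies each tapped link produces
                    (2 when both the A and B side are forwarded to the same tools)
    dedup_ratio     fraction of offered packets removed by deduplication
    sample_fraction fraction of non-whitelisted traffic kept by flow sampling
    margin          head-room kept free on the tool ports
    """
    offered = sum(tap_gbps) * copies * (1.0 - dedup_ratio) * sample_fraction
    capacity = sum(tool_port_gbps) * (1.0 - margin)
    return {"offered_gbps": round(offered, 3), "capacity_gbps": round(capacity, 3),
            "utilisation": round(offered / capacity, 3) if capacity else float("inf"),
            "ok": offered <= capacity}


# --- constructed inputs for a small A/B site ---------------------------------
CLUSTER_MEMBERS = {"hd8-a": "10.20.1.11", "ta40-a": "10.20.1.12",
                   "ta10-a1": "10.20.1.21", "ta10-b1": "10.20.2.21"}   # B side is on another subnet
TAPS_GBPS = [8.0, 6.0, 4.0]              # per-direction utilisation of three tapped links
TOOL_PORTS_GBPS = [10.0, 10.0]           # two 10G ports on the IDS tool group


def run_checks():
    """Run both checks and return their results for inspection."""
    return {
        "outside_subnet": cluster_subnet_check(CLUSTER_MEMBERS, "10.20.1.0/24"),
        "raw_ab": tool_group_load(TAPS_GBPS, TOOL_PORTS_GBPS, copies=2),
        "dedup_ab": tool_group_load(TAPS_GBPS, TOOL_PORTS_GBPS, copies=2, dedup_ratio=0.5),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The `ta10-b1` node is reported as outside the A-side subnet, which is exactly the case the text warns about: it cannot join the A-side cluster and needs its own B-side cluster. The two load estimates show why the duplication caveat matters: forwarding both sides raw oversubscribes the two 10G tool ports, while deduplicating the A/B copies brings the same taps back under capacity.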
This diagram represents only a few of the protocols and interconnections; there are many more, at scale and with redundancy. Every new eNodeB adds thousands of connections that need monitoring. Scaling visibility to a network of this size requires a well-designed architecture.

Example Tiered Architecture Cluster Configuration
[Slide diagram: the same tiers as the previous slide. The lowest GigaVUE-TA10 tier, fed by the eNBs (S1-U GTP and S1-MME), runs pass-all maps; above it the GigaVUE-TA10, GigaVUE-TA40 and GigaVUE-HD8 nodes form a cluster that also receives the MME, SGW and PGW traffic (S11, S5/S8).]

Owing to the vast size of the network being monitored, a mobile service provider deployment can easily require hundreds of nodes and tens of thousands of rules. One service provider deployment routinely operates with seventy to eighty thousand rules. Without clustering, separate maps would be required on each visibility node along the path, and in an environment where change is frequent, rule creation and rule changes would be an arduous administrative task that also creates risk of typographical error. Additionally, clustering GigaVUE TA Series nodes quadruples the maximum rule count for those nodes, so more specific rules are possible. The example deployment in use at a large mobile service provider uses the maximum supported node count for clustering, starting at the GigaVUE-HD8s, where GigaSMART operations including GTP Correlation and Deduplication are applied before traffic is sent to tools. Within the cluster a single map gathers traffic from the lowest tier in the cluster and forwards it through the cluster to the tools, considerably reducing the number of rules required and the risk of error.
Below the clustered tiers, comparatively simple maps are applied on a per-node basis, largely to get traffic into the cluster where more complex rules are used. Clustering represents an important design feature for really large deployments, both from a rule reduction perspective and from the corresponding reduction in time spent creating and maintaining traffic forwarding rules. Care must be taken in designing clusters for architectures like the previously shown "A" side and "B" side redundancy design used by the service provider, as each side may be using different subnets too. Clusters currently require that all members of a cluster be in the same subnet.

Increasing Scale
• Establish clear guidelines for naming conventions
  – Node, port, map naming and comments
• Ease of configuration through clustering
  – Multiple nodes managed as a single entity
  – Simplified traffic mapping from any network port to any tool port
• Clustering resources
  – GigaSMART as a cluster resource
  – Increase in GigaVUE-TA Series rule space
  – Port density through clustering
• Flexibility for future growth
It is clear that service providers operate very large networks. With hundreds of physical nodes the map rule count will likely be in the tens of thousands. Add virtual traffic access and a Visibility Platform can number in the thousands of nodes. Architecting a deployment for visibility on this scale requires careful planning. The following are important design considerations for the physical deployment: when expecting tens of thousands of maps, be sure to plan summarized or abbreviated naming for nodes, for how ports are named, and for map naming, which packs a lot of information into a coded string.
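One way to realize such a coded map-name template, as an added Python example and not a Gigamon convention or tool: the field order (device, market, ports, traffic type, source, tool, requester, lifetime) follows the map-name contents listed in the next paragraph, while the separator, the code tables, the 2-to-4-character free-form rules and the 32-character length budget are assumptions constructed for the illustration. The point is that both building and parsing run the same validation, so a mistyped code fails before a map is created rather than after it is forwarding traffic.

```python
# Added example, not a Gigamon convention: a coded map-name template of the kind
# this section describes. Field order follows the map-name contents listed in the
# text; the separator, code tables, free-form rules and length budget are
# constructed for the illustration.
import re
from typing import Dict

SEP = "-"
FIELDS = ("device", "market", "ports", "traffic", "source", "tool", "requester", "lifetime")

# Coded fields: 2-to-4-character designations of the kind a provider already uses (constructed).
CODES: Dict[str, Dict[str, str]] = {
    "device":   {"H8": "GigaVUE-HD8", "T4": "GigaVUE-TA40", "T1": "GigaVUE-TA10"},
    "market":   {"DAL": "Dallas", "CHI": "Chicago", "ATL": "Atlanta"},
    "traffic":  {"GTPU": "GTP-U user data", "GTPC": "GTP-C control", "S11": "S11 control", "DNS": "DNS"},
    "source":   {"S1U": "S1-U interface", "S1M": "S1-MME interface", "S5": "S5/S8 interface"},
    "tool":     {"PRB": "performance probe", "SEC": "security analytics", "PCAP": "packet capture"},
    "lifetime": {"P": "permanent", "T": "temporary"},
}
# Free-form fields: 2 to 4 characters, never containing the separator (constructed rule).
FREE = {
    "ports": re.compile(r"^[A-Za-z0-9]{2,4}$"),   # e.g. "1x1": constructed shorthand for a port position
    "requester": re.compile(r"^[A-Z]{2,4}$"),     # requesting team code, e.g. "NOC"
}
MAX_LEN = 32  # assumed alias length budget; the page states no limit


def build_map_name(**fields: str) -> str:
    """Validate every field and concatenate the codes into a map name."""
    unknown = set(fields) - set(FIELDS)
    missing = [f for f in FIELDS if f not in fields]
    if unknown or missing:
        raise ValueError(f"unknown fields {sorted(unknown)}, missing fields {missing}")
    parts = []
    for field in FIELDS:
        value = fields[field]
        if field in CODES:
            if value not in CODES[field]:
                raise ValueError(f"{field}: {value!r} is not a defined code")
        elif not FREE[field].match(value):
            raise ValueError(f"{field}: {value!r} must be 2-4 characters without {SEP!r}")
        parts.append(value)
    name = SEP.join(parts)
    if len(name) > MAX_LEN:
        raise ValueError(f"{name!r} exceeds {MAX_LEN} characters")
    return name


def parse_map_name(name: str) -> Dict[str, str]:
    """Split a map name back into its coded fields, rejecting malformed names."""
    parts = name.split(SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"{name!r} does not have {len(FIELDS)} fields")
    fields = dict(zip(FIELDS, parts))
    build_map_name(**fields)  # reuse the same validation on the way in
    return fields


def describe_map_name(name: str) -> Dict[str, str]:
    """Expand a map name into the meaning of each field, for change reviews and audits."""
    return {f: CODES[f][v] if f in CODES else v for f, v in parse_map_name(name).items()}


if __name__ == "__main__":
    example = build_map_name(device="T4", market="DAL", ports="1x1", traffic="GTPU",
                             source="S1U", tool="PRB", requester="NOC", lifetime="P")
    print(example)
    print(describe_map_name(example))
```

Because parse_map_name reuses build_map_name, an exported map list can be checked against the template in bulk, which is how a naming guideline stays enforceable once rule counts reach the tens of thousands.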
Map names can easily include information about device type, market, ports used, type of traffic monitored, where the traffic is coming from, the tool it is destined for, who requested the traffic, and even whether the map is temporary or permanent. Leveraging 2 to 4-character coded designations that are likely already in use, plus a few additions, a generalized template concatenating a series of these codes can fully describe the map using relatively short names, while imparting considerable information.
Node clustering provides many benefits, including:
• Multiple nodes managed as a single entity and accessed through a virtual cluster management IP address. This single console can be used for everything from configuration to backups and upgrades.
• Clustering considerably decreases the number of traffic forwarding rules required, directly translating into less time and effort needed to keep up with changing visibility needs. Without clustering, the number of rules needed to forward through 4 or 5 different nodes is equal to the node count in the path. In addition to the risk of error, the time required to create 4 or 5 rules instead of one adds up quickly. Done through a cluster, the same sequence is performed using a single rule.
• Once clustered, any GigaSMART resources become cluster resources. For example, traffic from node 3 can forward to a tool on node 7, but also pass through GigaSMART GTP Correlation on node 6 as a single mapping operation. Without clustering, GigaSMART would have to be installed in each node where traffic intelligence operations like GTP Correlation were needed.
• GigaVUE TA Series nodes are highly useful in Service Provider environments where traffic from thousands of links needs to be aggregated before it is filtered and sent to tools.
Offering high port density but lacking the advanced feature set available from GigaVUE H Series nodes, the GigaVUE TA Series nodes may not have enough rules available for environments this large. When GigaVUE TA Series nodes are included in a cluster the available rule count is quadrupled.
• And, as service provider networks grow and evolve, the modular nature of most GigaVUE nodes means that it is easy to add support for emerging technologies and to change the port density or interface types.

Solution Scope
Identify the Requirements; Size the Solution
After choosing specific GigaVUE features for this solution, gather requirements information on a per-location basis. Requirements fall into a number of categories, but the two categories common to all architectures and solution designs relate to port counts and feature capacity.

Service Provider Solutions
The following information describes how to size and specify solutions involving features primarily used for just Service Provider environments.
• See the Architecting for Visibility training module for sizing solutions which include out of band monitoring
• See the Architecting for Security training module for sizing solutions which include GigaSECURE features
• See the Architecting for Cloud training module for sizing virtualized environment solutions
[Diagram: feature icons for GigaVUE-VM and GigaVUE® Nodes, Metadata Engine, Application Session Filtering, SSL Decryption and Inline Bypass.]
This module is focused upon sizing and specifying features primarily used just in Service Provider environments.
Refer to the Architecting for Visibility presentation for information about sizing and specifying typical out of band monitoring features which may be included. Refer to the Architecting for Security presentation for information about sizing and specifying GigaSECURE features which may be included. And refer to the Architecting for Cloud presentation for sizing and specifying features for virtualized environments which may be included.

1 Port Requirements Per Location
Calculate the total number of ports required for each location.

Port Speed   Inline Bypass   Network Ports   Tool Ports   Crossbox Ports   Total
1Gb          x               x               x            x                x
10Gb         x               x               x            x                x
40Gb         x               x               x            x                x
100Gb        x               x               x            x                x

• See Architecting for Visibility for sizing out of band monitoring solutions.
• See Architecting for Security for sizing inline bypass solutions.
• See Architecting for Cloud for sizing virtual monitoring solutions.
Utilize the general Architecting for Visibility presentation instructions for determining a count of required ports for out of band monitoring. If inline bypass is required, or if the GigaSMART features of NetFlow and Metadata, Adaptive Packet Filtering or Application Session Filtering, or SSL decryption are required, then utilize the Architecting for Security sizing instructions. If private, hybrid, or public cloud virtualization is involved, the Architecting for Cloud presentation describes what to watch for and how to size virtual traffic monitoring. The next section extends the previously described GigaSMART sizing instructions to include the GTP Correlation and FlowVUE GigaSMART features, which relate more specifically to Service Provider networks.
2 GTP Correlation
GTP Correlation selectively forwards GTP-U user data plus the associated GTP-C control messages to tools based on Subscriber IDs.
• Identify volumes of traffic for which GTP Correlation is required. Sum the total traffic in packets per second if possible, and in simple bandwidth as a secondary estimate option.
• Record the pps requirement per location and specify GigaSMART capacity accordingly.
Correlated subscriber traffic can be selected and forwarded to monitoring tools utilizing subscriber attributes such as IMSI, IMEI, MSISDN, or GTP session information, such as GTP Version or Mobile Core Logical Interface. Forwarded traffic on a network this large routinely exceeds the ability of a single tool to process, so stateful load balancing of traffic to tool groups can be configured too. Sum the traffic volume in packets per second, or at least in anticipated bandwidth, for each location. Then match GigaSMART engine capacity against the volume recorded per location to derive the needed number of GigaSMART engines at that location. Note that the required GigaSMART capacity for GTP Correlation in a service provider environment is typically a lot greater than for GigaSMART features in an average Enterprise network. As an example, the GigaSMART capacity for one cluster in a large service provider environment included eighteen GigaVUE HD Series GigaSMART line cards, though that capacity is used for Deduplication and FlowVUE too.

FlowVUE
FlowVUE provides for sampling of sessions within a selected volume of traffic.
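The forwarding decisions that this GTP Correlation slide and the FlowVUE slide that follows describe, as an added Python model that is not Gigamon's implementation: selection of correlated sessions by subscriber attribute and logical interface, FlowVUE-style sampling by session with the GTP whitelist taking precedence, and stateful load balancing across a tool group. The Session fields, IMSI prefixes, tool names and traffic are constructed; the hash-based selection is an assumption chosen to give per-session and per-subscriber consistency, not a description of the GigaSMART algorithm; the 500,000-subscriber whitelist limit is the figure stated on the page.

```python
# Added example, not Gigamon code: a model of the GTP Correlation, FlowVUE and
# stateful load-balancing decisions described on these slides. All traffic,
# identities and tool names are constructed; the hash-based selection is an
# assumption chosen for per-session consistency, not the GigaSMART algorithm.
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple

MAX_WHITELIST_SUBSCRIBERS = 500_000  # GTP Whitelist limit stated on the page


@dataclass(frozen=True)
class Session:
    """One correlated GTP session: the IMSI learned from GTP-C, the mobile core logical
    interface the GTP-U tunnel rides on, and the tunnel id its user-plane packets carry."""
    imsi: str
    interface: str
    teid: int


def _bucket(key: str, buckets: int) -> int:
    """Map a key to a stable bucket so every packet with that key gets the same decision."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big") % buckets


class SubscriberForwarder:
    def __init__(self, imsi_prefixes: Iterable[str], interfaces: Iterable[str],
                 sample_percent: float, whitelist: Iterable[str], tool_group: Sequence[str]):
        if not 0 <= sample_percent <= 100:
            raise ValueError("sample_percent must be between 0 and 100")
        self.imsi_prefixes = tuple(imsi_prefixes)
        self.interfaces = frozenset(interfaces)
        self.sample_percent = sample_percent
        self.whitelist = frozenset(whitelist)
        if len(self.whitelist) > MAX_WHITELIST_SUBSCRIBERS:
            raise ValueError(f"whitelist exceeds {MAX_WHITELIST_SUBSCRIBERS} subscribers")
        self.tool_group = list(tool_group)
        if not self.tool_group:
            raise ValueError("tool_group must name at least one tool")

    def selected(self, s: Session) -> bool:
        """GTP Correlation selection by subscriber attribute (IMSI prefix, e.g. MCC+MNC)
        and by mobile core logical interface."""
        return s.imsi.startswith(self.imsi_prefixes) and s.interface in self.interfaces

    def sampled(self, s: Session) -> bool:
        """FlowVUE-style sampling: a configured percentage of sessions, decided once per
        session; whitelisted subscribers always receive full-time monitoring."""
        if s.imsi in self.whitelist:
            return True
        return _bucket(f"session:{s.imsi}:{s.teid}", 10_000) < self.sample_percent * 100

    def tool_for(self, s: Session) -> str:
        """Stateful load balancing keyed on IMSI, so every session of a subscriber lands
        on the same tool and that tool sees the subscriber's complete context."""
        return self.tool_group[_bucket(f"subscriber:{s.imsi}", len(self.tool_group))]

    def decide(self, s: Session) -> Optional[str]:
        """Return the tool this session is forwarded to, or None if it is not forwarded."""
        if not self.selected(s) or not self.sampled(s):
            return None
        return self.tool_for(s)


def distribute(fwd: SubscriberForwarder, sessions: Iterable[Session]) -> Tuple[Dict[str, int], int]:
    """Summarize constructed traffic: sessions forwarded per tool, and the count not forwarded."""
    counts = {tool: 0 for tool in fwd.tool_group}
    dropped = 0
    for s in sessions:
        tool = fwd.decide(s)
        if tool is None:
            dropped += 1
        else:
            counts[tool] += 1
    return counts, dropped


if __name__ == "__main__":
    fwd = SubscriberForwarder(imsi_prefixes=("31026",), interfaces={"S1-U"}, sample_percent=10,
                              whitelist={"310260000000001"}, tool_group=["probe-1", "probe-2", "probe-3"])
    traffic = [Session(f"31026{i:010d}", "S1-U", 1000 + i) for i in range(1, 2001)]  # constructed
    print(distribute(fwd, traffic))
```

Two design choices carry the security-relevant point: sampling is keyed on the session, so a tool never sees half a session, and load balancing is keyed on the subscriber rather than the tunnel id, so a tool that needs a subscriber's full history is not starved of it when the subscriber's sessions are spread across the group.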
FlowVUE also works closely with the GTP Correlation feature to whitelist high-value subscribers.
• Identify volumes of traffic which should be sampled by session and sent for inspection. Sum the total traffic in packets per second if possible, and in simple bandwidth as a secondary estimate option.
• Record the pps requirement per location and specify GigaSMART capacity accordingly.
The GigaSMART FlowVUE feature monitors sessions within a selected volume of traffic, and then sends a configured percentage or count of those sessions to tools. The GTP Whitelist feature allows a defined list of up to 500,000 high-value subscribers to be chosen to receive full-time monitoring even with GTP-correlated FlowVUE processing enabled. Sum the traffic volume in packets per second, or at least in anticipated bandwidth, for each location. Then match GigaSMART engine capacity against the volume recorded per location to derive the needed number of GigaSMART engines at that location. If updating an existing deployment to support whitelisting, be sure to verify that the version 2 control card for the GigaVUE node has the current shipping amount of RAM, or include the upgrade kit.

GigaSMART Requirements
Utilize the combined pps or bandwidth requirements for all GigaSMART features to choose a combination of GigaVUE nodes and the corresponding GigaSMART module count that will satisfy the GigaSMART capacity requirement per location.
GigaSMART capacity per node type (total engines at that module count @ bandwidth per engine):

               GigaVUE-HB1   GigaVUE-HC1   GigaVUE-HC2   GigaVUE-HC3   GigaVUE-HD4   GigaVUE-HD8
1 Module       1 @ 10Gb      1 @ 20Gb      1 @ 40Gb      2 @ 100Gb     2 @ 40Gb      2 @ 40Gb
2 Modules      —             —             2 @ 40Gb      4 @ 100Gb     4 @ 40Gb      4 @ 40Gb
3 Modules      —             —             3 @ 40Gb      6 @ 100Gb     —             6 @ 40Gb
4 Modules      —             —             4 @ 40Gb      8 @ 100Gb     —             8 @ 40Gb
5 Modules      —             —             5 @ 40Gb      —             —             10 @ 40Gb
6 Modules      —             —             —             —             —             12 @ 40Gb

Interpretation: 2 @ 40Gb equals two engines per module operating at up to 40Gb per engine (80Gb for the module).
Performance is measured in packets per second, per engine, so use the total packets per second requirements per feature to calculate the needed number of GigaSMART engines. Since packets per second data is rare, as a rough calculation the bandwidth estimates for all GigaSMART features can be used to find approximate GigaSMART module counts that will satisfy the GigaSMART capacity requirement per location. The first row of the table includes the GigaVUE-HB1 and GigaVUE-HC1, which have GigaSMART functionality built into the system board. The other node types show the supported number of GigaSMART engines per module, along with the interface bandwidth for each engine. To help interpret the table, the bottom right cell indicates that the GigaVUE-HD8 supports up to six modules per node, with a total of twelve engines available from six modules. Each engine supports up to 40Gb of traffic. Calculated out, the bottom right cell indicates that a fully loaded GigaVUE-HD8 offers up to 480 gigabits per second of GigaSMART capacity. Refer to the Architecting for Visibility presentation for more information about sizing and GigaSMART requirements which may be needed.

Module Requirements
Update the total port counts to pick node and module combinations to match.
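The sizing arithmetic from the GigaSMART Requirements table, carried through to the module and chassis counts this Module Requirements step asks for, as an added Python example that is not Gigamon tooling. The node names, engines per module, bandwidth per engine and maximum module counts are transcribed from the table above; the per-location feature demands and growth allowance are constructed; and the pps-per-engine rating taken by engines_for_pps is a placeholder argument, since the page gives bandwidth per engine but no pps ratings. Bandwidth is used as the rough estimate the text allows when pps data is unavailable.

```python
# Added example, not Gigamon tooling: GigaSMART engine, module and chassis sizing per
# location from the capacity table on this page. Capacities are transcribed from the
# table; demand figures and growth allowance are constructed; pps ratings are not on
# the page, so engines_for_pps takes the rating as an argument.
import math
from dataclasses import dataclass
from typing import Dict, List

# (engines per module, Gbps per engine, maximum modules per chassis) per node type.
# The HB1 and HC1 have GigaSMART on the system board and are entered as a single module.
GIGASMART_CAPACITY = {
    "GigaVUE-HB1": (1, 10, 1),
    "GigaVUE-HC1": (1, 20, 1),
    "GigaVUE-HC2": (1, 40, 5),
    "GigaVUE-HC3": (2, 100, 4),
    "GigaVUE-HD4": (2, 40, 2),
    "GigaVUE-HD8": (2, 40, 6),
}


@dataclass(frozen=True)
class Sizing:
    node: str
    demand_gbps: float      # combined feature demand including growth allowance
    engines: int            # GigaSMART engines needed
    modules: int            # GigaSMART modules that provide those engines
    chassis: int            # chassis of this node type needed to hold the modules
    installed_gbps: int     # capacity of the modules actually installed
    utilization: float      # demand / installed capacity


def chassis_capacity_gbps(node: str) -> int:
    """Capacity of a fully loaded chassis, e.g. 480 for the GigaVUE-HD8 as the text works out."""
    engines_per_module, gbps_per_engine, max_modules = GIGASMART_CAPACITY[node]
    return engines_per_module * gbps_per_engine * max_modules


def engines_for_pps(pps_demand: float, pps_per_engine: float) -> int:
    """Preferred sizing when pps figures exist; pps_per_engine is a datasheet rating not on this page."""
    if pps_per_engine <= 0:
        raise ValueError("pps_per_engine must be positive")
    return math.ceil(pps_demand / pps_per_engine)


def size_location(node: str, demand_by_feature_gbps: Dict[str, float], growth: float = 0.0) -> Sizing:
    """Size one location: sum all GigaSMART feature demands, allow for growth, then round up
    to whole engines, whole modules and whole chassis for the chosen node type."""
    if node not in GIGASMART_CAPACITY:
        raise KeyError(f"unknown node type {node!r}")
    if growth < 0:
        raise ValueError("growth must be a non-negative fraction")
    engines_per_module, gbps_per_engine, max_modules = GIGASMART_CAPACITY[node]
    demand = sum(demand_by_feature_gbps.values()) * (1.0 + growth)
    engines = math.ceil(demand / gbps_per_engine)
    modules = math.ceil(engines / engines_per_module)
    chassis = math.ceil(modules / max_modules)
    installed = modules * engines_per_module * gbps_per_engine
    utilization = round(demand / installed, 3) if installed else 0.0
    return Sizing(node, round(demand, 2), engines, modules, chassis, installed, utilization)


def compare_nodes(demand_by_feature_gbps: Dict[str, float], growth: float = 0.0) -> List[Sizing]:
    """Size the same location on every node type; fewest chassis, then fewest modules, first."""
    results = [size_location(n, demand_by_feature_gbps, growth) for n in GIGASMART_CAPACITY]
    return sorted(results, key=lambda s: (s.chassis, s.modules, -s.utilization))


if __name__ == "__main__":
    # Constructed per-location demand for the three features the text names for this environment.
    demand = {"GTP Correlation": 150.0, "FlowVUE": 60.0, "Deduplication": 90.0}
    for sizing in compare_nodes(demand, growth=0.25):
        print(sizing)
```

Running compare_nodes across the table makes the trade-off visible: for the same demand the GigaVUE-HC3 needs fewer modules, while the GigaVUE-HD8 carries more headroom per chassis, which is the kind of comparison the module-matching step wants before port modules are substituted for GigaSMART modules with ports.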
List the resulting module types separately, then match the module totals against chassis capacity, allowing as required for expected growth per location. Substitute port modules for GigaSMART modules having ports where appropriate.
Use the updated GigaSMART module requirement and any updated totals for port counts to review the module and line card choices for each node type in order to produce deployment options for each location.

Thank You
This completes the training module describing Service Provider solution sizing.