General bypass application v1.4 2016
Uploaded by christian-ferenz. Category: Technology.
Optical & Electrical Bypass
with any Packetmaster EX
Advantage of Bypass Solution
Cubro offers bypass solutions from 10 Mbit up to 100 Gbit
Cubro bypass solution is flexible in terms of changing interface type
Cubro bypass solution offers integrated monitoring function
Available on all Packetmaster EX models
Cubro bypass solution is flexible in terms of changing bandwidth
Best price/performance ratio per link
2 years warranty, no port activation fee, no add-on software fees.
Full REST API for easy integration and script language support on all units
CUSTOMER SATISFACTION
General function
Bypass Switches provide fail-safe Inline tool protection for your security and monitoring devices.
The last software upgrade gives every Cubro Packetmaster the ability to work as a bypass switch with heartbeat functionality. The Cubro Bypass solution supports data rates from 1 to 100 Gbit.
Special Features:
• Multilink support
• Multiple heartbeats for multiple service testing
• Input output traffic compare option
• Monitoring support
• Switch to spare support
• Packet Broker and Bypass in one unit support
• Flexibility
• Security feature
• DDoS protection
Cubro Bypass Concept
Any Cubro Packetmaster has the ability to work as a bypass switch with heartbeat functionality, on any port at any port speed.
But the Packetmaster is not failsafe!
This is the reason we need the external bypass switch to make the Packetmaster failsafe!
This modular concept reduces the cost and brings a lot of flexibility.
[Diagram: management connection]
Each Packetmaster EX can work as Bypass Switch
Each Packetmaster can produce heart beat packets, and with its inline switching function it works as a bypass switch combined with an NPB. The table below shows the number of links that every EX can support. By using an external optical or copper switch the number of links can be doubled.
Bypass links per model (columns: copper link, fibre link 1 Gbit, fibre link 10 Gbit, fibre link 40 Gbit, fibre link 100 Gbit)
EX2 1 1** 1** 0 0
EX5-2 12 1 0 0
EX6 0 12 1 0 0
EX12 4 2 3 0 0
EX32 0 8* 8* 0 0
EX32+ 0 8* 8* 0 0
EX484-3 0 12* 12* 1 0
EX48400 0 12* 12* 1 1
EX20400 0 0 20* 12* 1
* alternative usage
** with external optical switch
Gbit Copper Bypass with EX2
normal function Device fail mode
Gbit Copper Bypass with EX2
Monitoring option Spare device option
1 or 10 Gbit fiber bypass with EX2
• User defined heartbeat
• Changes of interface type (SM/MM) only by changing the switch and the SFP in the EX2
• Separate working mode in EX2
• Web UI configuration with EX2 GUI
• Monitoring function
1 or 10 Gbit fibre bypass with EX2 function diagram
• Working mode, heart beat path
• Working mode, non heart beat path
• Device failure mode: even in failure mode the EX is still checking the bypassed device for recovery.
• Power outage failure mode: the optical switch is automatically closing the connection.
1 or 10 Gbit fibre bypass with EX2 feature set
• User defined heart beat traffic
• Monitoring capabilities
• Multiple bypass trigger options:
  • Heart beat
  • Port down
  • Management port ping
  • Inline port ping
  • REST API active device checking via management port
  • External Web or SSH trigger
  • Time trigger
  • Inline bandwidth check
• In port black list filter
1 or 10 Gbit fibre bypass with EX2 technical data
Switching time < 100 ms (power out)
Detection time on device failure < 1 sec
Insertion Loss: Network Port: 1.25 dB, Monitoring Port: 1.25 dB
Management via WEB or SSH or REST API
1 or 10 Gbit fibre bypass with EX2
The kit comes with all the parts you need to bypass 1 optical link:
CUB.HTB-BY-SM-1G-KIT
CUB.HTB-BY-MM-1G-KIT
CUB.HTB-BY-SM-10G-KIT
CUB.HTB-BY-MM-10G-KIT
The kit comes with all the parts you need to bypass a copper link:
CUB.HTB-BY-RJ45-1G-KIT
3 link MM or SM solution
The Cubro Bypass for 100 Gbit per link in multimode is realized with optical MEMS switches. Each link uses 2 switches combined into one module. The switching mechanism offers the reliability of a solid state device. By implementing latched optical switches power is only needed during switching. Even if the power fails the optical switches stay in the programmed state.
Options to activate the bypass:
1. manually via SSH or HTTP
2. power fail
3. smart detection of the bypassed device
optical output power
Optical Parameters SM:
Wavelength 1260 - 1700 nm
Insertion Loss 1 - 2 dB
Crosstalk 75 dB
Return loss 55 dB
Polarisation Dependent Loss 0.03 dB
Optical Parameters MM:
Wavelength 850 nm
Insertion Loss 1 – 2.5 dB
Crosstalk 75 dB
Return loss 55 dB
Polarisation Dependent Loss 0.03 dB
Switching Time 0.4 ms
Durability cycles No wear
Advantage
• Cheaper than old solution
• Up to 3 links in 1 U
• MM and SM and Copper combination
• More flexibility in case of change from MM to SM
• Works for 100/1 Gbit/10 Gbit/100 Gbit
2 links in 1 U
Bypass standalone function
live mode passive mode
The bypass switch can be controlled via RS232 or Ethernet interface. The configuration can be manual or fully automated (for example by a Packetmaster).
Option 1 multimode (SR) solution
The Cubro bypass for a 40 and 100 Gbit multimode link is realized with MEMS optical switches. Per link 16 switches are used; these 16 switches are combined into one module. The switching mechanism offers the reliability of a solid state device. The optical switch is a latched version, which means it needs power only during switching. Even when power fails the optical switch stays in the programmed state.
Options to activate the bypass:
1) manually via SSH or HTTP
2) power fail
3) smart detection of the bypassed device
Optical Parameters:
Wavelength 850 nm
Insertion Loss 1 – 2.5 dB
Crosstalk 75 dB
Return loss 55 dB
Polarisation Dependent Loss 0.03 dB
Switching Time 0.4 ms
Durability cycles No wear
Packetmaster EX12
Packetload 176 Gbit
Ports Gbit 8 SFP or 8 Base-T
Ports 10 Gbit 12 SFP/SFP+
Ports 40 Gbit none
GUI CLI/WEB/GUI
Packetbuffer YES
Delay 2 µs
Dual Power YES
• 12000 Filters Layer 4
• MPLS tag/detag
• VLAN tag/detag
• Header modification Layer 4
• Load balancing Layer 3
• GRE de/encapsulation
• All ports activated
• All software activated
• Low power design
Old and new Bypass switch
New modular concept
• 3 links in one U or 20 links in 3 U (Flex module, similar to Flex Tap)
• SM MM Copper mixed configuration
• Easily expandable
• Cheaper
General Function
10 Gbit firewall bypass with monitoring output
monitoring before and after firewall !
Normal Operation
The traffic passes the optical bypass with no delay, then passes the EX12 with a very small delay of < 1 µs. The EX12 adds heart beat traffic. These heart beat packets pass the firewall and the EX12 detects them again. If the number of heart beats per second is correct, the EX12 knows the firewall is working properly.
Firewall fail
If the heart beat packets are not detected by the EX12, the Packetmaster goes into bypass mode and bypasses the firewall. The switching time is in the range of 3 µs.
Firewall fail and re-route to spare
If a spare firewall is available, the Packetmaster can also re-route the traffic to this unit. This feature is also available as a manual function for software testing and upgrades.
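The heart beat decision described in the three slides above (normal operation, firewall fail, re-route to spare), as an added simulation that is not Cubro code and uses no Packetmaster API. The heartbeat rate, the tolerance and the three-interval recovery hold-down are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    INLINE = "inline"   # traffic passes through the primary tool
    SPARE = "spare"     # traffic re-routed to the spare tool
    BYPASS = "bypass"   # tool is skipped, link stays up


@dataclass
class HeartbeatMonitor:
    expected: int = 10       # heartbeats injected per second (assumed)
    tolerance: int = 1       # accepted deviation per interval (assumed)
    recover_after: int = 3   # healthy intervals before re-insertion (assumed)
    has_spare: bool = False
    mode: Mode = Mode.INLINE
    good_streak: int = 0

    def healthy(self, returned: int) -> bool:
        # Too few heartbeats means loss; too many means duplication or a loop.
        return abs(returned - self.expected) <= self.tolerance

    def tick(self, primary: int, spare: int = 0) -> Mode:
        """Evaluate one 1-second interval of returned heartbeat counts."""
        primary_ok = self.healthy(primary)
        spare_ok = self.has_spare and self.healthy(spare)
        if self.mode is Mode.INLINE:
            if not primary_ok:
                self.good_streak = 0
                self.mode = Mode.SPARE if spare_ok else Mode.BYPASS
            return self.mode
        # Failure mode: the primary is still probed so recovery is noticed.
        self.good_streak = self.good_streak + 1 if primary_ok else 0
        if self.good_streak >= self.recover_after:
            self.mode = Mode.INLINE
        elif self.mode is Mode.SPARE and not spare_ok:
            self.mode = Mode.BYPASS   # spare failed too: fail open
        return self.mode


def replay(monitor: HeartbeatMonitor, samples) -> list:
    """Feed (primary, spare) counts per second; return the mode after each."""
    return [monitor.tick(p, s).value for p, s in samples]


# Constructed sample: firewall stops returning heartbeats at t=2, recovers at t=5.
SAMPLES = [(10, 10), (10, 10), (0, 10), (0, 10), (0, 10),
           (10, 10), (9, 10), (10, 10), (10, 10)]

if __name__ == "__main__":
    print(replay(HeartbeatMonitor(), SAMPLES))
    print(replay(HeartbeatMonitor(has_spare=True), SAMPLES))
```

In BYPASS mode the link stays up but traffic is no longer inspected by the firewall, so every mode change is worth an alert in the monitoring system.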
PM fail
In the theoretical case that the Packetmaster fails, the optical bypass will bypass the Packetmaster to ensure the firewall works normally.
The Packetmaster sends keep alive messages to the Bypass switch so that the Bypass knows the status of the Packetmaster.
Monitoring Function
The monitoring function is available in any operation mode. It supports layer 4 filtering and port aggregation to any monitoring device.
Security Function 1/3
This solution also provides a security option. The EX12 offers 12000 filter rules; these rules can be used to block unwanted traffic with hardware filters based on blacklists, for example per country.
The EX12 is immune to DoS attacks because there is no software stack. The Packetmaster can also provide a bandwidth meter function that can limit the incoming traffic to protect the firewall.
Security Function 2/3
Security Function 3/3
DDoS detection through a dedicated probe, for example the Cubro Probe. The probe is a NetFlow probe which can detect fraud and send this information to the Packetmaster, where this traffic can be blocked.
Packetmaster EX20400
• 64000 Filters Layer 4
• MPLS tag/detag
• VLAN tag/detag / Q in Q
• Header modification Layer 4
• Load balancing Layer 4
• GRE de/encapsulation
• VXLAN de/encapsulation
• All ports activated
• All software activated
• Low power design
• Jumbo Frames 12000 Bytes
Packetload 2.4 Tbps
Ports 40 Gbit 20
Ports 100 Gbit 4
GUI CLI/WEB/GUI
Packetbuffer YES
Delay 1 µs
Dual Power YES
4 x 10 Gbit 20 x 40 Gbit + 4 x 100 Gbit 84 x 10 Gbit (with breakout cable) + 4 x 100 Gbit
100 Gbit
Normal Operation 100 Gbit (LR4) Bypass
100 Gbit bypass and load balancing for active probes
Application: inline 100 Gbit link, with session-aware load balancing of the traffic to several 10 Gbit live probes.
The probes process the traffic and the PM aggregates the traffic back to the live link.
In case of a probe failure the PM rebalances the traffic to the remaining probes.
In case of a PM error the optical switch bypasses the full solution.
Multi link multi device application with EX32
1. Traffic from the protecting optical bypass switch.
2. Traffic is sent from input to the LB group 1 and 3 (2a).
3. Traffic received from the IPS is filtered; port 80 and 8080 is sent to the WAF, all traffic is sent to 6 and inserted into the live link.
4. All http/https traffic is forwarded to the WAF; the traffic received from the WAF (5) is reinserted into the live link (6).
EX32 with 2 link bypass switch
To integrate spare units there are two options.
1) Add the spare units to the LB group; these spare ports are shut down. In case of a failure the original ports are shut down and the spare ports come up and start working.
2) Configure 6 load balancing groups and move the traffic by changing the rules.
Option 1 is faster in terms of service recovery.
Multilink bypass solution
16 link bypass solution
16 optical bypass switches in a 19” Cubro flex frame
2 x EX32 for heart beat detection.
Support / Additional Questions
If you have any additional questions or need help, contact us.
EMEA
Cubro Acronet GesmbH, Geiselbergstr. 17, Floor 5 & 6, 1110 Vienna, Austria
Tel.: +43 1 29826660, Fax: +43 1 2982666399
Email: [email protected]
North America
Cubro US, 337 West Chocolate Ave, Hershey, PA 17033
Tel.: 717-576-9050, Fax: 866-735-9232
Sam Reed, Email: [email protected]
APAC
Cubro Asia Pacific, 175A, Bencoolen Street #08-06/07, Burlington Square, Singapore - 189650
Tel.: +65-97255386
Joe Lim, Email: [email protected]
www.cubro.net