Enable tools to monitor large number of subscribers by reducing the packets per flow (5.10.01)

Introduction

Modern Network Operations Centers (NOCs) depend heavily on the ability to collect, correlate, and analyze mobile network events to identify and respond to security threats. Depending on the subscriber base and the volume of traffic, monitoring all subscribers' traffic can severely constrain the existing network monitoring probes and require either procuring new probes or upgrading the existing ones. Instead, service providers can get better ROI by optimizing the traffic to be monitored. This Gigamon Validated Design (GVD) illustrates how to achieve that goal using a combination of whitelisting, sampling, and Advanced Flow Slicing (AFS).

Design Overview

The following example illustrates the deployment of the Gigamon Subscriber-Aware Filtering and Advanced Flow Slicing (AFS) solution in a service provider's 5G mobile core network that has Gigamon devices deployed at two sites: San Francisco (CPN) and San Jose (UPN).

At the San Francisco site, control plane traffic tapped from interfaces N11 (HTTP2 packets) and N4 (PFCP packets) is fed to CPN1 and CPN2 for correlation before the traffic is forwarded to network monitoring probes for inspection.

Note: CPN1 and CPN2 are logical entities placed in a single Gigamon chassis with one dedicated GigaSMART engine each.

At the San Jose site, user plane traffic tapped from the N3 interface (GTP-U packets) is optimized using AFS so that only the first 10 packets per subscriber are forwarded to the correlation engine. After correlation, the traffic is looped back and is subjected to whitelisting of VIP, high-value, or suspicious subscribers using SUPI, and the remaining traffic is further optimized by sampling at 80% before being forwarded to the probes for inspection. The UPN Gigamon device has two GigaSMART engines: one for applying AFS and another for applying GTP correlation, whitelisting, and sampling.

The illustration depicts a physical loopback feeding traffic between the GigaSMART engines. Alternatively, a hybrid port can be used (recommended). The CPN and UPN devices are connected via an IP network for programming the UPN.

Figure 1: Gigamon Subscriber-Aware Filtering and Advanced Flow Slicing solution
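The user plane stages described above (AFS, correlation, SUPI whitelisting, 80% sampling) can be modeled in a few lines to estimate how much traffic reaches the probes. This is an added Python sketch, not Gigamon configuration or code from the GVD. Assumptions: flows are keyed by GTP-U TEID, correlation is a plain TEID-to-SUPI lookup, whitelisted subscribers bypass sampling, sampling is a per-subscriber hash, uncorrelated packets are dropped, and all SUPIs and TEIDs are constructed.

```python
import hashlib
from collections import Counter

AFS_PACKET_LIMIT = 10   # from the page: first 10 packets are forwarded
SAMPLE_PERCENT = 80     # from the page: remainder sampled at 80%

def afs_slice(packets, limit=AFS_PACKET_LIMIT):
    """Keep the first `limit` packets of each flow (assumption: flow key = GTP-U TEID)."""
    seen, kept = Counter(), []
    for pkt in packets:
        seen[pkt["teid"]] += 1
        if seen[pkt["teid"]] <= limit:
            kept.append(pkt)
    return kept

def in_sample(supi, percent=SAMPLE_PERCENT):
    """Assumed sampling rule: hash the SUPI into 100 buckets so a subscriber
    is either always or never forwarded."""
    digest = hashlib.sha256(supi.encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 < percent

def to_probes(packets, teid_to_supi, whitelist):
    """AFS, then TEID->SUPI correlation, then whitelist, then sampling."""
    out = []
    for pkt in afs_slice(packets):
        supi = teid_to_supi.get(pkt["teid"])
        if supi is None:
            continue  # assumption: uncorrelated packets are not forwarded
        if supi in whitelist or in_sample(supi):
            out.append({**pkt, "supi": supi})
    return out

def build_sample(subscribers=200, packets_per_flow=50):
    """Constructed input: one flow per subscriber, fake SUPIs and TEIDs."""
    teid_to_supi = {0x1000 + i: f"imsi-00101{i:010d}" for i in range(subscribers)}
    packets = [{"teid": t, "seq": n} for n in range(packets_per_flow) for t in teid_to_supi]
    return packets, teid_to_supi

if __name__ == "__main__":
    packets, mapping = build_sample()
    # Whitelist one subscriber that sampling alone would have dropped.
    vip = next(s for s in mapping.values() if not in_sample(s))
    forwarded = to_probes(packets, mapping, {vip})
    print(f"tapped={len(packets)} after_afs={len(afs_slice(packets))} to_probes={len(forwarded)}")
    print("VIP packets forwarded:", sum(p["supi"] == vip for p in forwarded))
```

In this model a whitelisted subscriber still contributes only its first 10 packets, because AFS runs ahead of the whitelist stage in the described design.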

To learn more about this solution, read the complete details on the Gigamon Community: Enable-tools-to-monitor-large-number-of-subscribers-by-reducing-the-packets-per-flow-5-10-01.