Monitoring Tunneled Traffic over SPAN Port

Telecom Core Network Monitoring with Link-Capture™ Software
Platform
Napatech SmartNIC
Content Type
Application Note
Capture Software Version
Link™ Capture Software 12.11

Napatech SmartNICs can distribute tunneled traffic over SPAN port to multiple CPU cores based on subscriber IP addresses.

Tunneled traffic over SPAN port

This figure shows an example of the tunneled traffic monitoring over span port in the telecom core network.


An example of the tunneled traffic monitoring over span port in the telecom core network. The SmartNIC receives upstream traffic and downstream traffic on the same port in this example.

The SmartNIC receives upstream traffic and downstream traffic on the same port in this example.

Delivering tunneled traffic from/to one subscriber to the same stream

The IP addresses of SGW and PGW are used to determine whether a frame is upstream or downstream traffic in this setup. See figure Tunneled traffic over SPAN port. This is an NTPL example for IPv4 traffic.
Define SGW = Macro("3")
Define PGW = Macro("4")
Define IPv4SrcField = Field(Layer3Header[12]/32)
Define IPv4DstField = Field(Layer3Header[16]/32)
Define HashUp = Hash(HashWord0_3=InnerLayer3Header[12]/32)
Define HashDown = Hash(HashWord0_3=InnerLayer3Header[16]/32)

KeyType[Name=kt_IPv4; Access=Full] = {32}
KeyDef[Name=IPv4Src; KeyType=kt_IPv4] = (IPv4SrcField)
KeyDef[Name=IPv4Dst; KeyType=kt_IPv4] = (IPv4DstField)
KeyList[KeySet = SGW; KeyType = kt_IPv4] = ([10.10.10.1])
KeyList[KeySet = PGW; KeyType = kt_IPv4] = ([172.20.20.1])

Assign[StreamId=(0..3); Hash= HashUp] = Key(IPv4Src)==SGW OR Key(IPv4Dst)==PGW
Assign[StreamId=(0..3); Hash= HashDown] = Key(IPv4Src)==PGW OR Key(IPv4Dst)==SGW
This is an NTPL example for IPv6 traffic.
Define SGW = Macro("3")
Define PGW = Macro("4")
Define IPv6SrcField = Field(Layer3Header[8]/128)
Define IPv6DstField = Field(Layer3Header[24]/128)
Define HashUp = Hash(HashWord0_3=InnerLayer3Header[8]/128)
Define HashDown = Hash(HashWord0_3=InnerLayer3Header[24]/128)

KeyType[Name=kt_IPv6; Access=Full] = {128}
KeyDef[Name=IPv6Src; KeyType=kt_IPv6] = (IPv6SrcField)
KeyDef[Name=IPv6Dst; KeyType=kt_IPv6] = (IPv6DstField)
KeyList[KeySet = SGW; KeyType = kt_IPv6] = ([23a8:0cd6:0:0:0:0:0:1])
KeyList[KeySet = PGW; KeyType = kt_IPv6] = ([2001:0db8:0:0:0:0:0:10])

Assign[StreamId=(0..3); Hash= HashUp] = Key(IPv6Src)==SGW OR Key(IPv6Dst)==PGW
Assign[StreamId=(0..3); Hash= HashDown] = Key(IPv6Src)==PGW OR Key(IPv6Dst)==SGW
These configuration examples carry out the following scenario.
  • The SmartNIC receives upstream traffic and downstream traffic on the same port.
  • The IP addresses of the gateways (SGW and PGW) are used to determine whether a frame is upstream or downstream traffic.
    • Upstream traffic: The outer-layer source IP address field of a frame contains the SGW IP address, and the outer-layer destination IP address field contains the PGW IP address.
    • Downstream traffic: The outer-layer source IP address field of a frame contains the PGW IP address, and the outer-layer destination IP address field contains the SGW IP address.
  • The hashing is done based on the inner header of a frame where the IP address of a subscriber is located.
    • Upstream traffic: The inner-layer source IP address field is used for hashing.
    • Downstream traffic: The inner-layer destination IP address field is used for hashing.
  • As a result, all the traffic from/to one subscriber is delivered to the same stream on the host.
See DN-0987 for more information on the key match functionality.