Open Packet Broker powered by SONiC: Next Generation NPB Solution - NPB 2.0
written by Asterfusion
Introduction
In enterprise and data center networks, sending full link traffic directly to every monitoring tool does not scale: the tools are numerous and the links are fast. Network Packet Brokers (NPBs) address this by processing the captured traffic and forwarding only the relevant streams to each analysis platform, so no tool is overloaded.
Asterfusion’s Open Packet Broker powered by SONiC, the NPB 2.0 solution, builds on this model and extends it with the hardware advantages of the CX-M and 800G switch platforms. It uses ARS Flowlet for intelligent traffic distribution within LAGs and integrates with an OpenWiFi controller. Together with a Web UI and one-click DevOps deployment, this gives centralized policy management and supports high-bandwidth deployments from 100G to 800G.
Together, these strengths meet diverse requirements, from enterprise campuses to large-scale data centers.
Ⅰ. Traditional TAP & NPB: Status & Limitations
To understand the Open Packet Broker powered by SONiC (the NPB 2.0 solution), let’s first look at the traditional TAP and NPB solution and the role of each device. This gives a clear baseline for comparison with NPB 2.0.

Let’s first understand the two types of devices:
TAP: A network TAP is physically deployed in-line on each critical link. It copies the traffic on that link and sends the copy to the NPB for centralized processing, without affecting communication on the original link. It can be considered the bridge between the production network and the NPB fabric (only passive TAPs are discussed here).
NPB: Network Packet Broker, typically deployed between TAPs and monitoring/security tools. It is responsible for aggregating traffic from multiple TAPs and performs forwarding, filtering, or load balancing based on policies. The NPB delivers traffic downstream in a pass-through manner without modifying the original frames.
Additionally, if no TAP is deployed in the network, SPAN (traffic mirrored from switch ports or VLANs) can be used. This traffic is also aggregated and further processed by the NPB.
The diagram above (Figure 1) shows how the NPB network connects to the production network. The NPB workflow can be summarized as: receive mirrored traffic from TAP or SPAN interfaces → stay transparent to the production network → forward based on packet fields (MAC, VLAN, port, IP, or protocol), with basic aggregation and filtering → output the processed traffic to IDS/IPS, monitoring, or analysis platforms.
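The field-based filter-and-forward step in that workflow, written out as an added Python example (this is not Asterfusion’s or SONiC’s code). It parses the Ethernet/802.1Q/IPv4/TCP-UDP headers an NPB matches on and applies an ordered policy list. The rule semantics (first match wins, unmatched frames are dropped), the tool port names and the sample frames are assumptions made for the example.

```python
"""Field-based NPB classification (added example). Assumed, not from the page:
policies are an ordered list, first match wins, unmatched frames are dropped."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Fields:
    """Header fields an NPB can filter on; None means 'absent from this frame'."""
    dst_mac: bytes
    src_mac: bytes
    vlan: Optional[int] = None
    proto: Optional[int] = None
    src_ip: Optional[IPv4Address] = None
    dst_ip: Optional[IPv4Address] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_frame(frame: bytes) -> Fields:
    """Walk Ethernet -> optional 802.1Q -> IPv4 -> TCP/UDP, stopping at any absent layer."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    f, off = Fields(dst_mac=dst, src_mac=src), 14
    if ethertype == ETH_P_8021Q and len(frame) >= off + 4:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        f.vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return f
    ihl = (frame[off] & 0x0F) * 4
    f.proto = frame[off + 9]
    f.src_ip = IPv4Address(frame[off + 12:off + 16])
    f.dst_ip = IPv4Address(frame[off + 16:off + 20])
    off += ihl
    if f.proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= off + 4:
        f.src_port, f.dst_port = struct.unpack_from("!HH", frame, off)
    return f


@dataclass
class Rule:
    """One filter-and-forward policy; every field that is not None must match."""
    tool_port: str
    vlan: Optional[int] = None
    proto: Optional[int] = None
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None
    dst_port: Optional[int] = None

    def matches(self, f: Fields) -> bool:
        return all((
            self.vlan is None or f.vlan == self.vlan,
            self.proto is None or f.proto == self.proto,
            self.src_net is None or (f.src_ip is not None and f.src_ip in self.src_net),
            self.dst_net is None or (f.dst_ip is not None and f.dst_ip in self.dst_net),
            self.dst_port is None or f.dst_port == self.dst_port,
        ))


def broker(frame: bytes, rules: List[Rule]) -> Optional[str]:
    """Return the tool port of the first matching rule, or None (drop)."""
    f = parse_frame(frame)
    for r in rules:
        if r.matches(f):
            return r.tool_port
    return None


# Constructed sample policy (tool port names are assumed): HTTPS into the server
# range goes to the IDS, DNS to a DNS probe, and everything on VLAN 100 to a probe.
POLICY = [
    Rule("Ethernet10/ids", proto=IPPROTO_TCP, dst_net=IPv4Network("10.0.0.0/8"), dst_port=443),
    Rule("Ethernet11/dns-probe", proto=IPPROTO_UDP, dst_port=53),
    Rule("Ethernet12/vlan100-probe", vlan=100),
]


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int, vlan=None) -> bytes:
    """Construct a minimal IPv4 frame for testing (checksums left at zero)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # ports are the first 4 bytes for TCP and UDP
    return eth + ip + l4
```

Rule order matters: a VLAN 100 frame that is also HTTPS into 10.0.0.0/8 goes to the IDS because that rule is listed first, which is how a real NPB policy table behaves and why the order of policies pushed by automation must be deterministic.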
In this model, separate TAP and NPB devices are required, which adds procurement cost. For high-speed links such as 400G and 800G, the options for capturing traffic are also more limited. The lack of a unified management platform, together with low flexibility and high deployment cost in SMB environments, is a critical issue that traditional solutions must address.
Asterfusion Open Packet Broker powered by SONiC NPB2.0 not only resolves the above problems but also delivers additional benefits.
Ⅱ. Asterfusion NPB 2.0: Core Upgrades
NPB 2.0, the Open Packet Broker powered by SONiC, is not merely an enhancement of traditional solutions but a containerized architecture built on the SONiC NOS, delivering innovation in architecture, functionality, and deployment model to address these challenges.
Its core advantages include:
- Containerization & Open Platform: As a key feature of the Open Packet Broker powered by SONiC, the solution is built on the open Enterprise SONiC platform and inherits SONiC’s openness and flexibility. The Packet Broker runs as a container on SONiC, enabling modular feature expansion and rapid iteration. Users can upgrade NPB functionality without replacing hardware, while the Web UI reduces operational complexity.
- Network Simplification: NPB 2.0 supports flexible deployment modes, operating as an out-of-band monitoring agent or in In-line deployment. In In-line mode it provides real-time protection for traffic passing through the security tools (e.g., blocking, packet modification), reducing the number of physical TAP devices and simplifying the network architecture.
- Native Integration of Intelligence & Security
  - Automation Ready: Natively integrated with Ansible, supporting batch policy deployment and management via playbooks so the NPB fits into DevOps workflows (DevOps being the practice named by Belgian IT consultant Patrick Debois).
  - Network Monitoring: A built-in Prometheus exporter on AsterNOS, working with Grafana, enables monitoring of the NPB device’s own status and of network traffic metrics.
  - Link-Level Security: Built-in MACsec encryption ensures the confidentiality and integrity of monitoring data transmitted over carrier dark fiber.
- Hardware Acceleration & High-Speed Interconnect
  - Intelligent Traffic Scheduling: Supports ARS Flowlet-based LAG load balancing, which resolves the packet loss that “elephant flows” cause within the NPB network.
  - High-Speed Optical Connectivity: Supports 400G/800G ZR/ZR+ optical modules. This suits high-speed data center tap scenarios and also allows tap signals from long-distance (up to 110 km) DCI/MAN links to be processed directly, or the NPB itself to be used with ZR modules for long-haul connectivity, saving dedicated transport equipment.
For more about the NPB 2.0 architecture and capabilities, please refer to SONiC-based Network Packet Broker 2.0: Transforming Network Visibility and Efficiency.
While discussing features provides a foundation, the real benefits become clear when applied to specific scenarios. Next, we will illustrate the tangible experiences and gains NPB 2.0 delivers for customers from three perspectives: DCI Egress, SMB Environments, and DevOps Operations.
Ⅲ. Open Packet Broker powered by SONiC (NPB 2.0): Scenario-Specific Value
To facilitate understanding, the following diagram illustrates the operational workflow of NPB 2.0 when traffic arrives.

As shown in the diagram, after traffic enters the NPB device, it undergoes different processing stages, including operations like tunnel stripping, filtering, and replication. The specific functions enabled can be flexibly configured according to network policies.
Based on this, let’s examine the specific application scenarios:
1. DCI/MAN Egress/High Speed Monitoring
In 400G DCI/MAN egress scenarios, the NPB device can aggregate traffic by connecting to the production network in two ways:
- Bypass Mode: The NPB connects in a bypass manner, obtaining traffic through TAPs, without affecting the forwarding of the original link.
- In-line Mode: The NPB is deployed directly in the network path and performs “preliminary traffic processing” on the link. It works with backend security tools, which perform the actual interception/blocking, achieving real traffic protection. In-line mode can also reduce the number of required 400G ZR modules.
Let’s first introduce the Bypass Mode.

In the scenario shown in the diagram above, the NPB is connected to the production network in Bypass mode to achieve centralized traffic collection and processing. Leveraging 400G ZR modules, NPB 2.0 can directly handle the 400G traffic generated by DCI interconnects without the need for splitting or additional adaptation equipment. This enables real-time monitoring and analysis of egress traffic over long-distance links.
Compared with traditional solutions, this removes the need to buy carrier wavelength-division services, so the monitoring system in a DCI scenario can be deployed autonomously. More importantly, because the NPB itself takes 400G ZR modules, it can receive the tapped 400G ZR signal directly. After upgrading to a 400G network, efficient traffic collection and analysis therefore remains possible over long-distance DCI links, with a simpler deployment.

As data centers enter the 400G high-speed era, the 400G NPB enables line-rate forwarding and high-performance traffic processing, preventing bottlenecks in the monitoring links. It simultaneously performs filtering, deduplication, and distribution, maximizing the efficiency of downstream security and monitoring tools.
As shown in Figure 6, breakout cables can also be used to split high-bandwidth ports into multiple lower-speed ports, enhancing the utilization efficiency of the 400G NPB’s ports.
For example, if the current network has not yet reached 400G and only uses 200G links, a single 400G port can be split into two 200G ports using an MPO-16 to 2x MPO-8 breakout cable, thereby achieving efficient use of port resources.
This approach, a core advantage of the Open Packet Broker powered by SONiC, not only meets current network requirements but also provides excellent scalability for future upgrades to 400G.


Unlike Bypass mode, deploying the NPB device In-line within the production network offers two main advantages:
- Reduced Quantity of 400G ZR Modules
  - In the TAP Bypass method shown in Figure 5, the TAP only splits the optical signal and cannot regenerate it, so a total of four 400G ZR modules are required between the two DCI endpoints and the NPB devices (the two on the DCI endpoints plus one at the NPB for each direction of the split signal).
  - In the In-line method shown in Figure 8, where the NPB is deployed inside the DC room, only 400G VR/SR modules are needed between the DCI link and the NPB. This saves two 400G ZR modules and reduces deployment cost.
- Preliminary Traffic Processing & Security Enhancement
  - In In-line mode the 400G NPB sits directly on the service path and can analyze and pre-process passing traffic in real time. Only the traffic that policy selects is handed to the security tools, which still perform the actual blocking, so protective measures such as filtering suspicious traffic become more efficient while traffic distribution and analysis performance improve.
By flexibly choosing between Bypass or In-line deployment modes in 400G DCI/MAN Egress/High-Speed scenarios, and combining this with Breakout technology to enhance port utilization, the NPB not only accomplishes high-bandwidth traffic collection and analysis over long distances but also significantly reduces the number of 400G ZR modules and the associated deployment costs. This is difficult to achieve with traditional solutions.
2. DevOps-Ready NPB Switch
Facing large-scale, dynamically changing networks, traditional manual operations models are no longer adequate. NPB 2.0 provides a new answer:

- Ansible Automation: Through Ansible Playbooks, operations teams can use scripts to unify and automate the deployment and management of thousands of policies on the NPB, enabling “one-click operations.” This solves the problem of complex and inefficient policy management.
- Unified Visualization: The combination of the Prometheus Exporter on AsterNOS and Grafana provides powerful real-time monitoring and visualization capabilities, making network status clear at a glance. This addresses the lack of a unified monitoring view in traditional solutions.

DevOps teams pursue efficiency and automation. Within CI/CD pipelines, operators can leverage Ansible to perform batch deployment and management of policies on the NPB, achieving automation and rapid iteration of policy configuration. Simultaneously, the Prometheus Exporter on AsterNOS and Grafana enable visual monitoring of NPB status and traffic metrics, enhancing operational visibility and decision-making efficiency.
When your network upgrades to a 400G DCI/MAN scenario and you aim to manage it uniformly using DevOps, NPB 2.0 is not merely “capable” of meeting the requirements—it is an efficient solution that simultaneously addresses the three major challenges of high performance, observability, and automated management.
3. All-in-One SMB Solution
The core demand of SMB (Small and Medium-sized Businesses) users is a solution that is “simple, low-cost, and all-in-one.” The NPB 2.0 solution meets this need through its integrated design:

As shown in Figure 11, the Asterfusion CX102S-8GT-(DPU)-M-SWP device supports two optional Marvell OCTEON CN9130 DPUs, providing robust data processing capabilities.
When deployed as an NPB, it can configure its 8x1G PoE ports as collection ports and its 2x10G SFP+ ports as forwarding ports, which natively provides media conversion from 1G copper to 10G fiber. In this configuration the device collects and forwards multi-source traffic while acting as an electrical TAP, and connects interfaces of different rates seamlessly.
In this role the NPB resembles a traditional “electrical TAP” but with far more functionality. The solution inherits the core advantages of the electrical TAP approach, low cost and simple deployment, and meets the monitoring needs of most enterprises; it is particularly suited to SMBs with limited budgets and IT resources. As with any active in-line copper TAP, the production link then depends on the device staying up, so check the link’s availability requirements before deploying it this way.
However, the value of the CX102S extends far beyond this. Leveraging the AsterNOS operating system running on the NPB switch and pre-installed analysis software like ntopng on the DPUs, it evolves progressively into an “intelligent processing center”:
- Beyond Traditional NPB: The two DPUs come pre-installed with the analysis software ntopng. Traffic from the service ports is steered by the switch’s hardware forwarding engine to the DPUs, where ntopng performs deep analysis and visualization, giving detailed traffic visibility and insight. NetFlow export is also supported, so monitored traffic can be processed locally and exported flexibly.
- All-in-One Solution: What we deliver is an “Active TAP based on NPB / NPB 2.0 / Ntopng” all-in-one solution. It integrates three major functions—flexible traffic collection, intelligent traffic brokering, and deep traffic analysis—into a single device. This greatly simplifies network monitoring architecture and significantly reduces the Total Cost of Ownership.
For SMBs, this strategy—enabled by the Open Packet Broker powered by SONiC—represents achieving maximum outcomes with minimal investment: a single device accomplishes what previously required a team and multiple pieces of equipment.
Ⅳ. Key Enhancements for Open Packet Broker powered by SONiC
Beyond the foundational architecture and the scenario needs above, the Asterfusion NPB 2.0 solution adds key technologies that resolve operational pain points and point toward the future of network traffic processing.
1. ARS Flowlet: Dynamic Traffic Distribution
In data center environments, when a single port’s bandwidth cannot carry the traffic, NPB 2.0 can create LAGs (Link Aggregation Groups) for multi-port load balancing while preserving traffic integrity. The LAG supports configurable hash seeds and hash keys (e.g., IP, port, MAC), and the hash mode can be set on the ingress physical interface. The default mode is src-dst-ip-port; custom configurations are also supported.
Static hashing, however, struggles with sudden elephant flows: a single hash value pins the whole flow to one member link, which then congests and drops packets. ARS Flowlet dynamically senses link status, splits elephant flows into flowlets at natural gaps in the packet stream, and distributes those flowlets across the LAG members, achieving fine-grained load scheduling. Because a new flowlet only starts after a gap longer than the latency difference between member links, packets within the flow stay in order. This improves the forwarding efficiency of the NPB fabric, keeps it non-blocking, and ensures monitoring tools receive complete and continuous data streams.

As shown in Figure 12, within the LAG on Leaf1:
- Before using Flowlet: The entire elephant flow is assigned by the hash algorithm to a single link within the LAG. When this link becomes busy, it can become overloaded while other links remain idle, potentially causing link congestion and packet loss.
- After enabling Flowlet: The elephant flow is split into multiple flowlets. NPB 2.0 intelligently schedules these flowlets based on real-time link status, allowing different flowlets to be assigned to different links within the LAG. This enables multiple links to share the forwarding task simultaneously.
This approach, a key capability of the Open Packet Broker powered by SONiC, not only fully utilizes the aggregated LAG bandwidth but also reduces congestion, improves overall link utilization, and ensures the integrity and continuity of the monitored data streams.
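To make the before/after contrast concrete, here is an added Python simulation of the two placement strategies (it is not Asterfusion’s ARS implementation). The static path hashes the src-dst-ip-port tuple, as the page’s default hash mode does; the flowlet path starts a new flowlet whenever the inter-packet gap exceeds a threshold and places it on the least-loaded member. The 4-member LAG, the 100 µs gap threshold, the least-loaded selection rule and the bursty elephant-flow trace are all assumptions for the example.

```python
"""Static LAG hashing versus flowlet placement (added simulation, not ARS code).
Assumed, not from the page: 4 LAG members, a gap threshold, least-loaded selection."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


def static_hash_member(flow: FiveTuple, n_members: int, seed: int = 0) -> int:
    """src-dst-ip-port style hash: the whole flow always lands on one member."""
    key = f"{seed}|{flow.src_ip}|{flow.dst_ip}|{flow.src_port}|{flow.dst_port}|{flow.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_members


class FlowletBalancer:
    """Starts a new flowlet when the gap since the flow's last packet exceeds gap_us
    and places it on the least-loaded member. Packets inside a flowlet stay on one
    member, so ordering is preserved as long as gap_us exceeds the member latency skew."""

    def __init__(self, n_members: int, gap_us: float):
        self.gap_us = gap_us
        self.load = [0] * n_members                    # bytes placed per member
        self.table: Dict[FiveTuple, Tuple[float, int]] = {}  # flow -> (last_ts_us, member)

    def place(self, flow: FiveTuple, ts_us: float, size: int) -> int:
        last = self.table.get(flow)
        if last is None or ts_us - last[0] > self.gap_us:
            member = min(range(len(self.load)), key=lambda i: self.load[i])
        else:
            member = last[1]
        self.table[flow] = (ts_us, member)
        self.load[member] += size
        return member


def elephant_trace(bursts: int = 10, pkts_per_burst: int = 20, pkt_size: int = 1500,
                   intra_gap_us: float = 1.0, inter_gap_us: float = 500.0
                   ) -> List[Tuple[FiveTuple, float, int]]:
    """Constructed trace: one TCP elephant flow sent as bursts separated by idle gaps."""
    flow = FiveTuple("10.0.0.1", "10.0.0.2", 50000, 5201, 6)
    trace, ts = [], 0.0
    for _ in range(bursts):
        for _ in range(pkts_per_burst):
            trace.append((flow, ts, pkt_size))
            ts += intra_gap_us
        ts += inter_gap_us
    return trace


def run_static(trace, n_members: int = 4) -> List[int]:
    """Bytes per member when every packet follows the static 5-tuple hash."""
    load = [0] * n_members
    for flow, _, size in trace:
        load[static_hash_member(flow, n_members)] += size
    return load


def run_flowlet(trace, n_members: int = 4, gap_us: float = 100.0) -> List[int]:
    """Bytes per member when flowlets are placed on the least-loaded member."""
    lb = FlowletBalancer(n_members, gap_us)
    for flow, ts, size in trace:
        lb.place(flow, ts, size)
    return lb.load
```

With the constructed trace, static hashing puts all 300,000 bytes on one member while the other three idle; flowlet placement spreads the ten bursts so no member carries more than 90,000 bytes. The gap threshold is the safety margin: set it below the latency skew between members and a flow’s packets can arrive out of order at the tool.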
For more about ARS Flowlet, please refer to ARS on SONiC Stops Elephant Flow-Induced Network Latency in Data Centers.
2. MACsec Encrypts NPB Traffic
MACsec (Media Access Control Security, IEEE 802.1AE) encrypts and authenticates Ethernet frames at the data link layer by wrapping the original frame in a security encapsulation. The frame’s EtherType field is set to 0x88E5 (the MACsec EtherType), followed by a SecTAG (Security Tag) that carries the association number, a packet number and optionally the Secure Channel Identifier; the original EtherType and payload are carried as Secure Data (encrypted, or integrity-protected only); and a 16-byte ICV (Integrity Check Value) computed with GCM-AES closes the frame. The packet number provides replay protection, and keys are normally agreed over the link with MKA (MACsec Key Agreement, from IEEE 802.1X). Because it works hop by hop, MACsec secures transmission on a single Ethernet link, such as a dark-fiber span.

When monitoring traffic crosses carrier dark fiber, it is exposed to eavesdropping or tampering. Traditional encryption methods such as software-based IPsec add CPU overhead in high-bandwidth scenarios.
The Open Packet Broker powered by SONiC, leveraging the hardware capabilities of the Asterfusion Switch platform, incorporates built-in MACsec functionality. This enables encryption of monitoring traffic at the link layer.
MACsec is accelerated by the ASIC engine on Asterfusion hardware, achieving line-rate encryption with minimal impact on latency and bandwidth. This also ensures the confidentiality and integrity of sensitive monitoring traffic.
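The frame layout described above, as an added Python example that is not Asterfusion’s ASIC implementation: it encodes and decodes the SecTAG (TCI/AN, SL, PN, optional SCI), splits off the Secure Data and ICV, and applies the 802.1AE receive-side replay window, which is the check a practitioner most often has to reason about when tuning MACsec over a long link. The ICV is carried but not verified, because verification needs the SAK and GCM-AES, which this stand-alone example omits; the sample MACs, SCI and payload are constructed.

```python
"""MACsec SecTAG encode/decode plus 802.1AE replay-window check (added example,
not Asterfusion's code). The ICV is parsed but not verified (no SAK/GCM here)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETH_P_MACSEC = 0x88E5
ICV_LEN = 16                      # GCM-AES-128 and GCM-AES-256 both use a 16-byte ICV
# TCI bit positions (802.1AE): V ES SC SCB E C, then the 2-bit AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


@dataclass
class MacsecFrame:
    dst: bytes
    src: bytes
    an: int                       # association number (0-3), selects the SA/key
    es: bool                      # end station: SCI implied by source MAC
    sc: bool                      # explicit SCI present in the tag
    encrypted: bool               # E bit: secure data is ciphertext
    changed: bool                 # C bit: secure data differs from user data
    pn: int                       # packet number, used for replay protection
    sci: Optional[bytes]
    secure_data: bytes
    icv: bytes


def encode(dst: bytes, src: bytes, an: int, pn: int, secure_data: bytes,
           sci: Optional[bytes] = None, encrypted: bool = True,
           icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """Build DA | SA | 0x88E5 | TCI/AN | SL | PN | [SCI] | Secure Data | ICV."""
    tci = an & 0x03
    if sci is not None:
        tci |= TCI_SC
    if encrypted:
        tci |= TCI_E | TCI_C
    sl = len(secure_data) if len(secure_data) < 48 else 0   # SL is non-zero only for short frames
    tag = struct.pack("!HBBI", ETH_P_MACSEC, tci, sl, pn) + (sci or b"")
    return dst + src + tag + secure_data + icv


def decode(frame: bytes) -> MacsecFrame:
    """Parse a MACsec frame; raises ValueError on anything malformed."""
    if len(frame) < 20:
        raise ValueError("frame too short for a SecTAG")
    dst, src, ethertype, tci, sl, pn = struct.unpack_from("!6s6sHBBI", frame, 0)
    if ethertype != ETH_P_MACSEC:
        raise ValueError("not a MACsec frame")
    if tci & TCI_V:
        raise ValueError("unsupported MACsec version")
    off, sci = 20, None
    if tci & TCI_SC:
        sci, off = frame[off:off + 8], off + 8
    if len(frame) < off + ICV_LEN:
        raise ValueError("frame too short for ICV")
    secure_data, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    if sl and len(secure_data) != sl:
        raise ValueError("SL does not match secure data length")
    return MacsecFrame(dst, src, tci & 0x03, bool(tci & TCI_ES), bool(tci & TCI_SC),
                       bool(tci & TCI_E), bool(tci & TCI_C), pn, sci, secure_data, icv)


class ReplayProtection:
    """802.1AE replay check per (SCI, AN): accept only PN >= nextPN - window.
    Window 0 is strict (no reordering, no duplicates); a positive window tolerates
    reordering on the link but, as in the standard, keeps no per-PN bitmap."""

    def __init__(self, window: int = 0):
        self.window = window
        self.next_pn: Dict[Tuple[bytes, int], int] = {}

    def accept(self, sci: bytes, an: int, pn: int) -> bool:
        key = (sci, an)
        next_pn = self.next_pn.get(key, 1)
        if pn < max(1, next_pn - self.window):
            return False                      # replayed or too old
        if pn >= next_pn:
            self.next_pn[key] = pn + 1
        return True
```

Run-time note: a real receiver verifies the ICV before the replay check updates state, and the packet number must never wrap within an SA’s lifetime, which is why a new SAK is installed (rotating the AN) before the 32-bit PN is exhausted; both steps sit outside this stand-alone snippet.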

3. ERSPAN: Extending the Network
ERSPAN (Encapsulated Remote Switched Port Analyzer) enables the tunneling of traffic from different physical locations and network nodes over an IP network, aggregating it onto a central NPB 2.0 platform for unified processing. This significantly expands the scope of traffic collection— a critical capability of the Open Packet Broker powered by SONiC—providing the foundation for network-wide, unified security and performance monitoring.
NPB Functionality: The NPB supports ERSPAN tunnel decapsulation, restoring the original Ethernet frames and enabling cross-tier network monitoring capability. Beyond ERSPAN, the NPB also supports other tunneling protocols like VXLAN, MPLS, and GRE.
Application Scenario: In large campus or complex network environments characterized by high traffic volume and complex structures, where security monitoring and performance analysis demands are critical, the NPB can uniformly process traffic from distributed sources (e.g., ERSPAN). It then flexibly forwards this traffic to various analysis tools, eliminating the need for each tool to individually access mirrored traffic, thereby improving efficiency and manageability.
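What the NPB’s ERSPAN decapsulation step has to do, shown as an added Python example (not Asterfusion’s code): walk the outer Ethernet/IPv4/GRE headers, honour the GRE flag bits, parse the ERSPAN Type II header to recover the session ID and original VLAN, and hand back the inner frame. Because GRE/ERSPAN carries no authentication, the example also refuses packets from any source that is not a known mirror source; that allow-list, and the constructed sample packet, are assumptions for the example.

```python
"""ERSPAN Type II decapsulation with a mirror-source allow-list (added example,
not Asterfusion's code). Assumed: the allow-list and the constructed sample packet."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Set

ETH_P_IP = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN2 = 0x88BE
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000     # checksum, key, sequence present


@dataclass
class Decapsulated:
    source: IPv4Address          # the mirroring switch
    session_id: int              # ERSPAN session configured on that switch
    vlan: int                    # original VLAN recorded by the mirror source
    cos: int
    seq: Optional[int]           # GRE sequence number, for loss detection
    inner_frame: bytes           # the original Ethernet frame


def decap_erspan2(packet: bytes, allowed_sources: Set[IPv4Address]) -> Decapsulated:
    """Strip outer Ethernet/IPv4/GRE/ERSPAN-II headers and return the mirrored frame."""
    if len(packet) < 14 + 20 + 4 + 8:
        raise ValueError("too short for ERSPAN")
    if struct.unpack_from("!H", packet, 12)[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    off = 14
    ihl = (packet[off] & 0x0F) * 4
    if packet[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 is not GRE")
    source = IPv4Address(packet[off + 12:off + 16])
    if source not in allowed_sources:
        raise ValueError(f"ERSPAN from unexpected source {source}")
    off += ihl
    flags, proto = struct.unpack_from("!HH", packet, off)
    if proto != GRE_PROTO_ERSPAN2:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off += 4
    if flags & GRE_C:
        off += 4                                  # checksum + reserved1
    if flags & GRE_K:
        off += 4                                  # key
    seq = None
    if flags & GRE_S:
        seq = struct.unpack_from("!I", packet, off)[0]
        off += 4
    ver_vlan, cos_en_t_sid = struct.unpack_from("!HH", packet, off)
    if ver_vlan >> 12 != 1:                       # version 1 == ERSPAN Type II
        raise ValueError("not ERSPAN Type II")
    off += 8                                      # ver/vlan, cos/en/t/session, reserved/index
    return Decapsulated(source, cos_en_t_sid & 0x03FF, ver_vlan & 0x0FFF,
                        cos_en_t_sid >> 13, seq, packet[off:])


def build_erspan2(source: str, dest: str, session_id: int, vlan: int, seq: int, inner: bytes) -> bytes:
    """Construct a sample ERSPAN Type II packet for testing (outer checksums left at zero)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETH_P_IP)
    gre = struct.pack("!HHI", GRE_S, GRE_PROTO_ERSPAN2, seq)
    erspan = struct.pack("!HHI", (1 << 12) | (vlan & 0x0FFF), session_id & 0x03FF, 0)
    total = 20 + len(gre) + len(erspan) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                     IPv4Address(source).packed, IPv4Address(dest).packed)
    return eth + ip + gre + erspan + inner
```

Once the inner frame is recovered it can be fed to the same field-based policy that handles locally tapped traffic, which is what lets one NPB treat distributed ERSPAN sources and local TAP ports uniformly. Tracking the GRE sequence number per session is the cheap way to notice when the IP path between the mirror source and the NPB is dropping mirrored packets.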

Ⅴ. Conclusion: Asterfusion NPB 2.0 Benefits
In summary, the Asterfusion NPB 2.0 solution – Open Packet Broker powered by SONiC – delivers core benefits across the following dimensions:
- Architecture Simplification & Cost Optimization: By integrating TAP and NPB functionalities, and providing an all-in-one solution for SMBs, it reduces the number of physical devices, saves rack space, and lowers procurement costs. Simultaneously, automated management and unified monitoring reduce manual operational efforts, decreasing labor costs.
- Efficiency Improvement: The containerized architecture, Web UI, and native integration with Ansible and Prometheus/Grafana enhance operational efficiency. The Leaf-Spine architecture combined with Flowlet scheduling ensures high-speed traffic forwarding performance.
- Security Enhancement: Built-in MACsec encryption provides link-layer security for DCI dark fiber transmission, preventing traffic eavesdropping or tampering.
- Scenario Adaptability: The solution adapts to various scenarios to meet your needs:
- High-Speed Scenarios: 400G/800G ZR/ZR+ support meets long-distance monitoring requirements for DCI/MAN egress.
- SMB Scenarios: All-in-one solution fulfills the need for low cost and easy operation.
- DevOps Scenarios: Native automation integration aligns with efficient operational workflows.
- Large-Scale Scenarios: ERSPAN and Leaf-Spine architecture support cross-regional, ultra-large-scale centralized monitoring.
- Future-Readiness: A complete product portfolio covering 1G to 800G, based on open SONiC and a containerized architecture, provides continuous evolution and flexible scalability, enabling rapid adaptation to future technologies and requirements.
In a word, Asterfusion NPB 2.0– the Open Packet Broker powered by SONiC – is not merely an upgrade replacement for traditional TAP+NPB solutions; it actively drives the transformation of network monitoring from “distributed, manual, and proprietary” to “centralized, automated, and flexible,” providing solid support for the stable, secure, and efficient operation of modern networks.
Portfolio

Contact us if you are interested in NPB 2.0 or would like to discuss it with us.