Introduction
Following the video, this article describes the Asterfusion NPB solution in more detail.
The earlier article, Open Packet Broker powered by SONiC, introduced our next-generation Network Packet Broker (NPB) powered by SONiC; this one goes into the specifics.
The next-generation NPB is built on the SONiC architecture with containerized modules and runs on standard switch ASICs as the underlying hardware. It installs like an app on a phone: the PB-APP container sits on top of Enterprise SONiC-AsterNOS, so installation is simple while the result is a full-featured packet broker. For brevity we refer to it as the PB-APP solution.
In a nutshell, the Open Packet Broker powered by SONiC (PB-APP) is: open architecture + standardized, containerized SONiC + universal switch ASIC + lower cost, a combination we argue surpasses the P4-based NPB.
This article explains why the next-generation packet broker surpasses P4 NPB, looking at software functionality, the all-in-one switch-plus-DPU hardware for SMB, and deployment methods. From this you will understand why customers choose our solution.
Our Part in the Evolution of the Network Packet Broker
Our company has long-term practice and deployment experience with Network Packet Brokers (NPB). Having been closely involved in their evolution, we summarize it into three stages, with our new solution as the third.

First Generation: In the early days of the NPB, vendors commonly built proprietary appliances around FPGAs (Field-Programmable Gate Arrays) to meet the demand for high-performance, low-latency packet processing. FPGAs offered hardware flexibility, but development cycles were long, power consumption was high, and the designs were closed, which often led to significant vendor lock-in.
Second Generation: With the P4-programmable Tofino ASIC (developed by Barefoot Networks and sold by Intel after the acquisition), it became clear that P4 could not only implement packet broker functions but also reduce cost. P4-based devices are more compact and flexible than the proprietary FPGA appliances they replaced. At this point we became one of the largest users of Intel's P4 chips.
Next Generation: After Intel announced the end of life (EOL) of this chip family, the industry began looking for alternatives. We turned to open networking, using the containerized SONiC architecture and universal switch ASICs to implement the standard packet broker functions along with advanced features.
During this transition we gained the expertise, confidence and technical capability to transform packet broker solutions: saying goodbye to the era of P4-based packet brokers and moving to a new generation based on open networking and universal switch ASICs.
Comprehensive Product Support Across All Scenarios
To support the Network Packet Broker powered by SONiC, Asterfusion has developed a full-stack product lineup ranging from campus networks to data centers, with speeds spanning from 1G to 800G.
As mentioned earlier, the confidence behind this solution comes from three factors: our deep involvement in the evolution of packet broker technology; universal switch ASICs as the underlying hardware; and the containerized, open network architecture of SONiC.
Why make such a choice? Let’s explore this from two perspectives: software flexibility and hardware universality.
Software Flexibility: Containerized SONiC
The solution runs as software on top of Enterprise SONiC-AsterNOS, using SONiC and the SAI (Switch Abstraction Interface) to program the ASIC. At the software level this means any Asterfusion switch can act as a network packet broker, or NPB capabilities can be added to a switch that is already part of the network, across the full product range from campus to data center.
Beyond the basic features (aggregation, replication, filtering and load balancing), the filtering and load-balancing functions have been refined further, and a set of advanced features has been added; both are detailed later.

Note: Because the PB function is delivered as a container, the Network Packet Broker powered by SONiC (PB-APP) solution requires no modification to the underlying NOS, AsterNOS. PB functions can be extended without affecting existing switches or the network structure.
Hardware Universality: Standard Switch ASIC
As mentioned earlier, the Network Packet Broker powered by SONiC (PB-APP) solution runs on universal switch ASICs and so inherits their line-rate forwarding. This significantly improves the NPB's forwarding performance, with specific benefits including:
- The ASIC has dedicated TCAM for classification. Because a TCAM lookup compares a packet against all entries in parallel, ACL filtering (rule tables from a few thousand to tens of thousands of entries, depending on the ASIC) and QoS priority scheduling run at line rate with no performance degradation as the rule count grows; the limit is table capacity, not lookup time.
- Lower latency and higher throughput that scale with switch silicon. For instance, current switches support up to 51.2 Tbps with 800G ports.
Supported chips range from Marvell's Prestera and Teralynx (the latter originally from Innovium) to Broadcom's Trident 3 and Tomahawk.
Because the product is built on SONiC switches, it is naturally compatible with leaf-spine (Clos) topologies for future expansion, allowing the packet broker fabric to grow large enough for multi-terabit traffic.
As shown in the diagram, traffic from the production network is diverted (via TAP or port mirroring) to TAP leaf devices, forwarded to NPB spine nodes for interconnection and aggregation, then sent to tool leaf devices; through replication or load balancing it reaches the security analysis tools.

One more hardware advantage: Asterfusion offers SONiC-based hardware that also carries Marvell Octeon DPUs, which lets us build a resource pool for the NPB's advanced features on the DPU.
By combining the standard switch with the DPU resource pool, advanced feature services can be invoked on demand and allocated centrally, making more efficient use of them, as the diagram above shows.
It is precisely due to the combination of software flexibility and hardware universality that the Network Packet Broker powered by SONiC/PB APP solution is well supported across Asterfusion’s entire product line from campus networks to data centers. This also represents the future direction of packet broker development.
Network Packet Broker Powered by SONiC Supported Function Set
Below is a detailed description of the key features supported by the NPB, categorized into standard and advanced functions.
Network Packet Broker Powered by SONiC Standard Features
- Hardware Implementation: Switch ASIC, or as an extension of switch capabilities
- Software: Standard switch Enterprise SONiC AsterNOS + PB-APP extension
The Open Packet Broker Powered by SONiC PB-APP provides the following standard features:
- Packet Filter: Filters and forwards data packets based on five-tuple, seven-tuple, IP fields, etc.
- Traffic Aggregation: Merges traffic from multiple interfaces into a single flow for centralized processing.
- Load Balance: Distributes traffic evenly across multiple analysis devices to optimize resource usage.
- Traffic Replication: Duplicates traffic and sends it to multiple security analysis devices for parallel processing.
- Packet Modification: Modifies packet content as needed, supporting VLAN add/remove/edit, MAC address modification, etc.
- Packet Truncation: Truncates packets to retain only the specified portion of the data. Supports packet truncation in mirror mode, fixed truncation of 128 bytes.
- Traffic Tagging: Supports adding VLAN tags to packets entering or leaving the NPB, facilitating identification and classification.
- Tunnel Termination: Terminates tunnel encapsulation and restores the original packet for further processing. Supports GRE/ERSPAN/VXLAN termination.
- Tunnel Strip: Removes tunnel encapsulation information and restores the original packet format for backend security tools. Supports CFP, ERSPAN, GRE, GTP-U, IPinIP, MPLS, PPPoE, VXLAN stripping.
Network Packet Broker Powered by SONiC Advanced Features
- Hardware Implementation: Marvell Octeon DPU with 100G capability
- Software: FusionNOS for Advanced Network Packet Broker Features
The following advanced features are provided by the Network Packet Broker powered by SONiC:
- Packet Deduplication: Drops repeated copies of a packet (for example the same packet captured at several TAP points) so each packet is processed only once. Fields that legitimately differ between copies can be excluded from the comparison, such as IP and MAC addresses, FCS and TTL, and the deduplication time window is configurable down to 100 ms.
- IP Fragment Reassembly: Reassembles fragmented IP packets into complete packets for further processing.
- TCP Out-of-Order Reassembly: Reorders TCP packets that arrive out of order, restoring the correct data flow sequence.
- NetFlow/sFlow Output: Generates flow-record metadata (NetFlow v5/v9 or sFlow) for traffic monitoring and analysis; the exported records can optionally be load balanced or replicated across collectors.
- Advanced Traffic Statistics: Provides detailed statistics on NPB advanced functions, including TCP out-of-order statistics, IP fragment statistics, deduplication statistics, packet type statistics, and core send/receive counts, enabling in-depth analysis.
- Packet Desensitization: Removes sensitive information from packets using anonymization techniques. Supports fixed-position offset encryption, transcoding, and keyword-based data masking.
- Header-Only Forwarding: Forward only the header of packets, going beyond the 128-byte fixed truncation limit of Packet Truncation. The truncation byte length can be customized for flexible packet processing.
- Packet Timestamping: Adds timestamps to packets for troubleshooting and analysis.
- Payload Signature Matching: Matches signatures in the packet payload based on fixed offsets to detect potential attacks or abnormal traffic.
- 4G/5G Associated Tagging: Parses mobile-core control-plane signaling (for example S1-MME) to associate user-plane traffic (for example S1-U) with subscriber identifiers and tags the data in real time. Supports decoding of GTPv1, GTPv2 (S11), 4G S1, 5G N2/N11/N12 and 5G N4, as well as filtering and sampling by 4G/5G NE IP and IMSI/MSISDN/IMEI for precise traffic analysis and user-behaviour monitoring.
Note: For the complete list of NPB features, contact us at bd@cloudswit.ch.
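To make the deduplication semantics concrete, here is an added example (not code from the PB-APP product, whose implementation runs on the DPU) that hashes each frame with the configurable "ignored" fields zeroed and applies a first-seen time window. The frame layout it assumes (untagged Ethernet II, IPv4 without options, trailing FCS), the field offsets and the sample frames are all constructed for the example.

```python
import hashlib
import struct
from collections import OrderedDict

# Offsets assume an untagged Ethernet II frame carrying IPv4 without options,
# followed by a 4-byte FCS (a simplification for this example; a real NPB
# parses whatever headers it finds).
ETH_LEN = 14
IGNORABLE = {
    "mac":    [(0, 12)],                       # destination + source MAC
    "ttl":    [(ETH_LEN + 8, ETH_LEN + 9)],    # IPv4 TTL, decremented per hop
    "ipcsum": [(ETH_LEN + 10, ETH_LEN + 12)],  # IPv4 header checksum, changes with TTL
    "fcs":    [(-4, None)],                    # trailing Ethernet FCS
}


def dedup_key(frame: bytes, ignore=("mac", "ttl", "ipcsum", "fcs")) -> bytes:
    """Digest of the frame with the ignored byte ranges zeroed, so two copies
    of one packet captured on different hops collapse to the same key."""
    buf = bytearray(frame)
    for name in ignore:
        for start, end in IGNORABLE[name]:
            s = start if start >= 0 else len(buf) + start
            e = len(buf) if end is None else end
            buf[s:e] = bytes(e - s)
    return hashlib.sha256(bytes(buf)).digest()


class Deduplicator:
    """Drops a frame if a frame with the same key was seen within the window.
    The table keeps the first-seen time and is insertion-ordered, so expiry
    only has to look at the oldest entry."""

    def __init__(self, window_s=0.1, ignore=("mac", "ttl", "ipcsum", "fcs")):
        self.window_s = window_s
        self.ignore = ignore
        self.seen = OrderedDict()   # key -> first-seen timestamp
        self.forwarded = 0
        self.dropped = 0

    def _expire(self, now: float) -> None:
        while self.seen:
            _, ts = next(iter(self.seen.items()))
            if now - ts <= self.window_s:
                break
            self.seen.popitem(last=False)

    def process(self, frame: bytes, now: float) -> bool:
        """Return True if the frame is forwarded, False if it is a duplicate."""
        self._expire(now)
        key = dedup_key(frame, self.ignore)
        if key in self.seen:
            self.dropped += 1
            return False
        self.seen[key] = now
        self.forwarded += 1
        return True


def build_frame(src_mac: bytes, dst_mac: bytes, ttl: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP test frame with a zero checksum and dummy FCS."""
    eth = dst_mac + src_mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0,
                     ttl, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload + b"\x00\x00\x00\x00"


def run_demo():
    """Same packet tapped before and after a router, plus a different packet."""
    mac_a, mac_b, mac_c = b"\x02" * 6, b"\x04" * 6, b"\x06" * 6
    p1 = build_frame(mac_a, mac_b, 64, b"example-query")
    p1_next_hop = build_frame(mac_b, mac_c, 63, b"example-query")  # rewritten MACs, TTL-1
    p2 = build_frame(mac_a, mac_b, 64, b"another-query")
    d = Deduplicator(window_s=0.1)
    return [d.process(p1, 0.000),           # first copy: forward
            d.process(p1_next_hop, 0.010),  # duplicate within 100 ms: drop
            d.process(p2, 0.020),           # different payload: forward
            d.process(p1, 0.150)]           # same as p1 but window expired: forward


if __name__ == "__main__":
    print(run_demo())
```

The window is measured from the first copy, not refreshed by later duplicates; otherwise a steady stream of copies would keep an entry alive forever. Which fields to ignore is a deployment decision: excluding the TTL and MACs is what makes a routed hop look like a duplicate, while excluding too much (for example the whole IP header) would start merging distinct packets.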
Scenario-Based Features of Network Packet Broker Powered by SONiC
In the previous sections describing the standard and advanced features of the NPB, we mentioned fine-tuning certain functionalities, such as tunnel stripping, load balancing, and filtering. This also highlights our chip programming capabilities. Additionally, there are some scenario-based foundational features, which are introduced here.
Tunnel Processing and Hash

Regarding tunnel features, the NPB supports tunnel stripping and termination decapsulation, as well as tunnel encapsulation. Therefore, deployment scenarios can include Telco WAN, 4G/5G Core, Data Center, DCI, enterprise networks, and more.
- Tunnel Stripping Feature Extensions: CFP, ERSPAN, GRE, GTP-U, IPinIP, MPLS, PPPoE, VXLAN stripping
- Tunnel Termination: GRE/ERSPAN/VXLAN termination (as listed under Standard Features)
- Tunnel Encapsulation: GRE/VXLAN encapsulation
- Tunnel Hashing: Supports outer-layer hashing for all tunnels, as well as inner-layer hashing.
In a real customer deployment carrying MPLS-tunneled traffic, load balancing was initially hashed on the outer MPLS label stack. Because many flows share the same labels, some links carried several times the traffic of others: an unbalanced hash. Enabling inner-header hashing on our devices, which uses the IP and transport fields beneath the label stack (possible only when that payload is not encrypted), distributed the traffic evenly across the links to the backend analysis devices.
This is why we support both outer-layer and inner-layer hashing for tunnels.
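The effect described above can be reproduced in a few lines. The following is an added example, not product code: it parses an MPLS label stack down to the inner IPv4 header and compares the per-link distribution produced by hashing on the outer labels with that from hashing on the inner 5-tuple. The sample frames (one LSP carrying 64 TCP sessions) and the hash function are constructed for the example; the real ASIC hash differs.

```python
import hashlib
import struct

ETH_LEN = 14
MPLS_ETHERTYPES = (0x8847, 0x8848)


def hash_bucket(key: bytes, n_links: int, seed: int = 0) -> int:
    """Seeded hash of a key onto one of n_links (stand-in for the ASIC hash)."""
    digest = hashlib.sha256(seed.to_bytes(4, "big") + key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def parse_mpls_frame(frame: bytes):
    """Walk the MPLS label stack and return (labels, inner IPv4 5-tuple)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in MPLS_ETHERTYPES:
        raise ValueError("not an MPLS frame")
    off, labels = ETH_LEN, []
    while True:
        entry = struct.unpack("!I", frame[off:off + 4])[0]
        labels.append(entry >> 12)          # 20-bit label; TC and TTL ignored here
        off += 4
        if (entry >> 8) & 1:                # S bit: bottom of stack
            break
    if frame[off] >> 4 != 4:
        raise ValueError("only an IPv4 payload is handled in this example")
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    l4 = off + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4]) if proto in (6, 17) else (0, 0)
    return labels, (src, dst, proto, sport, dport)


def outer_key(labels) -> bytes:
    return b"".join(struct.pack("!I", lab) for lab in labels)


def inner_key(five_tuple) -> bytes:
    src, dst, proto, sport, dport = five_tuple
    return src + dst + bytes([proto]) + struct.pack("!HH", sport, dport)


def distribute(frames, n_links: int, mode: str):
    """Per-link packet counts when hashing on the outer label stack ("outer")
    or on the inner 5-tuple ("inner")."""
    counts = [0] * n_links
    for frame in frames:
        labels, inner = parse_mpls_frame(frame)
        key = outer_key(labels) if mode == "outer" else inner_key(inner)
        counts[hash_bucket(key, n_links)] += 1
    return counts


def build_mpls_frame(labels, src_ip: bytes, dst_ip: bytes, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/MPLS/IPv4/TCP frame; TTL 64, checksums left zero."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x88\x47"
    stack = b"".join(
        struct.pack("!I", (lab << 12) | ((1 if i == len(labels) - 1 else 0) << 8) | 64)
        for i, lab in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    return eth + stack + ip + tcp


def sample_frames(n_flows=64):
    """One LSP (labels 1001/20) carrying n_flows distinct TCP sessions."""
    return [build_mpls_frame([1001, 20], bytes([10, 1, 0, i]), bytes([10, 2, 0, 1]), 40000 + i, 443)
            for i in range(n_flows)]


if __name__ == "__main__":
    frames = sample_frames()
    print("outer-label hash: ", distribute(frames, 4, "outer"))
    print("inner 5-tuple hash:", distribute(frames, 4, "inner"))
```

With outer hashing every frame of the LSP lands on one link; with inner hashing the 64 sessions spread over all four. The same parser structure applies to the other tunnel types listed above: skip the encapsulation, then hash on what is underneath.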
Enhanced Hash
Hashing is a critical component for load balancing in NPB devices. The hashing capabilities we support are as follows:
- Global Hash & Port-group Hash
- Symmetric Hash & Asymmetric Hash
- Hash Seed: Customized modification to change the hash pattern, allowing traffic to migrate from one link to another rather than always flowing through the same link, preventing hash polarization and ensuring balanced traffic across the network.
- Hash Key: Customized key combinations, such as:
  - (src: ip + port, dst: ip + port)
  - (src: ip, dst: ip) / (src: mac, dst: mac)
  - (src: mac + ip + port, dst: mac + ip + port)
Default Hashing Method: Global hash, symmetric hash, based on source and destination IP + port.
Because hashing can be configured per port group, the hash method can be tailored to specific ports; for example, one port can use asymmetric hashing on source and destination IP + MAC while the rest keep the global default.
The following diagram shows how the hash method for a port can be selected via the web UI interface:

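What the three knobs above actually do can be shown with a short added example, not product code: symmetric canonical ordering of the key so both directions of a session reach the same tool, field selection for the key, and why the seed matters when traffic is hashed at two stages of a fabric (the polarization case). The two-stage fabric shape, the flows and the hash function are constructed for the example.

```python
import hashlib
import struct


def hash_bucket(key: bytes, n_links: int, seed: int = 0) -> int:
    """Seeded, non-linear hash of a key onto one of n_links (stand-in for the ASIC hash)."""
    digest = hashlib.sha256(seed.to_bytes(4, "big") + key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def flow_key(src_ip, dst_ip, proto, sport, dport, symmetric=True, fields=("ip", "port")):
    """Build the hash key from the selected fields. With symmetric=True the
    (ip, port) pairs are put in canonical order so A->B and B->A share a key."""
    a, b = (src_ip, sport), (dst_ip, dport)
    if symmetric and a > b:
        a, b = b, a
    key = bytes([proto])
    if "ip" in fields:
        key += a[0] + b[0]
    if "port" in fields:
        key += struct.pack("!HH", a[1], b[1])
    return key


def session_links(src_ip, dst_ip, sport, dport, n_links, symmetric, seed=0):
    """Tool link chosen for the forward and the reverse direction of one TCP session."""
    fwd = flow_key(src_ip, dst_ip, 6, sport, dport, symmetric)
    rev = flow_key(dst_ip, src_ip, 6, dport, sport, symmetric)
    return hash_bucket(fwd, n_links, seed), hash_bucket(rev, n_links, seed)


def sample_flows(n=64):
    """Constructed: n client sessions from 10.1.0.x to one server on port 443."""
    return [flow_key(bytes([10, 1, 0, i]), bytes([10, 2, 0, 1]), 6, 40000 + i, 443) for i in range(n)]


def second_stage_spread(flows, seed_stage2, n_links=2):
    """Two-stage fabric: a TAP leaf hashes flows over n_links spines (seed 0);
    spine 0 then hashes what it received over n_links tool-leaf links with
    seed_stage2. Returns spine 0's per-link counts."""
    reached_spine0 = [k for k in flows if hash_bucket(k, n_links, 0) == 0]
    counts = [0] * n_links
    for k in reached_spine0:
        counts[hash_bucket(k, n_links, seed_stage2)] += 1
    return counts


if __name__ == "__main__":
    c, s = b"\x0a\x01\x00\x01", b"\x0a\x02\x00\x01"
    print("symmetric fwd/rev links: ", session_links(c, s, 40001, 443, 4, True))
    print("asymmetric fwd/rev links:", session_links(c, s, 40001, 443, 4, False))
    flows = sample_flows()
    print("same seed on both stages:  ", second_stage_spread(flows, 0))
    print("different seed on stage 2: ", second_stage_spread(flows, 0x9E3779B9))
```

With the same seed at both stages, everything spine 0 received hashes to the same spine downlink again (the second column is zero): that is hash polarization, and the seed change is what breaks it. Symmetric hashing matters for stateful tools such as IDS sensors, which need both directions of a session on the same link.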
Refined Load Balancing
In addition to optimizing load balancing through hash methods, we also support the following four load balancing strategies:
- Static: Distributes traffic by fixed rules or round-robin. It is simple, has minimal overhead, and is deterministic and predictable when the traffic model is stable.
- Weighted: Distributes traffic according to preset weight ratios that reflect link bandwidth or node processing capacity. This solves the problem of heterogeneous devices or links coexisting in one group: higher-capacity links carry proportionally more traffic, so existing hardware is fully used.
- Resilient/Flexible: When a link fails or is added, only the flows on the affected link are remapped (consistent-hashing behaviour); all other flows keep their path. This greatly reduces the disruption a topology change otherwise causes (connection interruptions, retransmissions), making it ideal for long-lived connections.
- Standby: Uses a “primary link active, backup link silent” mechanism. It ensures high business continuity. By modifying link priorities, traffic can quickly switch to the backup link in case of a primary path failure, designed specifically for core, critical business services with zero-tolerance for interruptions.
These four complementary load balancing methods provide the core benefit of achieving “deep alignment between business scenarios and forwarding logic”:
- Full-Scenario Coverage: Whether the goal is the raw performance of static allocation or the stability of the resilient algorithm, a suitable option is available.
- Maximized Resource Utilization: The weighted mechanism addresses the “bottleneck effect” caused by hardware specification discrepancies, ensuring that every megabit of bandwidth is fully utilized.
- High Reliability and Flexibility: By combining the anti-jitter capabilities of Resilient and the redundancy capabilities of Standby, the network is self-healing when faced with failures.
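The four strategies map onto well-known link-selection algorithms. The following added example, not product code, implements each one: round-robin for Static, a weighted slot table for Weighted, rendezvous (highest-random-weight) hashing for Resilient, and priority selection for Standby. It also measures how many flows move when one tool fails under resilient hashing versus plain hash-modulo. Tool names, weights, priorities and flows are constructed.

```python
import hashlib
import itertools


def hash64(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:8], "big")


class ToolGroup:
    """Four ways to pick an output link (tool) for a flow."""

    def __init__(self, links):
        # links: {name: weight}; weight reflects link bandwidth or tool capacity
        self.links = dict(links)
        self.active = set(links)
        self._rr = itertools.cycle(sorted(links))
        # weighted: a virtual slot table with `weight` slots per link
        self._slots = [name for name in sorted(links) for _ in range(links[name])]

    def static(self) -> str:
        """Round-robin over all members, one pick per call."""
        return next(self._rr)

    def weighted(self, flow_id: bytes) -> str:
        """Flow-hash into the slot table, so traffic share follows the weights."""
        return self._slots[hash64(flow_id) % len(self._slots)]

    def modulo(self, flow_id: bytes) -> str:
        """Plain hash-modulo over active links: a membership change remaps most flows."""
        members = sorted(self.active)
        return members[hash64(flow_id) % len(members)]

    def resilient(self, flow_id: bytes) -> str:
        """Rendezvous hashing: each flow scores every active link and takes the
        best, so losing a link only moves the flows that were on that link."""
        return max(sorted(self.active), key=lambda name: hash64(flow_id, name.encode()))

    def standby(self, priority) -> str:
        """Highest-priority active link; priority: {name: int}, larger is preferred."""
        return max(self.active, key=lambda name: priority[name])

    def fail(self, name: str) -> None:
        self.active.discard(name)


def remap_counts(n_flows=1000):
    """How many flows change link when tool-3 fails, under modulo vs resilient."""
    flows = [f"flow-{i}".encode() for i in range(n_flows)]
    g = ToolGroup({"tool-1": 1, "tool-2": 1, "tool-3": 1, "tool-4": 1})
    before_mod = {f: g.modulo(f) for f in flows}
    before_res = {f: g.resilient(f) for f in flows}
    g.fail("tool-3")
    moved_mod = sum(before_mod[f] != g.modulo(f) for f in flows)
    moved_res = sum(before_res[f] != g.resilient(f) for f in flows)
    on_failed = sum(v == "tool-3" for v in before_res.values())
    return moved_mod, moved_res, on_failed


def weighted_share(n_flows=10000):
    """Flow count per link when a 100G tool is weighted 4x a 25G tool."""
    g = ToolGroup({"tool-100g": 4, "tool-25g": 1})
    counts = {"tool-100g": 0, "tool-25g": 0}
    for i in range(n_flows):
        counts[g.weighted(f"flow-{i}".encode())] += 1
    return counts


if __name__ == "__main__":
    print("moved flows (modulo, resilient, flows on failed link):", remap_counts())
    print("weighted share:", weighted_share())
    g = ToolGroup({"fw-primary": 1, "fw-backup": 1})
    prio = {"fw-primary": 10, "fw-backup": 5}
    before = g.standby(prio)
    g.fail("fw-primary")
    print("standby before/after failure:", before, "->", g.standby(prio))
```

Resilient mode moves exactly the flows that were on the failed tool (about a quarter of them with four members), while hash-modulo moves roughly three quarters, which is why long-lived sessions on a stateful tool break under modulo but survive under resilient hashing.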
Fine-grained ACL Filtering Strategy
As previously mentioned, the Network Packet Broker powered by SONiC-PB APP solution also offers detailed filtering capabilities by supporting more fields, as follows:
- Filtering by packet type: VLAN, MPLS, GRE, VXLAN, SSL/TLS, IPIP, IPIP6, IP6IP, IP6IP6, Teredo, IPsec AH, IPsec ESP, FTP, POP3, SMTP, DNS, RADIUS, CoAP, PPTP, L2TP, HTTPS, ICMP, BGP, OSPF, IS-IS, GTP, SCTP.
- URL rules.
- TCP flag rules: FIN, SYN, RST, PSH, ACK, URG, ECE (the ECN-Echo flag, written "ECN" in the feature list), CWR and NS (the ECN nonce-sum bit).
The ability to support such refined ACL filtering strategies allows the NPB device to not only meet complex traffic management requirements but also help enterprises improve network security, performance, and controllability through efficient, flexible configurations. This ensures that network traffic is reasonably and effectively managed and protected.
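For TCP flag rules the details that matter are which flags must be set, which must be clear, that unmentioned flags are wildcards, and that the ninth flag (NS) lives in a different header byte from the other eight. The following added example, not product code, shows a first-match rule table over the 9-bit flag field; the rule names, actions and sample headers are constructed.

```python
import struct

# 9-bit TCP flag field: NS is the low bit of header byte 12, the rest are byte 13.
TCP_FLAGS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
             "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}


def tcp_flags(tcp_header: bytes) -> int:
    return ((tcp_header[12] & 0x01) << 8) | tcp_header[13]


def flag_rule(name, must_set=(), must_clear=(), action="to-tool"):
    """A rule matches when every must_set flag is on and every must_clear flag
    is off; flags not mentioned are wildcards."""
    set_mask = sum(TCP_FLAGS[f] for f in must_set)
    clear_mask = sum(TCP_FLAGS[f] for f in must_clear)
    return {"name": name, "set": set_mask, "clear": clear_mask, "action": action}


# Order matters: the ECN rule sits before "syn-only", which would also match it.
RULES = [
    flag_rule("null-scan", must_clear=tuple(TCP_FLAGS), action="to-ids"),
    flag_rule("xmas-scan", must_set=("FIN", "PSH", "URG"), action="to-ids"),
    flag_rule("ecn-negotiation", must_set=("SYN", "ECE", "CWR"), action="to-tool"),
    flag_rule("syn-only", must_set=("SYN",), must_clear=("ACK",), action="to-ids"),
    flag_rule("reset", must_set=("RST",), action="to-tool"),
]


def classify(tcp_header: bytes, rules=RULES, default="drop"):
    """First matching rule wins, like a TCAM ACL; returns (rule name, action)."""
    flags = tcp_flags(tcp_header)
    for r in rules:
        if flags & r["set"] == r["set"] and flags & r["clear"] == 0:
            return r["name"], r["action"]
    return None, default


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header; only the flag bits matter here."""
    offset_ns = (5 << 4) | ((flags >> 8) & 0x01)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset_ns, flags & 0xFF, 65535, 0, 0)


if __name__ == "__main__":
    for label, flags in (("SYN", 0x002), ("SYN+ECE+CWR", 0x0C2), ("SYN+ACK", 0x012),
                         ("no flags", 0x000), ("FIN+PSH+URG", 0x029), ("NS only", 0x100)):
        print(f"{label:12s} -> {classify(tcp_header(40000, 443, flags))}")
```

A SYN+ACK matches none of the rules and falls to the default, which is the behaviour to check first when a rule set unexpectedly drops the return half of every handshake.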
Features Based on SONiC and Ethernet Switch
Beyond the standard features, advanced features and scenario-based refinements of the Network Packet Broker powered by SONiC (PB-APP) solution, we have added the following capabilities that build on SONiC and the Ethernet switch itself.
DevOps: Ansible with Templates to Accelerate 10K-Rule Policy Changes
Traditional NPBs are configured in bulk through a Web UI or CLI. The Network Packet Broker powered by SONiC (PB-APP) solution adds DevOps-style automation: it fully supports the Ansible cliconf plugin and the asternos_command module, which can be invoked directly from Ansible playbooks.
To make this process even more convenient, we provide Ansible playbook templates to improve the deployment efficiency of your packet broker.
With Ansible Playbooks, the operations team can automate and centralize the deployment and management of thousands of policies on the NPB, enabling “one-click operations” and solving the issue of complex and inefficient policy management.
In summary, the PB-APP solution for packet brokers provides the following operational features:
- Provides Ansible Templates to accelerate deployment and migration.
- Full support for the cliconf plugin and asternos_command module to be directly invoked in Ansible Playbooks.
- Retains the traditional Web UI/CLI methods.

Packet Broker Data Visualization – Prometheus and Grafana Template
Through the AsterNOS Prometheus Exporter and Grafana integration, we provide powerful real-time monitoring and visualization capabilities. This makes it easy to monitor CPU usage, traffic rates, packet drops, etc., addressing the lack of a unified monitoring view in traditional packet brokers.
We provide:
- Prometheus exporter on Enterprise SONiC – AsterNOS: Exports all telemetry from AsterNOS to Prometheus.
- Grafana dashboard template: a JSON dashboard that can be imported into an existing Grafana instance, so the NPB appears in the same monitoring view as the rest of the environment.
- Classic SNMP management and RESTful API methods are still supported.

Securing Sensitive Traffic at Line-Rate by MACsec
MACsec (Media Access Control Security, IEEE 802.1AE) encrypts and authenticates Ethernet frames at the data link layer, encapsulating the original frame with an integrity tag and, optionally, an encrypted payload.
To counter eavesdropping on long-distance links, such as ISP dark fiber, we use the native hardware capability of the SONiC switch to bring MACsec into the packet broker, protecting the data link layer inside the NPB network. Note that MACsec is hop-by-hop: it protects the link between two MACsec-capable ports, so every segment that crosses untrusted fiber needs its own MACsec session, and traffic is in the clear inside each NPB node.
Benefits:
- Uses the switch's native hardware encryption, at no extra cost.
- Line-rate encryption with minimal resource consumption.
- Protects long-distance transmission links.

Flowlet Load Balancing to Absorb Elephant-Flow Bursts
In addition to the four load-balancing strategies above (Static, Weighted, Resilient, Standby), we have introduced ARS (Adaptive Routing and Switching) flowlet technology in the NPB fabric for dynamic load balancing.
Data center traffic often contains bursty, high-volume flows, so-called elephant flows. With conventional per-flow hashing an elephant flow pins to a single link, which can congest and drop packets while other links sit idle.
With ARS flowlets, the NPB tracks link state and splits each elephant flow into flowlets: bursts of packets separated by an idle gap longer than a configured threshold. Each new flowlet can be sent on a different member of the LAG, chosen by current link load. Because the gap between flowlets exceeds the latency difference between the paths, a later flowlet cannot overtake an earlier one, so packets still arrive in order at the tool.

As shown in the diagram, in the LAG on Leaf1:
- Before flowlets: The entire elephant flow is hashed onto one LAG member. When that link is busy it overloads while the other members stay idle, leading to congestion and packet loss.
- After enabling flowlets: The elephant flow is split into flowlets, and the Network Packet Broker powered by SONiC (PB-APP) schedules each flowlet according to link state. Different flowlets can take different LAG members, so all members share the forwarding load.
This uses the full LAG bandwidth, reduces congestion, raises link utilization, and keeps the monitoring data complete and continuous.
In the NPB network, what does introducing Flowlet bring you?
- ARS Flowlet ensures even traffic distribution across NPB Fabric links, reducing latency.
- Solves bursty elephant flow issues within the NPB network.
- Guarantees complete and continuous data flow capture by backend monitoring tools.
- Improves network link utilization in NPB Fabric.
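The ordering argument and the load split can be checked with a small simulation. The following is an added example, not product code: it splits a constructed bursty flow into flowlets by inter-packet gap, places each flowlet on the currently least-loaded LAG member, and counts reordering for a constructed set of per-member path latencies. It also shows why per-packet spraying, unlike flowlets, reorders packets. The burst shape, gap threshold and latencies are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int        # position in the flow
    ts_us: float    # departure time at the LAG, microseconds
    size: int       # bytes


def split_flowlets(packets, gap_us: float):
    """Group packets of one flow into flowlets: a gap >= gap_us starts a new one."""
    flowlets, current = [], []
    for p in packets:
        if current and p.ts_us - current[-1].ts_us >= gap_us:
            flowlets.append(current)
            current = []
        current.append(p)
    if current:
        flowlets.append(current)
    return flowlets


def schedule(packets, n_links: int, gap_us):
    """Assign each flowlet to the least-loaded LAG member at the time it starts.
    gap_us=None keeps the whole flow on one link (plain flow hashing);
    gap_us=0.0 makes every packet its own flowlet (per-packet spraying)."""
    load = [0] * n_links
    link_of = {}
    groups = [packets] if gap_us is None else split_flowlets(packets, gap_us)
    for group in groups:
        link = min(range(n_links), key=lambda i: load[i])
        for p in group:
            link_of[p.seq] = link
            load[link] += p.size
    return link_of


def reorders(packets, link_of, latency_us):
    """Count packets that arrive before an earlier packet of the same flow."""
    count, latest = 0, -1.0
    for p in packets:
        arrival = p.ts_us + latency_us[link_of[p.seq]]
        if arrival < latest:
            count += 1
        latest = max(latest, arrival)
    return count


def elephant_flow(n_bursts=4, burst_len=50, intra_us=1.0, inter_us=100.0):
    """Constructed bursty elephant flow: bursts of back-to-back packets separated
    by idle gaps of inter_us."""
    packets, t, seq = [], 0.0, 0
    for _ in range(n_bursts):
        for _ in range(burst_len):
            packets.append(Packet(seq, t, 1500))
            seq += 1
            t += intra_us
        t += inter_us - intra_us
    return packets


def per_link_packets(link_of, n_links):
    counts = [0] * n_links
    for link in link_of.values():
        counts[link] += 1
    return counts


# Constructed per-member path latencies; the skew between members is 50 us.
LATENCY_US = [10.0, 40.0, 25.0, 60.0]

if __name__ == "__main__":
    pkts = elephant_flow()
    for label, gap in (("flow hash", None), ("per-packet spray", 0.0), ("flowlet, gap 60us", 60.0)):
        link_of = schedule(pkts, 4, gap)
        print(f"{label:18s} per-link={per_link_packets(link_of, 4)} "
              f"reorders={reorders(pkts, link_of, LATENCY_US)}")
```

The flowlet gap threshold (60 us here) has to exceed the latency skew between LAG members (50 us); set it lower and flowlets start overtaking each other just as spraying does, set it far higher and long bursts stop being split at all.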
After covering the features and extensions above, let’s now look at how SONiC switch hardware and packet brokers can work together more effectively.
This will be explained from three aspects:
- Integrated Packet Broker with Basic + Advanced Features for SMB
- Industry’s Fastest 800G Packet Broker and High-Density Devices
- Inline Deployment Mode of Packet Broker Enabled by SONiC Switch Characteristics
Integrated SMB Solution with Optional DPU
The core requirement of SMB (small and medium business) users is simplicity, low cost and a one-stop solution, so for SMB or edge networks an integrated device reduces cost.
The integrated device provides:
- Hardware: a switch with roughly 2 Tbps of switching capacity plus up to two optional Marvell Octeon DPUs, each with 100G of processing capability.
- Software:
  - Switch: AsterNOS + PB-APP for the standard features
  - DPU: a NOS with the advanced packet broker features, or other open-source software

With Enterprise SONiC AsterNOS on the switch and the advanced NOS on the DPU, this one device covers the needs of an SMB.
The design balances cost and performance for small and medium enterprises and edge networks. For further cost reduction the DPU can be omitted, or only selected advanced features enabled.
For SMBs this is a smart investment: one device handles network transport, traffic collection and traffic analysis, reducing initial hardware spend and operating cost.
Industry-Leading 800G and 512 High-Density Port Packet Broker
A Network Packet Broker built on SONiC switches inherits their port density and port speed. Our 64 x 800G NPB device, which to our knowledge is currently the only 800G NPB in the industry, handles the traffic peaks of AI large-model training and hyperscale cloud data centers, filling the gap for 800G visibility.
With breakout cables the same device becomes a 512 x 100G high-density port device, so a large number of analysis tools and traffic sources can be connected at a very low per-port cost. In short, a packet broker based on SONiC and a general-purpose switch ASIC is not only a high-speed switch but a future-proof, high-density packet broker for multi-source, multi-tool scenarios that keeps pace as your infrastructure evolves.
The Shift from Passive to Active Inline Deployment
A less obvious benefit: the inline deployment mode of our packet broker can save costly ZR optical modules.

As shown in the diagram above, a traditional packet broker is attached to the production network out of band by tapping the DCI link itself, so it must terminate the long-haul optics on both sides: 4 costly 400G ZR modules between the DC side and the packet broker. In inline mode the packet broker is placed inside the data center room on the Layer 2 side of the DCI router, so only 400G VR/SR modules are needed between the NPB and the DCI equipment, saving 2 x 400G ZR modules and reducing deployment cost.
Inline mode also lets the NPB's traffic-tagging capability drive traffic orchestration and security service chaining. Security devices on the egress path (firewalls, IPS, ADCs and similar) no longer have to be wired in series: the NPB health-checks each tool, monitors its status in real time, and if a device fails re-steers its share of the traffic to the remaining load-balanced devices, preserving both visibility and connectivity. Whether traffic is dropped (fail-closed) or passed unprotected (fail-open) when no healthy tool remains in a group is a policy decision that must be made explicitly for each chain.
As shown in the diagram below, firewall load balancing with health checks lets another firewall keep securing traffic if one firewall goes down.

In summary, based on the content above, deploying a network packet broker powered by SONiC in an inline mode within the network brings the following benefits:
- It reduces the number of 400G ZR optical modules needed in WAN and DCI scenarios, as described above.
- Traffic orchestration and security service chaining can run on the packet broker, giving large-scale deployments of firewalls, intrusion prevention systems (IPS) and next-generation firewalls (NGFW) the infrastructure they need.
- The topology is simpler, with no dependence on passive optical splitters or serial optical bypass devices.
- The packet broker is no longer a passive observer: running the battle-tested Enterprise SONiC AsterNOS, it can sit in the forwarding path. Since an inline NPB then becomes part of the production path, it should be deployed with the same redundancy (paired devices, redundant links) as the switches around it.
Conclusion: Key Benefits
After reading the above content, you should now understand the advantages of the Network Packet Broker powered by SONiC – PB APP solution, and why customers choose us. In summary, the key advantages of our solution are as follows:
- Standard Ethernet Switch Hardware: Built on standard Ethernet switch hardware, with switch ASIC providing hardware support. The product evolves alongside the switch, ensuring no separate product line end-of-life (EOL).
- Open Network Architecture: Based on SONiC’s open ecosystem, with a standardized, containerized NOS that can be flexibly deployed. Software deployment is flexible, similar to installing apps on a mobile phone, allowing easy extension of packet broker functionality on top of the NOS.
- Flexible Hardware Deployment: Packet broker functionality can be deployed flexibly. Standard features can be deployed on SONiC switches, or advanced features can be deployed through optional Marvell Octeon DPU.
- Feature Variety: Includes standard functions like traffic aggregation, filtering, replication, load balancing, as well as advanced features like Packet Deduplication, IP Fragment Reassembly, TCP Out-of-Order Reassembly, and more refined policies for filtering, load balancing, and tunnel encapsulation/decapsulation.
- Operational Capability: DevOps-focused support with Ansible template integration, combined with Web UI deployment methods, and packet broker traffic visualization via Prometheus and Grafana templates.
- Enhanced Network Security: Strengthened security at the data link layer with MACsec capability, leveraging switch ASIC line-speed encryption.
- Industry-Leading High-Speed 800G Packet Broker: Based on SONiC switches, our solution includes the world’s leading 800G packet broker and 512 x 100G high-density packet brokers, enabling effective traffic monitoring and analysis in data center networks.
- Cost Reduction: Lower costs due to the use of standard switch ASICs, open-source SONiC software, and the flexible deployment model that reduces the need for ZR optical modules. Additionally, the integrated packet broker and switch solution for SMBs provides significant cost savings.
- Full Range of Switch Support: Complete hardware support for campus and data center switches, covering a range from 1G to 800G.
We always look forward to your feedback and insights, and how our solution can further empower your business!

Therefore, considering aspects such as coverage, standardization, foresight, scalability, flexibility, efficiency, and cost, the Network Packet Broker Powered by SONiC/PB-APP Solution is undoubtedly the future direction of packet broker development. This solution, built from practical experience with AsterNOS on SONiC switches, is also the reason why so many customers choose us.
Contact US !
- To request a proposal, send an E-Mail to bd@cloudswit.ch
- To receive timely and relevant information from Asterfusion, sign up at AsterNOS Community Portal
- To submit a case, visit Support Portal
- To find user manuals for a specific command or scenario, access AsterNOS Documentation
- To find a product or product family, visit Asterfusion-cloudswit.ch

