P-Series (10 Gigabit Ethernet IP Services Interface)

Overview

High Performance Traffic Inspection, Monitoring, and Capture at 10 Gbps

The Force10 P-Series 10 Gigabit Ethernet (10 GbE) IP services interface is the first to deliver comprehensive deep packet inspection for line-rate 10 GbE applications. Based on patented Dynamic Parallel Inspection (DPI) technology, the P-Series NIC uses an innovative, new processing architecture to simultaneously apply thousands of rules to each packet. Through the use of an FPGA-based rule engine, the P-Series NIC features dynamically reprogrammable hardware rules to deliver predictable performance and total signature flexibility under all traffic conditions.

Using an open development framework, the P-Series NIC supports Open Source and customizable network monitoring applications, enabling users to specify capture and filtering policies from public domain signatures, standard network monitoring libraries, or user-defined custom rule bases.

Key P-Series Applications

  • Pre-processing and stateful filtering capabilities scale existing solutions to 10 GbE
  • Open application program interface for creating custom line-rate monitoring, packet capture, and network security applications
  • IP routing, gateway, and IPv4/IPv6 forwarding services
  • 10 Gigabit packet rewrite functionality

Force10 P-Series security filter

Key P-Series Features

  • Line-rate 10 GbE deep packet inspection with support for jumbo frames and LAN or WAN PHY
  • Ethernet Frame Decapsulation (EFD) removes 802.1Q or MPLS headers and passes the raw Ethernet frame with a correct CRC through to devices that cannot understand the encapsulated frame
  • Up to 16 Virtual Network Interfaces (VNIs) support independent Layer 3–7 rules for parallel filtering or analysis applications running simultaneously
  • Modify, add, or remove rules in hardware dynamically and in real time, based on application detection of malicious traffic, without affecting performance or losing traffic inspection
  • Support for both active inline and passive monitor/capture deployments
  • Copy matched packets to internal applications via DMA or external analyzers via Gigabit Ethernet ports
  • Extensive counters for VLAN, subnet and zone-based rules

Flexible Inspection Capabilities

The P-Series NIC runs at line-rate for 10 GbE network links with full deep-packet inspection and stateful signatures/policies enabled. Anchored content constructs allow flexible custom rules to be written that match the Layer 7 payload at a specific offset from the packet header, or offset from a pattern in the packet.

Line-rate and Low Latency Performance

As a pure hardware-based inspection system, the P-Series NIC is inherently 100% predictable in how operations are performed and always compiles a rule base that runs at line-rate. This leads to identical performance, throughput, and latency under any traffic load, and with any number of rules applied.

Management

Text-based rule management screen that enables users to:

  • Start and stop the interface; turn each rule on and off
  • Manage runtime parameters such as flow length and timeout
  • Set capture/ignore and block/forward policies for each rule

Web-based Node Manager with support for:

  • Rule and image management
  • Traffic and counter monitoring
  • System status and health monitoring

Integration with Sguil, an Open Source network security monitoring and reporting system that provides the ability to:

  • Collect, monitor, and correlate security events/alerts in the network
  • Analyze security events based on context
  • Categorize and escalate events for intrusion response decisions

Monitoring statistics with the P-Series Node Manager

Force10 P-Series line-rate and low latency performance