BOMwiki the bill-of-materials encyclopedia

Network Packet Broker Product

Overview

A Network Packet Broker (NPB) is a specialized appliance that receives tapped network traffic, filters it, and distributes copies to security monitoring tools (intrusion detection, SIEM, packet analyzers) without affecting the production path. Unlike a traditional TAP (Test Access Point), which passively splits the signal, an NPB actively selects and transforms packets according to policy, reducing tool load and cost.

Network security teams need visibility into traffic entering and leaving the data center to detect breaches, but delivering the full 1.2 Tbps aggregate to every tool is expensive and floods analysts with alerts. An NPB sits between the capture points and the tools: it receives full traffic from SPAN (Switched Port Analyzer) sessions or optical taps, filters it down to the flows each tool needs (intrusion candidates, policy violations), and sends only those subsets onward. This typically reduces traffic to each tool by 10–100x and lets each tool spend its capacity on traffic it can actually analyze rather than on noise.

How it works

The Packet Input Stage connects to the core network via 12 QSFP28 ports (100 Gbps each). Each port accepts a QSFP28 optical transceiver carrying either a SPAN copy of live traffic from a production switch or the split-off light from a passive optical tap inserted into a production fiber link.

The Multi-Lane SerDes ASIC deserializes the incoming high-speed serial signals into parallel packet data. Each QSFP28 link carries 100 Gbps as four lanes at 25.78 Gbaud; the SerDes recovers clock and data from each lane and outputs a packet stream. The 64 GB Input Buffer DRAM absorbs arrival-rate bursts, so short spikes above the filter stage's throughput are queued rather than dropped; sustained oversubscription still drops packets, so the buffer is not a substitute for sizing the filter and egress stages to the real traffic rate.

Once packetized, traffic enters Filtering and Flow Selection. The filter ASIC matches on header fields at Layers 2–4 (MAC addresses, VLAN, IP addresses, protocol, ports). For example, a rule might state: "forward HTTP packets (TCP port 80) from subnet 10.1.0.0/16 to the SIEM tool." The engine uses a ternary CAM (TCAM), a hardware structure in which each rule is stored as a fixed-width value/mask pair covering fields such as IPv4 source and destination address, protocol and ports; masked-out bits act as wildcards. A lookup compares the packet's header key against every loaded rule (on the order of a million entries) in parallel in a single ASIC cycle (roughly 5 ns) and returns the highest-priority hit. Because a TCAM matches fixed-offset fields, a rule keyed on a variable-offset Layer 7 string such as an HTTP User-Agent header cannot be expressed as a single TCAM entry; that kind of match needs a separate payload pattern-matching stage.
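The value/mask matching described above, as an added example that is not code from the page or from any NPB vendor. It models the TCAM in software: a 104-bit key is packed from the IPv4 5-tuple (the field layout and widths are assumptions for this example), each rule is a value/mask pair built from CIDR prefixes and exact ports, and a lookup returns the first matching rule in priority order, which is what the hardware's parallel compare plus priority encoder produces. The sample policy in `build_policy()` is constructed for illustration.

```python
"""TCAM-style value/mask matching over an IPv4 5-tuple key.

Added example, not code from the page or any NPB vendor. The key layout,
field widths and the sample policy are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Key layout, most significant field first: 32+32+8+16+16 = 104 bits (assumed).
FIELDS = (("src", 32), ("dst", 32), ("proto", 8), ("sport", 16), ("dport", 16))
KEY_BITS = sum(width for _, width in FIELDS)


def pack_key(src: str, dst: str, proto: int, sport: int, dport: int) -> int:
    """Pack a packet's header fields into the integer key the TCAM compares."""
    values = {"src": int(ipaddress.IPv4Address(src)),
              "dst": int(ipaddress.IPv4Address(dst)),
              "proto": proto, "sport": sport, "dport": dport}
    key = 0
    for name, width in FIELDS:
        key = (key << width) | (values[name] & ((1 << width) - 1))
    return key


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # the output / tool this rule steers to, or "drop"
    value: int    # bits that must match ...
    mask: int     # ... wherever the mask bit is 1; 0 bits are wildcards


def make_rule(name: str, action: str, *, src: Optional[str] = None,
              dst: Optional[str] = None, proto: Optional[int] = None,
              sport: Optional[int] = None, dport: Optional[int] = None) -> Rule:
    """Build a ternary rule. IP fields take CIDR prefixes; None means wildcard."""
    spec = {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    value = mask = 0
    for field, width in FIELDS:
        v = m = 0
        if spec[field] is not None:
            if field in ("src", "dst"):
                net = ipaddress.IPv4Network(spec[field], strict=False)
                v, m = int(net.network_address), int(net.netmask)
            else:
                v, m = int(spec[field]), (1 << width) - 1
        # Store only masked-in bits in the value, as a real TCAM entry would.
        value = (value << width) | (v & m)
        mask = (mask << width) | m
    return Rule(name, action, value, mask)


def lookup(rules: List[Rule], key: int) -> Optional[Rule]:
    """Hardware compares every entry in parallel and reports the highest-priority
    hit; here priority is list order, so the first matching rule wins."""
    for rule in rules:
        if key & rule.mask == rule.value:
            return rule
    return None


def build_policy() -> List[Rule]:
    """Sample policy (assumed). Order matters: the drop rule for the development
    VLAN's subnet comes first so it beats the broader forwarding rules."""
    return [
        make_rule("dev-subnet-noise", "drop", src="10.200.0.0/16"),
        make_rule("corp-to-siem", "siem", src="10.1.0.0/16"),
        make_rule("dns-queries", "dns-analyzer", proto=17, dport=53),
        make_rule("https-to-ids", "ids", proto=6, dport=443),
        make_rule("default", "drop"),   # all-wildcard catch-all
    ]


def classify(rules: List[Rule], src: str, dst: str, proto: int,
             sport: int, dport: int) -> str:
    """Action the policy assigns to a packet with these header fields."""
    rule = lookup(rules, pack_key(src, dst, proto, sport, dport))
    return rule.action if rule else "no-match"
```

Two things to check when reviewing a real rule set are visible here: the value must be zero wherever the mask is zero (an entry violating that can never match), and rule order is the priority, so a broad forwarding rule placed above a narrow drop rule silently defeats the drop.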

Matched packets are assigned a "flow identifier" and metadata (ingress port, VLAN, flow color). The Metadata Coprocessor optionally adds a VLAN tag or GRE header (ERSPAN protocol) so that receiving tools can identify which production switch port the traffic came from. A nanosecond-precision timestamp is also appended.

The enriched packet then enters the Switching Fabric, a non-blocking crossbar: any set of input ports can be connected to any set of distinct output ports at the same time, so a flow bound for one tool never waits behind traffic bound for another. Contention still arises when several inputs target the same tool port at once; the 32 GB Fabric Buffer DRAM and the Scheduling Arbiter queue and order those packets. The fabric has 1.2 Tbps internal capacity, matching the aggregate of the 12 ingress ports, so it is not a bottleneck even with every input saturated.

The Packet Output Stage adapts the internal 100 Gbps streams to tool interface speeds. Some tools accept 100 Gbps (high-end IDS), but most accept only 25 Gbps (mid-range) or 10 Gbps (cost-optimized). The Egress SerDes ASIC rate-adapts, and the 32 GB Egress Buffer queues packets waiting for slower tool ports. The buffer only covers bursts: a tool port that is oversubscribed for longer than the buffer can hold will see drops, so the filtering and trimming upstream must bring each tool's sustained rate under its line rate.

An optional Deduplication Engine removes duplicate packets. If two taps see the same packet, the NPB hashes the packet's contents with the fields that legitimately differ between the two copies masked out (Ethernet addresses, VLAN tag, IP TTL and the IP header checksum that depends on it), remembers recent hashes for a short time window, and forwards only the first copy. Hashing only the IP 5-tuple would not work: every packet of a flow shares its 5-tuple, so a flow's second packet would be discarded as a "duplicate". Duplicates are common when both ends of a link are tapped, when SPAN sessions on two switches along the same path each copy a packet, or when a SPAN session mirrors both ingress and egress of the same port.

The Payload Trimmer IC truncates packets to a header-only length (128 bytes) to cut storage cost. Flow and metadata tools (NetFlow/IPFIX generators, traffic analytics) need only the headers (IP source/destination, ports, protocol), and full-packet stores spend most of their capacity on payload (web page content, email text) that is rarely examined; trimming cuts that storage by roughly 10x. Trimming is configured per output, not globally: signature-based IDS and malware-detonation tools need the payload and must receive untrimmed packets.

Policy Engine and Rule Examples

Rules are configured via a REST API or the web GUI served by the ARM Cortex-A72 management processor. Example rules:

  • Forward all traffic to/from subnet 10.1.0.0/16 to the SIEM.
  • Forward DNS queries (UDP 53) to the DNS analyzer tool.
  • Forward HTTP responses (TCP source port 80) whose payload begins with "HTTP/1.1 301" to the threat investigation tool (a payload match, which needs the pattern-matching stage rather than a header-only TCAM entry).
  • Load-balance HTTPS traffic (TCP 443) across two IDS instances by hashing each flow (analogous to ECMP) so that both directions of a connection reach the same instance.
  • Drop all traffic from the internal development VLAN (VLAN tag match) to reduce noise.

Rules are compiled into the filter ASIC's match-action format and loaded into the 16 MB Rule Memory SRAM. Updates are hitless: the ASIC builds the new rule set alongside the old one and switches over atomically, so no packet is lost or matched against a half-updated table.
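The load-balancing rule above (HTTPS across two IDS instances) only works if the hash that picks the instance is direction-insensitive. The following added example, which is not code from the page or any vendor, shows the failure and the fix: a hash over the fields in packet order sends a connection's two directions to different instances whenever they hash differently, while canonicalising the two endpoints before hashing keeps every connection on one instance. The tool count and the sample flows are assumptions; a keyed BLAKE2b digest is used instead of Python's salted `hash()` so results are stable across runs.

```python
"""Flow-symmetric load balancing across IDS instances.

Added example, not from the page. The tool count and sample flows are
assumed. Shows why the tool-selection hash must be symmetric: a TCP
connection's return direction swaps source and destination, and if the two
directions land on different IDS instances each one sees only half the
conversation and cannot reassemble the stream.
"""
import hashlib
import ipaddress
from typing import Callable, List, Tuple

Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)


def _digest(data: bytes) -> int:
    """Deterministic 64-bit digest (unlike hash(), not per-process salted)."""
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def naive_bucket(flow: Flow, n_tools: int) -> int:
    """Direction-sensitive: hashes the fields in packet order."""
    src, sport, dst, dport = flow
    return _digest(f"{src}:{sport}>{dst}:{dport}".encode()) % n_tools


def symmetric_bucket(flow: Flow, n_tools: int) -> int:
    """Direction-insensitive: sort the two endpoints before hashing so the
    forward and return packets of one connection produce the same key."""
    src, sport, dst, dport = flow
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return _digest(f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()) % n_tools


def reverse(flow: Flow) -> Flow:
    """The return direction of a flow."""
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


def split_flows(bucket: Callable[[Flow, int], int], flows: List[Flow],
                n_tools: int) -> List[Flow]:
    """Flows whose forward and return directions land on different tools."""
    return [f for f in flows if bucket(f, n_tools) != bucket(reverse(f), n_tools)]


def sample_flows(count: int = 200) -> List[Flow]:
    """Constructed sample: clients in 10.1.0.0/16 on ephemeral ports talking
    to HTTPS servers in 203.0.113.0/24."""
    return [(f"10.1.{i // 250}.{i % 250 + 1}", 49152 + i,
             f"203.0.113.{i % 250 + 1}", 443) for i in range(count)]


if __name__ == "__main__":
    flows = sample_flows()
    for name, fn in (("naive", naive_bucket), ("symmetric", symmetric_bucket)):
        print(f"{name}: {len(split_flows(fn, flows, 2))} of {len(flows)} "
              "connections split across the two IDS instances")
```

Hardware implementations usually get the same symmetry more cheaply by hashing `src ^ dst` and `sport ^ dport` rather than sorting; the property to verify on any NPB is the one `split_flows` checks, that the return packet of every connection lands on the tool that received the forward packet.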

Deduplication and Cost Reduction

Data centers with redundant switches have multiple paths through the network, and when both paths (or both ends of one link) are tapped, a single packet arrives on two NPB input ports. The deduplication engine hashes each packet's contents with the per-hop fields (Ethernet addresses, VLAN tag, IP TTL and header checksum) masked out and checks the hash against a cache of recently seen packets in SRAM; a Bloom filter can front the cache to reject most never-seen packets cheaply, at the cost of occasional false positives that drop a genuinely new packet, so its size must be matched to the packet rate and window. A copy whose hash was already seen inside the window is suppressed, which halves tool ingestion in typical deployments.
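The deduplication logic described in this section and under "How it works", as an added example that is not code from the page or from any NPB vendor. It builds two copies of one packet as they would arrive from two tap points (same content, different TTL and therefore different IP header checksum), shows that a content hash with those per-hop fields masked recognises them as one packet while a 5-tuple hash would also collapse the next, distinct packet of the same connection, and runs a windowed cache that forwards only the first copy. The packet builder and all packets are constructed test data.

```python
"""Duplicate suppression for packets tapped on two paths.

Added example, not from the page; the packet builder and sample packets
are constructed test data. The two copies of a packet reach the NPB from
different switch ports, so per-hop fields (IP TTL and the header checksum
that depends on it; at Layer 2 also the MACs and VLAN tag, omitted here)
legitimately differ. The dedup key hashes the IPv4 header with TTL and
checksum zeroed plus everything after it.
"""
import hashlib
import struct
from collections import OrderedDict


def _ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header (checksum field 0)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, ttl: int, ident: int, sport: int,
                 dport: int, seq: int, data: bytes) -> bytes:
    """IPv4 header + minimal TCP header + data, with a correct IP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + data
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000,
                      ttl, 6, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def dedup_key(pkt: bytes) -> bytes:
    """Content hash with the per-hop IPv4 fields masked out."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8] = 0                  # TTL: decremented at every router hop
    hdr[10:12] = b"\x00\x00"    # header checksum: recomputed with the TTL
    return hashlib.blake2b(bytes(hdr) + pkt[ihl:], digest_size=16).digest()


def five_tuple_key(pkt: bytes) -> bytes:
    """What a '5-tuple hash' keys on: identical for every packet of a flow."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[12:20] + pkt[9:10] + pkt[ihl:ihl + 4]   # src, dst, proto, ports


class Deduplicator:
    """Forward a packet unless one with the same dedup_key was seen within window_s."""

    def __init__(self, window_s: float, capacity: int = 1 << 20):
        self.window_s = window_s
        self.capacity = capacity
        self._seen = OrderedDict()   # key -> first-seen time; insertion == time order

    def admit(self, pkt: bytes, now: float) -> bool:
        """True if the packet should go to the tools, False if it is a duplicate."""
        self._expire(now)
        key = dedup_key(pkt)
        if key in self._seen:
            return False
        self._seen[key] = now
        if len(self._seen) > self.capacity:      # bounded memory: evict oldest
            self._seen.popitem(last=False)
        return True

    def _expire(self, now: float) -> None:
        while self._seen:
            _, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.window_s:
                break
            self._seen.popitem(last=False)
```

The window is a trade-off worth testing against real traffic: too short and the second tap copy, which may arrive tens of microseconds later through a longer fibre path, is forwarded; too long and a legitimate TCP retransmission carrying byte-identical content is suppressed, which hides exactly the evidence a forensic tool wants.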

Payload trimming combined with deduplication reduces the data volume delivered to tools by 50–100x. A fully saturated 1.2 Tbps ingress is roughly 500 TB/hour of raw packets; trimmed and deduplicated, that becomes 5–10 TB/hour, which a mid-size analytics database can ingest.

Time Synchronization and Forensics

For threat investigation, security teams must correlate events across tools. An alert in the IDS ("malware attempt detected at 15:32:47.123 UTC") must be matched against logs in the firewall, SIEM, and DNS resolver. The NPB stamps every packet with a nanosecond-resolution timestamp from a clock disciplined by PTP (Precision Time Protocol, IEEE 1588) over the management network. Tools that record the NPB timestamp rather than their own arrival time then share one time base, so packet-level events can be correlated to well under a microsecond. Two caveats: the tools' own logs (firewall, DNS resolver) are aligned only as well as those hosts' own NTP or PTP sync, and a misconfigured or compromised PTP grandmaster skews every timestamp at once, so the PTP source belongs on a protected segment and its offset should be monitored for jumps.

Elastic Networks and Software-Defined Policies

Modern NPBs integrate with cloud orchestration platforms (Kubernetes, VMware NSX). When a security incident is detected, automated playbooks can reconfigure NPB rules without manual intervention: "if suspicious activity from IP X is detected, forward all traffic to/from X to the forensic SIEM for 1 hour." This is critical for rapid response. The same capability makes the NPB's management API a high-value target, since a drop rule covering an attacker's subnet silences every tool behind the broker: automation credentials should be scoped to the rule changes the playbook actually needs, and rule changes should be logged to a system the NPB itself cannot alter.

Some deployments use NPBs as gatekeepers for tool licensing. A tool licensed for 100 Gbps receives at most 100 Gbps; traffic beyond that is steered to a secondary, cheaper tool. As traffic patterns shift through the day, the NPB rebalances the split dynamically.

High Availability and Redundancy

Critical deployments use two NPBs in active-active mode, each receiving a copy of production traffic via an optical splitter. Both NPBs apply identical rules. If the tools accepted output from both units at once, every packet would arrive twice, so either the tools take input from one unit at a time with failover, or the standby unit's outputs are held down until the active unit fails; in either case the surviving NPB continues uninterrupted. Configuration is synchronized over the management network, and a rule change must be applied to both units, or the policy diverges on failover.


Bill of materials

7 top-level lines · 39 rows shown · 54 parts total · indented to 3 levels
| # | Item / sub-assembly | Part no. | Qty/assy | Ext. qty | Parts | Type |
|---|---|---|---|---|---|---|
| 1 | Packet Input Stage | network-packet-broker-ingress-subsystem | 1 | 17 | 5 | assembly |
| 1.1 | QSFP28 100 Gbps Port | network-packet-broker-qsfp28-port-x12 | 12 | 12 | | part |
| 1.2 | Multi-Lane SerDes ASIC | network-packet-broker-serdes-asic | 1 | 1 | | part |
| 1.3 | 64 GB Input Buffer DRAM | network-packet-broker-input-buffer | 1 | 1 | | part |
| 1.4 | 256 MB Descriptor Cache SRAM | network-packet-broker-descriptor-cache | 1 | 1 | | part |
| 1.5 | SMD Passive (R/C/L) | smd-passives | 2 | 2 | | part |
| 2 | Filtering and Flow Selection | network-packet-broker-filter-subsystem | 1 | 4 | 4 | assembly |
| 2.1 | Ternary CAM Filter ASIC | network-packet-broker-filter-asic | 1 | 1 | | part |
| 2.2 | 16 MB Rule Memory SRAM | network-packet-broker-rule-memory | 1 | 1 | | part |
| 2.3 | Metadata Coprocessor | network-packet-broker-metadata-generator | 1 | 1 | | part |
| 2.4 | SMD Passive (R/C/L) | smd-passives | 1 | 1 | | part |
| 3 | Switching Fabric | network-packet-broker-fabric-subsystem | 1 | 5 | 4 | assembly |
| 3.1 | 1.2 Tbps Crossbar ASIC | network-packet-broker-crossbar-asic | 1 | 1 | | part |
| 3.2 | 32 GB Fabric Buffer DRAM | network-packet-broker-fabric-buffer | 1 | 1 | | part |
| 3.3 | Scheduling Arbiter | network-packet-broker-arbitration-logic | 1 | 1 | | part |
| 3.4 | SMD Passive (R/C/L) | smd-passives | 2 | 2 | | part |
| 4 | Packet Output Stage | network-packet-broker-egress-subsystem | 1 | 4 | 4 | assembly |
| 4.1 | Egress SerDes ASIC | network-packet-broker-egress-serdes | 1 | 1 | | part |
| 4.2 | 32 GB Egress Buffer | network-packet-broker-output-buffer | 1 | 1 | | part |
| 4.3 | Deduplication Engine | network-packet-broker-dedup-engine | 1 | 1 | | part |
| 4.4 | Payload Trimmer IC | network-packet-broker-payload-trimmer | 1 | 1 | | part |
| 5 | Management and Control | network-packet-broker-control-subsystem | 1 | 6 | 5 | assembly |
| 5.1 | ARM Cortex-A72 Processor | network-packet-broker-mgmt-cpu | 1 | 1 | | part |
| 5.2 | 4 GB Management RAM | network-packet-broker-mgmt-ram | 1 | 1 | | part |
| 5.3 | 32 GB Management Flash | network-packet-broker-mgmt-flash | 1 | 1 | | part |
| 5.4 | Management Gigabit Ethernet | network-packet-broker-mgmt-ethernet | 1 | 1 | | part |
| 5.5 | SMD Passive (R/C/L) | smd-passives | 2 | 2 | | part |
| 6 | Power Conversion and Distribution | network-packet-broker-power-subsystem | 1 | 10 | 5 | assembly |
| 6.1 | Power Supply | power-supply | 2 | 2 | | part |
| 6.2 | 12V to 5V Buck 50A | network-packet-broker-dcdc-12v-5v | 1 | 1 | | part |
| 6.3 | 5V to 3.3V Converter | network-packet-broker-dcdc-5v-3v3 | 1 | 1 | | part |
| 6.4 | 5V to 1.8V Converter | network-packet-broker-dcdc-1v8 | 1 | 1 | | part |
| 6.5 | SMD Passive (R/C/L) | smd-passives | 5 | 5 | | part |
| 7 | Chassis and Thermal | network-packet-broker-chassis-subsystem | 1 | 8 | 5 | assembly |
| 7.1 | 2RU Rackmount Chassis | network-packet-broker-chassis-frame | 1 | 1 | | part |
| 7.2 | Copper-Aluminum Heatsink | network-packet-broker-heatsink-assy | 2 | 2 | | part |
| 7.3 | Redundant Fan Module | network-packet-broker-fan-module | 2 | 2 | | part |
| 7.4 | AC Power Inlet | network-packet-broker-power-inlet | 1 | 1 | | part |
| 7.5 | Fastener Set | fastener-set | 2 | 2 | | part |

Sourcing — likely vendors

Companies that make this class of product. Indicative unit price $30–50k; MOQ and lead times are typical figures.

| Vendor | Website | HQ | Specialty | MOQ | Lead time |
|---|---|---|---|---|---|
| Cisco | cisco.com | San Jose, US | Networking | 500 units | 8–14 wks |
| Juniper | juniper.net | Sunnyvale, US | Networking | 500 units | 8–14 wks |
| Arista | arista.com | Santa Clara, US | Networking | 500 units | 8–14 wks |
| Nokia | nokia.com | Espoo, FI | Telecom equipment | 500 units | 8–14 wks |
| Huawei | huawei.com | Shenzhen, CN | Networking & telecom | 500 units | 8–14 wks |
