March 18, 2021

Learn How Ethernet Bypass LAN Modules Play Tough Defense Against Cyberattacks


The era of fifth generation mobile networks (5G) has ushered in the adoption of technology such as Enhanced Mobile Broadband (eMBB), Ultra-Reliable and Low Latency Communication (URLLC), and Massive Machine Type Communications (mMTC) in network infrastructure. While everyone enjoys all the advantages that innovation brings, including high performance, high throughput, and high-quality communication, cybersecurity has become the foremost concern for 5G deployment. In light of this concern, NEXCOM introduces the NVIDIA® Mellanox® ConnectX®-5-based 100G Ethernet bypass LAN modules (Figure 1), NC 221FMS3 and NC 421FMS3, a practical solution for 5G network security requirements.

Ethernet bypass is one of the key features of Ethernet network applications, especially for cybersecurity. The main purpose of the bypass feature is to block Ethernet traffic from entering the system or forward Ethernet traffic to another system when a system crashes or encounters a cyberattack. For example, as shown in Figure 2, Ethernet traffic from the Ethernet switch (Equipment 1) normally transfers data via CPU to the HPC server (Equipment 2) for Ethernet packet processing. When the HPC server crashes or encounters a cyberattack, with the 100G bypass LAN module (Figure 3) the HPC server can block Ethernet traffic to protect data or forward the Ethernet traffic to the other HPC server (Equipment 3) to maintain network functionality. Hence Ethernet performance and bypass control mechanisms are the two most critical aspects an Ethernet bypass needs. Luckily, through decades of experience, this happens to be NEXCOM’s expertise.


Figure 1. NVIDIA® Mellanox® ConnectX®-5-based 100G bypass LAN module in NSA 7146


Figure 2. 100G Ethernet traffic flow without bypass mode


Figure 3. 100G Ethernet traffic flow with bypass mode


Our two innovative 100G bypass LAN modules, as shown in Figure 4, support the PCIe Gen3 interface and NVIDIA Mellanox MPO/LC transceiver for SR/LR fiber optics, and can be adopted easily in NEXCOM’s network appliances product lines. The creative optical switch included in the LAN modules supports different types of Ethernet traffic flow, such as direct, bypass, and block modes. With these 100G bypass LAN modules, IT staff can effortlessly optimize hardware solutions to achieve 5G performance requirements at affordable costs.

 

Figure 4. NEXCOM 100G Ethernet bypass block diagram


Having a flexible Ethernet bypass mechanism is the other key factor for cybersecurity applications, especially over the high throughput and bandwidth Ethernet. NEXCOM has established a solid bypass control mechanism that covers a wide range of scenarios and events, such as power on, power off, timer expired, and other specific events. Rapid optical switching, high availability and reliability, user friendliness, and easy adoption in NEXCOM’s network appliances all stand out as the main advantages of NEXCOM’s 100G bypass LAN modules. Two types of policy settings are available, one through API (Application Programming Interface) and the other through SYSFS (a pseudo file system which provides an interface for kernel data structures). IT staff can easily manage the desired bypass policy via these two interfaces instead of deep diving into the kernel level to configure the bypass’ hardware functions.
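The event-driven policy described above, as an added example that is not NEXCOM's code or API: a small model that maps the events the paper lists (power on, power off, timer expired) to the three optical-switch modes and replays one constructed timeline under a fail-open and a fail-closed policy. All class, field, and event names are hypothetical, and latching the expired state until the next power on is an assumption of this model.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    DIRECT = "direct"   # traffic is delivered to the host for processing
    BYPASS = "bypass"   # optical switch forwards traffic past the host
    BLOCK = "block"     # optical path is opened; nothing passes

@dataclass(frozen=True)
class Policy:           # hypothetical policy record, not a vendor structure
    on_power_on: Mode
    on_power_off: Mode
    on_timer_expired: Mode
    timeout_s: float

class BypassPort:
    def __init__(self, policy):
        self.policy, self.mode = policy, policy.on_power_off
        self.powered, self.expired, self.last_kick = False, False, 0.0

    def handle(self, t, event):
        p = self.policy
        if event == "power_on":
            self.powered, self.expired, self.last_kick = True, False, t
            self.mode = p.on_power_on
        elif event == "power_off":
            self.powered, self.mode = False, p.on_power_off
        elif event == "kick" and self.powered and not self.expired:
            self.last_kick = t            # heartbeat from the inspection app
        elif event == "tick" and self.powered and not self.expired:
            if t - self.last_kick > p.timeout_s:
                self.expired, self.mode = True, p.on_timer_expired
        return self.mode

def replay(policy, timeline):
    port = BypassPort(policy)
    return [(t, ev, port.handle(t, ev).value) for t, ev in timeline]

# Constructed timeline: the inspection app stops sending heartbeats after t=2.
TIMELINE = [(0, "power_on"), (1, "kick"), (2, "kick"), (3, "tick"),
            (4, "tick"), (5, "tick"), (6, "kick"), (9, "power_off")]

FAIL_OPEN = Policy(Mode.DIRECT, Mode.BYPASS, Mode.BYPASS, timeout_s=2)
FAIL_CLOSED = Policy(Mode.DIRECT, Mode.BLOCK, Mode.BLOCK, timeout_s=2)

if __name__ == "__main__":
    for name, pol in (("fail-open", FAIL_OPEN), ("fail-closed", FAIL_CLOSED)):
        print(name, replay(pol, TIMELINE))
```

Under the fail-open policy, traffic keeps flowing but is no longer processed by the host once the timer expires; under the fail-closed policy the link goes dark instead, so the choice per event is a trade-off between availability and inspection coverage.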

 

The 100G bypass LAN modules, NC 221FMS3 and NC 421FMS3, were tested by NEXCOM’s NSA 7146, based on Intel’s Purley platform, with NEXCOM’s DPDK for performance benchmarking. Figure 5 shows the performance testing topology. Table 1 and Table 2 show the performance results for NEXCOM’s two 100G bypass LAN modules. The figures show impressive 100G Ethernet performance that answers the needs of 5G IT infrastructure.

Figure 5. 100G bypass LAN module performance testing topology


TABLE I. PERFORMANCE RESULTS FOR NC 221FMS3, 100G BYPASS WITH SINGLE ETHERNET CONTROLLER

| Frame Size (Bytes) | Frame Rate (Mpps) | Line Rate [100G] (Mpps) | % Line Rate |
|---|---|---|---|
| 64 | 148.81 | 153.32 | 97.056 |
| 128 | 84.41 | 84.55 | 99.832 |
| 256 | 45.27 | 45.28 | 99.974 |
| 512 | 23.49 | 23.49 | 99.999 |
| 1024 | 11.97 | 11.97 | 100.00 |
| 1280 | 9.61 | 9.61 | 100.00 |
| 1518 | 8.12 | 8.12 | 100.00 |

TABLE II. PERFORMANCE RESULTS FOR NC 421FMS3, 100G BYPASS WITH DUAL ETHERNET CONTROLLER

| Frame Size (Bytes) | Frame Rate (Mpps) | Line Rate [100G] (Mpps) | % Line Rate |
|---|---|---|---|
| 64 | 148.81 | 153.36 | 97.031 |
| 128 | 84.41 | 84.55 | 99.825 |
| 256 | 45.27 | 45.28 | 99.974 |
| 512 | 23.49 | 23.49 | 99.999 |
| 1024 | 11.97 | 11.97 | 100.00 |
| 1280 | 9.61 | 9.61 | 100.00 |
| 1518 | 8.12 | 8.12 | 100.00 |

In summary, NC 221FMS3 and NC 421FMS3, NEXCOM’s NVIDIA® Mellanox® ConnectX®-5-based 100G Ethernet bypass LAN modules, complete the last mile for 5G cybersecurity and bring an efficient and affordable solution for safeguarding connectivity to the market. NEXCOM, as a leader in Ethernet technology, also has 200G and 400G Ethernet bypasses on its development roadmap in the years to come.
