Acterna DA-3600 Data Network Analyzer

Advanced IP network troubleshooting and analysis for packet-over-SONET/SDH networks

As a core network service provider, you know how challenging it is to simultaneously stay ahead of your competitors and increase corporate revenues. With the need to provide faster, better networks comes the requirement for a smarter test device that enables you to offer new services to your customers and charge premium rates for these services, resulting in increased profit margins, and better return on investment of your network infrastructure. But, often service providers have no control over how other service providers design their networks, which can directly affect the end-toend connectivity and performance. Acterna DA-3600 Data Network Analyzer is a monitoring and troubleshooting tool for testing next generation packet-over-SONET/SDH networks. Developed with power and expert technology for principal network engineers, traffic engineering and field support operations, the DA-3600 provides unprecedented visibility into network performance. It is the industrys easiest-to-use solution for deploying and maintaining high-speed networks and monitoring quality of service (QoS) all within a browserdesigned application. Highlights Provides fast, timely information on network performance Enables providers to make more informed decisions concerning the performance of their peering links, independent of current router tools Provides faster, more accurate information on network utilization in order to plan for new applications Proactively monitors and identifies potential intrusion detection and denial of service attacks to maintain superior service delivery Increases rate of network problem detection, reducing costs and maintaining customer satisfaction Provides advanced MPLS verification techniques within interoperability and conformance test lab environments

The DA-3600 control of your network The DA-3600 Data Network Analyzer is a member of Acternas suite of hardware-based data analysis solutions. The DA-3600 performs IP data analysis, troubleshooting, equipment interoperability testing, and traffic engineering of packet-over-SONET networks both in labs and operational environments. It provides unprecedented visibility in IP traffic flows, with a performance up to OC-48c/STM-16 line rate that outruns the competition. The DA-3600s proprietary flow classification hardware enables the realtime tracking of 160,000 flows provided in a portable form factor. This performance, coupled with the DA-3600s advanced application-specific features, provides visibility into IP/MPLS-based networks, private and transit peering links, and routing and signaling protocol interaction. The DA-3600 combines remote features with a realtime customizable flow classification engine to test and monitor at wire speeds within carrierscale IP networks.

gure 1 View and analyze physical and link layer alarms quickly

It also provides a revolutionary approach to in-service flow monitoring and troubleshooting, allowing engineers to significantly reduce the mean time to understand (MTTU) the root cause of problems and subsequently reduce the mean time to repair (MTTR). The DA-3600 provides a number of special features: Wire-speed troubleshooting performance Support of monitoring 160,000 flows, providing visibility of heavy traffic networks Sophisticated masked-based flow classification, allowing for quick problem detection and isolation Realtime protocol monitoring and decode of BGP, OSPF, IS-IS, and RSVP Extensive MPLS capabilities, including IP-to-MPLS mapping

Remote capability of accessing and controlling geographically dispersed test devices Full line rate transmit up to OC-48c Advanced feature set including CLI, TCPDUMP, NTP support, and data trending In addition, the DA-3600 supports the network timing protocol (NTP) for the purpose of synchronizing multiple test devices timestamp synchronization (see figure 2). Once the test devices have been configured as NTP clients, a precapture buffer filter can be set up to save data pertaining to the particular flow being measured. With data collected, the capture files can be saved on both test devices. Acternas Examine decode utility can then be used to merge the files, mark the frames and compare delta times, providing an accurate one-way latency measurement.

Private peer NTP server

AS

Transit peer

gure 2 The DA-3600 supports the network timing protocol (NTP) for the purpose of synchronizing multiple test devices (timestamp synchronization)

Gain IP visibility into peering links through proactive IP network traffic engineering One key challenge for backbone carriers today is monitoring traffic entering and exiting their peering links. For the transit carrier this could mean loss of significant revenue when transit traffic crosses a private peering route. For the end-ISP this means a degradation in performance seen first-hand by their customers experiencing a slow network. They will invariably be forced to incur upgrade and additional bandwidth charges. The DA-3600 provides visibility into all IP flows occurring on any packet-overSONET peering link. With this visibility, carriers can truly see what traffic is entering and exiting their peering links by monitoring IP traffic flows based on autonomous systems (AS).

The DA-3600 provides the following options when monitoring network peering activity: Monitor traffic flows based on the AS path attribute (AS number) Import BGP route data from router information base (RIB) (Cisco and Juniper formats supported) Set up predefined flow definitions and run flow statistics based on imported routes to characterize the traffic flow activity Autonomous system traffic mapping (per AS)

Verify routing and signaling protocol conformance and interoperability The DA-3600 with its protocol monitoring feature provides visibility into the interaction of control plane protocols. This capability allows network engineers to decode a multitude of control plane protocols simultaneously in realtime (figure 3). Control plane protocols supported include BGP-4, OSPF, IS-IS, RSVP, MPLSCP, LCP/NCP, and TDP. The DA-3600 also has an event log that provides realtime control plane protocol monitoring of each event, without requiring cumbersome line by line packet summary analysis by the network engineer. These realtime decode features allow the engineer to troubleshoot network equipment interoperability, validate RFC compliance, verify MPLS LSP setups and validate IP to MPLS label mapping.

ISO POP

Traffic

Peer

Peer BGP routing Traffic load balance Peer Standard route New route

gure 3 IP, BGP, MPLS conformance and interoperability testing

Identify intrusion detection Todays IDS tools for intrusion detection include running shareware and off-theshelf software programs like SNORT and Dragon. These current IDS tools work well at 100BaseT but drop packets at the higher speeds. With the DA-3600, you can connect to higher speed networks (GigE to OC-48 POS) and output frames to an IDS in standard TCPdump format. In addition, the DA-3600 hardware filters can be set to limit the input to the IDS. Simply put, the DA-3600 rescues current IDS solutions that have not kept pace with the ever increasing speed of network links.

Identify security denial-of-service attacks and threats Today denial-of-service (DoS) attacks are both more common and more sophisticated. While these attacks may take many forms, one typical attack is the TCP SYN flood. This attack attempts to prevent legitimate users from accessing a web server by having multiple hosts generate TCP SYN packets with no intention of completing the connection. The bandwidth consumed by large-scale attacks may impact portions of the network as well as the victim server.

The DA-3600 can track SYN-flooding attempts by monitoring the TCP flag bits in the TCP header (figure 4). Flows based on the SYN bit, source and destination IP address and application port number can be classified and monitored, enabling early detection of possible TCP SYN attacks as well as source identification.

Ingress

SYN

SYN-ACK

ACK Server

gure 4 The DA-3600 can track SYN-flooding attempts by monitoring the TCP flag bits in the TCP header

Troubleshoot complex packet-overSONET networking problems View and analyze physical and link layer alarms quickly Frequently, abnormalities seen at the upper layers are often the result of problems at the physical layer. With the DA-3600s remote access capability, realtime data capture and analysis and an easy-to-interpret graphical user interface, users can: Immediately validate the SONET/ SDH signal integrity Identify BIP-8 errors Instantly view important line and path parameters such as AIS, LOS and RDI Quickly identify label mismatch conditions Verify layer 1 and layer 2 connectivity and framing error identification Identify and measure QoS (packet jitter and latency)

Whether layer 2 is configured for PPP or Cisco HDLC, link layer statistics are readily available. These statistics provide a total view of packets received, packet rate and utilization of the circuit in test. In addition, CRC framing errors and HDLC shorts are tracked for both RX1 and RX2 directions on the circuit. Identify and measure quality of service (QoS) There are many variables that affect the quality of service for data delivery. Packet latency, for example, can be introduced by routers, the number of hops between routers, packet prioritization and network congestion. Excessive jitter is also a common quality-affecting problem in timesensitive applications that require a certain level of QoS.

The DA-3600 isolates and identifies packet latency by monitoring packet jitter using one or multiple test devices in the network (figure 5). This is especially useful in tracking the difference in arrival time of packets either entering or exiting the network in such CBR-oriented applications as voice/streaming audio. Interpacket gap (packet jitter) distribution, the MEAN packet jitter and variance values are also calculated (figure 6).

Audio/Video service

Customer Monitoring packet jitter

Provider

gure 5 The DA-3600 isolates and identifies packet latency by monitoring packet jitter using one or multiple test devices in the network

gure 6 Interpacket gap distribution (packet jitter) displayed on a per flow basis MEAN and variance values calculated

Features Customizable flow classification The DA-3600 enables the creation of custom flow definitions that determine the type of flows to monitor. This process is known as flow classification. Flow classification tailors the DA-3600s flow engine to collect and display statistics based on the flow definition parameters set (figure 7). These parameters include MPLS labels, IP source and destination addresses, TCP/UDP port numbers, IP next protocol, and TCP flag bits. Realtime flow statistics The DA-3600 monitors flows in two directions and can track up to 80,000 flows per receiver (RX1 & RX2). Statistics on all incoming flows are LEARNED, matching the parameters set in the FlowClassifier. Statistics include utilization, byte rate, packet rate, peak rates, jitter mean, and jitter variance. These statistics are displayed on a per receiver format and various top 10 graphs are available to display the data (figure 8).

Realtime routing and signaling protocol monitoring The DA-3600 monitors routing protocol activity for OSPF, IS-IS, and BGP-4. In addition, signaling protocols and their respective messages are tracked for RSVP, CR-LDP, and TDP. Counts of all protocol messages are displayed, enabling you to quickly see the current status of all the protocols traversing the network under test. Actual events, pertaining to specific routing or signaling protocols, are displayed and in-depth decode information can be viewed at any time by highlighting and clicking the event in question. Command-line interface (CLI) Integrated TCL scripting language support allows engineers complete control for the DA-3600 from a command line interface. From the command line, the DA-3600 operations such as flow definition, filter creation and packetcapture can be controlled allowing users to develop custom scripts to match their unique network analysis needs.

gure 7 Configuring the FlowClassifier by setting flow definition parameters

TCPdump A TCPdump utility is implemented on the DA-3600 hardware that enables traffic to be captured above 100 Mbps where current software networking tools utilizing the wellknown TCPdump functionality lack the performance to analyze every frame. The DA-3600s implementation of TCPdump proves to be a powerful tool in enhancing current security solutions and web hosting performance monitoring. BGP route data import (Cisco and Juniper formats supported) Through scripting the DA-3600 connects to a router to obtain the BGP route table. The route tables are then converted to predefined flows which enables stats collection to occur based on CIDR addressing. These userdefined flows are then loaded into each receiver and the FlowTracker application is then started. After a preset time, the data is dumped to a CSV file then merged with the AS number to create an AS traffic mapping table.

A provider OSS system then has the option of retrieving this AS file into its database which provides a map of all traffic entering or exiting peering links. This enables service providers to make more informed peering decisions and police current connections. Both Juniper and Cisco route table data formats are supported. Packet jitter measurements Excessive jitter is a common qualityaffecting problem in voice or video over IP applications today. The interarrival time of packets (packet jitter) can be tracked on a per flow basis at multiple points in the network and detailed distribution charts can be graphed. MEAN and variance values can also be calculated to characterize the delay of the network. Network timing protocol support Test device synchronization using NTP is supported on each DA-3600 test device. When the NTP client is enabled it allows multiple test devices located throughout the network to be synchronized in time. This allows network latency to be measured.

gure 8 Shows the flow statistics and top-10 organized by byte-rate

TCP flag flow classification SYN flooding or SYN attacks are a sophisticated form of denial of service. The DA-3600 classifies flows based on the SYN flag bits within the TCP header. These flows can be learned at the ingress point in the network to identify high occurrences of the SYN-bit being set correlating to a destination IP address. Based on this information, routes to the destination can be filtered on the router and the source IP address can be saved for future forensics. Transmit Line rate transmit functionality is available up to OC-48c/STM-16. Using the DA-3600s packet wizard you can create various packet types including (PPP, IP, TCP, MPLS multicast and unicast) for transmission where both header and individual payload types can be specified. The number of packets transmitted is limited by the 64 Mb transmit buffer.

Trending The DA-3600 provides trending functionality on all flows and their associated byte rate, packet rate and total packet count. Statistics are tracked and saved to a local database (HDD) based on user-defined data and user-defined time intervals. Trending data is made available in a comma delimited file format or can be displayed using the built-in flow trending graphs. Packet filter, trigger, capture and decode analysis In the event that off-line data analysis is required, packet filtering and trigger functions can be set that give complete control over data written to the 128Mx2 capture buffer. Capture file analysis is accomplished using the Examine decode engine, which currently supports over 450 protocol decodes, and enables users to step through each individual packet supporting all layers in the OSI model.

Remote connectivity Multiple DA-3600 test devices may be accessed remotely over the local area network, through firewalls (enabled by opening specified TCP ports), and over the WAN. The client/controlling software is supported on a variety of platforms (Windows 98SE, NT4, Solaris) and autodiscovers test devices connected to the network.

The benefits of the DA-3600 Within operational network traffic engineering, troubleshooting and security groups, the DA-3600 extensively reduces: Expenses due to unnecessary router upgrades and circuit charges. It does this by evaluating the DA-3600 data to make smart load-balancing decisions and identify and isolate oversubscribed or underutilized peering links to reevaluate peer arrangements based on factual performance data Revenue loss due to customer dissatisfaction from poor service delivery and network downtime by reducing the time it takes to identify and isolate intermittent networking problems Network downtime by proactively monitoring for intrusion detection and attempted denial of service SYN attacks at full line rate OC-48

Within the interoperability and conformance lab groups, the DA-3600 provides: Verification of routing protocol interaction (BGP, OSPF, IS-IS) with a focus on realtime monitoring of control messages for performing equipment interoperability testing Realtime MPLS/RSVP/CR-LDP LSP operation verification in trial networks prior to making purchasing recommendations IP to MPLS label mapping verification to ensure routing element adherence to specifications and configurations.

Technical specifications
Physical characteristics
Line interface slots Overall dimensions (w x l x h) Rack mounting height Weight 1 11 x 13 x 2.6 in 27 x 32 x 6.5 cm 2U 6.12 lb, 2.8 kg

Interface modules Data rate Oc-48c/STM-16 SM OC-12c/STM-4/OC-3c/STM-1 SM POS OC-12c/STM-4/OC-3c/STM-1 MM POS OC-48c Single-Mode Physical Interface
Optical power out Maximum 3 dBm Minimum 18 dBm 2.48832 GHz 15 ppm 1266-1360 nm 2.48832 GHz 50 ppm 8.2 dB minimum ITU G.957 mask pattern Maximum 3 dBm Minimum 18 dBm GR-253-CORE, Issue 2, December 1995, Section 5.6.2.2

Connector LC SC SC

RX/TX ports 2 2 2

Environment Temperature range Ambient temperature range Storage and transport Laser safety
Singlemode and multimode FDA 21, CFR 1040.10/11, IEC-825, EN60825 UL 3111-1, CAN/CSA, C.22.2 No. 1010.1, IEC-1010-1, EN61010-1 Use +5 to +40C 20 to +60C Transmit carrier frequency (internal timing) Transmit optical wavelength Receive frequency range Optical extinction ratio Optical eye pattern Optical receive sensitivity Receive jitter tolerance

Safety

OC-3c/12c Single-Mode Physical Interface

Optical power out Maximum 8 dBm Minimum 28 dBm OC-3c 155.52 MHz 15 ppm OC-12c 622.08 MHz 15 ppm 1274-1356 nm OC-3c 155.52 MHz 50 ppm OC-12c 622.08 MHz 50 ppm 8.2 dB minimum ITU G.957 mask pattern Maximum 8 dBm Minimum 28 dBm GR-253-CORE, Issue 2, December 1995, section 5.6.2.2

Electrical
Power supply Power consumption 100-240 VAC, 50/60 Hz 130 W Transmit carrier frequency (internal timing) Transmit optical wavelength Receive frequency range 1 RJ-45 10/100 Ethernet Power, link, error Test device setup Setup keypad, Ethernet crossover switch DB-9 (GPS) GPS (CLK), GPS (PPS), GPS (CLK-O, PPS-O), Trigger (T-in, T-out) Interface module Dual cardbus On/off power rocker switch Optical extinction ratio Optical eye pattern Optical receive sensitivity Receive jitter tolerance

Panels
Line interface slots Front panel connectors Front panel indicators Front panel LCD Front panel controls Rear panel connectors

OC-3c/12c Multi-Mode Physical Interface

Optical power out Transmit carrier frequency (internal timing) Transmit optical wavelength Receive frequency range Maximum 14 dBm Minimum 26 dBm OC-3c 155.52 MHz 15 ppm OC-12c 622.08 MHz 15 ppm 1270-13806 nm OC-3c 155.52 MHz 50 ppm OC-12c 622.08 MHz 50 ppm 10 dB minimum ITU G.957 mask pattern Maximum 14 dBm Minimum 26 dBm GR-253-CORE, Issue 2, December 1995, section 5.6.2.2

Rear panel slots Side panel

Mainframe hardware
Hard drive Capture buffer Transmit buffer 4.3 Gig 128 M per receiver 64 M

Optical extinction ratio Optical eye pattern Optical receive sensitivity Receive jitter tolerance

System requirements
Windows 98SE, Windows 2000, Windows NT (SP4, SP5), Solaris, Internet Explorer 5.0 333 MHz processor (min) 128 Mb RAM (min) (256 Mb recommended) 200 Mb HDD (min)

10

Ordering information
Mainframe
The DA-3600-C2 The DA-3600-C3 CycloneCore 2.4G mainframe (32k flow version) CycloneCore 2.4G mainframe (160 k flow version)

Accessories
RM-18006 AD-15473 19/23-in rack-mount kit Power adapter cord (US)

Software enhancement agreement

The DA-3600-SWS-1 Provides one year of maintenance and enhancement upgrades

Interface modules
CPHY-2.4G-SM CPHY-622/155-SM CPHY-622/155-MM OC-48c/STM-16 SM POS OC-12c/STM-4/OC-3c/ STM-1 SM POS OC-12c/STM-4/OC-3c/ STM-1MM POS

Software licenses
The DA-3600-UL Additional client SW licenses available on a per-seat basis

Warranty
The DA-3600 and all interface modules are warranted for a period of three years from the initial date of purchase. Upon receiving the defective component, Acterna will ship a permanent replacement. Note: Specifications, terms, and conditions are subject to change without notice.

Cables
CB-014937 CB-015895 CB-12264 CB-012679 CB-012680 CB-016506 CB-016507 CB-016508 RJ to RJ-45 (5 in) FO LC to SC (SM 3 m) FO LC to SC adapter (SM 6 in) FO SC to SC (SM 3 m) FO SC to SC (MM 3 m) Custom analyzer-to-splitter cable, SC, multimode Custom analyzer-to-splitter cable, SC, singlemode Custom analyzer-to-splitter cable, SC/LC, singlemode

Acterna Advantage Adding value with global services and solutions From basic instrument support for your field technicians to management of complex, company-wide initiatives, Acternas service professionals are committed to partnering with you to help maximize your return on investment. Whatever your needs education services, consulting and OSS business planning, system management, or product support we offer programs that will give you every available advantage. This is the foundation of Acterna Advantage. Acterna is the worlds largest provider of test and management solutions for optical transport, access and cable networks, and the second largest communications test company overall. Focused entirely on providing equipment, software, systems and services, Acterna helps customers develop, install, manufacture and maintain optical transport, access, cable, data/IP and wireless networks.

SM

Optional optical splitters and cables.

CB-016502 CB-016504 Fiber optic splitter, SC, singlemode, 80/20 Fiber optic splitter, SC, multimode, 80/20

11

Worldwide Headquarters 20400 Observation Drive Germantown, Maryland 20876-4023 USA Acterna is present in more than 80 countries. To find your local sales office go to: www.acterna.com

Regional Sales Headquarters North America 20400 Observation Drive Germantown, Maryland 20876-4023 USA Toll Free: +1 866 ACTERNA Toll Free: +1 866 228 3762 Tel: +1 301 353 1560 x 2850 Fax: +1 301 353 9216 Latin America Av. Eng. Luis Carlos Berrini 936/8 e 9 andares 04571-000 So Paulo SP-Brazil Tel: +55 11 5503 3800 Fax:+55 11 5505 1598 Asia Pacific 42 Clarendon Street PO Box 141 South Melbourne Victoria 3205 Australia Tel: +61 3 9690 6700 Fax:+61 3 9690 6750 Western Europe Arbachtalstrasse 6 72800 Eningen u.A. Germany Tel: +49 7121 86 2222 Fax:+49 7121 86 1222 Eastern Europe, Middle East & Africa Elisabethstrasse 36 2500 Baden Austria Tel: +43 2252 85 521 0 Fax:+43 2252 80 727 1st Neopalimovskiy Per. 15/7 (4th floor) RF 119121 Moscow Russia Tel: +7 095 248 2508 Fax:+7 095 248 4189
DA-3600/IP/DS/DAT/05-02/AE/ACT00121

Copyright 2002 Acterna, LLC. All rights reserved. Acterna, The Keepers of Communications, and its logo are trademarks of Acterna, LLC. All other trademarks and registered trademarks are the property of their respective owners. Major Acterna operations sites are IS0 9001 registered.

Note: Specifications, terms and conditions are subject to change without notice.