Page 1
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 182
SIGNALING DELIVERY CONTROLLER
Product Description
1
wwwtraffixsystemscom
F5 Traffix Signaling Delivery Controller
Product Description
CONTACT: INFO@TRAFFIXSYSTEMS.COM
Document Information
Software Version: 4.0
Document Version: 1
Publication Date: February 2013
1 LEGAL NOTICE
2 ABOUT THIS DOCUMENT
2.1 DOCUMENT OBJECTIVES
2.2 CONVENTIONS
2.3 GLOSSARY OF TERMS AND ABBREVIATIONS
3 INTRODUCTION TO SDC
4 MAIN FEATURES INTRODUCED IN RELEASE 4.0
4.1 ELEMENT MANAGEMENT SYSTEM
4.2 SS7-DIAMETER SUPPORT
4.3 INSTALLATION UTILITY
5 DEPLOYMENT ARCHITECTURES
5.1 CORE NETWORK DEPLOYMENT
5.2 EDGE DEPLOYMENT
5.3 DUAL MODE DEPLOYMENT
5.4 MULTI-SITE DEPLOYMENT
6 DIAMETER AND LEGACY PROTOCOLS SUPPORT
6.1 DIAMETER AND 3GPP REFERENCE POINTS SUPPORT
6.2 LEGACY PROTOCOLS SUPPORT
6.3 NETWORK AND TRANSPORT SUPPORT
7 SDC PLATFORM ARCHITECTURE
7.1 CONFIGURATION MANAGER
7.2 WEB UI AND SOAP
7.3 CONTROL PLANE FUNCTION (CPF)
7.4 FRONT-END PROXY (FEP)
8 THE SDC PIPELINE
8.1 SECURITY ENFORCEMENT
8.2 INCOMING MESSAGE TRANSFORMATION
8.3 ROUTING
8.4 LOAD BALANCING
8.5 OUTGOING MESSAGE TRANSFORMATION
9 OVERLOAD AND CONGESTION CONTROL
9.1 THROTTLING AND RATE LIMITING
9.2 PRIORITIZATION
9.3 OVERLOAD CONTROL MECHANISM
9.4 HEALTH MONITORING
9.5 IN SESSION MONITORING
9.6 EXTERNAL MONITORING
9.7 CONNECTIVITY MONITORING
10 OAM SUPPORT
10.1 ALARMS
10.2 TRACING AND LOGGING
10.3 MONITORING
10.4 PERFORMANCE MANAGEMENT
10.5 SECURITY MANAGEMENT
10.6 LICENSING MANAGEMENT
10.7 LIFECYCLE MANAGEMENT
10.8 SOAP API
10.9 SNMP AGENT
10.10 CLUSTER MANAGEMENT
10.11 AUDITING
10.12 BACKUP & RESTORE
11 HIGH AVAILABILITY AND SCALABILITY
11.1 SCALABILITY
11.2 LOCAL REDUNDANCY AND SCALABILITY
11.3 GEOGRAPHICAL REDUNDANCY
11.4 DIAMETER TOPOLOGY HIDING
11.5 DIAMETER CONNECTION SECURITY
11.6 DIAMETER MESSAGE SECURITY
11.7 OS/SYSTEM SECURITY
11.8 NETWORK LEVEL SECURITY
12 NETWORKING
12.1 NETWORK REDUNDANCY
12.2 PHYSICAL INTERFACES
12.3 ADDRESSING SCHEME
13 HW ARCHITECTURE AND PERFORMANCE
13.1 SUPPORTED HW
14 APPENDIX A – OAM SNAPSHOTS
15 APPENDIX B – ACCESS LEVEL SECURITY
16 APPENDIX C – LOW LEVEL SDC PIPELINE
ABOUT TRAFFIX
1 Legal Notice
© 2005-2013 F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
F5 Networks, F5 Traffix Systems, Traffix Systems (design), F5 (design), OpenBloX, OpenBloX (design), Rosetta Diameter Gateway, Traffix Diameter Load Balancer, Signaling Delivery Controller, and SDC are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners.
2 About this Document
2.1 Document Objectives
This document provides an overview and a high-level functionality description of F5's Traffix Signaling Delivery Controller (SDC).
The target audience of this document includes Network and Solution Architects and Program and Product Managers.
2.2 Conventions
The style conventions used in this document are detailed in Table 1.
Table 1: Conventions
Convention | Use
Times New Roman | Regular text
Times New Roman Bold | Names of menus, commands, buttons, and other elements of the user interface
Times New Roman Italic | Quotes and special terms, the first time they appear
Courier New | Language scripts
 | Notes, which offer an additional explanation or a hint on how to overcome a common problem
 | Warnings, which indicate potentially damaging User operations and explain how to avoid them
 | An example
For simplicity, throughout this document the Traffix Signaling Delivery Controller will be referred to as the SDC.
2.3 Glossary of Terms and Abbreviations
Table 2: Glossary of Terms and Abbreviations
Term | Definition
AAA | Authentication, Authorization, and Accounting
AF | Application Function
Cluster | Group of nodes used to provide services as a single unit
Cluster Node | A node in the Cluster
CPF | Control Plane Function
Data Dictionary | Defines the format of a protocol's message and its validation parameters: structure, number of fields, data format, etc.
DRA | Diameter Routing Agent
EMS | Element Management System
FEP | Front End Proxy
HTTP | Hypertext Transfer Protocol
HSS | Home Subscriber Server
IMS | IP Multimedia Subsystem
JMS | Java Message Service
LDAP | Lightweight Directory Access Protocol
Link | The connection joint between the Cluster and Remote Nodes
LTE | Long Term Evolution
MME | Mobile Management Entity
NGN | Next Generation Networking
Node | Physical or virtual addressable entity
PCEF | Policy and Charging Enforcement Function
PCRF | Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers
Peer | Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services
Pool | A group of server remote nodes
RADIUS | Remote Authentication Dial In User Service
Remote Node | A client or server node in the network that provides or consumes AAA services
Scenario | Logical policies of translation flow
SDC | Signaling Delivery Controller
SNMP | Simple Network Management Protocol
SS7 | Signaling System No. 7
TCP | Transmission Control Protocol
TLS | Transport Layer Security
UDP | User Datagram Protocol
URI | Universal Resource Identification
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer, and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management, and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost effectively, while increasing resiliency and reliability to support subscribers' ever-increasing service and broadband demands.
Figure 1: Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms, and congestion control, provides unprecedented scalability and high availability of Diameter and other nodes.
When deploying SDC between LTE, IMS, and legacy network elements, service providers gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration, and maintenance: Easy installation procedures with a user-friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection, and throttling mechanisms: Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms: Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting, and customization: SDC provides full user control over the definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or interact with external systems while executing a routing decision. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter: To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance: The management console allows real-time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off-the-shelf hardware: SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale-out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management: In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation, and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable, and easy-to-deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect, and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA), and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support, and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility and help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs, and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files, and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2: End-to-end Diameter Architecture (diagram labels: SDC; IPX-A, IPX-B; PLMN-A, PLMN-B, PLMN-C; MVNO-B-A, MVNO-B-B; HSS, MME, SGSN, AF, PCRF, GGSN, OCS; DRA, DEA, Gy/Ro Proxy, S6a/d and Sh Proxy)
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF. SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment
between the partners. In Figure 2, edge network deployment is shown. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider. SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides interworking function with non-Diameter nodes. In this mode SDC incorporates an IWF function as defined by 3GPP and supports DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in an IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter-based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up of the Diameter-based servers by using Diameter-based, message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based, message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent.
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3: SDC deployment as proxy in local mode
Figure 4: SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers, or IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment, SDC works as a Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7, and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent, used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to, and receive information from, the EMS manager and Splunk components in the management site to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario, the SDC acts as an IWF, directly connecting between a Diameter-based MME or SGSN using S6a/S6d and a MAP-based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter-based MME or SGSN using S6a/S6d, a Diameter-based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP-based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
In this interworking scenario, the SDC acts as an IWF, directly connecting between a Diameter-based MME or SGSN using S13/S13' and a MAP-based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP, and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
Figure 8: SDC Platform Architecture (diagram labels: HA Cluster, Config Mgr, Shared Memory, CPF, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries, and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing, and message manipulation services.
CPF provides replication, alarms, and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management, pipeline, and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point that hides the internal network architecture from external clients and performs Peer management.
• FEP-O: A single network aggregation point that hides the internal network architecture from external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements, arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol, and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
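The two enforcement levels described above, as an added example that is not F5's or SDC's own code: an IP-level ACL with wildcards, followed by an application-level check on the Origin-Host and Origin-Realm AVPs of the first Diameter request (the capabilities exchange). The rule syntax, policy values and sample messages are constructed assumptions; the header and AVP layout follow the Diameter base protocol (RFC 3588, updated by RFC 6733).

```python
import struct

CER_COMMAND = 257        # Capabilities-Exchange-Request
AVP_ORIGIN_HOST = 264
AVP_ORIGIN_REALM = 296

# Constructed policy; this rule syntax is an assumption, not SDC's format.
IP_ACL = [("allow", "10.20.*.*"), ("allow", "192.0.2.10"), ("deny", "*.*.*.*")]
APP_RULES = [  # (allowed Origin-Realm, required Origin-Host suffix)
    ("partner-a.example", ".partner-a.example"),
    ("ipx.example", ".dea.ipx.example"),
]


def ip_allowed(ip, acl=IP_ACL):
    """First matching rule wins; '*' matches one whole octet. Default deny."""
    octets = ip.split(".")
    for action, pattern in acl:
        parts = pattern.split(".")
        if len(parts) == len(octets) == 4 and all(
                p in ("*", o) for p, o in zip(parts, octets)):
            return action == "allow"
    return False


def parse_diameter(msg):
    """Parse the header and top-level AVPs, rejecting inconsistent lengths."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) or length % 4:
        raise ValueError("message length field does not match payload")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, pos)
        avp_len = int.from_bytes(msg[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8      # V bit adds a Vendor-Id field
        if avp_len < header or pos + avp_len > length:
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, msg[pos + header:pos + avp_len])
        pos += avp_len + (-avp_len) % 4         # AVPs are padded to 32 bits
    return {"request": bool(msg[4] & 0x80),
            "command": int.from_bytes(msg[5:8], "big"), "avps": avps}


def enforce(peer_ip, first_message):
    """Return (decision, reason) for a new peer connection."""
    if not ip_allowed(peer_ip):
        return ("reject", "ip-acl")
    try:
        msg = parse_diameter(first_message)
    except ValueError:
        return ("reject", "malformed")
    if not msg["request"] or msg["command"] != CER_COMMAND:
        return ("reject", "first-message-not-cer")
    try:
        host = msg["avps"][AVP_ORIGIN_HOST].decode("ascii").lower()
        realm = msg["avps"][AVP_ORIGIN_REALM].decode("ascii").lower()
    except (KeyError, UnicodeDecodeError):
        return ("reject", "missing-identity")
    for allowed_realm, host_suffix in APP_RULES:
        if realm == allowed_realm and host.endswith(host_suffix):
            return ("accept", realm)
    return ("reject", "unknown-peer")


def build_avp(code, data, flags=0x40):
    """Encode one AVP (M bit set) for the constructed samples below."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * ((-length) % 4))


def build_message(command, origin_host, origin_realm, request=True):
    """Build a constructed sample message; this is not captured traffic."""
    body = (build_avp(AVP_ORIGIN_HOST, origin_host.encode())
            + build_avp(AVP_ORIGIN_REALM, origin_realm.encode()))
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big")
              + bytes([0x80 if request else 0]) + command.to_bytes(3, "big")
              + struct.pack("!III", 0, 1, 1))  # app-id, hop-by-hop, end-to-end
    return header + body


if __name__ == "__main__":
    cer = build_message(CER_COMMAND, "mme1.partner-a.example", "partner-a.example")
    for ip, message in [("10.20.1.5", cer), ("198.51.100.7", cer),
                        ("10.20.1.5", cer[:-4])]:
        print(ip, enforce(ip, message))
```

Both lists are default-deny: a peer is admitted only when an allow rule matches at the IP level and its declared identity matches an application-level rule.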
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol, and vice versa. SDC provides full support for adding, modifying, and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria using combinations of Diameter AVPs, request
source and other properties to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in Section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and
Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Server, HTTP Server, Diameter Client 1, HTTP Client 1, Session Binding, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the
Session-ID. To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source - as shown in Figure 21 -
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
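The IMSI-range rule of the routing example and the Gx/Rx binding on Framed-IP-Address described earlier, combined in one added Python sketch (not SDC code or its Groovy rule syntax). The IMSI ranges, the dictionary form of a decoded request and all function and class names are assumptions; load balancing inside the selected pool is left out.

```python
END_USER_IMSI = 1  # Subscription-Id-Type value for an IMSI (RFC 4006)

# Constructed ranges on the test PLMN 001/01; the page does not list the real ones.
IMSI_RANGES = [
    ("001010000000000", "001010000499999", "pcrf-cluster-a"),
    ("001010000500000", "001010000999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def imsi_of(request):
    """Return the IMSI from the grouped Subscription-Id AVP, or None."""
    for sub in request.get("Subscription-Id", []):
        if sub.get("Subscription-Id-Type") != END_USER_IMSI:
            continue
        data = sub.get("Subscription-Id-Data", "")
        # Accept only a well-formed 15-digit value; anything else is "missing".
        if len(data) == 15 and data.isascii() and data.isdigit():
            return data
    return None


def pool_for_imsi(imsi):
    """Missing or out-of-range IMSI falls through to the default pool."""
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:  # equal-length digit strings order numerically
                return pool
    return DEFAULT_POOL


class Router:
    def __init__(self):
        self.sessions = {}  # Session-Id -> destination, fixed at establishment
        self.bindings = {}  # binding key -> (master Session-Id, destination)

    def route_gx(self, request):
        """Master session: apply the routing rule once, then persist it."""
        sid = request["Session-Id"]
        if sid not in self.sessions:
            pool = pool_for_imsi(imsi_of(request))
            self.sessions[sid] = pool
            key = request.get("Framed-IP-Address")
            if key is not None:
                self.bindings[key] = (sid, pool)
        return self.sessions[sid]

    def route_rx(self, request):
        """Slave session: inherit the destination of the bound master session."""
        sid = request["Session-Id"]
        if sid not in self.sessions:
            bound = self.bindings.get(request.get("Framed-IP-Address"))
            if bound is None:
                return None  # no master session; the caller applies its own rule
            self.sessions[sid] = bound[1]
        return self.sessions[sid]

    def end_gx(self, sid):
        """Drop the master session and its binding keys so that a reassigned
        IP address cannot steer another subscriber's Rx session."""
        self.sessions.pop(sid, None)
        for key in [k for k, (master, _) in self.bindings.items() if master == sid]:
            del self.bindings[key]


if __name__ == "__main__":
    router = Router()
    gx = {"Session-Id": "gx;1", "Framed-IP-Address": "10.0.0.7",
          "Subscription-Id": [{"Subscription-Id-Type": END_USER_IMSI,
                               "Subscription-Id-Data": "001010000600000"}]}
    print(router.route_gx(gx))
    print(router.route_rx({"Session-Id": "rx;9", "Framed-IP-Address": "10.0.0.7"}))
```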
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram: Clients/Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
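Three of the policies above (By Precedence, Contextual and Weighted Round Robin with the 3:2:1:1 weights) as an added Python sketch, not SDC code. Peer names, the SHA-256 slot mapping for the Context ID and the interleaved reading of "has not yet reached its quota" are assumptions.

```python
import hashlib


class Pool:
    """Peers in precedence order, each with a weight (assumed integer >= 1)."""

    def __init__(self, weights):
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every peer needs a weight of at least 1")
        self.weights = dict(weights)
        self.in_service = dict.fromkeys(weights, True)  # set by health monitoring
        self._sent = dict.fromkeys(weights, 0)          # requests in this WRR cycle
        self._cursor = 0

    def available(self):
        peers = [p for p in self.weights if self.in_service[p]]
        if not peers:
            raise LookupError("no peer in service")
        return peers

    def by_precedence(self):
        """First peer in the pool that is not out-of-service."""
        return self.available()[0]

    def contextual(self, context_id):
        """Hash the Context ID onto weight-proportional slots, so the same
        key always reaches the same peer while the peer set is unchanged."""
        slots = [p for p in self.available() for _ in range(self.weights[p])]
        digest = hashlib.sha256(context_id.encode("utf-8")).digest()
        return slots[int.from_bytes(digest[:8], "big") % len(slots)]

    def weighted_round_robin(self):
        """Walk the peers in round-robin order, skipping any peer that is
        out-of-service or has already used its quota in this cycle."""
        peers = self.available()
        if all(self._sent[p] >= self.weights[p] for p in peers):
            for p in peers:          # every quota is used up: start a new cycle
                self._sent[p] = 0
            self._cursor = 0
        order = list(self.weights)
        for step in range(len(order)):
            peer = order[(self._cursor + step) % len(order)]
            if self.in_service[peer] and self._sent[peer] < self.weights[peer]:
                self._sent[peer] += 1
                self._cursor = (self._cursor + step + 1) % len(order)
                return peer
        raise LookupError("no peer in service")  # not reached after the reset


if __name__ == "__main__":
    pool = Pool({"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1})
    print([pool.weighted_round_robin() for _ in range(7)])
    print(pool.contextual("client.example;1;42"))  # constructed Session-ID
    pool.in_service["pcrf-1"] = False              # declared out-of-service
    print(pool.by_precedence())
```

Removing a peer from the available set changes the Contextual slot list, so keys can remap; the per-session persistence of routing decisions described in section 8.3 is what keeps established sessions on their peer.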
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
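The token bucket check and the Channel Rate Limiter's read pause described above, as an added Python example (not F5 Traffix code). Class names, parameters, rates and the sample trace are assumptions constructed for illustration.

```python
class TokenBucket:
    """Holds at most `burst` tokens and refills at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # start full, so an initial burst conforms
        self.stamp = 0.0            # time of the last refill, in seconds

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens fit.
        The bucket content is not reduced here."""
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return cost <= self.tokens

    def take(self, cost):
        """Cash in `cost` tokens for a conforming message."""
        self.tokens -= cost


class ChannelLimiter:
    """Message rate limiter (1 token per message) plus byte rate limiter
    (1 token per byte) for one Peer, with a read pause on violation."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause):
        self.messages = TokenBucket(msg_rate, msg_burst)
        self.bytes = TokenBucket(byte_rate, byte_burst)
        self.pause = pause          # seconds to stop reading from the Peer
        self.paused_until = 0.0

    def on_message(self, length, now):
        if now < self.paused_until:
            return "paused"         # nothing is read from this Peer's socket
        msg_ok = self.messages.has(1, now)
        byte_ok = self.bytes.has(length, now)
        if msg_ok and byte_ok:
            # Charge both buckets only when both conform, so a rejected
            # message leaves the bucket contents unchanged.
            self.messages.take(1)
            self.bytes.take(length)
            return "read"
        self.paused_until = now + self.pause
        return "limit-exceeded"


# Constructed trace for one Peer: (arrival time in seconds, length in bytes).
SAMPLE_TRACE = [(0.0, 500), (0.1, 500), (0.2, 500), (0.3, 500),
                (0.5, 500), (1.5, 500), (1.6, 3000)]


def replay(trace, limiter):
    """Feed a trace through a limiter and collect the verdict per message."""
    return [limiter.on_message(length, now) for now, length in trace]


if __name__ == "__main__":
    limiter = ChannelLimiter(msg_rate=2, msg_burst=3,
                             byte_rate=1000, byte_burst=2000, pause=1.0)
    for (now, length), verdict in zip(SAMPLE_TRACE, replay(SAMPLE_TRACE, limiter)):
        print(f"t={now:>4}s len={length:>4} -> {verdict}")
```

The last message in the trace is larger than the byte bucket's burst size, so it can never conform; a deployment has to size the burst above the largest legitimate message. A global limiter is the same structure with one shared instance for all Peers.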
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header - R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter header layout:
Bit offset | Bits 0-7 | Bits 8-31
0          | version  | message length
32         | R P E T  | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
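Header-based prioritization as described above, in an added Python sketch that is not SDC code: it decodes the 20-byte Diameter header from the layout table and matches it against a priority table of the same shape. The table rows, the function names and the sample headers are constructed assumptions; the command codes and application IDs are the standard values for Credit-Control, AA, Gx and Rx.

```python
import struct

HEADER_LEN = 20
FLAG_R = 0x80   # set on requests, clear on answers
FLAG_T = 0x10   # set on potentially retransmitted messages
ANY = None      # "does not matter" in the priority table

CC, AA = 272, 265                # Credit-Control and AA command codes
GX, RX = 16777238, 16777236      # 3GPP Gx and Rx application IDs

# Constructed table: (is_answer, is_retransmit, command_code, application_id, priority)
PRIORITY_TABLE = [
    (True, ANY, ANY, ANY, "High"),   # answers over requests
    (ANY, True, ANY, ANY, "High"),   # retransmitted requests
    (ANY, ANY, CC, GX, "High"),      # Gx credit control over Rx
]


def parse_header(data):
    """Decode the fixed Diameter header; raise ValueError when malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    version = data[0]
    length = int.from_bytes(data[1:4], "big")
    flags = data[4]
    code = int.from_bytes(data[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    return {
        "length": length,
        "is_answer": not (flags & FLAG_R),
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": code,
        "application_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(header, table=PRIORITY_TABLE):
    """First matching row wins; with no match, normal priority is used."""
    fields = (header["is_answer"], header["is_retransmit"],
              header["command_code"], header["application_id"])
    for *conditions, priority in table:
        if all(c is ANY or c == f for c, f in zip(conditions, fields)):
            return priority
    return "Normal"


def build_header(flags, code, app_id, length=HEADER_LEN):
    """Construct a header-only sample message for the demonstration."""
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", app_id, 0x1234, 0x5678))


if __name__ == "__main__":
    samples = {
        "Gx CCR": build_header(FLAG_R, CC, GX),
        "Rx AAR": build_header(FLAG_R, AA, RX),
        "Rx AAA": build_header(0x00, AA, RX),
        "Rx AAR (retransmit)": build_header(FLAG_R | FLAG_T, AA, RX),
    }
    for name, raw in samples.items():
        print(name, "->", classify(parse_header(raw)))
```

Classification here needs only the first 20 bytes of a message; the AVP-based prioritization mentioned above requires decoding the body, which is where the stated latency impact comes from.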
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher
priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
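The In Session Monitoring threshold described above, as an added Python sketch that is not SDC code: error events are counted over a sliding window and the peer is held out of service for a fixed interval once the count exceeds the threshold. The window model, parameter names and sample events are assumptions.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004  # busy Result-Code (RFC 6733)


class PeerHealth:
    def __init__(self, window, max_errors, hold_down, slow_ms):
        self.window = window          # seconds over which error events are counted
        self.max_errors = max_errors  # more events than this trips the peer
        self.hold_down = hold_down    # length of the "out of service" period
        self.slow_ms = slow_ms        # response time treated as an error event
        self.errors = deque()         # (time, reason) of recent error events
        self.out_until = 0.0

    @staticmethod
    def _reason(result_code, response_ms, slow_ms):
        if result_code is None:
            return "timeout"
        if result_code == DIAMETER_TOO_BUSY:
            return "busy"
        if result_code >= 3000:       # 3xxx, 4xxx and 5xxx are error classes
            return "error-code"
        if response_ms is not None and response_ms > slow_ms:
            return "slow"
        return None

    def record(self, now, result_code=None, response_ms=None):
        """Record one transaction outcome (result_code None means no answer
        arrived). Returns True when this event takes the peer out of service."""
        reason = self._reason(result_code, response_ms, self.slow_ms)
        if reason is not None:
            self.errors.append((now, reason))
        while self.errors and self.errors[0][0] <= now - self.window:
            self.errors.popleft()     # forget events older than the window
        if len(self.errors) > self.max_errors and now >= self.out_until:
            self.out_until = now + self.hold_down
            self.errors.clear()       # start clean when the peer returns
            return True
        return False

    def accepts_new_sessions(self, now):
        return now >= self.out_until


# Constructed outcomes for one peer: (time s, Result-Code or None, response ms).
SAMPLE_EVENTS = [(0, 2001, 40), (1, None, None), (2, DIAMETER_TOO_BUSY, 30),
                 (3, 2001, 900), (4, 5012, 35)]


def replay(events, health):
    return [health.record(t, code, ms) for t, code, ms in events]


if __name__ == "__main__":
    health = PeerHealth(window=10, max_errors=3, hold_down=30, slow_ms=500)
    print(replay(SAMPLE_EVENTS, health))
    print(health.accepts_new_sessions(5), health.accepts_new_sessions(40))
```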
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web Access, Web Service SOAP/XML, Blade/Server, OAM, SDC Node, SNMP/Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistics collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by the OAM, which acts according to the observed state and counter values. Hence the OAM can notify the operator about the need for a new license key or for an extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration to the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides both vertical and horizontal scalability. Both options are standard and provided out of the box.
• For vertical scalability, it implements a message-driven component optimized for low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution.
- The SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation.
- The Config Manager process is responsible for configuration distribution and storage.
- Distributed Storage is responsible for the management of static and dynamic routing tables.
- The Web Console process provides a Web interface for interactive system configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs OAM tasks.
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot-Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot-Standby deployment
In the Hot-Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter clients connect to a Virtual IP address of the cluster, which resides on the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using the Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active-Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address – VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components (“scalable deployment” is assumed):
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active-Active | N | One instance per node
Configuration Manager | Active-Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active-Active | N | One instance per node
Web UI/WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis of failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in AVP(s) such as Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
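An added example (not part of the original document and not SDC code) of the checks described under Diameter connection security and Diameter message security: a message-length limit, an ACCEPT/REJECT decision on the AVPs of a CER, and removal or rewriting of AVPs before forwarding. The policy keys, the 4096-byte limit, the choice of Route-Record as the AVP to remove, the truncated HMAC-SHA-256 pseudonym and the sample peers are assumptions made for illustration; command and AVP codes are those of RFC 6733 and RFC 8506.

```python
import hashlib
import hmac
import ipaddress
import struct

CER, CCR, MAX_LEN = 257, 272, 4096  # command codes; MAX_LEN is an assumed operator limit
SESSION_ID, ORIGIN_HOST, ORIGIN_REALM = 263, 264, 296   # AVP codes from RFC 6733
AUTH_APP_ID, PRODUCT_NAME, ROUTE_RECORD = 258, 269, 282

def encode_avp(code, data, flags=0x40):
    """One AVP without Vendor-Id: code, flags, 24-bit length, data, padding."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def encode_message(flags, cmd, app_id, hbh, e2e, body):
    """Prefix an encoded AVP body with the 20-byte Diameter header."""
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def parse_message(raw, max_len=MAX_LEN):
    """Validate lengths, then return (header, [(code, flags, data, raw_avp)])."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(raw[1:4], "big")
    if total > max_len:
        raise ValueError("message exceeds maximal length")
    if total != len(raw) or total % 4:
        raise ValueError("length field does not match received bytes")
    header = (raw[4], int.from_bytes(raw[5:8], "big"), *struct.unpack("!III", raw[8:20]))
    avps, pos = [], 20
    while pos < total:
        if total - pos < 8:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", raw[pos:pos + 5])
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & 0x80 else 8       # V flag adds a Vendor-Id field
        end = pos + alen + (-alen % 4)         # AVPs are padded to 4 bytes
        if alen < hdr or end > total:
            raise ValueError("AVP length out of bounds")
        avps.append((code, aflags, raw[pos + hdr:pos + alen], raw[pos:end]))
        pos = end
    return header, avps

def cer_decision(raw, src_ip, policy):
    """ACCEPT or REJECT a peer from its source address and its CER AVPs."""
    try:
        (flags, cmd, *_), avps = parse_message(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if cmd != CER or not flags & 0x80:
        return "REJECT", "first message is not a CER"
    vals = {}
    for code, _, data, _ in avps:
        vals.setdefault(code, []).append(data)
    def text(code):
        return vals.get(code, [b""])[0].decode("ascii", "replace").lower()
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy["subnets"]):
        return "REJECT", "source address not in an allowed subnet"
    if text(ORIGIN_REALM) not in policy["realms"]:
        return "REJECT", "Origin-Realm not allowed"
    hosts = vals.get(ORIGIN_HOST, [])          # custom rule: exactly one, inside its realm
    if len(hosts) != 1 or not text(ORIGIN_HOST).endswith("." + text(ORIGIN_REALM)):
        return "REJECT", "Origin-Host missing, repeated or outside its realm"
    apps = {int.from_bytes(d, "big") for d in vals.get(AUTH_APP_ID, [])}
    if not apps or not apps <= policy["app_ids"]:
        return "REJECT", "application-id not allowed"
    if text(PRODUCT_NAME) in policy["blocked_products"]:
        return "REJECT", "product not allowed"
    return "ACCEPT", "policy matched"

def screen(raw, key, drop=(ROUTE_RECORD,), alias=(SESSION_ID, ORIGIN_HOST)):
    """Drop AVPs in `drop`; replace values of AVPs in `alias` by a keyed HMAC pseudonym."""
    header, avps = parse_message(raw)
    body = b""
    for code, aflags, data, original in avps:
        if code in drop:
            continue
        if code in alias and not aflags & 0x80:
            pseudonym = hmac.new(key, data, hashlib.sha256).hexdigest()[:16]
            original = encode_avp(code, pseudonym.encode(), aflags)
        body += original
    return encode_message(*header, body)

# Constructed samples: a minimal CER and a credit-control request (application 4).
POLICY = {"subnets": ["192.0.2.0/24"], "realms": {"partner.example"},
          "app_ids": {4}, "blocked_products": {"unknown"}}
HOST, REALM = b"gw1.partner.example", b"partner.example"
SAMPLE_CER = encode_message(0x80, CER, 0, 1, 1, encode_avp(ORIGIN_HOST, HOST)
    + encode_avp(ORIGIN_REALM, REALM) + encode_avp(AUTH_APP_ID, (4).to_bytes(4, "big"))
    + encode_avp(PRODUCT_NAME, b"ExampleGW", flags=0))
SAMPLE_CCR = encode_message(0xC0, CCR, 4, 7, 9, encode_avp(SESSION_ID, HOST + b";1;42")
    + encode_avp(ORIGIN_HOST, HOST) + encode_avp(ORIGIN_REALM, REALM)
    + encode_avp(ROUTE_RECORD, b"relay7.core.partner.example"))

if __name__ == "__main__":
    print(cer_decision(SAMPLE_CER, "192.0.2.10", POLICY))
    print([(c, d) for c, _, d, _ in parse_message(screen(SAMPLE_CCR, b"demo-key"))[1]])
```

Because the pseudonym is keyed and deterministic, the same Session-Id always maps to the same value, so downstream correlation still works while the original identifier stays hidden.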
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution is done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs are not dependent on each other
Figure 43: Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
   Note:
   • Additional addresses per signaling interface are supported
   • Multiple signaling interfaces are supported
   • Multiple Networks and/or VLANs supported
   • IPv4 and IPv6 are supported
   • SCTP Multi-Homing supported
   • If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
   • Additional Management VIPs are supported
   • Multiple addresses per blade are supported
   • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
   • Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses
   • 2 for Advanced Management Modules
   • 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides a chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B ndash Access Level Security
System management is done using secure protocols The access security supported in the
system is summarized in the table below
Solution Element: SDC Management
Access Control Model: Permission-based model
Access Method: Web Management Console, Web Services
Role/Permission: Permission Description
• Read-Only User: Read-only access
• Operator: Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
• Super-User (Administrator): Full access

Solution Element: Operating System
Access Control Model: Permission and Group-based model
Access Method: SSH, SFTP
Role/Permission: Permission Description
• Read-Only User: Read-only access to logs, system files and information
• Operator: (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
• Super-User (Administrator): Full access

Solution Element: Chassis/Hardware Management
Access Control Model: Role and Permission-based model
Access Method: Web Management Console, SNMP, SSH
Role/Permission: Permission Description
• Read-Only User: Read-only access
• Super-User (Administrator): Full access
• Custom Role set: (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements

Solution Element: Networking Hardware Management
Access Control Model: Permission-based model
Access Method: SSH
Role/Permission: Permission Description
• Read-Only User: Read-only access
• Operator: Read-only access and permission to make temporary operational configuration changes to selected options and reset ports
• Super-User (Administrator): Full access

Solution Element: SNMP Monitoring and Management
Access Control Model: USM (User-based security model)
Access Method: SNMP
Role/Permission: Permission Description
• USM user: Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 labels, in extraction order: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com.
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
1 Legal Notice
© 2005-2013 F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
F5 Networks, F5 Traffix Systems, Traffix Systems (design), F5 (design), OpenBloX, OpenBloX (design), Rosetta Diameter Gateway, Traffix Diameter Load Balancer, Signaling Delivery Controller, and SDC are trademarks or service marks of F5 Networks, Inc. in the US and other countries. All other product and company names herein may be trademarks of their respective owners.
2 About this Document
2.1 Document Objectives
This document provides an overview and a high-level functionality description of F5's Traffix Signaling Delivery Controller (SDC).
The target audience of this document includes Network and Solution Architects, and Program and Product Managers.
2.2 Conventions
The style conventions used in this document are detailed in Table 1.
Table 1 Conventions
Convention: Use
Times New Roman: Regular text
Times New Roman Bold: Names of menus, commands, buttons, and other elements of the user interface
Times New Roman Italic: Quotes and special terms, the first time they appear
Courier New: Language scripts
Notes, which offer an additional explanation or a hint on how to overcome a common problem
Warnings, which indicate potentially damaging User operations and explain how to avoid them
An example
For simplicity, throughout this document the Traffix Signaling Delivery Controller will be referred to as the SDC.
2.3 Glossary of Terms and Abbreviations
Table 2 Glossary of Terms and Abbreviations
Term: Definition
AAA: Authentication, Authorization and Accounting
AF: Application Function
Cluster: Group of nodes used to provide services as a single unit
Cluster Node: A node in the Cluster
CPF: Control Plane Function
Data Dictionary: Defines the format of a protocol's message and its validation parameters: structure, number of fields, data format, etc.
DRA: Diameter Routing Agent
EMS: Element Management System
FEP: Front End Proxy
HTTP: Hypertext Transfer Protocol
HSS: Home Subscriber Server
IMS: IP Multimedia Subsystem
JMS: Java Message Service
LDAP: Lightweight Directory Access Protocol
Link: The connection joint between the Cluster and Remote Nodes
LTE: Long Term Evolution
MME: Mobile Management Entity
NGN: Next Generation Networking
Node: Physical or virtual addressable entity
PCEF: Policy and Charging Enforcement Function
PCRF: Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers
Peer: Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services
Pool: A group of server remote nodes
RADIUS: Remote Authentication Dial In User Service
Remote Node: A client or server node in the network that provides or consumes AAA services
Scenario: Logical policies of translation flow
SDC: Signaling Delivery Controller
SNMP: Simple Network Management Protocol
SS7: Signaling System No. 7
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
URI: Universal Resource Identification
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost effectively, while increasing resiliency and reliability to support subscribers' ever-increasing service and broadband demands.
Figure 1 Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms and congestion control, provides unprecedented scalability and high availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration and maintenance. Easy installation procedures with a user-friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection and throttling mechanisms. Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms. Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting and customization. SDC provides full user control over the definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or interact with external systems while executing a routing decision. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real-time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale-out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy to deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support, and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility and help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs, and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files, and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2 End to end Diameter Architecture
[Figure 2 labels: SDC; IPX-A; IPX-B; PLMN-A; PLMN-B; PLMN-C; MVNO-B-A; MVNO-B-B; HSS; MME; SGSN; AF; PCRF; GGSN; OCS; DRA; DEA; Gy/Ro Proxy; S6a/d, Sh Proxy]
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF. SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes, and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. In Figure 2, edge network deployment is shown. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider. SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes. In this mode SDC incorporates an IWF function as defined by 3GPP and supports DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter-based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling routing, and flexibility in network configuration
• Native means for scaling up of the Diameter-based servers by using Diameter-based, message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based, message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent, used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to, and receive information from, the EMS manager and Splunk components in the management site, to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S6a/S6d and a MAP-based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter-based MME or SGSN using S6a/S6d, a Diameter-based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP-based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S13/S13' and a MAP-based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
Figure 8 SDC Platform Architecture
[Figure 8 labels: HA Cluster; Config Mgr; Shared Memory; CPF; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management, pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture from external clients and performs Peer management
• FEP-O: A single network aggregation point; hides the internal network architecture from external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements, arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security Enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
Security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g., the capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
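The two-level check described above, as an added example (not SDC code and not SDC's rule syntax): an ordered IP ACL with per-octet wildcards, followed by rules on the fields of the Diameter capabilities exchange request (CER). The rule layout, addresses, realm and host names are constructed, and default deny is an assumption.

```python
import fnmatch
import ipaddress

# Constructed rules for illustration; the page does not show SDC's own rule format.
IP_ACL = [                                   # ordered, first match wins
    ("deny", "10.20.30.66"),
    ("allow", "10.20.30.*"),
    ("allow", "192.0.2.*"),
]
CER_RULES = {                                # keyed by Origin-Realm
    "roaming.example.net": {
        "host_pattern": "*.roaming.example.net",
        "applications": {16777251},          # S6a application ID
    },
}
SAMPLE_CER = {                               # constructed CER fields, AVPs already decoded
    "Origin-Host": "mme1.roaming.example.net",
    "Origin-Realm": "roaming.example.net",
    "Auth-Application-Id": [16777251],
}


def ip_permitted(addr):
    """Evaluate the ACL top-down; unmatched or unparsable addresses are denied."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False
    for action, pattern in IP_ACL:
        parts = pattern.split(".")
        # Wildcards are matched per octet so "10.1.*" can never match 10.10.x.x.
        if len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return action == "allow"
    return False


def cer_permitted(cer):
    """Check the fields of the first request (CER) against the rule for its realm."""
    rule = CER_RULES.get(cer.get("Origin-Realm", "").lower())
    if rule is None:
        return False, "unknown Origin-Realm"
    host = cer.get("Origin-Host", "").lower()
    if not fnmatch.fnmatchcase(host, rule["host_pattern"]):
        return False, "Origin-Host outside realm"
    apps = set(cer.get("Auth-Application-Id", []))
    if not apps or not apps <= rule["applications"]:
        return False, "application not permitted"
    return True, "ok"


def admit_peer(src_ip, cer):
    """IP-level check first, then the application-level check on the CER."""
    if not ip_permitted(src_ip):
        return False, "IP ACL"
    return cer_permitted(cer)
```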
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol, and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4-Way Message Transformation (diagram labels: Client Peer, Transformation
Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
   using the SOAP API to the SDC internal provisioning database. When a new Diameter
   session is established, SDC fetches the destination from its provisioning database.
   When provisioning routing entries, an expiry time can be set for the provisioned
   entries, or they can be kept on a permanent basis.
   In addition to provisioning, SDC can calculate routing decisions or apply default
   decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
   new Diameter session's establishment, SDC will send a request to the location
   function. The request will include the query parameters, and the response will
   contain the appropriate pool for the specific request. The query parameters are
   extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
   implements the same logic as described above, but instead of sending requests to an
   external system, SDC performs a programmatic call to an external library integrated
   within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g., using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g., AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master Session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client 1, HTTP Client 1,
Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
   In this scenario, the Diameter server peer sends the request (e.g., RAR) to the
   Diameter client peer using the same Diameter Session-ID that was previously
   established by the Diameter client side. SDC routes the request to the client
   that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
   SDC accepts requests from different server peers as long as the requests share
   a Session-ID that was established by the client peer, as shown in the call flow
   depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
   In some cases, the communication between the Diameter client and server peers
   is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
   To allow proper handling of out of session, server initiated Diameter
   requests, SDC implements advanced routing rules that can be used by the user to
   define the required behavior. In case no rule is set, SDC sends the request to a
   client based on the request's Destination-Host AVP. This behavior is shown
   in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
  grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a".
  o The second range is routed to "pcrf-cluster-b".
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
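The IMSI-range rule and the per-session persistence described above, as an added example (not the rule from Figure 20 and not SDC's Groovy rule syntax). The IMSI ranges, the dict representation of decoded AVPs and the SessionRouter class are constructed for illustration; only the pool names come from the text.

```python
END_USER_IMSI = 1   # Subscription-Id-Type value for an IMSI (RFC 4006)

# Constructed ranges; the real ranges are visible only in the page's Figure 20.
ROUTING_RULE = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"

# Constructed Gx requests with AVPs already decoded into dicts.
SAMPLE_CCR_INITIAL = {
    "Session-Id": "pgw1.example.net;1;1",
    "Subscription-Id": [
        {"Subscription-Id-Type": 0, "Subscription-Id-Data": "15551230000"},
        {"Subscription-Id-Type": 1, "Subscription-Id-Data": "001010123456789"},
    ],
}
SAMPLE_CCR_UPDATE = {"Session-Id": "pgw1.example.net;1;1"}   # no Subscription-Id


def extract_imsi(request):
    """Return the IMSI from the grouped Subscription-Id AVP(s), or None."""
    for sub in request.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data", "")
        if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                and data.isascii() and data.isdigit() and 6 <= len(data) <= 15):
            return data
    return None


def select_pool(request):
    """Match the IMSI against the ranges; missing or out-of-range goes to default."""
    imsi = extract_imsi(request)
    if imsi is None:
        return DEFAULT_POOL
    for low, high, pool in ROUTING_RULE:
        # Equal-length digit strings compare correctly as text and keep leading zeros.
        if len(imsi) == len(low) and low <= imsi <= high:
            return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decides once per Session-Id and reuses the decision until the session ends."""

    def __init__(self):
        self.sessions = {}

    def route(self, request):
        session_id = request["Session-Id"]
        if session_id not in self.sessions:
            self.sessions[session_id] = select_pool(request)
        return self.sessions[session_id]

    def end_session(self, session_id):
        self.sessions.pop(session_id, None)
```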
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers;
traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in the row. Round Robin is a static algorithm: no external
parameters are taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no
external parameters are taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in the row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol, and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4-Way Message Transformation (diagram labels: Client Peer, Transformation
Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g., controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g., PCRF, HSS) from overload by controlling and limiting
  resource usage and allocation, e.g., controlling the outgoing message/traffic rate or
  limiting the number of requests pending answers per destination peer or group of
  destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
  allocation, e.g., controlling the incoming message/traffic rate, or by bounding the
  incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.,
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g., for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g., ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | Bits 0-7        | Bits 8-31
0          | version         | message length
32         | R P E T (flags) | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs ...
When performing prioritization using attributes available in the AVP(s) (e.g., CC-Request-Type),
it might have an impact of up to 5% on the latency.
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.,
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot:
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
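The By Precedence and Weighted Round Robin policies of section 8.4 combined with the error threshold described above, as an added example (not SDC code). Modelling the error rate as a count of events inside a sliding window is an assumption, as are the class names and the threshold, window and interval values used with it.

```python
class Peer:
    def __init__(self, name, weight=1):
        self.name, self.weight = name, weight
        self.errors = []          # timestamps of recent error events
        self.out_until = 0.0      # no new sessions before this time


class Pool:
    def __init__(self, peers, max_errors, window, out_interval):
        self.peers = list(peers)                  # list order is the precedence
        self.max_errors = max_errors              # threshold inside the window
        self.window = window                      # seconds
        self.out_interval = out_interval          # "out of service" duration, seconds
        self.used = {p.name: 0 for p in self.peers}
        self.cursor = 0

    def report_error(self, name, now):
        """Record a timeout, busy answer or other error seen in a peer's traffic."""
        peer = next(p for p in self.peers if p.name == name)
        peer.errors = [t for t in peer.errors if now - t < self.window] + [now]
        if len(peer.errors) > self.max_errors:
            peer.out_until = now + self.out_interval
            peer.errors = []

    def available(self, now):
        return [p for p in self.peers if now >= p.out_until]

    def by_precedence(self, now):
        """First peer in the pool that is in service, or None."""
        live = self.available(now)
        return live[0].name if live else None

    def weighted_round_robin(self, now):
        """Next peer in the row that has not yet reached its quota (its weight)."""
        live = self.available(now)
        if not live:
            return None
        if all(self.used[p.name] >= p.weight for p in live):
            self.used = dict.fromkeys(self.used, 0)   # every live peer hit its quota
            self.cursor = 0
        count = len(self.peers)
        for step in range(count):
            peer = self.peers[(self.cursor + step) % count]
            if peer in live and self.used[peer.name] < peer.weight:
                self.used[peer.name] += 1
                self.cursor = (self.cursor + step + 1) % count
                return peer.name
        return None


def sample_pool():
    """Constructed pool with the 3:2:1:1 weights mentioned in section 8.4."""
    peers = [Peer("A", 3), Peer("B", 2), Peer("C", 1), Peer("D", 1)]
    return Pool(peers, max_errors=3, window=10.0, out_interval=30.0)
```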
96 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanism that
can perform a wide range of tests from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests It is possible to have multiple monitors perform any test that is required
in order to assure service availability These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring eg by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX or using synthetic transactions The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring
9.7 Connectivity Monitoring
In addition to error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
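The watchdog behaviour described above, as an added Python example that is not SDC code: one object per peer answers incoming DWRs, probes an idle peer with a DWR, and falls back to a CER when no DWA arrives. The class name, the state names, the DWA wait time and the replayed timeline are assumptions; both roles from the text are folded into one class.

```python
class Watchdog:
    """Connectivity monitor for one peer, driven by an injected clock (seconds)."""

    def __init__(self, idle_s, dwa_wait_s, now=0):
        self.idle_s = idle_s            # the "predefined time interval" without traffic
        self.dwa_wait_s = dwa_wait_s    # assumed: how long a DWA may take to arrive
        self.state = "OPEN"             # OPEN, DWR_PENDING or RECONNECTING
        self.last_rx = now
        self.deadline = None

    def on_message(self, now, command):
        """Handle one received message; return the list of messages to send."""
        if self.state == "RECONNECTING":
            if command == "CEA":        # capabilities exchange answered: peer is back
                self.state, self.last_rx = "OPEN", now
            return []
        self.last_rx = now              # any traffic restarts the idle timer
        if command == "DWR":            # the peer is probing us: always answer
            return ["DWA"]
        # As in the text, only a DWA clears an outstanding DWR.
        if command == "DWA" and self.state == "DWR_PENDING":
            self.state, self.deadline = "OPEN", None
        return []

    def tick(self, now):
        """Advance the timers; return the list of messages to send."""
        if self.state == "OPEN" and now - self.last_rx >= self.idle_s:
            self.state, self.deadline = "DWR_PENDING", now + self.dwa_wait_s
            return ["DWR"]
        if self.state == "DWR_PENDING" and now >= self.deadline:
            self.state, self.deadline = "RECONNECTING", None
            return ["CER"]              # peer declared disconnected; re-establish
        return []


def run_timeline(events, idle_s=30, dwa_wait_s=10, until=100):
    """Replay constructed (time, command) receptions with a 1 s tick."""
    wd, sent, pending = Watchdog(idle_s, dwa_wait_s), [], sorted(events)
    for now in range(until + 1):
        while pending and pending[0][0] == now:
            command = pending.pop(0)[1]
            sent += [(now, m) for m in wd.on_message(now, command)]
        sent += [(now, m) for m in wd.tick(now)]
    return wd.state, sent


if __name__ == "__main__":
    # Constructed timeline: the peer probes us at t=10, answers our first DWR
    # at t=45, then goes silent, so the second DWR (t=75) times out at t=85.
    print(run_timeline([(10, "DWR"), (45, "DWA")]))
```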
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform comprises the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for distributing the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, and acts as the server for performance statistics collection.
• Management Console is a Web-based client GUI used to configure and
manage SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture (components shown: Management Console with HTTPS web access, Provisioning Interface (SOAP web service), Configuration Manager, Fault and Performance Manager (SNMP/Syslog), Security and Administration Manager, CLI, SDC Core on each SDC node)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistics collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful software and hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands and to
integrate OAM with umbrella management systems or Network Management Centers for
functions such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate action in case of a fatal fault situation (for example, restarting the Diameter Router
instance if it is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33 Scalable Deployment Physical View ("Scalable Mode" SDC node of 12 blades: VIP active on Blade 1 and standby on the other blades; SDC Engine, Web Interface, Config Mgr and Distributed Storage processes; clients backbone, servers backbone, interconnect and management network)
Figure 34 Scalable Deployment Logical View (labels: HA Cluster, Config Mgr, Shared Memory, SDC Engine, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
Figure 35 Main Software Processes (SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides on the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture (Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI WS; Diameter VIP and Management VIP; session replication between the nodes; client peer, server peer and management workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among the available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP address.
b. The floating IP address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP address are managed by the cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware: RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location (site). Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses iptables to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
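The checks described in sections 11.5 and 11.6, as an added Python example that is not SDC code: a Diameter decoder that enforces a maximum message length, an ACCEPT/REJECT decision on the AVPs of a CER, and an outgoing screen that drops Route-Record and rewrites Origin-Host. The rule schema, the 4096-byte limit, the host names and the sample messages are assumptions; header layout and AVP codes follow RFC 6733.

```python
import ipaddress
import struct

CER, ORIGIN_HOST, AUTH_APP_ID, ROUTE_RECORD = 257, 264, 258, 282  # RFC 6733 codes
MAX_MESSAGE_LEN = 4096  # assumed value; the text only says a maximum is enforced


def encode_avp(code, data, flags=0x40):
    """AVP header (code, flags, 24-bit length) + data, zero-padded to 4 bytes."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * ((-length) % 4))


def encode_message(command, app_id, avps, flags=0x80):
    """20-byte Diameter header followed by already encoded AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)


def parse_message(raw, max_len=MAX_MESSAGE_LEN):
    """Return (command, is_request, [(code, data, raw_avp)]); ValueError if malformed."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 header")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message longer than the configured maximum")
    if length != len(raw) or length % 4:
        raise ValueError("length field disagrees with the bytes received")
    avps, off = [], 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if aflags & 0x80 else 8  # V flag set: a 4-byte Vendor-Id follows
        if alen < hdr or off + alen > length:
            raise ValueError("AVP length out of bounds")
        end = off + alen + ((-alen) % 4)
        avps.append((code, raw[off + hdr:off + alen], raw[off:end]))
        off = end
    return int.from_bytes(raw[5:8], "big"), bool(raw[4] & 0x80), avps


def cer_decision(raw, source_ip, acl):
    """ACCEPT or REJECT a connection from its first message; default is REJECT."""
    try:
        command, is_request, avps = parse_message(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if command != CER or not is_request:
        return "REJECT", "first message is not a CER"
    hosts = [d.decode("ascii", "replace").lower() for c, d, _ in avps if c == ORIGIN_HOST]
    apps = {int.from_bytes(d, "big") for c, d, _ in avps if c == AUTH_APP_ID and len(d) == 4}
    if len(hosts) != 1:
        return "REJECT", "CER must carry exactly one Origin-Host"
    ip = ipaddress.ip_address(source_ip)
    for rule in acl:  # first matching rule wins
        if "subnet" in rule and ip not in ipaddress.ip_network(rule["subnet"]):
            continue
        # The suffix keeps its leading dot so "evilepc.example.net" cannot match.
        if "host_suffix" in rule and not hosts[0].endswith(rule["host_suffix"]):
            continue
        if "application_id" in rule and rule["application_id"] not in apps:
            continue
        return rule["action"], rule["name"]
    return "REJECT", "no rule matched"


def screen_outgoing(raw, public_host, drop=(ROUTE_RECORD,)):
    """Remove AVPs that reveal internal hops and present one public Origin-Host."""
    _, _, avps = parse_message(raw)
    kept = [encode_avp(ORIGIN_HOST, public_host) if code == ORIGIN_HOST else raw_avp
            for code, _, raw_avp in avps if code not in drop]
    body = b"".join(kept)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body


# Hypothetical rule schema and constructed sample messages (not captured traffic).
ACL = [
    {"name": "block-lab", "subnet": "10.20.30.0/24", "action": "REJECT"},
    {"name": "s6a-mme", "subnet": "10.20.0.0/16", "host_suffix": ".epc.example.net",
     "application_id": 16777251, "action": "ACCEPT"},  # 16777251 = 3GPP S6a
]


def sample_cer(origin_host, app_id=16777251):
    """CER reduced to the AVPs the rules inspect (app id kept at top level for brevity)."""
    avps = [encode_avp(ORIGIN_HOST, origin_host.encode()),
            encode_avp(AUTH_APP_ID, struct.pack("!I", app_id))]
    return encode_message(CER, 0, avps)


if __name__ == "__main__":
    for host in ("mme1.epc.example.net", "mme1.evilepc.example.net"):
        print(host, cer_decision(sample_cer(host), "10.20.1.5", ACL))
```

The decision defaults to REJECT for anything that fails to parse, so an oversized or truncated first message never reaches the rule list.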
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1,
February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- iptables rules are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as are internal and external
signaling networks
- The SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of switch modules
(one pair for signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load-balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture (blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 with 10 x 10GbE + 1 x 1GB external ports, L2/3 1GB Copper Switches A and B, EXT/INT SCTP and TCP networks, MGMT-A and MGMT-B, interswitch links, in-band connections to upstream routers; Virtual IPs for SCTP and TCP are doubled per internal and external network)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 |  |  | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 |  |  | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 |  |  | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 |  |  | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 |  |  | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 |  |  | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus
one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and
Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP
Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element: SDC Management
Access Control Model: Permission-based model
Access Method: Web Management Console, Web Services
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
• Super-User (Administrator): Full access
Solution Element: Operating System
Access Control Model: Permission and Group-based model
Access Method: SSH, SFTP
Role/Permission and Permission Description:
• Read-Only User: Read-only access to logs, system files and information
• Operator: (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
• Super-User (Administrator): Full access
Solution Element: Chassis Hardware Management
Access Control Model: Role and Permission-based model
Access Method: Web Management Console, SNMP, SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Super-User (Administrator): Full access
• Custom Role set: (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Solution Element: Networking Hardware Management
Access Control Model: Permission-based model
Access Method: SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Read-only access and permission to make temporary operational configuration changes to selected options and reset ports
• Super-User (Administrator): Full access
Solution Element: SNMP Monitoring and Management
Access Control Model: USM (User-based security model)
Access Method: SNMP
Role/Permission and Permission Description:
• USM user: Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 diagram; labels: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, Groovy Scripting; legend: P2P Message, Decision Table, Message Flow, Decision Flow]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
1 Legal Notice
© 2005-2013 F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright or other intellectual property right of F5, except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
F5 Networks, F5, Traffix Systems, Traffix Systems (design), F5 (design), OpenBloX, OpenBloX (design), Rosetta Diameter Gateway, Traffix Diameter Load Balancer, Signaling Delivery Controller and SDC are trademarks or service marks of F5 Networks, Inc. in the US and other countries. All other product and company names herein may be trademarks of their respective owners.
2 About this Document
2.1 Document Objectives
This document provides an overview and a high level functionality description of F5's Traffix Signaling Delivery Controller (SDC).
The target audience of this document includes Network and Solution Architects and Program and Product Managers.
2.2 Conventions
The style conventions used in this document are detailed in Table 1.
Table 1 Conventions
Convention: Use
Times New Roman: Regular text
Times New Roman Bold: Names of menus, commands, buttons and other elements of the user interface
Times New Roman Italic: Quotes and special terms, the first time they appear
Courier New: Language scripts
Notes, which offer an additional explanation or a hint on how to overcome a common problem
Warnings, which indicate potentially damaging User operations and explain how to avoid them
An example
For simplicity, throughout this document the Traffix Signaling Delivery Controller will be referred to as the SDC.
2.3 Glossary of Terms and Abbreviations
Table 2 Glossary of Terms and Abbreviations
Term: Definition
AAA: Authentication, Authorization and Accounting
AF: Application Function
Cluster: Group of nodes used to provide services as a single unit
Cluster Node: A node in the Cluster
CPF: Control Plane Function
Data Dictionary: Defines the format of a protocol's message and its validation parameters: structure, number of fields, data format, etc.
DRA: Diameter Routing Agent
EMS: Element Management System
FEP: Front End Proxy
HTTP: Hypertext Transfer Protocol
HSS: Home Subscriber Server
IMS: IP Multimedia Subsystem
JMS: Java Message Service
LDAP: Lightweight Directory Access Protocol
Link: The connection joint between the Cluster and Remote Nodes
LTE: Long Term Evolution
MME: Mobile Management Entity
NGN: Next Generation Networking
Node: Physical or virtual addressable entity
PCEF: Policy and Charging Enforcement Function
PCRF: Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers
Peer: Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services
Pool: A group of server remote nodes
RADIUS: Remote Authentication Dial In User Service
Remote Node: A client or server node in the network that provides or consumes AAA services
Scenario: Logical policies of translation flow
SDC: Signaling Delivery Controller
SNMP: Simple Network Management Protocol
SS7: Signaling System No. 7
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
URI: Universal Resource Identification
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost effectively, while increasing resiliency and reliability to support subscribers' ever increasing service and broadband demands.
Figure 1 Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms and congestion control, provides unprecedented scalability and high-availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration and maintenance. Easy installation procedures with a user friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection and throttling mechanisms. Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms. Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it is automatically and gradually reintroduced to the network.
• Flexibility, scripting and customization. SDC provides full user control over the definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or perform interaction with external systems while executing a routing decision. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy to deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility and help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
[Figure 2 diagram; labels: SDC, IPX-A, IPX-B, PLMN-A, PLMN-B, PLMN-C, MVNO-B-A, MVNO-B-B, HSS, MME, SGSN, AF, PCRF, GGSN, OCS, DRA, DEA, Gy/Ro Proxy, S6a/d Sh Proxy]
Figure 2 End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes, and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. In Figure 2 an edge network deployment is shown. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes.
In this mode SDC incorporates an IWF function as defined by 3GPP and supports the DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed at an IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling, routing and flexibility in network configuration
• Native means for scaling up of the Diameter based servers by using Diameter based, message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based, message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent, used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to and receive information from the EMS manager and Splunk components in the management site, to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. Upload of new data dictionaries is done at runtime and does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario the SDC acts as an IWF, directly connecting between a Diameter based MME or SGSN using S6a/S6d and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter based MME or SGSN using S6a/S6d, a Diameter based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
In this interworking scenario the SDC acts as an IWF, directly connecting between a Diameter based MME or SGSN using S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of the SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
[Figure 8 diagram; labels: HA Cluster, Config Mgr, Shared Memory, CPF, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server]
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management, pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as noted above, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements, arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The Security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
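The two-level check described above, as an added example (not SDC code and not part of the original document): a peer is admitted only if its source address matches an IP-level ACL entry and the fields of its capabilities exchange request match the application-level rule for the same partner. The rule layout, first-match ordering, default deny, the tie between the two levels by partner label, and every name and value below are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ipaddress

GX, RX = 16777238, 16777236        # 3GPP Gx and Rx application IDs

@dataclass(frozen=True)
class IpRule:
    pattern: str                   # dotted quad; "*" matches a whole octet
    partner: str                   # label shared with the application rule
    allow: bool

@dataclass(frozen=True)
class AppRule:
    partner: str
    origin_host: str               # wildcard pattern for the CER Origin-Host
    origin_realm: str              # exact Origin-Realm expected from the partner
    application_ids: frozenset     # applications the peer may advertise

# Constructed sample rules; addresses and domains are placeholders.
IP_ACL = [
    IpRule("10.20.30.66", "partner-a", False),   # blocked host inside an allowed range
    IpRule("10.20.*.*", "partner-a", True),
    IpRule("192.0.2.*", "partner-b", True),
]
APP_RULES = [
    AppRule("partner-a", "*.partner-a.example", "partner-a.example", frozenset({GX, RX})),
    AppRule("partner-b", "*.partner-b.example", "partner-b.example", frozenset({GX})),
]

def ip_matches(pattern, address):
    """Octet-wise wildcard match; a malformed address never matches."""
    try:
        octets = str(ipaddress.IPv4Address(address)).split(".")
    except ValueError:
        return False
    parts = pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))

def partner_for_ip(address):
    """IP level: the first matching ACL entry wins; no match means deny."""
    for rule in IP_ACL:
        if ip_matches(rule.pattern, address):
            return rule.partner if rule.allow else None
    return None

def cer_allowed(partner, cer):
    """Application level: check the fields of the capabilities exchange request."""
    host = cer.get("Origin-Host", "").lower()
    realm = cer.get("Origin-Realm", "").lower()
    apps = set(cer.get("Auth-Application-Id", []))
    for rule in APP_RULES:
        if rule.partner == partner:
            return (fnmatchcase(host, rule.origin_host)
                    and realm == rule.origin_realm
                    and bool(apps) and apps <= rule.application_ids)
    return False

def admit_peer(source_ip, cer):
    """Return (admitted, reason) for a connecting peer and its parsed CER."""
    partner = partner_for_ip(source_ip)
    if partner is None:
        return (False, "rejected at IP level")
    if not cer_allowed(partner, cer):
        return (False, "rejected at application level")
    return (True, "admitted as " + partner)
```

Because the application rule is looked up by the partner that owns the source range, a peer connecting from one partner's addresses cannot present another partner's realm.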
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram: Client Peer, Transformation Engine and Server Peer exchanging Requests and Responses in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd-party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combinations of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram: a Diameter Client and an HTTP Client, Session Binding, and a Diameter Server and an HTTP Server sharing the Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
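An added sketch (not the rule from Figure 20, which is not reproduced here, and not SDC code) of the routing example together with the session binding and persistence described earlier: a Gx session is routed by IMSI range at establishment, the decision is stored per Session-ID, and an Rx session with the same Framed-IP-Address inherits the master session's pool. The IMSI ranges, the dictionary message layout with RFC 4006 AVP spellings, the "interface" field and all function names are constructed assumptions; the pool names are the ones in the text.

```python
# Constructed IMSI ranges (inclusive, 15-digit strings on the 001/01 test PLMN).
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"
END_USER_IMSI = 1     # Subscription-Id-Type value for an IMSI (RFC 4006)

def imsi_from_request(msg):
    """Return the IMSI from the grouped Subscription-Id AVP, or None if absent."""
    for sub in msg.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data", "")
        if sub.get("Subscription-Id-Type") == END_USER_IMSI and data.isdigit():
            return data
    return None

def pool_for_imsi(imsi):
    """Compare the IMSI to the two ranges; missing or out of range -> default."""
    if imsi is not None and len(imsi) == 15:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL

class Router:
    def __init__(self):
        self.by_session = {}   # Session-Id -> pool; the decision persists
        self.by_binding = {}   # binding key (Framed-IP-Address) -> master Session-Id

    def route(self, msg):
        sid = msg["Session-Id"]
        if sid in self.by_session:             # later message of a known session
            return self.by_session[sid]
        key = msg.get("Framed-IP-Address")
        if msg["interface"] == "Gx":           # master session: apply the rule
            pool = pool_for_imsi(imsi_from_request(msg))
            if key:
                self.by_binding[key] = sid
        else:                                  # slave session: inherit from master
            master = self.by_binding.get(key)
            pool = self.by_session.get(master, DEFAULT_POOL)
        self.by_session[sid] = pool
        return pool

    def terminate(self, sid):
        """Forget a finished session and any binding key that pointed at it."""
        self.by_session.pop(sid, None)
        for key in [k for k, v in self.by_binding.items() if v == sid]:
            del self.by_binding[key]
```

Binding state is removed when the master session ends, so a later Rx session that reuses the same address is not tied to a PCRF chosen for a previous subscriber.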
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram: Clients, Internet, Router, SDC and Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available peer in the row. Round Robin is a static algorithm: no external
parameters are taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by each peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no
external parameters are taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in the row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weights set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of each peer. The response time is measured for a predefined duration of time
using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram: Client Peer, Transformation Engine and Server Peer exchanging Requests and Responses in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message-oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpected high memory/CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate, or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in), and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
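An added example (not SDC code) of the mechanism described in this section: one token bucket per Peer channel plus a global bucket, with reading from a channel, or from all channels, suspended for a configurable time once the corresponding bucket runs dry. The class names, parameters, return strings and the caller-supplied clock are assumptions; the same bucket acts as a message rate limiter with a cost of 1 per message, or as a byte rate limiter with a cost equal to the message length.

```python
class TokenBucket:
    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)       # tokens added per second
        self.burst = float(burst)     # bucket capacity (allowed burstiness)
        self.tokens = float(burst)
        self.stamp = now              # time of the last refill

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are present."""
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = now
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class RateLimiter:
    """Channel and global limiter; `pause` is the configurable stop-reading time."""

    def __init__(self, channel_rate, channel_burst, global_rate, global_burst, pause):
        self.channel_args = (channel_rate, channel_burst)
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.channels = {}            # peer -> TokenBucket
        self.paused_until = {}        # peer -> time at which reading resumes
        self.global_paused_until = 0.0
        self.pause = pause

    def admit(self, peer, now, cost=1):
        """Decide whether to read one message (or `cost` bytes) from `peer`."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.paused_until.get(peer, 0.0):
            return "channel-paused"
        bucket = self.channels.get(peer)
        if bucket is None:
            bucket = self.channels[peer] = TokenBucket(*self.channel_args, now=now)
        # Check both buckets before removing tokens from either, so that a
        # non-conforming message leaves the bucket contents unchanged.
        if not bucket.has(cost, now):
            self.paused_until[peer] = now + self.pause
            return "channel-paused"
        if not self.global_bucket.has(cost, now):
            self.global_paused_until = now + self.pause
            return "global-paused"
        bucket.take(cost)
        self.global_bucket.take(cost)
        return "read"
```

In a real reader loop the clock would be a monotonic timer, and a peer that keeps hitting "channel-paused" is the case the text hands over to the overload protection mechanism.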
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Diameter header layout:
Bit offset | Fields (bits 0 to 31)
0          | version, message length
32         | R P E T, command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
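An added example (not SDC code) of header-based prioritization: it parses the 20-byte Diameter header laid out above and assigns a priority from a table keyed on the R bit, T bit, command code and application ID, where None stands for "does not matter" and a message that matches no row gets normal priority. The table rows are constructed to mirror the examples in this section (CCA over CCR, Gx over Rx) plus one constructed row that uses the T bit; function names and the header builder are assumptions.

```python
import struct

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10            # Request and retransmit flag bits
CREDIT_CONTROL, AA = 272, 265          # CCR/CCA and AAR/AAA command codes
GX_APP, RX_APP = 16777238, 16777236    # 3GPP Gx and Rx application IDs

def parse_header(data):
    """Decode the fixed Diameter header; raise ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hop, end = struct.unpack("!IIIII", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return {
        "is_answer": not flags & FLAG_R,       # R bit clear means answer
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": code,
        "application_id": app_id,
        "length": length,
        "hop_by_hop": hop,
        "end_to_end": end,
    }

# Constructed priority table: (is_answer, is_retransmit, command code, app ID, priority)
PRIORITY_TABLE = [
    (True,  None, CREDIT_CONTROL, None,   "High"),   # CCA over CCR
    (None,  None, None,           GX_APP, "High"),   # Gx over Rx
    (False, True, None,           RX_APP, "High"),   # retransmitted Rx requests
]

def priority(header, table=PRIORITY_TABLE):
    """First matching row wins; no match means normal priority."""
    key = (header["is_answer"], header["is_retransmit"],
           header["command_code"], header["application_id"])
    for *pattern, level in table:
        if all(p is None or p == k for p, k in zip(pattern, key)):
            return level
    return "Normal"

def classify(data):
    return priority(parse_header(data))

def build_header(flags, code, app_id, length=HEADER_LEN, hop=1, end=1):
    """Build a constructed sample header for trying the classifier offline."""
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | code,
                       app_id, hop, end)
```

Only the fixed header is read, which is why this form of prioritization avoids the latency cost the text attributes to AVP-based prioritization.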
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
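The threshold behaviour described above can be sketched as a sliding-window monitor. This is an added example, not SDC code: the class and function names are hypothetical, and it assumes the threshold is a count of error events per time window.

```python
from collections import Counter, deque

DIAMETER_TOO_BUSY = 3004  # Result-Code value defined in RFC 6733


class PeerHealthMonitor:
    """Sliding-window count of error events seen from one remote peer."""

    def __init__(self, name, max_errors, window_s, out_of_service_s, slow_s):
        self.name = name
        self.max_errors = max_errors          # assumed form of the threshold: events per window
        self.window_s = window_s
        self.out_of_service_s = out_of_service_s
        self.slow_s = slow_s                  # response time that counts as an error event
        self._events = deque()                # (timestamp, kind), oldest first
        self._oos_until = float("-inf")

    def in_service(self, now):
        """True when the peer may be given new Diameter sessions."""
        return now >= self._oos_until

    def record_timeout(self, now):
        return self._record(now, "timeout")

    def record_answer(self, now, result_code, response_time_s):
        """Classify one answer; returns an alarm dict when the peer is taken out."""
        if result_code == DIAMETER_TOO_BUSY:
            return self._record(now, "busy")
        if result_code >= 3000:               # protocol, transient and permanent errors
            return self._record(now, "error")
        if response_time_s > self.slow_s:
            return self._record(now, "slow")
        return None

    def _record(self, now, kind):
        self._events.append((now, kind))
        while self._events and self._events[0][0] <= now - self.window_s:
            self._events.popleft()            # forget events older than the window
        if len(self._events) <= self.max_errors or not self.in_service(now):
            return None
        self._oos_until = now + self.out_of_service_s
        causes = dict(Counter(kind for _, kind in self._events))
        self._events.clear()
        # The alarm names the kinds of error that caused the decision.
        return {"peer": self.name, "until": self._oos_until, "causes": causes}


def pick_peer(monitors, now):
    """First in-service peer in priority order, or None to reject gracefully."""
    return next((m.name for m in monitors if m.in_service(now)), None)


def replay(monitor, events):
    """Feed (time, result_code or None for a timeout, response_time) events."""
    alarms = []
    for now, code, rtt in events:
        if code is None:
            alarm = monitor.record_timeout(now)
        else:
            alarm = monitor.record_answer(now, code, rtt)
        if alarm:
            alarms.append(alarm)
    return alarms


# Constructed sample traffic: None marks a request that timed out.
SAMPLE = [(0, None, 0), (1, 3004, 0.02), (2, 2001, 0.05), (3, 5012, 0.02), (4, None, 0)]
```

With a threshold of 3 events per 10 seconds, the fourth error in `SAMPLE` takes the peer out of service; errors spaced wider than the window never do.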
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and server utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
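The watchdog behaviour described in this section, written as a small state machine driven by an injected clock. This is an added example, not SDC code: the class name, the separate DWA wait time and the rule that a DWA must match the outstanding DWR's Hop-by-Hop identifier are assumptions, and it follows the description above rather than the full RFC 3539 algorithm.

```python
DWR_DWA, CER_CEA = 280, 257      # command codes from RFC 6733


class PeerWatchdog:
    """Connectivity monitor for one peer connection."""

    def __init__(self, idle_s, dwa_wait_s, now=0.0):
        self.idle_s = idle_s            # silence allowed before a DWR is sent
        self.dwa_wait_s = dwa_wait_s    # assumed: how long to wait for the DWA
        self.connected = True
        self._last_rx = now
        self._pending = None            # (hop_by_hop, sent_at) of the outstanding DWR
        self._next_hbh = 1

    def _new_hbh(self):
        hbh, self._next_hbh = self._next_hbh, self._next_hbh + 1
        return hbh

    def on_message(self, now, command, is_request, hop_by_hop):
        """Handle one received message; returns the list of messages to send."""
        if command == DWR_DWA and not is_request:
            if self._pending is None or self._pending[0] != hop_by_hop:
                return []               # unsolicited DWA: not accepted as proof of liveness
            self._pending = None
        elif command == CER_CEA and not is_request:
            self.connected, self._pending = True, None
        self._last_rx = now
        if command == DWR_DWA and is_request:
            return [("DWA", hop_by_hop)]    # the answer echoes the request's identifier
        return []

    def on_tick(self, now):
        """Called periodically; returns the list of messages to send."""
        if not self.connected:
            return []
        if self._pending is not None:
            if now - self._pending[1] >= self.dwa_wait_s:
                # No DWA for our DWR: declare the peer disconnected and reconnect.
                self.connected, self._pending = False, None
                return [("CER", self._new_hbh())]
            return []
        if now - self._last_rx >= self.idle_s:
            self._pending = (self._new_hbh(), now)
            return [("DWR", self._pending[0])]
        return []
```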
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Diagram: Management Console (HTTPS web access), Provisioning Interface (SOAP web service, SOAP XML), Configuration Manager, SDC Core, SNMP/Syslog, Fault and Performance Manager, Security and Administration Manager, CLI, AMM, blade server and SDC node]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node configuration and management
• Remote Peer configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistics collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by the OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful software and hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Diagram: "Scalable Mode" SDC node of 12 blades between the clients backbone (Client 1 to Client K) and the servers backbone (Server 1 to Server M), with external network, interconnect and management network; blade labels: SDC Engine, VIP (Active), VIP (Standby), Web Interface, Config Mgr, Distributed Storage]
Figure 33 Scalable Deployment Physical View
[Diagram: HA cluster with Config Mgr, shared memory, SDC Engines, FEP-I (IPSEC), FEP-I (TCP), FEP-O (SCTP), FEP-O (TCP), Web UI, SOAP, clients and servers]
Figure 34 Scalable Deployment Logical View
[Diagram: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Diagram: Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI WS, linked by session replication; Diameter VIP and Management VIP; client peer, server peer and management workstation]
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Diagram: SDC nodes with physical IPs, Diameter VIP and Management VIP, Web UI WS, Configuration Manager, session replication, Client1 and management workstation; the numbers 1 to 3 mark the steps of the request flow]
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Diagram: the same SDC nodes, VIPs, Configuration Manager, session replication, Client1 and management workstation as in Figure 37, with the request flow steps 1 to 3 during a node failure]
Figure 38 Scalable N+K HA architecture Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active
or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
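The CER access control of section 11.5 and the length enforcement and AVP removal of section 11.6 can be shown on the RFC 6733 wire format. This is an added example, not SDC code: the function names, the ACL layout, the choice of Route-Record as the AVP to hide and all sample values are assumptions.

```python
import ipaddress
import struct

CER, R_FLAG = 257, 0x80          # Capabilities-Exchange command code, request bit
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, ROUTE_RECORD = 264, 296, 258, 282


def encode_avp(code, data, flags=0x40):
    """Encode one AVP without a Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + bytes(-length % 4)


def encode_message(command, flags, app_id, avps, hop_by_hop=1, end_to_end=1):
    """Build a message from (code, data) pairs; used here only for sample input."""
    body = b"".join(encode_avp(code, data) for code, data in avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def parse_message(raw, max_len):
    """Return (command, flags, [(code, data, wire_bytes), ...]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds the configured maximum length")
    if declared != len(raw) or declared % 4:
        raise ValueError("declared length does not match the received bytes")
    avps, pos = [], 20
    while pos < declared:
        if pos + 8 > declared:
            raise ValueError("truncated AVP header")
        code, avp_flags = struct.unpack("!IB", raw[pos:pos + 5])
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header = 12 if avp_flags & 0x80 else 8   # the V bit adds a 4-byte Vendor-Id
        if avp_len < header or pos + avp_len > declared:
            raise ValueError("AVP length outside the message bounds")
        end = pos + avp_len + (-avp_len % 4)     # AVPs are padded to 4 bytes
        avps.append((code, raw[pos + header:pos + avp_len], raw[pos:end]))
        pos = end
    return int.from_bytes(raw[5:8], "big"), raw[4], avps


def screen_cer(raw, peer_ip, acl, max_len=4096):
    """ACCEPT or REJECT a connection from its first message (default deny)."""
    try:
        command, flags, avps = parse_message(raw, max_len)
    except ValueError:
        return "REJECT"
    if command != CER or not flags & R_FLAG:
        return "REJECT"
    realms = [d.decode("ascii", "replace").lower() for c, d, _ in avps if c == ORIGIN_REALM]
    apps = {int.from_bytes(d, "big") for c, d, _ in avps if c == AUTH_APP_ID}
    address = ipaddress.ip_address(peer_ip)
    if not any(address in ipaddress.ip_network(net) for net in acl["subnets"]):
        return "REJECT"
    if len(realms) != 1 or realms[0] not in acl["realms"]:
        return "REJECT"
    return "ACCEPT" if apps and apps <= acl["app_ids"] else "REJECT"


def strip_avps(raw, hidden_codes, max_len=4096):
    """Drop the listed AVPs and rewrite the message length in the header."""
    _, _, avps = parse_message(raw, max_len)
    body = b"".join(wire for code, _, wire in avps if code not in hidden_codes)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body


# Constructed sample data: a reduced CER (a real one carries more mandatory AVPs),
# documentation-range addresses and a hypothetical realm.
ACL = {"subnets": ["192.0.2.0/24"], "realms": {"operator.example"}, "app_ids": {16777251}}
SAMPLE_CER = encode_message(CER, R_FLAG, 0, [
    (ORIGIN_HOST, b"mme1.operator.example"),
    (ORIGIN_REALM, b"operator.example"),
    (AUTH_APP_ID, (16777251).to_bytes(4, "big")),
])
```

A message whose declared length disagrees with the bytes received is rejected before any AVP is read, so a forged length field never reaches the ACL logic.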
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Diagram: blade chassis with SDC worker nodes, Virtual Fabric Switch 1 and 2 (external ports 10 x 10GbE + 1 x 1GB port), L2/3 1GB Copper Switch A and B, interswitch links, EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND connections to upstream routers, and virtual IPs for SCTP and TCP (all VIPs are doubled per internal and external networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling:
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection:
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring:
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.[2]
Figure 58: Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
[Figure 58 labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
12.3 ADDRESSING SCHEME
13 HW ARCHITECTURE AND PERFORMANCE
13.1 SUPPORTED HW
14 APPENDIX A – OAM SNAPSHOTS
15 APPENDIX B – ACCESS LEVEL SECURITY
16 APPENDIX C – LOW LEVEL SDC PIPELINE
ABOUT TRAFFIX
1 Legal Notice
© 2005-2013 F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
F5 Networks F5 Traffix Systems Traffix Systems (design) F5 (design) OpenBloX
OpenBloX (design) Rosetta Diameter Gateway Traffix Diameter Load Balancer
Signaling Delivery Controller, and SDC are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners.
2 About this Document
2.1 Document Objectives
This document provides an overview and a high level functionality description of F5's Traffix Signaling Delivery Controller (SDC).
The target audience of this document includes Network and Solution Architects, and Program and Product Managers.
2.2 Conventions
The style conventions used in this document are detailed in Table 1.
Table 1: Conventions
| Convention | Use |
|---|---|
| Times New Roman | Regular text |
| Times New Roman Bold | Names of menus, commands, buttons and other elements of the user interface |
| Times New Roman Italic | Quotes and special terms, the first time they appear |
| Courier New | Language scripts |
| | Notes, which offer an additional explanation or a hint on how to overcome a common problem |
| | Warnings, which indicate potentially damaging User operations and explain how to avoid them |
| | An example |
For simplicity, throughout this document the Traffix Signaling Delivery Controller will be referred to as the SDC.
2.3 Glossary of Terms and Abbreviations
Table 2: Glossary of Terms and Abbreviations
| Term | Definition |
|---|---|
| AAA | Authentication, Authorization and Accounting |
| AF | Application Function |
| Cluster | Group of nodes used to provide services as a single unit |
| Cluster Node | A node in the Cluster |
| CPF | Control Plane Function |
| Data Dictionary | Defines the format of a protocol's message and its validation parameters: structure, number of fields, data format, etc. |
| DRA | Diameter Routing Agent |
| EMS | Element Management System |
| FEP | Front End Proxy |
| HTTP | Hypertext Transfer Protocol |
| HSS | Home Subscriber Server |
| IMS | IP Multimedia Subsystem |
| JMS | Java Message Service |
| LDAP | Lightweight Directory Access Protocol |
| Link | The connection joint between the Cluster and Remote Nodes |
| LTE | Long Term Evolution |
| MME | Mobile Management Entity |
| NGN | Next Generation Networking |
| Node | Physical or virtual addressable entity |
| PCEF | Policy and Charging Enforcement Function |
| PCRF | Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers |
| Peer | Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services |
| Pool | A group of server remote nodes |
| RADIUS | Remote Authentication Dial In User Service |
| Remote Node | A client or server node in the network that provides or consumes AAA services |
| Scenario | Logical policies of translation flow |
| SDC | Signaling Delivery Controller |
| SNMP | Simple Network Management Protocol |
| SS7 | Signaling System No. 7 |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| UDP | User Datagram Protocol |
| URI | Universal Resource Identification |
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost effectively, while increasing resiliency and reliability to support subscribers' ever increasing service and broadband demands.
Figure 1: Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms and congestion control, provides unprecedented scalability and high-availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration and maintenance. Easy installation procedures with a user friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection and throttling mechanisms. Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms. Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after unhealthy server recovery, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting and customization. SDC provides full user control for definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or perform interaction with external systems while executing routing decisions. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy to deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility, help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs, and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files, and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
[Figure 2 labels: SDC; IPX-A; IPX-B; PLMN-A; PLMN-B; PLMN-C; MVNO-B-A; MVNO-B-B; HSS; MME; SGSN; AF; PCRF; GGSN; OCS; Gy/Ro Proxy; S6a/d, Sh Proxy; DRA; DEA]
Figure 2: End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment, SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF. SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes, and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. In Figure 2, edge network deployment is shown. In this deployment, SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider. SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes. In this mode, SDC incorporates an IWF function as defined by 3GPP and supports DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter based network elements. In core network deployment, SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up of the Diameter based servers by using Diameter based, message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based, message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment, SDC can serve as Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3: SDC deployment as proxy in local mode
Figure 4: SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment, SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment, SDC works as a Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent, used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to, and receive information from, the EMS manager and Splunk components in the management site to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. Upload of new data dictionaries is done at runtime and does not require software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7 MAP, Camel
  Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
  o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
    In this interworking scenario, the SDC acts as an IWF, directly connecting between a Diameter based MME or SGSN using S6a/S6d and a MAP based Rel8 HLR using Gr.
  o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
    In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter based MME or SGSN using S6a/S6d, a Diameter based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP based roaming agreement.
  o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
    In this interworking scenario, the SDC acts as an IWF, directly connecting between a Diameter based MME or SGSN using S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols, IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
[Figure 8 labels: HA Cluster; Config Mgr; Shared Memory; CPF; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 8: SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management, pipeline and other infrastructures.
FEP maintains a steady single TCP connection with each of the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines, and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore, the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol, and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying, and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response arrows in the Client->Server and Client<-Server directions.]
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS, and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example, Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source, and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP, or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in Section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL, or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
[Figure 15: Multi-Protocol Session Binding. Diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1.]
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the
Session-ID. To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a".
o The second range is routed to "pcrf-cluster-b".
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
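The routing rule and the Gx/Rx binding described above can be modelled in a few lines. This is an added example, not SDC code or the Groovy rule from the figures: the pool names come from the page, while the IMSI ranges, peer names, dict-based message model, round-robin pick and the `None` result for an unbound Rx session are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

END_USER_IMSI = 1  # Subscription-Id-Type value for an IMSI (RFC 4006)

# Constructed IMSI ranges: the ranges in the page's figure are not reproduced here.
IMSI_RULES = [
    (310150000000000, 310150499999999, "pcrf-cluster-a"),
    (310150500000000, 310150999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"
# Constructed pool membership; peer names are hypothetical.
POOLS = {
    "pcrf-cluster-a": ["pcrf-a1", "pcrf-a2"],
    "pcrf-cluster-b": ["pcrf-b1"],
    "default": ["pcrf-d1"],
}


def extract_imsi(avps):
    """Return the IMSI carried in a Subscription-Id grouped AVP, or None."""
    for sub in avps.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data", "")
        is_imsi = sub.get("Subscription-Id-Type") == END_USER_IMSI
        if is_imsi and data.isascii() and data.isdigit():
            return int(data)
    return None


def select_pool(avps):
    """Apply the IMSI-range rule; a missing or out-of-range IMSI goes to the default pool."""
    imsi = extract_imsi(avps)
    if imsi is not None:
        for low, high, pool in IMSI_RULES:
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


@dataclass
class Router:
    sessions: dict = field(default_factory=dict)  # Session-Id -> selected peer
    bindings: dict = field(default_factory=dict)  # Framed-IP-Address -> peer of the Gx master
    cursor: dict = field(default_factory=dict)    # pool -> next round-robin index

    def _next_peer(self, pool):
        peers = POOLS[pool]
        index = self.cursor.get(pool, 0)
        self.cursor[pool] = (index + 1) % len(peers)
        return peers[index]

    def route(self, interface, avps):
        """Return the peer for a message, or None for an Rx session with no Gx master."""
        session_id = avps["Session-Id"]
        if session_id in self.sessions:
            # Routing and load balancing ran at session establishment; reuse the result.
            return self.sessions[session_id]
        key = avps.get("Framed-IP-Address")  # binding key shared by Gx and Rx
        if interface == "Gx":
            peer = self._next_peer(select_pool(avps))
            if key is not None:
                self.bindings[key] = peer
        else:
            # The Rx slave session inherits the decision made for the Gx master session.
            peer = self.bindings.get(key)
            if peer is None:
                return None  # behaviour without a master is not stated on the page
        self.sessions[session_id] = peer
        return peer
```

Because the binding table is keyed on a value taken from the message, an operator reviewing such a rule would check which peers are allowed to present that key, since any Rx client that supplies a bound Framed-IP-Address is steered to the same PCRF.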
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Figure 23: Contextual Policy. Diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID.]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. No external
parameters are taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. No
external parameters are taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying, and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response arrows in the Client->Server and Client<-Server directions.]
As seen in the above figure, SDC provides flexibility by defining transformations of
Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS, and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms, and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations, or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
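The token bucket, the message and byte limiters, and the channel and global pauses described above fit together as in the following added example. It is a model written for this text, not SDC's implementation: the class names, the `(rate, burst)` parameter pairs, the string results and the explicit `now` timestamps are assumptions of the example.

```python
class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # start full
        self.stamp = now

    def conforms(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are available."""
        if now > self.stamp:
            self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return cost <= self.tokens

    def take(self, cost):
        """Remove the tokens of a conforming message; non-conforming ones never get here."""
        self.tokens -= cost


class ReadLimiter:
    """Message and byte limits per channel (peer) and globally, with a read pause."""

    def __init__(self, channel_msg, channel_byte, global_msg, global_byte, pause):
        self.channel_msg = channel_msg    # (rate, burst) in messages
        self.channel_byte = channel_byte  # (rate, burst) in bytes
        self.global_buckets = (TokenBucket(*global_msg), TokenBucket(*global_byte))
        self.pause = pause                # seconds to stop reading after a violation
        self.channels = {}                # peer -> (message bucket, byte bucket)
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def admit(self, peer, size, now):
        """Return 'read', 'peer-paused' or 'global-paused' for one incoming message."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.channels:
            self.channels[peer] = (TokenBucket(*self.channel_msg, now=now),
                                   TokenBucket(*self.channel_byte, now=now))
        channel = self.channels[peer]
        costs = (1, size)  # one message token, `size` byte tokens
        # Channel limiter: a single peer exceeding its rate is paused on its own.
        if not all(b.conforms(c, now) for b, c in zip(channel, costs)):
            self.peer_paused_until[peer] = now + self.pause
            return "peer-paused"
        # Global limiter: the sum over all peers exceeding the total pauses every peer.
        if not all(b.conforms(c, now) for b, c in zip(self.global_buckets, costs)):
            self.global_paused_until = now + self.pause
            return "global-paused"
        # Tokens are removed only after every bucket accepted the message.
        for bucket, cost in zip(channel + self.global_buckets, costs * 2):
            bucket.take(cost)
        return "read"
```

The burst value sets how large a spike a peer may send before it is paused, so a burst sized far above normal traffic leaves the limiter inactive during the first seconds of a flood.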
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type, and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code, and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | 0-7 | 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
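Header-based prioritization needs only the fixed 20-byte Diameter header, as the following added example shows by decoding the layout in the table above and matching it against a priority table with "does not matter" wildcards. It is not SDC code: the rule set, the first-match order and all function names are assumptions of the example; command code 272 (Credit-Control) and application ID 16777238 (Gx) are the standard values.

```python
import struct
from typing import NamedTuple, Optional

FLAG_R, FLAG_T = 0x80, 0x10  # request bit and potentially-retransmitted bit


class Header(NamedTuple):
    version: int
    length: int
    is_request: bool
    is_retransmit: bool
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int


def parse_header(data: bytes) -> Header:
    """Decode the fixed 20-byte Diameter header; no AVP is inspected."""
    if len(data) < 20:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hbh, e2e = struct.unpack("!5I", data[:20])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("invalid message length")
    return Header(version, length, bool(flags & FLAG_R), bool(flags & FLAG_T),
                  code, app_id, hbh, e2e)


class Rule(NamedTuple):
    """One row of the priority table; None means 'does not matter'."""
    is_answer: Optional[bool]
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


# Constructed rules for the example: Gx Credit-Control answers and any
# retransmitted request are handled with high priority.
RULES = [
    Rule(True, None, 272, 16777238, "High"),
    Rule(False, True, None, None, "High"),
]


def classify(header: Header, rules=RULES, default: str = "Normal") -> str:
    """Return the priority of the first matching rule, or normal priority."""
    # A set R bit marks a request, so the message is an answer when it is clear.
    observed = (not header.is_request, header.is_retransmit,
                header.command_code, header.application_id)
    for rule in rules:
        if all(want is None or want == got for want, got in zip(rule[:4], observed)):
            return rule.priority
    return default


def build_header(flags, command_code, application_id, length=20, hbh=1, e2e=1) -> bytes:
    """Build a constructed sample header for exercising the classifier."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command_code,
                       application_id, hbh, e2e)
```

The T bit and the other header fields are set by the sending peer, so a rule that raises priority on them is best limited to peers that already passed security enforcement.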
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
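The threshold and "out of service" behaviour described above can be sketched as follows. This is an added example, not code from the SDC product: the class and parameter names, the sliding-window reading of "rate", and the choice to count only 3xxx Result-Codes as "other Diameter error codes" are assumptions, and the sample outcomes are constructed.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004  # RFC 6733 Result-Code carried in a busy answer


class InSessionMonitor:
    """Per-peer error-rate monitor with an "out of service" hold-down."""

    def __init__(self, max_errors, window_s, out_of_service_s, slow_response_s):
        self.max_errors = max_errors              # errors tolerated inside one window
        self.window_s = window_s                  # sliding window length, seconds
        self.out_of_service_s = out_of_service_s  # hold-down duration, seconds
        self.slow_response_s = slow_response_s    # response-time limit for this peer
        self._errors = deque()                    # timestamps of recent error events
        self._oos_until = None                    # end of the current hold-down, if any

    def classify(self, result_code, response_time_s):
        """Return the error kind for one request outcome, or None if healthy."""
        if result_code is None:                   # no answer arrived in time
            return "timeout"
        if result_code == DIAMETER_TOO_BUSY:
            return "busy_answer"
        if 3000 <= result_code <= 3999:           # assumption: protocol errors only
            return "diameter_error"
        if response_time_s > self.slow_response_s:
            return "slow_response"
        return None

    def record(self, now, result_code, response_time_s=0.0):
        """Record one outcome observed at time `now`; return its error kind or None."""
        kind = self.classify(result_code, response_time_s)
        if kind is None:
            return None
        self._errors.append(now)
        while self._errors and now - self._errors[0] > self.window_s:
            self._errors.popleft()                # forget errors older than the window
        if len(self._errors) > self.max_errors:   # threshold exceeded
            self._oos_until = now + self.out_of_service_s
            self._errors.clear()                  # start clean after the hold-down
        return kind

    def accepts_new_sessions(self, now):
        """False while the peer is held "out of service"."""
        return self._oos_until is None or now >= self._oos_until


# Constructed outcomes: (time_s, Result-Code or None for a timeout, response_time_s)
SAMPLE = [(0, None, 0.0), (1, 2001, 0.05), (2, 3004, 0.01),
          (3, 2001, 2.0), (4, 3002, 0.02), (5, 2001, 0.05)]


def replay(monitor, outcomes):
    """Feed outcomes in order; return (time, error kind, accepting?) per outcome."""
    trace = []
    for t, code, response_time in outcomes:
        kind = monitor.record(t, code, response_time)
        trace.append((t, kind, monitor.accepts_new_sessions(t)))
    return trace


if __name__ == "__main__":
    peer = InSessionMonitor(max_errors=3, window_s=10, out_of_service_s=30,
                            slow_response_s=1.0)
    for row in replay(peer, SAMPLE):
        print(row)
```

A successful but slow answer counts toward the threshold just like a timeout, which is why the fourth error at t=4 takes the peer out of rotation for new sessions.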
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes the responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI used to configure and
manage SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other
message-oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP: Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
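One way to express such a CER-based access policy, as an added example that is not the SDC's own code: it parses a Capabilities-Exchange-Request per RFC 6733 and applies ordered ACCEPT/REJECT rules with a default of REJECT. The rule format, function names and sample peers are assumptions of this example; the subnet condition is checked against the transport source address because every AVP in a CER is asserted by the peer itself.

```python
import ipaddress
import struct

CER = 257  # Capabilities-Exchange command code (RFC 6733)
AUTH_APP, ORIGIN_HOST, PRODUCT, ORIGIN_REALM = 258, 264, 269, 296  # AVP codes


def avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id: code, flags, 24-bit length, data, padding."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def cer(*avps):
    """Encode a CER: 20-byte header (version 1, R bit set, application 0) plus AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
            + CER.to_bytes(3, "big") + struct.pack("!III", 0, 0x1111, 0x2222) + body)


def parse(buf):
    """Return (command_code, is_request, {avp_code: [data, ...]}); ValueError if malformed."""
    if len(buf) < 20 or buf[0] != 1 or int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("bad Diameter header")
    avps, off = {}, 20
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # the V bit adds a 4-byte Vendor-Id
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.setdefault(code, []).append(buf[off + hdr:off + length])
        off += (length + 3) & ~3  # AVPs are padded to 32-bit boundaries
    return int.from_bytes(buf[5:8], "big"), bool(buf[4] & 0x80), avps


def peer_facts(avps, src_ip):
    """Collect the values the ACL inspects; absent AVPs become None or an empty set."""
    def text(code):
        return avps[code][0].decode("utf-8", "replace") if code in avps else None
    return {
        "src": ipaddress.ip_address(src_ip),  # observed on the socket, not claimed
        "host": text(ORIGIN_HOST),
        "realm": text(ORIGIN_REALM),
        "product": text(PRODUCT),
        "apps": {int.from_bytes(d, "big") for d in avps.get(AUTH_APP, []) if len(d) == 4},
    }


def matches(conditions, peer):
    """True when every condition of one rule holds for this peer."""
    checks = {
        "subnet": lambda v: peer["src"] in ipaddress.ip_network(v),
        "realm": lambda v: peer["realm"] == v,
        "host_suffix": lambda v: (peer["host"] or "").endswith(v),
        "product": lambda v: peer["product"] == v,
        "app": lambda v: v in peer["apps"],
    }
    return all(checks[key](value) for key, value in conditions.items())


def decide(buf, src_ip, rules):
    """First matching rule wins; malformed, non-CER or unmatched input is rejected."""
    try:
        command, is_request, avps = parse(buf)
    except ValueError:
        return "REJECT"
    if command != CER or not is_request:
        return "REJECT"
    peer = peer_facts(avps, src_ip)
    for action, conditions in rules:
        if matches(conditions, peer):
            return action
    return "REJECT"


# Constructed policy: block a traffic generator by Product-Name, then admit
# credit-control (application 4) peers of one realm from one signaling subnet.
RULES = [
    ("REJECT", {"product": "LoadGen"}),
    ("ACCEPT", {"subnet": "10.20.0.0/16", "realm": "epc.example.net", "app": 4}),
]

# Constructed sample CERs, trimmed to the AVPs this policy inspects.
GOOD = cer(avp(ORIGIN_HOST, b"pcef1.epc.example.net"), avp(ORIGIN_REALM, b"epc.example.net"),
           avp(PRODUCT, b"PCEF", flags=0), avp(AUTH_APP, struct.pack("!I", 4)))
LOADGEN = cer(avp(ORIGIN_HOST, b"gen.epc.example.net"), avp(ORIGIN_REALM, b"epc.example.net"),
              avp(PRODUCT, b"LoadGen", flags=0), avp(AUTH_APP, struct.pack("!I", 4)))

if __name__ == "__main__":
    print(decide(GOOD, "10.20.3.4", RULES), decide(GOOD, "192.0.2.9", RULES))
```

The same CER is accepted from inside the signaling subnet and rejected from outside it, so a peer cannot gain admission by copying another peer's Origin-Realm.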
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution is done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs are not dependent on each other
Figure 43: Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM: Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM: Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
Figure 58 Detailed System Flow
[Diagram labels, in extraction order: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
1 Legal Notice
© 2005-2013 F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable.
However, F5 assumes no responsibility for the use of this information, nor any
infringement of patents or other rights of third parties which may result from its use. No
license is granted by implication or otherwise under any patent, copyright, or other
intellectual property right of F5 except as specifically described by applicable user licenses.
F5 reserves the right to change specifications at any time without notice.
F5 Networks, F5 Traffix Systems, Traffix Systems (design), F5 (design), OpenBloX,
OpenBloX (design), Rosetta Diameter Gateway, Traffix Diameter Load Balancer,
Signaling Delivery Controller, and SDC are trademarks or service marks of F5 Networks,
Inc., in the U.S. and other countries. All other product and company names herein may be
trademarks of their respective owners.
2 About this Document
2.1 Document Objectives
This document provides an overview and a high level functionality description of F5’s
Traffix Signaling Delivery Controller (SDC).
The target audience of this document includes Network and Solution Architects and
Program and Product Managers.
2.2 Conventions
The style conventions used in this document are detailed in Table 1.
Table 1 Conventions

| Convention | Use |
|---|---|
| Times New Roman | Regular text |
| Times New Roman Bold | Names of menus, commands, buttons and other elements of the user interface |
| Times New Roman Italic | Quotes and special terms, the first time they appear |
| Courier New | Language scripts |
| | Notes, which offer an additional explanation or a hint on how to overcome a common problem |
| | Warnings, which indicate potentially damaging User operations and explain how to avoid them |
| | An example |

For simplicity, throughout this document the Traffix Signaling Delivery Controller will be
referred to as the SDC.
2.3 Glossary of Terms and Abbreviations
Table 2 Glossary of Terms and Abbreviations

| Term | Definition |
|---|---|
| AAA | Authentication, Authorization and Accounting |
| AF | Application Function |
| Cluster | Group of nodes used to provide services as a single unit |
| Cluster Node | A node in the Cluster |
| CPF | Control Plane Function |
| Data Dictionary | Defines the format of a protocol’s message and its validation parameters: structure, number of fields, data format, etc. |
| DRA | Diameter Routing Agent |
| EMS | Element Management System |
| FEP | Front End Proxy |
| HTTP | Hypertext Transfer Protocol |
| HSS | Home Subscriber Server |
| IMS | IP Multimedia Subsystem |
| JMS | Java Message Service |
| LDAP | Lightweight Directory Access Protocol |
| Link | The connection joint between the Cluster and Remote Nodes |
| LTE | Long Term Evolution |
| MME | Mobile Management Entity |
| NGN | Next Generation Networking |
| Node | Physical or virtual addressable entity |
| PCEF | Policy and Charging Enforcement Function |
| PCRF | Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers |
| Peer | Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services |
| Pool | A group of server remote nodes |
| RADIUS | Remote Authentication Dial In User Service |
| Remote Node | A client or server node in the network that provides or consumes AAA services |
| Scenario | Logical policies of translation flow |
| SDC | Signaling Delivery Controller |
| SNMP | Simple Network Management Protocol |
| SS7 | Signaling System No. 7 |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| UDP | User Datagram Protocol |
| URI | Universal Resource Identification |
3 Introduction to SDC
F5’s Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform
that provides a flexible and robust solution for the emerging control plane connectivity
challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume
of signaling traffic and the complexity of connectivity and signaling in LTE and IMS
networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router
solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE
and IMS networks, supporting millions of concurrent sessions and hundreds of millions of
subscribers. The SDC solution centralizes signaling and Diameter routing, traffic
management and load balancing tasks to scale and grow IMS and LTE networks
incrementally and cost effectively, while increasing resiliency and reliability to support
subscribers’ ever-increasing service and broadband demands.
Figure 1 Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which
allows definition and execution of different routing policies that simplify the control plane
network management. The routing engine, together with the advanced load balancing
algorithms, fast failback detection, failover mechanisms and congestion control, provides
unprecedented scalability and high availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers
gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration and
maintenance. Easy installation procedures with a user friendly GUI make SDC fast
to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to
configure and modify. Automatic cluster detection and a secure configuration
replication among parallel cluster nodes reduce the administrator’s efforts to a
minimum.
• Comprehensive network management using a Diameter contextual routing engine
that reduces and centralizes the routing logic and relieves Diameter nodes from
handling this logic.
• Congestion control for Diameter servers using advanced in-band health
monitoring, overload detection and throttling mechanisms. Using the health
monitoring mechanisms, SDC manages back-end failures and reduces the risk of
unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS)
using Layer 4-7 load balancing algorithms and fast failover detection and failback
mechanisms. Combined with congestion control mechanisms, SDC assures that
signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it
is automatically and gradually reintroduced to the network.
• Flexibility, scripting and customization. SDC provides full user
control over the definition of routing and transformation script rules using the Java-
based Groovy scripting language. Using this flexible scripting, SDC can detect
errors in messages or interact with external systems while executing a
routing decision. When interaction with external systems is required, SDC can be
integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based
functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service
and Distributed Denial of Service attacks, SDC runs different heuristics to protect
the system from overrun attempts and invalid requests. It also controls and fine-
tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real
time performance visualization and monitoring of SDC internals and back-end
servers. The performance counters are also available through multiple methods that
allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end
failover using multiple Virtual IPs. Using multi-threading and internal load
balancing, the SDC performance scales linearly with the number of cores/processors
and the number of SDC blades. The scale out ability protects SDC and the signaling
network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management
System (EMS) receives data (counters, states, alarms) from each SDC site and
enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing
service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By
avoiding the need for complex integration and customization projects, SDC provides a
simple, reliable and easy to deploy solution to the most challenging control plane
connectivity issues.
SDC is the market’s only fully native Diameter solution and can be deployed as an IETF
Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent
(DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System
(EMS), SS7-Diameter Support, and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel
with a centralized point of control for multi-site deployments. The EMS provides
performance indicators and business intelligence that improve visibility and help to identify
problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is
implemented through installing the SDC as an interworking function (IWF), which enables
any-to-any connectivity between Diameter-based and legacy nodes, and is also
implemented over TCAP, which enables message translation between Diameter and
CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to
create the site configuration file, customize the site deployment to your specific needs, and
perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site
configuration files, editing existing site configuration files, and performing installations.
After selecting the desired procedure, you are directed through the steps necessary to
complete your task.
5 Deployment Architectures
SDC’s deployment modes are depicted in Figure 2.
[Figure 2 diagram labels: SDC, IPX-A, IPX-B, PLMN-A, PLMN-B, PLMN-C, MVNO-B-A, MVNO-B-B, HSS, MME, SGSN, AF, PCRF, GGSN, OCS, Gy/Ro Proxy, DRA, S6a/d Sh Proxy, DEA]
Figure 2 End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The
actual deployment mode depends on the provider’s needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and
scaling of the internal network. Figure 2 depicts an internal network deployment for
PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2)
Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for
Diameter nodes and gateway/mediation functionalities with non-Diameter nodes.
The functionality split is logical, and all the functionalities are served by a single
SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX,
and enables secure and interoperable roaming and a single point of attachment
between the partners. In Figure 2, edge network deployment is shown. In this
deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to
PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between
the domains. It hides the internal PLMN topology of Diameter nodes
and provides an interworking function with non-Diameter nodes.
In this mode SDC incorporates an IWF function as defined by 3GPP and supports
DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in an IPX provider and performs traffic steering between
domains based on the supported roaming agreements. When deployed in IPX
carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the
network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the
core network, it reduces the operational burden posed by the peer-to-peer connectivity
architecture defined between the different Diameter based network elements. In core
network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network
configuration
• Native means for scaling up of the Diameter based servers by using Diameter based
message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based
message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants
and between Diameter and legacy protocols
In core network deployment SDC can serve as Proxy (Figure 3) or Redirect (Figure 4)
routing agent.
• In proxy mode, all Diameter transactions between two Diameter nodes are
transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter
nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be
deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed
at the edge of the network, SDC serves as a single point of attachment for roaming partners,
other service providers or IPX networks. Edge deployment of SDC is shown in Figure 5. In
this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and
routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies
message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between
Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer.
Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different
Diameter-enabled network nodes within the operator’s network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using
Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local
PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports
multi-site deployments by providing a centralized point of control. When using EMS, each
site is installed with an EMS agent used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder
component. These components respectively forward information to, and receive
information from, the EMS manager and Splunk components in the management site
to create an overview of the deployment’s performance and support shared
configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each
site is installed with its own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. This is achieved by uploading Diameter data dictionaries. New data
dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
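The dictionary-driven AVP handling described above can be pictured with the following added example, which is not SDC code and does not use SDC's XML dictionary format. It decodes a Diameter message in the RFC 3588 wire format and looks each AVP up by (Vendor-Id, AVP code), so that same-numbered AVPs from different vendors decode differently and AVPs missing from the dictionary are carried through as raw bytes. The in-memory dictionary, vendor IDs 99991 to 99993, the `Example-*` AVP names and the sample message are constructed assumptions.

```python
import struct

FLAG_VENDOR = 0x80     # 'V' bit: a 4-byte Vendor-Id follows the 8-byte AVP header
FLAG_MANDATORY = 0x40  # 'M' bit: receiver is expected to understand this AVP

# Constructed stand-in for a protocol dictionary, keyed by (vendor_id, avp_code).
# Vendor 0 entries are IETF base-protocol AVPs; vendors 99991/99992 and their
# AVP names are hypothetical and exist only for this example.
DICTIONARY = {
    (0, 264): ("Origin-Host", "utf8"),
    (0, 296): ("Origin-Realm", "utf8"),
    (99991, 1): ("Example-Tier", "unsigned32"),
    (99992, 1): ("Example-Tier-Label", "utf8"),  # same code, other vendor, other encoding
}


class DiameterError(ValueError):
    """Raised when a message or AVP violates the wire format."""


def encode_avp(code, data, vendor_id=0, mandatory=True):
    flags = (FLAG_MANDATORY if mandatory else 0) | (FLAG_VENDOR if vendor_id else 0)
    length = (12 if vendor_id else 8) + len(data)    # header + data, padding excluded
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-length % 4)      # pad to a 32-bit boundary


def encode_message(command_code, app_id, avps, hop_by_hop=1, end_to_end=1):
    body = b"".join(avps)
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big")   # version, message length
              + b"\x80" + command_code.to_bytes(3, "big")      # R (request) flag, command code
              + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body


def _decode_value(kind, data):
    if kind == "unsigned32":
        if len(data) != 4:
            raise DiameterError("Unsigned32 AVP must carry exactly 4 bytes")
        return struct.unpack("!I", data)[0]
    if kind == "utf8":
        try:
            return data.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise DiameterError("invalid UTF-8 in AVP") from exc
    return bytes(data)  # not in dictionary: keep raw bytes so it can be forwarded as-is


def decode_avp(buf, off, end):
    if end - off < 8:
        raise DiameterError("truncated AVP header")
    code, flags = struct.unpack_from("!IB", buf, off)
    avp_len = int.from_bytes(buf[off + 5:off + 8], "big")
    hdr = 12 if flags & FLAG_VENDOR else 8
    if avp_len < hdr or off + avp_len > end:
        raise DiameterError("AVP length outside message bounds")
    vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_VENDOR else 0
    name, kind = DICTIONARY.get((vendor, code), (None, "opaque"))
    avp = {
        "vendor_id": vendor, "code": code, "name": name, "known": name is not None,
        "mandatory": bool(flags & FLAG_MANDATORY),
        "value": _decode_value(kind, buf[off + hdr:off + avp_len]),
    }
    next_off = off + avp_len + (-avp_len % 4)        # skip padding to the next AVP
    if next_off > end:
        raise DiameterError("AVP padding runs past end of message")
    return avp, next_off


def decode_message(buf):
    if len(buf) < 20:
        raise DiameterError("truncated Diameter header")
    length = int.from_bytes(buf[1:4], "big")
    if buf[0] != 1 or length != len(buf) or length % 4:
        raise DiameterError("bad version or message length")
    app_id, _hop, _end = struct.unpack_from("!III", buf, 8)
    avps, off = [], 20
    while off < length:
        avp, off = decode_avp(buf, off, length)
        avps.append(avp)
    return {"command_code": int.from_bytes(buf[5:8], "big"),
            "request": bool(buf[4] & 0x80), "application_id": app_id, "avps": avps}


def build_sample():
    # Constructed request: command code 316, application 16777251 (S6a Update-Location).
    return encode_message(316, 16777251, [
        encode_avp(264, b"mme01.example.net"),
        encode_avp(1, struct.pack("!I", 3), vendor_id=99991),
        encode_avp(1, b"gold", vendor_id=99992),
        encode_avp(7, b"\x01\x02\x03", vendor_id=99993, mandatory=False),  # not in dictionary
    ])


if __name__ == "__main__":
    for avp in decode_message(build_sample())["avps"]:
        print(avp)
```

The length checks in `decode_avp` are the part a defender cares about: an AVP whose declared length runs past the message is rejected before any payload is read.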
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP’, SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement.
o IMEI check – an S13/S13’ - Gf interworking scenario with one
IWF
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13’ and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
[Figure 8 diagram labels: HA Cluster, Config Mgr, Shared Memory, CPF (four instances), FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, client and server peers]
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers, as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
This component provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a single steady TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
As noted above, the FEP and CPF nodes share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers’ state machines, and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; the requirement to maintain a
complex network with multiple links therefore becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation point; hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4-Way Message Transformation (diagram: Client Peer, Transformation Engine and Server Peer; Requests and Responses pass through the engine in both the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx session for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of
the grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a".
o The second range is routed to "pcrf-cluster-b".
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
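The IMSI-range rule and the per-session persistence described above can be sketched as follows. This is an added example, not SDC's rule engine or its Groovy script: the IMSI ranges are constructed (the page does not give them), AVPs are modelled as an already-decoded dict, and the names `GxRouter`, `extract_imsi` and `ccr` are hypothetical. AVP names use the RFC 4006 spelling (Subscription-Id).

```python
END_USER_IMSI = 1  # Subscription-Id-Type value that marks an IMSI (RFC 4006)

# Constructed ranges on the 001/01 test network; the page does not give the real ones.
IMSI_RULES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]


def extract_imsi(avps):
    """Return the first well-formed IMSI found in the Subscription-Id AVPs, else None."""
    for sub in avps.get("Subscription-Id", []):
        if sub.get("Subscription-Id-Type") != END_USER_IMSI:
            continue                      # e.g. an E.164 number, not an IMSI
        data = sub.get("Subscription-Id-Data")
        # Assumption: only 15 ASCII digits are accepted, so that comparing
        # equal-length digit strings gives an exact range check.
        if isinstance(data, str) and len(data) == 15 and data.isascii() and data.isdigit():
            return data
    return None


class GxRouter:
    def __init__(self, rules=IMSI_RULES, default_pool="default"):
        self.rules = list(rules)
        self.default_pool = default_pool
        self.sessions = {}                # Session-Id -> pool chosen at establishment

    def select_pool(self, avps):
        imsi = extract_imsi(avps)
        if imsi is not None:
            for low, high, pool in self.rules:
                if low <= imsi <= high:
                    return pool
        return self.default_pool          # AVP missing, malformed, or out of range

    def route(self, session_id, avps):
        """Decide once per session; later messages reuse the stored decision."""
        if session_id not in self.sessions:
            self.sessions[session_id] = self.select_pool(avps)
        return self.sessions[session_id]

    def end_session(self, session_id):
        self.sessions.pop(session_id, None)


def ccr(imsi=None, sub_type=END_USER_IMSI):
    """Build a constructed, already-decoded CCR as a dict of AVPs."""
    avps = {"Called-Station-Id": "internet"}
    if imsi is not None:
        avps["Subscription-Id"] = [
            {"Subscription-Id-Type": sub_type, "Subscription-Id-Data": imsi}
        ]
    return avps


def demo():
    r = GxRouter()
    return [
        r.route("s1", ccr("001010123456789")),   # first range
        r.route("s2", ccr("001010700000001")),   # second range
        r.route("s3", ccr("310150123456789")),   # not in any range
        r.route("s4", ccr()),                    # Subscription-Id missing
        r.route("s5", ccr("00101012345678x")),   # malformed IMSI
        r.route("s1", ccr("001010700000001")),   # same session: decision persists
    ]
```

The last call shows why the decision is pinned to the Session-Id: a later message carrying a different IMSI cannot move an established session to another pool.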
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram: Clients/Internet, Router, SDC and Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
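The Weighted Round Robin quota walk and the Contextual policy's weighted Context ID mapping, as an added example rather than SDC code. The peer names, the use of SHA-256 for the Context ID hash, the `down` set standing in for out-of-service peers and the sample Session-Ids are assumptions.

```python
import hashlib

WEIGHTS = {"p1": 3, "p2": 2, "p3": 1, "p4": 1}   # constructed pool, weights 3:2:1:1


class WeightedRoundRobin:
    """Round-robin walk that skips peers whose per-round quota (weight) is used up."""

    def __init__(self, weights):
        self.weights = dict(weights)              # peer -> weight, in pool order
        self.order = list(self.weights)
        self.sent = dict.fromkeys(self.order, 0)  # messages sent in this round
        self.pos = 0                              # where the next walk starts
        self.down = set()                         # peers declared out-of-service

    def next_peer(self):
        live = [p for p in self.order if p not in self.down]
        if live and all(self.sent[p] >= self.weights[p] for p in live):
            self.sent = dict.fromkeys(self.order, 0)   # every live quota used: new round
            self.pos = 0
        n = len(self.order)
        for step in range(n):
            peer = self.order[(self.pos + step) % n]
            if peer in self.down or self.sent[peer] >= self.weights[peer]:
                continue                          # out-of-service or quota reached
            self.sent[peer] += 1
            self.pos = (self.pos + step + 1) % n
            return peer
        return None                               # no peer can take the message


class ContextualBalancer:
    """Maps a Context ID to a peer; each peer owns as many hash slots as its weight."""

    def __init__(self, weights):
        self.slots = [peer for peer, w in weights.items() for _ in range(w)]

    def peer_for(self, context_id):
        digest = hashlib.sha256(context_id.encode("utf-8")).digest()
        return self.slots[int.from_bytes(digest[:8], "big") % len(self.slots)]


def wrr_sequence(n, down=()):
    lb = WeightedRoundRobin(WEIGHTS)
    lb.down.update(down)
    return [lb.next_peer() for _ in range(n)]


def contextual_counts(n):
    lb = ContextualBalancer(WEIGHTS)
    counts = dict.fromkeys(WEIGHTS, 0)
    for i in range(n):
        # Constructed Session-Ids; the default Context ID is the Diameter Session ID.
        counts[lb.peer_for("client.example.net;1;%d" % i)] += 1
    return counts
```

Because the Contextual mapping depends only on the Context ID and the slot table, every message of a session reaches the same peer without per-session state, but changing the pool or its weights remaps existing Context IDs.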
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4-Way Message Transformation (diagram: Client Peer, Transformation Engine and Server Peer; Requests and Responses pass through the engine in both the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory or CPU high usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate, or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then, the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then, the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
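A token bucket driving both a per-channel and a global read limiter, each with a message-rate and a byte-rate bucket, as described in the three subsections above. This is an added example, not SDC's implementation: the class names, rates, burst sizes and pause times are constructed, the bucket conformance check stands in for SDC's rate estimation, and the clock is passed in explicitly so the trace is reproducible.

```python
class TokenBucket:
    """Token bucket: `rate` tokens per second are added, at most `burst` are stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = float(burst)    # start full so an initial burst conforms
        self.stamp = 0.0              # time of the last refill

    def available(self, now):
        """Refill for the elapsed time and return the current token count."""
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return self.tokens

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message-rate and byte-rate buckets guarding one read path."""

    def __init__(self, msgs_per_s, burst_msgs, bytes_per_s, burst_bytes, pause_s):
        self.msgs = TokenBucket(msgs_per_s, burst_msgs)
        self.bytes = TokenBucket(bytes_per_s, burst_bytes)
        self.pause_s = pause_s        # how long reading stops after a violation
        self.paused_until = 0.0

    def paused(self, now):
        return now < self.paused_until

    def conforms(self, size, now):
        """True if one message of `size` bytes fits both buckets; removes nothing."""
        return self.msgs.available(now) >= 1 and self.bytes.available(now) >= size

    def commit(self, size):
        self.msgs.take(1)
        self.bytes.take(size)

    def pause(self, now):
        self.paused_until = now + self.pause_s


class RateControl:
    """Per-peer (channel) limiters plus one limiter shared by all peers (global)."""

    def __init__(self, channel_cfg, global_cfg):
        self.channel_cfg = channel_cfg
        self.channels = {}
        self.all_peers = ReadLimiter(**global_cfg)

    def on_message(self, peer, size, now):
        ch = self.channels.get(peer)
        if ch is None:
            ch = self.channels[peer] = ReadLimiter(**self.channel_cfg)
        if self.all_peers.paused(now):
            return "global-paused"
        if ch.paused(now):
            return "channel-paused"
        if not ch.conforms(size, now):
            ch.pause(now)                 # stop reading from this peer only
            return "channel-paused"
        if not self.all_peers.conforms(size, now):
            self.all_peers.pause(now)     # stop reading from every peer
            return "global-paused"
        ch.commit(size)                   # tokens are removed only when both conform
        self.all_peers.commit(size)
        return "read"


# Constructed limits for the demonstration.
CHANNEL = dict(msgs_per_s=5, burst_msgs=5, bytes_per_s=10_000, burst_bytes=10_000, pause_s=2.0)
GLOBAL = dict(msgs_per_s=8, burst_msgs=8, bytes_per_s=1_000_000, burst_bytes=1_000_000, pause_s=1.0)


def demo():
    rc = RateControl(CHANNEL, GLOBAL)
    trace = ([("peer-a", 200, 0.0)] * 7 + [("peer-b", 200, 0.5)] * 3
             + [("peer-a", 200, 1.0), ("peer-a", 200, 2.0)])
    return [rc.on_message(peer, size, now) for peer, size, now in trace]
```

In the trace, peer-a exhausts its burst of five messages and is paused for two seconds while peer-b keeps being read, which is the isolation the Channel Rate Limiter is meant to give.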
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
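Header-only classification against a priority table with "does not matter" wildcards, following the header layout shown above. This is an added example, not SDC code: the two rules, the first-match order and the helper names are assumptions, while the flag bits, command codes and application IDs are the standard Diameter and 3GPP values. Per RFC 6733 the R bit is set on requests, so "is answer" here means the R bit is clear.

```python
import struct

FLAG_R = 0x80   # set on requests, clear on answers (RFC 6733)
FLAG_T = 0x10   # set on potentially retransmitted requests

CC, AA = 272, 265                   # Credit-Control and AA command codes
GX, RX = 16777238, 16777236         # 3GPP Gx and Rx application IDs
ANY = None                          # "does not matter" in the priority table


def parse_header(data):
    """Decode the fixed 20-byte Diameter header and reject malformed input."""
    if len(data) < 20:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hop_by_hop, end_to_end = struct.unpack("!5I", data[:20])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < 20 or length % 4:
        raise ValueError("invalid message length %d" % length)
    flags = word1 >> 24
    return {
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": word1 & 0xFFFFFF,
        "application_id": app_id,
        "length": length,
    }


# Constructed rules in the column order of the table above; the first match wins.
PRIORITY_RULES = [
    # is_answer, is_retransmit, command_code, application_id, priority
    (True, ANY, CC, ANY, "high"),    # answers over requests: CCA before CCR
    (ANY, True, ANY, GX, "high"),    # retransmitted messages on Gx
]


def classify(data, rules=PRIORITY_RULES):
    """Return the priority of one message using header fields only (no AVP parsing)."""
    hdr = parse_header(data)
    fields = (hdr["is_answer"], hdr["is_retransmit"],
              hdr["command_code"], hdr["application_id"])
    for *conditions, priority in rules:
        if all(c is ANY or c == f for c, f in zip(conditions, fields)):
            return priority
    return "normal"                  # no rule set for this combination


def build_header(flags, command_code, app_id, length=20, hop_by_hop=1, end_to_end=1):
    """Build a constructed header-only message for the demonstration."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command_code,
                       app_id, hop_by_hop, end_to_end)


def demo():
    samples = [
        build_header(0x00, CC, GX),               # CCA on Gx
        build_header(FLAG_R, CC, GX),             # CCR on Gx
        build_header(FLAG_R | FLAG_T, CC, GX),    # retransmitted CCR on Gx
        build_header(FLAG_R | FLAG_T, AA, RX),    # retransmitted AAR on Rx
    ]
    return [classify(s) for s in samples]
```

Classifying on the fixed header keeps the decision to one 20-byte read per message, which is why it avoids the latency cost the page attributes to AVP-based prioritization.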
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
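The threshold and "out of service" logic described above can be modelled as a sliding-window error counter per peer. This is an added example, not SDC code: the class, the parameter names, the peer names and the event list are all assumptions, and only the Result-Code values come from the Diameter base protocol.

```python
from collections import deque


class PeerHealth:
    """Error-event monitor for one remote Diameter peer (illustrative model)."""

    def __init__(self, max_errors, window_s, out_of_service_s, slow_response_s):
        self.max_errors = max_errors              # error threshold per window
        self.window_s = window_s                  # sliding window length, seconds
        self.out_of_service_s = out_of_service_s  # penalty interval, seconds
        self.slow_response_s = slow_response_s    # response time counted as an error
        self.errors = deque()                     # timestamps of recent error events
        self.oos_until = 0.0                      # end of the out-of-service period

    def in_service(self, now):
        return now >= self.oos_until

    def record(self, now, result_code=None, response_time_s=0.0):
        """Feed one answer; result_code=None means the request timed out."""
        timed_out = result_code is None
        failed = not timed_out and result_code // 1000 != 2   # 2xxx means success
        slow = response_time_s > self.slow_response_s
        if timed_out or failed or slow:
            self.errors.append(now)
        # Forget error events that have left the sliding window.
        while self.errors and now - self.errors[0] >= self.window_s:
            self.errors.popleft()
        if len(self.errors) > self.max_errors:
            self.oos_until = now + self.out_of_service_s
            self.errors.clear()
        return self.in_service(now)


def route_new_session(pool, now):
    """Return the first in-service peer name, or None to reject gracefully."""
    for name, peer in pool.items():
        if peer.in_service(now):
            return name
    return None


def replay(pool, events):
    """Apply (time, peer, result_code, response_time) events; return routing picks."""
    picks = []
    for now, name, code, rtt in events:
        pool[name].record(now, code, rtt)
        picks.append(route_new_session(pool, now))
    return picks


# Constructed sample traffic: 3004 is DIAMETER_TOO_BUSY, 3002 is
# DIAMETER_UNABLE_TO_DELIVER, None is a timeout, 3.20 s is a slow answer.
EVENTS = [
    (0.0, "hss-a", 2001, 0.05),
    (1.0, "hss-a", None, 0.0),
    (2.0, "hss-a", 3004, 0.04),
    (3.0, "hss-a", 2001, 3.20),
    (4.0, "hss-a", 3002, 0.03),
    (5.0, "hss-b", 2001, 0.05),
    (40.0, "hss-a", 2001, 0.05),
]

if __name__ == "__main__":
    limits = dict(max_errors=3, window_s=10.0, out_of_service_s=30.0,
                  slow_response_s=2.0)
    pool = {"hss-a": PeerHealth(**limits), "hss-b": PeerHealth(**limits)}
    print(replay(pool, EVENTS))
```

A `None` pick is the case where the caller would answer with the configured busy Result-Code instead of forwarding the request.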
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram showing the Management Console, Configuration Manager, Provisioning Interface (SOAP), SDC Core, Fault and Performance Manager, Security and Administration Manager, and CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by the OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment, Physical View (diagram of a "Scalable Mode" SDC node with 12 blades, each running an SDC Engine, with active and standby VIPs, Web Interface, Config Mgr and Distributed Storage, connected to the clients backbone, servers backbone, interconnect and management network)
Figure 34: Scalable Deployment, Logical View (diagram of the HA cluster with Config Mgr, shared memory, SDC Engines, FEP-I (IPSEC, TCP) and FEP-O (SCTP, TCP) proxies, Web UI and SOAP, between clients and servers)
Figure 35: Main Software Processes (diagram of SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram of Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI / WS, sharing the Diameter VIP and Management VIP, with session replication between the nodes, a client peer, a server peer and a management workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (diagram of three SDC nodes, each with a physical IP, Diameter VIP and Management VIP, with Configuration Manager, Web UI / WS, session replication, a client and a management workstation; callouts 1 to 3 mark the request flow steps)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation (diagram of three SDC nodes, each with a physical IP, Diameter VIP and Management VIP, with Configuration Manager, Web UI / WS, session replication, a client and a management workstation; callouts 1 to 3 mark the request flow steps)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware - RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
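The CER-based access policy of section 11.5 and the length limit and AVP removal of section 11.6 can be shown together on an encoded Diameter message. This is an added example, not SDC code or its configuration format: the rule layout, function names, the 4096-byte limit, and the sample realm, host and addresses are assumptions, while the header layout and AVP codes follow the Diameter base protocol (RFC 6733).

```python
import ipaddress
import struct

CER_CODE = 257                      # Capabilities-Exchange-Request
AVP_AUTH_APP, AVP_ORIGIN_HOST, AVP_PRODUCT_NAME, AVP_ORIGIN_REALM = 258, 264, 269, 296
MAX_MESSAGE_LEN = 4096              # assumed operator limit, not an SDC default


def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-Id: code, flags, 24-bit length, data, padding."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def encode_message(command, app_id, avps, flags=0x80):
    """Build a Diameter version 1 message around already encoded AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)


def parse_message(raw, max_len=MAX_MESSAGE_LEN):
    """Return (command, [(avp_code, data, encoded_avp)]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len or length != len(raw) or length % 4:
        raise ValueError("oversized or inconsistent message length")
    avps, pos = [], 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, pos)
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8      # V flag adds a Vendor-Id field
        if avp_len < header or pos + avp_len > length:
            raise ValueError("AVP length out of bounds")
        end = pos + avp_len + (-avp_len % 4)    # AVPs are padded to 32 bits
        avps.append((code, raw[pos + header:pos + avp_len], raw[pos:end]))
        pos = end
    return int.from_bytes(raw[5:8], "big"), avps


def decide(raw, peer_ip, acl):
    """First matching rule wins; anything unparsable or unmatched is rejected."""
    try:
        command, avps = parse_message(raw)
        realm = next(d for c, d, _ in avps if c == AVP_ORIGIN_REALM).decode("ascii")
    except (ValueError, StopIteration):
        return "REJECT"
    if command != CER_CODE:
        return "REJECT"
    apps = {int.from_bytes(d, "big") for c, d, _ in avps if c == AVP_AUTH_APP}
    source = ipaddress.ip_address(peer_ip)      # transport source, not a peer-set AVP
    for rule in acl:
        if "realm" in rule and rule["realm"] != realm:
            continue
        if "app" in rule and rule["app"] not in apps:
            continue
        if "subnet" in rule and source not in ipaddress.ip_network(rule["subnet"]):
            continue
        return rule["action"]
    return "REJECT"


def screen(raw, drop_codes):
    """Re-encode a message without the listed AVP codes and fix its length."""
    _, avps = parse_message(raw)
    body = b"".join(enc for code, _, enc in avps if code not in drop_codes)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body


# Constructed policy and CER for the example; names and addresses are invented.
ACL = [
    {"action": "REJECT", "realm": "lab.example.net"},
    {"action": "ACCEPT", "realm": "epc.example.net", "subnet": "10.20.0.0/16",
     "app": 16777251},                          # 16777251 is the 3GPP S6a application
]


def sample_cer(realm="epc.example.net"):
    return encode_message(CER_CODE, 0, [
        encode_avp(AVP_ORIGIN_HOST, b"mme01." + realm.encode()),
        encode_avp(AVP_ORIGIN_REALM, realm.encode()),
        encode_avp(AVP_AUTH_APP, struct.pack("!I", 16777251)),
        encode_avp(AVP_PRODUCT_NAME, b"constructed-mme", flags=0x00),
    ])


if __name__ == "__main__":
    cer = sample_cer()
    print(decide(cer, "10.20.3.4", ACL), decide(cer, "192.0.2.9", ACL))
    print(len(cer), len(screen(cer, {AVP_PRODUCT_NAME})))
```

The subnet rule is matched against the transport source address because every identity AVP in a CER is supplied by the connecting peer.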
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram of a blade chassis with SDC worker nodes, two Virtual Fabric Switches with external ports (10 x 10GbE + 1 x 1GB port), two L2/3 1GB Copper Switches (A and B), interswitch links, external and internal SCTP and TCP networks, management networks A and B, in-band connections to upstream routers, and Virtual IPs for SCTP and TCP doubled per internal and external networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-only access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P; Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high-capacity, high-performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
| Traffix Systems UK | Traffix Systems IL | Traffix Systems USA |
|---|---|---|
| Fortis House | 5B Hanagar Street | 3587 Highway 9N 204 |
| 160 London Road | Neve Neeman | Freehold, NJ |
| Barking, Essex IG11 8BB | Hod Hasharon 45240 | 07728 |
| UK | Israel | USA |
| Phone +44 (0)20 8214 1384 | Phone +972 (0) 9 788 9222 | Phone +1 732 333 3416 |
2 About this Document
2.1 Document Objectives
This document provides an overview and a high-level functionality description of F5's Traffix Signaling Delivery Controller (SDC).
The target audience of this document includes Network and Solution Architects, and Program and Product Managers.
2.2 Conventions
The style conventions used in this document are detailed in Table 1.
Table 1: Conventions
| Convention | Use |
|---|---|
| Times New Roman | Regular text |
| Times New Roman Bold | Names of menus, commands, buttons and other elements of the user interface |
| Times New Roman Italic | Quotes and special terms, the first time they appear |
| Courier New | Language scripts |
| | Notes, which offer an additional explanation or a hint on how to overcome a common problem |
| | Warnings, which indicate potentially damaging User operations and explain how to avoid them |
| | An example |
For simplicity, throughout this document the Traffix Signaling Delivery Controller will be referred to as the SDC.
2.3 Glossary of Terms and Abbreviations
Table 2: Glossary of Terms and Abbreviations
| Term | Definition |
|---|---|
| AAA | Authentication, Authorization and Accounting |
| AF | Application Function |
| Cluster | Group of nodes used to provide services as a single unit |
| Cluster Node | A node in the Cluster |
| CPF | Control Plane Function |
| Data Dictionary | Defines the format of a protocol's message and its validation parameters: structure, number of fields, data format, etc. |
| DRA | Diameter Routing Agent |
| EMS | Element Management System |
| FEP | Front End Proxy |
| HTTP | Hypertext Transfer Protocol |
| HSS | Home Subscriber Server |
| IMS | IP Multimedia Subsystem |
| JMS | Java Message Service |
| LDAP | Lightweight Directory Access Protocol |
| Link | The connection joint between the Cluster and Remote Nodes |
| LTE | Long Term Evolution |
| MME | Mobile Management Entity |
| NGN | Next Generation Networking |
| Node | Physical or virtual addressable entity |
| PCEF | Policy and Charging Enforcement Function |
| PCRF | Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers |
| Peer | Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services |
| Pool | A group of server remote nodes |
| RADIUS | Remote Authentication Dial In User Service |
| Remote Node | A client or server node in the network that provides or consumes AAA services |
| Scenario | Logical policies of translation flow |
| SDC | Signaling Delivery Controller |
| SNMP | Simple Network Management Protocol |
| SS7 | Signaling System No. 7 |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| UDP | User Datagram Protocol |
| URI | Universal Resource Identification |
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost-effectively, while increasing resiliency and reliability to support subscribers' ever-increasing service and broadband demands.
Figure 1: Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms and congestion control, provides unprecedented scalability and high availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration and maintenance. Easy installation procedures with a user-friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful yet simple to configure and modify. Automatic cluster detection and secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection and throttling mechanisms. Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms. Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting and customization. SDC provides full user control over the definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or interact with external systems while executing a routing decision. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real-time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off-the-shelf hardware. SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale-out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy-to-deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility, help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2: End to end Diameter Architecture
[Diagram labels: SDC; IPX-A, IPX-B; PLMN-A, PLMN-B, PLMN-C; MVNO-B-A, MVNO-B-B; HSS, MME, SGSN, AF, PCRF, GGSN, OCS; Gy/Ro Proxy; S6a/d and Sh Proxy; DRA; DEA]
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
  SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. In Figure 2, edge network deployment is shown. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
  SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides interworking function with non-Diameter nodes.
  In this mode SDC incorporates an IWF function as defined by 3GPP and supports DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter-based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up the Diameter-based servers by using Diameter-based, message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based, message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes but does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3: SDC deployment as proxy in local mode
Figure 4: SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Performs message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to and receive information from the EMS manager and Splunk components in the management site, to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7 MAP, CAMEL
  Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
  o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
    In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S6a/S6d and a MAP-based Rel8 HLR using Gr.
  o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
    In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter-based MME or SGSN using S6a/S6d, a Diameter-based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP-based roaming agreement.
  o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
    In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S13/S13' and a MAP-based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
Figure 8: SDC Platform Architecture
[Diagram labels: HA Cluster; Config Mgr; Shared Memory; CPF (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
As noted above, the FEP and CPF nodes share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point, hides the internal network architecture from external clients and performs Peer management.
• FEP-O: A single network aggregation, hides the internal network architecture from external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The Security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
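The two enforcement levels described above can be sketched as follows. This is an added example, not SDC code or its rule syntax: the ACL notation ("*" for one whole octet, first match wins, default deny), the rule fields, the peer names and the addresses are all assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed IP-level rules (assumed notation): first match wins, no match means deny.
IP_ACL = [
    ("deny", "10.20.30.66"),
    ("allow", "10.20.30.*"),
    ("allow", "192.0.2.*"),
]

S6A, GX = 16777251, 16777238  # 3GPP Diameter application IDs

# Constructed application-level rules, keyed on fields of the first request (CER).
PEER_RULES = [
    {"origin_realm": "epc.mnc001.mcc001.3gppnetwork.org",
     "origin_host": "*.epc.mnc001.mcc001.3gppnetwork.org",
     "applications": {S6A}},
    {"origin_realm": "home.example",
     "origin_host": "pcef*.home.example",
     "applications": {GX}},
]

# Constructed CER, reduced to the AVPs the rules inspect.
SAMPLE_CER = {
    "Origin-Host": "MME01.epc.mnc001.mcc001.3gppnetwork.org",
    "Origin-Realm": "epc.mnc001.mcc001.3gppnetwork.org",
    "Auth-Application-Id": [S6A],
}


def ip_rule_matches(pattern, address):
    """Octet-wise comparison; malformed addresses never match."""
    try:
        octets = str(ipaddress.IPv4Address(address)).split(".")
    except ValueError:
        return False
    parts = pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))


def ip_allowed(address):
    for action, pattern in IP_ACL:
        if ip_rule_matches(pattern, address):
            return action == "allow"
    return False  # default deny


def admit_peer(source_ip, cer):
    """Return (admitted, reason) for a new connection and its CER fields."""
    if not ip_allowed(source_ip):
        return False, "ip-denied"
    # Diameter identities are compared case-insensitively.
    host = cer.get("Origin-Host", "").lower()
    realm = cer.get("Origin-Realm", "").lower()
    apps = set(cer.get("Auth-Application-Id", []))
    for rule in PEER_RULES:
        if realm == rule["origin_realm"] and fnmatchcase(host, rule["origin_host"]):
            # Every advertised application must be permitted for this partner.
            if apps and apps <= rule["applications"]:
                return True, "ok"
            return False, "application-not-allowed"
    return False, "unknown-peer"
```

Checking that every advertised application is permitted, rather than that at least one is, keeps a roaming partner admitted for S6a from also opening Gx on the same connection.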
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
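The IMSI-range rule and the Gx/Rx session binding described earlier can be combined in one sketch. This is an added example, not SDC's Groovy rule or its API: the IMSI ranges, peer names, the per-pool round robin used as a stand-in for load balancing, and returning None for an unbound Slave Session are all assumptions.

```python
from collections import defaultdict

# Constructed 15-digit IMSI ranges; the page's own ranges are in its Figure 20.
IMSI_RANGES = [
    ("310150000000000", "310150499999999", "pcrf-cluster-a"),
    ("310150500000000", "310150999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"
POOLS = {  # constructed peer names
    "pcrf-cluster-a": ["pcrf-a1", "pcrf-a2"],
    "pcrf-cluster-b": ["pcrf-b1", "pcrf-b2"],
    "default": ["pcrf-default"],
}
BINDING_KEY_AVPS = ("Called-Station-Id", "Framed-IP-Address")
END_USER_IMSI = 1  # Subscription-Id-Type value defined in RFC 4006


def gx_ccr(session_id, imsi, ip):
    """Constructed Gx CCR-Initial, reduced to the AVPs the rule reads."""
    msg = {"Session-Id": session_id, "Called-Station-Id": "internet",
           "Framed-IP-Address": ip}
    if imsi:
        msg["Subscription-Id"] = [{"Subscription-Id-Type": END_USER_IMSI,
                                   "Subscription-Id-Data": imsi}]
    return msg


def extract_imsi(avps):
    """IMSI from the grouped Subscription-Id AVP, or None if absent."""
    for sub in avps.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data", "")
        if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                and data.isascii() and data.isdigit()):
            return data
    return None


def select_pool(avps):
    imsi = extract_imsi(avps)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            # Equal length makes the string comparison a numeric one.
            if len(imsi) == len(low) and low <= imsi <= high:
                return pool
    return DEFAULT_POOL  # AVP missing or IMSI not in range


def binding_key(avps):
    values = tuple(avps.get(name) for name in BINDING_KEY_AVPS)
    return None if None in values else values


class Router:
    def __init__(self):
        self.sessions = {}             # Session-Id -> (pool, peer)
        self.bindings = {}             # binding key -> master Session-Id
        self._turn = defaultdict(int)  # stand-in for the load balancer

    def _pick_peer(self, pool):
        peers = POOLS[pool]
        peer = peers[self._turn[pool] % len(peers)]
        self._turn[pool] += 1
        return peer

    def route_master(self, avps):
        """Gx: decide once at session establishment, then reuse the decision."""
        sid = avps["Session-Id"]
        if sid not in self.sessions:
            pool = select_pool(avps)
            self.sessions[sid] = (pool, self._pick_peer(pool))
            key = binding_key(avps)
            if key is not None:
                self.bindings[key] = sid
        return self.sessions[sid]

    def route_slave(self, avps):
        """Rx: inherit the master's destination through the binding key."""
        sid = avps["Session-Id"]
        if sid not in self.sessions:
            master = self.bindings.get(binding_key(avps))
            if master not in self.sessions:
                return None  # no master session to inherit from
            self.sessions[sid] = self.sessions[master]
        return self.sessions[sid]

    def end_master(self, sid):
        self.sessions.pop(sid, None)
        self.bindings = {k: v for k, v in self.bindings.items() if v != sid}
```

Dropping the binding when the Master Session ends matters in practice: a stale key would attach a later Rx session to a PCRF that no longer holds the Gx state for that Framed-IP-Address.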
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
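The By Precedence, Contextual and Weighted Round Robin policies described in this section, as an added example that is not SDC code. The peer names, the SHA-256 hash and the weighted slot list used for the Contextual policy are assumptions; plain Round Robin is the weighted form with every weight set to 1.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    weight: int = 1
    in_service: bool = True  # maintained by health monitoring / overload detection


def by_precedence(pool):
    """First in-service peer in pool order; a recovered peer is preferred again."""
    return next((p for p in pool if p.in_service), None)


def contextual(pool, context_id):
    """Map a Context ID (default: the Session-Id) onto the weighted available peers."""
    slots = [p for p in pool if p.in_service for _ in range(p.weight)]
    if not slots:
        return None
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


class WeightedRoundRobin:
    """Walk the pool in order, skipping peers that have used up their quota."""

    def __init__(self, pool):
        self.pool = pool
        self.sent = {p.name: 0 for p in pool}  # messages sent in this cycle
        self.index = 0                          # where the next walk starts

    def next_peer(self):
        live = [p for p in self.pool if p.in_service]
        if not live:
            return None
        if all(self.sent[p.name] >= p.weight for p in live):
            self.sent = dict.fromkeys(self.sent, 0)  # every quota used: new cycle
        size = len(self.pool)
        for step in range(size):
            peer = self.pool[(self.index + step) % size]
            if peer.in_service and self.sent[peer.name] < peer.weight:
                self.sent[peer.name] += 1
                self.index = (self.index + step + 1) % size
                return peer
        return None  # only reached when every live peer has weight 0


def sample_pool():
    """Constructed pool with the 3:2:1:1 weights of the page's sample."""
    return [Peer("A", 3), Peer("B", 2), Peer("C", 1), Peer("D", 1)]


def first_cycle():
    wrr = WeightedRoundRobin(sample_pool())
    return [wrr.next_peer().name for _ in range(7)]  # A B C D A B A
```

With the Contextual policy as sketched, taking a peer out of service changes the slot list, so some Context IDs move to another peer; the session persistence described for the routing decision is what keeps established sessions on their original peer.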
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
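The token bucket check and the channel and global limiters built on it, as an added example that is not SDC code. The class names, the rates, the burst size of one second of traffic and the returned decision strings are assumptions; time is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """Tokens refill at `rate` per second, up to `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), now

    def refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)

    def has(self, cost):
        return self.tokens >= cost


class ReadLimiter:
    """Per-channel message and byte limiters plus a global message limiter."""

    def __init__(self, peer_msgs, peer_bytes, global_msgs, pause_s):
        self.peer_msgs, self.peer_bytes = peer_msgs, peer_bytes
        self.pause_s = pause_s                 # how long reading stays stopped
        self.global_bucket = TokenBucket(global_msgs, global_msgs)
        self.channels = {}                     # peer -> (message bucket, byte bucket)
        self.peer_paused_until = {}
        self.all_paused_until = 0.0

    def offer(self, peer, size, now):
        """Decide for one message of `size` bytes: read it or stop reading."""
        if now < self.all_paused_until:
            return "all-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.channels:
            self.channels[peer] = (
                TokenBucket(self.peer_msgs, self.peer_msgs, now),
                TokenBucket(self.peer_bytes, self.peer_bytes, now),
            )
        msgs, octets = self.channels[peer]
        for bucket in (msgs, octets, self.global_bucket):
            bucket.refill(now)
        # A non-conforming message leaves every bucket unchanged.
        if not (msgs.has(1) and octets.has(size)):
            self.peer_paused_until[peer] = now + self.pause_s
            return "peer-paused"
        if not self.global_bucket.has(1):
            self.all_paused_until = now + self.pause_s
            return "all-paused"
        msgs.tokens -= 1
        octets.tokens -= size
        self.global_bucket.tokens -= 1
        return "read"


def run_sample():
    """Constructed arrivals: (peer, size in bytes, time in seconds)."""
    limiter = ReadLimiter(peer_msgs=5, peer_bytes=10_000, global_msgs=8, pause_s=2.0)
    arrivals = (
        [("mme1", 200, 0.0)] * 6      # sixth message exceeds the channel rate
        + [("mme2", 200, 0.0)] * 4    # fourth message exhausts the global rate
        + [("mme3", 200, 1.0),        # arrives while all channels are paused
           ("mme1", 200, 2.0),        # pause over, buckets refilled
           ("hss1", 20_000, 3.0)]     # larger than the byte bucket can ever hold
    )
    return [limiter.offer(peer, size, now) for peer, size, now in arrivals]
```

The last arrival shows a sizing constraint worth checking in any configuration: a byte burst smaller than the largest legitimate message means that message can never conform.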
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter header layout (each row covers bit offsets 0 to 31):
Bit offset | Fields
0          | version, message length
32         | R P E T, command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When prioritization is performed using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
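Classifying a message from the 20-byte header alone, following the table's columns, as an added example that is not SDC code. The two rules are constructed; the field widths and flag bits follow the Diameter base protocol, and 272 and 16777238 are the Credit-Control command code and the Gx application ID.

```python
import struct

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HEADER_LEN = 20
ANY = None  # "does not matter"

# Constructed priority table with the page's columns; first match wins.
PRIORITY_RULES = [
    # (is_answer, is_retransmit, command_code, application_id, priority)
    (True, ANY, 272, 16777238, "High"),  # Gx CCA: answers over requests
    (ANY, True, ANY, ANY, "High"),       # retransmitted messages (T bit set)
]


def parse_header(data):
    """Decode and sanity-check the fixed header; no AVP is touched."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hop_by_hop, end_to_end = struct.unpack(
        "!5I", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF   # 8 bits + 24 bits
    flags, command = word1 >> 24, word1 & 0xFFFFFF    # 8 bits + 24 bits
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return {
        "length": length,
        "is_answer": not flags & FLAG_R,   # R bit set means request
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": command,
        "application_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(data):
    """Return the priority of the first matching rule, else "Normal"."""
    hdr = parse_header(data)
    fields = (hdr["is_answer"], hdr["is_retransmit"],
              hdr["command_code"], hdr["application_id"])
    for *wanted, priority in PRIORITY_RULES:
        if all(w is ANY or w == f for w, f in zip(wanted, fields)):
            return priority
    return "Normal"


def build_header(flags, command, app_id, length=HEADER_LEN, hbh=1, e2e=1):
    """Build a constructed header for the samples below."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command,
                       app_id, hbh, e2e)


def classify_samples():
    gx, rx = 16777238, 16777236
    return [
        classify(build_header(FLAG_P, 272, gx)),                    # Gx CCA
        classify(build_header(FLAG_R | FLAG_P, 272, gx)),           # Gx CCR
        classify(build_header(FLAG_R | FLAG_P | FLAG_T, 272, gx)),  # retransmitted CCR
        classify(build_header(FLAG_P, 265, rx)),                    # Rx AAA
    ]
```

Because only fixed-offset fields are read, this classification costs the same for every message, which is the contrast the page draws with AVP-based prioritization.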
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the errors events exceeds the user configurable threshold the Diameter peer
server is considered ldquoout of servicerdquo for a certain time interval The time interval duration
is user configurable During the ldquoout of servicerdquo period the server does not handle new
Diameter sessions
9.6 External Monitoring
SDC provides the ability to add custom, proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other tests SDC performs when it attempts to send requests to Remote Nodes
and analyzes the responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI used to configure and
manage SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- The SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation
- The Config Manager process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33 Scalable Deployment Physical View
Figure 34 Scalable Deployment Logical View
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot-Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot-Standby deployment
In the Hot-Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture: Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using a Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture: Failure operation
To ease certain types of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = (10 / 1000) × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
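The CER-based ACCEPT/REJECT decision from section 11.5 and the maximal message length check from section 11.6 can be illustrated with a small parser. This is an added example, not SDC code or its policy language: the function names, the policy dictionary, the 4096-byte limit and the sample peer identities are assumptions, while the header and AVP layout and the AVP codes follow RFC 6733.

```python
import struct

CER = 257                                   # Capabilities-Exchange command code
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, PRODUCT_NAME = 264, 296, 258, 269
VENDOR_FLAG = 0x80                          # AVP carries a 4-byte Vendor-Id


def avp(code, data, flags=0x40):
    """Encode one AVP: code, flags, 24-bit length, data, padding to 4 bytes."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(host, realm, app_id, product="constructed-peer"):
    """Constructed sample CER carrying only the AVPs the policy inspects."""
    body = (avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
            + avp(AUTH_APP_ID, struct.pack("!I", app_id))
            + avp(PRODUCT_NAME, product.encode(), flags=0))
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + CER.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body


def parse_message(raw, max_len):
    """Return (command code, {avp code: [values]}) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 header")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message exceeds configured maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match received data")
    command = int.from_bytes(raw[5:8], "big")
    avps, pos = {}, 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, pos)
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if flags & VENDOR_FLAG else 8
        if avp_len < hdr or pos + avp_len > length:
            raise ValueError("AVP length out of bounds")
        if not flags & VENDOR_FLAG:         # policy below uses base AVPs only
            avps.setdefault(code, []).append(raw[pos + hdr:pos + avp_len])
        pos += avp_len + (-avp_len % 4)     # skip padding to next AVP
    return command, avps


def screen_cer(raw, policy, max_len=4096):
    """Decide ACCEPT or REJECT for a connection from its first message."""
    try:
        command, avps = parse_message(raw, max_len)
        if command != CER:
            return "REJECT", "first message is not a CER"
        host = avps[ORIGIN_HOST][0].decode("ascii").lower()
        realm = avps[ORIGIN_REALM][0].decode("ascii").lower()
    except ValueError as exc:               # includes UnicodeDecodeError
        return "REJECT", str(exc)
    except KeyError:
        return "REJECT", "Origin-Host or Origin-Realm missing"
    apps = {int.from_bytes(v, "big") for v in avps.get(AUTH_APP_ID, [])
            if len(v) == 4}
    if realm not in policy["realms"]:
        return "REJECT", "realm not allowed"
    if host not in policy["hosts"]:
        return "REJECT", "host not allowed"
    if not apps & policy["app_ids"]:
        return "REJECT", "no permitted application advertised"
    return "ACCEPT", host


# Constructed policy and peers; 16777251 is the 3GPP S6a application id.
POLICY = {"realms": {"operator.example"},
          "hosts": {"mme1.operator.example"},
          "app_ids": {16777251}}
GOOD_CER = build_cer("mme1.operator.example", "operator.example", 16777251)
ROGUE_CER = build_cer("mme9.other.example", "other.example", 16777251)

if __name__ == "__main__":
    for name, msg in (("good", GOOD_CER), ("rogue", ROGUE_CER)):
        print(name, screen_cer(msg, POLICY))
```

A production CER also carries Host-IP-Address, Vendor-Id and other mandatory AVPs; the sample omits them because the policy here does not inspect them.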
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after the Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: additional addresses per signaling interface are supported; multiple signaling interfaces are supported; multiple Networks and/or VLANs supported; IPv4 and IPv6 are supported; SCTP Multi-Homing supported; if the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration). Additional Management VIPs are supported; multiple addresses per blade are supported; multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface; additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses: 2 for Advanced Management Modules; 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Labels in Figure 58: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
2.3 Glossary of Terms and Abbreviations
Table 2: Glossary of Terms and Abbreviations

| Term | Definition |
|---|---|
| AAA | Authentication, Authorization and Accounting |
| AF | Application Function |
| Cluster | Group of nodes used to provide services as a single unit |
| Cluster Node | A node in the Cluster |
| CPF | Control Plane Function |
| Data Dictionary | Defines the format of a protocol's message and its validation parameters: structure, number of fields, data format, etc. |
| DRA | Diameter Routing Agent |
| EMS | Element Management System |
| FEP | Front End Proxy |
| HTTP | Hypertext Transfer Protocol |
| HSS | Home Subscriber Server |
| IMS | IP Multimedia Subsystem |
| JMS | Java Message Service |
| LDAP | Lightweight Directory Access Protocol |
| Link | The connection joint between the Cluster and Remote Nodes |
| LTE | Long Term Evolution |
| MME | Mobile Management Entity |
| NGN | Next Generation Networking |
| Node | Physical or virtual addressable entity |
| PCEF | Policy and Charging Enforcement Function |
| PCRF | Policy and Charging Rules Function; acts as decision point and enforces policy usage for subscribers |
| Peer | Physical or virtual addressable entity. A Client or Server Peer in the NGN network that provides or consumes AAA services |
| Pool | A group of server remote nodes |
| RADIUS | Remote Authentication Dial In User Service |
| Remote Node | A client or server node in the network that provides or consumes AAA services |
| Scenario | Logical policies of translation flow |
| SDC | Signaling Delivery Controller |
| SNMP | Simple Network Management Protocol |
| SS7 | Signaling System No. 7 |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| UDP | User Datagram Protocol |
| URI | Universal Resource Identification |
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost effectively, while increasing resiliency and reliability to support subscribers' ever-increasing service and broadband demands.
Figure 1: Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms and congestion control, provides unprecedented scalability and high-availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers gain multiple added-value benefits such as:
• Simple and transparent Diameter network configuration, administration and maintenance. Easy installation procedures with a user friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection and throttling mechanisms. Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms. Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after unhealthy server recovery, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting and customization. SDC provides full user control for definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or perform interaction with external systems while executing routing decisions. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy to deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility and help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2: End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment, SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and single point of attachment
between the partners. In Figure 2, edge network deployment is shown. In this deployment, SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes.
In this mode, SDC incorporates an IWF function as defined by 3GPP and supports DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter based network elements. In core network deployment, SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up of the Diameter based servers by using Diameter based, message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based, message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment, SDC can serve as Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3: SDC deployment as proxy in local mode
Figure 4: SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as single point of attachment for roaming partners, other service providers or IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment, SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment, SDC works as Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent, used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to, and receive information from, the EMS manager and Splunk components in the management site, to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. Upload of new data dictionaries is done at runtime and does not require software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S6a/S6d and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter based MME or SGSN using S6a/S6d, a Diameter based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
Figure 8: SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture from external clients and performs Peer management
• FEP-O: A single network aggregation point; hides the internal network architecture from external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements, arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
82 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa SDC provides full support for
adding modifying andor removing AVPs based on user configurable rules The rules are
implemented using smart decision grids and Groovy scripting language which provides
configuration flexibility and simple management
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow andor message type for example
Modification of Client initiated messages
bull Client-gtServer Request (such as CCR)
bull Client-gtServer Answer (such as RAA)
The message transformation process is shown in Figure 27
Figure 11: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
   using SOAP API to the SDC internal provisioning database. When a new Diameter
   session is established, SDC fetches the destination from its provisioning database.
   When provisioning routing entries, an expiry time can be set for the provisioned
   entries or they can be kept on a permanent basis.
   In addition to provisioning, SDC can calculate routing decisions or apply default
   decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
   new Diameter session's establishment, SDC will send a request to the location
   function. The request will include the query parameters and the response will
   contain the appropriate pool for the specific request. The query parameters are
   extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method
   implements the same logic as described above, but instead of sending requests to an
   external system, SDC performs a programmatic call to an external library integrated
   within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
   The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
   combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are routed using the routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-Directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
   In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
   Diameter client peer using the same Diameter Session-ID that was previously
   established by the Diameter client side. SDC routes the request to the client
   that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
   SDC accepts requests from different server peers as long as the requests share
   a Session-ID that was established by the client peer, as shown in the call flow
   depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
   In some cases the communication between the Diameter client and server peers
   is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
   To allow proper handling of out of session server initiated Diameter
   requests, SDC implements advanced routing rules that can be used by the user to
   define the required behavior. In case no rule is set, SDC sends the request to a
   client based on the request's Destination-Host AVP. This behavior is shown
   in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
  grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
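The IMSI-range rule from the routing example and the Gx/Rx binding by Framed-IP-Address described earlier can be modelled together. The following Python sketch is an added illustration, not SDC code or the Groovy script from the figures; the IMSI ranges, peer names and the Router class are constructed assumptions, while the pool names come from the text.

```python
from dataclasses import dataclass, field

# Constructed IMSI ranges (assumption); pool names are the ones used in the text.
IMSI_RULES = [
    (310150000000000, 310150499999999, "pcrf-cluster-a"),
    (310150500000000, 310150999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"

# Constructed pool membership with hypothetical peer names.
POOLS = {
    "pcrf-cluster-a": ["pcrf-a1", "pcrf-a2"],
    "pcrf-cluster-b": ["pcrf-b1"],
    "default": ["pcrf-d1"],
}


def select_pool(avps):
    """Pick a pool from Subscription-Id-Data; missing or out-of-range -> default."""
    subscription = avps.get("Subscription-Id") or {}
    imsi = subscription.get("Subscription-Id-Data")
    if imsi is None or not str(imsi).isdigit():
        return DEFAULT_POOL
    value = int(imsi)
    for low, high, pool in IMSI_RULES:
        if low <= value <= high:
            return pool
    return DEFAULT_POOL


@dataclass
class Router:
    sessions: dict = field(default_factory=dict)  # Session-Id -> selected peer
    bindings: dict = field(default_factory=dict)  # binding key -> master's peer
    _next: dict = field(default_factory=dict)     # pool -> round-robin index

    def _pick_peer(self, pool):
        peers = POOLS[pool]
        index = self._next.get(pool, 0)
        self._next[pool] = (index + 1) % len(peers)
        return peers[index]

    def route(self, interface, session_id, avps):
        # The decision is taken once, at session establishment, then reused.
        if session_id in self.sessions:
            return self.sessions[session_id]
        key = avps.get("Framed-IP-Address")
        if interface == "Rx" and key in self.bindings:
            peer = self.bindings[key]        # slave session inherits the master's peer
        else:
            peer = self._pick_peer(select_pool(avps))
            if interface == "Gx" and key is not None:
                self.bindings[key] = peer    # master session publishes its binding key
        self.sessions[session_id] = peer
        return peer
```

An Rx session whose Framed-IP-Address matches no Gx binding falls through to the ordinary rule set, which here means the "default" pool.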
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients/Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
  resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
  limiting the number of requests pending answers per destination peer or group of
  destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
  allocation, e.g. controlling the incoming message/traffic rate or bounding the
  incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit on and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)        Is Retransmit (T bit)    Command code                      Application ID                    Priority
yes/no/does not matter   yes/no/does not matter   24 bit integer/does not matter    32 bit integer/does not matter    High/Normal

Diameter message header layout (32 bits per row):
Bit offset   Bits 0-7      Bits 8-31
0            version       message length
32           R P E T       command code
64           application ID
96           hop-by-hop ID
128          end-to-end ID
160          AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have impact of up to 5 on the latency.
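Header-based prioritization only needs the fixed 20-byte Diameter header, which is why it is cheaper than AVP inspection. The following Python sketch is an added illustration, not SDC code; the rule rows, the helper names and the sample headers are constructed, while the header layout and the command code and application ID values follow the Diameter specifications.

```python
import struct

HEADER_LEN = 20
FLAG_R = 0x80  # request bit; a cleared R bit marks an answer
FLAG_T = 0x10  # potentially retransmitted message


def parse_header(data):
    """Validate and decode the fixed Diameter header."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, _hop_by_hop, _end_to_end = struct.unpack(
        "!5I", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    flags = word1 >> 24
    return {
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": word1 & 0xFFFFFF,
        "application_id": app_id,
        "length": length,
    }


# Constructed priority table; None means "does not matter".
# Columns: is_answer, is_retransmit, command_code, application_id, priority
RULES = [
    (True, None, 272, None, "High"),       # Credit-Control answers (CCA over CCR)
    (None, True, None, None, "High"),      # messages with the T bit set
    (None, None, None, 16777238, "High"),  # Gx application (Gx over Rx)
]


def classify(data, rules=RULES):
    """Return the priority of the first matching rule, or Normal if none match."""
    hdr = parse_header(data)
    key = (hdr["is_answer"], hdr["is_retransmit"],
           hdr["command_code"], hdr["application_id"])
    for *match, priority in rules:
        if all(want is None or want == got for want, got in zip(match, key)):
            return priority
    return "Normal"


def build_header(flags, command_code, application_id, length=HEADER_LEN):
    """Constructed sample header: version 1, fixed hop-by-hop and end-to-end IDs."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command_code,
                       application_id, 0x11111111, 0x22222222)
```

Malformed headers raise ValueError before any rule is evaluated, so a peer cannot obtain a priority level with a message that fails basic length or version checks.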
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
  distribution service that is responsible for the distribution of the configuration to all
  SDC nodes within the cluster. It also provides auditing, backup and restore
  functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
  manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
  automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
[Diagram labels: Management Console (HTTPS web access), Configuration Manager, Provisioning Interface (SOAP web service), Fault and Performance Manager, Security and Administration Manager, CLI, SNMP/Syslog, AMM, SDC Core, SDC Node, Blade Server]
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by the OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View
[Diagram labels: "Scalable Mode" SDC Node (12 blades); SDC Blades 1 to 12, each with SDC Engine; VIP (Active) on Blade 1 and VIP (Standby) on other blades; Web Interface, Config Mgr and Distributed Storage; Clients Backbone, Servers Backbone, External Network, Interconnect, Management Network]
Figure 34: Scalable Deployment Logical View
[Diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients, Servers]
Figure 35: Main Software Processes
[Diagram labels: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
[Diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer, Management Workstation]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
[Diagram labels: three SDC nodes with Physical IPs, Diameter VIP and Management VIP; Configuration Manager and Web UI WS; Session Replication; Client; Management Workstation; flow steps 1, 2 and 3]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using a Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
[Diagram labels: three SDC nodes with Physical IPs, Diameter VIP and Management VIP; Configuration Manager and Web UI WS; Session Replication; Client; Management Workstation; flow steps 1, 2 and 3]
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides a fast response to any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris: IPMP ICMP Probe IP Address monitoring; Linux: Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
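The CER screening described in 11.5, combined with the maximal-length enforcement from 11.6, can be illustrated as follows. This is an added example and not SDC code: the command and AVP codes are those of the Diameter base protocol (RFC 6733), while the ACL rule format, `MAX_MESSAGE_LEN`, the sample realm and the use of Product-Name for the page's "product-type" criterion are assumptions.

```python
import ipaddress
import struct

CER = 257                              # Capabilities-Exchange command code
ORIGIN_HOST, ORIGIN_REALM = 264, 296   # base-protocol AVP codes
AUTH_APP_ID, PRODUCT_NAME = 258, 269
MAX_MESSAGE_LEN = 4096                 # assumed operator limit, not an SDC default


class Malformed(ValueError):
    pass


def avp(code, data, flags=0x40):
    """Encode one base-protocol AVP (no Vendor-Id), padded to 32 bits."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(host, realm, app_ids, product):
    """Construct a sample CER; only used to produce test input."""
    body = avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
    body += b"".join(avp(AUTH_APP_ID, struct.pack("!I", a)) for a in app_ids)
    body += avp(PRODUCT_NAME, product.encode(), flags=0)
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + CER.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body


def parse(raw, max_len=MAX_MESSAGE_LEN):
    """Validate the header and every AVP length before trusting any content."""
    if len(raw) < 20 or raw[0] != 1:
        raise Malformed("not a Diameter version 1 header")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:               # checked before the body is examined
        raise Malformed("message exceeds maximum length")
    if length != len(raw) or length % 4:
        raise Malformed("length field does not match received bytes")
    avps, off = {}, 20
    while off < length:
        if off + 8 > length:
            raise Malformed("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        a_len = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8          # V flag adds a Vendor-Id field
        if a_len < hdr or off + a_len > length:
            raise Malformed("AVP length out of bounds")
        vendor = struct.unpack_from("!I", raw, off + 8)[0] if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(raw[off + hdr:off + a_len])
        off += a_len + (-a_len % 4)
    return {"request": bool(raw[4] & 0x80),
            "code": int.from_bytes(raw[5:8], "big"), "avps": avps}


# Constructed ACL: first match wins, anything unmatched is rejected.
ACL = [
    {"action": "REJECT", "product": "legacy-gw"},
    {"action": "ACCEPT", "subnet": "10.20.0.0/16",
     "realm": "epc.example.net", "app_id": 16777251},
]


def first_text(avps, code):
    values = avps.get((0, code))
    return values[0].decode("ascii", "replace").lower() if values else None


def evaluate_cer(raw, peer_ip, acl=ACL):
    """Return (decision, reason) for the first message on a new connection."""
    try:
        msg = parse(raw)
    except Malformed as exc:
        return "REJECT", str(exc)
    if msg["code"] != CER or not msg["request"]:
        return "REJECT", "first message is not a CER"
    avps = msg["avps"]
    host, realm = first_text(avps, ORIGIN_HOST), first_text(avps, ORIGIN_REALM)
    if not host or not realm:
        return "REJECT", "missing Origin-Host or Origin-Realm"
    apps = {int.from_bytes(v, "big")
            for v in avps.get((0, AUTH_APP_ID), []) if len(v) == 4}
    facts = {"realm": realm, "product": first_text(avps, PRODUCT_NAME)}
    ip = ipaddress.ip_address(peer_ip)
    for n, rule in enumerate(acl):
        ok = all(facts[k] == rule[k] for k in ("realm", "product") if k in rule)
        ok = ok and ("subnet" not in rule or ip in ipaddress.ip_network(rule["subnet"]))
        ok = ok and ("app_id" not in rule or rule["app_id"] in apps)
        ok = ok and ("host_suffix" not in rule or host.endswith(rule["host_suffix"]))
        if ok:
            return rule["action"], f"rule {n}"
    return "REJECT", "default deny"
```

The source address is taken from the transport connection rather than from the Host-IP-Address AVP, because AVP content is supplied by the peer and cannot be trusted for an address-based rule.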
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture
[Diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (external ports 10 x 10GbE + 1 x 1GB); L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND; Interswitch Links; connections to upstream Routers; Virtual IPs for SCTP and TCP, doubled per Internal and External Networks]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission- and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role- and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table. Legend: Message Flow, Decision Flow, Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
• Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
• Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
• Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
| Term | Definition |
|---|---|
| SNMP | Simple Network Management Protocol |
| SS7 | Signaling System No. 7 |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| UDP | User Datagram Protocol |
| URI | Universal Resource Identification |
3 Introduction to SDC
F5’s Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform that provides a flexible and robust solution for the emerging control plane connectivity challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume of signaling traffic and the complexity of connectivity and signaling in LTE and IMS networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE and IMS networks, supporting millions of concurrent sessions and hundreds of millions of subscribers. The SDC solution centralizes signaling and Diameter routing, traffic management and load balancing tasks to scale and grow IMS and LTE networks incrementally and cost effectively, while increasing resiliency and reliability to support subscribers’ ever increasing service and broadband demands.
Figure 1 Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which allows definition and execution of different routing policies that simplify the control plane network management. The routing engine, together with the advanced load balancing algorithms, fast failback detection, failover mechanisms and congestion control, provides unprecedented scalability and high-availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers gain multiple added-value benefits such as:
• Simple and transparent Diameter network configuration, administration and maintenance. Easy installation procedures with a user friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator’s efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection and throttling mechanisms. Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms. Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting and customization. SDC provides full user control over the definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or perform interaction with external systems while executing a routing decision. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy to deploy solution to the most challenging control plane connectivity issues.
SDC is the market’s only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility and help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC’s deployment modes are depicted in Figure 2.
Figure 2 End to end Diameter Architecture
[Diagram labels: SDC; IPX-A, IPX-B; PLMN-A, PLMN-B, PLMN-C; MVNO-B-A, MVNO-B-B; HSS, MME, SGSN, AF, PCRF, GGSN, OCS; DRA; S6a/d and Sh Proxy; Gy/Ro Proxy; DEA]
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider’s needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF. SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. In Figure 2, edge network deployment is shown. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider. SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes. In this mode SDC incorporates an IWF function as defined by 3GPP and supports the DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter-based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up of the Diameter-based servers by using Diameter-based, message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based, message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Performs message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
• Serves as an IWF function defined by 3GPP standards (29.805 and 29.305)
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator’s network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to and receive information from the EMS manager and Splunk components in the management site to create an overview of the deployment’s performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP’, SS7, MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S6a/S6d and a MAP-based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter-based MME or SGSN using S6a/S6d, a Diameter-based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP-based roaming agreement.
o IMEI check – an S13/S13’ - Gf interworking scenario with one IWF
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S13/S13’ and a MAP-based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
Figure 8 SDC Platform Architecture
[Diagram labels: HA Cluster; Config Mgr; Shared Memory; CPF (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services. CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
As noted above, the FEP and CPF nodes share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers’ state machines and for maintaining and configuring the connections.
As FEP is the connection point and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; the requirement to maintain a complex network with multiple links therefore becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point that hides the internal network architecture from external clients and performs Peer management
• FEP-O: A single network aggregation point that hides the internal network architecture from external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination’s format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
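The two-level check described in this section, as an added example that is not F5/Traffix code: a wildcard IP ACL is applied first, then the Origin-Host and Origin-Realm AVPs of the first Diameter request (the Capabilities-Exchange-Request) are matched against application-level rules. The rule formats, function names and sample peers are assumptions; the message layout follows the Diameter base protocol (RFC 3588/6733).

```python
# Added example, not F5/Traffix code. Rule formats and all sample values are
# constructed assumptions; the wire layout follows the Diameter base protocol.
import struct
from fnmatch import fnmatchcase

CER, REQUEST_FLAG, VENDOR_FLAG = 257, 0x80, 0x80
ORIGIN_HOST, ORIGIN_REALM = 264, 296

# IP level: ordered wildcard ACL, first match wins, implicit deny.
IP_ACL = [("10.20.30.*", "permit"), ("10.20.*", "deny")]
# Application level: (Origin-Host pattern, Origin-Realm pattern) accepted in a CER.
CER_RULES = [("*.epc.partner.example", "epc.partner.example")]


class Reject(Exception):
    """Carries the reason a peer is refused."""


def ip_permitted(ip, acl=IP_ACL):
    for pattern, action in acl:
        if fnmatchcase(ip, pattern):
            return action == "permit"
    return False


def parse_diameter(msg):
    """Return (command_code, is_request, {(vendor_id, avp_code): [data, ...]})."""
    if len(msg) < 20:
        raise Reject("short header")
    length = int.from_bytes(msg[1:4], "big")
    if msg[0] != 1 or length != len(msg) or length % 4:
        raise Reject("bad header")
    avps, off = {}, 20
    while off < length:
        if length - off < 8:
            raise Reject("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        avp_len = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & VENDOR_FLAG else 8
        if avp_len < hdr or off + avp_len > length:
            raise Reject("bad AVP length")
        vendor = struct.unpack_from("!I", msg, off + 8)[0] if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(msg[off + hdr:off + avp_len])
        off += (avp_len + 3) & ~3  # AVPs are padded to a 32-bit boundary
    return int.from_bytes(msg[5:8], "big"), bool(msg[4] & REQUEST_FLAG), avps


def identity(avps, code):
    values = avps.get((0, code), [])
    if len(values) != 1:
        raise Reject("AVP %d must appear exactly once" % code)
    try:
        return values[0].decode("ascii").lower()
    except UnicodeDecodeError:
        raise Reject("non-ASCII identity")


def admit(peer_ip, first_msg):
    """Apply the IP rule, then the application rule on the first request."""
    if not ip_permitted(peer_ip):
        raise Reject("IP ACL")
    code, is_request, avps = parse_diameter(first_msg)
    if code != CER or not is_request:
        raise Reject("first message is not a CER")
    host, realm = identity(avps, ORIGIN_HOST), identity(avps, ORIGIN_REALM)
    if not any(fnmatchcase(host, h) and fnmatchcase(realm, r) for h, r in CER_RULES):
        raise Reject("Origin-Host/Origin-Realm not allowed")
    return host, realm


def decision(peer_ip, first_msg):
    try:
        return "accept %s (%s)" % admit(peer_ip, first_msg)
    except Reject as why:
        return "reject: %s" % why


def avp(code, data, flags=0x40):  # 0x40 = Mandatory bit
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def message(code, flags, *avps):
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + body)


# Constructed sample messages.
GOOD_CER = message(CER, REQUEST_FLAG, avp(ORIGIN_HOST, b"mme1.epc.partner.example"),
                   avp(ORIGIN_REALM, b"epc.partner.example"))
SPOOFED = message(CER, REQUEST_FLAG, avp(ORIGIN_HOST, b"hss.home.example"),
                  avp(ORIGIN_REALM, b"home.example"))

if __name__ == "__main__":
    for ip, msg in [("10.20.30.5", GOOD_CER), ("10.20.99.5", GOOD_CER),
                    ("10.20.30.5", SPOOFED), ("10.20.30.5", GOOD_CER[:-3])]:
        print(ip, "->", decision(ip, msg))
```

A peer that passes the IP rule is still refused when its CER claims an identity outside the allowed patterns, and malformed length fields are rejected before any AVP is trusted.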
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11 A 4 Way Message Transformation
[Diagram labels: Client Peer; Transformation Engine; Server Peer; Request and Response shown for both the Client→Server and Client←Server directions]
As seen in the above figure, SDC provides flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service providers with flexibility to implement different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request source and other properties, to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session is established, SDC sends a request to the location
function. The request includes the query parameters, and the response
contains the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd-party library integrated with SDC. This method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client 1, HTTP Client 1,
Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of an out of session, server initiated Diameter
request, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
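The IMSI-range rule described above can be sketched as follows. This is an added example, not SDC code or the rule from Figure 20: the IMSI ranges are constructed, the function names are hypothetical, and treating a malformed AVP buffer as a missing AVP is an assumption of the sketch. The AVP codes are those of RFC 4006.

```python
import struct

# AVP codes and the IMSI type value are from RFC 4006 (Diameter Credit-Control).
AVP_SUBSCRIPTION_ID = 443        # Grouped
AVP_SUBSCRIPTION_ID_DATA = 444   # UTF8String
AVP_SUBSCRIPTION_ID_TYPE = 450   # Enumerated
END_USER_IMSI = 1

# Constructed ranges for illustration; the real ones live in the routing rule.
IMSI_RANGES = [
    (425010000000000, 425014999999999, "pcrf-cluster-a"),
    (425015000000000, 425019999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)                      # length excludes the padding
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + data + b"\x00" * (-length % 4)


def build_subscription_id(value, sub_type=END_USER_IMSI):
    """Constructed sample input: a grouped Subscription-Id AVP."""
    inner = encode_avp(AVP_SUBSCRIPTION_ID_TYPE, struct.pack("!I", sub_type))
    inner += encode_avp(AVP_SUBSCRIPTION_ID_DATA, value.encode("ascii"))
    return encode_avp(AVP_SUBSCRIPTION_ID, inner)


def iter_avps(buf):
    """Yield (code, data) per AVP; raise ValueError on a malformed buffer."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, offset)
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        header = 12 if flags & 0x80 else 8      # V bit adds a 4-byte Vendor-Id
        if length < header or offset + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[offset + header:offset + length]
        offset += length + (-length % 4)        # skip padding to the next AVP


def extract_imsi(avps):
    """Return the IMSI digits from Subscription-Id, or None if absent."""
    for code, data in iter_avps(avps):
        if code != AVP_SUBSCRIPTION_ID:
            continue
        sub_type = sub_data = None
        for inner_code, inner in iter_avps(data):
            if inner_code == AVP_SUBSCRIPTION_ID_TYPE and len(inner) == 4:
                sub_type = struct.unpack("!I", inner)[0]
            elif inner_code == AVP_SUBSCRIPTION_ID_DATA:
                sub_data = inner
        if sub_type == END_USER_IMSI and sub_data is not None:
            if sub_data.isdigit() and len(sub_data) <= 15:
                return sub_data.decode("ascii")
    return None


def select_pool(avps):
    """Pick the PCRF pool for a new Gx session from its request AVPs."""
    try:
        imsi = extract_imsi(avps)
    except ValueError:
        imsi = None          # assumption: malformed input is treated as missing
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= int(imsi) <= high:
                return pool
    return DEFAULT_POOL
```

A Subscription-Id of another type (for example E.164) or a truncated buffer falls through to the "default" pool, so a crafted request cannot steer itself into a PCRF cluster by omitting or corrupting the AVP.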
Alternatively, the Routing Rule can query an external data source - as shown in Figure 21 -
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram: clients reach SDC through the Internet and a router;
traffic is contextually distributed to the remote peers according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram: the Transformation Engine sits between
the Client Peer and the Server Peer and handles requests and responses in both directions,
Client->Server and Client<-Server)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate, or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
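The token bucket check and the channel and global limiters described above can be sketched together as follows. This is an added example, not SDC's implementation: the class names, the one-second burst size, the use of token buckets to stand in for the rate estimation, and the sample rates are assumptions, and the clock is passed in so the behaviour is reproducible.

```python
class TokenBucket:
    """Holds up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), now

    def conforms(self, cost, now):
        """Refill for elapsed time, then report whether `cost` tokens exist."""
        elapsed = max(0.0, now - self.stamp)    # ignore a clock that steps back
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message and byte rate limiters, per channel (peer) and global."""

    def __init__(self, channel_limits, global_limits, pause, now=0.0):
        # Limits are (messages_per_second, bytes_per_second); burst = 1 second.
        self.channel_limits = channel_limits
        self.pause = pause                  # how long to stop reading, seconds
        self.channels = {}                  # peer -> (msg bucket, byte bucket)
        self.paused_until = {}              # peer -> time reading may resume
        self.global_buckets = self._pair(global_limits, now)
        self.global_paused_until = 0.0

    @staticmethod
    def _pair(limits, now):
        msgs, octets = limits
        return TokenBucket(msgs, msgs, now), TokenBucket(octets, octets, now)

    @staticmethod
    def _conforms(pair, size, now):
        msg_ok = pair[0].conforms(1, now)       # message rate limiter
        byte_ok = pair[1].conforms(size, now)   # byte rate limiter
        return msg_ok and byte_ok

    def admit(self, peer, size, now):
        """Return 'read', 'channel-paused' or 'global-paused' for one message."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.paused_until.get(peer, 0.0):
            return "channel-paused"
        if peer not in self.channels:
            self.channels[peer] = self._pair(self.channel_limits, now)
        channel = self.channels[peer]
        if not self._conforms(channel, size, now):
            self.paused_until[peer] = now + self.pause
            return "channel-paused"
        if not self._conforms(self.global_buckets, size, now):
            self.global_paused_until = now + self.pause
            return "global-paused"
        # Tokens are removed only when every bucket conforms, so a rejected
        # message leaves all bucket contents unchanged.
        for bucket, cost in ((channel[0], 1), (channel[1], size),
                             (self.global_buckets[0], 1),
                             (self.global_buckets[1], size)):
            bucket.take(cost)
        return "read"


def replay(limiter, events):
    """Run constructed (time, peer, size) events and collect the verdicts."""
    return [limiter.admit(peer, size, now) for now, peer, size in events]
```

In real use `now` would come from a monotonic clock, and `channels` would be keyed by established peer connections so that the table stays bounded.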
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header - R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)       | Is Retransmit (T bit)   | Command code                    | Application ID                  | Priority
yes/no/does not matter  | yes/no/does not matter  | 24 bit integer/does not matter  | 32 bit integer/does not matter  | High/Normal

Bit offset | Bits 0-31
0          | version, message length
32         | R P E T, command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5 on the latency.
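Header-based prioritization as described above can be sketched as follows. This is an added example, not SDC code: the priority rows are constructed from the examples in this section (CCA over CCR, Gx over Rx, the T bit), the function names are hypothetical, and first-match-wins ordering is an assumption. In the Diameter header the R bit is set on requests, so "Is Answer" means the R bit is clear.

```python
import struct

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10      # R: request, T: potentially retransmitted
ANY = None                       # "does not matter" in the priority table

# Constructed priority table: (is_answer, is_retransmit, command code,
# application ID, priority). First matching row wins.
CREDIT_CONTROL, GX_APP = 272, 16777238
PRIORITY_TABLE = [
    (True, ANY, CREDIT_CONTROL, ANY, "High"),   # CCA over CCR
    (ANY, ANY, ANY, GX_APP, "High"),            # Gx over Rx
    (ANY, True, ANY, ANY, "High"),              # retransmissions (T bit set)
]
DEFAULT_PRIORITY = "Normal"


def build_header(flags, command_code, application_id, length=HEADER_LEN,
                 version=1, hop_by_hop=1, end_to_end=1):
    """Constructed sample input: a 20-byte Diameter header."""
    return (struct.pack("!B", version) + length.to_bytes(3, "big")
            + struct.pack("!B", flags) + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end))


def parse_header(buf):
    """Decode the fixed header; raise ValueError if it is not well formed."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    version, flags = buf[0], buf[4]
    length = int.from_bytes(buf[1:4], "big")
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("bad message length")
    return {
        "is_answer": not flags & FLAG_R,        # the R bit is set on requests
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": int.from_bytes(buf[5:8], "big"),
        "application_id": struct.unpack_from("!I", buf, 8)[0],
    }


def classify(buf):
    """Return the priority of one message from its header fields only."""
    header = parse_header(buf)
    fields = (header["is_answer"], header["is_retransmit"],
              header["command_code"], header["application_id"])
    for *pattern, priority in PRIORITY_TABLE:
        if all(want is ANY or want == got for want, got in zip(pattern, fields)):
            return priority
    return DEFAULT_PRIORITY
```

Because only the first 20 bytes are read, the classification cost is constant per message, which is why header-based prioritization avoids the latency impact of inspecting AVPs.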
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify an overload
condition or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, HTTPS WEB
Access, Configuration Manager, Web Service Provisioning Interface (SOAP), Web Service SOAP
XML, SDC Core, SDC Blade Server, SDC Node, OAM, SNMP, Syslog, Fault and Performance
Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate action in case of a fatal fault (for example, restart the Diameter Router
instance if it does not respond for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration to the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM supports backup and restore of the configuration. Using this feature, it is
possible to restore the configuration to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resource
management in the solution
- SDC core process is responsible for processing of Diameter or other
message-oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Figure 33 diagram labels: "Scalable Mode" SDC node (12 blades); clients backbone (Client 1 to Client K); servers backbone (Server 1 to Server M); external network, interconnect and management network; per-blade components SDC Engine, VIP (Active/Standby), Web Interface, Config Mgr and Distributed Storage.]
Figure 33 Scalable Deployment Physical View
[Figure 34 diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engines; FEP-I (IPSEC), FEP-I (TCP); FEP-O (SCTP), FEP-O (TCP); Web UI; SOAP; clients and servers.]
Figure 34 Scalable Deployment Logical View
[Figure 35 diagram labels: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent.]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides on the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node, while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure 36 diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI / WS, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer and Management Workstation.]
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Figure 37 diagram labels: three nodes, each with SDC, Diameter VIP, Management VIP and a physical IP; Web UI / WS and Configuration Manager on two of the nodes; Session Replication; Client 1; Management Workstation; flow steps 1, 2 and 3.]
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP address.
b. The floating IP address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP address are managed by the cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a reply is sent to the client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure 38 diagram labels: three nodes, each with SDC, Diameter VIP, Management VIP and a physical IP; Web UI / WS and Configuration Manager on two of the nodes; Session Replication; Client 1; Management Workstation; flow steps 1, 2 and 3.]
Figure 38 Scalable N+K HA architecture Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides a fast response to any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in
both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and
Figure 41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
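The CER-based ACCEPT/REJECT decision from the Diameter connection security section and the length enforcement and AVP screening described here, sketched in Python as an added example (this is not SDC code and does not use the SDC policy interface). The 4096-byte limit, the rule format, the function names and the HMAC-derived alias used as the anonymization technique are assumptions made for illustration; the sample messages are constructed and simplified.

```python
import hashlib
import hmac
import ipaddress
import struct

# AVP and command codes from RFC 6733; 16777251 is the 3GPP S6a application id.
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, ROUTE_RECORD = 264, 296, 258, 282
CMD_CER, APP_S6A = 257, 16777251
MAX_MSG_LEN = 4096  # assumed operator limit, not an SDC default


def avp(code, data, flags=0x40):
    """Encode one non-vendor AVP, padded to a 4-byte boundary."""
    length = 8 + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + data + b"\x00" * (-length % 4)


def message(cmd, app_id, avps, flags=0x80):
    """Encode a Diameter message (hop-by-hop and end-to-end ids fixed at 1)."""
    body = b"".join(avps)
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
    return head + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body


def parse(raw, max_len=MAX_MSG_LEN):
    """Return (command, [(code, flags, data, wire_bytes)]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds the enforced maximum length")
    if declared != len(raw) or declared % 4:
        raise ValueError("length field does not match the bytes received")
    avps, off = [], 20
    while off < len(raw):
        if off + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit set: 4-byte Vendor-Id follows
        if alen < hdr or off + alen > len(raw):
            raise ValueError("AVP length out of bounds")
        end = off + alen + (-alen % 4)
        avps.append((code, flags, raw[off + hdr:off + alen], raw[off:end]))
        off = end
    return int.from_bytes(raw[5:8], "big"), avps


def cer_acl(raw, peer_ip, rules):
    """Decide ACCEPT/REJECT for a new connection from its CER; default is REJECT."""
    try:
        cmd, avps = parse(raw)
    except ValueError:
        return "REJECT"
    hosts = [d for c, _, d, _ in avps if c == ORIGIN_HOST]
    realms = [d for c, _, d, _ in avps if c == ORIGIN_REALM]
    apps = {int.from_bytes(d, "big") for c, _, d, _ in avps if c == AUTH_APP_ID}
    if cmd != CMD_CER or len(hosts) != 1 or len(realms) != 1:
        return "REJECT"  # wrong command, or missing/duplicated identity AVPs
    addr = ipaddress.ip_address(peer_ip)
    for rule in rules:  # first matching rule wins
        if (addr in ipaddress.ip_network(rule["subnet"])
                and realms[0].decode("ascii", "replace") == rule["realm"]
                and apps & rule["apps"]):
            return rule["action"]
    return "REJECT"


def screen(raw, key, drop=(ROUTE_RECORD,), pseudonymize=(ORIGIN_HOST,)):
    """Strip AVPs in `drop` and replace AVPs in `pseudonymize` with a keyed alias."""
    _, avps = parse(raw)
    out = []
    for code, flags, data, wire in avps:
        if code in drop:
            continue
        if code in pseudonymize and not flags & 0x80:
            tag = hmac.new(key, data, hashlib.sha256).hexdigest()[:16]
            wire = avp(code, f"node-{tag}.hidden.example".encode(), flags)
        out.append(wire)
    body = b"".join(out)
    # Rebuild the header with the new length; flags, command and ids are kept.
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body


# Constructed samples (not captured traffic): a CER and an S6a request (command 316).
SAMPLE_CER = message(CMD_CER, 0, [
    avp(ORIGIN_HOST, b"mme01.epc.example"),
    avp(ORIGIN_REALM, b"epc.example"),
    avp(AUTH_APP_ID, struct.pack("!I", APP_S6A)),
])
SAMPLE_REQ = message(316, APP_S6A, [
    avp(ORIGIN_HOST, b"hss-blade7.core.example"),
    avp(ORIGIN_REALM, b"core.example"),
    avp(ROUTE_RECORD, b"dra2.core.example"),
])
RULES = [{"subnet": "10.20.0.0/16", "realm": "epc.example",
          "apps": {APP_S6A}, "action": "ACCEPT"}]
```

The keyed alias is stable for a given key, so the same internal host always maps to the same external name while the real name never leaves the node.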
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1,
February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of switch modules
(one pair for signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution is done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs are not dependent on each other
[Figure 43 diagram labels: Blade Chassis with three SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (external ports 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND; interswitch links; connections to upstream routers; Virtual IPs for SCTP and TCP (all VIPs are doubled per internal and external networks).]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection | One IP Address per hardware blade plus
one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup
Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6)
IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console; Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH; SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console; SNMP; SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
Figure 58 Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
[Figure 58 diagram labels, in page order: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high-capacity, high-performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
3 Introduction to SDC
F5's Traffix Signaling Delivery Controller (SDC) is a uniform, modular signaling platform
that provides a flexible and robust solution for the emerging control plane connectivity
challenges. The SDC is shown in Figure 1.
The SDC was designed to meet the demanding requirements posed by the growing volume
of signaling traffic and the complexity of connectivity and signaling in LTE and IMS
networks, with advanced Diameter Gateway, Diameter Load Balancer and Diameter Router
solutions consolidated on a single unified platform.
The SDC enables service providers to scale and manage services and applications in LTE
and IMS networks, supporting millions of concurrent sessions and hundreds of millions of
subscribers. The SDC solution centralizes signaling and Diameter routing, traffic
management and load balancing tasks to scale and grow IMS and LTE networks
incrementally and cost effectively, while increasing resiliency and reliability to support
subscribers' ever increasing service and broadband demands.
Figure 1 Traffix Signaling Delivery Controller
The core functionality of SDC is based on a powerful contextual routing engine, which
allows definition and execution of different routing policies that simplify the control plane
network management. The routing engine, together with the advanced load balancing
algorithms, fast failback detection, failover mechanisms and congestion control, provides
unprecedented scalability and high availability of Diameter and other nodes.
When deploying SDC between LTE, IMS and legacy network elements, service providers
gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration and
maintenance. Easy installation procedures with a user-friendly GUI make SDC fast
to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to
configure and modify. Automatic cluster detection and a secure configuration
replication among parallel cluster nodes reduce the administrator's efforts to a
minimum.
• Comprehensive network management using the Diameter contextual routing engine,
which reduces and centralizes the routing logic and relieves Diameter nodes of
handling this logic.
• Congestion control for Diameter servers using advanced in-band health
monitoring, overload detection and throttling mechanisms. Using the health
monitoring mechanisms, SDC manages back-end failures and reduces the risk of
unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS)
using Layer 4-7 load balancing algorithms and fast failover detection and failback
mechanisms. Combined with congestion control mechanisms, SDC assures that
signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it
is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting and customization. SDC provides full user
control over the definition of routing and transformation script rules using the Java-
based Groovy scripting language. Using this flexible scripting, SDC can detect
errors in messages or interact with external systems while executing a
routing decision. When interaction with external systems is required, SDC can be
integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based
functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter. To avoid Denial of Service
and Distributed Denial of Service attacks, SDC runs different heuristics to protect
the system from overrun attempts and invalid requests. It also controls and fine-
tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance. The management console allows real
time performance visualization and monitoring of SDC internals and back-end
servers. The performance counters are also available through multiple methods that
allow import to external monitoring systems.
• Carrier grade product using off the shelf hardware. SDC supports front-end
failover using multiple Virtual IPs. Using multi-threading and internal load
balancing, the SDC performance scales linearly with the number of cores/processors
and the number of SDC blades. The scale out ability protects SDC and the signaling
network from multiple compound failures.
• Centralized Management. In multi-site deployments, the Element Management
System (EMS) receives data (counters, states, alarms) from each SDC site and
enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing
service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By
avoiding the need for complex integration and customization projects, SDC provides a
simple, reliable and easy to deploy solution to the most challenging control plane
connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF
Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent
(DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System
(EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel
with a centralized point of control for multi-site deployments. The EMS provides
performance indicators and business intelligence that improve visibility and help to identify
problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is
implemented through installing the SDC as an interworking function (IWF), which enables
any-to-any connectivity between Diameter-based and legacy nodes, and is also
implemented over TCAP, which enables message translation between Diameter and
CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to
create the site configuration file, customize the site deployment to your specific needs and
perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site
configuration files, editing existing site configuration files, and performing installations.
After selecting the desired procedure, you are directed through the steps necessary to
complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
[Diagram labels: SDC, IPX-A, IPX-B, PLMN-A, PLMN-B, PLMN-C, MVNO-B-A, MVNO-B-B, HSS, MME, SGSN, AF, PCRF, GGSN, OCS, DRA, DEA, Gy/Ro Proxy, S6a/d and Sh Proxy]
Figure 2 End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The
actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and
scaling of the internal network. Figure 2 depicts an internal network deployment for
PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2)
Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for
Diameter nodes and gateway/mediation functionalities with non-Diameter nodes.
The functionality split is logical, and all the functionalities are served by a single
SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX,
and enables secure and interoperable roaming and a single point of attachment
between the partners. The edge network deployment is shown in Figure 2. In this
deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to
PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between
the domains. It hides the internal PLMN topology of Diameter nodes
and provides an interworking function with non-Diameter nodes.
In this mode SDC incorporates an IWF function as defined by 3GPP and supports
the DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between
domains based on the supported roaming agreements. When deployed in IPX
carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the
network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the
core network, it reduces the operational burden posed by the peer-to-peer connectivity
architecture defined between the different Diameter based network elements. In core
network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network
configuration
• Native means for scaling up the Diameter based servers by using Diameter based
message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based
message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants
and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4)
routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are
transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter
nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be
deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed
at the edge of the network, SDC serves as a single point of attachment for roaming partners,
other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In
this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and
routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies
message normalization and adaptation
• Performs message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer.
Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different
Diameter-enabled network nodes within the operator's network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using
Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local
PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports
multi-site deployments by providing a centralized point of control. When using EMS, each
site is installed with an EMS agent used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder
component. These components respectively forward information to and receive
information from the EMS manager and Splunk components in the management site
to create an overview of the deployment's performance and support shared
configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each
site is installed with its own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. This is achieved by uploading Diameter data dictionaries. Upload of new data
dictionaries is done at runtime and does not require a software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one
IWF
In this interworking scenario the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer SDC provides support for IPv6 and IPv4. At the transport layer TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
[Diagram labels: HA Cluster, Config Mgr, Shared Memory, CPF (four instances), FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server]
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
This component provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
session management, routing, load balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management, pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point that hides the internal network architecture
from external clients and performs Peer management
• FEP-O: A single network aggregation point that hides the internal network architecture from
external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
Security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
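The two-level admission check described in this section, sketched as an added Python example (not SDC code and not taken from the product): an IP-level ACL with per-octet wildcards, followed by rules on fields of the Diameter Capabilities-Exchange-Request. The rule classes, the flattened CER dictionary, the first-match/default-deny policy and all addresses and realms are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IANA-registered Diameter Application-Ids for 3GPP S6a/S6d and Gx.
APP_S6A = 16777251
APP_GX = 16777238


@dataclass(frozen=True)
class IpRule:                      # hypothetical rule shape, not SDC's format
    pattern: str                   # dotted quad, "*" allowed per octet
    allow: bool


@dataclass(frozen=True)
class PeerRule:                    # hypothetical application-level rule
    origin_realm: str              # realm the peer must announce in its CER
    allowed_apps: frozenset        # applications the peer may advertise


def ip_matches(pattern: str, addr: str) -> bool:
    """Octet-wise wildcard match, so "192.0.2.*" cannot match 192.0.20.x."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False               # malformed source address never matches
    parts = pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))


def ip_admit(rules, addr) -> bool:
    """IP level: first matching rule wins, no match means deny."""
    for rule in rules:
        if ip_matches(rule.pattern, addr):
            return rule.allow
    return False


def cer_admit(peer_rules, cer):
    """Application level: check fields of the first request (the CER)."""
    realm = cer.get("Origin-Realm", "").lower()
    host = cer.get("Origin-Host", "").lower()
    apps = set(cer.get("Auth-Application-Id", ()))
    rule = next((r for r in peer_rules if r.origin_realm == realm), None)
    if rule is None:
        return False, "unknown Origin-Realm"
    if not host.endswith("." + realm):
        return False, "Origin-Host outside Origin-Realm"
    if not apps or not apps <= rule.allowed_apps:
        return False, "application not permitted for this realm"
    return True, "ok"


def admit(ip_rules, peer_rules, src_ip, cer):
    """Run both levels in order; the CER is only inspected after the ACL passes."""
    if not ip_admit(ip_rules, src_ip):
        return False, "IP ACL"
    return cer_admit(peer_rules, cer)


# Constructed sample policy: one roaming partner, one blocked host in its range.
IP_RULES = [IpRule("192.0.2.66", allow=False), IpRule("192.0.2.*", allow=True)]
PEER_RULES = [PeerRule("epc.partner-a.example", frozenset({APP_S6A}))]
# Constructed CER, already decoded and flattened to a dict (an assumption).
GOOD_CER = {
    "Origin-Host": "mme1.epc.partner-a.example",
    "Origin-Realm": "epc.partner-a.example",
    "Auth-Application-Id": [APP_S6A],
}

if __name__ == "__main__":
    print(admit(IP_RULES, PEER_RULES, "192.0.2.10", GOOD_CER))
    print(admit(IP_RULES, PEER_RULES, "192.0.2.66", GOOD_CER))
    print(admit(IP_RULES, PEER_RULES, "192.0.2.10",
                dict(GOOD_CER, **{"Auth-Application-Id": [APP_S6A, APP_GX]})))
```

Matching per octet rather than with a string glob keeps a rule such as `192.0.2.*` from also admitting `192.0.20.10`, and ordering the specific deny ahead of the wildcard allow is what makes the first-match policy safe.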
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Diagram labels: Client Peer, Transformation Engine, Server Peer, Request, Response, Client→Server, Client←Server]
Figure 11 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions, such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: This method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-
Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are routed using the routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session’s Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and table.
[Figure and table labels: Diameter Server; HTTP Server; Diameter 1 Client; HTTP 1 Client; Session Binding, Binding Name: PCRF1]
Figure 15 Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the
Session-ID. To allow proper handling of out of session server-initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request’s Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to “pcrf-cluster-a”
o The second range is routed to “pcrf-cluster-b”
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the “default” pool.
Alternatively, the Routing Rule can query an external data source – as shown in Figure 21 –
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the
pool using a “Context ID”. The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Figure labels: Clients; Internet; Router; SDC; Remote Peers; "Traffic is contextually distributed according to session ID"]
Figure 23 Contextual Policy
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across
the pool’s available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool’s
available Diameter peers according to a predefined proportion defined by a peer’s weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter
traffic is distributed across the pool’s available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request’s destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
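Three of the policies above (By Precedence, Weighted Round Robin and Contextual) side by side, as an added Python model that is not SDC code. The page does not say how SDC hashes a Context ID, so the contextual method uses weighted rendezvous hashing as an assumed scheme; the peer names and weights are constructed.

```python
import hashlib
import math


class PeerPool:
    """Peers in precedence order with static weights (constructed model)."""

    def __init__(self, weights):
        if not weights or any(w <= 0 for w in weights.values()):
            raise ValueError("every peer needs a positive weight")
        self.weights = dict(weights)        # insertion order = precedence
        self.out_of_service = set()         # filled in by health monitoring
        self._sent = dict.fromkeys(self.weights, 0)
        self._next = 0

    def available(self):
        return [p for p in self.weights if p not in self.out_of_service]

    def by_precedence(self):
        """First in-service peer; later peers are used only on failure."""
        peers = self.available()
        return peers[0] if peers else None

    def weighted_round_robin(self):
        """Round-robin order, skipping peers that already used their quota."""
        peers = self.available()
        if not peers:
            return None
        if all(self._sent[p] >= self.weights[p] for p in peers):
            self._sent = dict.fromkeys(self.weights, 0)   # start a new cycle
            self._next = 0
        for i in range(len(peers)):
            idx = (self._next + i) % len(peers)
            peer = peers[idx]
            if self._sent[peer] < self.weights[peer]:
                self._sent[peer] += 1
                self._next = idx + 1
                return peer
        return None

    def contextual(self, context_id):
        """Same Context ID -> same peer, in proportion to the weights.

        Weighted rendezvous hashing (assumed scheme): each peer gets a
        pseudo-random score for this key and the highest score wins, so a
        peer going out of service only moves the sessions it was holding.
        """
        best, best_score = None, -math.inf
        for peer in self.available():
            digest = hashlib.sha256(f"{peer}|{context_id}".encode()).digest()
            # 52 hash bits mapped strictly inside (0, 1), so log(u) < 0.
            u = ((int.from_bytes(digest[:8], "big") >> 12) + 0.5) / 2 ** 52
            score = -self.weights[peer] / math.log(u)
            if score > best_score:
                best, best_score = peer, score
        return best


if __name__ == "__main__":
    pool = PeerPool({"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1})
    print([pool.weighted_round_robin() for _ in range(7)])
    print(pool.contextual("constructed-session-id;1;42"))
```

The default Context ID on the page is the Diameter Session ID, which is why the sample key is a session identifier.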
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure labels: Client Peer; Transformation Engine; Server Peer; Request and Response in each direction between client and server]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
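The token bucket and the channel and global limiters described above, combined in one added Python sketch that is not SDC's implementation. Each peer has a message bucket and a byte bucket, a second pair covers all peers, and a non-conforming read pauses the peer (or all peers) for a configurable time without changing any bucket. The class names, rates and sample traffic are constructed, and the clock is passed in so that the behaviour is reproducible.

```python
class TokenBucket:
    """Holds up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), now

    def conforms(self, cost, now):
        # Refill for the elapsed time, then check without removing tokens.
        if now > self.stamp:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message and byte limits per channel (peer) and globally."""

    GLOBAL = object()   # key for the "all peers" pause

    def __init__(self, chan_msgs, chan_bytes, glob_msgs, glob_bytes,
                 pause, now=0.0):
        # Every limit is a (rate per second, burst) pair.
        self.chan_msgs, self.chan_bytes, self.pause = chan_msgs, chan_bytes, pause
        self.glob = (TokenBucket(*glob_msgs, now), TokenBucket(*glob_bytes, now))
        self.channels = {}
        self.paused_until = {}

    def admit(self, peer, nbytes, now):
        """Return 'read', 'channel-paused' or 'global-paused' for one message."""
        if now < self.paused_until.get(self.GLOBAL, 0.0):
            return "global-paused"
        if now < self.paused_until.get(peer, 0.0):
            return "channel-paused"
        if peer not in self.channels:
            self.channels[peer] = (TokenBucket(*self.chan_msgs, now),
                                   TokenBucket(*self.chan_bytes, now))
        chan, costs = self.channels[peer], (1, nbytes)
        # Check every bucket before taking from any, so that a message that
        # does not conform leaves all bucket contents unchanged.
        if not all([b.conforms(c, now) for b, c in zip(chan, costs)]):
            self.paused_until[peer] = now + self.pause
            return "channel-paused"
        if not all([b.conforms(c, now) for b, c in zip(self.glob, costs)]):
            self.paused_until[self.GLOBAL] = now + self.pause
            return "global-paused"
        for bucket, cost in zip(chan + self.glob, costs * 2):
            bucket.take(cost)
        return "read"


def demo():
    """Constructed traffic: (peer, message size in bytes, time in seconds)."""
    limiter = ReadLimiter(chan_msgs=(2, 3), chan_bytes=(1000, 2000),
                          glob_msgs=(4, 4), glob_bytes=(10000, 10000),
                          pause=1.0)
    traffic = ([("A", 100, 0.0)] * 4 + [("B", 100, 0.0)] * 2 +
               [("C", 100, 0.5), ("A", 100, 1.0), ("D", 5000, 1.0)])
    return [limiter.admit(peer, size, t) for peer, size, t in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

In the sample run, peer A exhausts its own burst first, peer B then hits the global message limit, and the 5000-byte message from peer D fails the byte bucket even though its message bucket is full.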
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter message header layout:

Bit offset | Fields (bits 0 to 31)
0          | version, message length
32         | R P E T, command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5 on the latency.
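Header-based prioritization as described above, in an added Python sketch that is not SDC code: it parses the 20-byte Diameter header (RFC 6733 layout, matching the bit-offset table) and applies a first-match priority table whose columns are those of the page's table. The two rules are constructed from the page's own examples (CCA over CCR on Gx, and the T bit); the function and constant names are illustrative.

```python
import struct
from typing import NamedTuple

FLAG_R, FLAG_T = 0x80, 0x10      # Request bit, potentially-retransmitted bit
GX, RX = 16777238, 16777236      # 3GPP Gx and Rx Application-Ids
CREDIT_CONTROL = 272             # CCR/CCA command code
ANY = None                       # "does not matter" in the priority table


class Header(NamedTuple):
    is_answer: bool
    is_retransmit: bool
    command_code: int
    application_id: int


def parse_header(buf):
    """Decode the fixed header; raise ValueError if it cannot be trusted."""
    if len(buf) < 20:
        raise ValueError("shorter than the 20-byte Diameter header")
    ver_len, flags_cmd, app_id = struct.unpack_from("!III", buf)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, command = flags_cmd >> 24, flags_cmd & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("message length must be a multiple of 4, at least 20")
    return Header(not flags & FLAG_R, bool(flags & FLAG_T), command, app_id)


# Constructed rules: is_answer, is_retransmit, command code, application ID.
PRIORITY_TABLE = [
    (True, ANY, CREDIT_CONTROL, GX, "High"),   # answers over requests on Gx
    (ANY, True, ANY, ANY, "High"),             # retransmitted messages
]


def classify(buf):
    """Return 'High' or 'Normal'; the first matching rule wins."""
    header = parse_header(buf)
    for *pattern, priority in PRIORITY_TABLE:
        if all(want is ANY or want == got
               for want, got in zip(pattern, header)):
            return priority
    return "Normal"                            # no rule set: normal priority


def sample_header(flags, command, app_id, length=20, version=1):
    """Build a constructed header with fixed hop-by-hop and end-to-end IDs."""
    return struct.pack("!IIIII", (version << 24) | length,
                       (flags << 24) | command, app_id, 0x1111, 0x2222)


if __name__ == "__main__":
    print("CCA on Gx:", classify(sample_header(0x40, CREDIT_CONTROL, GX)))
    print("CCR on Gx:", classify(sample_header(0xC0, CREDIT_CONTROL, GX)))
    print("AAR on Rx:", classify(sample_header(0xC0, 265, RX)))
```

Because only the fixed header is read, this classification avoids the AVP decoding cost that the page attributes to attribute-based prioritization.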
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher
priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31 “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure labels: Management Console (HTTPS web access); Provisioning Interface (SOAP) web service, SOAP/XML; Configuration Manager; SDC Core; Blade Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
[Figure labels: “Scalable Mode” SDC Node; Server 1 to Server M; Servers Backbone; Client 1 to Client K; Clients Backbone; External Network; Interconnect; Management Network; Scalable (12 blades); SDC Blade 1, SDC Blade 2, SDC Blade 3, SDC Blade 12; VIP (Active); VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage]
Figure 33 Scalable Deployment Physical View
[Figure labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 34 Scalable Deployment Logical View
[Figure labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture - Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP address.
   b. The floating IP address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP address are managed by the cluster software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture - Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's components (“scalable deployment” is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris: IPMP ICMP Probe IP Address monitoring; Linux: Bonding ARP Probe Address monitoring (Network Switch Redundancy) | Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog, “is running” check, service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy - Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active
or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41,
respectively.
Figure 40: Geographical redundancy - Active-Standby deployment mode
Figure 41: Geographical redundancy - Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity, and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
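The CER-based ACCEPT/REJECT decision described above can be sketched as follows. This is an added example, not SDC code or SDC configuration syntax: the rule format, the `evaluate` function, the 4096-byte length limit and all peer names and addresses are assumptions constructed for illustration; only the Diameter wire layout and AVP codes (RFC 6733) and the two 3GPP application ids are standard. Malformed or oversized messages are rejected before any rule is consulted.

```python
import ipaddress
import struct

CER_CODE = 257                       # Capabilities-Exchange command code (RFC 6733)
AVP_HOST_IP, AVP_AUTH_APP, AVP_ORIGIN_HOST, AVP_PRODUCT = 257, 258, 264, 269
MAX_MSG_LEN = 4096                   # assumed limit for this example, not an SDC default
FAMILIES = {b"\x00\x01": ipaddress.IPv4Address, b"\x00\x02": ipaddress.IPv6Address}

# Constructed policy (hypothetical rule format): first match wins, default is REJECT.
RULES = [
    {"action": "REJECT", "product": "legacy-probe"},
    {"action": "ACCEPT", "subnet": "10.20.0.0/16",
     "host_suffix": ".epc.example.net", "app_id": 16777251},             # S6a
    {"action": "ACCEPT", "subnet": "10.30.5.0/24", "app_id": 16777238},  # Gx
]


def avp(code, data):
    """Encode one base-protocol AVP (M flag set), padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(origin_host, host_ip, app_id, product):
    """Build a constructed sample CER so the example runs offline."""
    body = (avp(AVP_ORIGIN_HOST, origin_host.encode())
            + avp(AVP_HOST_IP, b"\x00\x01" + ipaddress.IPv4Address(host_ip).packed)
            + avp(AVP_AUTH_APP, struct.pack("!I", app_id))
            + avp(AVP_PRODUCT, product.encode()))
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + CER_CODE.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body


def parse_cer(msg):
    """Extract the CER fields the ACL inspects; raise ValueError if malformed."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(msg[1:4], "big")
    if declared != len(msg) or declared > MAX_MSG_LEN:
        raise ValueError("declared length is wrong or above the limit")
    if not msg[4] & 0x80 or int.from_bytes(msg[5:8], "big") != CER_CODE:
        raise ValueError("not a Capabilities-Exchange-Request")
    cer = {"origin_host": None, "product": None, "host_ips": [], "app_ids": set()}
    off = 20
    while off < len(msg):
        if off + 8 > len(msg):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8           # V flag adds a Vendor-Id field
        if length < hdr or off + length > len(msg):
            raise ValueError("AVP length out of bounds")
        data = msg[off + hdr:off + length]
        if flags & 0x80:
            pass                                   # vendor AVPs are not inspected here
        elif code == AVP_ORIGIN_HOST:
            cer["origin_host"] = data.decode("ascii").lower()
        elif code == AVP_PRODUCT:
            cer["product"] = data.decode("utf-8")
        elif code == AVP_AUTH_APP and len(data) == 4:
            cer["app_ids"].add(struct.unpack("!I", data)[0])
        elif code == AVP_HOST_IP:
            if data[:2] not in FAMILIES:
                raise ValueError("unsupported address family")
            cer["host_ips"].append(FAMILIES[data[:2]](data[2:]))
        off += length + (-length % 4)              # skip padding to the next AVP
    if cer["origin_host"] is None:
        raise ValueError("CER without Origin-Host")
    return cer


def evaluate(msg, src_ip, rules=RULES):
    """Return 'ACCEPT' or 'REJECT' for a CER received from transport address src_ip."""
    try:
        cer = parse_cer(msg)
        addrs = [ipaddress.ip_address(src_ip)] + cer["host_ips"]
    except ValueError:
        return "REJECT"                            # malformed input never reaches the rules
    for rule in rules:
        net = ipaddress.ip_network(rule["subnet"]) if "subnet" in rule else None
        # Both the transport source and every advertised Host-IP-Address must match.
        if net is not None and not all(a in net for a in addrs):
            continue
        if "host_suffix" in rule and not cer["origin_host"].endswith(rule["host_suffix"]):
            continue
        if "app_id" in rule and rule["app_id"] not in cer["app_ids"]:
            continue
        if "product" in rule and rule["product"] != cer["product"]:
            continue
        return rule["action"]
    return "REJECT"                                # default deny
```

Requiring the advertised Host-IP-Address values to fall in the same subnet as the transport source is a design choice of this sketch; a deployment with multi-homed SCTP peers would list every expected subnet.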
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS, and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of switch modules
(one pair for signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: additional addresses per signaling interface are supported; multiple signaling interfaces are supported; multiple Networks and/or VLANs supported; IPv4 and IPv6 are supported; SCTP Multi-Homing supported; if the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration). Additional Management VIPs are supported; multiple addresses per blade are supported; multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface; additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses: 2 for Advanced Management Modules; 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability, and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console; Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console; SNMP; SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition to that, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow
Labels in the figure: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability, and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
The core functionality of SDC is based on a powerful contextual routing engine, which
allows definition and execution of different routing policies that simplify the control plane
network management. The routing engine, together with the advanced load balancing
algorithms, fast failback detection, failover mechanisms, and congestion control, provides
unprecedented scalability and high availability of Diameter and other nodes.
When deploying SDC between LTE, IMS, and legacy network elements, service providers
gain multiple added-value benefits, such as:
• Simple and transparent Diameter network configuration, administration, and maintenance: Easy installation procedures with a user-friendly GUI make SDC fast to deploy and easy to maintain. Its capabilities are extremely powerful, yet simple to configure and modify. Automatic cluster detection and a secure configuration replication among parallel cluster nodes reduce the administrator's efforts to a minimum.
• Comprehensive network management using a Diameter contextual routing engine that reduces and centralizes the routing logic and relieves Diameter nodes from handling this logic.
• Congestion control for Diameter servers using advanced in-band health monitoring, overload detection, and throttling mechanisms: Using the health monitoring mechanisms, SDC manages back-end failures and reduces the risk of unintentionally sending traffic to overloaded or unavailable servers.
• Scalability of Diameter server nodes (such as PCRF, HSS, OCS) using Layer 4-7 load balancing algorithms and fast failover detection and failback mechanisms: Combined with congestion control mechanisms, SDC assures that signaling traffic is sent to healthy servers and that, after an unhealthy server recovers, it is automatically and gradually reintroduced to the network.
• SDC provides flexibility, scripting, and customization: SDC provides full user control for the definition of routing and transformation script rules using the Java-based Groovy scripting language. Using this flexible scripting, SDC can detect errors in messages or perform interaction with external systems while executing routing decisions. When interaction with external systems is required, SDC can be integrated with 3rd party Java-based libraries.
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter: To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance: The management console allows real-time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off-the-shelf hardware: SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale-out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management: In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation, and interworking functions, allowing
service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By
avoiding the need for complex integration and customization projects, SDC provides a
simple, reliable, and easy-to-deploy solution to the most challenging control plane
connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF
Diameter Agent (relay, proxy, redirect, and translation), 3GPP Diameter Routing Agent
(DRA), GSMA Diameter Edge Agent (DEA), and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System
(EMS), SS7-Diameter Support, and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel
with a centralized point of control for multi-site deployments. The EMS provides
performance indicators and business intelligence that improve visibility and help to
identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is
implemented through installing the SDC as an interworking function (IWF), which enables
any-to-any connectivity between Diameter-based and legacy nodes, and is also
implemented over TCAP, which enables message translation between Diameter and
CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to
create the site configuration file, customize the site deployment to your specific needs, and
perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site
configuration files, editing existing site configuration files, and performing installations.
After selecting the desired procedure, you are directed through the steps necessary to
complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2: End to end Diameter Architecture (diagram labels: SDC, PLMN-A, PLMN-B, PLMN-C, IPX-A, IPX-B, MVNO-B-A, MVNO-B-B, HSS, MME, SGSN, AF, PCRF, GGSN, OCS, DRA, DEA, Gy/Ro Proxy, S6a/d and Sh Proxy)
Multiple types of service and network providers can benefit from SDC capabilities. The
actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and
scaling of the internal network. Figure 2 depicts an internal network deployment for
PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2)
Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for
Diameter nodes and gateway/mediation functionalities with non-Diameter nodes.
The functionality split is logical, and all the functionalities are served by a single
SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX,
and enables secure and interoperable roaming and single point of attachment
between the partners. In Figure 2 edge network deployment is shown. In this
deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to
PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between
the domains. It hides the internal PLMN topology of Diameter nodes
and provides an interworking function with non-Diameter nodes.
In this mode SDC incorporates an IWF function as defined by 3GPP and supports
DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between
domains based on the supported roaming agreements. When deployed in IPX
carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the
network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the
core network, it reduces the operational burden posed by the peer-to-peer connectivity
architecture defined between the different Diameter based network elements. In core
network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network
configuration
• Native means for scaling up of the Diameter based servers by using Diameter based
message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based
message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants
and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4)
routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are
transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter
nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be
deployed in proxy mode.
Figure 3: SDC deployment as proxy in local mode
Figure 4: SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed
at the edge of the network, SDC serves as a single point of attachment for roaming partners,
other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In
this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and
routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies
message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between
Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer.
Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different
Diameter-enabled network nodes within the operator's network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using
Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local
PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports
multi-site deployments by providing a centralized point of control. When using EMS, each
site is installed with an EMS agent used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized: each site is installed with an EMS agent and Splunk Forwarder
component. These components respectively forward information to and receive
information from the EMS manager and Splunk components in the management site
to create an overview of the deployment's performance and support shared
configuration across multiple sites.
2. Distributed: in addition to the EMS agent and Splunk Forwarder components, each
site is installed with its own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFC and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. It is achieved by uploading Diameter data dictionaries. Upload of new data
dictionaries is done at runtime and does not require a software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, Camel
Support for the SS7 protocols (MAP and CAMEL) is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management: an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr.
o Mobility management: an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement.
o IMEI check: an S13/S13' - Gf interworking scenario with one
IWF
In this interworking scenario the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols, IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
Figure 8: SDC Platform Architecture (diagram labels: HA Cluster, Config Mgr, Shared Memory, CPF, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management, pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation point; hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
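The two enforcement levels described above can be sketched as follows. This is an added example, not SDC code or configuration: the ACL syntax, the peer rule format, the addresses and the host and realm names are constructed assumptions, while the Diameter header layout and AVP codes are those of the base protocol.

```python
import ipaddress
import struct
from fnmatch import fnmatchcase

# Diameter base protocol constants (RFC 3588).
CMD_CAPABILITIES_EXCHANGE = 257
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 264, 296
FLAG_REQUEST, AVP_FLAG_VENDOR = 0x80, 0x80

# Constructed policy (assumed format): first matching ACL entry wins, default deny.
IP_ACL = [("deny", "10.20.99.*"), ("allow", "10.20.*.*")]
PEER_RULES = [{"realm": "epc.partner-a.example", "host": "*.epc.partner-a.example"}]


def build_avp(code, data, flags=0x40):
    """Encode one AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)
    header = struct.pack("!IB3s", code, flags, length.to_bytes(3, "big"))
    return header + data + b"\x00" * (-length % 4)


def build_message(command, avps, flags=FLAG_REQUEST, app_id=0):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    total = 20 + len(body)
    return (bytes([1]) + total.to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)


def parse_message(raw):
    """Return (command, is_request, {avp_code: data}); ValueError if malformed."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(raw[1:4], "big") != len(raw):
        raise ValueError("message length field does not match buffer")
    command = int.from_bytes(raw[5:8], "big")
    avps, pos = {}, 20
    while pos < len(raw):
        if pos + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, pos)
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr or pos + length > len(raw):
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, raw[pos + hdr:pos + length])
        pos += length + (-length % 4)  # AVPs are padded to 32-bit boundaries
    return command, bool(raw[4] & FLAG_REQUEST), avps


def ip_allowed(src_ip):
    """IP level: match the source address octet by octet, '*' is a wildcard."""
    try:
        octets = str(ipaddress.IPv4Address(src_ip)).split(".")
    except ValueError:
        return False
    for action, pattern in IP_ACL:
        parts = pattern.split(".")
        if len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return action == "allow"
    return False


def admit_peer(src_ip, first_message):
    """Apply the IP rule, then the application rule on the first request (CER)."""
    if not ip_allowed(src_ip):
        return False, "ip-acl"
    try:
        command, is_request, avps = parse_message(first_message)
    except ValueError:
        return False, "malformed"
    if command != CMD_CAPABILITIES_EXCHANGE or not is_request:
        return False, "first-message-not-cer"
    try:
        host = avps[AVP_ORIGIN_HOST].decode("ascii").lower()
        realm = avps[AVP_ORIGIN_REALM].decode("ascii").lower()
    except (KeyError, UnicodeDecodeError):
        return False, "missing-origin"
    for rule in PEER_RULES:
        if realm == rule["realm"] and fnmatchcase(host, rule["host"]):
            return True, "ok"
    return False, "origin-not-authorized"


def sample_cer(host, realm):
    """Constructed Capabilities-Exchange-Request carrying only the origin AVPs."""
    return build_message(CMD_CAPABILITIES_EXCHANGE, [
        build_avp(AVP_ORIGIN_HOST, host.encode()),
        build_avp(AVP_ORIGIN_REALM, realm.encode()),
    ])
```

Origin-Host and Origin-Realm are values the peer asserts about itself, so the application-level rule is only meaningful in combination with the IP-level rule or a transport that authenticates the peer.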
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram: the Client Peer and the Server Peer exchange Request and Response through the Transformation Engine, in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides the flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned
entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: The following method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and
Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Server, HTTP Server, Diameter Client, HTTP Client, Session Binding, Binding Name PCRF1)
Bi-directional routing
Bi-Directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the
Session-ID. To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
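The IMSI range rule of the routing example and the Gx/Rx session binding described earlier in this section can be combined in one sketch. This is an added example, not an SDC rule or script: it works on already decoded AVPs, the IMSI ranges and addresses are constructed, Framed-IP-Address alone is assumed as the binding key, and returning no pool for an Rx session without a master is an assumption.

```python
END_USER_IMSI = 1  # Subscription-Id-Type value for an IMSI (RFC 4006)

# Constructed IMSI ranges (test PLMN 001/01); pool names follow the routing example.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def imsi_of(avps):
    """Return the IMSI from the grouped Subscription-Id AVP, or None."""
    for sub in avps.get("Subscription-Id", []):
        if sub.get("Subscription-Id-Type") == END_USER_IMSI:
            data = sub.get("Subscription-Id-Data", "")
            if isinstance(data, str) and data.isascii() and data.isdigit():
                return data
    return None


def select_pool(avps):
    """Route by IMSI range; a missing or out-of-range IMSI goes to the default pool."""
    imsi = imsi_of(avps)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            # Equal length makes the string comparison a numeric comparison.
            if len(imsi) == len(low) and low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decides once per session; Rx (slave) sessions inherit from the Gx master."""

    def __init__(self):
        self.sessions = {}  # Session-Id -> (pool, binding key or None)
        self.bindings = {}  # binding key -> (master Session-Id, pool)

    def route(self, interface, session_id, avps):
        if session_id in self.sessions:  # the decision persists for the session
            return self.sessions[session_id][0]
        key = avps.get("Framed-IP-Address")
        if interface == "Gx":
            pool = select_pool(avps)
            if key is not None:
                self.bindings[key] = (session_id, pool)
            self.sessions[session_id] = (pool, key)
            return pool
        if interface == "Rx":
            bound = self.bindings.get(key)
            if bound is None:
                return None  # no master session for this UE address
            self.sessions[session_id] = (bound[1], None)
            return bound[1]
        raise ValueError("unsupported interface: %r" % (interface,))

    def terminate(self, session_id):
        """Drop the session; a master also releases its binding key."""
        _pool, key = self.sessions.pop(session_id, (None, None))
        if key is not None and self.bindings.get(key, (None, None))[0] == session_id:
            del self.bindings[key]


def gx_avps(imsi, ue_ip):
    """Constructed, already decoded AVPs of a Gx session establishment request."""
    return {
        "Subscription-Id": [{"Subscription-Id-Type": END_USER_IMSI,
                             "Subscription-Id-Data": imsi}],
        "Framed-IP-Address": ue_ip,
    }
```

Releasing the binding when the master session ends matters because UE addresses are reused: a stale entry would send a later Rx session for the same address to the PCRF of a different subscriber.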
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients/Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response flows in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides this flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, while the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
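The token bucket, channel limiter and global limiter described above can be modelled as follows. This is an added Python example, not SDC code: the class names, the one-second burst allowance and the traffic in run_constructed_traffic() are assumptions.

```python
class TokenBucket:
    """Holds up to `burst` tokens and refills at `rate` tokens per second."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)      # start full, so an idle peer may burst
        self.updated = now

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens exist."""
        elapsed = max(0.0, now - self.updated)   # tolerate a clock stepping back
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.updated = max(self.updated, now)
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """A message rate limiter and a byte rate limiter for one scope."""

    def __init__(self, msgs_per_sec, bytes_per_sec, now=0.0):
        # Assumption: the burst allowance equals one second at the allowed rate.
        self.msgs = TokenBucket(msgs_per_sec, msgs_per_sec, now)
        self.octets = TokenBucket(bytes_per_sec, bytes_per_sec, now)

    def conforms(self, size, now):
        ok_msgs = self.msgs.has(1, now)
        ok_bytes = self.octets.has(size, now)  # larger than the burst: never conforms
        return ok_msgs and ok_bytes

    def consume(self, size):
        self.msgs.take(1)
        self.octets.take(size)


class FloodGuard:
    """One channel limiter per peer plus one global limiter for all peers."""

    def __init__(self, channel_limits, global_limits, pause_seconds):
        self.channel_limits = channel_limits      # (messages/s, bytes/s) per peer
        self.total = ReadLimiter(*global_limits)  # (messages/s, bytes/s) overall
        self.pause_seconds = pause_seconds        # how long reading stops
        self.channels = {}
        self.paused_until = {}
        self.global_paused_until = 0.0

    def on_message(self, peer, size, now):
        """Return 'read', 'channel-paused' or 'global-paused' for one message."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.paused_until.get(peer, 0.0):
            return "channel-paused"
        channel = self.channels.get(peer)
        if channel is None:
            channel = self.channels[peer] = ReadLimiter(*self.channel_limits, now=now)
        # Check both scopes before consuming, so that a non-conforming message
        # leaves every bucket unchanged.
        if not channel.conforms(size, now):
            self.paused_until[peer] = now + self.pause_seconds
            return "channel-paused"
        if not self.total.conforms(size, now):
            self.global_paused_until = now + self.pause_seconds
            return "global-paused"
        channel.consume(size)
        self.total.consume(size)
        return "read"


def run_constructed_traffic():
    """Constructed traffic: one flooding peer and one well-behaved peer."""
    guard = FloodGuard(channel_limits=(5, 10_000),
                       global_limits=(100, 1_000_000),
                       pause_seconds=2.0)
    events = [(i * 0.01, "flooder", 200) for i in range(10)]
    events += [(t, "pcef-1", 200) for t in (0.0, 0.5, 1.0, 1.5)]
    events.append((3.0, "flooder", 200))          # after the pause has expired
    outcome = {}
    for now, peer, size in sorted(events):
        outcome.setdefault(peer, []).append(guard.on_message(peer, size, now))
    return outcome


if __name__ == "__main__":
    for peer, verdicts in run_constructed_traffic().items():
        print(peer, verdicts)
```

The flooding peer exhausts its five-message burst, is paused for two seconds and is read again afterwards, while the well-behaved peer on the same node is never affected.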
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx
over Rx, or MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | Bits 0-7 | Bits 8-31
0          | version  | message length
32         | R P E T  | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs

When prioritization is performed using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
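An added Python example (not SDC code) of a header-only priority lookup: it parses the 20-byte Diameter header laid out above and matches the R bit, T bit, command code and application ID against a table with "does not matter" wildcards. The table rows and sample headers are constructed; 272 is the Credit-Control command code, and 16777238 and 16777236 are the Gx and Rx application IDs.

```python
import struct
from collections import namedtuple

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HEADER_LEN = 20

Header = namedtuple(
    "Header",
    "version length is_answer is_retransmit command_code application_id "
    "hop_by_hop end_to_end",
)

ANY = None  # "does not matter"

# Constructed table: is_answer, is_retransmit, command code, application ID,
# priority. The first matching row wins.
PRIORITY_TABLE = [
    (True, ANY, 272, 16777238, "High"),   # CCA on Gx: answers over requests
    (ANY, True, ANY, ANY, "High"),        # any message with the T bit set
]


def parse_header(data):
    """Decode the fixed Diameter header; raise ValueError if it is malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("fewer than 20 header bytes")
    word0, word1, app_id, hop_by_hop, end_to_end = struct.unpack_from("!IIIII", data)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, command_code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return Header(version, length,
                  not flags & FLAG_R,        # R bit clear means an answer
                  bool(flags & FLAG_T),
                  command_code, app_id, hop_by_hop, end_to_end)


def classify(data):
    """Return the priority of a message from its header fields alone."""
    header = parse_header(data)
    fields = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for *pattern, priority in PRIORITY_TABLE:
        if all(want is ANY or want == got for want, got in zip(pattern, fields)):
            return priority
    return "Normal"                          # no row matched


def build_header(flags, command_code, app_id, hbh=1, e2e=1, length=HEADER_LEN):
    """Build a constructed header for the examples below."""
    return struct.pack("!IIIII", (1 << 24) | length,
                       (flags << 24) | command_code, app_id, hbh, e2e)


if __name__ == "__main__":
    print(classify(build_header(0, 272, 16777238)))        # CCA on Gx
    print(classify(build_header(FLAG_R, 272, 16777238)))   # CCR on Gx
```

The R and T bits are set by the sending peer, so a row that grants High priority on the T bit alone is best paired with the per-channel rate limits of section 9.1.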
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS WEB Access; Web Service SOAP XML; SDC Blade/Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View (diagram labels: "Scalable Mode" SDC Node, Scalable (12 blades); Server 1 to Server M on the Servers Backbone; Client 1 to Client K on the Clients Backbone; External Network; Interconnect; Management Network; SDC Blade 1 with VIP (Active); SDC Blades 2, 3 and 12 with VIP (Standby); Web Interface; Config Mgr; SDC Engine; Distributed Storage)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server)
Figure 35: Main Software Processes (diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Session Replication; Client Peer; Server Peer; Management Workstation)
N+K Scalable service deployment
In the Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture - Normal operation (diagram labels: Node 1; Node 2; SDC; Web UI WS; Configuration Manager; Diameter VIP; Management VIP; Physical IP; Session Replication; Client; Management Workstation; numbered flow steps 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture - Failure operation (diagram labels: Node 1; Node 2; SDC; Web UI WS; Configuration Manager; Diameter VIP; Management VIP; Physical IP; Session Replication; Client; Management Workstation; numbered flow steps 1 to 3)
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides fast response to any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to another in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring (Network Switch Redundancy) | Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates

Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in AVP(s) such as Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
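The CER screening described under "Diameter connection security", together with the maximal-message-length check from "Diameter message security", as an added Python example (not SDC code or its configuration syntax). The ACL format, the 4096-byte limit, the realms and the addresses are constructed assumptions; the command and AVP codes are from RFC 6733.

```python
import ipaddress
import struct

# Command and AVP codes are from RFC 6733 (Diameter base protocol).
CMD_CER = 257
AVP_AUTH_APPLICATION_ID, AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 258, 264, 296
FLAG_REQUEST = 0x80  # 'R' bit in the message header flags
FLAG_VENDOR = 0x80   # 'V' bit in the AVP flags: a 4-byte Vendor-Id follows
MAX_MESSAGE_LENGTH = 4096  # assumed limit; the page gives no value

# Constructed policy (assumption): first matching rule wins, default REJECT.
ACL = [
    {"action": "REJECT", "realm": "untrusted.example"},
    {"action": "ACCEPT", "realm": "roaming.example",
     "subnet": "192.0.2.0/24", "application_id": 16777251},  # 3GPP S6a/S6d
]


def parse_message(raw, max_len=MAX_MESSAGE_LENGTH):
    """Return (command, is_request, avps); avps maps (vendor, code) -> [data]."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds maximal length")
    if declared != len(raw) or declared % 4:
        raise ValueError("declared length does not match received bytes")
    avps, pos = {}, 20
    while pos < len(raw):
        if pos + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", raw[pos:pos + 5])
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header = 12 if flags & FLAG_VENDOR else 8
        if avp_len < header or pos + avp_len > len(raw):
            raise ValueError("AVP length out of bounds")
        vendor = int.from_bytes(raw[pos + 8:pos + 12], "big") if header == 12 else 0
        avps.setdefault((vendor, code), []).append(raw[pos + header:pos + avp_len])
        pos += avp_len + (-avp_len % 4)  # AVPs are padded to a 4-byte boundary
    return int.from_bytes(raw[5:8], "big"), bool(raw[4] & FLAG_REQUEST), avps


def cer_decision(raw, peer_ip, acl=ACL):
    """Return (action, reason) for the first message received from peer_ip."""
    try:
        command, is_request, avps = parse_message(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if command != CMD_CER or not is_request:
        return "REJECT", "expected a Capabilities-Exchange-Request"
    try:
        realm = avps[(0, AVP_ORIGIN_REALM)][0].decode("ascii").lower()
        host = avps[(0, AVP_ORIGIN_HOST)][0].decode("ascii").lower()
    except (KeyError, UnicodeDecodeError):
        return "REJECT", "missing or malformed Origin-Host/Origin-Realm"
    apps = {int.from_bytes(d, "big")
            for d in avps.get((0, AVP_AUTH_APPLICATION_ID), [])}
    source = ipaddress.ip_address(peer_ip)  # transport-level source address
    for rule in acl:
        if rule.get("realm", realm) != realm:
            continue
        if "subnet" in rule and source not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "application_id" in rule and rule["application_id"] not in apps:
            continue
        return rule["action"], f"{host}: matched rule for realm {realm}"
    return "REJECT", f"{host}: no ACL rule matched"


def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def sample_cer(realm, host="mme01", extra=b""):
    """Constructed CER for the demo; not captured traffic."""
    body = (encode_avp(AVP_ORIGIN_HOST, f"{host}.{realm}".encode())
            + encode_avp(AVP_ORIGIN_REALM, realm.encode())
            + encode_avp(257, b"\x00\x01" + bytes([192, 0, 2, 10]))  # Host-IP-Address
            + encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", 16777251))
            + encode_avp(269, b"ExamplePeer" + extra, flags=0))  # Product-Name
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big")
              + bytes([FLAG_REQUEST]) + CMD_CER.to_bytes(3, "big")
              + struct.pack("!III", 0, 1, 1))
    return header + body


if __name__ == "__main__":
    for realm, ip in [("roaming.example", "192.0.2.10"),
                      ("roaming.example", "198.51.100.7"),
                      ("untrusted.example", "192.0.2.10")]:
        print(realm, ip, cer_decision(sample_cer(realm), ip))
    oversized = sample_cer("roaming.example", extra=b"A" * 5000)
    print("oversized", cer_decision(oversized, "192.0.2.10"))
```

The length and bounds checks run before any AVP is interpreted, so a peer that sends an oversized or malformed CER is rejected without the policy being consulted.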
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for OAM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |

IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

| Network | IP Addresses |
|---|---|
| Data Signaling | 4 IP addresses per signaling interface (e.g. Diameter). Note: additional addresses per signaling interface are supported; multiple signaling interfaces are supported; multiple networks and/or VLANs are supported; IPv4 and IPv6 are supported; SCTP multi-homing is supported; if the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP switch redundancy) |
| OAM Management and Backup Network Connection | One IP address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration). Additional Management VIPs are supported; multiple addresses per blade are supported; multiple networks and/or VLANs are supported, e.g. dedicated Management and Backup Interface; additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP addresses: 2 for Advanced Management Modules; 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-only access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.[2]
Figure 58 Detailed System Flow
[Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit wwwtraffixsystemscom
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
• LTE to legacy interoperability: interconnectivity between new Diameter-based functionalities and legacy infrastructure using legacy signaling protocols.
• Service level security and authorization for Diameter: To avoid Denial of Service and Distributed Denial of Service attacks, SDC runs different heuristics to protect the system from overrun attempts and invalid requests. It also controls and fine-tunes Denial of Service protection through ACLs.
• Visibility into Diameter level performance: The management console allows real-time performance visualization and monitoring of SDC internals and back-end servers. The performance counters are also available through multiple methods that allow import to external monitoring systems.
• Carrier grade product using off-the-shelf hardware: SDC supports front-end failover using multiple Virtual IPs. Using multi-threading and internal load balancing, the SDC performance scales linearly with the number of cores/processors and the number of SDC blades. The scale-out ability protects SDC and the signaling network from multiple compound failures.
• Centralized Management: In multi-site deployments, the Element Management System (EMS) receives data (counters, states, alarms) from each SDC site and enables global configuration of many aspects of the SDC sites in the deployment.
SDC provides Diameter protocol routing, mediation and interworking functions, allowing service providers to manage legacy to LTE and LTE to LTE roaming seamlessly. By avoiding the need for complex integration and customization projects, SDC provides a simple, reliable and easy to deploy solution to the most challenging control plane connectivity issues.
SDC is the market's only fully native Diameter solution and can be deployed as an IETF Diameter Agent (relay, proxy, redirect and translation), 3GPP Diameter Routing Agent (DRA), GSMA Diameter Edge Agent (DEA) and 3GPP Interworking Function (IWF).
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System (EMS), SS7-Diameter Support and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel with a centralized point of control for multi-site deployments. The EMS provides performance indicators and business intelligence that improve visibility and help to identify problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is implemented through installing the SDC as an interworking function (IWF), which enables any-to-any connectivity between Diameter-based and legacy nodes, and is also implemented over TCAP, which enables message translation between Diameter and CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to create the site configuration file, customize the site deployment to your specific needs and perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site configuration files, editing existing site configuration files and performing installations. After selecting the desired procedure, you are directed through the steps necessary to complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2 End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF. SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. In Figure 2, edge network deployment is shown. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider. SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes. In this mode SDC incorporates an IWF function as defined by 3GPP and supports the DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter-based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up the Diameter-based servers by using Diameter-based, message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based, message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols. SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305)
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local PLMN.
Figure 6 SDC dual mode
54 Multi-site deployment
Release 40 introduces the SDC Element Management System (EMS) which supports
multi-site deployments by providing a centralized point of control When using EMS each
site is installed with an EMS agent used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters
There are two types of EMS multi-site deployments
1 Centralized ndash each site is installed with an EMS agent and Splunk Forwarder
component These components respectively forward information to and receive
information from the EMS manager and Splunk components in the management site
to create an overview of the deploymentrsquos performance and support shared
configuration across multiple sites
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL.
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S6a/S6d and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter based MME or SGSN using S6a/S6d, a Diameter based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7).
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of the SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
[Figure 8: SDC Platform Architecture. Components shown: HA Cluster, Config Mgr, Shared Memory, CPF nodes, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, clients and servers.]
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services. CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures. FEP maintains a steady, single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture from external clients and performs Peer management.
• FEP-O: A single network aggregation point; hides the internal network architecture from external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements, arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
Security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
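A sketch of the two-level check described above, added here as an illustration and not taken from SDC: an IP-level ACL with wildcards, followed by application-level rules applied to fields of the peer's first request (the Diameter Capabilities-Exchange-Request). The ACL entries, realm names, rule layout and the function names are assumptions; the Application-Id values are the registered S6a and Gx identifiers.

```python
import fnmatch
import ipaddress

# Constructed policy. IP-level ACL: first matching entry wins, wildcards allowed.
IP_ACL = [
    ("deny", "203.0.113.66"),
    ("allow", "203.0.113.*"),
    ("allow", "198.51.100.1?"),
    ("deny", "*"),
]

# Constructed application-level rules keyed by Origin-Realm: the Origin-Host
# pattern a partner must present and the Application-Ids it may advertise.
S6A, GX = 16777251, 16777238
PEER_RULES = {
    "partner-a.example": {"host": "*.partner-a.example", "apps": {S6A}},
    "partner-b.example": {"host": "dra?.partner-b.example", "apps": {S6A, GX}},
}


def ip_allowed(src_ip, acl=IP_ACL):
    """IP-level check: reject unparsable addresses, then first match wins."""
    try:
        ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    for action, pattern in acl:
        if fnmatch.fnmatchcase(src_ip, pattern):
            return action == "allow"
    return False  # default deny when nothing matches


def admit_peer(src_ip, cer, rules=PEER_RULES):
    """Return (admitted, reason) for a peer's first request (the CER)."""
    if not ip_allowed(src_ip):
        return False, "ip-acl"
    realm = str(cer.get("Origin-Realm", "")).lower()
    host = str(cer.get("Origin-Host", "")).lower()
    rule = rules.get(realm)
    if rule is None:
        return False, "unknown-realm"
    # The pattern is anchored at both ends, so a realm used as a prefix of a
    # longer, foreign host name does not match.
    if not fnmatch.fnmatchcase(host, rule["host"]):
        return False, "origin-host"
    advertised = set(cer.get("Auth-Application-Id", []))
    # Every advertised application must be one the partner is entitled to.
    if not advertised or not advertised <= rule["apps"]:
        return False, "application-id"
    return True, "ok"
```

The reason string is what an operator would log or alarm on; a burst of "origin-host" or "application-id" rejections from an address that passed the ACL is worth investigating.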
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11: A 4 Way Message Transformation. Labels shown: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client → Server and Client ← Server directions.]
As seen in the above figure, SDC provides flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service providers with the flexibility to implement the different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request source and other properties, to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions, such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs, such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system. SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned using the SOAP API to the SDC internal provisioning database. When a new Diameter session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a new Diameter session's establishment, SDC will send a request to the location function. The request will include the query parameters, and the response will contain the appropriate pool for the specific request. The query parameters are extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method implements the same logic as described above, but instead of sending requests to an external system, SDC performs a programmatic call to an external library integrated within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the cache before sending the request to an external location function. The use of internal caching for routing decisions reduces the overall response time for the Diameter transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from different network elements and share common attributes. Bound sessions are handled as a session bundle composed of several sub-sessions. One such scenario is IP-CAN session binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the selected PCRF for some UE, all Rx sessions associated with the same UE should be routed to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are applied with routing rules inherited from the Master Session.
The session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
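The Gx/Rx binding described above, as an added Python sketch that is not SDC code: the Gx Master Session registers a binding key built from configured AVPs, and an Rx Slave Session with the same key inherits the Master's destination. The class, its method names and the sample messages are assumptions.

```python
class SessionBinding:
    """Binds Slave Sessions to the destination chosen for a Master Session."""

    def __init__(self, key_avps):
        self.key_avps = tuple(key_avps)  # AVPs that form the binding key
        self.by_key = {}     # binding key -> (master Session-Id, destination)
        self.by_master = {}  # master Session-Id -> binding key

    def _key(self, msg):
        # A message lacking any key AVP cannot be bound.
        if any(avp not in msg for avp in self.key_avps):
            return None
        return tuple(msg[avp] for avp in self.key_avps)

    def bind_master(self, gx_msg, destination):
        """Record the routing decision made for a new Gx Master Session."""
        key = self._key(gx_msg)
        if key is None:
            return False
        # A new Master with the same key replaces the older one entirely.
        self.release_master(self.by_key.get(key, (None,))[0])
        self.by_key[key] = (gx_msg["Session-Id"], destination)
        self.by_master[gx_msg["Session-Id"]] = key
        return True

    def route_slave(self, rx_msg):
        """Return the inherited destination, or None when nothing is bound."""
        entry = self.by_key.get(self._key(rx_msg))
        return entry[1] if entry else None

    def release_master(self, session_id):
        """Drop the binding when the Master Session ends."""
        key = self.by_master.pop(session_id, None)
        if key is not None:
            self.by_key.pop(key, None)


# Constructed messages: two APNs hand out the same private address.
GX_INTERNET = {"Session-Id": "pcef1;1;1", "Called-Station-Id": "internet",
               "Framed-IP-Address": "10.0.0.7"}
GX_IMS = {"Session-Id": "pcef1;1;2", "Called-Station-Id": "ims",
          "Framed-IP-Address": "10.0.0.7"}
RX_IMS = {"Session-Id": "af1;9;1", "Called-Station-Id": "ims",
          "Framed-IP-Address": "10.0.0.7"}
```

With Framed-IP-Address alone as the key, the two constructed Gx sessions collide and the later one wins; the combined key keeps them apart, which is why the choice of binding key matters when address pools overlap. Releasing the binding when the Master ends prevents a later Rx session on a reassigned address from inheriting a stale destination.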
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each time the Diameter Server is selected to handle a Diameter Master Session, the Master Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and table.
[Figure 15: Multi-Protocol Session Binding. Labels shown: Diameter and HTTP clients, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1.]
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out of session, server initiated Diameter requests, SDC implements advanced routing rules that can be used by the user to define the required behavior. If no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source – as shown in Figure 21 – to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists for the duration of the Diameter session.
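The Gx routing rule walked through above, written out as an added Python sketch rather than the Groovy rule shown in the figures: the IMSI is taken from the grouped Subscription-Id AVP, matched against two ranges, and the chosen pool is pinned to the Session-Id so later messages of the session follow it. The IMSI ranges, the 15-digit requirement and the class and function names are assumptions; the pool names are the ones in the example.

```python
# Constructed IMSI ranges (inclusive). Equal-length digit strings compare
# correctly as text, so 15-digit IMSIs are compared without integer conversion.
IMSI_RANGES = [
    ("310150000000000", "310150499999999", "pcrf-cluster-a"),
    ("310150500000000", "310150999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"
END_USER_IMSI = 1  # Subscription-Id-Type value for an IMSI (RFC 4006)


def extract_imsi(msg):
    """Return the IMSI from the grouped Subscription-Id AVP, or None."""
    for sub in msg.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data", "")
        if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                and len(data) == 15 and data.isascii() and data.isdigit()):
            return data
    return None  # AVP missing, wrong type, or malformed value


def select_pool(msg):
    """Apply the range rule; anything unmatched goes to the default pool."""
    imsi = extract_imsi(msg)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class GxRouter:
    """Decides once per session and keeps the decision until it ends."""

    def __init__(self):
        self.sessions = {}  # Session-Id -> pool

    def route(self, msg):
        sid = msg["Session-Id"]
        if sid not in self.sessions:          # session establishment
            self.sessions[sid] = select_pool(msg)
        return self.sessions[sid]             # persisted decision

    def end_session(self, sid):
        self.sessions.pop(sid, None)


def ccr(session_id, imsi=None):
    """Build a constructed Gx CCR as a plain dict."""
    msg = {"Session-Id": session_id}
    if imsi is not None:
        msg["Subscription-Id"] = [{"Subscription-Id-Type": END_USER_IMSI,
                                   "Subscription-Id-Data": imsi}]
    return msg
```

Because the decision is pinned at establishment, an update that omits or changes Subscription-Id cannot move an existing session to another pool.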
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them, and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
[Figure 23: Contextual Policy. Labels shown: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID.]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which the new request is delivered is the next available in row. Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by a peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weights set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
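One reading of the Weighted Round Robin description above, as an added Python sketch and not SDC's implementation: peers are visited in round-robin order, a peer that has used its quota for the current cycle or is out of service is skipped, and quotas are reset when every available peer is exhausted. The class, its method names and the peer names are assumptions.

```python
class WeightedRoundRobin:
    def __init__(self, weights):
        # weights: mapping peer -> positive integer weight, in pool order
        if not weights or any(int(w) < 1 for w in weights.values()):
            raise ValueError("every peer needs a weight of at least 1")
        self.peers = list(weights)
        self.weights = {p: int(w) for p, w in weights.items()}
        self.remaining = dict(self.weights)   # quota left in this cycle
        self.in_service = {p: True for p in self.peers}
        self.pos = 0                          # where the next scan starts

    def set_in_service(self, peer, up):
        """Hook for health monitoring to take a peer out or bring it back."""
        self.in_service[peer] = bool(up)

    def pick(self):
        """Return the peer for the next new request, or None if none is up."""
        available = [p for p in self.peers if self.in_service[p]]
        if not available:
            return None
        if all(self.remaining[p] <= 0 for p in available):
            self.remaining = dict(self.weights)   # start a new cycle
        n = len(self.peers)
        for step in range(n):
            peer = self.peers[(self.pos + step) % n]
            if self.in_service[peer] and self.remaining[peer] > 0:
                self.remaining[peer] -= 1
                self.pos = (self.pos + step + 1) % n
                return peer
        return None  # not reached: an available peer always has quota here


def distribution(balancer, requests):
    """Count how many of `requests` picks each peer receives."""
    counts = {}
    for _ in range(requests):
        peer = balancer.pick()
        counts[peer] = counts.get(peer, 0) + 1
    return counts
```

With weights 3:2:1:1 on constructed peers A to D, the first cycle of seven picks is A, B, C, D, A, B, A.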
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of the peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node which has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27: A 4 Way Message Transformation. Labels shown: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client → Server and Client ← Server directions.]
As seen in the above figure, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty Peers, or unexpected memory/CPU high usage or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or bounding the incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, and the byte rate limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
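The token bucket check and the channel and global limiters described above can be modelled as follows. This is an added example, not SDC code: the class names, the verdict strings and the three-strike rule used to decide that a limiter has "failed to reduce the rate" are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float    # tokens added per second (sustained limit)
    burst: float   # bucket capacity (permitted burstiness)
    tokens: float = field(init=False)
    last: float = 0.0  # time of the previous refill

    def __post_init__(self):
        self.tokens = self.burst  # the bucket starts full

    def conforms(self, cost: float, now: float) -> bool:
        """Refill for the elapsed time, then try to cash in `cost` tokens."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if cost > self.tokens:
            return False  # non-conforming: no tokens are removed
        self.tokens -= cost
        return True


class ReadLimiter:
    """Message or byte rate limiter for one channel, or for all channels."""

    def __init__(self, rate, burst, pause, count_bytes=False, max_strikes=3):
        self.bucket = TokenBucket(rate, burst)
        self.pause = pause              # seconds to stop reading after a violation
        self.count_bytes = count_bytes  # False: message limiter, True: byte limiter
        self.max_strikes = max_strikes  # assumed threshold for escalation
        self.paused_until = 0.0
        self.strikes = 0
        self.last_violation = None

    def reading(self, now: float) -> bool:
        return now >= self.paused_until

    def admit(self, size: int, now: float) -> str:
        """Classify a message that was just read: accept, pause or overload."""
        if self.bucket.conforms(size if self.count_bytes else 1, now):
            return "accept"
        # A sender that stayed within limits for two pause periods is forgiven.
        if self.last_violation is not None and now - self.last_violation > 2 * self.pause:
            self.strikes = 0
        self.strikes += 1
        self.last_violation = now
        self.paused_until = now + self.pause
        return "overload" if self.strikes >= self.max_strikes else "pause"


class IngressControl:
    """One limiter per peer (channel) plus one global limiter shared by all peers."""

    def __init__(self, channel_cfg: dict, global_cfg: dict):
        self.channel_cfg = channel_cfg
        self.global_limiter = ReadLimiter(**global_cfg)
        self.channels = {}

    def offer(self, peer: str, size: int, now: float) -> str:
        channel = self.channels.get(peer)
        if channel is None:
            channel = self.channels[peer] = ReadLimiter(**self.channel_cfg)
        if not (self.global_limiter.reading(now) and channel.reading(now)):
            return "unread"  # reading is paused; the message is not taken in
        verdict = channel.admit(size, now)
        if verdict == "accept":
            verdict = self.global_limiter.admit(size, now)
        return verdict


def simulate_flood(messages=5000, interval=0.001):
    """Constructed scenario: one peer sends a 200-byte message every millisecond."""
    control = IngressControl(
        channel_cfg=dict(rate=10, burst=5, pause=1.0),
        global_cfg=dict(rate=1000, burst=100, pause=1.0),
    )
    counts = {"accept": 0, "pause": 0, "unread": 0, "overload": 0}
    for i in range(messages):
        verdict = control.offer("peer-a", 200, i * interval)
        counts[verdict] += 1
        if verdict == "overload":
            break  # hand over to the overload protection mechanism
    return counts


if __name__ == "__main__":
    print(simulate_flood())
```

In the constructed flood the peer gets one burst of five messages per pause period, and the third violation in a row is reported as "overload" instead of another pause.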
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Diameter message header layout:
Bit offset | bits 0-7 | bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
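The header-based prioritization above can be worked through in code: parse the 20-byte Diameter header and match it against a priority table in which an empty field means "does not matter". This is an added example, not SDC code; the rule table, the function names and the sample headers are constructed for illustration, and the first matching rule is assumed to win.

```python
import struct
from typing import NamedTuple, Optional

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HEADER_LEN = 20


class DiameterHeader(NamedTuple):
    version: int
    length: int
    flags: int
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int

    @property
    def is_answer(self) -> bool:
        return not (self.flags & FLAG_R)  # R bit set means request

    @property
    def is_retransmit(self) -> bool:
        return bool(self.flags & FLAG_T)


def parse_header(data: bytes, max_length: int = 0xFFFFFF) -> DiameterHeader:
    """Decode and sanity-check the fixed header; AVPs are not touched."""
    if len(data) < HEADER_LEN:
        raise ValueError("need 20 bytes for a Diameter header")
    ver_len, flags_cmd, app_id, hbh, e2e = struct.unpack_from("!5I", data)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1:
        raise ValueError(f"unsupported Diameter version {version}")
    if length < HEADER_LEN or length % 4 or length > max_length:
        raise ValueError(f"invalid message length {length}")
    return DiameterHeader(version, length, flags_cmd >> 24,
                          flags_cmd & 0xFFFFFF, app_id, hbh, e2e)


class PriorityRule(NamedTuple):
    is_answer: Optional[bool]        # None means "does not matter"
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str

    def matches(self, header: DiameterHeader) -> bool:
        wanted = (self.is_answer, self.is_retransmit,
                  self.command_code, self.application_id)
        actual = (header.is_answer, header.is_retransmit,
                  header.command_code, header.application_id)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def classify(header: DiameterHeader, rules, default: str = "Normal") -> str:
    """First matching rule wins; unmatched messages get normal priority."""
    for rule in rules:
        if rule.matches(header):
            return rule.priority
    return default


# Constructed table for the cases named in the text.
CCR_CCA, GX, RX = 272, 16777238, 16777236
SAMPLE_RULES = [
    PriorityRule(True, None, CCR_CCA, None, "High"),  # CCA over CCR
    PriorityRule(None, None, None, GX, "High"),       # Gx over Rx
]


def make_header(flags, command_code, application_id, hbh=1, e2e=1, length=HEADER_LEN):
    """Build a constructed sample header for experiments."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command_code,
                       application_id, hbh, e2e)


if __name__ == "__main__":
    for name, flags, app in (("CCR on Rx", FLAG_R | FLAG_P, RX),
                             ("CCA on Rx", FLAG_P, RX),
                             ("CCR on Gx", FLAG_R | FLAG_P, GX)):
        header = parse_header(make_header(flags, CCR_CCA, app))
        print(name, classify(header, SAMPLE_RULES))
```

Because only the fixed header is read, this classification costs the same for every message, which is the contrast with the AVP-based prioritization mentioned above.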
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31 “DIAMETER_TOO_BUSY” Result-Code
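The reject and discard behaviour described in sections 9.3 and "Rejection" can be shown at the byte level. This is an added example, not SDC code: it builds the busy answer for a request following the Diameter base protocol (same command code and identifiers, R bit cleared, E bit set for a 3xxx Result-Code, Session-Id echoed). The function names, the host and realm names and the sample request are assumptions of the example.

```python
import struct

RESULT_CODE, SESSION_ID, ORIGIN_HOST, ORIGIN_REALM = 268, 263, 264, 296
DIAMETER_TOO_BUSY = 3004
FLAG_R, FLAG_P, FLAG_E = 0x80, 0x40, 0x20
AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40


def encode_avp(code: int, data: bytes, flags: int = AVP_FLAG_M) -> bytes:
    length = 8 + len(data)  # the AVP length field excludes the padding
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def iter_avps(body: bytes):
    """Yield (code, data) for each AVP, checking every length against the buffer."""
    offset = 0
    while offset < len(body):
        if offset + 8 > len(body):
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", body, offset)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        header = 12 if flags & AVP_FLAG_V else 8  # vendor AVPs carry a Vendor-ID
        if length < header or offset + length > len(body):
            raise ValueError("AVP length out of bounds")
        yield code, body[offset + header:offset + length]
        offset += (length + 3) & ~3  # AVPs are padded to 32-bit boundaries


def handle_when_overloaded(request: bytes, action: str, origin_host: str,
                           origin_realm: str, result_code: int = DIAMETER_TOO_BUSY):
    """Return None for a silent drop, or the bytes of the busy answer."""
    if action == "discard":
        return None  # dropped immediately, nothing is parsed
    if action != "reject":
        raise ValueError("action must be 'reject' or 'discard'")
    if len(request) < 20:
        raise ValueError("short Diameter message")
    ver_len, flags_cmd, app_id, hbh, e2e = struct.unpack_from("!5I", request)
    length = ver_len & 0xFFFFFF
    flags, command = flags_cmd >> 24, flags_cmd & 0xFFFFFF
    if not (flags & FLAG_R):
        return None  # only requests are answered
    if length < 20 or length > len(request):
        raise ValueError("message length does not match the buffer")
    body = b""
    for code, data in iter_avps(request[20:length]):
        if code == SESSION_ID:  # echo the session identifier when present
            body += encode_avp(SESSION_ID, data)
            break
    body += encode_avp(ORIGIN_HOST, origin_host.encode("ascii"))
    body += encode_avp(ORIGIN_REALM, origin_realm.encode("ascii"))
    body += encode_avp(RESULT_CODE, struct.pack("!I", result_code))
    answer_flags = flags & FLAG_P  # clear R and T, keep P
    if 3000 <= result_code < 4000:
        answer_flags |= FLAG_E     # protocol errors are flagged with the E bit
    header = struct.pack("!5I", (1 << 24) | (20 + len(body)),
                         (answer_flags << 24) | command, app_id, hbh, e2e)
    return header + body


def sample_request() -> bytes:
    """Constructed CCR on Gx with a Session-Id and an Origin-Host."""
    body = (encode_avp(SESSION_ID, b"pcef.example.net;7;42")
            + encode_avp(ORIGIN_HOST, b"pcef.example.net"))
    return struct.pack("!5I", (1 << 24) | (20 + len(body)),
                       ((FLAG_R | FLAG_P) << 24) | 272, 16777238, 0x1111, 0x2222) + body


if __name__ == "__main__":
    answer = handle_when_overloaded(sample_request(), "reject",
                                    "sdc.example.net", "example.net")
    print(answer.hex())
```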
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
condition or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
(Diagram labels: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS Web Access; Web Service SOAP XML; Blade Server; SDC Node; OAM; SNMP, Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI)
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
(Diagram labels: “Scalable Mode” SDC Node; Server 1 … Server M; Servers Backbone; Client 1 … Client K; Clients Backbone; External Network; Interconnect; Management Network; Scalable (12 blades); SDC Blade 1, 2, 3 … 12; VIP (Active); VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage)
Figure 33 Scalable Deployment Physical View
(Diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server)
Figure 34 Scalable Deployment Logical View
(Diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent)
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot-Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot-Standby deployment
In the Hot-Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
(Diagram labels: Node 1 and Node 2, each with SDC Core, Web UI/WS, Configuration Manager, Diameter VIP and Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication)
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
(Diagram labels: SDC nodes, each with SDC, Web UI/WS, Configuration Manager, Diameter VIP, Management VIP and Physical IP; Client; Management Workstation; Session Replication; flow steps 1, 2 and 3)
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
(Diagram labels: SDC nodes, each with SDC, Web UI/WS, Configuration Manager, Diameter VIP, Management VIP and Physical IP; Client; Management Workstation; Session Replication; flow steps 1, 2 and 3)
Figure 38 Scalable N+K HA architecture Failure operation
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connection between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s
components (“scalable deployment” is assumed):
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per-site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
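The checks described in 11.5 and 11.6 (ACCEPT or REJECT from the AVPs of a CER, a maximal message length, and removal of AVPs that reveal internal structure) are shown here as an added Python example; it is not SDC code. The wire layout and AVP codes are those of the Diameter base protocol, while the length limit, function names, realm names and the choice of Route-Record as the hidden AVP are assumptions.

```python
import struct

CER = 257                                  # Capabilities-Exchange command code
ORIGIN_HOST, ORIGIN_REALM = 264, 296       # base-protocol AVP codes
AUTH_APPLICATION_ID, ROUTE_RECORD = 258, 282
MAX_MESSAGE_LEN = 8192                     # assumed limit; the page gives no value


def encode_avp(code, data, flags=0x40):
    """Encode one non-vendor AVP: code, flags, 24-bit length, data, padding."""
    length = 8 + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + data + b"\x00" * (-length % 4)


def encode_message(command, app_id, avps, flags=0x80):
    """Encode a Diameter message from (code, data) pairs; used for sample input."""
    body = b"".join(encode_avp(code, data) for code, data in avps)
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big")
    head += bytes([flags]) + command.to_bytes(3, "big")
    return head + struct.pack("!III", app_id, 1, 1) + body


def parse_message(raw, max_len=MAX_MESSAGE_LEN):
    """Return (command, flags, avps); raise ValueError on an unacceptable frame."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 header")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds maximal length")
    if declared != len(raw) or declared % 4:
        raise ValueError("declared length does not match frame")
    flags, command = raw[4], int.from_bytes(raw[5:8], "big")
    avps, pos = [], 20
    while pos < len(raw):
        if pos + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, avp_flags = struct.unpack("!IB", raw[pos:pos + 5])
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header = 12 if avp_flags & 0x80 else 8     # V bit adds a Vendor-Id field
        if length < header or pos + length > len(raw):
            raise ValueError("AVP length out of bounds")
        end = pos + length + (-length % 4)         # AVPs are padded to 4 bytes
        avps.append((code, raw[pos + header:pos + length], raw[pos:end]))
        pos = end
    return command, flags, avps


def screen_cer(raw, allowed_realms, allowed_apps):
    """ACCEPT or REJECT a connection from its first message, as a CER ACL would."""
    try:
        command, flags, avps = parse_message(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if command != CER or not flags & 0x80:
        return "REJECT", "first message is not a CER"
    values = {}
    for code, data, _ in avps:
        values.setdefault(code, []).append(data)
    realm = values.get(ORIGIN_REALM, [b""])[0].decode("ascii", "replace").lower()
    if ORIGIN_HOST not in values or realm not in allowed_realms:
        return "REJECT", "peer realm not in ACL"
    apps = {int.from_bytes(d, "big") for d in values.get(AUTH_APPLICATION_ID, [])}
    if not apps & allowed_apps:
        return "REJECT", "no permitted application-id"
    return "ACCEPT", realm


def strip_avps(raw, hidden_codes):
    """Re-encode a message without the AVP codes that expose internal topology."""
    _, _, avps = parse_message(raw)
    body = b"".join(chunk for code, _, chunk in avps if code not in hidden_codes)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body


if __name__ == "__main__":
    # Constructed sample CER (not captured traffic); names are placeholders.
    cer = encode_message(CER, 0, [
        (ORIGIN_HOST, b"mme1.partner.example"),
        (ORIGIN_REALM, b"partner.example"),
        (AUTH_APPLICATION_ID, (16777251).to_bytes(4, "big")),   # S6a/S6d
    ])
    print(screen_cer(cer, {"partner.example"}, {16777251}))
    print(screen_cer(cer, {"other.example"}, {16777251}))
```

The length check runs before any AVP is decoded, so an oversized or mis-framed message is rejected without walking its contents.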
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing Supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus
one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.
Figure 58 Detailed System Flow
More details are available in Pipeline.xlsx and PeerFSM.xlsx.
[Figure 58 labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
4 Main Features Introduced in Release 4.0
Release 4.0 introduces the following main features: the Element Management System
(EMS), SS7-Diameter Support, and the Installation Utility.
4.1 Element Management System
The Traffix Element Management System (EMS) provides systems management personnel
with a centralized point of control for multi-site deployments. The EMS provides
performance indicators and business intelligence that improve visibility and help to identify
problems and plan for system expansion.
4.2 SS7-Diameter Support
The SDC supports message translation between SS7 and Diameter nodes. This support is
implemented through installing the SDC as an interworking function (IWF), which enables
any-to-any connectivity between Diameter-based and legacy nodes, and is also
implemented over TCAP, which enables message translation between Diameter and
CAMEL.
4.3 Installation Utility
The Traffix installation utility is a wizard tool that guides you through the steps needed to
create the site configuration file, customize the site deployment to your specific needs, and
perform the site installation.
The Installer UI centralizes the three main installation procedures: creating new site
configuration files, editing existing site configuration files, and performing installations.
After selecting the desired procedure, you are directed through the steps necessary to
complete your task.
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
Figure 2 End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The
actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and
scaling of the internal network. Figure 2 depicts an internal network deployment for
PLMN-A. In this deployment SDC is used as: (1) S6a/d and Sh Proxy for HSS, (2)
Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for
Diameter nodes and gateway/mediation functionalities with non-Diameter nodes.
The functionality split is logical and all the functionalities are served by a single
SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX,
and enables secure and interoperable roaming and a single point of attachment
between the partners. In Figure 2, edge network deployment is shown. In this
deployment SDC is used: (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to
PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between
the domains. It hides the internal PLMN topology of Diameter nodes
and provides an interworking function with non-Diameter nodes.
In this mode SDC incorporates an IWF function as defined by 3GPP and supports
DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between
domains based on the supported roaming agreements. When deployed in IPX
carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the
network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the
core network, it reduces the operational burden posed by the peer-to-peer connectivity
architecture defined between the different Diameter-based network elements. In core
network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network
configuration
• Native means for scaling up of the Diameter-based servers by using Diameter-based
message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based
message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants
and between Diameter and legacy protocols
In core network deployment SDC can serve as Proxy (Figure 3) or Redirect (Figure 4)
routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are
transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter
nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be
deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed
at the edge of the network, SDC serves as a single point of attachment for roaming partners,
other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In
this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and
routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies
message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between
Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer.
Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different
Diameter-enabled network nodes within the operator's network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using
Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local
PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports
multi-site deployments by providing a centralized point of control. When using EMS, each
site is installed with an EMS agent, used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder
component. These components respectively forward information to and receive
information from the EMS manager and Splunk components in the management site,
to create an overview of the deployment's performance and support shared
configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each
site is installed with its own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. This is achieved by uploading Diameter data dictionaries. Upload of new data
dictionaries is done at runtime and does not require software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter-based MME or SGSN using S6a/S6d
and a MAP-based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter-based MME or SGSN using S6a/S6d, a Diameter-based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP-based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one
IWF
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter-based MME or SGSN using
S13/S13' and a MAP-based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers, as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
from external clients and performs Peer management
• FEP-O: A single network aggregation hides the internal network architecture from
external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security Enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The Security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
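The two-level check described above, as an added example that is not SDC code or SDC rule syntax: the ACL notation (first match wins, `*` per octet), the rule fields and every address and peer name are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress

# Assumed IP-level ACL: ordered entries, first match wins, '*' stands for one
# whole octet. The syntax is hypothetical; the page does not show SDC's format.
IP_ACL = [
    ("deny",   "10.20.30.66"),
    ("permit", "10.20.30.*"),
    ("permit", "192.0.2.*"),
    ("deny",   "*.*.*.*"),
]

# Assumed application-level rules, matched against fields of the first request
# (the Diameter CER): peer identity plus the applications the peer may advertise.
APP_RULES = [
    {"realm": "home.example", "host": "pcef*.home.example",
     "apps": {16777238}},                         # Gx
    {"realm": "partner-a.example", "host": "*.partner-a.example",
     "apps": {16777251}},                         # S6a
]


def ip_permitted(peer_ip):
    """Evaluate the source address against the ACL; no match means deny."""
    try:
        octets = str(ipaddress.IPv4Address(peer_ip)).split(".")
    except ValueError:
        return False
    for action, pattern in IP_ACL:
        if all(p in ("*", o) for p, o in zip(pattern.split("."), octets)):
            return action == "permit"
    return False


def cer_permitted(cer):
    """Check Origin-Realm, Origin-Host and advertised applications of a CER."""
    realm = cer.get("Origin-Realm", "").lower()
    host = cer.get("Origin-Host", "").lower()
    apps = set(cer.get("Auth-Application-Id", []))
    for rule in APP_RULES:
        if realm == rule["realm"] and fnmatch.fnmatchcase(host, rule["host"]):
            if not apps:
                return False, "no application advertised"
            if apps - rule["apps"]:
                return False, "application not allowed for this peer"
            return True, "ok"
    return False, "unknown peer identity"


def admit_peer(peer_ip, cer):
    """IP-level check first, then the application-level check on the CER."""
    if not ip_permitted(peer_ip):
        return False, "rejected by IP ACL"
    return cer_permitted(cer)
```

The specific deny entry is listed before the wildcard permit because evaluation stops at the first match.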
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation
Engine, Server Peer; Request and Response in the Client -> Server and Client <- Server
directions.]
As seen in the above figure, SDC provides the flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned
entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and
Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
[Figure 15: Multi-Protocol Session Binding. Diagram labels: Diameter Client 1, HTTP
Client 1, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1.]
Bi-directional routing
Bi-Directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the
Session-ID. To allow proper handling of an out of session, server initiated Diameter
request, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of
the grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a".
  o The second range is routed to "pcrf-cluster-b".
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
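The Gx routing rule and the Gx/Rx session binding described above, combined in one added example (this is not the script from Figure 20 or 21 and not SDC's rule language). The IMSI ranges, the dictionary form of a decoded message and the binding at pool granularity are assumptions; the pool names are the ones the text gives.

```python
GX_APP, RX_APP = 16777238, 16777236      # 3GPP Gx and Rx application IDs
END_USER_IMSI = 1                        # Subscription-Id-Type value (RFC 4006)

# Constructed IMSI ranges; the ranges used in Figure 20 are not in the text.
IMSI_RANGES = [
    ("425010000000000", "425014999999999", "pcrf-cluster-a"),
    ("425015000000000", "425019999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(msg):
    """IMSI from the grouped Subscription-Id AVP, or None if absent/invalid."""
    for sub in msg.get("Subscription-Id", []):
        if sub.get("Subscription-Id-Type") == END_USER_IMSI:
            data = str(sub.get("Subscription-Id-Data", ""))
            # The constructed ranges are 15 digits long; anything else is
            # treated as "not in range" and falls through to the default pool.
            if data.isascii() and data.isdigit() and len(data) == 15:
                return data
    return None


def select_pool(msg):
    """Range match on the IMSI; missing AVP or no match gives the default pool."""
    imsi = extract_imsi(msg)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:      # equal-length digit strings sort numerically
                return pool
    return DEFAULT_POOL


class Router:
    def __init__(self):
        self.sessions = {}    # Session-Id -> pool, fixed at session establishment
        self.bindings = {}    # binding key -> pool chosen for the Master Session
        self.masters = {}     # master Session-Id -> its binding key

    def route(self, msg):
        sid = msg["Session-Id"]
        if sid in self.sessions:                 # decision persists for the session
            return self.sessions[sid]
        key = msg.get("Framed-IP-Address")       # binding key shared by Gx and Rx
        app = msg.get("Application-Id")
        if app == RX_APP and key in self.bindings:
            pool = self.bindings[key]            # Slave Session inherits the decision
        else:
            pool = select_pool(msg)
            if app == GX_APP and key:            # Gx session becomes the Master
                self.bindings[key] = pool
                self.masters[sid] = key
        self.sessions[sid] = pool
        return pool

    def end_session(self, sid):
        self.sessions.pop(sid, None)
        key = self.masters.pop(sid, None)
        if key is not None:                      # master ended: drop its binding
            self.bindings.pop(key, None)
```

Removing the binding when the master session ends keeps a reassigned Framed-IP-Address from steering a later subscriber's Rx sessions to a stale destination.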
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Figure 23: Contextual Policy. Diagram labels: Clients/Internet, Router, SDC, Remote
Peers; traffic is contextually distributed according to session ID.]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
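The peer-selection policies of this section side by side, as an added example rather than SDC's implementation: the `Peer` class, the slot-based hashing used for the Contextual policy and the peer names are assumptions; the 3:2:1:1 weights are the ones from the text.

```python
import hashlib


class Peer:
    def __init__(self, name, weight=1):
        self.name, self.weight, self.in_service = name, weight, True


def by_precedence(pool):
    """First peer in pool order that health monitoring has not taken out."""
    return next((p for p in pool if p.in_service), None)


class WeightedRoundRobin:
    """Round robin in which a peer is skipped once its quota (weight) is used."""

    def __init__(self, pool):
        self.pool, self.cursor = pool, 0
        self.used = {p.name: 0 for p in pool}

    def pick(self):
        avail = [p for p in self.pool if p.in_service]
        if not avail:
            return None
        if all(self.used[p.name] >= p.weight for p in avail):
            self.used = dict.fromkeys(self.used, 0)   # every quota spent: new round
            self.cursor = 0
        n = len(self.pool)
        for step in range(n):
            peer = self.pool[(self.cursor + step) % n]
            if peer.in_service and self.used[peer.name] < peer.weight:
                self.used[peer.name] += 1
                self.cursor = (self.cursor + step + 1) % n
                return peer
        return None


def contextual(pool, context_id):
    """Hash the Context ID (by default the Session-Id) onto weighted slots."""
    slots = [p for p in pool if p.in_service for _ in range(p.weight)]
    if not slots:
        return None
    digest = hashlib.sha256(context_id.encode()).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


def fastest_response(pool, avg_response_ms):
    """Peer with the lowest average response time in the last measurement period."""
    candidates = [p for p in pool if p.in_service and p.name in avg_response_ms]
    return min(candidates, key=lambda p: avg_response_ms[p.name], default=None)
```

With weights 3:2:1:1 one round of the weighted policy serves seven requests in the order A B C D A B A. The slot mapping of `contextual` changes for some Context IDs when a peer leaves the pool, which is harmless only because the selection is made once per session and then kept.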
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation
Engine, Server Peer; Request and Response in the Client -> Server and Client <- Server
directions.]
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
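A token bucket driving a message-rate and a byte-rate limiter, applied per channel and globally as described above (added example, not SDC code). The class names, the explicit `now` argument used as the clock and all rates, bursts and pause times are assumptions.

```python
class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), 0.0

    def has(self, cost, now):
        if now > self.stamp:                      # refill for the elapsed time
            self.tokens = min(self.burst,
                              self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message-rate plus byte-rate limiter that pauses reading when exceeded."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause):
        self.msgs = TokenBucket(msg_rate, msg_burst)
        self.octets = TokenBucket(byte_rate, byte_burst)
        self.pause, self.paused_until = pause, 0.0

    def paused(self, now):
        return now < self.paused_until

    def admit(self, nbytes, now):
        if self.paused(now):
            return False
        # Check both buckets before spending, so that a non-conforming
        # message leaves the bucket contents unchanged.
        if self.msgs.has(1, now) and self.octets.has(nbytes, now):
            self.msgs.take(1)
            self.octets.take(nbytes)
            return True
        self.paused_until = now + self.pause      # stop reading for `pause` seconds
        return False


class Ingress:
    """One limiter per peer channel plus one global limiter for all peers."""

    def __init__(self, channel_cfg, global_cfg):
        self.channel_cfg, self.channels = channel_cfg, {}
        self.everyone = ReadLimiter(**global_cfg)

    def on_message(self, peer, nbytes, now):
        if self.everyone.paused(now):
            return "global-paused"
        if peer not in self.channels:
            self.channels[peer] = ReadLimiter(**self.channel_cfg)
        if not self.channels[peer].admit(nbytes, now):
            return "channel-paused"
        if not self.everyone.admit(nbytes, now):
            return "global-paused"
        return "read"
```

In production the `now` values would come from a monotonic clock; passing them explicitly keeps the behaviour reproducible. A message larger than the byte burst can never conform, so the burst has to be at least the largest message the peer is allowed to send.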
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)       | Is Retransmit (T bit)   | Command code                   | Application ID                 | Priority
yes/no/does not matter  | yes/no/does not matter  | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter message header layout:
Bit offset | Bits 0-31
0          | version, message length
32         | R P E T, command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs ...
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
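Header-only priority classification as laid out in the table above, written as an added example (not SDC code). The two priority rules and the sample headers are constructed; note that in the Diameter header the R bit marks a request, so "is answer" means the R bit is clear.

```python
import struct

FLAG_R, FLAG_T = 0x80, 0x10        # Request and re-Transmit bits of the flags octet
ANY = None                         # "does not matter" in the priority table

# Constructed priority table:
# (is_answer, is_retransmit, command code, application ID, priority)
PRIORITY_RULES = [
    (True, ANY, 272, 16777238, "high"),    # CCA on Gx: answers over requests
    (ANY, True, ANY, ANY, "high"),         # any message with the T bit set
]


def parse_header(data):
    """Decode the fixed 20-byte Diameter header; AVPs are not touched."""
    if len(data) < 20:
        raise ValueError("Diameter header is 20 bytes")
    version, flags = data[0], data[4]
    length = int.from_bytes(data[1:4], "big")
    code = int.from_bytes(data[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    if version != 1 or length < 20 or length % 4:
        raise ValueError("malformed Diameter header")
    return {
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": code,
        "application_id": app_id,
        "length": length,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(data, rules=PRIORITY_RULES):
    """First matching rule wins; with no match, normal priority is used."""
    h = parse_header(data)
    key = (h["is_answer"], h["is_retransmit"],
           h["command_code"], h["application_id"])
    for *match, priority in rules:
        if all(m is ANY or m == k for m, k in zip(match, key)):
            return priority
    return "normal"


def build_header(flags, code, app_id, hbh=1, e2e=1):
    """Constructed sample input: a header-only message (length 20)."""
    return (bytes([1]) + (20).to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e))
```

Because only the fixed header is decoded, classification cost does not depend on message size, which is why the text singles out AVP-based prioritization as the variant that adds latency.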
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
condition or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
Mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager: the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console: a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API): provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture (diagram labels: Management Console, Configuration
Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web Access, SNMP/Syslog,
Fault and Performance Manager, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33 Scalable Deployment Physical View (diagram labels: “Scalable Mode” SDC Node with
up to 12 blades, each running SDC Engine; VIP Active on one blade and Standby on others; Web
Interface, Config Mgr and Distributed Storage; Clients Backbone, Servers Backbone, External
Network, Interconnect, Management Network)
Figure 34 Scalable Deployment Logical View (diagram labels: HA Cluster, Config Mgr, Shared
Memory, SDC Engines, FEP-I (IPSEC), FEP-I (TCP), FEP-O (SCTP), FEP-O (TCP), Web UI, SOAP,
Clients, Servers)
Figure 35 Main Software Processes (diagram labels: SDC Blade X with VIP (Active), Web
Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core,
Configuration Manager, Web UI/WS, Diameter VIP and Management VIP; Session Replication
between the nodes; Client Peer, Server Peer, Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37 Scalable N+K HA architecture: Normal operation (diagram labels: SDC nodes, each with
SDC, Web UI/WS, Configuration Manager, Physical IP, Diameter VIP and Management VIP; Session
Replication; Client; Management Workstation; flow steps 1, 2 and 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global
      Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture: Failure operation (diagram labels: SDC nodes, each with
SDC, Web UI/WS, Configuration Manager, Physical IP, Diameter VIP and Management VIP; Session
Replication; Client; Management Workstation; flow steps 1, 2 and 3)
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s
components (“scalable deployment” is assumed):
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding of the payload of AVP(s)
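The checks described in the Diameter connection security and Diameter message security sections, as one added example that is not SDC code: a length-bounded Diameter parser, an ACCEPT/REJECT decision taken from the AVPs of a CER, and a screening step that removes Route-Record and overwrites Origin-Host. AVP and command codes are those of RFC 6733; the 1024-byte limit, the ACL contents, host names and addresses are constructed assumptions.

```python
import ipaddress
import struct

# AVP and command codes from RFC 6733
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, ORIGIN_HOST = 257, 258, 264
ROUTE_RECORD, ORIGIN_REALM = 282, 296
CER = 257
MAX_LEN = 1024  # assumed maximum message length for this example


def avp(code, data, flags=0x40, vendor=None):
    """Encode one AVP; padding to a 4-byte boundary is not counted in its length."""
    extra = b"" if vendor is None else struct.pack("!I", vendor)
    length = 8 + len(extra) + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + extra + data + b"\x00" * (-length % 4)


def message(cmd, app_id, avps, flags=0x80, hbh=1, e2e=1):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big")
    head += bytes([flags]) + cmd.to_bytes(3, "big")
    return head + struct.pack("!III", app_id, hbh, e2e) + body


def parse(raw, max_len=MAX_LEN):
    """Return (header, [(code, flags, vendor, data)]); ValueError if malformed."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message exceeds the maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match the data")
    app_id, hbh, e2e = struct.unpack("!III", raw[8:20])
    hdr = {"flags": raw[4], "cmd": int.from_bytes(raw[5:8], "big"),
           "app_id": app_id, "hbh": hbh, "e2e": e2e}
    avps, pos = [], 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", raw[pos:pos + 5])
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hlen = 12 if flags & 0x80 else 8  # V bit: Vendor-Id follows the header
        if alen < hlen or pos + alen > length:
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack("!I", raw[pos + 8:pos + 12])[0] if flags & 0x80 else None
        avps.append((code, flags, vendor, raw[pos + hlen:pos + alen]))
        pos += alen + (-alen % 4)
    return hdr, avps


def cer_decision(raw, acl):
    """ACCEPT or REJECT a new connection from the AVPs of its CER."""
    try:
        hdr, avps = parse(raw)
        if hdr["cmd"] != CER or not hdr["flags"] & 0x80:
            return "REJECT"  # the first message must be a CER request
        realms = [d.decode("ascii") for c, _, _, d in avps if c == ORIGIN_REALM]
        # Host-IP-Address is a 2-byte address family followed by the address
        addrs = [ipaddress.ip_address(d[2:]) for c, _, _, d in avps if c == HOST_IP_ADDRESS]
        apps = {int.from_bytes(d, "big") for c, _, _, d in avps if c == AUTH_APPLICATION_ID}
    except ValueError:  # malformed message, bad address or non-ASCII realm
        return "REJECT"
    ok = (len(realms) == 1 and realms[0].lower() in acl["realms"]
          and addrs and all(any(a in n for n in acl["networks"]) for a in addrs)
          and apps & acl["app_ids"])
    return "ACCEPT" if ok else "REJECT"


def screen(raw, drop=(ROUTE_RECORD,), rewrite=None):
    """Drop or overwrite AVPs before forwarding; re-encode with a correct length."""
    hdr, avps = parse(raw)
    rewrite = rewrite or {}
    kept = [avp(c, rewrite.get(c, d), f, v) for c, f, v, d in avps if c not in drop]
    return message(hdr["cmd"], hdr["app_id"], kept, hdr["flags"], hdr["hbh"], hdr["e2e"])


# Constructed policy: one realm, one subnet, the S6a application id
ACL = {"realms": {"epc.example.net"},
       "networks": [ipaddress.ip_network("192.0.2.0/24")],
       "app_ids": {16777251}}


def sample_cer(realm, ip):
    """Build a constructed CER as a peer in `realm` at address `ip` would send it."""
    return message(CER, 0, [
        avp(ORIGIN_HOST, b"mme1." + realm.encode()),
        avp(ORIGIN_REALM, realm.encode()),
        avp(HOST_IP_ADDRESS, b"\x00\x01" + ipaddress.ip_address(ip).packed),
        avp(AUTH_APPLICATION_ID, (16777251).to_bytes(4, "big")),
    ])


if __name__ == "__main__":
    print(cer_decision(sample_cer("epc.example.net", "192.0.2.10"), ACL))
    print(cer_decision(sample_cer("rogue.example.org", "192.0.2.10"), ACL))
```

The policy is default-deny: any parse error, a missing AVP or an address outside the allowed networks yields REJECT, and the length limit is checked before any AVP is decoded.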
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1,
February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture (diagram labels: Blade Chassis with SDC Worker
Nodes; Virtual Fabric Switch 1 and 2, external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper
Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP,
MGMT-A, MGMT-B, INBAND; Interswitch Links; connections to upstream Routers; Virtual IPs for
SCTP and TCP on Internal and External Networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling:
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection:
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline
chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup
Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring:
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high-capacity, high-performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
5 Deployment Architectures
SDC's deployment modes are depicted in Figure 2.
[Figure 2 labels: SDC; IPX-A; IPX-B; PLMN-A; PLMN-B; PLMN-C; MVNO-B-A; MVNO-B-B; HSS; MME; SGSN; AF; PCRF; GGSN; OCS; Gy/Ro Proxy; DRA; S6a/d and Sh Proxy; DEA]
Figure 2 End to end Diameter Architecture
Multiple types of service and network providers can benefit from SDC capabilities. The actual deployment mode depends on the provider's needs.
Deployment modes:
• Core Network: SDC is deployed in the PLMN and enables management and scaling of the internal network. Figure 2 depicts an internal network deployment for PLMN-A. In this deployment SDC is used as (1) S6a/d and Sh Proxy for HSS, (2) Gy/Ro Proxy for OCS, (3) Gx/Rx DRA between GGSN/AF and PCRF.
SDC in PLMN-A provides the routing and load-balancing functionalities for Diameter nodes, and gateway/mediation functionalities with non-Diameter nodes. The functionality split is logical, and all the functionalities are served by a single SDC deployment.
• Edge: SDC is deployed at the edge of administrative domains, e.g. PLMN or IPX, and enables secure and interoperable roaming and a single point of attachment between the partners. Figure 2 shows the edge network deployment. In this deployment SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between the domains. It hides the internal PLMN topology of Diameter nodes and provides an interworking function with non-Diameter nodes.
In this mode SDC incorporates an IWF function as defined by 3GPP and supports DEA (Diameter Edge Agent) guidelines recommended by GSMA.
• IPX: SDC is deployed in the IPX provider and performs traffic steering between domains based on the supported roaming agreements. When deployed in IPX carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the core network, it reduces the operational burden posed by the peer-to-peer connectivity architecture defined between the different Diameter-based network elements. In core network deployment SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network configuration
• Native means for scaling up the Diameter-based servers by using Diameter-based, message-oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter-based, message-oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
In core network deployment SDC can serve as a Proxy (Figure 3) or Redirect (Figure 4) routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are transferred through SDC.
• In redirect mode, SDC participates in session establishment between two Diameter nodes, but it does not handle the Diameter transactions.
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Performs message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to and receive information from the EMS manager and Splunk components in the management site, to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
In this interworking scenario the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S6a/S6d and a MAP-based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
In this interworking scenario the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter-based MME or SGSN using S6a/S6d, a Diameter-based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP-based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
In this interworking scenario the SDC acts as an IWF directly connecting between a Diameter-based MME or SGSN using S13/S13' and a MAP-based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer SDC provides support for IPv6 and IPv4. At the transport layer TCP, UDP and SCTP are supported.
SDC supports simultaneous use of the SCTP and TCP transport protocols. It allows interconnecting two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting two peers that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
[Figure 8 labels: HA Cluster; Config Mgr; Shared Memory; CPF (x4); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady, single TCP connection with the multiple CPF nodes. For each Remote Node it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines, and for maintaining and configuring the connections.
As FEP is the connection point and there is usually a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture from external clients and performs Peer management.
• FEP-O: A single network aggregation point; hides the internal network architecture from external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At the application level the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
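The two-level check described above, as an added example that is not SDC code or SDC rule syntax: an IP ACL with wildcard octets (first match wins, default deny) followed by a check of the Origin-Host and Origin-Realm carried in the Diameter capabilities exchange request (CER). The rule classes, the wildcard syntax, the binding of each peer identity to a source pattern, and all addresses and realms are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AclRule:
    pattern: str  # dotted IPv4, "*" allowed as a whole octet (assumed syntax)
    action: str   # "permit" or "deny"


@dataclass(frozen=True)
class PeerRule:
    source: str        # IP pattern this identity may connect from
    origin_realm: str  # exact Origin-Realm expected in the CER
    origin_host: str   # glob on Origin-Host


def ip_matches(pattern, addr):
    """Octet-wise match. Plain string globbing would let "10.2*" match 10.20.x.x."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False
    parts = pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))


def ip_decision(acl, addr):
    for rule in acl:  # first matching rule wins
        if ip_matches(rule.pattern, addr):
            return rule.action
    return "deny"     # nothing matched: default deny


def admit_peer(acl, peer_rules, src_ip, cer):
    """Return (admitted, reason) for a new connection and its CER AVPs."""
    if ip_decision(acl, src_ip) != "permit":
        return (False, "ip-acl")
    realm, host = cer.get("Origin-Realm"), cer.get("Origin-Host")
    if not realm or not host:
        return (False, "cer-missing-origin")
    for rule in peer_rules:
        # Origin-Host/Origin-Realm are self-asserted by the peer, so the
        # identity is only accepted from the source range registered for it.
        if (ip_matches(rule.source, src_ip)
                and realm.lower() == rule.origin_realm.lower()
                and fnmatchcase(host.lower(), rule.origin_host.lower())):
            return (True, "ok")
    return (False, "cer-not-allowed")


# Constructed sample policy (documentation address ranges, example realms).
ACL = [
    AclRule("192.0.2.66", "deny"),
    AclRule("192.0.2.*", "permit"),
    AclRule("198.51.100.*", "permit"),
]
PEERS = [
    PeerRule("192.0.2.*", "partner-a.example", "dea*.partner-a.example"),
    PeerRule("198.51.100.*", "partner-b.example", "*.partner-b.example"),
]

if __name__ == "__main__":
    cer = {"Origin-Host": "dea1.partner-a.example",
           "Origin-Realm": "partner-a.example"}
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.7", "203.0.113.5"):
        print(ip, admit_peer(ACL, PEERS, ip, cer))
```

The third address is permitted at the IP level but rejected at the application level, because it presents another partner's realm.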
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11 labels: Client Peer; Transformation Engine; Server Peer; Request; Response; Client→Server; Client←Server]
Figure 11 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service providers with flexibility to implement different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria using combinations of Diameter AVPs, request source and other properties to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments routing decisions should be retrieved from an external system. SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned using the SOAP API to the SDC internal provisioning database. When a new Diameter session is established, SDC fetches the destination from its provisioning database. When provisioning routing entries, an expiry time can be set for the provisioned entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a new Diameter session's establishment, SDC will send a request to the location function. The request will include the query parameters, and the response will contain the appropriate pool for the specific request. The query parameters are extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method implements the same logic as described above, but instead of sending requests to an external system, SDC performs a programmatic call to an external library integrated within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the cache before sending the request to an external location function. The use of internal caching for routing decisions reduces the overall response time for the Diameter transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from different network elements and share common attributes. Bound sessions are handled as a session bundle composed of several sub-sessions. One such scenario is IP-CAN session binding as described in 3GPP 29.213. IP-CAN session binding is required to associate the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the selected PCRF for some UE, all Rx sessions associated with the same UE should be routed to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC supports this binding functionality using sets of common AVPs that are available for both reference points. The functionality is available out-of-the-box. For example, for Gx and Rx it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are applied with routing rules inherited from the Master Session.
The session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
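The Gx/Rx binding described above, as an added example that is not SDC code: a binding table keyed on values taken from the Master (Gx) session, from which Slave (Rx) sessions inherit the selected PCRF. The class, its method names and the sample session identifiers, APNs and peers are assumptions constructed for illustration; messages are modelled as plain dicts of AVP name to value.

```python
class BindingTable:
    """Maps a binding key built from Master-session AVPs to the selected peer."""

    def __init__(self, key_avps=("Framed-IP-Address",)):
        self.key_avps = tuple(key_avps)
        self._by_key = {}     # binding key -> (master session id, peer)
        self._by_master = {}  # master session id -> binding key

    def _key(self, avps):
        # A message lacking any of the key AVPs cannot be bound.
        if any(name not in avps for name in self.key_avps):
            return None
        return tuple(avps[name] for name in self.key_avps)

    def bind_master(self, session_id, avps, peer):
        """Record the routing decision made for a new Master (Gx) session."""
        key = self._key(avps)
        if key is None:
            return False
        previous = self._by_key.get(key)
        if previous is not None:
            # Same key seen again (e.g. address handed to a new session):
            # the newest Master owns the key from now on.
            self._by_master.pop(previous[0], None)
        self._by_key[key] = (session_id, peer)
        self._by_master[session_id] = key
        return True

    def route_slave(self, avps):
        """Peer inherited by a Slave (Rx) session, or None if no Master matches."""
        key = self._key(avps)
        entry = self._by_key.get(key) if key is not None else None
        return entry[1] if entry else None

    def release_master(self, session_id):
        """Drop the binding on Master termination so a reused address
        is not routed to the previous subscriber's PCRF."""
        key = self._by_master.pop(session_id, None)
        if key is None:
            return False
        del self._by_key[key]
        return True


if __name__ == "__main__":
    # Constructed case: two APNs hand out the same private address.
    table = BindingTable(("Called-Station-ID", "Framed-IP-Address"))
    table.bind_master("gx;1", {"Called-Station-ID": "internet",
                               "Framed-IP-Address": "10.0.0.5"}, "pcrf-1")
    table.bind_master("gx;2", {"Called-Station-ID": "ims",
                               "Framed-IP-Address": "10.0.0.5"}, "pcrf-2")
    rx = {"Called-Station-ID": "ims", "Framed-IP-Address": "10.0.0.5"}
    print(table.route_slave(rx))  # pcrf-2
```

With Framed-IP-Address alone as the key, the second Gx session in the sample would overwrite the first; the combined key keeps the two subscribers apart.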
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server respectively. Each time the Diameter Server is selected to handle a Diameter Master session, the Master Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and Table.
[Figure 15 labels: Diameter Server; HTTP Server; Diameter 1 Client; HTTP 1 Client; Session Binding; Binding Name: PCRF1]
Figure 15 Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out-of-session, server-initiated Diameter requests, SDC implements advanced routing rules that can be used by the user to define the required behavior. In case no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
o The first range is routed to "pcrf-cluster-a".
o The second range is routed to "pcrf-cluster-b".
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
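The IMSI-range rule and the per-session persistence described above, as an added Python example (it is not the SDC rule grid or its Groovy script). AVPs are modelled as nested dicts, the two IMSI ranges are constructed values, and the Subscription-Id-Type check (END_USER_IMSI = 1, from RFC 4006) is an assumption about how the IMSI entry is identified.

```python
"""IMSI-range pool selection for Gx sessions, with the decision pinned per session."""

END_USER_IMSI = 1  # Subscription-Id-Type value for an IMSI (RFC 4006); assumed here

# Constructed 15-digit ranges (inclusive); the page does not give the real ones.
IMSI_RANGES = [
    ("310150000000000", "310150499999999", "pcrf-cluster-a"),
    ("310150500000000", "310150999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(avps):
    """Return the IMSI from the Subscription-ID grouped AVP, or None if absent or malformed."""
    for sub in avps.get("Subscription-ID", []):
        if sub.get("Subscription-Id-Type") != END_USER_IMSI:
            continue
        data = sub.get("Subscription-ID-Data")
        # Only 15 ASCII digits are accepted; anything else is treated as a missing AVP.
        if isinstance(data, str) and data.isascii() and data.isdigit() and len(data) == 15:
            return data
    return None


def select_pool(avps, ranges=IMSI_RANGES):
    """Apply the rule: first matching IMSI range wins, otherwise the default pool."""
    imsi = extract_imsi(avps)
    if imsi is not None:
        for low, high, pool in ranges:
            # Equal-length digit strings compare in numeric order and keep leading zeros.
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decides once, at session establishment, and reuses the decision afterwards."""

    def __init__(self):
        self.sessions = {}  # Session-ID -> pool name

    def route(self, session_id, avps):
        pool = self.sessions.get(session_id)
        if pool is None:
            pool = select_pool(avps)
            self.sessions[session_id] = pool
        return pool

    def end_session(self, session_id):
        self.sessions.pop(session_id, None)
```

A deployed session table also needs an expiry for sessions that never terminate, otherwise a misbehaving peer can grow it without bound.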
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client-to-Server and Server-to-Client directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness¹.
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters operate similarly. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
¹ A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in), and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
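The token bucket check together with the channel and global limiters described above, as an added Python example that is not SDC code. The class names, parameter names and return labels are assumptions, and timestamps are passed in explicitly so the behavior is reproducible.

```python
class TokenBucket:
    """Tokens refill at `rate` per second up to `burst`; a message must pay its cost in full."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.stamp = 0.0

    def has(self, cost, now):
        if now > self.stamp:  # refill for the elapsed time; ignore clocks that step backwards
            self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class RateLimiter:
    """Message-rate and byte-rate limiter for one channel, or for all channels together."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause):
        self.msgs = TokenBucket(msg_rate, msg_burst)
        self.bytes = TokenBucket(byte_rate, byte_burst)
        self.pause = pause          # how long reading stops after a violation (seconds)
        self.paused_until = 0.0
        self.pauses = 0             # repeated pauses are the signal to escalate to overload control

    def admit(self, size, now):
        if now < self.paused_until:
            return False
        # Check both buckets before paying, so a non-conforming message changes neither.
        if self.msgs.has(1, now) and self.bytes.has(size, now):
            self.msgs.take(1)
            self.bytes.take(size)
            return True
        self.paused_until = now + self.pause
        self.pauses += 1
        return False


class Throttle:
    """One limiter per peer (channel) in front of a single global limiter."""

    def __init__(self, channel_cfg, global_cfg):
        self.channel_cfg = channel_cfg
        self.global_limiter = RateLimiter(**global_cfg)
        self.channels = {}

    def on_message(self, peer, size, now):
        if peer not in self.channels:
            self.channels[peer] = RateLimiter(**self.channel_cfg)
        if not self.channels[peer].admit(size, now):
            return "channel-paused"   # stop reading from this peer only
        if not self.global_limiter.admit(size, now):
            return "global-paused"    # stop reading from all peers
        return "read"


# Constructed limits for the example; the real values are user configurable.
CHANNEL_CFG = dict(msg_rate=10, msg_burst=5, byte_rate=10_000, byte_burst=5_000, pause=2.0)
GLOBAL_CFG = dict(msg_rate=100, msg_burst=8, byte_rate=1_000_000, byte_burst=1_000_000, pause=1.0)
```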
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)        Is Retransmit (T bit)    Command code                     Application ID                   Priority
yes/no/does not matter   yes/no/does not matter   24 bit integer/does not matter   32 bit integer/does not matter   High/Normal

Bit offset   Bits 0-7    Bits 8-31
0            version     message length
32           R P E T     command code
64           application ID
96           hop-by-hop ID
128          end-to-end ID
160          AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
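The header-based priority lookup described above, as an added Python example that is not SDC code. It parses the 20-byte Diameter header laid out in the table and matches it against a priority table in which None stands for "does not matter"; the rules, the application IDs used in them (4 for Credit-Control, 16777238 for Gx, 16777236 for Rx) and the sample headers are constructed for illustration.

```python
import struct

HEADER_LEN = 20
FLAG_R = 0x80  # set on requests, clear on answers
FLAG_T = 0x10  # set on potentially retransmitted messages
ANY = None     # "does not matter" in the priority table

# Constructed rules: (is answer, is retransmit, command code, application ID, priority)
PRIORITY_RULES = [
    (True, ANY, 272, ANY, "High"),       # Credit-Control answers (CCA over CCR)
    (ANY, ANY, ANY, 16777238, "High"),   # everything on the Gx application
    (ANY, True, ANY, ANY, "High"),       # retransmissions (T bit set)
]


def parse_header(data):
    """Decode and sanity-check the fixed Diameter header; raise ValueError if malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    version = data[0]
    length = int.from_bytes(data[1:4], "big")
    flags = data[4]
    command_code = int.from_bytes(data[5:8], "big")
    application_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    return {
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": command_code,
        "application_id": application_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
        "length": length,
    }


def priority(header, rules=PRIORITY_RULES):
    """First matching rule wins; with no match, normal priority is used."""
    fields = (header["is_answer"], header["is_retransmit"],
              header["command_code"], header["application_id"])
    for *wanted, level in rules:
        if all(w is ANY or w == got for w, got in zip(wanted, fields)):
            return level
    return "Normal"


def build_header(flags, command_code, application_id, length=HEADER_LEN, version=1):
    """Build a constructed sample header (hop-by-hop and end-to-end IDs fixed to 1)."""
    return (bytes([version]) + length.to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big") + struct.pack("!III", application_id, 1, 1))
```

Rejecting a malformed header before the priority lookup keeps garbage input out of the high-priority queue.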
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
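In Session Monitoring as described above, as an added Python example that is not SDC code: error events are counted in a sliding window per peer, and a peer that exceeds the threshold stops receiving new sessions for a hold-down interval. The parameter names, the treatment of Result-Codes of 3000 and above as errors, and the peer names are assumptions.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004  # busy answer Result-Code (RFC 6733)


class PeerHealth:
    def __init__(self, max_errors, window, out_of_service_for, slow_after=None):
        self.max_errors = max_errors                  # threshold of error events per window
        self.window = window                          # sliding window length in seconds
        self.out_of_service_for = out_of_service_for  # hold-down interval in seconds
        self.slow_after = slow_after                  # response time counted as an error, if set
        self.errors = deque()                         # timestamps of recent error events
        self.out_until = 0.0

    def record(self, now, result_code=None, timed_out=False, response_time=None):
        """Record one answer (or timeout) from the peer and return its resulting state."""
        slow = (self.slow_after is not None and response_time is not None
                and response_time > self.slow_after)
        failed = result_code is not None and result_code >= 3000
        if timed_out or slow or failed:
            self.errors.append(now)
        # Drop events that fell out of the sliding window.
        while self.errors and self.errors[0] <= now - self.window:
            self.errors.popleft()
        if len(self.errors) > self.max_errors:
            self.out_until = now + self.out_of_service_for
            self.errors.clear()
            return "out-of-service"   # the point at which an alarm would be sent to the OSS
        return "ok"

    def accepts_new_sessions(self, now):
        return now >= self.out_until


def pick_peer(health_by_peer, now):
    """First peer, in pool order, that may take a new session; None means reject gracefully."""
    for name, health in health_by_peer.items():
        if health.accepts_new_sessions(now):
            return name
    return None


def sample_monitors():
    """Constructed thresholds: more than 3 error events in 10 s puts a peer out for 30 s."""
    return {
        "pcrf-1": PeerHealth(3, 10.0, 30.0, slow_after=0.5),
        "pcrf-2": PeerHealth(3, 10.0, 30.0),
    }
```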
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters, such as CPU and Server Utilization, using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web Access, Web Service SOAP XML, Blade Server, OAM, SDC Node, SNMP, Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities,
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding, are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers, for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View (diagram labels: "Scalable Mode" SDC Node, scalable to 12 blades; Client 1 to Client K on the Clients Backbone; Server 1 to Server M on the Servers Backbone; External Network, Interconnect, Management Network; SDC Blades 1 to 12 with VIP (Active), VIP (Standby), SDC Engine, Web Interface, Config Mgr, Distributed Storage)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engine, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
Figure 35: Main Software Processes (diagram labels: SDC Blade X, VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Client Peer, Server Peer, Management Workstation; Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI, WS, Diameter VIP and Management VIP; Session Replication)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (diagram labels: Client, Management Workstation; nodes with SDC, Web UI, WS, Configuration Manager, Diameter VIP, Management VIP and Physical IP; Session Replication; flow steps 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP: Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connection between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components (“scalable deployment” is assumed):
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris: IPMP ICMP Probe IP Address monitoring; Linux: Bonding ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding of the payload of AVP(s)
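The CER-based ACCEPT/REJECT decision described under Diameter connection security, together with the length enforcement and AVP removal/rewriting described under Diameter message security, as an added example that is not Traffix or F5 code and does not represent SDC's own policy engine. The ACL rule format, the 4096-byte limit, the host names and all function names are assumptions made for illustration; the header and AVP layouts follow the Diameter base protocol.

```python
import ipaddress
import struct

# AVP and command codes from the Diameter base protocol (RFC 6733).
AUTH_APPLICATION_ID, ORIGIN_HOST, PRODUCT_NAME = 258, 264, 269
ROUTE_RECORD, ORIGIN_REALM, CER_COMMAND = 282, 296, 257
MAX_MESSAGE_LENGTH = 4096  # assumption: operator-configured limit
ACL = [  # constructed policy, evaluated top to bottom, default REJECT
    {"action": "REJECT", "product": "LoadGenerator"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24",
     "realm": "partner.example", "app_ids": [16777251]},  # S6a
]

def encode_avp(code, data, flags=0x40):
    """Encode one non-vendor AVP, padded to a 4-byte boundary."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)

def encode_message(command, flags, app_id, hbh, e2e, raw_avps):
    """Build a Diameter message from already-encoded AVPs."""
    body = b"".join(raw_avps)
    header = b"\x01" + (20 + len(body)).to_bytes(3, "big")
    header += bytes([flags]) + command.to_bytes(3, "big")
    return header + struct.pack("!III", app_id, hbh, e2e) + body

def parse_message(raw, max_len=MAX_MESSAGE_LENGTH):
    """Return (header_fields, avps); each AVP is (code, data, encoded).
    Raises ValueError for oversized or malformed input."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message longer than the configured maximum")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match the buffer")
    flags, command = raw[4], int.from_bytes(raw[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", raw[8:20])
    avps, off = [], 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, avp_flags = struct.unpack("!IB", raw[off:off + 5])
        avp_len = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if avp_flags & 0x80 else 8  # V bit set: Vendor-ID follows
        end = off + avp_len + (-avp_len % 4)
        if avp_len < hdr or end > length:
            raise ValueError("AVP length out of bounds")
        avps.append((code, raw[off + hdr:off + avp_len], raw[off:end]))
        off = end
    return (command, flags, app_id, hbh, e2e), avps

def cer_decision(raw, peer_ip, acl=ACL):
    """ACCEPT or REJECT a peer from its CER; first matching rule wins."""
    try:
        (command, flags, *_), avps = parse_message(raw)
    except ValueError:
        return "REJECT"
    if command != CER_COMMAND or not flags & 0x80:  # R bit: must be a request
        return "REJECT"
    first = {c: d for c, d, _ in reversed(avps)}  # first occurrence wins
    realm, product = (first.get(c, b"").decode("ascii", "replace")
                      for c in (ORIGIN_REALM, PRODUCT_NAME))
    app_ids = {int.from_bytes(d, "big") for c, d, _ in avps
               if c == AUTH_APPLICATION_ID}
    ip = ipaddress.ip_address(peer_ip)  # transport-level source address
    checks = {
        "subnet": lambda v: ip in ipaddress.ip_network(v),
        "realm": lambda v: realm == v,
        "product": lambda v: product == v,
        "app_ids": lambda v: bool(app_ids) and app_ids <= set(v),
    }
    for rule in acl:
        if all(checks[k](v) for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "REJECT"

def screen_message(raw, strip_codes, rewrite):
    """Drop AVPs in strip_codes; replace the values of codes in rewrite."""
    # Rewritten AVPs are re-encoded as base-protocol AVPs with the M bit set.
    header, avps = parse_message(raw)
    kept = [encode_avp(code, rewrite[code]) if code in rewrite else encoded
            for code, _, encoded in avps if code not in strip_codes]
    return encode_message(*header, kept)

def sample_message(command, app_id, extra=(), product=b"ConstructedMME"):
    """Constructed message from a hypothetical partner MME (trimmed AVP set)."""
    avps = [encode_avp(ORIGIN_HOST, b"mme01.core.partner.example"),
            encode_avp(ORIGIN_REALM, b"partner.example"),
            encode_avp(PRODUCT_NAME, product, flags=0),
            encode_avp(AUTH_APPLICATION_ID, (16777251).to_bytes(4, "big"))]
    return encode_message(command, 0x80, app_id, 0x1111, 0x2222,
                          avps + list(extra))

if __name__ == "__main__":
    print(cer_decision(sample_message(CER_COMMAND, 0), "192.0.2.10"))
    print(cer_decision(sample_message(CER_COMMAND, 0), "198.51.100.7"))
```

Untouched AVPs are copied byte for byte by `screen_message`, so vendor-specific AVPs survive screening unchanged; only the message length field is recomputed.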
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
  Note:
  • Additional addresses per signaling interfaces are supported
  • Multiple signaling interfaces are supported
  • Multiple Networks and/or VLANs supported
  • IPv4 and IPv6 are supported
  • SCTP Multi-Homing Supported
  • If Traffix Solution is required to perform L3 routing, 3 addresses per subnet
    will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
  • Additional Management VIPs are supported
  • Multiple addresses per blade are supported
  • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
  • Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses
  • 2 for Advanced Management Modules
  • 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
Figure 58: Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
(Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary;
External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation;
In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation;
Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM;
Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow;
Decision Flow; Groovy Scripting)
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
between the partners. In Figure 2, edge network deployment is shown. In this
deployment, SDC is used (1) between PLMN and IPX, (2) IPX to IPX, (3) PLMN to
PLMN, (4) PLMN to MVNO/ISP/OTT service provider.
SDC provides the security enforcement and border control functionalities between
the domains. It hides the internal PLMN topology of Diameter nodes
and provides interworking function with non-Diameter nodes.
In this mode, SDC incorporates an IWF function as defined by 3GPP and supports
DEA (Diameter Edge Agent) guidelines recommended by GSMA.
IPX: SDC is deployed in IPX provider and performs traffic steering between
domains based on the supported roaming agreements. When deployed in IPX
carrier/wholesale carrier/roaming hubs, it provides a secure platform to protect the
network and properly route Diameter traffic at ingress and egress points.
5.1 Core network deployment
SDC can be deployed in the core network of the service provider. When deployed in the
core network, it reduces the operational burden posed by the peer-to-peer connectivity
architecture defined between the different Diameter based network elements. In core
network deployment, SDC provides:
• Centralized management of Diameter signaling routing and flexibility in network
configuration
• Native means for scaling up of the Diameter based servers by using Diameter based
message oriented load-balancing mechanisms
• Native methods for overload and failover management by using Diameter based
message oriented congestion control mechanisms
• Mechanisms for message normalization and adaptation between Diameter variants
and between Diameter and legacy protocols
In core network deployment, SDC can serve as Proxy (Figure 3) or Redirect (Figure 4)
routing agent:
• In proxy mode, all Diameter transactions between two Diameter nodes are
transferred through SDC
• In redirect mode, SDC participates in session establishment between two Diameter
nodes, but it does not handle the Diameter transactions
To leverage the benefit of Diameter message normalization or modification, SDC should be
deployed in proxy mode.
Figure 3: SDC deployment as proxy in local mode
Figure 4: SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed
at the edge of the network, SDC serves as a single point of attachment for roaming partners,
other service providers or IPX network. Edge deployment of SDC is shown in Figure 5. In
this deployment, SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and
routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies
message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between
Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment, SDC works as Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer.
Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different
Diameter-enabled network nodes within the operator's network and provides roaming
connectivity with partner service provider networks and MVNO/ISP networks using
Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local
PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports
multi-site deployments by providing a centralized point of control. When using EMS, each
site is installed with an EMS agent used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder
component. These components respectively forward information to and receive
information from the EMS manager and Splunk components in the management site
to create an overview of the deployment’s performance and support shared
configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each
site is installed with their own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFC and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. It is achieved by uploading of Diameter data dictionaries. Upload of new data
dictionaries is done in runtime and does not require software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP’, SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one
IWF
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
[Figure 8: SDC Platform Architecture. Diagram labels: HA Cluster, Config Mgr, Shared Memory, CPF, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server]
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers, as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
session management, routing, load balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as the basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation point; hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements, arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
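The two-level admission check described above, as an added example that is not SDC code or configuration. The ACL syntax (IPv4 octets with "*" wildcards, first match wins, default deny), the rule fields and all peer names and addresses are assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed IP-level ACL (assumed syntax: "*" matches exactly one IPv4 octet).
# Rules are evaluated top-down, the first match wins, and the default is deny.
IP_ACL = [
    ("deny", "10.20.30.99"),
    ("allow", "10.20.30.*"),
    ("allow", "192.0.2.*"),
]

# Constructed application-level rules, matched against fields of the peer's
# first request (the Diameter Capabilities-Exchange-Request, CER).
S6A, GX = 16777251, 16777238  # 3GPP S6a/S6d and Gx application IDs
CER_RULES = [
    {"realm": "partner-a.example", "host": "*.partner-a.example", "apps": {S6A}},
    {"realm": "home.example", "host": "pcef*.home.example", "apps": {GX}},
]


def ip_allowed(addr):
    """IP level: True only if the first matching ACL rule is an allow rule."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False  # not a valid IPv4 address
    for action, pattern in IP_ACL:
        parts = pattern.split(".")
        if len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return action == "allow"
    return False


def cer_allowed(cer):
    """Application level: realm, host pattern and advertised applications must
    all fit one rule. A peer that advertises any application outside the rule
    is refused, so a roaming partner cannot open extra interfaces."""
    host = str(cer.get("Origin-Host", "")).lower()
    realm = str(cer.get("Origin-Realm", "")).lower()
    apps = set(cer.get("Auth-Application-Id", ()))
    for rule in CER_RULES:
        if (realm == rule["realm"] and fnmatchcase(host, rule["host"])
                and apps and apps <= rule["apps"]):
            return True
    return False


def admit_peer(addr, cer):
    """Run both levels in order and report which one refused the peer."""
    if not ip_allowed(addr):
        return "reject-ip"
    if not cer_allowed(cer):
        return "reject-application"
    return "accept"
```

Logging the returned reason per peer shows whether a roaming partner is failing on addressing or on what it advertises in its capabilities exchange.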
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation Engine, Server Peer, Request, Response, Client -> Server, Client <- Server]
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session's establishment, SDC sends a request to the location
function. The request includes the query parameters, and the response
contains the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
between the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with
the selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address, or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and table.
[Figure 15: Multi-Protocol Session Binding. Diagram labels: Diameter Server, HTTP Server, Diameter Client, HTTP Client, Session Binding, Binding Name: PCRF1]
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers, as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
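The logic of this rule, as an added example that is not the rule from Figure 20 or SDC's own scripting API. The IMSI ranges (test PLMN 001/01), the dictionary representation of a decoded message and the helper names are assumptions constructed for illustration; the AVP names follow RFC 4006 spelling.

```python
END_USER_IMSI = 1  # Subscription-Id-Type value that marks an IMSI (RFC 4006)

# Constructed ranges: the page's actual ranges are only in the figure.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]


class GxRouter:
    """Selects a PCRF pool at session establishment and keeps the decision."""

    def __init__(self, ranges=IMSI_RANGES, default_pool="default"):
        self.ranges = list(ranges)
        self.default_pool = default_pool
        self.sessions = {}  # Session-Id -> pool chosen for that session

    @staticmethod
    def extract_imsi(msg):
        """Return Subscription-Id-Data of the IMSI-typed Subscription-Id, if any."""
        for sub in msg.get("Subscription-Id", []):
            data = sub.get("Subscription-Id-Data", "")
            if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                    and isinstance(data, str) and data.isascii() and data.isdigit()):
                return data
        return None

    def select_pool(self, msg):
        imsi = self.extract_imsi(msg)
        if imsi is not None:
            for low, high, pool in self.ranges:
                # Equal-length digit strings order like numbers and keep the
                # leading zeros that an integer conversion would drop.
                if len(imsi) == len(low) and low <= imsi <= high:
                    return pool
        return self.default_pool  # AVP missing, malformed or out of range

    def route(self, msg):
        """Decide once per Session-Id; later messages reuse the decision."""
        sid = msg["Session-Id"]
        if sid not in self.sessions:
            self.sessions[sid] = self.select_pool(msg)
        return self.sessions[sid]

    def end_session(self, sid):
        self.sessions.pop(sid, None)


def sample_ccr(session_id, imsi=None, sub_type=END_USER_IMSI):
    """Build a constructed, already-decoded Gx request for the example."""
    msg = {"Session-Id": session_id}
    if imsi is not None:
        msg["Subscription-Id"] = [
            {"Subscription-Id-Type": sub_type, "Subscription-Id-Data": imsi}
        ]
    return msg
```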
Alternatively, the Routing Rule can query an external data source – as shown in Figure 21 –
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the
pool and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the
pool using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the
Diameter Session ID. The weight of each Diameter peer in the pool is set according to its
capacity and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Figure 23: Contextual Policy. Diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of each peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation Engine, Server Peer, Request, Response, Client -> Server, Client <- Server]
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected high memory or CPU usage, or other resource utilization that exceeds
the engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate, or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that
the message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
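A per-channel limiter built on the token bucket described above, as an added example that is not SDC's implementation. The class names, the parameter values in the usage and the choice to charge the actual message size (rather than an estimated rate) are assumptions made for illustration; time is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """Token bucket: `rate` tokens are added per second, up to `burst` tokens."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens = burst  # start full, so an initial burst is allowed
        self.stamp = now

    def refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = now

    def conforms(self, cost):
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class ChannelRateLimiter:
    """One message bucket and one byte bucket per peer (channel).

    When either limit is exceeded, the peer is not read from for `pause`
    seconds; other peers are unaffected.
    """

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause):
        self.msg_cfg = (msg_rate, msg_burst)
        self.byte_cfg = (byte_rate, byte_burst)
        self.pause = pause
        self.buckets = {}       # peer -> (message bucket, byte bucket)
        self.paused_until = {}  # peer -> time at which reading resumes

    def on_message(self, peer, size, now):
        """Return "read" if the message conforms, otherwise "paused"."""
        if now < self.paused_until.get(peer, 0.0):
            return "paused"
        if peer not in self.buckets:
            self.buckets[peer] = (TokenBucket(*self.msg_cfg, now),
                                  TokenBucket(*self.byte_cfg, now))
        msgs, octets = self.buckets[peer]
        msgs.refill(now)
        octets.refill(now)
        # Check both buckets before taking from either, so a non-conforming
        # message leaves the bucket contents unchanged.
        if msgs.conforms(1) and octets.conforms(size):
            msgs.take(1)
            octets.take(size)
            return "read"
        self.paused_until[peer] = now + self.pause
        return "paused"


def replay(limiter, events):
    """Feed constructed (time, peer, size) events and collect the decisions."""
    return [limiter.on_message(peer, size, t) for t, peer, size in events]
```

With a burst of 5 messages, a peer that sends 6 messages in the same instant has the first 5 read and is then paused, while a second peer on its own channel keeps being read.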
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
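The token bucket check and the per-Peer and global read pauses described above can be sketched as follows. This is an added example, not F5 Traffix code: the class names, rates, burst sizes and pause time are assumptions, and a token bucket stands in for the product's unspecified rate estimator.

```python
# Added example: token-bucket conformance plus per-Peer and global read pauses.
# Class names, rates, bursts and the pause time are illustrative assumptions.


class TokenBucket:
    def __init__(self, rate, capacity, now=0.0):
        self.rate = rate            # tokens added per second
        self.capacity = capacity    # bucket size = largest permitted burst
        self.tokens = capacity
        self.last = now

    def conforms(self, cost, now):
        """Return True and remove `cost` tokens if the bucket holds enough."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if cost <= self.tokens:
            self.tokens -= cost     # tokens are "cashed in", message passes
            return True
        return False                # non-conformant: contents not changed


class ReadLimiter:
    """Stops reading from a Peer (or from all Peers) for pause_s seconds
    once the Peer's bucket (or the global bucket) runs dry."""

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst, pause_s):
        self.peer_rate, self.peer_burst = peer_rate, peer_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.pause_s = pause_s
        self.buckets = {}               # Peer name -> TokenBucket
        self.peer_paused_until = {}     # Peer name -> time reading resumes
        self.global_paused_until = 0.0

    def on_message(self, peer, now):
        """Decide what to do with one inbound message from `peer` at time `now`."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.buckets:
            self.buckets[peer] = TokenBucket(self.peer_rate, self.peer_burst, now)
        if not self.buckets[peer].conforms(1, now):
            self.peer_paused_until[peer] = now + self.pause_s
            return "peer-paused"
        if not self.global_bucket.conforms(1, now):
            self.global_paused_until = now + self.pause_s
            return "global-paused"
        return "read"


def simulate():
    """Constructed traffic: one flooding Peer and one well-behaved Peer."""
    lim = ReadLimiter(peer_rate=10, peer_burst=5,
                      global_rate=100, global_burst=50, pause_s=2.0)
    trace = [lim.on_message("peer-flood", 0.0) for _ in range(8)]
    trace.append(lim.on_message("peer-ok", 0.5))      # unaffected by the pause
    trace.append(lim.on_message("peer-flood", 1.0))   # still inside the pause
    trace.append(lim.on_message("peer-flood", 2.0))   # pause over, bucket refilled
    return trace


if __name__ == "__main__":
    print(simulate())
```

The clock is passed in as `now` so the behaviour can be replayed deterministically against captured timestamps.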
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal |
Diameter message header layout:

Bit offset | Bits 0-7 | Bits 8-31
0          | version  | message length
32         | R P E T  | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
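An added example (not the product's code) of deriving a priority from the Diameter header fields listed above. The table rows are constructed; it relies on RFC 6733 setting the R bit on requests, so "Is Answer" corresponds to the R bit being clear.

```python
# Added example: classify a Diameter message by header fields only.
# The priority rows are constructed for illustration, not taken from the product.
import struct

HEADER_LEN = 20
ANY = None  # "does not matter" in the priority table

# Rows: (is_answer, is_retransmit, command_code, application_id, priority).
# The first matching row wins; unmatched messages get "Normal".
PRIORITY_TABLE = [
    (True, ANY, 272, ANY, "High"),       # Credit-Control answers: CCA over CCR
    (ANY, ANY, ANY, 16777238, "High"),   # Gx application ID: Gx over Rx
]


def parse_header(data):
    """Decode the fixed 20-byte Diameter header laid out above."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    ver_len, flags_code, app_id, hop_by_hop, end_to_end = struct.unpack(
        "!IIIII", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, command_code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return {
        "length": length,
        "is_answer": not flags & 0x80,         # R bit set means request
        "is_retransmit": bool(flags & 0x10),   # T bit
        "command_code": command_code,
        "application_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(data, table=PRIORITY_TABLE):
    """Return the priority of the first table row matching the header."""
    hdr = parse_header(data)
    key = (hdr["is_answer"], hdr["is_retransmit"],
           hdr["command_code"], hdr["application_id"])
    for *match, priority in table:
        if all(want is ANY or want == got for want, got in zip(match, key)):
            return priority
    return "Normal"   # no priority set: normal priority is used


def build_header(flags, command_code, app_id, length=HEADER_LEN):
    """Build a constructed header-only message for the samples below."""
    return struct.pack("!IIIII", (1 << 24) | length,
                       (flags << 24) | command_code, app_id, 1, 1)


if __name__ == "__main__":
    samples = {
        "CCA (Gy answer)": build_header(0x00, 272, 4),
        "CCR (Gy request)": build_header(0x80, 272, 4),
        "CCR (Gx request)": build_header(0x80, 272, 16777238),
        "AAR (Rx request)": build_header(0x80, 265, 16777236),
    }
    for name, raw in samples.items():
        print(name, "->", classify(raw))
```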
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have an impact of up to 5% on the latency.
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher
priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node, while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware - RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy); Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
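One way to implement the screening steps listed above, as an added example rather than SDC's own code: it enforces a maximum message length, drops one AVP and replaces others with keyed pseudonyms. The choice of Route-Record as the dropped AVP, the HMAC-SHA-256 pseudonym, the key and the sample message are assumptions.

```python
# Added example: Diameter message screening (length cap, AVP removal, AVP rewrite).
# AVP choices, the pseudonym scheme, the key and the sample message are assumptions.
import hashlib
import hmac
import struct

HEADER_LEN = 20
SESSION_ID, ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM, CC_REQUEST_TYPE = 263, 264, 282, 296, 416


def encode_avp(code, data, flags=0x40, vendor=None):
    """Encode one AVP. The length field excludes the zero padding to 4 bytes."""
    if vendor is not None:
        flags |= 0x80
    length = (12 if vendor is not None else 8) + len(data)
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-length % 4)


def iter_avps(payload):
    """Yield (code, flags, vendor, data) per AVP; reject malformed lengths."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", payload, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        head_len = 12 if flags & 0x80 else 8
        if length < head_len or pos + length > len(payload):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", payload, pos + 8)[0] if flags & 0x80 else None
        yield code, flags, vendor, payload[pos + head_len:pos + length]
        pos += length + (-length % 4)


def pseudonym(key, value):
    """Stable keyed pseudonym: equal inputs give equal outputs, so messages of
    one session still correlate without exposing the original identity."""
    return b"anon-" + hmac.new(key, value, hashlib.sha256).hexdigest()[:16].encode()


def screen_message(msg, key, max_len=4096, drop=(ROUTE_RECORD,),
                   rewrite=(SESSION_ID, ORIGIN_HOST, ORIGIN_REALM)):
    """Return a screened copy of msg, or raise ValueError if it must be rejected."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    declared = int.from_bytes(msg[1:4], "big")
    if declared != len(msg) or declared > max_len:
        raise ValueError("message length rejected")
    body = b""
    for code, flags, vendor, data in iter_avps(msg[HEADER_LEN:]):
        if vendor is None and code in drop:
            continue                          # remove topology-revealing AVP
        if vendor is None and code in rewrite:
            data = pseudonym(key, data)       # anonymize identity AVP
        body += encode_avp(code, data, flags, vendor)
    new_len = HEADER_LEN + len(body)          # header length must match new body
    return msg[:1] + new_len.to_bytes(3, "big") + msg[4:HEADER_LEN] + body


def build_sample():
    """Constructed request (command 272, application 4) with five AVPs."""
    body = b"".join([
        encode_avp(SESSION_ID, b"hss01.core.example.net;1;42"),
        encode_avp(ORIGIN_HOST, b"hss01.core.example.net"),
        encode_avp(ORIGIN_REALM, b"core.example.net"),
        encode_avp(ROUTE_RECORD, b"dra-int-3.core.example.net"),
        encode_avp(CC_REQUEST_TYPE, (1).to_bytes(4, "big")),
    ])
    header = struct.pack("!IIIII", (1 << 24) | (HEADER_LEN + len(body)),
                         (0x80 << 24) | 272, 4, 1, 1)
    return header + body


if __name__ == "__main__":
    screened = screen_message(build_sample(), b"constructed-demo-key")
    for code, _, _, data in iter_avps(screened[HEADER_LEN:]):
        print(code, data)
```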
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Diagram: blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port), L2/3 1GB copper switches A and B, interswitch links, connections to upstream routers, and virtual IPs for SCTP and TCP (all VIPs are doubled per internal and external networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides a chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
Figure 58 Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
To leverage the benefit of Diameter message normalization or modification, SDC should be deployed in proxy mode.
Figure 3 SDC deployment as proxy in local mode
Figure 4 SDC deployment in local mode using redirect
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment, SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Does message normalization and adaptation between Diameter variants and between Diameter and legacy protocols. SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305)
In edge deployment, SDC works as a Diameter Proxy agent.
Figure 5 SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator's network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connections and Relay for the local PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to and receive information from the EMS manager and Splunk components in the management site, to create an overview of the deployment's performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy, SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter interfaces. This is achieved by uploading Diameter data dictionaries. New data dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP. Multiple different versions of the same AVP, optionally encoded differently, are transparently handled by the system. If AVP modification is required, the AVPs are added to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to interconnect with multiple Diameter nodes over multiple different reference points.
For roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the SDC in a few ways. The implementation of the SDC as an IWF provides a variety of support scenarios between Diameter and MAP, including the following:
  o Mobility management – an S6a/S6d - Rel8 Gr interworking scenario
    In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S6a/S6d and a MAP based Rel8 HLR using Gr.
  o Mobility management – an S6a/S6d - S6a/S6d interworking scenario with two IWFs
    In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter based MME or SGSN using S6a/S6d, a Diameter based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP based roaming agreement.
  o IMEI check – an S13/S13' - Gf interworking scenario with one IWF
    In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
[Diagram labels: HA Cluster; Config Mgr; Shared Memory; CPF (x4); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Clients; Servers]
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services. CPF provides replication, alarms and logging support, as well as the basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point that hides the internal network architecture from external clients and performs Peer management
• FEP-O: A single network aggregation point that hides the internal network architecture from external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Diagram: a Transformation Engine between the Client Peer and the Server Peer, with requests and responses transformed in both the Client→Server and Client←Server directions]
Figure 11 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service providers with the flexibility to implement the different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request source and other properties, to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs, such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system. SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned using the SOAP API to the SDC internal provisioning database. When a new Diameter session is established, SDC fetches the destination from its provisioning database. When provisioning routing entries, an expiry time can be set for the provisioned entries, or they can be kept on a permanent basis. In addition to provisioning, SDC can calculate routing decisions or apply default decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a new Diameter session's establishment, SDC will send a request to the location function. The request will include the query parameters, and the response will contain the appropriate pool for the specific request. The query parameters are extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method implements the same logic as described above, but instead of sending requests to an external system, SDC performs a programmatic call to an external library integrated within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the cache before sending the request to an external location function. The use of internal caching for routing decisions reduces the overall response time for the Diameter transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions originating from
different network elements and share common attributes Bound sessions are handled as a
session bundle composed of several sub-sessions One of such scenarios is IP-CAN session
binding as described in 3GPP 29213 IP-CAN session binding is required to associate
between Rx and Gx session for the same UE After PCEF establishes a Gx session with the
selected PCRF for some UE all Rx sessions associated with the same UE should be routed
to the same PCRF The process of IP-CAN session binding is shown in Figure 14 SDC
supports this binding functionality using sets of common AVPs that are available for both
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 2982
SIGNALING DELIVERY CONTROLLER
Product Description
29
wwwtraffixsystemscom
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are routed using the routing rules inherited from the Master
Session.
Session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multi-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multi-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session’s Slave Sessions are directed to the HTTP Server that is subject to the Diameter Server,
as depicted in the following image and table.
[Figure labels: Diameter Client 1, HTTP Client 1, Session Binding, Diameter Server, HTTP Server, Binding Name: PCRF1]
Figure 15: Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. If no rule is set, SDC sends the request to a
client based on the request’s Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to “pcrf-cluster-a”
o The second range is routed to “pcrf-cluster-b”
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the “default” pool.
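The rule described above, written out as an added Python example (not SDC's rule grid or script, and not code from this document). The AVP codes are those of RFC 4006; the IMSI ranges, the check on Subscription-Id-Type and the choice to treat a malformed AVP list like a missing IMSI are assumptions made for the example.

```python
import struct

# AVP codes and enum value from RFC 4006 (Diameter Credit-Control), reused on Gx.
SUBSCRIPTION_ID = 443        # grouped AVP
SUBSCRIPTION_ID_DATA = 444   # UTF8String carrying the identifier
SUBSCRIPTION_ID_TYPE = 450   # Enumerated
END_USER_IMSI = 1

# Constructed IMSI ranges (inclusive); the values in the page's figure are not in the text.
IMSI_RANGES = [
    (425010000000000, 425010499999999, "pcrf-cluster-a"),
    (425010500000000, 425010999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def iter_avps(buf):
    """Yield (code, data) for each AVP in buf; raise ValueError on bad lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8          # V bit adds a 4-byte Vendor-Id
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[off + hdr: off + length]
        off += (length + 3) & ~3                 # AVPs are padded to 32 bits


def extract_imsi(avps):
    """Return the IMSI string from the first IMSI-typed Subscription-Id, or None."""
    for code, data in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(data))
        sid_type = inner.get(SUBSCRIPTION_ID_TYPE)
        # Assumption: only Subscription-Id entries typed END_USER_IMSI are used,
        # so an E.164 number that happens to fall in a range is not routed on.
        if sid_type is None or len(sid_type) != 4:
            continue
        if struct.unpack("!I", sid_type)[0] != END_USER_IMSI:
            continue
        imsi = inner.get(SUBSCRIPTION_ID_DATA, b"").decode("ascii", "replace")
        if imsi.isdigit() and 6 <= len(imsi) <= 15:
            return imsi
    return None


def select_pool(avps):
    """Pick the PCRF pool for a Gx request from its raw AVP bytes."""
    try:
        imsi = extract_imsi(avps)
    except ValueError:
        imsi = None  # assumption: a malformed AVP list is treated like a missing IMSI
    if imsi is not None:
        value = int(imsi)
        for low, high, pool in IMSI_RANGES:
            if low <= value <= high:
                return pool
    return DEFAULT_POOL


def avp(code, data, flags=0x40):
    """Encode one AVP (no Vendor-Id) with padding; used to build the sample input."""
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def sample_request(imsi):
    """Constructed Subscription-Id AVP for a given IMSI string."""
    return avp(SUBSCRIPTION_ID,
               avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", END_USER_IMSI))
               + avp(SUBSCRIPTION_ID_DATA, imsi.encode("ascii")))


if __name__ == "__main__":
    for imsi in ("425010123456789", "425010600000000", "310150123456789"):
        print(imsi, "->", select_pool(sample_request(imsi)))
```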
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming request distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps messages to a list of available peers in the pool
using a “Context ID”. The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming request distribution is
depicted in Figure 25.
[Figure labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID]
Figure 23: Contextual Policy
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across
the pool’s available Diameter peers, and the Diameter peer to which a new request is
delivered is the next available one in the row. Round Robin is a static algorithm: no external
parameters are taken into account upon request distribution. Incoming request distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool’s
available Diameter peers according to a predefined proportion defined by each peer’s weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no
external parameters are taken into account upon request distribution. With the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in the row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter
traffic is distributed across the pool’s available Diameter peers according to the respective
response time of each peer. The response time is measured for a predefined duration of time
using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node that has the fastest average response time measured during the last
measurement period. Incoming request distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request’s destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure labels: Client Peer, Transformation Engine, Server Peer; Request and Response in both the Client->Server and Client<-Server directions]
Figure 27: A 4 Way Message Transformation
As seen in the above figure, SDC provides this flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible causes of overload, such as signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or bounding the
incoming request queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, whereas the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. The estimated traffic reading rate is then compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. If the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). The estimated traffic reading rate is then compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. If the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
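The token bucket, Channel Rate Limiter and Global Rate Limiter passages above, combined in one added Python example (an illustration, not SDC's implementation). Class names, the return labels and the sample traffic are assumptions; a message is admitted only if both the peer's bucket and the global bucket hold enough tokens, and a failed check leaves both buckets unchanged.

```python
READ, PEER_PAUSED, ALL_PAUSED = "read", "peer-paused", "all-paused"


class TokenBucket:
    """Bucket refilled at `rate` tokens per second, holding at most `burst`."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are available."""
        elapsed = max(0.0, now - self.stamp)      # ignore a clock that steps backwards
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Per-channel and global limiter; unit is 'messages' or 'bytes'."""

    def __init__(self, unit, peer_rate, peer_burst, global_rate, global_burst, pause_s):
        if unit not in ("messages", "bytes"):
            raise ValueError("unit must be 'messages' or 'bytes'")
        self.unit, self.pause_s = unit, pause_s
        self.peer_rate, self.peer_burst = peer_rate, peer_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peers = {}                  # one bucket per connected peer (channel)
        self.peer_paused_until = {}
        self.all_paused_until = 0.0

    def admit(self, peer, size, now):
        """Decide whether to read one message of `size` bytes from `peer` at time `now`."""
        cost = 1 if self.unit == "messages" else size
        if now < self.all_paused_until:
            return ALL_PAUSED
        if now < self.peer_paused_until.get(peer, 0.0):
            return PEER_PAUSED
        bucket = self.peers.get(peer)
        if bucket is None:
            bucket = self.peers[peer] = TokenBucket(self.peer_rate, self.peer_burst, now)
        if not bucket.has(cost, now):
            # Channel limiter: stop reading from this peer for the configured time.
            self.peer_paused_until[peer] = now + self.pause_s
            return PEER_PAUSED
        if not self.global_bucket.has(cost, now):
            # Global limiter: stop reading from all peers for the configured time.
            self.all_paused_until = now + self.pause_s
            return ALL_PAUSED
        bucket.take(cost)                # tokens are removed only when both checks pass
        self.global_bucket.take(cost)
        return READ


def replay(limiter, events):
    """Run (time, peer, size) events through the limiter and return the decisions."""
    return [limiter.admit(peer, size, t) for t, peer, size in events]


# Constructed traffic: pcef-1 bursts seven messages, pcef-2 sends one, pcef-1 returns later.
FLOOD = [(0.0, "pcef-1", 300)] * 7 + [(0.1, "pcef-2", 300), (2.0, "pcef-1", 300)]

if __name__ == "__main__":
    limiter = ReadLimiter("messages", peer_rate=5, peer_burst=5,
                          global_rate=100, global_burst=100, pause_s=2.0)
    for event, decision in zip(FLOOD, replay(limiter, FLOOD)):
        print(event, decision)
```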
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each message based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal
Bit offset | 0-7 | 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5 on the latency.
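Header-based prioritization as described above, as an added Python example (not SDC code). The header layout follows the Diameter base protocol; the rule rows, the `None` wildcard for "does not matter", and the first-match-wins order are assumptions for illustration. The R bit marks a request, so "Is Answer" is true when it is clear.

```python
import struct
from collections import namedtuple

R_BIT, T_BIT = 0x80, 0x10            # request and retransmit flags in the header
HIGH, NORMAL = "High", "Normal"
CREDIT_CONTROL = 272                 # CCR/CCA command code
GX_APP, RX_APP = 16777238, 16777236  # 3GPP Gx and Rx application IDs

Header = namedtuple("Header", "length is_answer is_retransmit command_code app_id")
Rule = namedtuple("Rule", "is_answer is_retransmit command_code app_id priority")

# Constructed priority table; None means "does not matter".
PRIORITY_TABLE = [
    Rule(True, None, CREDIT_CONTROL, GX_APP, HIGH),   # CCA on Gx
    Rule(None, True, None, None, HIGH),               # any retransmitted message
]


def parse_header(buf):
    """Parse the fixed 20-byte Diameter header; raise ValueError if it is not sane."""
    if len(buf) < 20:
        raise ValueError("Diameter header needs 20 bytes")
    ver_len, flags_code, app_id, _hbh, _e2e = struct.unpack_from("!IIIII", buf)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1 or length < 20 or length % 4:
        raise ValueError("bad version or message length")
    return Header(length, not (flags & R_BIT), bool(flags & T_BIT), code, app_id)


def classify(buf, table=PRIORITY_TABLE):
    """Return the priority of the first matching rule, or Normal if none matches."""
    hdr = parse_header(buf)
    for rule in table:
        if all(want is None or want == got for want, got in zip(rule[:4], hdr[1:])):
            return rule.priority
    return NORMAL


def build_header(flags, code, app_id, length=20, hbh=1, e2e=1):
    """Encode a header for the constructed samples below."""
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | code, app_id, hbh, e2e)


if __name__ == "__main__":
    samples = {
        "CCA on Gx": build_header(0x40, CREDIT_CONTROL, GX_APP),
        "CCR on Gx": build_header(0xC0, CREDIT_CONTROL, GX_APP),
        "retransmitted AAR on Rx": build_header(0xD0, 265, RX_APP),
    }
    for name, raw in samples.items():
        print(name, "->", classify(raw))
```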
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31: “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform comprises the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure labels: Management Console, HTTPS Web Access, Provisioning Interface (SOAP), Web Service SOAP XML, Configuration Manager, SDC Core, SDC Blade/Server, SDC Node, OAM, Fault and Performance Manager, Security and Administration Manager, SNMP/Syslog, AMM, CLI]
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node configuration and management
• Remote Peer configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restarting the Diameter Router
instance if the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Figure labels: “Scalable Mode” SDC Node, scalable (12 blades); External Network with Clients Backbone (Client 1 to Client K) and Servers Backbone (Server 1 to Server M); Interconnect; Management Network; SDC Blade 1, 2, 3 ... 12; VIP (Active), VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage]
Figure 33: Scalable Deployment Physical View
HA Cluster Config Mgr
Shared MemorySDC
EngineSDC
EngineSDC
EngineSDC
Engine
FEP-O(SCTP)
FEP-O(TCP)
FEP-I
(IPSEC)
FEP-I
(TCP)
Web UI
SOAP
ClientClient
ClientClient
ClientServer
ClientServer
Figure 34 Scalable Deployment Logical View
[Figure 35: Main Software Processes. Diagram labels: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent.]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
[Figure 36: Hot-Standby HA architecture. Diagram labels: Node 1 and Node 2, each with SDC Core, Web UI / WS, Configuration Manager, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer; Server Peer; Management Workstation.]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
[Figure 37: Scalable N+K HA architecture, normal operation. Diagram labels: three SDC nodes, each with a Physical IP, Diameter VIP and Management VIP; Web UI / WS and Configuration Manager on two of the nodes; Session Replication between nodes; Client 1; Management Workstation; flow steps 1, 2 and 3.]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP address.
b. The floating IP address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP address are managed by the cluster software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
[Figure 38: Scalable N+K HA architecture, failure operation. Diagram labels: three SDC nodes, each with a Physical IP, Diameter VIP and Management VIP; Web UI / WS and Configuration Manager on two of the nodes; Session Replication between nodes; Client 1; Management Workstation; flow steps 1, 2 and 3.]
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides a fast response to any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (In scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic persistent data store recovery; process start
Lockup | Service monitor | Process forced termination; automatic persistent data store recovery; process start
Partial lockup | Service monitor | Process forced termination; automatic persistent data store recovery; process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (In scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
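The connection and message checks described under Diameter connection security and Diameter message security above, sketched as an added Python example (it is not SDC code and does not use SDC's policy interface): it parses the Diameter wire format, enforces a maximum message length, applies a default-deny ACL to the CER, and screens AVPs before forwarding. The length limit, ACL rules, key, host names and the `.hidden.example` alias scheme are assumptions made up for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

MAX_MSG_LEN = 4096   # assumed limit; the page only says a maximum is enforced
CER, ULR = 257, 316  # Capabilities-Exchange; S6a Update-Location
SESSION_ID, ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, ROUTE_RECORD = 263, 264, 296, 258, 282
S6A = 16777251       # 3GPP S6a/S6d application id
ACL = [  # constructed sample policy: first match wins, default deny
    {"action": "REJECT", "realm": "untrusted.example"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24", "realm": "partner.example", "app_id": S6A},
]

def encode_avp(code, data, flags=0x40):
    """AVP without Vendor-Id: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + bytes(-length % 4)

def encode_msg(cmd, app_id, avps):
    """Build a request (R flag set) from (code, data) pairs; used for the samples."""
    body = b"".join(encode_avp(c, d) for c, d in avps)
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80" + cmd.to_bytes(3, "big")
    return head + struct.pack("!III", app_id, 1, 1) + body

def parse_msg(raw):
    """Return (cmd, flags, avps); each AVP is (code, flags, data, wire_bytes)."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > MAX_MSG_LEN:
        raise ValueError("message exceeds maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match the data received")
    avps, off = [], 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", raw[off:off + 5])
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if aflags & 0x80 else 8  # V flag set: a Vendor-Id follows
        if alen < hdr or off + alen > length:
            raise ValueError("AVP length out of bounds")
        end = off + alen + (-alen % 4)
        avps.append((code, aflags, raw[off + hdr:off + alen], raw[off:end]))
        off = end
    return int.from_bytes(raw[5:8], "big"), raw[4], avps

def check_cer(raw, peer_ip, acl=ACL):
    """Decide ACCEPT/REJECT for the first message on a new connection."""
    try:
        cmd, flags, avps = parse_msg(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if cmd != CER or not flags & 0x80:
        return "REJECT", "first message is not a CER"
    base = [(c, d) for c, f, d, _ in avps if not f & 0x80]  # ignore vendor AVPs
    realm = next((d.decode("ascii", "replace") for c, d in base if c == ORIGIN_REALM), None)
    apps = {int.from_bytes(d, "big") for c, d in base if c == AUTH_APP_ID}
    addr = ipaddress.ip_address(peer_ip)
    for rule in acl:
        if "subnet" in rule and addr not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "realm" in rule and realm != rule["realm"]:
            continue
        if "app_id" in rule and rule["app_id"] not in apps:
            continue
        return rule["action"], "matched ACL rule"
    return "REJECT", "no ACL rule matched"

def alias(key, name):
    """Keyed pseudonym: stable for one host, not reversible without the key."""
    return hmac.new(key, name, hashlib.sha256).hexdigest()[:16].encode() + b".hidden.example"

def screen(raw, key, drop=frozenset({ROUTE_RECORD})):
    """Drop topology-revealing AVPs and rewrite host names before forwarding."""
    _, _, avps = parse_msg(raw)
    out = []
    for code, aflags, data, wire in avps:
        base = not aflags & 0x80          # vendor-specific AVPs pass through
        if base and code in drop:
            continue
        if base and code == ORIGIN_HOST:
            wire = encode_avp(code, alias(key, data), aflags)
        elif base and code == SESSION_ID:  # "<host>;<high>;<low>[;optional]"
            host, sep, rest = data.partition(b";")
            wire = encode_avp(code, alias(key, host) + sep + rest, aflags)
        out.append(wire)
    body = b"".join(out)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body

# Constructed sample messages (not captured traffic).
HOST = b"mme01.core.partner.example"
SAMPLE_CER = encode_msg(CER, 0, [(ORIGIN_HOST, HOST), (ORIGIN_REALM, b"partner.example"),
                                 (AUTH_APP_ID, S6A.to_bytes(4, "big"))])
SAMPLE_ULR = encode_msg(ULR, S6A, [(SESSION_ID, HOST + b";1;1"), (ORIGIN_HOST, HOST),
                                   (ORIGIN_REALM, b"partner.example"), (ROUTE_RECORD, b"dra7.internal.example")])
```

Because the alias is keyed and deterministic, the same internal host always maps to the same external name; a deployment that must route answers back would also keep the reverse mapping, which this sketch leaves out.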
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of switch modules (one pair for signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution is done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs are not dependent on each other
[Figure 43: Local Network redundancy architecture. Diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and Virtual Fabric Switch 2 (external ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and Switch B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP; MGMT-A, MGMT-B; INBAND; Interswitch Links; connections to upstream routers; Virtual IPs for SCTP and TCP (all VIPs are doubled per Internal and External Networks).]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
[Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.]
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high-capacity, high-performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
5.2 Edge deployment
SDC can be deployed at the border of the service provider or IPX network. When deployed at the edge of the network, SDC serves as a single point of attachment for roaming partners, other service providers or the IPX network. Edge deployment of SDC is shown in Figure 5. In this deployment SDC:
• Hides the Diameter network topology and performs Diameter traffic steering and routing based on predefined rules and roaming policies
• Enforces Diameter security policies on incoming Diameter connections and applies message normalization and adaptation
• Performs message normalization and adaptation between Diameter variants and between Diameter and legacy protocols
SDC serves as an IWF function defined by 3GPP standards (29.805 and 29.305).
In edge deployment, SDC works as a Diameter Proxy agent.
Figure 5: SDC roaming deployment
5.3 Dual mode deployment
In dual mode deployment, SDC serves as an internal network router and load-balancer. Dual mode deployment of SDC is shown in Figure 6. SDC routes traffic between different Diameter-enabled network nodes within the operator’s network and provides roaming connectivity with partner service provider networks and MVNO/ISP networks using Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for the roaming connection and Relay for the local PLMN.
Figure 6: SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports multi-site deployments by providing a centralized point of control. When using EMS, each site is installed with an EMS agent used to collect key performance indicators from the site and communicate with the EMS manager in the EMS to relay and receive global configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder component. These components respectively forward information to and receive information from the EMS manager and Splunk components in the management site, to create an overview of the deployment’s performance and support shared configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each site is installed with its own Splunk component. The Splunk component for each site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. This is achieved by uploading Diameter data dictionaries. New data
dictionaries are uploaded at runtime, which does not require a software upgrade or
maintenance downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, CAMEL
  Support for the SS7 protocols – MAP and CAMEL – is provided by the
  SDC in a few ways. The implementation of the SDC as an IWF provides a
  variety of support scenarios between Diameter and MAP, including the
  following:
  o Mobility management – an S6a/S6d - Rel8 Gr interworking
    scenario
    In this interworking scenario, the SDC acts as an IWF directly
    connecting between a Diameter based MME or SGSN using S6a/S6d
    and a MAP based Rel8 HLR using Gr.
  o Mobility management – an S6a/S6d - S6a/S6d interworking
    scenario with two IWFs
    In this interworking scenario, the Traffix SDC acts as an IWF that
    works with an additional 3rd party IWF to connect between a
    Diameter based MME or SGSN using S6a/S6d, a Diameter based
    Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
    SS7/MAP based roaming agreement.
  o IMEI check – an S13/S13' - Gf interworking scenario with one
    IWF
    In this interworking scenario, the SDC acts as an IWF directly
    connecting between a Diameter based MME or SGSN using
    S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
Figure 8: SDC Platform Architecture (diagram labels: HA Cluster, Config Mgr, Shared Memory, four CPF nodes, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
This component provides both a web-based interactive GUI and a SOAP-based programmatic
system configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
session management, routing, load balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
  from external clients and performs Peer management.
• FEP-O: A single network aggregation point hides the internal network architecture from
  external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
  Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
  decision results in the selection of a destination pool for the session. A pool must
  contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
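The two enforcement levels described above can be sketched as follows. This is an added example, not SDC code or its rule syntax: the ACL entries, the rule layout, the host names and the function names are all assumptions, and the peer's first request is modelled as a dictionary of AVPs from a Diameter Capabilities-Exchange-Request.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed IP-level ACL with wildcards; first match wins, unmatched is denied.
IP_ACL = [
    ("deny", "10.20.30.99"),
    ("allow", "10.20.30.*"),
    ("allow", "192.0.2.17"),
]

# Constructed application-level rules, matched against AVPs of the first
# request on a connection (the Diameter Capabilities-Exchange-Request).
APP_RULES = [
    {"Origin-Realm": "partner-a.example",
     "Origin-Host": "*.partner-a.example",
     "Auth-Application-Id": {16777251}},   # S6a/S6d
    {"Origin-Realm": "home.example",
     "Origin-Host": "pcef*.home.example",
     "Auth-Application-Id": {16777238}},   # Gx
]


def ip_allowed(src_ip):
    """Apply the wildcard ACL to the peer's source address (default deny)."""
    try:
        addr = str(ipaddress.ip_address(src_ip))  # reject malformed input
    except ValueError:
        return False
    for action, pattern in IP_ACL:
        if fnmatchcase(addr, pattern):
            return action == "allow"
    return False


def app_allowed(cer):
    """Check the claimed identity and advertised applications against APP_RULES."""
    host = str(cer.get("Origin-Host", "")).lower()
    realm = str(cer.get("Origin-Realm", "")).lower()
    apps = set(cer.get("Auth-Application-Id", []))
    for rule in APP_RULES:
        if (realm == rule["Origin-Realm"]
                and fnmatchcase(host, rule["Origin-Host"])
                and apps and apps <= rule["Auth-Application-Id"]):
            return True
    return False


def admit_peer(src_ip, cer):
    """Return (accepted, stage); stage names the check that decided."""
    if not ip_allowed(src_ip):
        return (False, "ip-acl")
    if not app_allowed(cer):
        return (False, "application")
    return (True, "accepted")
```

Origin-Host and Origin-Realm are values the peer asserts about itself, so the application-level rule only constrains a peer that has already passed the IP-level rule.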
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
   using SOAP API to the SDC internal provisioning database. When a new Diameter
   session is established, SDC fetches the destination from its provisioning database.
   When provisioning routing entries, expiry time can be set for the provisioned
   entries or they can be kept on a permanent basis.
   In addition to provisioning, SDC can calculate routing decisions or apply default
   decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
   new Diameter session's establishment, SDC will send a request to the location
   function. The request will include the query parameters, and the response will
   contain the appropriate pool for the specific request. The query parameters are
   extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
   implements the same logic as described above, but instead of sending requests to an
   external system, SDC performs a programmatic call to an external library integrated
   within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions inherit their routing rules from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
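The Master/Slave binding described above, as an added sketch that is not SDC code: the class, the method names, the APN-based routing rule and the sample sessions are assumptions. It binds Rx (Slave) sessions to the PCRF chosen for the Gx (Master) session through a Binding Key built from the AVPs named in the text.

```python
class SessionBinder:
    """Route Slave Sessions to the peer chosen for their Master Session."""

    def __init__(self, binding_avps, route_master):
        self.binding_avps = tuple(binding_avps)  # AVPs forming the Binding Key
        self.route_master = route_master         # routing rule for Master Sessions
        self._by_key = {}                        # binding key -> (master id, peer)
        self._key_of = {}                        # master id -> binding key

    def _binding_key(self, avps):
        """Extract the Binding Key, or None if any binding AVP is absent."""
        try:
            return tuple(avps[name] for name in self.binding_avps)
        except KeyError:
            return None

    def open_master(self, session_id, avps):
        """Run the routing rule once and remember the result under the key."""
        peer = self.route_master(avps)
        key = self._binding_key(avps)
        if key is not None:
            self._by_key[key] = (session_id, peer)
            self._key_of[session_id] = key
        return peer

    def open_slave(self, avps):
        """Return the Master Session's peer, or None when nothing is bound."""
        entry = self._by_key.get(self._binding_key(avps))
        return entry[1] if entry else None

    def close_master(self, session_id):
        """Drop the binding, unless a newer Master Session took over the key."""
        key = self._key_of.pop(session_id, None)
        if key is not None and self._by_key.get(key, (None,))[0] == session_id:
            del self._by_key[key]


def route_by_apn(avps):
    """Constructed Master Session routing rule: pick a PCRF by APN."""
    pools = {"internet": "pcrf-1", "ims": "pcrf-2"}
    return pools.get(avps.get("Called-Station-Id"), "pcrf-default")


def demo():
    binder = SessionBinder(("Called-Station-Id", "Framed-IP-Address"), route_by_apn)
    # Constructed data: two UEs hold the same private address on different APNs.
    ue_net = {"Called-Station-Id": "internet", "Framed-IP-Address": "10.0.0.7"}
    ue_ims = {"Called-Station-Id": "ims", "Framed-IP-Address": "10.0.0.7"}
    binder.open_master("gx;1", ue_net)
    binder.open_master("gx;2", ue_ims)
    rx_ims = binder.open_slave(ue_ims)
    rx_net = binder.open_slave(ue_net)
    binder.close_master("gx;2")
    return rx_ims, rx_net, binder.open_slave(ue_ims)
```

With Framed-IP-Address alone as the Binding Key, the two constructed UEs collide and the later Master Session wins, which is the case the combined Called-Station-ID and Framed-IP-Address key avoids.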
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
   In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
   Diameter client peer using the same Diameter Session-ID that was previously
   established by the Diameter client side. SDC routes the request to the client
   that established the session, as shown in the call flow depicted in Figure 16.
   Figure 16: In session call flow of server initiated Diameter request
   SDC accepts requests from different server peers as long as the requests share
   a Session-ID that was established by the client peer, as shown in the call flow
   depicted in Figure 17.
   Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
   In some cases, the communication between the Diameter client and server peers
   is stateless, meaning that SDC does not maintain a reverse path for the
   Session-ID. To allow proper handling of out of session server initiated Diameter
   requests, SDC implements advanced routing rules that can be used by the user to
   define the required behavior. In case no rule is set, SDC sends the request to a
   client based on the request's Destination-Host AVP. This behavior is shown
   in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a
  grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the "default" pool.
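The rule described in the list above, written out as an added example rather than the Groovy rule from Figure 20, which is not reproduced on this page. The IMSI ranges are constructed placeholders, the function names are assumptions, and the request is modelled as a dictionary using the standard AVP names Subscription-Id, Subscription-Id-Type and Subscription-Id-Data.

```python
END_USER_IMSI = 1  # Subscription-Id-Type value that marks an IMSI (RFC 4006)

# Constructed IMSI ranges; the ranges used in Figure 20 are not on this page.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(ccr):
    """Return the IMSI from the grouped Subscription-Id AVP, or None.

    A request may carry several Subscription-Id AVPs (for example an E.164
    number and an IMSI), so the type field is checked before the data is used.
    """
    for sub in ccr.get("Subscription-Id", []):
        if sub.get("Subscription-Id-Type") != END_USER_IMSI:
            continue
        data = sub.get("Subscription-Id-Data")
        if (isinstance(data, str) and data.isascii() and data.isdigit()
                and 6 <= len(data) <= 15):
            return data
    return None


def select_pool(ccr):
    """Pick the PCRF pool for a new Gx session from the subscriber's IMSI."""
    imsi = extract_imsi(ccr)
    if imsi is None:
        return DEFAULT_POOL          # AVP missing or malformed
    for low, high, pool in IMSI_RANGES:
        # Same-length digit strings compare correctly as text, and the
        # length check stops a short value from matching by prefix.
        if len(imsi) == len(low) and low <= imsi <= high:
            return pool
    return DEFAULT_POOL              # IMSI outside both ranges
```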
Alternatively, the Routing Rule can query an external data source – as shown in Figure 21 –
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available peer in line. Round Robin is a static algorithm. It takes no
external parameters into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It takes no
external parameters into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in line, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
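The Weighted Round Robin and Contextual policies described above, as an added sketch that is not SDC's implementation: the quota bookkeeping, the SHA-256 based mapping of a Context ID onto weighted slots, the peer names and the function names are assumptions chosen to match the behaviour the text describes.

```python
import hashlib


class WeightedRoundRobin:
    """Round robin in which a peer is skipped once it has reached its quota."""

    def __init__(self, weights):
        self.weights = dict(weights)               # peer -> quota per cycle
        self.sent = {peer: 0 for peer in self.weights}
        self.cursor = 0

    def pick(self, in_service=None):
        order = list(self.weights)
        live = [p for p in order if in_service is None or p in in_service]
        if not live:
            return None
        if all(self.sent[p] >= self.weights[p] for p in live):
            self.sent = {p: 0 for p in order}      # every quota used: new cycle
            self.cursor = 0
        for step in range(len(order)):
            index = (self.cursor + step) % len(order)
            peer = order[index]
            if peer in live and self.sent[peer] < self.weights[peer]:
                self.sent[peer] += 1
                self.cursor = (index + 1) % len(order)
                return peer
        return None


def contextual_pick(context_id, weights, in_service=None):
    """Map a Context ID (by default the Session-Id) to one peer, by weight.

    The same Context ID always yields the same peer while the set of
    in-service peers is unchanged; the mapping shifts when that set changes.
    """
    live = [(p, w) for p, w in weights.items()
            if w > 0 and (in_service is None or p in in_service)]
    total = sum(w for _, w in live)
    if total == 0:
        return None
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for peer, weight in live:
        if slot < weight:
            return peer
        slot -= weight
    return None


def wrr_sequence(weights, count, in_service=None):
    """Return the peers chosen for `count` consecutive new sessions."""
    balancer = WeightedRoundRobin(weights)
    return [balancer.pick(in_service) for _ in range(count)]


# Constructed pool using the 3:2:1:1 weights from the text.
POOL = {"peer-1": 3, "peer-2": 2, "peer-3": 1, "peer-4": 1}
```

`wrr_sequence(POOL, 7)` yields peer-1, peer-2, peer-3, peer-4, peer-1, peer-2, peer-1, after which the cycle repeats.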
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
  resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
  limiting the number of requests pending answers per destination peer or group of
  destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
  allocation, e.g. controlling the incoming message/traffic rate or by bounding the
  incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic The limiter estimates the incoming traffic rate for each Peer (channel)
separately Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate If the actual rate exceeds the allowed rate the limiter stops reading from the Peer
for a user-configurable amount of time In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC the overload protection mechanism described in
Chapter 83 is activated
Global Rate Limiter
The Global Rate Limiter is used to prevent all clients from flooding SDC with a large amount
of traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). The estimated traffic reading rate is then compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. If the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
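The token bucket check and the channel and global limiters described above can be modelled as follows. This Python example is added here and is not SDC code; the class names, the one-second burst allowance, the two-second pause and all rates are assumptions chosen for illustration.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens per second, holding at most `capacity` tokens."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity        # start full so an initial burst is allowed
        self.last = 0.0

    def refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def conforms(self, cost, now):
        """True if `cost` tokens are available; the bucket content is not changed."""
        self.refill(now)
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class Scope:
    """Message-rate and byte-rate buckets for one channel (peer) or for all peers."""

    def __init__(self, msg_rate, byte_rate, burst_seconds):
        self.msgs = TokenBucket(msg_rate, msg_rate * burst_seconds)
        self.octets = TokenBucket(byte_rate, byte_rate * burst_seconds)
        self.paused_until = 0.0

    def conforms(self, size, now):
        ok_msgs = self.msgs.conforms(1, now)        # message limiter: one token per message
        ok_bytes = self.octets.conforms(size, now)  # byte limiter: one token per byte
        return ok_msgs and ok_bytes

    def take(self, size):
        self.msgs.take(1)
        self.octets.take(size)


class ReadLimiter:
    """Channel and global rate limiters that stop reading for `pause_seconds` on violation."""

    def __init__(self, peer_limits, global_limits, burst_seconds=1.0, pause_seconds=2.0):
        self.peer_limits = peer_limits      # (messages/s, bytes/s) allowed per peer
        self.burst = burst_seconds
        self.pause = pause_seconds
        self.total = Scope(global_limits[0], global_limits[1], burst_seconds)
        self.peers = {}

    def on_message(self, peer, size, now):
        if peer not in self.peers:
            self.peers[peer] = Scope(self.peer_limits[0], self.peer_limits[1], self.burst)
        scope = self.peers[peer]
        if now < self.total.paused_until:
            return "global_paused"          # reading from all peers is suspended
        if now < scope.paused_until:
            return "peer_paused"            # reading from this peer is suspended
        if not scope.conforms(size, now):
            scope.paused_until = now + self.pause
            return "peer_paused"
        if not self.total.conforms(size, now):
            self.total.paused_until = now + self.pause
            return "global_paused"
        scope.take(size)                    # tokens are removed only for conforming messages
        self.total.take(size)
        return "accept"


def demo():
    """Constructed traffic: peer-a bursts, peer-b exhausts the global budget, peer-c is oversized."""
    lim = ReadLimiter(peer_limits=(5, 1000), global_limits=(8, 10000))
    out = [lim.on_message("peer-a", 100, 0.0) for _ in range(6)]
    out += [lim.on_message("peer-b", 100, 0.0) for _ in range(4)]
    out.append(lim.on_message("peer-a", 100, 1.0))    # still inside the global pause
    out.append(lim.on_message("peer-a", 100, 2.0))    # pauses expired, buckets refilled
    out.append(lim.on_message("peer-c", 1500, 10.0))  # larger than the byte bucket capacity
    return out


if __name__ == "__main__":
    print(demo())
```

A message larger than the byte bucket capacity can never conform, so the burst allowance has to be sized above the largest message the operator accepts.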
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter header layout:
Bit offset | Bits 0-7 | Bits 8-31
0          | version  | message length
32         | R P E T  | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160 ...    | AVPs
When prioritization is performed using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have an impact of up to 5 on the latency.
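Header-based prioritization as described above needs only the fixed 20-byte header. The following Python example is added here and is not SDC code; the rule table, function names and sample messages are constructed, with `None` standing for "does not matter". Command code 272 (Credit-Control) and the flag bit values are the standard Diameter ones.

```python
import struct

R_BIT, P_BIT, E_BIT, T_BIT = 0x80, 0x40, 0x20, 0x10   # Diameter command flags


def parse_header(data):
    """Decode the fixed 20-byte Diameter header (layout shown above)."""
    if len(data) < 20:
        raise ValueError("short Diameter header")
    ver_len, flags_code, app_id, hop_by_hop, end_to_end = struct.unpack("!5I", data[:20])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1 or length < 20 or length % 4:
        raise ValueError("invalid version or message length")
    flags = flags_code >> 24
    return {
        # The R bit is set on requests, so an answer is a message with R cleared.
        "is_answer": not (flags & R_BIT),
        "is_retransmit": bool(flags & T_BIT),
        "command_code": flags_code & 0xFFFFFF,
        "application_id": app_id,
        "length": length,
    }


# Constructed priority table, first match wins:
# (is_answer, is_retransmit, command_code, application_id, priority)
PRIORITY_TABLE = [
    (True, None, 272, None, "high"),      # Credit-Control answers (CCA over CCR)
    (False, True, None, None, "high"),    # retransmitted requests (T bit set)
]


def classify(data, table=PRIORITY_TABLE):
    """Return the priority for a raw message; normal priority if no rule matches."""
    h = parse_header(data)
    key = (h["is_answer"], h["is_retransmit"], h["command_code"], h["application_id"])
    for *match, priority in table:
        if all(m is None or m == k for m, k in zip(match, key)):
            return priority
    return "normal"


def header(flags, code, app_id, length=20):
    """Build a header-only sample message (constructed test input)."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | code, app_id, 0x11, 0x22)


if __name__ == "__main__":
    gx = 16777238                                   # Gx application ID
    print(classify(header(P_BIT, 272, gx)))         # CCA
    print(classify(header(R_BIT | P_BIT, 272, gx))) # CCR
```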
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher
priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from the Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
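The threshold behaviour of In Session Monitoring can be modelled with a sliding window of error events per peer. This Python example is added here and is not SDC code; the class, the window, threshold and hold values, and the peer names are assumptions. Result-Code 3004 is the standard DIAMETER_TOO_BUSY value.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004          # standard Diameter Result-Code


class PeerHealth:
    """Counts error events in a sliding window and takes the peer out of service."""

    def __init__(self, max_errors=3, window=10.0, hold=30.0, max_response_time=1.0):
        self.max_errors = max_errors                # threshold (assumed value)
        self.window = window                        # seconds of history considered
        self.hold = hold                            # "out of service" interval in seconds
        self.max_response_time = max_response_time
        self.errors = deque()
        self.out_until = 0.0
        self.last_reason = None

    def record(self, now, result_code=None, response_time=None):
        """Record one transaction outcome; result_code None means the request timed out."""
        if result_code is None:
            reason = "timeout"
        elif result_code == DIAMETER_TOO_BUSY:
            reason = "busy answer"
        elif result_code >= 3000:
            reason = "error code %d" % result_code
        elif response_time is not None and response_time > self.max_response_time:
            reason = "slow response"
        else:
            return self.in_service(now)             # success: nothing to count
        self.errors.append(now)
        while self.errors and self.errors[0] <= now - self.window:
            self.errors.popleft()                   # drop events older than the window
        if len(self.errors) > self.max_errors and self.in_service(now):
            self.out_until = now + self.hold
            self.last_reason = reason               # detail for the alarm sent to the OSS
            self.errors.clear()                     # fresh start after the hold period
        return self.in_service(now)

    def in_service(self, now):
        return now >= self.out_until


def pick_peer(pool, order, now):
    """Return the first in-service peer for a new session, or None to reject gracefully."""
    for name in order:
        if pool[name].in_service(now):
            return name
    return None


if __name__ == "__main__":
    hss1, hss2 = PeerHealth(), PeerHealth()
    for t in (0, 1, 2):
        hss1.record(t, DIAMETER_TOO_BUSY, 0.1)      # constructed events
    hss1.record(3)                                  # timeout pushes hss-1 over the threshold
    print(pick_peer({"hss-1": hss1, "hss-2": hss2}, ["hss-1", "hss-2"], 20))
```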
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-
establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform comprises the
modules shown in Figure 32.
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
[Diagram labels: Management Console (HTTPS Web access), Web Service Provisioning Interface (SOAP/XML), Configuration Manager, SDC Core, SDC Node, Fault and Performance Manager, Security and Administration Manager, CLI, SNMP/Syslog.]
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out of the box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- The SDC core process is responsible for the processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- The Config Manager process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View
[Diagram labels: "Scalable Mode" SDC Node with SDC Blades 1 to 12 (SDC Engine, VIP Active/Standby, Web Interface, Config Mgr, Distributed Storage), Clients Backbone, Servers Backbone, External Network, Interconnect, Management Network.]
Figure 34: Scalable Deployment Logical View
[Diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients, Servers.]
Figure 35: Main Software Processes
[Diagram labels: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent.]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
[Diagram labels: Node 1 and Node 2 (SDC Core, Web UI WS, Configuration Manager, Diameter VIP, Management VIP), Session Replication, Client Peer, Server Peer, Management Workstation.]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
[Diagram labels: SDC nodes (SDC, Web UI WS, Configuration Manager, Diameter VIP, Management VIP, Physical IP), Session Replication, Client, Management Workstation; flow steps 1, 2 and 3.]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using the Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
[Diagram labels: SDC nodes (SDC, Web UI WS, Configuration Manager, Diameter VIP, Management VIP, Physical IP), Session Replication, Client, Management Workstation; flow steps 1, 2 and 3.]
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's components; "scalable deployment" is assumed.
Component/Service     | HA Model                                            | Maximum Concurrent Active Instances | Comments
SDC                   | Active/Active                                       | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication         | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store     | Active/Active                                       | N | One instance per node
Web UI WS             | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF                   | VIP Failover (Active/Multiple standbys)             | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware - RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS are new sessions
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = (10 / 1000) × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
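A CER-based access policy of the kind described above walks the AVPs of the CER and decides ACCEPT or REJECT. This Python example is added here and is not SDC code or its policy language; the policy structure, subnet, realm, host names and sample AVPs are constructed. The AVP codes and the 32-bit padding rule are the standard Diameter ones.

```python
import ipaddress
import struct

ORIGIN_HOST, ORIGIN_REALM, AUTH_APPLICATION_ID = 264, 296, 258   # base AVP codes


def parse_avps(buf):
    """Return {(vendor_id, code): [data, ...]} for the AVPs after the 20-byte header."""
    avps, pos = {}, 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8              # V bit adds a 4-byte Vendor-ID
        if length < hdr or pos + length > len(buf):
            raise ValueError("bad AVP length")       # never read past the message
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(buf[pos + hdr:pos + length])
        pos += (length + 3) & ~3                     # AVPs are padded to 32 bits
    return avps


def evaluate_cer(src_ip, avp_bytes, policy):
    """Apply a constructed ACL to a CER; returns (decision, reason)."""
    try:
        avps = parse_avps(avp_bytes)
        host = avps[(0, ORIGIN_HOST)][0].decode("ascii").lower()
        realm = avps[(0, ORIGIN_REALM)][0].decode("ascii").lower()
        # Only top-level Auth-Application-Id AVPs are considered in this example.
        apps = {struct.unpack("!I", d)[0] for d in avps.get((0, AUTH_APPLICATION_ID), [])}
    except (ValueError, KeyError, struct.error):
        return "REJECT", "malformed CER"
    address = ipaddress.ip_address(src_ip)
    if not any(address in net for net in policy["subnets"]):
        return "REJECT", "source address not in ACL"
    if realm not in policy["realms"]:
        return "REJECT", "realm not permitted"
    if not host.endswith("." + realm):
        return "REJECT", "Origin-Host outside Origin-Realm"
    if not apps & policy["applications"]:
        return "REJECT", "no permitted application"
    return "ACCEPT", "ok"


def avp(code, data, flags=0x40):
    """Encode one base-protocol AVP with the M bit set (constructed test input)."""
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


# Constructed policy: one signaling subnet, one realm, Gx only.
POLICY = {
    "subnets": [ipaddress.ip_network("10.20.0.0/24")],
    "realms": {"operator.example"},
    "applications": {16777238},
}

SAMPLE_CER_AVPS = (avp(ORIGIN_HOST, b"pcrf1.operator.example")
                   + avp(ORIGIN_REALM, b"operator.example")
                   + avp(AUTH_APPLICATION_ID, struct.pack("!I", 16777238)))

if __name__ == "__main__":
    print(evaluate_cer("10.20.0.5", SAMPLE_CER_AVPS, POLICY))
    print(evaluate_cer("192.0.2.9", SAMPLE_CER_AVPS, POLICY))
```

Malformed or truncated AVPs are rejected before any policy rule is evaluated, so a peer cannot bypass the ACL with a message the parser only partly understands.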
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
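
The CER-based access policy of section 11.5 and the maximum message length check of section 11.6, as an added example (not code from the SDC product): a parser that enforces a length limit and then applies a first-match ACL to the peer's transport source address, Origin-Realm and Auth-Application-Id. The rule format, the 4096-byte limit, the function names and the sample CER are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Base-protocol codes (RFC 3588 / RFC 6733).
CMD_CER = 257
AVP_AUTH_APPLICATION_ID = 258
AVP_ORIGIN_HOST = 264
AVP_PRODUCT_NAME = 269
AVP_ORIGIN_REALM = 296
FLAG_REQUEST = 0x80   # R bit in the message header
FLAG_VENDOR = 0x80    # V bit in the AVP header
MAX_MESSAGE_LENGTH = 4096  # assumed operator limit, not a product default

# Constructed policy: first matching rule wins, anything unmatched is rejected.
ACL_RULES = [
    {"action": "REJECT", "realm": "blocked.example.net"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24",
     "realm": "partner.example.org", "app_id": 16777251},
]


def encode_avp(code, data, flags=0x40):
    """Encode a non-vendor AVP, padded to a 4-byte boundary."""
    length = 8 + len(data)
    head = struct.pack("!IB3s", code, flags, length.to_bytes(3, "big"))
    return head + data + b"\x00" * (-length % 4)


def build_cer(origin_host, origin_realm, app_id, product):
    """Build an abbreviated, constructed CER used as sample input."""
    avps = b"".join([
        encode_avp(AVP_ORIGIN_HOST, origin_host.encode()),
        encode_avp(AVP_ORIGIN_REALM, origin_realm.encode()),
        encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", app_id)),
        encode_avp(AVP_PRODUCT_NAME, product.encode(), flags=0),
    ])
    total = 20 + len(avps)
    return struct.pack("!B3sB3sIII", 1, total.to_bytes(3, "big"), FLAG_REQUEST,
                       CMD_CER.to_bytes(3, "big"), 0, 1, 1) + avps


def parse_message(raw, max_length=MAX_MESSAGE_LENGTH):
    """Return header fields and AVPs; raise ValueError on bad or oversized input."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("truncated header or unsupported version")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_length:
        raise ValueError("message exceeds maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match message")
    avps, offset = {}, 20
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, offset)
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        head = 12 if flags & FLAG_VENDOR else 8
        if avp_len < head or offset + avp_len > length:
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", raw, offset + 8)[0] if head == 12 else 0
        avps.setdefault((vendor, code), []).append(raw[offset + head:offset + avp_len])
        offset += avp_len + (-avp_len % 4)
    return {"request": bool(raw[4] & FLAG_REQUEST),
            "command": int.from_bytes(raw[5:8], "big"), "avps": avps}


def evaluate_cer(raw, source_ip, rules=ACL_RULES):
    """Return (action, reason) for the first message on a new connection."""
    try:
        msg = parse_message(raw)
        if not msg["request"] or msg["command"] != CMD_CER:
            raise ValueError("first message is not a CER")
        realm = msg["avps"][(0, AVP_ORIGIN_REALM)][0].decode("ascii").lower()
    except KeyError:
        return "REJECT", "missing Origin-Realm"
    except ValueError as exc:
        return "REJECT", str(exc)
    app_ids = {int.from_bytes(v, "big")
               for v in msg["avps"].get((0, AVP_AUTH_APPLICATION_ID), [])}
    # The subnet is matched against the transport-level source address,
    # not against anything the peer asserts inside the CER.
    peer = ipaddress.ip_address(source_ip)
    for rule in rules:
        if "realm" in rule and rule["realm"] != realm:
            continue
        if "subnet" in rule and peer not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "app_id" in rule and rule["app_id"] not in app_ids:
            continue
        return rule["action"], "matched rule"
    return "REJECT", "no rule matched"
```

The default-reject return at the end means a peer that matches no rule, or whose first message fails parsing, never completes the capabilities exchange.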
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. A blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port), L2/3 1GB Copper Switches A and B, interswitch links and INBAND connections to upstream routers. Networks shown: EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B. Virtual IPs for SCTP and TCP are doubled per internal and external networks.]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850 nm or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850 nm or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850 nm or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850 nm or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Table columns: Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the
baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup
Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.
More details are available in Pipeline.xlsx and PeerFSM.xlsx.
[Figure 58: Detailed System Flow. Shared infrastructure: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory. Incoming stages: Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB. Outgoing stages: Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, P2P Message. Legend: Decision Table, Message Flow, Decision Flow, Groovy Scripting.]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
connectivity with partner service provider networks and MVNO/ISP networks using
Diameter, SS7 and other protocols.
The SDC can work in dual mode: Proxy for roaming connection and Relay for the local
PLMN.
Figure 6 SDC dual mode
5.4 Multi-site deployment
Release 4.0 introduces the SDC Element Management System (EMS), which supports
multi-site deployments by providing a centralized point of control. When using EMS, each
site is installed with an EMS agent used to collect key performance indicators from the site
and communicate with the EMS manager in the EMS to relay and receive global
configuration parameters.
There are two types of EMS multi-site deployments:
1. Centralized – each site is installed with an EMS agent and Splunk Forwarder
component. These components respectively forward information to and receive
information from the EMS manager and Splunk components in the management site
to create an overview of the deployment's performance and support shared
configuration across multiple sites.
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each
site is installed with its own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. This is achieved by uploading Diameter data dictionaries. Upload of new data
dictionaries is done at runtime and does not require a software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement.
o IMEI check – an S13/S13' - Gf interworking scenario with one
IWF
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols: IPv4 and IPv6.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
[Figure 8: SDC Platform Architecture. An HA cluster with the Config Mgr, Web UI and SOAP interfaces, Shared Memory and four CPF nodes, with FEP-I (IPSEC), FEP-I (TCP), FEP-O (SCTP) and FEP-O (TCP) front ends facing the external clients and servers.]
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers, as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
from external clients and performs Peer management
• FEP-O: A single network aggregation point hides the internal network architecture from
external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing chooses the peer from the pool to handle the session.
• Transformation adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11: A 4 Way Message Transformation. The Transformation Engine sits between the Client Peer and the Server Peer and handles Request and Response messages in both the Client->Server and Client<-Server directions.]
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria using combinations of Diameter AVPs, request
source and other properties to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned
entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-
Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are routed using the routing rules inherited from the Master Session.
Session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each time the Diameter Server is selected to handle a Diameter Master session, the Master Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and Table.
Figure 15 Multi-Protocol Session Binding (diagram: Diameter Client 1 and HTTP Client 1 on one side, a Diameter Server and an HTTP Server on the other, joined by session binding under the Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out of session server initiated Diameter requests, SDC implements advanced routing rules that the user can use to define the required behavior. If no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the grouped AVP called Subscription-ID, and compared to two ranges of IMSIs.
  o The first range is routed to "pcrf-cluster-a".
  o The second range is routed to "pcrf-cluster-b".
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21, to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists for the duration of the Diameter session.
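The IMSI-range rule and the Gx/Rx session binding described above can be sketched together as follows. This is an added example, not SDC's own script or code: the IMSI ranges, the class and function names, the choice to return None for an unbound Rx session, and the cleanup on Gx termination are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed IMSI ranges (inclusive); the values in the page's Figure 20 are not available.
IMSI_RULES = [
    ("425010000000000", "425014999999999", "pcrf-cluster-a"),
    ("425015000000000", "425019999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def select_pool(avps):
    """Pick the PCRF pool from Subscription-ID-Data inside the grouped Subscription-ID AVP."""
    sub = avps.get("Subscription-ID") or {}
    imsi = sub.get("Subscription-ID-Data")
    # A missing or malformed value falls through to the default pool instead of failing.
    if not isinstance(imsi, str) or len(imsi) != 15 or not (imsi.isascii() and imsi.isdigit()):
        return DEFAULT_POOL
    for low, high, pool in IMSI_RULES:
        if low <= imsi <= high:  # equal-length digit strings compare numerically
            return pool
    return DEFAULT_POOL


@dataclass
class BindingRouter:
    """Hypothetical router: Gx sessions are masters, Rx sessions are slaves."""
    binding_avps: tuple = ("Framed-IP-Address",)   # or ("Called-Station-ID", "Framed-IP-Address")
    decisions: dict = field(default_factory=dict)  # Session-ID -> pool, kept for the session lifetime
    masters: dict = field(default_factory=dict)    # binding key -> Gx (master) Session-ID

    def binding_key(self, avps):
        values = tuple(avps.get(name) for name in self.binding_avps)
        return None if None in values else values

    def route_gx(self, session_id, avps):
        """Master session: decide once at establishment, then reuse the decision."""
        if session_id in self.decisions:
            return self.decisions[session_id]
        pool = select_pool(avps)
        self.decisions[session_id] = pool
        key = self.binding_key(avps)
        if key is not None:
            self.masters[key] = session_id
        return pool

    def route_rx(self, session_id, avps):
        """Slave session: inherit the pool of the Gx session with the same binding key."""
        if session_id in self.decisions:
            return self.decisions[session_id]
        master = self.masters.get(self.binding_key(avps))
        if master is None:
            return None  # assumption: the caller decides how to treat an unbound Rx session
        pool = self.decisions[master]
        self.decisions[session_id] = pool
        return pool

    def terminate_gx(self, session_id):
        """Drop the binding so a reassigned IP address cannot bind to a stale master."""
        self.decisions.pop(session_id, None)
        for key in [k for k, sid in self.masters.items() if sid == session_id]:
            del self.masters[key]


if __name__ == "__main__":
    router = BindingRouter()
    gx = {"Subscription-ID": {"Subscription-ID-Data": "425010000000123"},
          "Framed-IP-Address": "10.0.0.7"}  # constructed sample AVPs
    print(router.route_gx("gx;1", gx), router.route_rx("rx;9", {"Framed-IP-Address": "10.0.0.7"}))
```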
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them, and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until the health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
Figure 23 Contextual Policy (diagram: clients reach SDC from the Internet through a router; traffic is contextually distributed to the remote peers according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which a new request is delivered is the next available one in the row. Round Robin is a static algorithm. It takes no external parameters into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by each peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It takes no external parameters into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in the row, messages are sent to the Diameter peer that has not yet reached its quota.
A sample request distribution with weights set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of each peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node that has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
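Three of the policies above (By Precedence, Weighted Round Robin with per-peer quotas, and Contextual) are sketched below over one pool in which peers can be taken out of service. This is an added example and not SDC's implementation: the class names are hypothetical, and the Contextual policy uses weighted rendezvous hashing, a technique chosen here so that sessions keep their peer when an unrelated peer fails; the page does not say which hash SDC uses.

```python
import hashlib
import math


class Peer:
    def __init__(self, name, weight=1):
        self.name, self.weight, self.in_service = name, weight, True


class Pool:
    def __init__(self, peers):
        self.peers = list(peers)
        self.quota = {}   # sends left for each peer in the current weighted cycle
        self.cursor = 0   # position of the next peer to try

    def available(self):
        return [p for p in self.peers if p.in_service]

    def by_precedence(self):
        """First in-service peer in pool order; a recovered peer takes over again."""
        avail = self.available()
        return avail[0].name if avail else None

    def weighted_round_robin(self):
        """Round robin over peers that have not yet used up their quota (their weight)."""
        avail = self.available()
        if not avail:
            return None
        if not any(self.quota.get(p.name, 0) > 0 for p in avail):
            self.quota = {p.name: p.weight for p in avail}  # start a new cycle
            self.cursor = 0
        n = len(self.peers)
        for step in range(n):
            peer = self.peers[(self.cursor + step) % n]
            if peer.in_service and self.quota.get(peer.name, 0) > 0:
                self.quota[peer.name] -= 1
                self.cursor = (self.cursor + step + 1) % n
                return peer.name
        return None

    def contextual(self, context_id):
        """Map a Context ID (default: the Session-ID) to one peer, in proportion to weight."""
        def score(peer):
            digest = hashlib.sha256(f"{peer.name}|{context_id}".encode()).digest()
            # 52 hash bits mapped into the open interval (0, 1), so log() is never 0.
            h = ((int.from_bytes(digest[:8], "big") >> 12) + 0.5) / 2 ** 52
            return -peer.weight / math.log(h)
        avail = self.available()
        return max(avail, key=score).name if avail else None


def make_pool():
    # Constructed pool using the 3:2:1:1 weights from the Weighted Round Robin sample.
    return Pool([Peer("A", 3), Peer("B", 2), Peer("C", 1), Peer("D", 1)])


if __name__ == "__main__":
    pool = make_pool()
    print([pool.weighted_round_robin() for _ in range(7)])
    print(pool.by_precedence(), pool.contextual("gx;session;1"))
```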
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation (diagram: requests and responses pass between the Client Peer and the Server Peer through the Transformation Engine, in the Client->Server and Client<-Server directions)
As seen in the above figure, SDC provides the flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or bounding the incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, while the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] Burstiness: a measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
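The token bucket check and the channel and global limiters described above can be combined as in the following sketch. It is an added example, not SDC code: the class names, the rates, the one-second burst size and the event list are constructed, and time is passed in explicitly so the run is deterministic.

```python
class TokenBucket:
    """Bucket that refills at `rate` tokens per second up to `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), now

    def conforms(self, amount, now):
        """Refill for the elapsed time, then report whether `amount` tokens are present."""
        if now > self.stamp:
            self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return self.tokens >= amount

    def take(self, amount):
        self.tokens -= amount


class ReadLimiter:
    """Per-peer message and byte limiters plus a global message limiter."""

    def __init__(self, peer_msg_rate, peer_byte_rate, global_msg_rate, pause, burst_seconds=1.0):
        self.peer_msg_rate, self.peer_byte_rate = peer_msg_rate, peer_byte_rate
        self.pause, self.burst_seconds = pause, burst_seconds
        self.global_bucket = TokenBucket(global_msg_rate, global_msg_rate * burst_seconds)
        self.peer_buckets = {}        # peer -> (message bucket, byte bucket)
        self.peer_paused_until = {}   # peer -> time at which reading resumes
        self.global_paused_until = 0.0

    def admit(self, peer, size, now):
        """Return 'read', 'peer-paused' or 'global-paused' for one incoming message."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.peer_buckets:
            self.peer_buckets[peer] = (
                TokenBucket(self.peer_msg_rate, self.peer_msg_rate * self.burst_seconds, now),
                TokenBucket(self.peer_byte_rate, self.peer_byte_rate * self.burst_seconds, now),
            )
        messages, octets = self.peer_buckets[peer]
        # A message larger than the byte burst can never conform.
        if not (messages.conforms(1, now) and octets.conforms(size, now)):
            self.peer_paused_until[peer] = now + self.pause   # stop reading from this peer
            return "peer-paused"
        if not self.global_bucket.conforms(1, now):
            self.global_paused_until = now + self.pause       # stop reading from all peers
            return "global-paused"
        # Tokens are removed only when every bucket conforms; otherwise nothing changes.
        messages.take(1)
        octets.take(size)
        self.global_bucket.take(1)
        return "read"


def replay(limiter, events):
    return [limiter.admit(peer, size, now) for now, peer, size in events]


# Constructed events: (time in seconds, peer, message size in bytes).
SAMPLE_EVENTS = ([(0.0, "A", 200)] * 7 + [(0.0, "B", 200)] * 4
                 + [(1.0, "B", 200), (2.0, "A", 200), (2.0, "C", 20_000)])

if __name__ == "__main__":
    limiter = ReadLimiter(peer_msg_rate=5, peer_byte_rate=10_000, global_msg_rate=8, pause=2.0)
    for event, decision in zip(SAMPLE_EVENTS, replay(limiter, SAMPLE_EVENTS)):
        print(event, decision)
```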
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx over Rx, or MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each message based on the combination of fields in the Diameter header: R and T bits, command code and application ID. If no priority is set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Diameter header layout:
Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T (flags) | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs ...
When prioritization is performed using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5 on the latency.
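Header-based prioritization as described above needs only the fixed 20-byte Diameter header. The following added example (not SDC code) parses that header and matches it against a priority table with "does not matter" wildcards. The table rows are constructed from the page's own examples (CCA over CCR, Gx over Rx), and the numeric codes used are the standard ones: command code 272 for Credit-Control, 265 for AA, and application IDs 16777238 for Gx and 16777236 for Rx.

```python
import struct
from typing import NamedTuple, Optional

FLAG_R, FLAG_T = 0x80, 0x10   # R set = request (so answer = R clear); T = retransmission


class Header(NamedTuple):
    length: int
    is_answer: bool
    is_retransmit: bool
    command_code: int
    application_id: int


class Rule(NamedTuple):
    is_answer: Optional[bool]        # None means "does not matter"
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


# Constructed priority table; the first matching row wins.
PRIORITY_TABLE = [
    Rule(True, None, 272, None, "high"),        # Credit-Control answers (CCA over CCR)
    Rule(None, None, None, 16777238, "high"),   # everything on Gx (Gx over Rx)
]


def parse_header(buf: bytes) -> Header:
    """Decode the fixed Diameter header and reject frames that cannot be valid."""
    if len(buf) < 20:
        raise ValueError("Diameter header needs 20 bytes")
    ver_len, flags_code, app_id, _hop_by_hop, _end_to_end = struct.unpack("!IIIII", buf[:20])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("message length must be a multiple of 4 and at least 20")
    return Header(length, not flags & FLAG_R, bool(flags & FLAG_T), code, app_id)


def classify(header: Header, table=PRIORITY_TABLE) -> str:
    """Return the priority of the first matching row, or normal priority if none matches."""
    fields = (header.is_answer, header.is_retransmit, header.command_code, header.application_id)
    for rule in table:
        if all(want is None or want == got for want, got in zip(rule[:4], fields)):
            return rule.priority
    return "normal"


def build_header(flags, code, app_id, length=20, version=1, hop_by_hop=1, end_to_end=1) -> bytes:
    """Build a constructed sample header for the demonstration below."""
    return struct.pack("!IIIII", (version << 24) | length, (flags << 24) | code,
                       app_id, hop_by_hop, end_to_end)


if __name__ == "__main__":
    samples = {
        "Gx CCR": build_header(FLAG_R, 272, 16777238),
        "Gy CCA": build_header(0x00, 272, 4),
        "Gy CCR": build_header(FLAG_R, 272, 4),
        "Rx AAR": build_header(FLAG_R, 265, 16777236),
    }
    for name, raw in samples.items():
        print(name, classify(parse_header(raw)))
```

The R and T bits, command code and application ID are all set by the sending peer, so a table like this grants priority on the sender's word.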
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0
Under normal conditions all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period the server does not handle new Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other tests that SDC performs when it attempts to send requests to Remote Nodes and analyzes the responses received from them.
External Monitoring is based on active script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables configuring and managing SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture (diagram: Management Console over HTTPS web access, Provisioning Interface over SOAP/XML web service, Configuration Manager, Fault and Performance Manager with SNMP/Syslog, Security and Administration Manager, CLI, and the SDC Core on the SDC node)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments the configuration management is performed locally. In multisite deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real-time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by the OAM, which acts according to the observed state and counter values. Hence the OAM can notify the operator about the need for a new license key or for the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network IO processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution.
- The SDC core process is responsible for processing of Diameter or other message oriented protocols, e.g. security, routing, load balancing and message transformation.
- The Config Manager process is responsible for configuration distribution and storage.
- Distributed Storage is responsible for the management of static and dynamic routing tables.
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs OAM tasks.
Figure 33 Scalable Deployment Physical View (diagram: a "Scalable Mode" SDC node of 12 blades between the clients backbone and the servers backbone; blade 1 carries the active VIP and the other blades standby VIPs; the blades run the SDC Engine, Web Interface, Config Mgr and Distributed Storage, and are joined by the interconnect and the management network)
HA Cluster Config Mgr
Shared MemorySDC
EngineSDC
EngineSDC
EngineSDC
Engine
FEP-O(SCTP)
FEP-O(TCP)
FEP-I
(IPSEC)
FEP-I
(TCP)
Web UI
SOAP
ClientClient
ClientClient
ClientServer
ClientServer
Figure 34 Scalable Deployment Logical View
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 5682
SIGNALING DELIVERY CONTROLLER
Product Description
56
wwwtraffixsystemscom
SDC
Blade X
VIP
(Active)
Web
Interface
Config Mgr
SDC
Engine
Distributed
Storage
EMS
Agent
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture - Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP address.
b. The floating IP address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP address are managed by the cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture - Failure operation
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connection between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy Active-Standby deployment mode
Figure 41: Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10 ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IP) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
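The CER-based ACCEPT/REJECT decision from section 11.5 and the maximum message length check from section 11.6, sketched as an added Python example; this is not SDC code or its policy syntax. The policy structure, realm, subnet, length limit and function names are assumptions, while the header layout and AVP codes follow the Diameter base protocol (RFC 3588/6733).

```python
import ipaddress
import struct

CER = 257  # Capabilities-Exchange command code
ORIGIN_HOST, ORIGIN_REALM = 264, 296
HOST_IP_ADDRESS, AUTH_APPLICATION_ID = 257, 258

# Hypothetical policy: realm, subnet and length limit are constructed values.
POLICY = {
    "max_message_length": 4096,
    "realms": {"epc.example.net"},
    "networks": [ipaddress.ip_network("192.0.2.0/24")],
    "applications": {16777251},  # 3GPP S6a/S6d application id
}


def build_cer(avps):
    """Encode a CER from (code, data) pairs; only used to build sample input."""
    body = b""
    for code, data in avps:
        length = 8 + len(data)  # AVP length excludes padding
        body += struct.pack("!IB3s", code, 0x40, length.to_bytes(3, "big"))
        body += data + b"\x00" * (-length % 4)
    total = 20 + len(body)
    return struct.pack("!B3sB3sIII", 1, total.to_bytes(3, "big"), 0x80,
                       CER.to_bytes(3, "big"), 0, 0x1001, 0x2002) + body


def parse_message(raw, max_length):
    """Return (command, is_request, {code: [data, ...]}); ValueError if malformed."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("bad header")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_length:
        raise ValueError("message exceeds maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match message")
    avps, offset = {}, 20
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(raw[offset:offset + 4], "big")
        flags = raw[offset + 4]
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        header_len = 12 if flags & 0x80 else 8  # V flag adds a Vendor-Id field
        if avp_len < header_len or offset + avp_len > length:
            raise ValueError("bad AVP length")
        if not flags & 0x80:  # the policy below only looks at base AVPs
            avps.setdefault(code, []).append(raw[offset + 8:offset + avp_len])
        offset += avp_len + (-avp_len % 4)  # skip padding to a 4-byte boundary
    return int.from_bytes(raw[5:8], "big"), bool(raw[4] & 0x80), avps


def decode_address(data):
    """Decode an Address AVP: 2-byte address family, then the packed address."""
    family, packed = int.from_bytes(data[:2], "big"), data[2:]
    if (family, len(packed)) in ((1, 4), (2, 16)):
        return ipaddress.ip_address(packed)
    return None


def evaluate_cer(raw, policy=POLICY):
    """Return ("ACCEPT" or "REJECT", reason) for a peer's first message."""
    try:
        command, is_request, avps = parse_message(raw, policy["max_message_length"])
    except ValueError as exc:
        return "REJECT", str(exc)
    if command != CER or not is_request:
        return "REJECT", "not a CER"
    if any(code not in avps for code in (ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS)):
        return "REJECT", "mandatory AVP missing"
    realm = avps[ORIGIN_REALM][0].decode("ascii", "replace").lower()
    if realm not in policy["realms"]:
        return "REJECT", "realm not permitted"
    for data in avps[HOST_IP_ADDRESS]:
        address = decode_address(data)
        if address is None or not any(address in net for net in policy["networks"]):
            return "REJECT", "address not permitted"
    # Only top-level Auth-Application-Id AVPs are checked; a grouped
    # Vendor-Specific-Application-Id AVP is not unpacked in this example.
    apps = {int.from_bytes(d, "big") for d in avps.get(AUTH_APPLICATION_ID, [])}
    if not apps or not apps <= policy["applications"]:
        return "REJECT", "application not permitted"
    return "ACCEPT", "policy matched"


def sample(realm=b"epc.example.net", ip=(192, 0, 2, 10), host=b"mme1.epc.example.net"):
    """Constructed CER; the defaults satisfy POLICY."""
    return build_cer([(ORIGIN_HOST, host), (ORIGIN_REALM, realm),
                      (HOST_IP_ADDRESS, b"\x00\x01" + bytes(ip)),
                      (AUTH_APPLICATION_ID, (16777251).to_bytes(4, "big"))])


if __name__ == "__main__":
    for label, raw in [("permitted peer", sample()),
                       ("unknown realm", sample(realm=b"roaming.example.org")),
                       ("oversized", sample(host=b"a" * 5000))]:
        print(label, evaluate_cer(raw))
```

Host-IP-Address and Origin-Realm are supplied by the peer, so an ACL of this kind is normally paired with a check on the transport-layer source address and with the packet filtering described in section 11.4.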
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
 | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
 | | | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
 | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
 | | | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
 | | | Super-User (Administrator) | Full access
 | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
 | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
 | | | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition to that, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
2. Distributed – in addition to the EMS agent and Splunk Forwarder components, each
site is installed with their own Splunk component. The Splunk component for each
site communicates directly with the Splunk component in the management site.
For more information about the Element Management System, see the Traffix SDC
Element Management System Product Description.
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. It is achieved by uploading Diameter data dictionaries. Upload of new data
dictionaries is done at runtime and does not require a software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
transparently handled by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For the roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP', SS7, MAP, Camel
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr.
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement.
o IMEI check – an S13/S13 - Gf interworking scenario with one
IWF
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13' and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7: Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows
interconnecting between two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting between two peers
that use different network protocols: IPv4 and IPv6 protocols.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
Figure 8: SDC Platform Architecture (diagram labels: HA Cluster, Config Mgr, Shared Memory, CPF nodes, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, clients and servers)
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
  from external clients and performs Peer management.
• FEP-O: A single network aggregation hides the internal network architecture from
  external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
  Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
  decision results in the selection of a destination pool for the session. A pool must
  contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
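The two enforcement levels described above can be sketched as follows. This is an added example, not SDC code or its rule syntax: the rule layout, the addresses, the `partner.example` names and the outcome strings are constructed, the wildcard matching is limited to IPv4, and the Capabilities-Exchange-Request is assumed to be already decoded into a dictionary.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed IP-level ACL: ordered, first match wins, '*' matches one whole octet.
IP_ACL = [
    ("10.20.99.*", "deny"),   # quarantined subnet inside the partner range
    ("10.20.*.*", "allow"),   # roaming partner signaling range
]

# Constructed application-level rules, matched against fields of the peer's CER.
# 16777251 is the 3GPP S6a/S6d Application-Id; 16777238 is Gx.
PEER_RULES = [
    {"origin_host": "*.epc.partner.example",
     "origin_realm": "epc.partner.example",
     "applications": {16777251}},
]


def ip_allowed(addr):
    """Apply the ACL octet by octet; anything unparsable or unmatched is denied."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False
    for pattern, action in IP_ACL:
        parts = pattern.split(".")
        if len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return action == "allow"
    return False  # default deny


def check_peer(addr, cer):
    """Return 'allow' or the level at which the connecting peer was refused."""
    if not ip_allowed(addr):
        return "deny-ip"
    # Diameter identities are FQDNs, so compare them case-insensitively.
    host = str(cer.get("Origin-Host", "")).lower()
    realm = str(cer.get("Origin-Realm", "")).lower()
    apps = set(cer.get("Auth-Application-Id", []))
    for rule in PEER_RULES:
        if fnmatchcase(host, rule["origin_host"]) and fnmatchcase(realm, rule["origin_realm"]):
            # The peer may only advertise applications it is contracted for.
            if apps and apps <= rule["applications"]:
                return "allow"
            return "deny-application"
    return "deny-peer"  # no rule names this peer


# Constructed CER fields for a roaming partner's MME.
SAMPLE_CER = {
    "Origin-Host": "mme01.epc.partner.example",
    "Origin-Realm": "epc.partner.example",
    "Auth-Application-Id": [16777251],
}

if __name__ == "__main__":
    print(check_peer("10.20.5.9", SAMPLE_CER))
    print(check_peer("10.20.99.7", SAMPLE_CER))
```

Matching whole octets rather than string prefixes keeps a pattern such as `10.2.*.*` from also admitting `10.20.x.x`, and the default-deny fallthrough means a peer that no rule names never reaches the routing stage.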
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
   using SOAP API to the SDC internal provisioning database. When a new Diameter
   session is established, SDC fetches the destination from its provisioning database.
   When provisioning routing entries, expiry time can be set for the provisioned
   entries or they can be kept on a permanent basis.
   In addition to provisioning, SDC can calculate routing decisions or apply default
   decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
   new Diameter session's establishment, SDC will send a request to the location
   function. The request will include the query parameters and the response will
   contain the appropriate pool for the specific request. The query parameters are
   extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. The following method
   implements the same logic as described above, but instead of sending requests to an
   external system, SDC performs a programmatic call to an external library integrated
   within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
   In this scenario the Diameter server peer sends the request (e.g. RAR) to the
   Diameter client peer using the same Diameter Session-ID that was previously
   established by the Diameter client side. SDC routes the request to the client
   that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
   SDC accepts requests from different server peers as long as the requests share
   a Session-ID that was established by the client peer, as shown in the call flow
   depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
   In some cases the communication between the Diameter client and server peers
   is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
   To allow proper handling of an out of session server initiated Diameter
   request, SDC implements advanced routing rules that can be used by the user to
   define the required behavior. In case no rule is set, SDC sends the request to a
   client based on the request's Destination-Host AVP. This behavior is shown
   in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
  grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
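The IMSI-range rule and the per-session persistence described above can be sketched as follows. This is an added example, not the rule or script shown in the product's figures: the IMSI ranges, the 15-digit IMSI assumption, the decoded-message dictionaries and the `SessionRouter` name are constructed for illustration; only the pool names come from the text.

```python
END_USER_IMSI = 1                       # Subscription-Id-Type value for an IMSI (RFC 4006)
INITIAL, UPDATE, TERMINATION = 1, 2, 3  # CC-Request-Type values (RFC 4006)

# Constructed 15-digit IMSI ranges; the page names the pools but not the ranges.
IMSI_RULES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(msg):
    """Return the IMSI carried in the grouped Subscription-Id AVP, or None."""
    for sub in msg.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data")
        if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                and isinstance(data, str) and data.isascii()
                and data.isdigit() and len(data) == 15):
            return data
    return None  # missing, wrong type, or not a well-formed IMSI


def select_pool(msg):
    """Evaluate the rule once: equal-length digit strings compare numerically."""
    imsi = extract_imsi(msg)
    if imsi is not None:
        for low, high, pool in IMSI_RULES:
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decides at session establishment and keeps the decision until termination."""

    def __init__(self):
        self.bindings = {}  # Session-Id -> pool

    def route(self, msg):
        session_id = msg["Session-Id"]
        pool = self.bindings.get(session_id)
        if pool is None:
            pool = select_pool(msg)
            self.bindings[session_id] = pool
        if msg.get("CC-Request-Type") == TERMINATION:
            self.bindings.pop(session_id, None)  # release state with the session
        return pool


def ccr(session_id, request_type, imsi=None, id_type=END_USER_IMSI):
    """Build a constructed, already-decoded Gx CCR for the demonstration."""
    msg = {"Session-Id": session_id, "CC-Request-Type": request_type}
    if imsi is not None:
        msg["Subscription-Id"] = [
            {"Subscription-Id-Type": id_type, "Subscription-Id-Data": imsi}]
    return msg


if __name__ == "__main__":
    router = SessionRouter()
    print(router.route(ccr("pgw1;1;1", INITIAL, "001010123456789")))
    print(router.route(ccr("pgw1;1;1", UPDATE, "001010700000000")))
```

An update that carries a different IMSI does not move an established session, which matches the persistence rule in the text, and a malformed Subscription-Id-Data value falls through to the "default" pool instead of raising.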
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
  resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
  limiting the number of requests pending answers per destination peer or group of
  destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
  allocation, e.g. controlling the incoming message/traffic rate or by bounding the
  incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
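The token bucket check and the channel and global limiters described above can be combined in one sketch. This is an added example, not SDC code: the class names, outcome strings, rates, pause length and the trace are constructed, and time is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    def __init__(self, rate, capacity, now=0.0):
        self.rate = rate          # tokens added per second
        self.capacity = capacity  # largest burst the bucket can absorb
        self.tokens = capacity
        self.stamp = now

    def conforms(self, cost, now):
        """Refill for the elapsed time, then report whether 'cost' tokens are available."""
        elapsed = max(0.0, now - self.stamp)  # tolerate a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return self.tokens >= cost


class ReadLimiter:
    """Per-peer (channel) and global limiter; by_bytes selects the byte rate limiter."""

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst,
                 pause, by_bytes=False):
        self.peer_rate, self.peer_burst = peer_rate, peer_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.pause = pause        # how long reading stops after a violation
        self.by_bytes = by_bytes
        self.peers = {}           # peer name -> TokenBucket
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def admit(self, peer, message, now):
        cost = len(message) if self.by_bytes else 1
        if now < self.global_paused_until:
            return "paused-global"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "paused-peer"
        if peer not in self.peers:
            self.peers[peer] = TokenBucket(self.peer_rate, self.peer_burst, now)
        bucket = self.peers[peer]
        # A non-conforming message leaves both buckets unchanged.
        if not bucket.conforms(cost, now):
            self.peer_paused_until[peer] = now + self.pause
            return "paused-peer"
        if not self.global_bucket.conforms(cost, now):
            self.global_paused_until = now + self.pause
            return "paused-global"
        bucket.tokens -= cost
        self.global_bucket.tokens -= cost
        return "read"


def run_constructed_trace():
    """One flooding peer, then enough total traffic to trip the global limit."""
    limiter = ReadLimiter(peer_rate=5, peer_burst=5, global_rate=8,
                          global_burst=8, pause=2.0)
    events = ([(0.0, "peer-a")] * 7 + [(0.1, "peer-b")] * 4
              + [(1.0, "peer-c"), (2.5, "peer-a")])
    return [limiter.admit(peer, b"\x01" * 20, now) for now, peer in events]


if __name__ == "__main__":
    for outcome in run_constructed_trace():
        print(outcome)
```

In the trace, peer-a is stopped after its burst of five while peer-b keeps being read, and the global pause later blocks peer-c even though peer-c has sent nothing, which is the trade-off of a global limiter.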
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
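Header-based prioritization as described above, as an added example that is not SDC code: it decodes the 20-byte header from the layout table, matches it against a priority table with "does not matter" wildcards, and serves the resulting queues with a weighted round-robin so that Normal traffic is not starved. The rule set, first-match semantics and the 3:1 weights are assumptions; 272 (Credit-Control), 265 (AA), 16777238 (Gx) and 16777236 (Rx) are the standard code points, not values from this page.

```python
import struct
from collections import deque

ANY = None  # "does not matter" in the priority table

# Constructed rules in the table's column order; first match wins (assumed).
# (is_answer, is_retransmit, command_code, application_id, priority)
RULES = [
    (True, ANY, 272, 16777238, "High"),   # Credit-Control answers (CCA) on Gx
    (ANY, True, ANY, ANY, "High"),        # any retransmission (T bit set)
]


def build_header(flags, command_code, application_id, length=20, hop=1, end=1):
    """Pack a Diameter header; used here only to construct sample input."""
    return struct.pack("!IIIII", (1 << 24) | length,
                       (flags << 24) | command_code, application_id, hop, end)


def parse_header(data):
    """Decode the fixed 20-byte header laid out in the table above."""
    if len(data) < 20:
        raise ValueError("Diameter header is 20 bytes")
    ver_len, flags_cmd, app_id, hop, end = struct.unpack("!IIIII", data[:20])
    length, flags = ver_len & 0xFFFFFF, flags_cmd >> 24
    if ver_len >> 24 != 1 or length < 20 or length % 4:
        raise ValueError("bad version or message length")
    return {
        "length": length,
        "is_answer": not flags & 0x80,        # R bit clear means answer
        "is_retransmit": bool(flags & 0x10),  # T bit
        "command_code": flags_cmd & 0xFFFFFF,
        "application_id": app_id,
        "hop_by_hop": hop,
        "end_to_end": end,
    }


def classify(data, rules=RULES):
    """Return the priority of the first matching rule, else Normal."""
    h = parse_header(data)
    fields = (h["is_answer"], h["is_retransmit"],
              h["command_code"], h["application_id"])
    for *wanted, priority in rules:
        if all(w is ANY or w == f for w, f in zip(wanted, fields)):
            return priority
    return "Normal"


class FairScheduler:
    """Weighted round-robin: High is served first and more often, but every
    round also serves Normal, so it cannot starve (weights are assumed)."""

    def __init__(self, weights=(("High", 3), ("Normal", 1))):
        self.weights = weights
        self.queues = {name: deque() for name, _ in weights}

    def enqueue(self, message):
        self.queues[classify(message)].append(message)

    def drain(self):
        """Return queued messages in the order they would be served."""
        served = []
        while any(self.queues.values()):
            for name, weight in self.weights:
                queue = self.queues[name]
                for _ in range(min(weight, len(queue))):
                    served.append(queue.popleft())
        return served
```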
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31: “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
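The threshold logic described above, as an added example that is not SDC code: error events (timeouts, slow answers, busy answers and other error Result-Codes) are counted per peer over a sliding window, and a peer that exceeds the threshold receives no new sessions until its "out of service" interval ends. The class and function names, the one-second window, treating every Result-Code of 3000 or above as an error event, and the sample thresholds are assumptions.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004


class PeerMonitor:
    """Counts error events for one peer and trips "out of service"."""

    def __init__(self, max_errors_per_s, out_of_service_ms, max_response_ms,
                 window_ms=1000):
        self.max_errors_per_s = max_errors_per_s    # configurable threshold
        self.out_of_service_ms = out_of_service_ms  # configurable interval
        self.max_response_ms = max_response_ms      # slow-answer limit
        self.window_ms = window_ms
        self.errors = deque()                       # times of recent error events
        self.out_until = 0

    def observe(self, now_ms, result_code, response_ms):
        """Record one transaction; result_code None means it timed out.
        Returns True when the transaction counted as an error event."""
        is_error = (result_code is None                    # timeout
                    or response_ms > self.max_response_ms  # response time
                    or result_code >= 3000)                # busy / other errors
        if is_error:
            self.errors.append(now_ms)
        while self.errors and self.errors[0] <= now_ms - self.window_ms:
            self.errors.popleft()
        if len(self.errors) * 1000 > self.max_errors_per_s * self.window_ms:
            self.out_until = now_ms + self.out_of_service_ms
            self.errors.clear()
        return is_error

    def accepts_new_sessions(self, now_ms):
        return now_ms >= self.out_until


def route(monitors, preferred, now_ms, bound_peer=None):
    """Pick a peer: a session already bound to a peer stays there, a new
    session goes to the first peer in service. None means no peer is
    available and the request is rejected gracefully."""
    if bound_peer is not None:
        return bound_peer
    for name in preferred:
        if monitors[name].accepts_new_sessions(now_ms):
            return name
    return None
```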
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers, the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32: SDC OAM Function architecture. Diagram labels: Management Console (HTTPS Web access), Provisioning Interface (Web Service, SOAP/XML), Configuration Manager, SDC Core, Fault and Performance Manager (SNMP/Syslog), Security and Administration Manager, CLI]
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Figure 33: Scalable Deployment Physical View. Diagram of a “Scalable Mode” SDC node (12 blades): SDC Blades 1 to 12 with VIP (Active/Standby), Web Interface, Config Mgr, SDC Engine and Distributed Storage, between the Clients Backbone (Client 1 to Client K) and the Servers Backbone (Server 1 to Server M), with Interconnect, External Network and Management Network]
[Figure 34: Scalable Deployment Logical View. Diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients, Servers]
[Figure 35: Main Software Processes. Diagram of SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure 36: Hot-Standby HA architecture. Diagram of Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP, linked by Session Replication and connected to the Client Peer, Server Peer and Management Workstation]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
[Figure 37: Scalable N+K HA architecture, Normal operation. Diagram of the SDC nodes, each with a Physical IP, Diameter VIP and Management VIP, the Configuration Managers, Web UI WS, Session Replication, Client 1 and the Management Workstation, with flow steps 1 to 3 marked]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure 38: Scalable N+K HA architecture, Failure operation. Same components as Figure 37, with flow steps 1 to 3 marked]
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components (“scalable deployment” is assumed):
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per-site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware: RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Failure Type | Failure Detection Method | Automatic Remedy Action
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active
or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41,
respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IP) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DOS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding of the payload of AVP(s)
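The checks described in sections 11.5 and 11.6, as an added example that is not SDC code: a bounds-checked AVP parser enforces a maximal message length, a first-match ACL decides ACCEPT or REJECT from the peer address and the AVPs of its CER, and a screening step removes topology-revealing AVPs and rewrites the length field. The function names, the 4096-byte limit, the default-deny policy, the ACL entry format and the sample hosts are assumptions; the AVP, command and application codes are the standard Diameter code points.

```python
import ipaddress
import struct

CER, ULR = 257, 316                                     # command codes
ORIGIN_HOST, AUTH_APP_ID, ROUTE_RECORD = 264, 258, 282  # AVP codes
S6A = 16777251                                          # application ID
MAX_MESSAGE_LEN = 4096                                  # assumed limit


def encode_avp(code, data, flags=0x40):
    """Build one AVP (no Vendor-Id), zero-padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_message(command, flags, app_id, avps):
    """Assemble header and AVPs; used only to construct sample input."""
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                       (flags << 24) | command, app_id, 1, 1) + body


def parse_message(msg, max_len=MAX_MESSAGE_LEN):
    """Return (command_code, [(avp_code, data, raw_avp), ...]).
    Raises ValueError for oversized or malformed messages."""
    if len(msg) > max_len:
        raise ValueError("message exceeds maximal length")
    if len(msg) < 20:
        raise ValueError("truncated header")
    ver_len, flags_cmd = struct.unpack("!II", msg[:8])
    length = ver_len & 0xFFFFFF
    if ver_len >> 24 != 1 or length != len(msg) or length % 4:
        raise ValueError("bad version or length field")
    avps, pos = [], 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        avp_len = int.from_bytes(msg[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8      # V bit adds a Vendor-Id
        end = pos + avp_len + (-avp_len % 4)    # AVPs are padded to 4 bytes
        if avp_len < header or end > length:
            raise ValueError("bad AVP length")
        avps.append((code, msg[pos + header:pos + avp_len], msg[pos:end]))
        pos = end
    return flags_cmd & 0xFFFFFF, avps


def cer_decision(msg, peer_ip, acl):
    """ACCEPT or REJECT a connection from its CER; first matching entry wins.
    Grouped Vendor-Specific-Application-Id AVPs are not unpacked here."""
    try:
        command, avps = parse_message(msg)
    except ValueError:
        return "REJECT"
    hosts = [data.decode("ascii", "replace")
             for code, data, _ in avps if code == ORIGIN_HOST]
    apps = {int.from_bytes(data, "big")
            for code, data, _ in avps if code == AUTH_APP_ID}
    if command != CER or len(hosts) != 1:
        return "REJECT"
    address = ipaddress.ip_address(peer_ip)
    for subnet, host_suffix, app_id, verdict in acl:
        # The suffix starts with a dot so "xepc.example.net" cannot match.
        if (address in ipaddress.ip_network(subnet)
                and hosts[0].lower().endswith(host_suffix)
                and app_id in apps):
            return verdict
    return "REJECT"                             # default deny (assumed policy)


def strip_avps(msg, hidden=(ROUTE_RECORD,)):
    """Drop AVPs that expose internal topology and rewrite the length field."""
    _, avps = parse_message(msg)
    body = b"".join(raw for code, _, raw in avps if code not in hidden)
    return ((1 << 24) | (20 + len(body))).to_bytes(4, "big") + msg[4:20] + body


# Constructed sample input (hosts, subnet and the ACL entry are made up).
ACL = [("10.20.0.0/16", ".epc.example.net", S6A, "ACCEPT")]
SAMPLE_CER = build_message(CER, 0x80, 0, [
    encode_avp(ORIGIN_HOST, b"mme1.epc.example.net"),
    encode_avp(AUTH_APP_ID, S6A.to_bytes(4, "big")),
])
SAMPLE_ULR = build_message(ULR, 0xC0, S6A, [
    encode_avp(ORIGIN_HOST, b"mme1.epc.example.net"),
    encode_avp(ROUTE_RECORD, b"core-hss-7.internal.example.net"),
])
```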
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. Diagram of a Blade Chassis with SDC Worker Nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port), L2/3 1GB Copper Switches A and B, the EXT-SCTP, EXT-TCP, INT-SCTP, INT-TCP, MGMT and INBAND networks, Interswitch Links, connections to upstream routers, and Virtual IPs for SCTP and TCP]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after the Site Survey and Customer Workshop.

Network: Data Signaling
IP addresses: 4 IP addresses per signaling interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple networks and/or VLANs are supported
• IPv4 and IPv6 are supported
• SCTP multi-homing is supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP switch redundancy)

Network: OAM Management and Backup Network Connection
IP addresses: One IP address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple networks and/or VLANs are supported, e.g. a dedicated Management and Backup interface
• Additional addresses will be required for a dedicated Backup Network connection

Network: OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IP addresses: Six (6) IP addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides a
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are
available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
(Labels in the figure: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message. Legend: Decision Table, Message Flow, Decision Flow, Groovy Scripting.)
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
6 Diameter and Legacy Protocols Support
6.1 Diameter and 3GPP reference points support
SDC provides native Diameter support for IETF RFC 3588 and related IETF RFCs, and for
all reference points defined by 3GPP, e.g. Gx, Gxx, Rx, S6a, S6d, S9, S13, Sh, Ro, Rf, Gy,
SWx. SDC also complies with GSMA and MSF guidelines.
SDC provides flexible and simple mechanisms for adding support for new Diameter
interfaces. This is achieved by uploading Diameter data dictionaries. New data
dictionaries are uploaded at runtime, which does not require a software upgrade or maintenance
downtime. The dictionary is XML based.
The SDC solution provides seamless and transparent support for any vendor-specific AVP.
Multiple different versions of the same AVP, optionally encoded differently, are
handled transparently by the system. If AVP modification is required, the AVPs are added
to the dictionary file with different names, allowing user access and modification.
6.2 Legacy protocols support
The solution supports simultaneous usage of multiple dictionaries, enabling SDC to
interconnect with multiple Diameter nodes over multiple different reference points.
For roaming or legacy connectivity, the SDC supports the following protocols:
• Telecom protocols like RADIUS, GTP’, SS7 MAP, CAMEL
Support for the SS7 protocols – MAP and CAMEL – is provided by the
SDC in a few ways. The implementation of the SDC as an IWF provides a
variety of support scenarios between Diameter and MAP, including the
following:
o Mobility management – an S6a/S6d - Rel8 Gr interworking
scenario
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using S6a/S6d
and a MAP based Rel8 HLR using Gr
o Mobility management – an S6a/S6d - S6a/S6d interworking
scenario with two IWFs
In this interworking scenario, the Traffix SDC acts as an IWF that
works with an additional 3rd party IWF to connect between a
Diameter based MME or SGSN using S6a/S6d, a Diameter based
Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an
SS7/MAP based roaming agreement
o IMEI check – an S13/S13’ - Gf interworking scenario with one
IWF
In this interworking scenario, the SDC acts as an IWF directly
connecting between a Diameter based MME or SGSN using
S13/S13’ and a MAP based Pre Rel8 EIR using Gf
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP,
UDP and SCTP are supported.
SDC supports simultaneous use of the SCTP and TCP transport protocols. It allows
interconnecting two peers that use different transport protocols: one peer can use
SCTP while the other is using TCP. It also supports interconnecting two peers
that use different network protocols (IPv4 and IPv6).
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
Figure 8 SDC Platform Architecture
(Labels in the figure: HA Cluster; Config Mgr; Shared Memory; four CPF nodes; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Clients; Servers.)
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers, as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
This component provides both a web-based interactive GUI and a SOAP-based programmatic
interface for system configuration and provisioning. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
session management, routing, load balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as the basic functionality
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructure.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as noted above, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers’ state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; the requirement to maintain a
complex network with multiple links therefore becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point that hides the internal network architecture
from external clients and performs Peer management
• FEP-O: A single network aggregation point that hides the internal network architecture from
external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels
• Routing: makes a routing decision based on the message content. The routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer
• Load Balancing: chooses the peer from the pool to handle the session
• Transformation: adapts the session messages to match the destination’s format
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
Security enforcement is done by setting and applying security rules at both the IP and
the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. the capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
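The two-level check described above, as an added Python example; it is not SDC code and does not reproduce SDC's rule syntax. The rule format (ordered rules, first match wins, default deny, '*' standing for one whole octet), the dictionary form of the decoded Capabilities-Exchange-Request, and all addresses and host names are assumptions constructed for the illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy. The rule syntax is an assumption made for this example:
# rules are ordered, the first match wins, and no match means deny.
IP_ACL = [
    ("deny",   "10.20.30.99"),   # quarantined host inside a permitted subnet
    ("permit", "10.20.30.*"),    # roaming partner signaling subnet
    ("permit", "192.0.2.10"),    # single trusted home-network peer
]
# action, Origin-Host pattern, Origin-Realm pattern, permitted Auth-Application-Ids
APP_RULES = [
    ("permit", "mme*.partner-a.example", "partner-a.example", {16777251}),  # S6a
    ("permit", "pcef1.home.example",     "home.example",      {16777238}),  # Gx
]


def ip_matches(pattern, addr):
    """Octet-wise IPv4 match; '*' stands for exactly one whole octet."""
    try:
        octets = str(ipaddress.IPv4Address(addr)).split(".")
    except ValueError:
        return False                      # malformed source address never matches
    parts = pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))


def check_ip(addr):
    """IP level: evaluated before any Diameter message is read."""
    for action, pattern in IP_ACL:
        if ip_matches(pattern, addr):
            return action == "permit"
    return False


def check_cer(cer):
    """Application level: fields of the first request (Capabilities-Exchange-Request)."""
    # FQDNs are case-insensitive, so normalise before matching.
    host = str(cer.get("Origin-Host", "")).lower()
    realm = str(cer.get("Origin-Realm", "")).lower()
    apps = set(cer.get("Auth-Application-Id", []))
    if not host or not realm or not apps:
        return False                      # an incomplete CER is rejected, not guessed at
    for action, host_pat, realm_pat, allowed in APP_RULES:
        if fnmatchcase(host, host_pat) and fnmatchcase(realm, realm_pat):
            # The peer may only advertise applications that the rule grants.
            return action == "permit" and apps <= allowed
    return False


def admit_peer(src_ip, cer):
    """Return (admitted, stage), where stage names the check that decided."""
    if not check_ip(src_ip):
        return (False, "ip-acl")
    if not check_cer(cer):
        return (False, "capabilities")
    return (True, "ok")
```

Matching octet by octet keeps a pattern such as 10.20.*.* from also admitting 10.200.1.1, which a plain string wildcard would do.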
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or the message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11 A 4 Way Message Transformation
(Labels in the figure: Client Peer; Transformation Engine; Server Peer; Request and Response in each direction, Client→Server and Client←Server.)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which gives service
providers the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session’s establishment, SDC sends a request to the location
function. The request includes the query parameters, and the response
contains the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request’s AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks whether a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address, or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions inherit their routing rules from the Master
Session.
Session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
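Binding by key, as described above for Gx (master) and Rx (slave) sessions, shown in an added Python example that is not SDC code. The BindingTable class, the dictionary form of decoded AVPs and the session and pool names are assumptions constructed for the illustration; it also handles the case where an IP address is re-assigned before a late release of the old master arrives.

```python
class BindingTable:
    """Maps a binding key taken from the master session to its routing decision."""

    def __init__(self, key_avps=("Framed-IP-Address",)):
        self.key_avps = tuple(key_avps)
        self._by_key = {}   # binding key -> (master Session-Id, destination)
        self._key_of = {}   # master Session-Id -> binding key

    def _key(self, avps):
        # Every AVP of the key must be present; a partial key never binds.
        try:
            return tuple(avps[name] for name in self.key_avps)
        except KeyError:
            return None

    def bind_master(self, session_id, avps, destination):
        """Record the destination chosen by the routing rules for a master session."""
        key = self._key(avps)
        if key is None:
            return False
        previous = self._by_key.get(key)
        if previous is not None:
            # The same key is in use by an older master (e.g. the IP address was
            # re-assigned): the newest master takes over the binding.
            self._key_of.pop(previous[0], None)
        self._by_key[key] = (session_id, destination)
        self._key_of[session_id] = key
        return True

    def resolve_slave(self, avps):
        """Destination inherited from the master, or None if nothing is bound."""
        key = self._key(avps)
        entry = self._by_key.get(key) if key is not None else None
        return entry[1] if entry else None

    def release_master(self, session_id):
        """Drop the binding when the master ends, so that a later session
        reusing the key is not sent to the old destination."""
        key = self._key_of.pop(session_id, None)
        if key is not None and self._by_key.get(key, (None,))[0] == session_id:
            del self._by_key[key]


def demo():
    """Constructed walk-through: Gx binds, Rx inherits, release unbinds."""
    table = BindingTable()
    table.bind_master("pcef1;10;1", {"Framed-IP-Address": "10.1.2.3"}, "pcrf-2")
    inherited = table.resolve_slave({"Framed-IP-Address": "10.1.2.3"})
    table.release_master("pcef1;10;1")
    after_release = table.resolve_slave({"Framed-IP-Address": "10.1.2.3"})
    return inherited, after_release
```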
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master Session, the Master
Session’s Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and table.
Figure 15 Multi-Protocol Session Binding
(Labels in the figure: Diameter Server; HTTP Server; Diameter Client; HTTP Client; Session Binding; Binding Name PCRF1.)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that the user can use to
define the required behavior. If no rule is set, SDC sends the request to a
client based on the request’s Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool
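The rule described above, written out as an added example (it is not the SDC routing script or any F5 Traffix code): it parses the grouped Subscription-Id AVP, takes the IMSI from Subscription-Id-Data and returns the pool name, falling back to "default" on missing, malformed or out-of-range input. The AVP codes are those of RFC 4006; the two IMSI ranges and all function names are constructed, since the page does not list the real ranges.

```python
import struct

# AVP codes and enum value from RFC 4006 (Diameter Credit-Control).
SUBSCRIPTION_ID = 443       # grouped AVP
SUBSCRIPTION_ID_DATA = 444  # UTF8String carrying the identity, here the IMSI
SUBSCRIPTION_ID_TYPE = 450  # Enumerated
END_USER_IMSI = 1

# Constructed 15-digit IMSI ranges (assumption: the page does not list them).
IMSI_RANGES = [
    ("310150000000000", "310150499999999", "pcrf-cluster-a"),
    ("310150500000000", "310150999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def encode_avp(code, data):
    """Encode one AVP (M bit set, no Vendor-ID), padded to 4 bytes."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def build_subscription_id(id_type, identity):
    """Build a sample Subscription-Id grouped AVP (constructed test input)."""
    inner = encode_avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", id_type))
    inner += encode_avp(SUBSCRIPTION_ID_DATA, identity.encode("utf-8"))
    return encode_avp(SUBSCRIPTION_ID, inner)


def iter_avps(buf):
    """Yield (code, payload) per AVP; raise ValueError on malformed input."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, offset)
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        header_len = 12 if flags & 0x80 else 8  # V bit adds a Vendor-ID
        if length < header_len or offset + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[offset + header_len:offset + length]
        offset += length + (-length % 4)        # skip padding


def extract_imsi(avps):
    """Return the IMSI of the first Subscription-Id typed END_USER_IMSI."""
    for code, payload in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(payload))
        id_type = inner.get(SUBSCRIPTION_ID_TYPE)
        id_data = inner.get(SUBSCRIPTION_ID_DATA)
        if id_type is None or id_data is None:
            continue
        if int.from_bytes(id_type, "big") == END_USER_IMSI:
            return id_data.decode("utf-8")
    return None


def select_pool(avps):
    """Map the AVP section of a request to a PCRF pool name."""
    try:
        imsi = extract_imsi(avps)
    except (ValueError, UnicodeDecodeError):
        return DEFAULT_POOL                     # malformed input
    if imsi is None or not (imsi.isascii() and imsi.isdigit()):
        return DEFAULT_POOL                     # AVP missing or not an IMSI
    for low, high, pool in IMSI_RANGES:
        # Equal-length digit strings compare correctly as text.
        if len(imsi) == len(low) and low <= imsi <= high:
            return pool
    return DEFAULT_POOL
```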
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (clients reach SDC from the Internet through a router; traffic is contextually distributed to the remote peers according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (the Transformation Engine sits between the client peer and the server peer and handles requests and responses in both directions, Client->Server and Client<-Server)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory/CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
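A model of the token bucket with the channel and global limiters described above, as an added example rather than SDC code: each peer has a message bucket and a byte bucket, a second pair covers all peers, and a non-conforming message pauses reading from that peer (or from all peers) for a fixed time. How SDC combines these checks internally is not stated on the page, so the check order, the limit values, the pause length and all names are assumptions.

```python
READ, CHANNEL_PAUSED, GLOBAL_PAUSED = "read", "channel-paused", "global-paused"


class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity
        self.tokens = float(burst)   # start full
        self.updated = now

    def refill(self, now):
        if now > self.updated:
            gained = (now - self.updated) * self.rate
            self.tokens = min(self.burst, self.tokens + gained)
            self.updated = now

    def has(self, cost):
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message and byte rate limiting per channel (peer) and globally."""

    def __init__(self, channel_limits, global_limits, pause_seconds):
        # Each limits dict maps "messages" and "bytes" to (rate, burst).
        self.channel_limits = channel_limits
        self.pause = pause_seconds
        self.global_buckets = self.make_buckets(global_limits, 0.0)
        self.channels = {}           # peer -> buckets, one entry per connection
        self.paused_until = {}       # peer -> time reading may resume
        self.global_paused_until = 0.0

    @staticmethod
    def make_buckets(limits, now):
        return {k: TokenBucket(r, b, now) for k, (r, b) in limits.items()}

    def admit(self, peer, size, now):
        """Decide whether a message of `size` bytes from `peer` is read."""
        if now < self.global_paused_until:
            return GLOBAL_PAUSED
        if now < self.paused_until.get(peer, 0.0):
            return CHANNEL_PAUSED
        if peer not in self.channels:
            self.channels[peer] = self.make_buckets(self.channel_limits, now)
        chan = self.channels[peer]
        cost = {"messages": 1, "bytes": size}
        for buckets in (chan, self.global_buckets):
            for bucket in buckets.values():
                bucket.refill(now)
        # Check every bucket before taking from any, so a message that does
        # not conform leaves all bucket contents unchanged.
        if not all(chan[k].has(c) for k, c in cost.items()):
            self.paused_until[peer] = now + self.pause
            return CHANNEL_PAUSED
        if not all(self.global_buckets[k].has(c) for k, c in cost.items()):
            self.global_paused_until = now + self.pause
            return GLOBAL_PAUSED
        for buckets in (chan, self.global_buckets):
            for k, c in cost.items():
                buckets[k].take(c)
        return READ


def sample_limiter():
    """Constructed limits: 10 msg/s (burst 5) per peer, 100 msg/s (burst 12) overall."""
    return ReadLimiter(
        channel_limits={"messages": (10, 5), "bytes": (10000, 4000)},
        global_limits={"messages": (100, 12), "bytes": (100000, 40000)},
        pause_seconds=2.0,
    )


def run_trace(limiter, events):
    """events: iterable of (time, peer, size); returns the decision per event."""
    return [limiter.admit(peer, size, now) for now, peer, size in events]


# Constructed trace: one peer bursts 8 messages at t=0 while another behaves.
FLOOD_TRACE = [(0.0, "faulty", 200)] * 8 + [
    (0.1, "pcef-1", 200), (1.0, "faulty", 200), (2.0, "faulty", 200)]
```

Running `run_trace(sample_limiter(), FLOOD_TRACE)` shows the flooding peer read for its burst of five, paused for two seconds and then read again, while the second peer is unaffected.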
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | bits 0 to 31
0   | version | message length
32  | R P E T | command code
64  | application ID
96  | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
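A priority table of this shape applied to raw Diameter headers, as an added example that is not SDC's own implementation: the header is parsed per the layout above, then the first matching row decides the priority, with None standing for "does not matter" and Normal as the default. The rows, the rule order and the function names are constructed; the command codes and application IDs are the standard ones for Credit-Control (272), Cx Multimedia-Auth (303), Gx and Cx, and "is answer" is derived as R bit clear because the R bit marks a request (RFC 6733).

```python
import struct

HIGH, NORMAL = "High", "Normal"
HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10          # Request and retransmit bits
GX_APP, CX_APP = 16777238, 16777216  # 3GPP application IDs
CC_CODE, MA_CODE = 272, 303          # Credit-Control, Multimedia-Auth

# Constructed rows: (is_answer, is_retransmit, command_code, app_id, priority)
RULES = [
    (True, None, CC_CODE, GX_APP, HIGH),   # CCA over CCR on Gx
    (None, None, MA_CODE, CX_APP, HIGH),   # MAR/MAA over LIR/LAA
]
# Variant that favours retransmissions, e.g. after an overload has ceased.
RETRANSMIT_FIRST = [(None, True, None, None, HIGH)] + RULES


def build_header(flags, code, app_id, length=HEADER_LEN, hbh=1, e2e=1):
    """Build a 20-byte Diameter header (constructed sample input)."""
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | code,
                       app_id, hbh, e2e)


def parse_header(data):
    """Parse the fixed header; raise ValueError if it is not well formed."""
    if len(data) < HEADER_LEN:
        raise ValueError("short Diameter header")
    word0, word1, app_id, hbh, e2e = struct.unpack_from("!IIIII", data)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return {
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": code,
        "application_id": app_id,
        "length": length,
    }


def classify(data, rules):
    """Return the priority of the first matching row, Normal if none match."""
    h = parse_header(data)
    fields = (h["is_answer"], h["is_retransmit"],
              h["command_code"], h["application_id"])
    for *pattern, priority in rules:
        if all(want is None or want == got
               for want, got in zip(pattern, fields)):
            return priority
    return NORMAL
```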
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
Mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If after sending a DWR
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC
Figure 32: SDC OAM Function architecture (Management Console over HTTPS web access, Web Service Provisioning Interface over SOAP/XML, Configuration Manager, SDC Core on each SDC node, Fault and Performance Manager with SNMP/Syslog, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment"
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View ("Scalable Mode" SDC Node of 12 blades between the clients backbone and the servers backbone, with interconnect and management network; blades carry SDC Engine, VIP (Active or Standby), Web Interface, Config Mgr and Distributed Storage)
Figure 34: Scalable Deployment Logical View (HA Cluster with Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI and SOAP, connected to clients and servers)
Figure 35: Main Software Processes (SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot-Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot-Standby deployment
In the Hot-Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI/WS, Diameter VIP and Management VIP; session replication between the nodes; Client Peer, Server Peer and Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (nodes each with SDC, Web UI/WS, Diameter VIP, Management VIP and physical IPs; Configuration Managers; session replication; Client and Management Workstation; flow steps numbered 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
   Global Interface and floating IP Address are managed by the Cluster
   software. The "Global Interface" is held by one system node (server) at one time
   c. The request is received by the system node currently holding the "Global
   Interface"
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
   Robin load-balancing policy
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
   available for the selection of a suitable node
   c. If no suitable node is currently available, the original node which received
   the incoming request may also handle the request
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is
   sent to the client. The source address in the reply packet is set to the floating
   IP Address of the Global Interface
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation
To ease network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog “is running” check, service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s) like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
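The CER-based ACCEPT/REJECT decision described under Diameter connection security, together with the maximal-message-length check described under Diameter message security, can be sketched as follows. This is an added example, not SDC code or configuration: the rule format, the 4096-byte limit, the addresses and the host names are assumptions constructed for illustration, while the header and AVP layout follow RFC 6733.

```python
import fnmatch
import ipaddress
import struct

CMD_CER = 257                    # Capabilities-Exchange-Request (RFC 6733)
AVP_AUTH_APPLICATION_ID = 258    # AVP codes from RFC 6733
AVP_ORIGIN_HOST = 264
AVP_PRODUCT_NAME = 269
MAX_MESSAGE_LEN = 4096           # assumed operator limit, not an SDC default

# Constructed policy: first matching rule wins, anything unmatched is rejected.
ACL = [
    {"action": "REJECT", "origin_host": "*.blocked.example"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24",
     "origin_host": "mme*.partner.example", "app_id": 4},
]


class Malformed(Exception):
    """The buffer fails length or framing checks and must not be processed."""


def avp(code, data, flags=0x40):
    """Encode a non-vendor AVP: 8-byte header, data, zero padding to 4 bytes."""
    length = 8 + len(data)
    header = struct.pack("!IB3s", code, flags, length.to_bytes(3, "big"))
    return header + data + b"\x00" * (-length % 4)


def message(command, avps, request=True):
    """Encode a Diameter message; used only to build the sample input."""
    body = b"".join(avps)
    return struct.pack("!B3sB3sIII", 1, (20 + len(body)).to_bytes(3, "big"),
                       0x80 if request else 0, command.to_bytes(3, "big"),
                       0, 0x1111, 0x2222) + body


def parse(buf, max_len=MAX_MESSAGE_LEN):
    """Return (command, is_request, {avp_code: [data, ...]}) or raise Malformed."""
    if len(buf) < 20 or buf[0] != 1:
        raise Malformed("bad header")
    length = int.from_bytes(buf[1:4], "big")
    if length > max_len:                     # enforce the limit before parsing
        raise Malformed("message exceeds maximum length")
    if length != len(buf) or length % 4:
        raise Malformed("declared length does not match buffer")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 8:
            raise Malformed("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8      # V flag adds a 4-byte Vendor-Id
        if alen < hdr or pos + alen > length:
            raise Malformed("AVP length out of bounds")
        avps.setdefault(code, []).append(buf[pos + hdr:pos + alen])
        pos += alen + (-alen % 4)            # skip padding to the next AVP
    return int.from_bytes(buf[5:8], "big"), bool(buf[4] & 0x80), avps


def evaluate_cer(buf, src_ip, acl=ACL):
    """Return (action, reason) for the first message on a new connection."""
    try:
        command, is_request, avps = parse(buf)
        if command != CMD_CER or not is_request:
            return "REJECT", "first message is not a CER"
        host = avps[AVP_ORIGIN_HOST][0].decode("ascii").lower()
        apps = {struct.unpack("!I", d)[0]
                for d in avps.get(AVP_AUTH_APPLICATION_ID, [])}
    except Malformed as exc:
        return "REJECT", str(exc)
    except (KeyError, UnicodeDecodeError, struct.error):
        return "REJECT", "missing or malformed AVP"
    addr = ipaddress.ip_address(src_ip)
    for n, rule in enumerate(acl):
        if "subnet" in rule and addr not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "origin_host" in rule and not fnmatch.fnmatchcase(host, rule["origin_host"]):
            continue
        if "app_id" in rule and rule["app_id"] not in apps:
            continue
        return rule["action"], f"rule {n}"
    return "REJECT", "no rule matched"


def sample_cer(host, app_id=4, product=b"constructed-peer"):
    """Constructed CER for the demonstration (not captured traffic)."""
    return message(CMD_CER, [
        avp(AVP_ORIGIN_HOST, host.encode("ascii")),
        avp(AVP_PRODUCT_NAME, product, flags=0),
        avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", app_id)),
    ])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, evaluate_cer(sample_cer("mme01.partner.example"), ip))
```

The length limit is checked against the header-declared length before any AVP is parsed, so an oversized or mis-framed message is rejected without walking attacker-controlled data.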
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
In this interworking scenario, the Traffix SDC acts as an IWF that works with an additional 3rd party IWF to connect between a Diameter based MME or SGSN using S6a/S6d, a Diameter based Rel8 HSS-MME or Rel8 HSS-SGSN using S6a/S6d, and an SS7/MAP based roaming agreement.
o IMEI check – an S13/S13’ - Gf interworking scenario with one IWF
In this interworking scenario, the SDC acts as an IWF directly connecting between a Diameter based MME or SGSN using S13/S13’ and a MAP based Pre Rel8 EIR using Gf.
• IT protocols like LDAP, HTTP, JMS, SQL (as shown in Figure 7)
Figure 7 Protocol Interconnectivity
6.3 Network and Transport support
At the network layer, SDC provides support for IPv6 and IPv4. At the transport layer, TCP, UDP and SCTP are supported.
SDC supports simultaneous use of SCTP and TCP transport protocols. It allows interconnecting between two peers that use different transport protocols: one peer can use SCTP while the other is using TCP. It also supports interconnecting between two peers that use different network protocols: IPv4 and IPv6 protocols.
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing flexible mechanisms for adding new external components. As shown in Figure 8, external components can easily be added to the SDC by creating one point of contact between the component and a FEP, or the component and a CPF. The architecture also allows CPFs to be added without affecting other system components.
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling configuration management and distribution between the nodes. This module manages the configuration information for interconnected peers, as well as their status, protocol dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments, manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system configuration and provisioning interface. It is responsible for performance statistics collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane function is the core component in the SDC architecture, providing Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities required for integrating new services and modules that are not part of the standard deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function) as an external application loaded by the Traffix solution. This SLF function is called within the Traffix solution rules management, and on its backplane it communicates with proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF framework to take advantage of the CPF management pipeline and other infrastructures. FEP maintains a steady single TCP connection with the multiple CPF nodes. For each Remote Node, it manages the connection and state machine, providing statistics and management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a transport pipeline with each of their peers. The FEP node is responsible for managing the peers’ state machines and for maintaining and configuring the connections.
As FEP is the connection point and there usually is a single FEP in SDC, all Remote Servers connect to a single connection point; therefore the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture.
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point; hides the internal network architecture from external clients and performs Peer management
• FEP-O: A single network aggregation point; hides the internal network architecture from external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination’s format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
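The two enforcement levels described above can be sketched as follows. This is an added example, not SDC code or configuration: the page does not give the ACL syntax, so the sketch assumes dotted IPv4 patterns with "*" per octet, first match wins and default deny, and all rule values, addresses and function names are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed IP-level ACL (assumed syntax): first matching entry decides.
IP_ACL = [
    ("deny",  "10.20.30.66"),
    ("allow", "10.20.30.*"),
    ("allow", "192.0.2.*"),
]

# Constructed application-level rules, matched against fields of the peer's
# first request (the Diameter capabilities exchange, CER).
CER_RULES = [
    {"origin_realm": "partner-a.example",
     "origin_host": "*.partner-a.example",
     "applications": {16777238}},                 # Gx only
    {"origin_realm": "partner-b.example",
     "origin_host": "dra?.partner-b.example",
     "applications": {16777236, 16777238}},       # Rx and Gx
]


def _ip_matches(pattern, addr):
    """Octet-wise wildcard match, so '*' can never span a dot."""
    p, a = pattern.split("."), addr.split(".")
    return len(p) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


def ip_allowed(src_ip):
    """IP level: malformed addresses and unmatched addresses are denied."""
    try:
        addr = str(ipaddress.IPv4Address(src_ip))
    except ValueError:
        return False
    for action, pattern in IP_ACL:
        if _ip_matches(pattern, addr):
            return action == "allow"
    return False


def cer_allowed(cer):
    """Application level: realm, host pattern and advertised applications."""
    host = cer.get("Origin-Host", "").lower()     # DiameterIdentity is case-insensitive
    realm = cer.get("Origin-Realm", "").lower()
    # Simplification: only Auth-Application-Id is inspected here.
    apps = set(cer.get("Auth-Application-Id", []))
    if not host or not realm or not apps:
        return False
    for rule in CER_RULES:
        if (realm == rule["origin_realm"]
                and fnmatchcase(host, rule["origin_host"])
                and apps <= rule["applications"]):
            return True
    return False


def admit_peer(src_ip, cer):
    """Return (admitted, reason); the IP check runs before the CER is trusted."""
    if not ip_allowed(src_ip):
        return (False, "ip-acl")
    if not cer_allowed(cer):
        return (False, "cer-rule")
    return (True, "ok")
```

The host pattern is matched against the whole Origin-Host, so a name that merely contains the partner domain in the middle is rejected.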
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation
Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides the flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria using combinations of Diameter AVPs, request
source and other properties to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
   using SOAP API to the SDC internal provisioning database. When a new Diameter
   session is established, SDC fetches the destination from its provisioning database.
   When provisioning routing entries, expiry time can be set for the provisioned
   entries or they can be kept on a permanent basis.
   In addition to provisioning, SDC can calculate routing decisions or apply default
   decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function which implements LDAP, SQL or SOAP. After a
   new Diameter session's establishment, SDC will send a request to the location
   function. The request will include the query parameters and the response will
   contain the appropriate pool for the specific request. The query parameters are
   extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method
   implements the same logic as described above, but instead of sending requests to an
   external system, SDC performs a programmatic call to an external library integrated
   within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One of such scenarios is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx session for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and
Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client,
Diameter Server, HTTP Server, Session Binding, Binding Name PCRF1)
Bi-directional routing
Bi-Directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
   In this scenario the Diameter server peer sends the request (e.g. RAR) to the
   Diameter client peer using the same Diameter Session-ID that was previously
   established by the Diameter client side. SDC routes the request to the client
   that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
   SDC accepts requests from different server peers as long as the requests share
   a Session-ID that was established by the client peer, as shown in the call flow
   depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
   In some cases the communication between the Diameter client and server peers
   is stateless, meaning that SDC does not maintain a reverse path for the
   Session-ID. To allow proper handling of out of session server initiated Diameter
   requests, SDC implements advanced routing rules that can be used by the user to
   define the required behavior. In case no rule is set, SDC sends the request to a
   client based on the request's Destination-Host AVP. This behavior is shown
   in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of
  the grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
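The IMSI-range rule, the per-session persistence and the Gx/Rx binding on Framed-IP-Address described in this section can be put together as below. This is an added sketch, not the routing script from Figure 21 and not SDC code: the pool names come from the page, while the IMSI ranges, message layout and class and function names are assumptions, and an Rx session without a known binding is assumed to go to the default pool.

```python
# Constructed IMSI ranges (15-digit strings, compared as equal-length strings).
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"
END_USER_IMSI = 1    # Subscription-Id-Type value for an IMSI (RFC 4006)


def extract_imsi(avps):
    """Pull the IMSI out of the grouped Subscription-Id AVP, or return None."""
    for sub in avps.get("Subscription-Id", []):        # grouped AVP may repeat
        data = str(sub.get("Subscription-Id-Data", ""))
        if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                and data.isascii() and data.isdigit() and len(data) == 15):
            return data
    return None


def select_pool(avps):
    """IMSI-range rule: missing, malformed or out-of-range IMSI -> default pool."""
    imsi = extract_imsi(avps)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decides once per session and binds Rx (slave) sessions to the Gx (master)."""

    def __init__(self):
        self.sessions = {}   # Session-Id -> (pool, binding key or None)
        self.bindings = {}   # binding key -> pool chosen for the master session

    def route(self, msg):
        sid = msg["Session-Id"]
        if sid in self.sessions:                 # decision persists for the session
            return self.sessions[sid][0]
        key = msg["avps"].get("Framed-IP-Address")
        if msg["interface"] == "Gx":             # master: apply the routing rule
            pool = select_pool(msg["avps"])
            if key is not None:
                self.bindings[key] = pool
            self.sessions[sid] = (pool, key)
        else:                                    # slave: inherit the master's pool
            pool = self.bindings.get(key, DEFAULT_POOL)
            self.sessions[sid] = (pool, None)
        return pool

    def terminate(self, sid):
        """Drop the session; a master also releases its binding key so a
        reassigned IP address is not routed on a stale binding."""
        _pool, key = self.sessions.pop(sid, (None, None))
        if key is not None:
            self.bindings.pop(key, None)
```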
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers;
traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
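The By Precedence, Weighted Round Robin and Contextual policies described above can be compared side by side in a short sketch. This is an added example, not SDC code: the pool, its weights, the use of SHA-256 for the Context ID hash and all names are assumptions, and the set of in-service peers stands in for the health monitoring result.

```python
import hashlib

# Constructed pool: (peer name, weight), listed in precedence order.
POOL = [("pcrf-1", 3), ("pcrf-2", 2), ("pcrf-3", 1), ("pcrf-4", 1)]


def by_precedence(pool, in_service):
    """First peer in the pool that is currently in service."""
    for name, _weight in pool:
        if name in in_service:
            return name
    return None


class WeightedRoundRobin:
    """Round robin that skips peers which have used up their quota (weight)
    in the current cycle; quotas reset once every in-service quota is spent."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.used = {name: 0 for name, _ in pool}
        self.pos = 0

    def pick(self, in_service):
        for _attempt in range(2):                # second pass runs after a reset
            for step in range(len(self.pool)):
                i = (self.pos + step) % len(self.pool)
                name, weight = self.pool[i]
                if name in in_service and self.used[name] < weight:
                    self.used[name] += 1
                    self.pos = (i + 1) % len(self.pool)
                    return name
            self.used = dict.fromkeys(self.used, 0)   # start a new cycle
            self.pos = 0
        return None                              # no peer in service


def contextual(context_id, pool, in_service):
    """Hash the Context ID (by default the Session-Id) onto the in-service
    peers in proportion to their weights. Applied at session establishment
    only, so a later change in pool membership does not move live sessions."""
    live = [(n, w) for n, w in pool if n in in_service]
    total = sum(w for _, w in live)
    if total == 0:
        return None
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for name, weight in live:
        if slot < weight:
            return name
        slot -= weight
```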
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation
Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
  resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
  limiting the number of requests pending answers per destination peer or group of
  destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
  allocation, e.g. controlling the incoming message/traffic rate or by bounding
  incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in), and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
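The token bucket check and the channel and global limiters described above fit together as in the following sketch. It is an added example, not SDC code: class names, the (rate, burst) parameters and the return labels are assumptions, and the clock is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens per second up to a depth of `burst`."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.stamp = now

    def has(self, cost, now):
        """Refill for elapsed time, then report whether `cost` tokens are there.
        Nothing is removed here, so a non-conforming check leaves the bucket as is."""
        if now > self.stamp:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message and byte limiters per channel (peer) and globally.
    Each limit is a (rate, burst) pair; `pause` is how long reading stops."""

    def __init__(self, channel_msgs, channel_bytes, global_msgs, global_bytes,
                 pause, start=0.0):
        self.channel_limits = (channel_msgs, channel_bytes)
        self.globals = (TokenBucket(*global_msgs, start),
                        TokenBucket(*global_bytes, start))
        self.channels = {}              # peer -> (message bucket, byte bucket)
        self.peer_paused_until = {}     # peer -> time reading may resume
        self.global_paused_until = start
        self.pause = pause

    def admit(self, peer, size, now):
        """Return 'read', 'peer-paused' or 'global-paused' for one message."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        chan = self.channels.get(peer)
        if chan is None:
            chan = self.channels[peer] = tuple(
                TokenBucket(rate, burst, now) for rate, burst in self.channel_limits)
        costs = (1, size)               # one message token, `size` byte tokens
        # Channel limiter first: a single flooding peer is stopped on its own.
        if not all(b.has(c, now) for b, c in zip(chan, costs)):
            self.peer_paused_until[peer] = now + self.pause
            return "peer-paused"
        # Global limiter: the sum over all peers stops reading from everyone.
        if not all(b.has(c, now) for b, c in zip(self.globals, costs)):
            self.global_paused_until = now + self.pause
            return "global-paused"
        # Only a message that conforms to every limit consumes tokens.
        for bucket, cost in zip(chan + self.globals, costs * 2):
            bucket.take(cost)
        return "read"
```

A message larger than the byte bucket's depth can never conform, so the burst size has to be at least the largest message the peer is allowed to send.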
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)         Is Retransmit (T bit)     Command code                      Application ID                    Priority
yes/no/does not matter    yes/no/does not matter    24 bit integer/does not matter    32 bit integer/does not matter    High/Normal

Diameter message header layout (bit offsets 0 to 31 per row):
Bit offset    Fields
0             version, message length
32            R P E T (flag bits), command code
64            application ID
96            hop-by-hop ID
128           end-to-end ID
160           AVPs
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have impact of up to 5 on the latency.
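Header-based prioritization only needs the fixed 20-byte Diameter header shown above, which is why it avoids the AVP parsing cost. The following added sketch (not SDC code) parses that header and applies a priority table with "does not matter" wildcards; the rules and sample messages are constructed, and the function names are assumptions. In the Diameter header the R bit is set on requests, so an answer is a message with R cleared.

```python
import struct

HEADER_LEN = 20
R_BIT, T_BIT = 0x80, 0x10          # request flag, retransmission flag

# Constructed priority table in the page's column order; None = does not matter.
# First matching rule wins; no match means Normal priority.
RULES = [
    # is_answer, is_retransmit, command_code, application_id, priority
    (True, None, 272, 16777238, "High"),      # CCA on Gx
    (None, True, None, None, "High"),         # any retransmitted message
    (None, None, None, 16777236, "Normal"),   # Rx
]


def parse_header(msg):
    """Decode and sanity-check the fixed header; raise ValueError if malformed."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated header")
    version, flags = msg[0], msg[4]
    length = int.from_bytes(msg[1:4], "big")
    code = int.from_bytes(msg[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    if version != 1:
        raise ValueError("unsupported version")
    if length < HEADER_LEN or length % 4 or length != len(msg):
        raise ValueError("bad message length")
    return {
        "is_answer": not flags & R_BIT,
        "is_retransmit": bool(flags & T_BIT),
        "command_code": code,
        "application_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(msg):
    """Return the priority for one message according to RULES."""
    h = parse_header(msg)
    fields = (h["is_answer"], h["is_retransmit"],
              h["command_code"], h["application_id"])
    for *wanted, priority in RULES:
        if all(w is None or w == f for w, f in zip(wanted, fields)):
            return priority
    return "Normal"


def build_header(flags, code, app_id, hop_by_hop=1, end_to_end=1):
    """Constructed header-only sample message (no AVPs), for illustration."""
    return (bytes([1]) + HEADER_LEN.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end))
```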
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
condition or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from the Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
Mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
  distribution service that is responsible for the distribution of the configuration to all
  SDC nodes within the cluster. It also provides auditing, backup and restore
  functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
  manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
  automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console,
Configuration Manager, Web Service Provisioning Interface (SOAP), HTTPS Web Access,
SNMP/Syslog, Fault and Performance Manager, Security and Administration Manager, CLI,
OAM, SDC Core, SDC Node)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture: Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture: Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.

Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware - RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring (Network Switch Redundancy) | Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy: Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy: Active-Standby deployment mode
Figure 41: Geographical redundancy: Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding of the payload of AVP(s)
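The CER access control of section 11.5 and the message screening of section 11.6 can both be shown on the Diameter wire format. The following is an added Python example, not SDC code: the policy structure, the function names, the 4096-byte limit and the sample CER are assumptions, and only the RFC 6733 encoding and AVP codes are standard.

```python
import hashlib
import hmac
import ipaddress
import struct

CER = 257                                  # Capabilities-Exchange command code
HOST_IP, AUTH_APP_ID, ORIGIN_HOST, PRODUCT_NAME, ORIGIN_REALM = 257, 258, 264, 269, 296
MAX_MSG_LEN = 4096                         # assumed operator limit, not from the page


def avp(code, data, flags=0x40):
    """Encode one AVP without a Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def message(cmd, app_id, avps, flags=0x80):
    """Encode a message; hop-by-hop and end-to-end ids are fixed sample values."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)


def parse(raw, max_len=MAX_MSG_LEN):
    """Return (command, app id, [(code, flags, data, encoded AVP)]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds maximal length")
    if declared != len(raw) or declared % 4:
        raise ValueError("length field does not match payload")
    avps, pos = [], 20
    while pos < len(raw):
        if pos + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", raw[pos:pos + 5])
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8     # the V bit adds a Vendor-Id field
        end = pos + length + (-length % 4)
        if length < header or end > len(raw):
            raise ValueError("bad AVP length")
        avps.append((code, flags, raw[pos + header:pos + length], raw[pos:end]))
        pos = end
    return int.from_bytes(raw[5:8], "big"), struct.unpack("!I", raw[8:12])[0], avps


def check_cer(raw, policy):
    """Apply a CER access policy; return ("ACCEPT" or "REJECT", reason)."""
    try:
        cmd, _, avps = parse(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if cmd != CER:
        return "REJECT", "not a CER"
    base = {}                                  # base-protocol AVPs only (no V bit)
    for code, data in ((c, d) for c, f, d, _ in avps if not f & 0x80):
        base.setdefault(code, []).append(data)
    realm = base.get(ORIGIN_REALM, [b""])[0].decode("utf-8", "replace")
    if realm not in policy["realms"]:
        return "REJECT", "realm not allowed"
    # Host-IP-Address: 2-byte family (1 = IPv4) + address; only IPv4 is evaluated here.
    addrs = [ipaddress.ip_address(d[2:]) for d in base.get(HOST_IP, [])
             if len(d) == 6 and d[:2] == b"\x00\x01"]
    if not addrs or not all(any(a in net for net in policy["subnets"]) for a in addrs):
        return "REJECT", "address not allowed"
    apps = {int.from_bytes(d, "big") for d in base.get(AUTH_APP_ID, [])}
    if not apps & policy["app_ids"]:
        return "REJECT", "no permitted application-id"
    return "ACCEPT", "policy matched"


def pseudonym(key):
    """Keyed, repeatable replacement: equal inputs keep mapping to equal outputs."""
    return lambda data: hmac.new(key, data, hashlib.sha256).hexdigest()[:24].encode()


def screen(raw, remove=(), rewrite=None):
    """Drop or rewrite base-protocol AVPs, then re-encode with a corrected length."""
    out = []
    for code, flags, data, encoded in parse(raw)[2]:
        if flags & 0x80 or (code not in remove and code not in (rewrite or {})):
            out.append(encoded)                # untouched AVPs are copied byte for byte
        elif code not in remove:
            out.append(avp(code, rewrite[code](data), flags))
    return raw[:1] + (20 + sum(map(len, out))).to_bytes(3, "big") + raw[4:20] + b"".join(out)


# Constructed sample CER (not captured traffic) and a sample policy.
SAMPLE_CER = message(CER, 0, [
    avp(ORIGIN_HOST, b"mme01.visited.example"),
    avp(ORIGIN_REALM, b"visited.example"),
    avp(HOST_IP, b"\x00\x01" + bytes([192, 0, 2, 10])),
    avp(PRODUCT_NAME, b"sample-mme"),
    avp(AUTH_APP_ID, (16777251).to_bytes(4, "big")),   # S6a/S6d application id
])
POLICY = {"realms": {"visited.example"}, "app_ids": {16777251},
          "subnets": [ipaddress.ip_network("192.0.2.0/24")]}
```

The Host-IP-Address AVP is a claim made by the peer, so a deployed policy would also compare it with the transport source address of the connection; that socket-level check is outside this example.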
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (figure note: Virtual IPs for SCTP and TCP; all VIPs are doubled per Internal and External Networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Network: Data Signaling
Addressing: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
  will be required (for VRRP Switch Redundancy)

Network: OAM Management and Backup Network Connection
Addressing: One IP Address per hardware blade plus one Management VIP (4
addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and
  Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

Network: OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Addressing: Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis/Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high-capacity, high-performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
• Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
• Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
• Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
7 SDC Platform Architecture
SDC is a modular platform that allows easy integration of new services, providing
flexible mechanisms for adding new external components. As shown in Figure 8,
external components can easily be added to the SDC by creating one point of
contact between the component and a FEP, or the component and a CPF. The
architecture also allows CPFs to be added without affecting other system
components.
[Figure 8 labels: HA Cluster; Config Mgr; Shared Memory; CPF (x4); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 8 SDC Platform Architecture
7.1 Configuration Manager
The Configuration Manager serves as the system configuration repository, enabling
configuration management and distribution between the nodes. This module manages the
configuration information for interconnected peers as well as their status, protocol
dictionaries and deployed business rules.
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management, pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as mentioned above, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point that hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation point that hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
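The two enforcement levels described above can be sketched as follows. This is an added example, not SDC code or its rule syntax: the rule classes, the octet-wise `*` wildcard, the first-match/default-deny ordering and all sample peers are assumptions made for illustration.

```python
"""IP-level ACL plus application-level check of the first Diameter request (CER)."""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase

GX, S6A = 16777238, 16777251       # 3GPP Gx and S6a Diameter application ids


@dataclass(frozen=True)
class IpRule:
    action: str                    # "allow" or "deny"
    pattern: str                   # dotted IPv4; "*" stands for one whole octet (assumed syntax)


@dataclass(frozen=True)
class AppRule:
    action: str
    origin_host: str               # wildcard pattern for Origin-Host
    origin_realm: str              # wildcard pattern for Origin-Realm
    app_ids: frozenset = frozenset()   # permitted Auth-Application-Ids; empty = any


def ip_rule_matches(pattern, addr):
    # Compare octet by octet so that "10.1.*.*" can never match 10.10.x.x,
    # which a plain string glob such as "10.1*" would.
    p_octets, a_octets = pattern.split("."), addr.split(".")
    if len(p_octets) != 4 or len(a_octets) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(p_octets, a_octets))


def check_ip(addr, acl):
    try:
        addr = str(ipaddress.IPv4Address(addr))    # reject malformed input
    except ValueError:
        return False
    for rule in acl:                               # first match wins
        if ip_rule_matches(rule.pattern, addr):
            return rule.action == "allow"
    return False                                   # default deny


def check_cer(cer, rules):
    host, realm = cer.get("Origin-Host"), cer.get("Origin-Realm")
    if not host or not realm:                      # identity AVPs are mandatory
        return False
    host, realm = host.lower(), realm.lower()      # DNS-style names: compare case-insensitively
    offered = set(cer.get("Auth-Application-Id", []))
    for rule in rules:
        if not fnmatchcase(host, rule.origin_host):
            continue
        if not fnmatchcase(realm, rule.origin_realm):
            continue
        # The peer must advertise something, and nothing outside the permitted set.
        if rule.app_ids and not (offered and offered <= rule.app_ids):
            continue
        return rule.action == "allow"
    return False                                   # default deny


def admit_peer(src_ip, cer, acl, rules):
    """Return (admitted, stage) where stage names the level that decided."""
    if not check_ip(src_ip, acl):
        return (False, "ip-acl")
    if not check_cer(cer, rules):
        return (False, "cer-rule")
    return (True, "ok")


# Constructed sample policy and peer (documentation address ranges, made-up realms).
ACL = [
    IpRule("deny", "192.0.2.66"),
    IpRule("allow", "192.0.2.*"),
    IpRule("allow", "198.51.100.7"),
]
RULES = [
    AppRule("deny", "*", "blocked.example.net"),
    AppRule("allow", "*.partner-a.example.net", "partner-a.example.net", frozenset({GX})),
]
PARTNER_CER = {
    "Origin-Host": "PCEF1.partner-a.example.net",
    "Origin-Realm": "partner-a.example.net",
    "Auth-Application-Id": [GX],
}
```

A peer that passes the IP ACL but advertises an application outside its permitted set is refused at the CER stage, which is the case an IP-only filter cannot catch.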
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages:
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11 labels: Client Peer; Transformation Engine; Server Peer; Request and Response on each side, in the Client→Server and Client←Server directions]
Figure 11 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd-party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address, or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
[Figure 15 labels: Diameter Client (1); HTTP Client (1); Session Binding; Diameter Server; HTTP Server; Binding Name: PCRF1]
Figure 15 Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out-of-session, server-initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source – as shown in Figure 21 –
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
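The routing example above, together with the Gx/Rx binding described earlier in this section, can be sketched as follows. This is an added example and not the Groovy rule from Figures 20 and 21: the message dictionaries, the IMSI ranges, the 15-digit IMSI assumption and the `Router` class are constructed for illustration; only the pool names come from the page. It goes slightly beyond the figure by also showing decision persistence and a Framed-IP-Address binding key.

```python
"""IMSI-range routing with per-session persistence and Gx/Rx session binding."""
END_USER_IMSI = 1                   # Subscription-Id-Type value defined in RFC 4006
GX_APP_ID, RX_APP_ID = 16777238, 16777236

# Constructed IMSI ranges (test PLMN 001/01); the pool names are the page's.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(msg):
    """Return the IMSI carried in the grouped Subscription-Id AVP, or None."""
    for sub in msg.get("Subscription-Id", []):
        if sub.get("Subscription-Id-Type") != END_USER_IMSI:
            continue                                  # e.g. an E.164 entry
        data = sub.get("Subscription-Id-Data")
        # Assumption: 15-digit IMSIs only, so string comparison equals numeric order.
        if isinstance(data, str) and data.isascii() and data.isdigit() and len(data) == 15:
            return data
    return None


def pool_for_imsi(imsi):
    if imsi is None:                                  # AVP missing or malformed
        return DEFAULT_POOL
    for low, high, pool in IMSI_RANGES:
        if low <= imsi <= high:
            return pool
    return DEFAULT_POOL                               # IMSI not in any range


class Router:
    def __init__(self):
        self.sessions = {}     # Session-Id -> pool, fixed at session establishment
        self.bindings = {}     # binding key (Framed-IP-Address) -> master's pool
        self.masters = {}      # master Session-Id -> binding key, for clean-up

    def route(self, msg):
        sid = msg["Session-Id"]
        if sid in self.sessions:                      # decision persists for the session
            return self.sessions[sid]
        key = msg.get("Framed-IP-Address")
        if msg.get("Auth-Application-Id") == GX_APP_ID:
            pool = pool_for_imsi(extract_imsi(msg))   # master session: apply the rule
            if key:
                self.bindings[key] = pool
                self.masters[sid] = key
        else:
            # Slave session (e.g. Rx): inherit the pool chosen for its master.
            pool = self.bindings.get(key, DEFAULT_POOL)
        self.sessions[sid] = pool
        return pool

    def terminate(self, sid):
        """Drop session state; a terminated master also releases its binding."""
        self.sessions.pop(sid, None)
        key = self.masters.pop(sid, None)
        if key is not None:
            self.bindings.pop(key, None)


# Constructed sample messages.
GX_CCR_INITIAL = {
    "Session-Id": "pcef1.example.net;1;1",
    "Auth-Application-Id": GX_APP_ID,
    "Framed-IP-Address": "10.0.0.5",
    "Subscription-Id": [
        {"Subscription-Id-Type": 0, "Subscription-Id-Data": "15551230000"},
        {"Subscription-Id-Type": END_USER_IMSI, "Subscription-Id-Data": "001010600000001"},
    ],
}
RX_AAR = {
    "Session-Id": "af1.example.net;9;9",
    "Auth-Application-Id": RX_APP_ID,
    "Framed-IP-Address": "10.0.0.5",
}
```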
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Figure 23 labels: Clients; Internet; Router; SDC; Remote Peers; "Traffic is contextually distributed according to session ID"]
Figure 23 Contextual Policy
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
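Three of the policies above (By Precedence, Contextual and Weighted Round Robin) are sketched below as an added example; it is not SDC's implementation. The peer names, the SHA-256 slot mapping for the Context ID and the quota-per-cycle reading of Weighted Round Robin are assumptions; the 3:2:1:1 weights follow the sample distribution mentioned in the text.

```python
"""By Precedence, Contextual and Weighted Round Robin pool policies (sketch)."""
import hashlib

# Constructed pool: peer names are made up, weights follow the 3:2:1:1 sample.
POOL = {"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1}


def in_service(pool, out_of_service=()):
    """Peers in pool order, minus those health monitoring has taken out."""
    up = [p for p in pool if p not in out_of_service]
    if not up:
        raise LookupError("no peer in the pool is in service")
    return up


def by_precedence(pool, out_of_service=()):
    """Always the first in-service peer; later peers only act as fallback."""
    return in_service(pool, out_of_service)[0]


def contextual(pool, context_id, out_of_service=()):
    """Hash the Context ID onto weight-proportional slots of in-service peers.

    A stable hash (not Python's randomized hash()) keeps the mapping identical
    across processes. When the in-service set changes, the slot list changes too,
    so only decisions for new sessions are affected by the new mapping.
    """
    slots = [p for p in in_service(pool, out_of_service) for _ in range(pool[p])]
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


class WeightedRoundRobin:
    """Round robin that skips a peer once it has used its quota for the cycle."""

    def __init__(self, pool):
        if not pool or any(weight < 1 for weight in pool.values()):
            raise ValueError("every peer needs a weight of at least 1")
        self.pool = dict(pool)
        self.order = list(self.pool)
        self.used = dict.fromkeys(self.order, 0)
        self.pos = 0

    def pick(self, out_of_service=()):
        up = set(in_service(self.pool, out_of_service))
        if all(self.used[p] >= self.pool[p] for p in up):
            self.used = dict.fromkeys(self.order, 0)    # every quota spent: new cycle
            self.pos = 0
        n = len(self.order)
        for step in range(n):
            peer = self.order[(self.pos + step) % n]
            if peer in up and self.used[peer] < self.pool[peer]:
                self.used[peer] += 1
                self.pos = (self.pos + step + 1) % n
                return peer
        raise AssertionError("unreachable: some in-service peer has spare quota")


def wrr_sequence(pool, count, out_of_service=()):
    """Convenience wrapper: the first `count` picks of a fresh scheduler."""
    scheduler = WeightedRoundRobin(pool)
    return [scheduler.pick(out_of_service) for _ in range(count)]
```

With the sample weights, one full cycle is seven picks, and a peer that is out of service is skipped without disturbing the quotas of the others.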
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27 labels: Client Peer; Transformation Engine; Server Peer; Request and Response on each side, in the Client→Server and Client←Server directions]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message-oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate, or by bounding
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters' operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
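The following added example (not SDC code) models the token bucket, the Channel Rate Limiter and the Global Rate Limiter described above. The class names, the millisecond clock passed in by the caller and all rates are assumptions chosen for illustration; the token bucket itself stands in for the product's traffic estimation.

```python
from collections import Counter
from dataclasses import dataclass, field

READ, CHANNEL_PAUSED, GLOBAL_PAUSED = "read", "channel-paused", "global-paused"


@dataclass
class TokenBucket:
    rate: float                       # tokens added per second (sustained limit)
    burst: float                      # bucket capacity (allowed burstiness)
    tokens: float = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst      # the bucket starts full

    def conforms(self, cost, now_ms):
        """Refill for the elapsed time, then cash in `cost` tokens if present."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate / 1000)
        self.last_ms = now_ms
        if cost > self.tokens:
            return False              # non-conforming: no tokens are removed
        self.tokens -= cost
        return True


class ReadLimiter:
    """Token bucket plus the 'stop reading for a configurable time' reaction."""

    def __init__(self, rate, burst, pause_ms):
        self.bucket = TokenBucket(rate, burst)
        self.pause_ms = pause_ms
        self.paused_until = 0

    def paused(self, now_ms):
        return now_ms < self.paused_until

    def allow(self, cost, now_ms):
        if self.paused(now_ms):
            return False
        if self.bucket.conforms(cost, now_ms):
            return True
        self.paused_until = now_ms + self.pause_ms   # limit exceeded: pause reads
        return False


class Ingress:
    """Per-channel message limiter in front of one global byte limiter."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause_ms):
        self.channel_args = (msg_rate, msg_burst, pause_ms)
        self.channels = {}
        self.global_bytes = ReadLimiter(byte_rate, byte_burst, pause_ms)

    def read(self, peer, size, now_ms):
        if self.global_bytes.paused(now_ms):
            return GLOBAL_PAUSED                      # nothing is read from any peer
        if peer not in self.channels:
            self.channels[peer] = ReadLimiter(*self.channel_args)
        if not self.channels[peer].allow(1, now_ms):  # cost: one message
            return CHANNEL_PAUSED                     # only this peer is affected
        if not self.global_bytes.allow(size, now_ms): # cost: message bytes
            return GLOBAL_PAUSED
        return READ


def simulate_flood():
    """Constructed traffic: 'flooder' sends every 10 ms, 'normal' every 200 ms."""
    ingress = Ingress(msg_rate=25, msg_burst=5,
                      byte_rate=1_000_000, byte_burst=1_000_000, pause_ms=500)
    events = [(t, "flooder", 200) for t in range(0, 1000, 10)]
    events += [(t, "normal", 200) for t in range(0, 1000, 200)]
    outcome = Counter()
    for t, peer, size in sorted(events):
        outcome[(peer, ingress.read(peer, size, t))] += 1
    return outcome


if __name__ == "__main__":
    for key, count in sorted(simulate_flood().items()):
        print(key, count)
```

In the constructed run the flooding peer is read only during its burst allowance after each pause, while the well-behaved peer on its own channel is never held back.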
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Bit offset | bits 0-7 | bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs

When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
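As an added illustration (not part of the product documentation), the sketch below parses the 20-byte Diameter header laid out above and applies a first-match priority table with "does not matter" wildcards. The two rules, the function names and the sample headers are constructed; the flag bits, command code 272 and the Gx/Rx application IDs are the standard RFC 6733 and 3GPP values.

```python
import struct
from typing import NamedTuple

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10       # Request and re-Transmit bits (RFC 6733)
ANY = None                        # "does not matter" in the priority table

CREDIT_CONTROL = 272              # CCR/CCA command code
GX_APP_ID = 16777238              # 3GPP Gx
RX_APP_ID = 16777236              # 3GPP Rx


class Header(NamedTuple):
    length: int
    is_answer: bool               # an answer is a message with the R bit clear
    is_retransmit: bool
    command_code: int
    application_id: int


def parse_header(data):
    """Decode the fixed header; reject anything that cannot be a Diameter message."""
    if len(data) < HEADER_LEN:
        raise ValueError("short Diameter header")
    ver_len, flags_cmd, app_id, _hop, _end = struct.unpack("!IIIII", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    flags = flags_cmd >> 24
    return Header(length, not flags & FLAG_R, bool(flags & FLAG_T),
                  flags_cmd & 0xFFFFFF, app_id)


# Constructed rule table: (is_answer, is_retransmit, command_code, app_id, priority)
RULES = [
    (True, ANY, CREDIT_CONTROL, ANY, "high"),    # CCA over CCR
    (ANY, ANY, ANY, GX_APP_ID, "high"),          # Gx over Rx
]


def priority(header, rules=RULES):
    """First matching rule wins; with no match, normal priority is used."""
    fields = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for *pattern, level in rules:
        if all(want is ANY or want == got for want, got in zip(pattern, fields)):
            return level
    return "normal"


def build_header(flags, command_code, application_id, length=HEADER_LEN):
    """Constructed sample header (hop-by-hop and end-to-end IDs are arbitrary)."""
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | command_code,
                       application_id, 0x1001, 0x2002)


def classify(data):
    return priority(parse_header(data))


if __name__ == "__main__":
    samples = {
        "CCR on Gx": build_header(FLAG_R, CREDIT_CONTROL, GX_APP_ID),
        "CCA on app 4": build_header(0x00, CREDIT_CONTROL, 4),
        "CCR on app 4": build_header(FLAG_R, CREDIT_CONTROL, 4),
        "AAR on Rx": build_header(FLAG_R, 265, RX_APP_ID),
    }
    for name, raw in samples.items():
        print(name, classify(raw))
```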
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
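A minimal model of the In Session Monitoring rule just described, added here as an illustration and not taken from SDC: error events are counted in a sliding window, and a peer that exceeds the threshold is taken out of service for a fixed interval, during which new sessions go to another peer. The class and function names, the window-based rate measure and every threshold value are assumptions.

```python
from collections import Counter, deque

DIAMETER_SUCCESS = 2001
DIAMETER_TOO_BUSY = 3004


class PeerHealth:
    def __init__(self, max_errors, window_ms, out_of_service_ms, max_response_ms):
        self.max_errors = max_errors              # threshold per window
        self.window_ms = window_ms
        self.out_of_service_ms = out_of_service_ms
        self.max_response_ms = max_response_ms
        self.errors = deque()                     # (timestamp_ms, kind)
        self.out_until = 0
        self.last_reason = None                   # error mix, for the alarm text

    def classify(self, result_code, response_ms):
        """Map one transaction outcome to an error kind, or None if healthy."""
        if result_code is None:
            return "timeout"                      # no answer arrived
        if result_code == DIAMETER_TOO_BUSY:
            return "busy"
        if result_code >= 3000:
            return "error"                        # protocol/transient/permanent
        if response_ms is not None and response_ms > self.max_response_ms:
            return "slow"
        return None

    def record(self, now_ms, result_code, response_ms=None):
        kind = self.classify(result_code, response_ms)
        if kind is None:
            return
        self.errors.append((now_ms, kind))
        while self.errors[0][0] <= now_ms - self.window_ms:
            self.errors.popleft()                 # forget events outside the window
        if len(self.errors) > self.max_errors:
            self.out_until = now_ms + self.out_of_service_ms
            self.last_reason = dict(Counter(k for _, k in self.errors))
            self.errors.clear()                   # start clean after the interval

    def in_service(self, now_ms):
        return now_ms >= self.out_until


def pick_peer(pool, now_ms):
    """Peer for a NEW session: first in-service peer, or None to reject."""
    for name, health in pool.items():
        if health.in_service(now_ms):
            return name
    return None


def run_sample():
    """Constructed outcomes for 'pcrf-1': (time_ms, result_code, response_ms)."""
    pool = {name: PeerHealth(3, 1000, 5000, 200) for name in ("pcrf-1", "pcrf-2")}
    outcomes = [(0, DIAMETER_SUCCESS, 20), (100, DIAMETER_TOO_BUSY, 15),
                (200, None, None), (300, DIAMETER_SUCCESS, 500)]
    for t, code, rtt in outcomes:
        pool["pcrf-1"].record(t, code, rtt)
    before = pick_peer(pool, 350)
    pool["pcrf-1"].record(400, DIAMETER_TOO_BUSY, 10)   # fourth error in 1 s
    during = pick_peer(pool, 401)
    after = pick_peer(pool, 5400)
    return before, during, after, pool["pcrf-1"].last_reason


if __name__ == "__main__":
    print(run_sample())
```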
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM supports backing up the configuration and restoring it from the backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- The SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- The Config Manager process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture (Normal operation)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one
      time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using the Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture (Failure operation)
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):

Component | Service HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris: IPMP ICMP Probe IP Address monitoring; Linux: Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10 ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
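The connection-level access control described in 11.5, sketched as an added example (it is not SDC code or SDC configuration syntax): an ordered, first-match ACL evaluated over the decoded fields of a CER, rejecting anything that matches no rule. The rule fields, peer names, realms and addresses are constructed for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cer:
    """Decoded fields of a Capabilities-Exchange-Request plus its source address."""
    source_ip: str
    origin_host: str
    origin_realm: str
    product_name: str
    app_ids: set = field(default_factory=set)  # advertised Auth/Acct-Application-Id values


@dataclass(frozen=True)
class AclRule:
    action: str                       # "ACCEPT" or "REJECT"
    subnet: str = ""                  # source network the rule covers; empty = any source
    host: str = "*"                   # wildcard pattern for Origin-Host
    realm: str = "*"                  # wildcard pattern for Origin-Realm
    product: str = "*"                # wildcard pattern for Product-Name
    app_ids: frozenset = frozenset()  # empty = any application

    def matches(self, cer: Cer) -> bool:
        try:
            source = ipaddress.ip_address(cer.source_ip)
        except ValueError:
            return False              # an unparsable source address matches no rule
        if self.subnet and source not in ipaddress.ip_network(self.subnet):
            return False
        # Diameter identities are FQDNs, so patterns are compared case-insensitively.
        pairs = ((cer.origin_host, self.host), (cer.origin_realm, self.realm),
                 (cer.product_name, self.product))
        if not all(fnmatch.fnmatchcase(v.lower(), p.lower()) for v, p in pairs):
            return False
        # A rule that lists applications covers a peer only if every application
        # the peer advertises is in the list.
        if self.app_ids and not (cer.app_ids and cer.app_ids <= self.app_ids):
            return False
        return True


def evaluate(rules, cer):
    """First matching rule wins; a CER that matches no rule is rejected."""
    for index, rule in enumerate(rules):
        if rule.matches(cer):
            return rule.action, index
    return "REJECT", None


S6A, GX = 16777251, 16777238          # 3GPP Diameter application ids

# Constructed policy: documentation address ranges and example realms only.
SAMPLE_RULES = [
    AclRule("REJECT", host="*.lab.example"),
    AclRule("ACCEPT", subnet="192.0.2.0/24", realm="epc.partner-a.example",
            app_ids=frozenset({S6A})),
    AclRule("ACCEPT", subnet="2001:db8:10::/48", realm="*.operator.example"),
]
```

Placing the REJECT rule first shows why ordering matters: a peer inside an accepted subnet is still refused when its Origin-Host matches the deny pattern.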
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram: a blade chassis with SDC worker
nodes, Virtual Fabric Switches 1 and 2 with external ports 10 x 10GbE + 1 x 1GB, L2/3 1GB
Copper Switches A and B, interswitch links, INBAND connections to upstream routers, and
virtual IPs for SCTP and TCP on the internal and external networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action

Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection | One IP Address per hardware blade plus one
Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with the option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow (diagram labels: Thread Pool; Resources Pool (Buffers/Queues);
Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL;
Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile;
In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control;
Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table;
Message Flow; Decision Flow; Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
The Element Management System (EMS), an optional add-on for multi-site deployments,
manages the configuration information for certain components of the installed SDC sites.
7.2 Web UI and SOAP
Provides both a web-based interactive GUI and a SOAP-based programmatic system
configuration and provisioning interface. It is responsible for performance statistics
collection and presentation.
7.3 Control Plane Function (CPF)
The Control Plane Function is the core component in the SDC architecture, providing
Session management, Routing, Load Balancing and message manipulation services.
CPF provides replication, alarms and logging support, as well as basic functionalities
required for integrating new services and modules that are not part of the standard
deployment, enabling customization of the solution.
An example of such customization is adding support for SLF (Service Location Function)
as an external application loaded by the Traffix solution. This SLF function is called within
the Traffix solution rules management, and on its backplane it communicates with
proprietary interfaces as supported by the Java application.
7.4 Front-End Proxy (FEP)
The Front-End Proxy is a network distribution point in SDC. It is built on top of the CPF
framework to take advantage of the CPF management pipeline and other infrastructures.
FEP maintains a steady single TCP connection with the multiple CPF nodes. For each
Remote Node, it manages the connection and state machine, providing statistics and
management capabilities for the connections and the traffic.
The FEP and CPF nodes, as aforesaid, share the same framework. Both nodes construct a
transport pipeline with each of their peers. The FEP node is responsible for managing the
peers' state machines and for maintaining and configuring the connections.
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote
Servers connect to a single connection point; therefore the requirement to maintain a
complex network with multiple links becomes redundant. Each Remote Server is now
connected to the FEP, while the FEP is automatically connected to all CPF nodes.
Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9: FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture
from external clients and performs Peer management.
• FEP-O: A single network aggregation hides the internal network architecture from
external servers and performs Peer management.
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all
FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects
to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (diagram: a Client Peer, the Transformation Engine
and a Server Peer, with Request and Response messages transformed in both the Client→Server
and Client←Server directions)
As seen in the above figure, SDC provides flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service
providers with the flexibility to implement the different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions, such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs, such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using the SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters, and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
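The master/slave binding described above, as an added sketch (not SDC code): a Gx master session is routed by a rule, and an Rx slave session inherits that decision through a binding key built from common AVPs. The APN-based routing rule, peer names, Session-Id values and addresses are constructed; the sample also shows why the page lists Called-Station-ID plus Framed-IP-Address as a key, since Framed-IP-Address alone collides when two APNs hand out the same private address.

```python
from typing import Callable, Dict, Mapping, Optional, Sequence, Tuple

Key = Tuple[str, ...]


class SessionBinder:
    """Routes a master session by rule and lets slave sessions inherit the result."""

    def __init__(self, key_avps: Sequence[str],
                 route_master: Callable[[Mapping[str, str]], str]):
        self.key_avps = tuple(key_avps)
        self.route_master = route_master
        self._peer_by_key: Dict[Key, str] = {}    # binding key -> peer chosen for the master
        self._key_by_master: Dict[str, Key] = {}  # master Session-Id -> its binding key

    def _key(self, avps: Mapping[str, str]) -> Optional[Key]:
        try:
            return tuple(avps[name] for name in self.key_avps)
        except KeyError:
            return None                           # a message missing a key AVP cannot be bound

    def open_master(self, session_id: str, avps: Mapping[str, str]) -> str:
        peer = self.route_master(avps)
        key = self._key(avps)
        if key is not None:
            self._peer_by_key[key] = peer
            self._key_by_master[session_id] = key
        return peer

    def route_slave(self, avps: Mapping[str, str]) -> Optional[str]:
        key = self._key(avps)
        return None if key is None else self._peer_by_key.get(key)

    def close_master(self, session_id: str) -> None:
        key = self._key_by_master.pop(session_id, None)
        if key is not None:
            self._peer_by_key.pop(key, None)      # slaves can no longer bind to this master


def route_by_apn(avps: Mapping[str, str]) -> str:
    # Constructed master routing rule: one PCRF per APN.
    pools = {"internet": "pcrf-a", "ims": "pcrf-b"}
    return pools.get(avps.get("Called-Station-Id", ""), "pcrf-default")


# Constructed traffic: two UEs on different APNs that were given the same private address.
GX_UE1 = {"Session-Id": "pgw1;1;1", "Framed-IP-Address": "10.0.0.5", "Called-Station-Id": "internet"}
GX_UE2 = {"Session-Id": "pgw2;7;3", "Framed-IP-Address": "10.0.0.5", "Called-Station-Id": "ims"}
RX_UE1 = {"Session-Id": "af1;4;9", "Framed-IP-Address": "10.0.0.5", "Called-Station-Id": "internet"}


def bind_and_route(key_avps: Sequence[str]):
    """Return where UE1's Rx session goes while its Gx master is open, and after it closes."""
    binder = SessionBinder(key_avps, route_by_apn)
    for gx in (GX_UE1, GX_UE2):
        binder.open_master(gx["Session-Id"], gx)
    during = binder.route_slave(RX_UE1)
    binder.close_master(GX_UE1["Session-Id"])
    after = binder.route_slave(RX_UE1)
    return during, after
```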
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and table.
Figure 15: Multi-Protocol Session Binding (diagram: a Diameter Client and an HTTP Client
linked by Session Binding to a Diameter Server and an HTTP Server that share the Binding
Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
84 Load Balancing
SDC offers several load balancing policies Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool
This section details the different policies according to which the load balancing mechanism
may operate explains the differences between them and describes the conditions under
which each policy should be used
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy (Clients/Internet, Router, SDC and Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which a new request is
delivered is the next available in the row. Round Robin is a static algorithm: no external
parameters are taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by each peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no
external parameters are taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in the row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of each peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation (Transformation Engine between the Client Peer and the Server Peer; Request and Response in each direction, Client->Server and Client<-Server)
As seen in the above figure, SDC provides this flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
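The token bucket check and the channel and global limiters described above, combined in one added Python example (not SDC code): a per-peer bucket and a shared bucket decide whether a message is read, and a non-conforming message pauses reading for a configurable time. The class names, the rates, the pause length and the simulated traffic are assumptions; time is kept in integer milliseconds so the result is exact.

```python
class TokenBucket:
    """Token bucket using integer math: time in ms, level in milli-tokens."""

    def __init__(self, rate_per_s, burst, now_ms=0):
        self.rate = rate_per_s           # tokens added per second
        self.cap = burst * 1000          # bucket size, in milli-tokens
        self.level = self.cap            # the bucket starts full
        self.stamp = now_ms

    def conforms(self, cost, now_ms):
        """Refill for the elapsed time, then try to cash in `cost` tokens."""
        elapsed = max(0, now_ms - self.stamp)
        self.level = min(self.cap, self.level + elapsed * self.rate)
        self.stamp = now_ms
        if cost * 1000 > self.level:
            return False                 # non-conforming: nothing is removed
        self.level -= cost * 1000
        return True


class ReadLimiter:
    """Channel (per peer) and global limiter that pauses reading on excess.

    cost=1 models the message rate limiter; passing the message length as
    cost models the byte rate limiter.
    """

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst, pause_ms):
        self.peer_rate, self.peer_burst = peer_rate, peer_burst
        self.pause_ms = pause_ms
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peer_buckets = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0

    def on_message(self, peer, now_ms, cost=1):
        """Return 'read', 'peer-paused' or 'global-paused' for one message."""
        if now_ms < self.global_paused_until:
            return "global-paused"
        if now_ms < self.peer_paused_until.get(peer, 0):
            return "peer-paused"
        if peer not in self.peer_buckets:
            self.peer_buckets[peer] = TokenBucket(
                self.peer_rate, self.peer_burst, now_ms)
        if not self.peer_buckets[peer].conforms(cost, now_ms):
            self.peer_paused_until[peer] = now_ms + self.pause_ms
            return "peer-paused"
        if not self.global_bucket.conforms(cost, now_ms):
            self.global_paused_until = now_ms + self.pause_ms
            return "global-paused"
        return "read"


def simulate_flood():
    """Constructed traffic: one peer sends 100 msg/s, another 5 msg/s, for 1 s."""
    limiter = ReadLimiter(peer_rate=10, peer_burst=10,
                          global_rate=1000, global_burst=1000, pause_ms=500)
    events = [(t, "flooding-peer") for t in range(0, 1000, 10)]
    events += [(t, "normal-peer") for t in range(0, 1000, 200)]
    read = {"flooding-peer": 0, "normal-peer": 0}
    for now_ms, peer in sorted(events):
        if limiter.on_message(peer, now_ms) == "read":
            read[peer] += 1
    return read


if __name__ == "__main__":
    print(simulate_flood())
```

In the simulation the flooding peer gets its burst of messages through, is paused, and is paused again as soon as it resumes at the same rate, while the well-behaved peer is never delayed.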
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header - R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal |
Diameter header layout (each row is 32 bits wide):
Bit offset 0: version (bits 0-7), message length (bits 8-31)
Bit offset 32: flags R P E T (bits 0-7), command code (bits 8-31)
Bit offset 64: application ID
Bit offset 96: hop-by-hop ID
Bit offset 128: end-to-end ID
Bit offset 160: AVPs
When prioritization is performed using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5 on the latency.
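A header-only classifier for the priority table above, as an added Python example (not SDC's implementation): it parses the fixed 20-byte Diameter header and returns the priority of the first matching row. The table rows and function names are assumptions; the flag masks follow RFC 6733, where a set R bit marks a request, so "is answer" means the R bit is clear.

```python
import struct

FLAG_R, FLAG_T = 0x80, 0x10   # RFC 6733: R set = request, T set = retransmission
GX, RX = 16777238, 16777236   # 3GPP Gx and Rx application IDs
CC, AA = 272, 265             # Credit-Control and AA command codes

# Constructed priority table: (is_answer, is_retransmit, command, app_id, priority).
# None means "does not matter"; the first matching row wins.
PRIORITY_TABLE = [
    (True, None, CC, GX, "High"),       # CCA over CCR on Gx
    (None, True, None, None, "High"),   # any message with the T bit set
]


def parse_header(buf):
    """Parse and validate the 20-byte Diameter header; ValueError if invalid."""
    if len(buf) < 20:
        raise ValueError("shorter than the 20-byte Diameter header")
    ver_len, flags_cmd, app_id, _hop, _end = struct.unpack_from("!5I", buf)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("invalid message length")
    flags = flags_cmd >> 24
    return {
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command": flags_cmd & 0xFFFFFF,
        "app_id": app_id,
        "length": length,
    }


def classify(buf, table=PRIORITY_TABLE):
    """Return the priority for a message, 'Normal' when no row matches."""
    h = parse_header(buf)
    fields = (h["is_answer"], h["is_retransmit"], h["command"], h["app_id"])
    for *match, priority in table:
        if all(want is None or want == got for want, got in zip(match, fields)):
            return priority
    return "Normal"


def build_header(flags, command, app_id, length=20, hop=1, end=1):
    """Encode a header (helper for building the constructed samples)."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command,
                       app_id, hop, end)


if __name__ == "__main__":
    samples = {
        "CCA on Gx": build_header(0x40, CC, GX),
        "CCR on Gx": build_header(0xC0, CC, GX),
        "retransmitted AAR on Rx": build_header(0x90, AA, RX),
    }
    for name, raw in samples.items():
        print(name, "->", classify(raw))
```

Because only the fixed header is read, classification cost does not depend on the number of AVPs in the message.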
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
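The threshold logic described above, as an added Python example (not SDC code): error events per peer are counted in a sliding window, a peer that exceeds the threshold is taken out of service for a fixed interval, and new sessions go to the next in-service peer in pool order. The threshold values, the rule that any Result-Code of 3000 or above and any slow answer count as error events, and all names are assumptions.

```python
from collections import deque

DIAMETER_SUCCESS = 2001
DIAMETER_TOO_BUSY = 3004


class InSessionMonitor:
    """Sliding-window error counter with a timed out-of-service state per peer."""

    def __init__(self, max_errors, window_s, out_of_service_s, slow_ms):
        self.max_errors = max_errors              # errors tolerated per window
        self.window_s = window_s
        self.out_of_service_s = out_of_service_s
        self.slow_ms = slow_ms                    # slower answers count as errors
        self.errors = {}                          # peer -> deque of timestamps
        self.out_until = {}                       # peer -> time service resumes

    def observe(self, peer, now_s, result_code=None, response_ms=None):
        """Record one transaction; result_code None means the request timed out."""
        is_error = (result_code is None
                    or result_code >= 3000        # busy answers and other errors
                    or (response_ms is not None and response_ms > self.slow_ms))
        if not is_error:
            return
        events = self.errors.setdefault(peer, deque())
        events.append(now_s)
        while events[0] <= now_s - self.window_s:  # drop events outside the window
            events.popleft()
        if len(events) > self.max_errors:
            self.out_until[peer] = now_s + self.out_of_service_s
            events.clear()                         # start clean after the interval

    def in_service(self, peer, now_s):
        return now_s >= self.out_until.get(peer, 0)

    def pick(self, pool, now_s):
        """Return the first in-service peer in pool order, or None if all are out."""
        for peer in pool:
            if self.in_service(peer, now_s):
                return peer
        return None


def replay():
    """Constructed event sequence for one failing peer; returns the picks made."""
    monitor = InSessionMonitor(max_errors=3, window_s=10,
                               out_of_service_s=30, slow_ms=500)
    pool = ["pcrf-1", "pcrf-2"]
    picks = [monitor.pick(pool, 0)]
    monitor.observe("pcrf-1", 1)                              # timeout
    monitor.observe("pcrf-1", 2, DIAMETER_TOO_BUSY, 40)       # busy answer
    monitor.observe("pcrf-1", 3, DIAMETER_SUCCESS, 35)        # healthy answer
    monitor.observe("pcrf-1", 4, DIAMETER_SUCCESS, 900)       # slow answer
    picks.append(monitor.pick(pool, 4))                       # 3 errors: still in
    monitor.observe("pcrf-1", 5)                              # 4th error in 10 s
    picks += [monitor.pick(pool, t) for t in (6, 34, 35)]
    return picks


if __name__ == "__main__":
    print(replay())
```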
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33 Scalable Deployment Physical View ("Scalable Mode" SDC Node)
Figure 34 Scalable Deployment Logical View
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active / Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active / Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
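The following is an added example, not SDC code or SDC configuration syntax, of the connection-level checks described in the Diameter connection security section above: it parses the first message on a connection as a Diameter CER (RFC 6733 header and AVP layout), enforces a maximum message length, then applies a first-match ACL and a custom AVP policy. The rule format, the 4096-byte limit, the function names, the custom policy and the sample peers are assumptions made for illustration.

```python
import ipaddress
import struct

MAX_MESSAGE_LENGTH = 4096   # assumed operator limit, in bytes
CER = 257                   # Capabilities-Exchange command code (RFC 6733)
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, PRODUCT_NAME = 264, 296, 258, 269

# Constructed ACL: first matching rule wins, anything unmatched is rejected.
ACL = [
    {"action": "REJECT", "subnet": "198.51.100.0/24"},
    {"action": "ACCEPT", "subnet": "203.0.113.0/24",
     "realm": "partner.example.net", "app_id": 16777251},   # 16777251 = S6a
]


def parse_cer(msg):
    """Return {avp_code: [raw values]} for the base (non-vendor) AVPs of a CER."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) or length % 4 or length > MAX_MESSAGE_LENGTH:
        raise ValueError("bad or oversized message length")
    if not msg[4] & 0x80 or int.from_bytes(msg[5:8], "big") != CER:
        raise ValueError("first message on the connection is not a CER")
    avps, off = {}, 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        avp_len = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8          # V flag adds a Vendor-ID field
        if avp_len < hdr or off + avp_len > length:
            raise ValueError("AVP length out of bounds")
        if not flags & 0x80:
            avps.setdefault(code, []).append(msg[off + hdr:off + avp_len])
        off += avp_len + (-avp_len) % 4          # AVPs are padded to 4 bytes
    return avps


def custom_policy(peer):
    """Assumed custom rule: Origin-Host must sit inside the claimed realm."""
    return peer["host"].endswith("." + peer["realm"])


def decide(msg, source_ip):
    """ACCEPT or REJECT a connection from its first message and source IP."""
    try:
        avps = parse_cer(msg)
        peer = {
            "host": avps[ORIGIN_HOST][0].decode("ascii"),
            "realm": avps[ORIGIN_REALM][0].decode("ascii"),
            "app_ids": {struct.unpack("!I", v)[0]
                        for v in avps.get(AUTH_APP_ID, [])},
        }
    except (ValueError, KeyError, struct.error):
        return "REJECT"                          # malformed or incomplete CER
    if not custom_policy(peer):
        return "REJECT"
    addr = ipaddress.ip_address(source_ip)
    for rule in ACL:
        if addr not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "realm" in rule and rule["realm"] != peer["realm"]:
            continue
        if "app_id" in rule and rule["app_id"] not in peer["app_ids"]:
            continue
        return rule["action"]
    return "REJECT"


def avp(code, data, flags=0x40):
    """Encode one base AVP (used only to construct sample input)."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * ((-length) % 4))


def sample_cer(host, realm, app_id, command=CER):
    """Build a constructed CER for the demonstration below."""
    body = (avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
            + avp(AUTH_APP_ID, struct.pack("!I", app_id))
            + avp(PRODUCT_NAME, b"ExampleMME", flags=0))
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + command.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body


if __name__ == "__main__":
    cer = sample_cer("mme1.partner.example.net", "partner.example.net", 16777251)
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, decide(cer, ip))
```

Rejecting on any parse error keeps malformed or oversized first messages from reaching the rule evaluation at all.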
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. Diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (External Ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND; Interswitch Link; Connections to upstream Routers; Virtual IP for SCTP and TCP (all VIPs are doubled per Internal and External Networks).]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type Automatic Remedy Action
Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interfaces are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing Supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM (Management and Backup Network Connection): One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM (Chassis Hardware and Switch ("Lights-Out") Management and Monitoring): Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 (2).
[Figure 58: Detailed System Flow. Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Groovy Scripting. Legend: Message Flow, Decision Flow.]
(2) More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
As FEP is the connection point, and there usually is a single FEP in SDC, all Remote Servers are connecting to a single connection point; therefore, the requirement to maintain a complex network with multiple links becomes redundant. Each Remote Server is now connected to the FEP, while the FEP is automatically connected to all CPF nodes. Moreover, and as a byproduct, the topology is transparent to the user.
The following image depicts the basic network architecture:
Figure 9 FEP Network Architecture
The FEP nodes are bi-directional:
• FEP-I: A single network distribution point hides the internal network architecture from external clients and performs Peer management
• FEP-O: A single network aggregation hides the internal network architecture from external servers and performs Peer management
All FEP nodes are connected to all CPF nodes. When a new CPF node joins the cluster, all FEP nodes connect to it. When a new FEP node joins the cluster, it automatically connects to all CPF nodes.
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The pipeline consists of a chain of processing elements arranged so that the output of each element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10 SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer. Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing decision results in the selection of a destination pool for the session. A pool must contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination's format.
Selection of the applied processing elements depends on the connection type, signaling protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching conditions and priorities. The Routing and Load Balancing decisions are applied only at session establishment. The decisions are persistent for the entire duration of the stateful session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The Security rules at the IP level are defined in ACL format with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Figure 11: A 4 Way Message Transformation. Diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response shown in both the Client→Server and Client←Server directions.]
As seen in the above figure, SDC provides flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service providers with flexibility to implement different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request source and other properties to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs, such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system. SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned using SOAP API to the SDC internal provisioning database. When a new Diameter session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a new Diameter session's establishment, SDC will send a request to the location function. The request will include the query parameters, and the response will contain the appropriate pool for the specific request. The query parameters are extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method implements the same logic as described above, but instead of sending requests to an external system, SDC performs a programmatic call to an external library integrated within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003. The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the cache before sending the request to an external location function. The use of internal caching for routing decisions reduces the overall response time for the Diameter transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from different network elements and share common attributes. Bound sessions are handled as a session bundle composed of several sub-sessions. One such scenario is IP-CAN session binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the selected PCRF for some UE, all Rx sessions associated with the same UE should be routed to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC supports this binding functionality using sets of common AVPs that are available for both reference points. The functionality is available out-of-the-box. For example, for Gx and Rx it can be Framed-IP-Address, or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: Gx and Rx session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are applied with routing rules inherited from the Master Session.
The session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each time the Diameter Server is selected to handle a Diameter Master Session, the Master Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and table.
Figure 15: Multi-Protocol Session Binding (diagram labels: Diameter Server, HTTP Server, Diameter Client, HTTP Client, Session Binding, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out of session server initiated Diameter requests, SDC implements advanced routing rules that the user can use to define the required behavior. If no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the PCRF pool to which a particular session is routed:
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool.
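The rule above, worked through on raw AVP bytes as an added Python example (not the SDC routing script from Figure 20, which the page says is written as decision grids and Groovy). The IMSI ranges, the check of Subscription-Id-Type, and the choice to send malformed AVPs to the default pool are assumptions; only the pool names come from the page.

```python
import struct

# AVP codes from the Diameter Credit-Control application (RFC 4006), as used on Gx.
SUBSCRIPTION_ID = 443
SUBSCRIPTION_ID_DATA = 444
SUBSCRIPTION_ID_TYPE = 450
END_USER_IMSI = 1

# Constructed 15-digit IMSI ranges (inclusive). Only the pool names come from the page.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-Id; used here to construct sample input."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def iter_avps(buf):
    """Yield (code, data) for each AVP in buf, validating the length fields."""
    offset = 0
    while offset < len(buf):
        if offset + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, offset)
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        header = 12 if flags & 0x80 else 8  # V bit adds a 4-byte Vendor-Id
        if length < header or offset + length > len(buf):
            raise ValueError("AVP length outside message")
        yield code, buf[offset + header:offset + length]
        offset += (length + 3) & ~3  # AVPs are padded to 32-bit boundaries


def extract_imsi(avps):
    """Return Subscription-Id-Data of the first IMSI-typed Subscription-Id, else None."""
    for code, data in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(data))
        if inner.get(SUBSCRIPTION_ID_TYPE) != struct.pack("!I", END_USER_IMSI):
            continue  # e.g. an E.164 (MSISDN) Subscription-Id
        value = inner.get(SUBSCRIPTION_ID_DATA)
        if value is not None:
            return value.decode("ascii", "replace")
    return None


def select_pool(avps):
    """Apply the rule: IMSI range -> PCRF pool, anything else -> default pool."""
    try:
        imsi = extract_imsi(avps)
    except ValueError:
        return DEFAULT_POOL  # assumption: malformed AVPs get the default pool
    if imsi is None or len(imsi) != 15 or not (imsi.isascii() and imsi.isdigit()):
        return DEFAULT_POOL
    for low, high, pool in IMSI_RANGES:
        if low <= imsi <= high:  # equal-length digit strings compare numerically
            return pool
    return DEFAULT_POOL


def build_subscription_id(value, sub_type=END_USER_IMSI):
    """Constructed sample input: a grouped Subscription-Id AVP."""
    return encode_avp(
        SUBSCRIPTION_ID,
        encode_avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", sub_type))
        + encode_avp(SUBSCRIPTION_ID_DATA, value.encode("ascii")),
    )
```

Validating the length fields before slicing matters here because the AVPs come from the peer: a routing key taken from an unchecked length would let a malformed request steer or crash the selection step.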
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21, to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them, and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until the health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
Figure 23: Contextual Policy (diagram labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which a new request is delivered is the next available one in the row. Round Robin is a static algorithm. It takes no external parameters into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by each peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It takes no external parameters into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in the row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weights set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
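The Weighted Round Robin quota behaviour and the Contextual mapping described above, as an added Python example (not SDC code). The peer names, the order in which a round interleaves the peers, and the use of SHA-256 to turn a Context ID into a weighted slot are assumptions.

```python
import hashlib


class WeightedRoundRobin:
    """Round robin that skips peers which have used up their quota for the round."""

    def __init__(self, weights):
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every peer needs a weight of at least 1")
        self.weights = dict(weights)
        self.peers = list(weights)
        self.sent = dict.fromkeys(self.peers, 0)
        self.cursor = 0
        self.out_of_service = set()  # filled by health monitoring

    def next_peer(self):
        available = [p for p in self.peers if p not in self.out_of_service]
        if not available:
            return None
        if all(self.sent[p] >= self.weights[p] for p in available):
            self.sent = dict.fromkeys(self.peers, 0)  # start a new round
        count = len(self.peers)
        for step in range(count):
            peer = self.peers[(self.cursor + step) % count]
            if peer in available and self.sent[peer] < self.weights[peer]:
                self.sent[peer] += 1
                self.cursor = (self.cursor + step + 1) % count
                return peer
        return None  # not reached: some available peer is always under quota


def contextual_peer(context_id, weights, out_of_service=()):
    """Map a Context ID to one peer, in proportion to the peer weights.

    The same Context ID always yields the same peer while the set of
    available peers is unchanged; removing a peer shifts other mappings.
    """
    available = [(p, w) for p, w in weights.items() if p not in out_of_service]
    total = sum(w for _, w in available)
    if total == 0:
        return None
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for peer, weight in available:
        if slot < weight:
            return peer
        slot -= weight
    return None  # not reached: slot is always below the total weight


# Constructed pool with the 3:2:1:1 weights used in the text.
SAMPLE_WEIGHTS = {"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1}
```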
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of each peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node that had the fastest average response time during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in the Client→Server and Client←Server directions)
As seen in the above figure, SDC provides the flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or bounding the incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, while the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. The estimated traffic reading rate is then compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). The estimated traffic reading rate is then compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
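The token bucket check and the channel and global limiters described above, as an added Python example (not SDC code). The class names, the decision strings, the explicit clock argument and all rates are assumptions chosen so that the behaviour can be replayed deterministically.

```python
class TokenBucket:
    """Bucket that refills at `rate` tokens per second up to `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.updated = now

    def refill(self, now):
        if now > self.updated:
            gained = (now - self.updated) * self.rate
            self.tokens = min(self.burst, self.tokens + gained)
            self.updated = now

    def has(self, cost):
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Per-channel message and byte limiters plus a global message limiter."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst,
                 global_msg_rate, global_msg_burst, pause):
        self.peer_limits = (msg_rate, msg_burst, byte_rate, byte_burst)
        self.global_msgs = TokenBucket(global_msg_rate, global_msg_burst)
        self.pause = pause  # how long reading stops after a violation
        self.peers = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def admit(self, peer, size, now):
        """Decide whether to read one message of `size` bytes from `peer`."""
        if now < self.global_paused_until:
            return "paused-global"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "paused-channel"
        if peer not in self.peers:
            mr, mb, br, bb = self.peer_limits
            self.peers[peer] = (TokenBucket(mr, mb, now), TokenBucket(br, bb, now))
        msgs, octets = self.peers[peer]
        for bucket in (msgs, octets, self.global_msgs):
            bucket.refill(now)
        # Check every bucket before taking from any, so a non-conforming
        # message leaves all bucket contents unchanged.
        if not (msgs.has(1) and octets.has(size)):
            self.peer_paused_until[peer] = now + self.pause
            return "paused-channel"
        if not self.global_msgs.has(1):
            self.global_paused_until = now + self.pause
            return "paused-global"
        msgs.take(1)
        octets.take(size)
        self.global_msgs.take(1)
        return "read"


def replay(limiter, events):
    """Run constructed (time, peer, size) events through the limiter."""
    return [limiter.admit(peer, size, now) for now, peer, size in events]


# Constructed trace: peer A bursts three messages at t=0, peer B sends one.
SAMPLE_EVENTS = [
    (0.0, "A", 100), (0.0, "A", 100), (0.0, "A", 100),
    (0.5, "A", 100), (0.5, "B", 100), (1.0, "A", 100),
]
```

With two messages per second allowed per channel and a one-second pause, peer A's third message stops reads from A only, while peer B is still served.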
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx over Rx, or MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each message based on the combination of fields in the Diameter header: the R and T bits, command code and application ID. If no priority is set, normal priority is used.

| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
| yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal |

Diameter header layout:

| Bit offset | Bits 0-7 | Bits 8-31 |
| 0 | version | message length |
| 32 | R P E T (flags) | command code |
| 64 | application ID (all 32 bits) | |
| 96 | hop-by-hop ID (all 32 bits) | |
| 128 | end-to-end ID (all 32 bits) | |
| 160 | AVPs | |

When prioritization is performed using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
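A header-only classifier for the priority table above, as an added Python example (not SDC code). The two table rows are constructed from the page's own examples (CCA over CCR on Gx, and messages with the T bit set); the function names are assumptions. Note that in RFC 6733 the R bit is set on requests, so "Is Answer" means the R bit is clear.

```python
import struct
from typing import NamedTuple

FLAG_REQUEST = 0x80      # R bit: set on requests, clear on answers (RFC 6733)
FLAG_RETRANSMIT = 0x10   # T bit: potentially retransmitted message

GX_APP_ID = 16777238     # 3GPP Gx
RX_APP_ID = 16777236     # 3GPP Rx
CREDIT_CONTROL = 272     # CCR/CCA command code
AA = 265                 # AAR/AAA command code


class DiameterHeader(NamedTuple):
    version: int
    length: int
    is_answer: bool
    is_retransmit: bool
    command_code: int
    application_id: int


def parse_header(buf):
    """Parse the fixed 20-byte Diameter header; AVPs are not touched."""
    if len(buf) < 20:
        raise ValueError("Diameter header is 20 bytes")
    version, flags = buf[0], buf[4]
    length = int.from_bytes(buf[1:4], "big")
    command_code = int.from_bytes(buf[5:8], "big")
    (application_id,) = struct.unpack_from("!I", buf, 8)
    if version != 1 or length < 20 or length % 4:
        raise ValueError("invalid version or message length")
    return DiameterHeader(version, length, not flags & FLAG_REQUEST,
                          bool(flags & FLAG_RETRANSMIT), command_code,
                          application_id)


# Constructed priority table. Columns follow the table in the text:
# is_answer, is_retransmit, command_code, application_id, priority.
# None means "does not matter"; the first matching row wins.
PRIORITY_TABLE = [
    (True, None, CREDIT_CONTROL, GX_APP_ID, "High"),  # CCA over CCR on Gx
    (None, True, None, None, "High"),                 # T bit set
]


def classify(buf, table=PRIORITY_TABLE):
    """Return the priority for one message; 'Normal' when no row matches."""
    header = parse_header(buf)
    fields = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for *pattern, priority in table:
        if all(want is None or want == got
               for want, got in zip(pattern, fields)):
            return priority
    return "Normal"


def build_header(flags, command_code, application_id, length=20):
    """Constructed sample input: a header with fixed hop-by-hop/end-to-end IDs."""
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, 0x1001, 0x2002))
```

Because only the first 20 bytes are read, the decision can be made before any AVP is decoded, which is the cheap path the text contrasts with AVP-based prioritization.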
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0
Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in the case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests, such as pinging each connected peer, to more sophisticated tests, such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests, when it attempts to send requests to Remote Nodes and analyzes responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session Monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with a threshold mechanism, where the user can use statistics collected by scripts and set the same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI used to configure and manage SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web Access, Web Service SOAP XML, SNMP/Syslog, Fault and Performance Manager, Security and Administration Manager, CLI, AMM, Blade Server, OAM, SDC Node)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multisite deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need for a new license key or for the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful software and hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands, as well as to integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance if the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 5482
SIGNALING DELIVERY CONTROLLER
Product Description
54
wwwtraffixsystemscom
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides both vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- The SDC core process is responsible for processing of Diameter or other message-oriented
protocols, e.g. security, routing, load balancing and message
transformation
- The Config Manager process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View (“Scalable Mode” SDC node of 12 blades running the SDC Engine, VIP (Active/Standby), Web Interface, Config Mgr and Distributed Storage, attached to the Clients Backbone, Servers Backbone, Interconnect and Management Network)
Figure 34: Scalable Deployment Logical View (HA Cluster with Config Mgr, Shared Memory, SDC Engines, FEP-I (IPSEC, TCP), FEP-O (SCTP, TCP), Web UI and SOAP, between clients and servers)
Figure 35: Main Software Processes (SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot-Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot-Standby deployment
In the Hot-Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node, while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI/WS, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer and Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (SDC nodes, each with a Physical IP, Diameter VIP and Management VIP; Web UI/WS and Configuration Manager; Session Replication; Client and Management Workstation; flow steps numbered 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation (same nodes and components as in Figure 37; flow steps numbered 1 to 3)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's components (“scalable deployment” is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active / Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active / Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active
or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
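The connection and message checks described in the two sections above, as an added Python example (not SDC code or configuration): it parses a Diameter message per RFC 6733, enforces a maximum message length, applies a first-match ACL to the CER by source IP, Origin-Realm and Auth-Application-Id, and strips an AVP before forwarding. The rule format, the 4096-byte limit, the choice of Route-Record as the AVP to strip and all sample peers are assumptions constructed for illustration.

```python
import struct
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

CER = 257                     # Capabilities-Exchange-Request command code (RFC 6733)
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, ROUTE_RECORD = 264, 296, 258, 282
MAX_MSG_LEN = 4096            # assumed operator limit, not an SDC default

def avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def message(cmd, app_id, avps, request=True):
    """Build a Diameter message; used here only to construct sample input."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big")
            + bytes([0x80 if request else 0]) + cmd.to_bytes(3, "big")
            + struct.pack("!III", app_id, 1, 1) + body)

def parse(raw, max_len=MAX_MSG_LEN):
    """Return (command, is_request, [(avp_code, data, raw_avp)]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(raw[1:4], "big")
    if total > max_len:                      # enforce the maximal message length
        raise ValueError("message exceeds maximum length")
    if total != len(raw) or total % 4:
        raise ValueError("length field does not match received data")
    cmd, avps, off = int.from_bytes(raw[5:8], "big"), [], 20
    while off < total:
        if total - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8      # V flag adds a 4-byte Vendor-Id
        if alen < hdr or off + alen > total:
            raise ValueError("bad AVP length")
        end = off + alen + (-alen % 4)       # next AVP starts after the padding
        avps.append((code, raw[off + hdr:off + alen], raw[off:end]))
        off = end
    return cmd, bool(raw[4] & 0x80), avps

ACL = [  # constructed sample rules, evaluated top-down, first match wins
    {"action": "REJECT", "realm": "*.blocked.example"},
    {"action": "ACCEPT", "net": "192.0.2.0/24", "realm": "*.partner.example",
     "apps": {4, 16777238}},                 # Credit-Control and 3GPP Gx
]

def check_cer(raw, src_ip, acl=ACL):
    """Return (decision, reason) for the first message on a new connection."""
    try:
        cmd, is_request, avps = parse(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if cmd != CER or not is_request:
        return "REJECT", "first message is not a CER"
    values = {}
    for code, data, _ in avps:
        values.setdefault(code, []).append(data)
    if ORIGIN_HOST not in values or ORIGIN_REALM not in values:
        return "REJECT", "missing Origin-Host or Origin-Realm"
    realm = values[ORIGIN_REALM][0].decode("ascii", "replace").lower()
    apps = {int.from_bytes(d, "big") for d in values.get(AUTH_APP_ID, [])}
    for n, rule in enumerate(acl):
        if "net" in rule and ip_address(src_ip) not in ip_network(rule["net"]):
            continue
        if "realm" in rule and not fnmatchcase(realm, rule["realm"]):
            continue
        # every application the peer advertises must be permitted by the rule
        if "apps" in rule and not (apps and apps <= rule["apps"]):
            continue
        return rule["action"], f"rule {n}"
    return "REJECT", "no matching rule (default deny)"

def screen(raw, strip=frozenset({ROUTE_RECORD})):
    """Remove the listed AVPs and rewrite the header length; ValueError if malformed."""
    _, _, avps = parse(raw)
    body = b"".join(chunk for code, _, chunk in avps if code not in strip)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body

def sample_cer(realm, apps=(4,)):
    """Constructed CER from a hypothetical peer in the given realm."""
    return message(CER, 0, [avp(ORIGIN_HOST, b"pcrf1." + realm), avp(ORIGIN_REALM, realm)]
                   + [avp(AUTH_APP_ID, struct.pack("!I", a)) for a in apps])

if __name__ == "__main__":
    for realm, ip in [(b"epc.partner.example", "192.0.2.10"),
                      (b"epc.partner.example", "198.51.100.7"),
                      (b"core.blocked.example", "192.0.2.10")]:
        print(realm.decode(), ip, check_cer(sample_cer(realm), ip))
```

The default-deny fall-through means a peer that matches no rule is rejected rather than silently accepted.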
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (Blade Chassis with SDC Worker Nodes; Virtual Fabric Switches 1 and 2 with external ports 10 x 10GbE + 1 x 1GB port and connections to upstream routers; L2/3 1GB Copper Switches A and B for management; interswitch links; EXT and INT networks for SCTP and TCP; Virtual IPs for SCTP and TCP, doubled per Internal and External Networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling:
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are
supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3
addresses per subnet will be required (for VRRP
Switch Redundancy)
OAM Management and Backup Network Connection:
One IP Address per hardware blade plus one Management VIP (4
addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g.
dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated
Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring:
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow (elements shown: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, P2P Message, Decision Table, Groovy Scripting; legend: Message Flow, Decision Flow)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
8 The SDC Pipeline
SDC processes Diameter and other protocols by applying a pipeline of functionalities. The
pipeline consists of a chain of processing elements arranged so that the output of each
element is the input of the next. The SDC pipeline flow is shown in Figure 10.
Figure 10: SDC pipeline flow
The pipeline consists of the following processing elements:
• Security Enforcement: validates permissions to work with the client peer.
Validation is done at the IP and Diameter (Application) levels.
• Routing: makes a routing decision based on the message content. The Routing
decision results in the selection of a destination pool for the session. A pool must
contain at least one server peer.
• Load Balancing: chooses the peer from the pool to handle the session.
• Transformation: adapts the session messages to match the destination’s format.
Selection of the applied processing elements depends on the connection type, signaling
protocol and configured rules.
It is possible to define multiple processing flows, which are selected based on matching
conditions and priorities. The Routing and Load Balancing decisions are applied only at
session establishment. The decisions are persistent for the entire duration of the stateful
session between the client and server peers.
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on
the peer nodes. This allows control of roaming connections with multiple roaming partners
and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and
the application levels.
The security rules at the IP level are defined in ACL format, with support for wildcards. At
the application level, the rules are defined according to fields that are contained in the first
request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the
messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
Figure 11: A 4 Way Message Transformation (labels: Client Peer, Transformation Engine, Server Peer; Request and Response paths, Client→Server and Client←Server)
As seen in the above figure, SDC provides the flexibility by defining transformations of
Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for
example Diameter to CAMEL. In the same way, SDC supports transformation of generic
Diameter sessions to SS7 dialogues. For more information about SS7-Diameter
interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service
providers with flexibility to implement different routing rules and policies required to
satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request
source and other properties, to make decisions. The routing engine natively works with the
load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a
harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules, or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12: Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries, or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution, as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13: GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14: Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15: Multi-Protocol Session Binding (labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16: In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17: Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18: Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19: Routing Rule Attributes
Figure 20: Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
  grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21: Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
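
The IMSI-range rule, the persistence of the decision and the Gx/Rx binding described above can be put together as follows. This is an added example, not SDC code or a script from the product: the IMSI ranges are constructed (the real ones are only in Figure 20), the AVP names use the RFC 4006 spelling, and the `Router` class and the default-pool fallback for an unbound Rx session are assumptions.

```python
"""Added illustration of the Gx routing rule and Gx/Rx session binding; not SDC code."""

# Constructed IMSI ranges: the real ones are in Figure 20, which the text does not reproduce.
IMSI_RULES = [
    (310150000000000, 310150499999999, "pcrf-cluster-a"),
    (310150500000000, 310150999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def select_pool(avps):
    """Apply the IMSI-range rule to Subscription-Id / Subscription-Id-Data."""
    grouped = avps.get("Subscription-Id")
    data = grouped.get("Subscription-Id-Data") if isinstance(grouped, dict) else None
    # A missing or non-numeric value is treated like an out-of-range IMSI.
    if not (isinstance(data, str) and data.isascii() and data.isdigit()
            and len(data) <= 15):
        return DEFAULT_POOL
    imsi = int(data)
    for low, high, pool in IMSI_RULES:
        if low <= imsi <= high:
            return pool
    return DEFAULT_POOL


class Router:
    """Keeps the routing decision per session and binds Rx sessions to Gx ones."""

    def __init__(self):
        self.sessions = {}  # Session-Id -> pool, fixed at session establishment
        self.bindings = {}  # binding key -> pool of the master (Gx) session

    @staticmethod
    def binding_key(avps):
        # Binding key named on the page for Gx and Rx: Framed-IP-Address.
        return avps.get("Framed-IP-Address")

    def route(self, interface, avps):
        session_id = avps["Session-Id"]
        if session_id in self.sessions:
            # The decision persists for the whole session, whatever later AVPs say.
            return self.sessions[session_id]
        key = self.binding_key(avps)
        if interface == "Rx":
            # Slave session: inherit the master's pool. Falling back to the
            # default pool when no master exists is an assumption of this sketch.
            pool = self.bindings.get(key, DEFAULT_POOL)
        else:
            pool = select_pool(avps)
            if key is not None:
                self.bindings[key] = pool
        self.sessions[session_id] = pool
        return pool
```

Because the slave session inherits whatever pool the binding key maps to, the binding key has to come from a peer that passed security enforcement; otherwise a client could steer its session by choosing the key.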
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22: By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23: Contextual Policy (labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24: Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25: Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26: Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27: A 4 Way Message Transformation (labels: Client Peer, Transformation Engine, Server Peer; Request and Response paths, Client→Server and Client←Server)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28: Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
  resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
  limiting the number of requests pending answers per destination peer or group of
  destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
  allocation, e.g. controlling the incoming message/traffic rate or bounding the
  incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
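
The token bucket, the message and byte limiters, and the channel and global read pauses described above fit together as in the following added example. It is not SDC code: the class names, the rates, bursts and pause durations are constructed, and time is passed in explicitly so the behaviour can be replayed deterministically.

```python
"""Added illustration of token-bucket message and byte limiting; not SDC code."""

# Constructed settings; in SDC these parameters are user configurable.
CHANNEL_CFG = dict(msg_rate=10, msg_burst=5, byte_rate=1000, byte_burst=2000, pause=1.0)
GLOBAL_CFG = dict(msg_rate=1000, msg_burst=1000, byte_rate=10**6, byte_burst=10**6, pause=1.0)


class TokenBucket:
    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity
        self.tokens = float(burst)   # the bucket starts full
        self.stamp = now

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are there."""
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class Limiter:
    """A message bucket plus a byte bucket, with a read pause when either is exceeded."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause, now=0.0):
        self.msgs = TokenBucket(msg_rate, msg_burst, now)
        self.octets = TokenBucket(byte_rate, byte_burst, now)
        self.pause = pause
        self.paused_until = now

    def paused(self, now):
        return now < self.paused_until

    def fits(self, size, now):
        # Evaluate both buckets so that both are refilled before the decision.
        msg_ok = self.msgs.has(1, now)
        byte_ok = self.octets.has(size, now)
        return msg_ok and byte_ok

    def consume(self, size):
        self.msgs.take(1)
        self.octets.take(size)

    def trip(self, now):
        self.paused_until = now + self.pause


class Ingress:
    """Per-peer (channel) limiters in front of one global limiter."""

    def __init__(self, channel_cfg=CHANNEL_CFG, global_cfg=GLOBAL_CFG):
        self.channel_cfg = channel_cfg
        self.total = Limiter(**global_cfg)
        self.channels = {}

    def offer(self, peer, size, now):
        """Return 'read', 'channel-paused' or 'global-paused' for one message."""
        channel = self.channels.get(peer)
        if channel is None:
            channel = self.channels[peer] = Limiter(now=now, **self.channel_cfg)
        if self.total.paused(now):
            return "global-paused"
        if channel.paused(now):
            return "channel-paused"
        if not channel.fits(size, now):
            channel.trip(now)        # stop reading from this peer only
            return "channel-paused"
        if not self.total.fits(size, now):
            self.total.trip(now)     # stop reading from all peers
            return "global-paused"
        # Tokens are removed only when the message conforms to both limits.
        channel.consume(size)
        self.total.consume(size)
        return "read"
```

A non-conforming message leaves every bucket unchanged, as the algorithm description requires, and a message larger than the byte burst can never conform, so the burst size also acts as a maximum accepted message size.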
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx
over Rx, or MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Priority table:
Is Answer (R bit)          | Is Retransmit (T bit)      | Command code                     | Application ID                   | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal
Diameter header layout:
Bit offset | Bits 0-7 | Bits 8-31
0          | version  | message length
32         | R P E T  | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have impact of up to 5 on the latency.
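
Header-based prioritization needs only the fixed 20 bytes at the start of each message, which is why it is cheaper than AVP-based prioritization. The following added example (not SDC code) parses that header and applies a wildcard priority table; the table rows are constructed, using command code 272 (Credit-Control), the Gx application ID 16777238 and the Rx application ID 16777236, and a message is an answer when its R bit is clear.

```python
"""Added illustration: priority lookup from the 20-byte Diameter header; not SDC code."""
import struct
from collections import namedtuple

Header = namedtuple(
    "Header", "version length is_answer is_retransmit command_code application_id")

R_BIT, T_BIT = 0x80, 0x10   # flag octet layout: R P E T followed by reserved bits
ANY = None                  # "does not matter" in the priority table

# Constructed rows: (is answer, is retransmit, command code, application ID, priority).
PRIORITY_TABLE = [
    (True, ANY, 272, 16777238, "High"),   # CCA on Gx: answers over requests
    (ANY, True, ANY, ANY, "High"),        # retransmissions (T bit set)
]


def parse_header(data):
    """Decode and sanity-check the fixed Diameter header."""
    if len(data) < 20:
        raise ValueError("truncated Diameter header")
    version, length, flags, code, app_id, _hbh, _e2e = struct.unpack(
        "!B3sB3sIII", data[:20])
    length = int.from_bytes(length, "big")
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("invalid message length")
    # The R bit is set on requests, so an answer is a message with R clear.
    return Header(version, length, not (flags & R_BIT), bool(flags & T_BIT),
                  int.from_bytes(code, "big"), app_id)


def priority(header):
    """First matching row wins; with no match, normal priority is used."""
    actual = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for *wanted, level in PRIORITY_TABLE:
        if all(w is ANY or w == a for w, a in zip(wanted, actual)):
            return level
    return "Normal"


def classify(data):
    return priority(parse_header(data))


def build_header(flags, code, app_id, length=20, hbh=1, e2e=1):
    """Build a constructed sample header for experiments and tests."""
    return struct.pack("!B3sB3sIII", 1, length.to_bytes(3, "big"), flags,
                       code.to_bytes(3, "big"), app_id, hbh, e2e)
```

Malformed headers raise `ValueError` instead of receiving a priority, so a peer cannot obtain high-priority treatment with a message that would fail parsing later in the pipeline.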
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
  distribution service that is responsible for the distribution of the configuration to all
  SDC nodes within the cluster. It also provides auditing, backup and restore
  functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
  manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
  automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console over HTTPS Web access, Provisioning Interface (SOAP/XML Web Service), Configuration Manager, Fault and Performance Manager, Security and Administration Manager, CLI, SNMP/Syslog, AMM, SDC Core on each SDC node)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by the OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance if it has not responded for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View (diagram labels: "Scalable Mode" SDC Node of 12 blades between the Clients Backbone and the Servers Backbone; External Network, Interconnect and Management Network; blades carry SDC Engine, VIP (Active or Standby), Web Interface, Config Mgr and Distributed Storage)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, clients and servers)
Figure 35: Main Software Processes (diagram labels: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides on the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI/WS; Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer and Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (diagram labels: SDC nodes with Web UI/WS and Configuration Manager; Diameter VIP, Management VIP and Physical IP per node; Session Replication; Client and Management Workstation; flow steps 1, 2 and 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation (diagram labels: SDC nodes with Web UI/WS and Configuration Manager; Diameter VIP, Management VIP and Physical IP per node; Session Replication; Client and Management Workstation; flow steps 1, 2 and 3)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides fast response to any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI/WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware: RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and
Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
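The CER-based access policy of section 11.5 and the maximal message length check of section 11.6, as an added example that is not SDC code. The policy values, peer names and function names are assumptions constructed for illustration; the header layout and AVP codes follow RFC 6733.

```python
import ipaddress
import struct

CER_CODE = 257                                            # Capabilities-Exchange
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, PRODUCT_NAME = 264, 296, 258, 269

# Hypothetical policy, constructed for this example.
POLICY = {
    "max_message_len": 4096,
    "allowed_subnets": [ipaddress.ip_network("10.20.0.0/24")],
    "allowed_realms": {"epc.example.net"},
    "allowed_app_ids": {16777251},                        # 3GPP S6a
}


class DiameterError(ValueError):
    """Raised when a message violates framing or length limits."""


def build_avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def build_message(command, app_id, avps, flags=0x80):
    """Encode a Diameter request; used only to construct sample input."""
    body = b"".join(avps)
    length = 20 + len(body)
    return (b"\x01" + length.to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)


def parse_message(buf, max_len):
    """Return (command, is_request, {(vendor, code): [data, ...]})."""
    if len(buf) < 20 or buf[0] != 1:
        raise DiameterError("bad header or version")
    length = int.from_bytes(buf[1:4], "big")
    if length > max_len:
        raise DiameterError("message exceeds maximal length")
    if length != len(buf) or length % 4:
        raise DiameterError("length field does not match framing")
    command = int.from_bytes(buf[5:8], "big")
    avps, off = {}, 20
    while off < length:
        if length - off < 8:
            raise DiameterError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        avp_len = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8                   # V bit adds a Vendor-Id
        if avp_len < hdr or off + avp_len > length:
            raise DiameterError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(buf[off + hdr:off + avp_len])
        off += avp_len + (-avp_len % 4)                   # skip padding
    return command, bool(buf[4] & 0x80), avps


def evaluate_cer(buf, source_ip, policy=POLICY):
    """Return ("ACCEPT" | "REJECT", reason) for a connection's first message."""
    try:
        command, is_request, avps = parse_message(buf, policy["max_message_len"])
    except DiameterError as exc:
        return "REJECT", str(exc)
    if command != CER_CODE or not is_request:
        return "REJECT", "first message is not a CER"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in policy["allowed_subnets"]):
        return "REJECT", "source address not in ACL"
    realms = avps.get((0, ORIGIN_REALM), [])
    if len(realms) != 1 or realms[0].decode("ascii", "replace") not in policy["allowed_realms"]:
        return "REJECT", "Origin-Realm not in ACL"
    apps = {int.from_bytes(a, "big") for a in avps.get((0, AUTH_APP_ID), []) if len(a) == 4}
    if not apps or not apps <= policy["allowed_app_ids"]:
        return "REJECT", "application-id not in ACL"
    return "ACCEPT", "CER matches policy"


def sample_cer(realm=b"epc.example.net", app_id=16777251, extra=b""):
    """Constructed CER for the example; not captured traffic."""
    return build_message(CER_CODE, 0, [
        build_avp(ORIGIN_HOST, b"mme01." + realm),
        build_avp(ORIGIN_REALM, realm),
        build_avp(AUTH_APP_ID, struct.pack("!I", app_id)),
        build_avp(PRODUCT_NAME, b"constructed-peer" + extra, flags=0),
    ])


if __name__ == "__main__":
    print(evaluate_cer(sample_cer(), "10.20.0.7"))
    print(evaluate_cer(sample_cer(extra=b"A" * 5000), "10.20.0.7"))
```

The length limit is checked against the header's length field before any AVP is walked, so an oversized or mis-framed message is rejected without parsing its body.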
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2, each with external ports 10 x 10GbE + 1 x 1GB; L2/3 1GB Copper Switch A and B; EXT-SCTP, EXT-TCP, INT-SCTP, INT-TCP, MGMT-A, MGMT-B and INBAND links; Interswitch Links; connections to upstream routers; Virtual IPs for SCTP and TCP, doubled per Internal and External Networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action

Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection: One IP Address per hardware blade plus
one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring: Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A - OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC keeps records of all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Diagram labels: Thread Pool; Resources Pool (Buffers, Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session. Legend: P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
| Traffix Systems UK | Traffix Systems IL | Traffix Systems USA |
|---|---|---|
| Fortis House | 5B Hanagar Street | 3587 Highway 9N 204 |
| 160 London Road | Neve Neeman | Freehold NJ |
| Barking Essex IG11 8BB | Hod Hasharon 45240 | 07728 |
| UK | Israel | USA |
| Phone +44(0)20 8214 1384 | Phone +972 (0) 9 788 9222 | Phone +1 732 333 3416 |
8.1 Security enforcement
SDC enables service providers to apply policy control and different security methods on the peer nodes. This allows control of roaming connections with multiple roaming partners and protection of the signaling network from unexpected traffic.
The security enforcement is done by setting and applying security rules on both the IP and the application levels.
The security rules at the IP level are defined in ACL format with support for wildcards. At the application level, the rules are defined according to fields that are contained in the first request of a specific protocol, e.g. capabilities exchange in Diameter.
Fine-grained policy control can be applied for routing by performing deep inspection of the messages for specific values.
8.2 Incoming Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Client initiated messages
• Client->Server Request (such as CCR)
• Client->Server Answer (such as RAA)
The message transformation process is shown in Figure 27.
[Diagram: a Client Peer and a Server Peer on either side of the Transformation Engine, with Request and Response arrows in the Client→Server and Client←Server directions.]
Figure 11 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine, which provides service providers with the flexibility to implement the different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request source and other properties, to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system. SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned using the SOAP API to the SDC internal provisioning database. When a new Diameter session is established, SDC fetches the destination from its provisioning database. When provisioning routing entries, an expiry time can be set for the provisioned entries, or they can be kept on a permanent basis. In addition to provisioning, SDC can calculate routing decisions or apply default decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP: after a new Diameter session's establishment, SDC will send a request to the location function. The request will include the query parameters, and the response will contain the appropriate pool for the specific request. The query parameters are extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC: this method implements the same logic as described above, but instead of sending requests to an external system, SDC performs a programmatic call to an external library integrated within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the cache before sending the request to an external location function. The use of internal caching for routing decisions reduces the overall response time for the Diameter transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from different network elements and share common attributes. Bound sessions are handled as a session bundle composed of several sub-sessions. One such scenario is IP-CAN session binding as described in 3GPP 29.213. IP-CAN session binding is required to associate the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the selected PCRF for some UE, all Rx sessions associated with the same UE should be routed to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC supports this binding functionality using sets of common AVPs that are available for both reference points. The functionality is available out-of-the-box. For example, for Gx and Rx it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are applied with routing rules inherited from the Master Session.
The session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each time the Diameter Server is selected to handle a Diameter Master session, the Master Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and table.
[Diagram: Diameter Client 1 and HTTP Client 1 linked by Session Binding; a Diameter Server and an HTTP Server sharing the Binding Name PCRF1.]
Figure 15 Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out-of-session server-initiated Diameter requests, SDC implements advanced routing rules that can be used by the user to define the required behavior. In case no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a grouped AVP called Subscription-ID, and is compared to two ranges of IMSIs:
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21, to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter session establishment. The decision persists for the duration of the Diameter session.
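The IMSI-range rule described for Figure 20, written out as an added Python example (it is not SDC's Groovy rule or any code from the product). The AVP codes are the RFC 4006 ones; the IMSI ranges, the sample encoder and all function and class names are constructed for illustration.

```python
import struct

# AVP codes and the IMSI type value are from RFC 4006 (Diameter Credit-Control).
SUBSCRIPTION_ID = 443        # grouped AVP
SUBSCRIPTION_ID_DATA = 444
SUBSCRIPTION_ID_TYPE = 450
END_USER_IMSI = 1

# Constructed IMSI ranges (inclusive); the pool names are the ones in the rule.
IMSI_RULES = [
    (310150000000000, 310150499999999, "pcrf-cluster-a"),
    (310150500000000, 310150999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def iter_avps(buf):
    """Yield (code, data) for each AVP in buf, validating every length field."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8          # V bit adds a Vendor-Id field
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[off + hdr:off + length]
        off += (length + 3) & ~3                 # AVPs are padded to 4 bytes


def extract_imsi(avps):
    """Return the IMSI carried in a Subscription-Id grouped AVP, or None."""
    for code, data in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(data))
        sub_type = inner.get(SUBSCRIPTION_ID_TYPE)
        sub_data = inner.get(SUBSCRIPTION_ID_DATA)
        if sub_type == struct.pack("!I", END_USER_IMSI) and sub_data:
            text = sub_data.decode("ascii", "replace")
            if text.isdigit() and len(text) <= 15:   # an IMSI has at most 15 digits
                return text
    return None


def select_pool(avps):
    """Apply the IMSI-range rule; missing, malformed or unmatched input gets the default pool."""
    try:
        imsi = extract_imsi(avps)
    except ValueError:
        return DEFAULT_POOL
    if imsi is not None:
        value = int(imsi)
        for low, high, pool in IMSI_RULES:
            if low <= value <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Keeps the decision made at session establishment for the session's lifetime."""

    def __init__(self):
        self._sessions = {}

    def route(self, session_id, avps):
        if session_id not in self._sessions:
            self._sessions[session_id] = select_pool(avps)
        return self._sessions[session_id]

    def terminate(self, session_id):
        self._sessions.pop(session_id, None)


def avp(code, data, flags=0x40):
    """Encode one AVP (helper used only to build the constructed samples)."""
    length = 8 + len(data)
    pad = b"\x00" * (-length % 4)
    return struct.pack("!II", code, (flags << 24) | length) + data + pad


def subscription_id(imsi):
    """Build a Subscription-Id grouped AVP of type END_USER_IMSI (constructed sample)."""
    return avp(SUBSCRIPTION_ID,
               avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", END_USER_IMSI))
               + avp(SUBSCRIPTION_ID_DATA, imsi.encode()))
```

A truncated or malformed Subscription-Id falls through to the "default" pool instead of raising, which matches the rule's handling of a missing AVP.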
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them, and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until the health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
[Diagram labels: Remote Peers, SDC, Router, Clients, Internet; numbered messages 1 to 5. Annotation: "Traffic is contextually distributed according to session ID".]
Figure 23 Contextual Policy
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which the new request is delivered is the next available one in the row. Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by each peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in the row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
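The By Precedence, Contextual and Weighted Round Robin policies described above, applied to one pool in an added Python example (not SDC code). The peer names and the SHA-256 based Context ID hash are assumptions, since the page does not say how a Context ID is hashed; the weights 3:2:1:1 are the ones quoted for Figure 25.

```python
import hashlib


class Pool:
    """A pool of peers in configured order, each with a weight (its quota per round)."""

    def __init__(self, weights):
        self.weights = dict(weights)                 # peer -> weight, in pool order
        self.in_service = set(self.weights)
        self._sent = dict.fromkeys(self.weights, 0)  # quota used in the current round
        self._cursor = 0

    def mark(self, peer, up):
        """Record the health monitor's verdict for a peer."""
        if up:
            self.in_service.add(peer)
        else:
            self.in_service.discard(peer)

    def _available(self):
        return [p for p in self.weights if p in self.in_service]

    def by_precedence(self):
        """First in-service peer in pool order."""
        avail = self._available()
        return avail[0] if avail else None

    def weighted_round_robin(self):
        """Round-robin order, skipping peers that already used their quota."""
        avail = self._available()
        if not avail:
            return None
        if all(self._sent[p] >= self.weights[p] for p in avail):
            self._sent = dict.fromkeys(self.weights, 0)   # all quotas used: new round
            self._cursor = 0
        peers = list(self.weights)
        for step in range(len(peers)):
            idx = (self._cursor + step) % len(peers)
            peer = peers[idx]
            if peer in self.in_service and self._sent[peer] < self.weights[peer]:
                self._sent[peer] += 1
                self._cursor = idx + 1
                return peer
        return None

    def contextual(self, context_id):
        """Map a Context ID to one in-service peer, in proportion to the weights.

        Assumption: the key is hashed with SHA-256 and reduced modulo the total
        weight, so the mapping of a key can change when the set of peers changes.
        """
        slots = [p for p in self._available() for _ in range(self.weights[p])]
        if not slots:
            return None
        digest = hashlib.sha256(context_id.encode()).digest()
        return slots[int.from_bytes(digest[:8], "big") % len(slots)]
```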
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of each peer. The response time is measured for a predefined duration of time using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node which has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Diagram: a Client Peer and a Server Peer on either side of the Transformation Engine, with Request and Response arrows in the Client→Server and Client←Server directions.]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message-oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or by bounding the incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, and the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit and caps the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user-configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
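The token bucket check and the channel and global limiters described above, combined in an added Python example (not SDC code). Class names, parameter names and the sample rates are assumptions; each limit is given as a (tokens per second, bucket size) pair.

```python
import time


class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, clock=time.monotonic):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.stamp = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now

    def conforms(self, cost=1):
        """True if `cost` tokens are available now; the contents are not changed."""
        self._refill()
        return self.tokens >= cost

    def take(self, cost=1):
        """Remove `cost` tokens; call only after conforms(cost) returned True."""
        self.tokens -= cost


class RateLimiter:
    """Message and byte buckets per peer channel, plus one global pair.

    A message is read only if all four buckets conform. Otherwise no bucket is
    changed, and reading from that peer (or from all peers, when the global
    limit was the one exceeded) stops for `pause` seconds.
    """

    def __init__(self, chan_msgs, chan_bytes, glob_msgs, glob_bytes,
                 pause=1.0, clock=time.monotonic):
        self.clock, self.pause = clock, pause
        self._chan_cfg = (chan_msgs, chan_bytes)
        self._global = (TokenBucket(*glob_msgs, clock), TokenBucket(*glob_bytes, clock))
        self._channels = {}
        self._paused_until = {}      # peer -> resume time; key None means all peers

    def _buckets(self, peer):
        if peer not in self._channels:
            msgs, nbytes = self._chan_cfg
            self._channels[peer] = (TokenBucket(*msgs, self.clock),
                                    TokenBucket(*nbytes, self.clock))
        return self._channels[peer]

    def allow(self, peer, size):
        """Decide whether one `size`-byte message from `peer` may be read now."""
        now = self.clock()
        resume = max(self._paused_until.get(None, 0), self._paused_until.get(peer, 0))
        if now < resume:
            return False
        for scope, (msgs, nbytes) in ((peer, self._buckets(peer)), (None, self._global)):
            if not (msgs.conforms(1) and nbytes.conforms(size)):
                self._paused_until[scope] = now + self.pause
                return False
        for msgs, nbytes in (self._buckets(peer), self._global):
            msgs.take(1)
            nbytes.take(size)
        return True
```

The `clock` argument exists so the limiter can be driven with a simulated clock when checking thresholds before deployment.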
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
In case prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user-configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header – R and T bits, command code and application ID. If no priority is set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

| Bit offset | Fields (bits 0-31) |
|---|---|
| 0 | version (bits 0-7), message length (bits 8-31) |
| 32 | R P E T flags (bits 0-7), command code (bits 8-31) |
| 64 | application ID |
| 96 | hop-by-hop ID |
| 128 | end-to-end ID |
| 160 | AVPs |
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
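Header-only prioritization as in the table above, as an added Python example (not SDC code): it validates the 20-byte Diameter header, matches it against a first-match rule table, and serves the two priority levels without starving the lower one. The rule contents, the "invalid" label, the scheduler's burst parameter and the sample messages are assumptions for illustration.

```python
import struct
from collections import deque

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10          # request and retransmit bits
CREDIT_CONTROL = 272                 # command code shared by CCR and CCA
APP_GX, APP_RX = 16777238, 16777236  # 3GPP application IDs

# Constructed rules: (is_answer, is_retransmit, command, app_id, priority).
# None means "does not matter"; the first matching rule wins.
PRIORITY_RULES = [
    (True, None, CREDIT_CONTROL, APP_GX, "high"),   # CCA over CCR on Gx
    (False, True, None, None, "high"),              # retransmitted requests
]


def parse_header(msg):
    """Return the header fields of exactly one Diameter message, or raise ValueError."""
    if len(msg) < HEADER_LEN:
        raise ValueError("shorter than a Diameter header")
    word0, word1, app_id, hop_by_hop, end_to_end = struct.unpack_from("!IIIII", msg)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, command = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported version")
    if length < HEADER_LEN or length % 4 or length != len(msg):
        raise ValueError("bad message length")
    return {
        "is_answer": not flags & FLAG_R,      # R bit set means request
        "is_retransmit": bool(flags & FLAG_T),
        "command": command,
        "app_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(msg):
    """Priority from header fields only; malformed input is never prioritized."""
    try:
        hdr = parse_header(msg)
    except ValueError:
        return "invalid"
    fields = (hdr["is_answer"], hdr["is_retransmit"], hdr["command"], hdr["app_id"])
    for *want, priority in PRIORITY_RULES:
        if all(w is None or w == got for w, got in zip(want, fields)):
            return priority
    return "normal"                           # no rule set: normal priority


def build_header(flags, command, app_id, hop=1, end=1, payload=b""):
    """Encode a message with the given header (helper for the constructed samples)."""
    length = HEADER_LEN + len(payload)
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | command,
                       app_id, hop, end) + payload


class FairScheduler:
    """Serve high before normal, but yield one normal after `burst` highs in a row."""

    def __init__(self, burst=3):
        self.queues = {"high": deque(), "normal": deque()}
        self.burst, self.streak = burst, 0

    def put(self, msg):
        level = classify(msg)
        if level not in self.queues:
            return False                      # invalid header: not queued
        self.queues[level].append(msg)
        return True

    def get(self):
        high, normal = self.queues["high"], self.queues["normal"]
        if high and (self.streak < self.burst or not normal):
            self.streak += 1
            return high.popleft()
        self.streak = 0
        return normal.popleft() if normal else None
```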
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user-configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31: “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
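One way to implement the threshold behaviour described above, as an added example that is not SDC code: a sliding-window error counter per peer that takes the peer out of service for a hold interval once the threshold is exceeded, plus a selector that skips out-of-service peers for new sessions. Class, function and parameter names are assumptions, and timestamps are passed in explicitly so the logic can be exercised deterministically.

```python
from collections import deque
from typing import Dict, Optional, Sequence

DIAMETER_TOO_BUSY = 3004


def error_kind(result_code: Optional[int], response_time_s: float,
               slow_after_s: float) -> Optional[str]:
    """Map one request outcome to an error event, or None if it was healthy.

    result_code is None when no answer arrived before the timeout.
    """
    if result_code is None:
        return "timeout"
    if result_code == DIAMETER_TOO_BUSY:
        return "busy_answer"
    if result_code >= 3000:        # 3xxx protocol, 4xxx transient, 5xxx permanent
        return "error_answer"
    if response_time_s > slow_after_s:
        return "slow_response"
    return None


class PeerMonitor:
    """Counts error events in a sliding window and applies the hold interval."""

    def __init__(self, max_errors: int, window_s: float, out_of_service_s: float):
        if window_s <= 0 or out_of_service_s <= 0:
            raise ValueError("intervals must be positive")
        self.max_errors = max_errors
        self.window_s = window_s
        self.out_of_service_s = out_of_service_s
        self._errors = deque()
        self._out_until = float("-inf")

    def in_service(self, now: float) -> bool:
        return now >= self._out_until

    def record_error(self, now: float) -> bool:
        """Record one error event; True if it took the peer out of service."""
        if not self.in_service(now):
            return False           # peer is already excluded from new sessions
        self._errors.append(now)
        while self._errors[0] <= now - self.window_s:
            self._errors.popleft() # forget events older than the window
        if len(self._errors) > self.max_errors:
            self._out_until = now + self.out_of_service_s
            self._errors.clear()
            return True
        return False


def select_peer(monitors: Dict[str, PeerMonitor], preferred: Sequence[str],
                now: float) -> Optional[str]:
    """First in-service peer in preference order; None means reject gracefully."""
    for name in preferred:
        if monitors[name].in_service(now):
            return name
    return None


if __name__ == "__main__":
    # Constructed timeline: four errors within 10 s against a threshold of 3.
    primary = PeerMonitor(max_errors=3, window_s=10.0, out_of_service_s=30.0)
    peers = {"primary": primary, "backup": PeerMonitor(3, 10.0, 30.0)}
    outcomes = [(0.0, None), (1.0, 3004), (2.0, 5012), (3.0, None)]
    for t, code in outcomes:
        if error_kind(code, 0.05, 1.0) and primary.record_error(t):
            print(f"t={t}: primary out of service")
    print("t=10 ->", select_peer(peers, ["primary", "backup"], 10.0))
    print("t=33 ->", select_peer(peers, ["primary", "backup"], 33.0))
```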
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web Access, SNMP/Syslog, Fault and Performance Manager, Security and Administration Manager, CLI, AMM, SDC Node, Blade Server)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View (diagram labels: “Scalable Mode” SDC Node, scalable, 12 blades; SDC Blade 1 to Blade 12, each with an SDC Engine; VIP (Active) and VIP (Standby); Web Interface; Config Mgr; Distributed Storage; Clients Backbone with Client 1 to Client K; Servers Backbone with Server 1 to Server M; External Network; Interconnect; Management Network)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engines; FEP-I (IPSEC); FEP-I (TCP); FEP-O (SCTP); FEP-O (TCP); Web UI; SOAP; Clients; Servers)
Figure 35: Main Software Processes (diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI/WS; Diameter VIP; Management VIP; Session Replication; Client Peer; Server Peer; Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (diagram labels: SDC nodes, each with a Physical IP, Diameter VIP and Management VIP; Web UI/WS; Configuration Manager; Session Replication; Client 1; Management Workstation; flow steps 1, 2, 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation (diagram labels: SDC nodes, each with a Physical IP, Diameter VIP and Management VIP; Web UI/WS; Configuration Manager; Session Replication; Client 1; Management Workstation; flow steps 1, 2, 3)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s
components; “scalable deployment” is assumed.
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog “is running” check, service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy Active-Standby deployment mode
Figure 41: Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IP) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
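A sketch of the CER-based access control described in section 11.5, as an added example that is not SDC code or its ACL syntax: it decodes the AVPs of a Capabilities-Exchange-Request and evaluates an ordered ACCEPT/REJECT list, falling back to REJECT. The rule fields, function names and default action are assumptions; the CER is a constructed, reduced message, and the subnet test deliberately uses the transport source address rather than an address the peer declares about itself.

```python
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Optional, Sequence

CMD_CER, FLAG_R, AVP_FLAG_V = 257, 0x80, 0x80
AVP_AUTH_APP_ID, AVP_ORIGIN_HOST, AVP_PRODUCT_NAME = 258, 264, 269


class Peer(NamedTuple):
    source_ip: str            # transport-level source address of the connection
    origin_host: str
    app_ids: frozenset
    product_name: str


class AclRule(NamedTuple):    # unset criteria (None) match any peer
    action: str
    subnet: Optional[str] = None
    host_suffix: Optional[str] = None
    app_id: Optional[int] = None
    product_name: Optional[str] = None


def parse_avps(payload: bytes) -> Dict[int, List[bytes]]:
    """Return base (non-vendor) AVP payloads by code, validating each length."""
    avps: Dict[int, List[bytes]] = {}
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, pos)
        length = int.from_bytes(payload[pos + 5:pos + 8], "big")
        header = 12 if flags & AVP_FLAG_V else 8
        if length < header or pos + length > len(payload):
            raise ValueError("invalid AVP length")
        if not flags & AVP_FLAG_V:
            avps.setdefault(code, []).append(payload[pos + header:pos + length])
        pos += length + (-length % 4)          # AVPs are padded to 32 bits
    return avps


def peer_from_cer(message: bytes, source_ip: str) -> Peer:
    if len(message) < 20 or message[0] != 1:
        raise ValueError("not a Diameter message")
    length = int.from_bytes(message[1:4], "big")
    code = int.from_bytes(message[5:8], "big")
    if length != len(message) or not message[4] & FLAG_R or code != CMD_CER:
        raise ValueError("not a well-formed CER")
    avps = parse_avps(message[20:])
    if AVP_ORIGIN_HOST not in avps:
        raise ValueError("CER without Origin-Host")
    host = avps[AVP_ORIGIN_HOST][0].decode("ascii", "replace").lower()
    apps = frozenset(int.from_bytes(v, "big") for v in avps.get(AVP_AUTH_APP_ID, []))
    product = avps.get(AVP_PRODUCT_NAME, [b""])[0].decode("utf-8", "replace")
    return Peer(source_ip, host, apps, product)


def rule_matches(rule: AclRule, peer: Peer) -> bool:
    if rule.subnet is not None and (ipaddress.ip_address(peer.source_ip)
                                    not in ipaddress.ip_network(rule.subnet)):
        return False
    if rule.host_suffix is not None:
        suffix = rule.host_suffix.lower()      # match whole DNS labels only
        if peer.origin_host != suffix and not peer.origin_host.endswith("." + suffix):
            return False
    if rule.app_id is not None and rule.app_id not in peer.app_ids:
        return False
    return rule.product_name is None or rule.product_name == peer.product_name


def evaluate(peer: Peer, rules: Sequence[AclRule], default: str = "REJECT") -> str:
    """First matching rule decides; peers matching no rule get the default."""
    return next((r.action for r in rules if rule_matches(r, peer)), default)


def avp(code: int, data: bytes) -> bytes:
    """Encode one base AVP with the M flag set (used for the sample CER)."""
    length = 8 + len(data)
    return struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big") + data + bytes(-length % 4)


def build_cer(origin_host: str, app_id: int) -> bytes:
    """Constructed, reduced CER carrying only the AVPs this example inspects."""
    body = (avp(AVP_ORIGIN_HOST, origin_host.encode()) + avp(296, b"example.net")
            + avp(AVP_AUTH_APP_ID, struct.pack("!I", app_id))
            + avp(AVP_PRODUCT_NAME, b"ConstructedPeer"))
    head = bytes([1]) + (20 + len(body)).to_bytes(3, "big")
    head += bytes([FLAG_R]) + CMD_CER.to_bytes(3, "big")
    return head + struct.pack("!III", 0, 1, 1) + body


# Constructed policy: block lab hosts, admit one subnet for one application.
RULES = [
    AclRule("REJECT", host_suffix="lab.example.net"),
    AclRule("ACCEPT", subnet="10.20.0.0/16", host_suffix="example.net", app_id=16777238),
]
```

Matching the host name on whole DNS labels keeps a name such as pcrf1.notexample.net from satisfying a rule written for example.net.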
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram labels: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and Virtual Fabric Switch 2, external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switch A and Switch B; Interswitch Links; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP; MGMT-A, MGMT-B; INBAND connections to upstream Routers; Virtual IPs for SCTP and TCP, all VIPs doubled per Internal and External Networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
  Note:
  • Additional addresses per signaling interface are supported
  • Multiple signaling interfaces are supported
  • Multiple Networks and/or VLANs supported
  • IPv4 and IPv6 are supported
  • SCTP Multi-Homing Supported
  • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
  • Additional Management VIPs are supported
  • Multiple addresses per blade are supported
  • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
  • Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses
  • 2 for Advanced Management Modules
  • 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
 | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
 | | | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
 | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
 | | | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
 | | | Super-User (Administrator) | Full access
 | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
 | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
 | | | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
[Figure 11 labels: Client Peer, Transformation Engine, Server Peer; Request and Response pass through the Transformation Engine in each direction (Client→Server, Client←Server)]
Figure 11 A 4 Way Message Transformation
As seen in the above figure, SDC provides the flexibility by defining transformations of Client Requests and Client Responses.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
SDC also supports transformation of generic Diameter sessions to TCAP dialogues, for example Diameter to CAMEL. In the same way, SDC supports transformation of generic Diameter sessions to SS7 dialogues. For more information about SS7-Diameter interworking, see the SS7 Diameter Interworking Function Feature Description.
8.3 Routing
SDC implements an advanced routing management engine which provides service providers with flexibility to implement different routing rules and policies required to satisfy their business requirements.
Routing rules apply different criteria, using combinations of Diameter AVPs, request source and other properties, to make decisions. The routing engine natively works with the load balancing (Section 7.4) and the transformation (Section 7.5) engines to provide a harmonized solution for the most demanding and highly complex deployments.
The SDC routing management also supports routing resolution using external systems or service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established Diameter session. Pool selection is done using a combination of different AVPs such as Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The values of the AVPs of the incoming requests are matched with condition sets defined for SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied. The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios, where errors are detected in the remote nodes or they are disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments routing decisions should be retrieved from an external system. SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned using SOAP API to the SDC internal provisioning database. When a new Diameter session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, expiry time can be set for the provisioned entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a new Diameter session’s establishment, SDC will send a request to the location function. The request will include the query parameters, and the response will contain the appropriate pool for the specific request. The query parameters are extracted from the Diameter request’s AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method implements the same logic as described above, but instead of sending requests to an external system, SDC performs a programmatic call to an external library integrated within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the cache before sending the request to an external location function. The use of internal caching for routing decisions reduces the overall response time for the Diameter transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions that originate from different network elements and share common attributes. Bound sessions are handled as a session bundle composed of several sub-sessions. One such scenario is IP-CAN session binding as described in 3GPP 29.213. IP-CAN session binding is required to associate the Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the selected PCRF for some UE, all Rx sessions associated with the same UE should be routed to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are applied with routing rules inherited from the Master Session.
The session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each time the Diameter Server is selected to handle a Diameter Master session, the Master Session’s Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and Table.
[Figure 15 labels: Diameter 1 Client, HTTP 1 Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1]
Figure 15 Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out of session, server initiated Diameter requests, SDC implements advanced routing rules that can be used by the user to define the required behavior. In case no rule is set, SDC sends the request to a client based on the request’s Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the PCRF pool to which a particular session is routed.
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
o The first range is routed to “pcrf-cluster-a”
o The second range is routed to “pcrf-cluster-b”
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the “default” pool
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21, to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists for the duration of the Diameter session.
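The IMSI-range rule and the Gx/Rx binding described in this section can be sketched as follows. This is an added example, not SDC code or the rule from Figure 20: the IMSI ranges, the dictionary message layout, the fixed 15-digit IMSI check and the class and function names are assumptions, and the AVP names follow the RFC 4006 spelling.

```python
DEFAULT_POOL = "default"
IMSI_TYPE = 1  # Subscription-Id-Type END_USER_IMSI (RFC 4006)

# Constructed IMSI ranges; the page's real ranges exist only in Figure 20.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]


def imsi_of(msg):
    """Return the IMSI carried in the grouped Subscription-Id AVP, or None."""
    for sub in msg.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data")
        if (sub.get("Subscription-Id-Type") == IMSI_TYPE
                and isinstance(data, str) and len(data) == 15
                and data.isascii() and data.isdigit()):
            return data
    return None  # AVP missing, wrong type, or malformed value


def pool_for_imsi(imsi):
    """Match the IMSI against the ranges; anything else goes to the default pool."""
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:  # equal-length digit strings sort numerically
                return pool
    return DEFAULT_POOL


class Router:
    def __init__(self):
        self.sessions = {}  # Session-Id -> pool; the decision persists per session
        self.bindings = {}  # binding key (Framed-IP-Address) -> master Session-Id

    def route_gx(self, msg):
        """Master session: decide once at establishment, then stay on that pool."""
        sid = msg["Session-Id"]
        if sid not in self.sessions:
            self.sessions[sid] = pool_for_imsi(imsi_of(msg))
            ip = msg.get("Framed-IP-Address")
            if ip:
                self.bindings[ip] = sid
        return self.sessions[sid]

    def route_rx(self, msg):
        """Slave session: inherit the pool of the Gx session with the same key."""
        sid = msg["Session-Id"]
        if sid not in self.sessions:
            master = self.bindings.get(msg.get("Framed-IP-Address"))
            self.sessions[sid] = self.sessions.get(master, DEFAULT_POOL)
        return self.sessions[sid]

    def terminate(self, sid):
        """Drop the session and any binding keys that pointed at it."""
        self.sessions.pop(sid, None)
        for ip in [ip for ip, master in self.bindings.items() if master == sid]:
            del self.bindings[ip]


if __name__ == "__main__":
    router = Router()
    ccr = {  # constructed Gx CCR-Initial
        "Session-Id": "pgw1;1;1",
        "Subscription-Id": [{"Subscription-Id-Type": 1,
                             "Subscription-Id-Data": "001010600000001"}],
        "Framed-IP-Address": "10.0.0.5",
    }
    aar = {"Session-Id": "af1;9;9", "Framed-IP-Address": "10.0.0.5"}  # constructed Rx AAR
    print(router.route_gx(ccr), router.route_rx(aar))
```

A stale binding key is the failure mode to watch: once the Gx session ends, an Rx request for a reused IP address must not inherit the old pool, which is why `terminate` removes the key.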
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them and describes the conditions under which each policy should be used.
By Precedence
In this policy Diameter messages are sent to the first peer in the pool. The messages are sent until health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool using a “Context ID”. The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
[Figure 23 labels: Clients, Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID]
Figure 23 Contextual Policy
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across the pool’s available Diameter peers, and the Diameter peer to which the new request is delivered is the next available in row. Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool’s available Diameter peers according to a predefined proportion defined by a peer’s weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter traffic is distributed across the pool’s available Diameter peers according to the respective response time of the peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node which has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request’s destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
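The By Precedence, Round Robin, Weighted Round Robin and Contextual policies of this section, sketched over one pool with an in-service flag per peer. This is an added example, not SDC's implementation: the peer names, the SHA-256 mapping of the Context ID onto weighted slots, and the reading of the page's weight setting 3211 as per-peer weights 3, 2, 1, 1 are assumptions.

```python
import hashlib


class Pool:
    def __init__(self, weights):
        self.weights = dict(weights)             # peer -> weight, in pool order
        self.in_service = {p: True for p in self.weights}
        self._rr_next = 0                        # Round Robin position
        self._wrr_next = 0                       # Weighted Round Robin position
        self._sent = {p: 0 for p in self.weights}  # per-cycle quota counters

    def _available(self):
        return [p for p in self.weights if self.in_service[p]]

    def by_precedence(self):
        """First in-service peer; a recovered peer takes traffic back."""
        avail = self._available()
        return avail[0] if avail else None

    def round_robin(self):
        """Next available peer in row, ignoring weights."""
        peers = list(self.weights)
        for _ in peers:
            peer = peers[self._rr_next % len(peers)]
            self._rr_next += 1
            if self.in_service[peer]:
                return peer
        return None

    def weighted_round_robin(self):
        """Round Robin order, skipping peers that already reached their quota."""
        avail = self._available()
        if not avail:
            return None
        if all(self._sent[p] >= self.weights[p] for p in avail):
            self._sent = {p: 0 for p in self.weights}  # every quota met: new cycle
            self._wrr_next = 0
        peers = list(self.weights)
        for _ in peers:
            peer = peers[self._wrr_next % len(peers)]
            self._wrr_next += 1
            if self.in_service[peer] and self._sent[peer] < self.weights[peer]:
                self._sent[peer] += 1
                return peer
        return None

    def contextual(self, context_id):
        """Hash the Context ID (default: Session-Id) onto weighted slots."""
        slots = [p for p in self._available() for _ in range(self.weights[p])]
        if not slots:
            return None
        digest = hashlib.sha256(context_id.encode()).digest()
        return slots[int.from_bytes(digest[:8], "big") % len(slots)]


if __name__ == "__main__":
    pool = Pool({"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1})
    print([pool.weighted_round_robin() for _ in range(7)])
    print(pool.contextual("pgw1;1;1"))
```

In this sketch a peer leaving service shrinks the slot list, so Context IDs that mapped to other peers can move as well; where session stickiness matters, an established session should keep the peer chosen at establishment.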
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27 labels: Client Peer, Transformation Engine, Server Peer; Request and Response pass through the Transformation Engine in each direction (Client→Server, Client←Server)]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides the flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting the resources usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty Peers, or unexpected memory/CPU high usage or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate, or by bounding incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The message and byte rate limiters operation is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, and the byte rate limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit and caps the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
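The token bucket and the Channel and Global limiters described above, as an added example (not F5 Traffix code). The class and parameter names, the choice of one bucket per Peer in front of one global bucket, and the constructed traffic in demo() are assumptions; time is passed in explicitly so the run is deterministic.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float                      # tokens added per second
    capacity: float                  # bucket depth, i.e. the largest burst allowed
    tokens: float = field(init=False)
    last: float = 0.0                # time of the previous refill

    def __post_init__(self):
        self.tokens = self.capacity  # start with a full bucket

    def conforms(self, cost: float, now: float) -> bool:
        # Refill for the elapsed time, never above the bucket depth.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if cost > self.tokens:
            return False             # non-conforming: no tokens are removed
        self.tokens -= cost          # conforming: tokens are cashed in
        return True


class SignalingRateLimiter:
    """Per-Peer (channel) limiter in front of a global limiter (hypothetical names)."""

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst, pause):
        self.peer_rate, self.peer_burst, self.pause = peer_rate, peer_burst, pause
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peer_buckets = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def admit(self, peer: str, now: float, cost: float = 1) -> str:
        if now < self.global_paused_until:
            return "global-paused"   # reading is stopped for all Peers
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"     # reading is stopped for this Peer only
        bucket = self.peer_buckets.get(peer)
        if bucket is None:
            bucket = self.peer_buckets[peer] = TokenBucket(
                self.peer_rate, self.peer_burst, last=now)
        if not bucket.conforms(cost, now):
            self.peer_paused_until[peer] = now + self.pause
            return "peer-paused"
        if not self.global_bucket.conforms(cost, now):
            bucket.tokens += cost    # refund: the message was not read after all
            self.global_paused_until = now + self.pause
            return "global-paused"
        return "read"


def replay(limiter, arrivals):
    """Count decisions per Peer for (time, peer) arrivals sorted by time."""
    counts = Counter()
    for now, peer in arrivals:
        counts[(peer, limiter.admit(peer, now))] += 1
    return counts


def demo():
    # Constructed traffic over 2 s: "pcrf-1" sends 4 msg/s, "flood-1" sends 64 msg/s.
    arrivals = [(i / 4, "pcrf-1") for i in range(8)]
    arrivals += [(i / 64, "flood-1") for i in range(128)]
    arrivals.sort()
    limiter = SignalingRateLimiter(peer_rate=8, peer_burst=8,
                                   global_rate=1000, global_burst=1000, pause=0.5)
    return replay(limiter, arrivals)


if __name__ == "__main__":
    for key, count in sorted(demo().items()):
        print(key, count)
```

The well-behaved Peer is never paused, while the flooding Peer is read only in short bursts after each pause expires.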
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter header layout:
Bit offset   Bits 0-7     Bits 8-31
0            version      message length
32           R P E T      command code
64           application ID
96           hop-by-hop ID
128          end-to-end ID
160          AVPs
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
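A header-only classifier for the priority table above, as an added example (not the product's code). The rule rows follow the page's own examples (CCA over CCR, Gx over Rx, MAR/MAA over LIR/LAA); the names, the first-match rule order and the 3:1 weighted scheduling used to avoid starvation are assumptions, and the sample headers are constructed.

```python
import struct
from collections import deque
from typing import NamedTuple, Optional

FLAG_R, FLAG_T = 0x80, 0x10          # request bit, potentially-retransmitted bit
GX, RX, CX, GY = 16777238, 16777236, 16777216, 4   # application IDs
CC, AA, MA, LI = 272, 265, 303, 302                # command codes


class Header(NamedTuple):
    length: int
    is_answer: bool                   # R bit clear
    is_retransmit: bool               # T bit set
    command_code: int
    application_id: int
    hop_by_hop: int


class Rule(NamedTuple):               # None means "does not matter"
    is_answer: Optional[bool]
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


# Constructed table; the first matching row wins, otherwise "normal".
PRIORITY_TABLE = [
    Rule(True, None, CC, None, "high"),    # CCA over CCR
    Rule(None, None, None, GX, "high"),    # Gx over Rx
    Rule(None, None, MA, CX, "high"),      # MAR/MAA over LIR/LAA
]


def parse_header(data: bytes) -> Header:
    """Decode the fixed 20-byte Diameter header; raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("need 20 header bytes")
    ver_len, flags_code, app_id, hbh = struct.unpack_from("!IIII", data)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1 or length < 20 or length % 4:
        raise ValueError("bad version or message length")
    return Header(length, not flags & FLAG_R, bool(flags & FLAG_T), code, app_id, hbh)


def classify(header: Header, table=PRIORITY_TABLE) -> str:
    actual = header[1:5]              # is_answer, is_retransmit, code, application ID
    for rule in table:
        if all(w is None or w == a for w, a in zip(rule[:4], actual)):
            return rule.priority
    return "normal"


def schedule(messages, high_weight=3):
    """Serve up to high_weight high-priority messages, then one normal one."""
    queues = {"high": deque(), "normal": deque()}
    for raw in messages:
        header = parse_header(raw)
        queues[classify(header)].append(header)
    order = []
    while queues["high"] or queues["normal"]:
        for _ in range(high_weight):
            if queues["high"]:
                order.append(queues["high"].popleft())
        if queues["normal"]:          # normal traffic is never starved
            order.append(queues["normal"].popleft())
    return order


def make_header(code, app_id, request, hop_by_hop=1, retransmit=False) -> bytes:
    """Build a constructed 20-byte header with no AVPs, for the demonstration."""
    flags = (FLAG_R if request else 0) | (FLAG_T if retransmit else 0)
    return struct.pack("!IIIII", (1 << 24) | 20, (flags << 24) | code, app_id, hop_by_hop, 1)


if __name__ == "__main__":
    burst = [make_header(CC, GY, False, hop_by_hop=i) for i in range(1, 6)]
    burst += [make_header(AA, RX, True, hop_by_hop=i) for i in (101, 102)]
    print([h.hop_by_hop for h in schedule(burst)])
```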
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31: “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
Mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web access, SNMP/Syslog, Fault and Performance Manager, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters as well
as statistic collection related to performance counters are supported. The OAM supports the
compression of performance reports since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period) are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View (diagram of an SDC node in “Scalable Mode” with blades 1 to 12; labels: SDC Engine, Distributed Storage, Web Interface, Config Mgr, VIP (Active), VIP (Standby), Clients Backbone, Servers Backbone, External Network, Interconnect, Management Network)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engine, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
Figure 35: Main Software Processes (diagram of SDC Blade X; labels: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI / WS; Diameter VIP, Management VIP, Session Replication, Client Peer, Server Peer, Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (diagram labels: SDC nodes with Web UI / WS and Configuration Manager, Diameter VIP, Management VIP, Physical IP, Session Replication, Client, Management Workstation; arrows numbered 1 to 3 match the request processing flow steps)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation (diagram labels: SDC nodes with Web UI / WS and Configuration Manager, Diameter VIP, Management VIP, Physical IP, Session Replication, Client, Management Workstation; arrows numbered 1 to 3)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP: Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s
components; “scalable deployment” is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
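A CER-based ACCEPT/REJECT check of the kind described above, as an added example (not SDC code or its configuration syntax). The rule format, the default-deny fallback, the MAX_MESSAGE_LEN value and the sample CER are assumptions constructed for illustration; the AVP codes are the base-protocol ones.

```python
import ipaddress
import struct

CER = 257                                   # Capabilities-Exchange command code
ORIGIN_HOST, ORIGIN_REALM, PRODUCT_NAME = 264, 296, 269
AUTH_APP_ID, VENDOR_SPECIFIC_APP_ID, VENDOR_ID = 258, 260, 266
MAX_MESSAGE_LEN = 4096                      # assumed operator limit, in bytes


def parse_avps(body: bytes) -> dict:
    """Return {(vendor_id, code): [data, ...]}; raise ValueError on bad lengths."""
    avps, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", body, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8     # V bit set: a Vendor-Id field follows
        if length < hdr or pos + length > len(body):
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", body, pos + 8)[0] if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(body[pos + hdr:pos + length])
        pos += (length + 3) & ~3            # AVPs are padded to a 4-byte boundary
    return avps


def evaluate_cer(message: bytes, source_ip: str, rules: list) -> str:
    """Return the action of the first matching rule; malformed input is REJECTed."""
    try:
        if not 20 <= len(message) <= MAX_MESSAGE_LEN:
            raise ValueError("message length outside limits")
        ver_len, flags_code = struct.unpack_from("!II", message)
        if ver_len >> 24 != 1 or ver_len & 0xFFFFFF != len(message):
            raise ValueError("bad version or length field")
        if flags_code & 0xFFFFFF != CER or not (flags_code >> 24) & 0x80:
            raise ValueError("not a CER")
        avps = parse_avps(message[20:])
        realm = avps[(0, ORIGIN_REALM)][0].decode("ascii").lower()
        product = avps.get((0, PRODUCT_NAME), [b""])[0].decode("utf-8")
        app_data = list(avps.get((0, AUTH_APP_ID), []))
        for group in avps.get((0, VENDOR_SPECIFIC_APP_ID), []):   # grouped AVP
            app_data += parse_avps(group).get((0, AUTH_APP_ID), [])
        apps = {struct.unpack("!I", d)[0] for d in app_data}
        src = ipaddress.ip_address(source_ip)
    except (ValueError, KeyError, struct.error):
        return "REJECT"
    for rule in rules:
        if "subnet" in rule and src not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "realm" in rule and realm != rule["realm"]:
            continue
        if "app_id" in rule and rule["app_id"] not in apps:
            continue
        if "product" in rule and product != rule["product"]:
            continue
        return rule["action"]
    return "REJECT"                         # default deny when no rule matches


def avp(code: int, data: bytes) -> bytes:
    """Encode one AVP with the M flag set (helper for the constructed sample)."""
    length = 8 + len(data)
    return struct.pack("!II", code, (0x40 << 24) | length) + data + b"\0" * (-length % 4)


def build_cer(avps: bytes) -> bytes:
    return struct.pack("!IIIII", (1 << 24) | (20 + len(avps)), (0x80 << 24) | CER, 0, 1, 1) + avps


# Constructed policy: block one product name, accept Gx peers of one realm and subnet.
SAMPLE_RULES = [
    {"action": "REJECT", "product": "TestTool"},
    {"action": "ACCEPT", "subnet": "10.20.0.0/16", "realm": "epc.example.net",
     "app_id": 16777238},
]


def sample_cer(product: str = "PCEF-sim") -> bytes:
    vsa = avp(VENDOR_ID, struct.pack("!I", 10415)) + avp(AUTH_APP_ID, struct.pack("!I", 16777238))
    return build_cer(avp(ORIGIN_HOST, b"pcef1.epc.example.net")
                     + avp(ORIGIN_REALM, b"epc.example.net")
                     + avp(PRODUCT_NAME, product.encode()) + avp(VENDOR_SPECIFIC_APP_ID, vsa))


if __name__ == "__main__":
    print(evaluate_cer(sample_cer(), "10.20.3.4", SAMPLE_RULES))
    print(evaluate_cer(sample_cer(), "192.0.2.9", SAMPLE_RULES))
```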
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
(Diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2, each with external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switch A and B; Interswitch Links; connections to upstream routers; virtual IPs for SCTP and TCP, doubled per internal and external networks.)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
- Additional addresses per signaling interface are supported
- Multiple signaling interfaces are supported
- Multiple Networks and/or VLANs supported
- IPv4 and IPv6 are supported
- SCTP Multi-Homing supported
- If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
- Additional Management VIPs are supported
- Multiple addresses per blade are supported
- Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
- Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
- 2 for Advanced Management Modules
- 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
- HP Blade System with Bl460c Gen8 Blades
- HP DL380p Gen8 Rackmount Servers
- IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
(Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message. Legend: Decision Table, Message Flow, Decision Flow, Groovy Scripting.)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
The SDC routing management also supports routing resolution using external systems or
service location functions such as SLF, DNS, LDAP or SQL. These routing scenarios can
be applied separately or together.
Basic Routing
Basic routing decisions result in the selection of a destination pool for the established
Diameter session. Pool selection is done using a combination of different AVPs such as
Subscription-Id, APN from Called-Station-ID, Application-ID, Source-Peer, etc. The
values of the AVPs of the incoming requests are matched with condition sets defined for
SDC routing rules or by resolution against external service location functions.
After the basic routing decisions are completed, the load balancing algorithm is applied.
The supported load balancing algorithms are described in section 7.4.
The flow of actions is shown in Figure 12. After the destination peer is selected, all
messages for the appropriate Diameter session are sent to the selected node.
For failover scenarios where errors are detected in the remote nodes or they are
disconnected, please refer to Chapter 8.
Figure 12 Routing flow using defined criteria in SDC
Routing using external location functions
In some deployments, routing decisions should be retrieved from an external system.
SDC supports several methods of retrieving the routing decisions:
1. Using internally provisioned routing rules: the routing rules are provisioned
using SOAP API to the SDC internal provisioning database. When a new Diameter
session is established, SDC fetches the destination from its provisioning database.
When provisioning routing entries, an expiry time can be set for the provisioned
entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd party library integrated with SDC. This method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or another
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points, there is a need to bind sessions that originate from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding as described in 3GPP 29.213. IP-CAN session binding is required to associate
Rx and Gx sessions for the same UE. After the PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15 Multi-Protocol Session Binding
(Diagram labels: Diameter Server, HTTP Server, Diameter Client, HTTP Client, Session Binding; Binding Name: PCRF1.)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session, server initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool
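The rule above, written out as an added Python example (not the SDC's own rule or Groovy script): it parses the grouped Subscription-Id AVP, takes the IMSI from Subscription-Id-Data, and picks a pool. The AVP codes are the standard RFC 4006 values; the IMSI ranges, the helper names, and the choice to treat a malformed AVP like a missing one are assumptions made for this illustration.

```python
import struct

# AVP codes from RFC 4006 (Diameter Credit-Control), as carried on Gx.
SUBSCRIPTION_ID = 443
SUBSCRIPTION_ID_DATA = 444
SUBSCRIPTION_ID_TYPE = 450
END_USER_IMSI = 1

# Constructed ranges (test PLMN 001/01); the real ranges live in the routing rule.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def encode_avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id: code, flags, 24-bit length, padded data."""
    header = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def subscription_id(sub_type, digits):
    """Build a constructed Subscription-Id grouped AVP for the samples below."""
    inner = encode_avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", sub_type))
    inner += encode_avp(SUBSCRIPTION_ID_DATA, digits.encode())
    return encode_avp(SUBSCRIPTION_ID, inner)


def iter_avps(buf):
    """Yield (code, data) per AVP; raise ValueError on truncated or bad lengths."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, offset)
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        header_len = 12 if flags & 0x80 else 8  # V flag adds a Vendor-Id field
        if length < header_len or offset + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[offset + header_len:offset + length]
        offset += length + (-length % 4)  # AVPs are padded to 4 bytes


def extract_imsi(avps):
    """Return the IMSI from the first Subscription-Id of type END_USER_IMSI."""
    for code, data in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(data))
        sub_type = inner.get(SUBSCRIPTION_ID_TYPE)
        sub_data = inner.get(SUBSCRIPTION_ID_DATA)
        if sub_type is None or sub_data is None or len(sub_type) != 4:
            continue
        if struct.unpack("!I", sub_type)[0] != END_USER_IMSI:
            continue
        imsi = sub_data.decode("ascii", errors="replace")
        # Route only on well-formed IMSIs (up to 15 ASCII digits).
        if imsi.isascii() and imsi.isdigit() and len(imsi) <= 15:
            return imsi
    return None


def select_pool(avps):
    """Apply the rule: range match on IMSI, otherwise the default pool."""
    try:
        imsi = extract_imsi(avps)
    except ValueError:
        imsi = None  # assumption: a malformed AVP is handled like a missing one
    if imsi is None:
        return DEFAULT_POOL
    for low, high, pool in IMSI_RANGES:
        # Compare as equal-length digit strings so leading zeros are preserved.
        if len(imsi) == len(low) and low <= imsi <= high:
            return pool
    return DEFAULT_POOL
```

Comparing IMSIs as strings rather than integers keeps an MCC with leading zeros from collapsing into a shorter number and matching the wrong range.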
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy
(Diagram labels: Clients/Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID.)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3211 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
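The By Precedence, Contextual and Weighted Round Robin policies described above can be compared side by side in the following added Python example, which is not SDC code. Peer names and weights are constructed, and the Contextual policy is implemented here with weighted rendezvous hashing, a technique chosen for this illustration because it keeps a Context ID on the same peer while that peer stays in service.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    weight: int = 1          # relative capacity of the peer
    in_service: bool = True  # set by health monitoring / overload detection


class Pool:
    def __init__(self, peers):
        self.peers = list(peers)
        # One slot per unit of weight: a peer is picked until its quota is used.
        self._slots = [p for p in self.peers for _ in range(p.weight)]
        self._pos = 0

    def by_precedence(self):
        """Return the first in-service peer in configured order."""
        return next((p for p in self.peers if p.in_service), None)

    def weighted_round_robin(self):
        """Walk the quota slots in order, skipping out-of-service peers."""
        for _ in range(len(self._slots)):
            peer = self._slots[self._pos]
            self._pos = (self._pos + 1) % len(self._slots)
            if peer.in_service:
                return peer
        return None

    def contextual(self, context_id):
        """Map a Context ID to an in-service peer, in proportion to weight."""
        best, best_score = None, -1.0
        for peer in self.peers:
            if not peer.in_service or peer.weight <= 0:
                continue
            key = f"{peer.name}|{context_id}".encode()
            digest = hashlib.sha256(key).digest()
            # 52 hash bits mapped into the open interval (0, 1).
            h = ((int.from_bytes(digest[:8], "big") >> 12) + 0.5) / 2**52
            # Weighted rendezvous score: the highest score wins, and a peer
            # wins with probability weight / (sum of in-service weights).
            score = -peer.weight / math.log(h)
            if score > best_score:
                best, best_score = peer, score
        return best


def demo_pool():
    """Constructed four-peer pool; names and weights are illustrative."""
    return Pool([Peer("pcrf-1", 3), Peer("pcrf-2", 2),
                 Peer("pcrf-3", 1), Peer("pcrf-4", 1)])


if __name__ == "__main__":
    pool = demo_pool()
    print([pool.weighted_round_robin().name for _ in range(7)])
    print(pool.contextual("session-id-example").name)
```

When a peer is taken out of service, only the Context IDs that were mapped to it move; sessions on the surviving peers keep their destination.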
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol, and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
- Server->Client Request (such as RAR)
- Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation
(Diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in both the Client-to-Server and Server-to-Client directions.)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory/CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
- Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
- Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
- Message rate limiter
- Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
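The throttling described above, as an added example (not F5 Traffix code): a token-bucket message limiter and byte limiter applied per channel and globally, with a read pause when a limit is exceeded. The class names, the burst depth and the pause handling are assumptions made for the illustration; time is passed in explicitly so the behaviour is reproducible.

```python
"""Token-bucket read throttling per channel (peer) and globally."""
from dataclasses import dataclass


@dataclass
class Limit:
    msgs_per_sec: float
    bytes_per_sec: float
    burst_sec: float = 1.0  # bucket depth, expressed as seconds of traffic


class TokenBucket:
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.stamp = capacity, 0.0  # the bucket starts full

    def available(self, now):
        # Refill for the elapsed time, never beyond the bucket capacity.
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.stamp = now
        return self.tokens


class Scope:
    """One message bucket plus one byte bucket, with a read pause."""

    def __init__(self, limit, pause_sec):
        self.msgs = TokenBucket(limit.msgs_per_sec, limit.msgs_per_sec * limit.burst_sec)
        self.octets = TokenBucket(limit.bytes_per_sec, limit.bytes_per_sec * limit.burst_sec)
        self.pause_sec, self.paused_until = pause_sec, 0.0

    def conforms(self, size, now):
        # Inspect only: a non-conforming message leaves both buckets unchanged.
        return self.msgs.available(now) >= 1 and self.octets.available(now) >= size

    def charge(self, size):
        self.msgs.tokens -= 1
        self.octets.tokens -= size

    def pause(self, now):
        self.paused_until = now + self.pause_sec


class ReadThrottle:
    """Channel limiter for each peer plus one global limiter for all peers."""

    def __init__(self, channel_limit, global_limit, pause_sec):
        self.channel_limit, self.pause_sec = channel_limit, pause_sec
        self.total = Scope(global_limit, pause_sec)
        self.channels = {}

    def admit(self, peer, size, now):
        """Return "read", "channel-paused" or "global-paused" for one message."""
        chan = self.channels.get(peer)
        if chan is None:
            chan = self.channels[peer] = Scope(self.channel_limit, self.pause_sec)
        if now < self.total.paused_until:
            return "global-paused"
        if now < chan.paused_until:
            return "channel-paused"
        if not chan.conforms(size, now):
            chan.pause(now)            # stop reading from this peer only
            return "channel-paused"
        if not self.total.conforms(size, now):
            self.total.pause(now)      # stop reading from all peers
            return "global-paused"
        chan.charge(size)              # tokens are taken only when both scopes pass
        self.total.charge(size)
        return "read"


if __name__ == "__main__":
    # Constructed traffic: peer-a bursts seven 100-byte messages at t=0.
    throttle = ReadThrottle(Limit(5, 10_000), Limit(8, 100_000), pause_sec=0.5)
    print([throttle.admit("peer-a", 100, 0.0) for _ in range(7)])
```

A message larger than the byte bucket's capacity can never conform, so the burst depth has to be sized above the maximum accepted message length.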
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | 0-7     | 8-31
0          | version | message length
32         | R P E T | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
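Header-based prioritization as described above, as an added example (not F5 Traffix code): the 20-byte Diameter header is decoded and matched against a wildcard priority table, first match wins. The rule set and the sample messages are constructed; the command code 272 (Credit-Control) and the Gx/Rx application IDs are the standard values. In RFC 6733 the R bit is set on requests, so "is answer" is computed as R bit clear.

```python
import struct
from typing import NamedTuple

ANY = None  # "does not matter" in the priority table


class Header(NamedTuple):
    version: int
    length: int
    request: bool      # R bit (RFC 6733: set on requests, clear on answers)
    proxiable: bool    # P bit
    error: bool        # E bit
    retransmit: bool   # T bit
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int


def parse_header(data: bytes) -> Header:
    """Decode the fixed 20-byte Diameter header (layout as in the table above)."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for a Diameter header")
    word0, word1, app_id, hbh, e2e = struct.unpack_from("!5I", data)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError(f"unsupported Diameter version {version}")
    if length < 20 or length % 4:
        raise ValueError(f"invalid message length {length}")
    return Header(version, length, bool(flags & 0x80), bool(flags & 0x40),
                  bool(flags & 0x20), bool(flags & 0x10), code, app_id, hbh, e2e)


def priority(header, rules, default="normal"):
    """First matching rule wins; ANY matches every value; no match means normal."""
    observed = (not header.request, header.retransmit,
                header.command_code, header.application_id)
    for *match, level in rules:
        if all(want is ANY or want == got for want, got in zip(match, observed)):
            return level
    return default


CREDIT_CONTROL = 272             # CCR/CCA command code
GX, RX = 16777238, 16777236      # 3GPP Gx and Rx application IDs

# Constructed rule set:
# (is_answer, is_retransmit, command_code, application_id, priority)
RULES = [
    (True, ANY, CREDIT_CONTROL, ANY, "high"),   # CCA over CCR
    (ANY, ANY, ANY, GX, "high"),                # Gx over Rx
]


def build_header(flags, code, app_id, length=20, hbh=1, e2e=1):
    """Constructed sample input: a header-only Diameter message."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | code,
                       app_id, hbh, e2e)


def classify(data, rules=RULES):
    return priority(parse_header(data), rules)


if __name__ == "__main__":
    samples = {
        "CCR, app 4": build_header(0xC0, CREDIT_CONTROL, 4),
        "CCA, app 4": build_header(0x40, CREDIT_CONTROL, 4),
        "Gx CCR": build_header(0xC0, CREDIT_CONTROL, GX),
        "Rx AAR": build_header(0xC0, 265, RX),
    }
    for name, message in samples.items():
        print(name, "->", classify(message))
```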
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period the server does not handle new
Diameter sessions.
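One way to model In Session Monitoring, as an added example (not F5 Traffix code): error events per peer are counted in a sliding window, and a peer that exceeds the threshold is taken out of service for a fixed interval while new sessions go to an alternative peer. The window model, the treatment of every Result-Code of 3000 and above as an error, and all names and thresholds are assumptions; 2001 and 3004 are the RFC 6733 values for DIAMETER_SUCCESS and DIAMETER_TOO_BUSY.

```python
from collections import deque

DIAMETER_SUCCESS = 2001
DIAMETER_TOO_BUSY = 3004


class PeerHealth:
    """Sliding-window error counter with an out-of-service timer for one peer."""

    def __init__(self, max_errors, window_sec, out_of_service_sec, slow_sec):
        self.max_errors = max_errors              # errors tolerated per window
        self.window_sec = window_sec
        self.out_of_service_sec = out_of_service_sec
        self.slow_sec = slow_sec                  # response time counted as an error
        self.errors = deque()                     # timestamps of recent error events
        self.out_until = 0.0

    def in_service(self, now):
        return now >= self.out_until

    def record(self, now, result_code, response_time):
        """Record one transaction. result_code=None means the request timed out.

        Returns True while the peer may still receive new sessions.
        """
        timed_out = result_code is None
        error_answer = result_code is not None and result_code >= 3000
        too_slow = response_time is not None and response_time > self.slow_sec
        if timed_out or error_answer or too_slow:
            self.errors.append(now)
        # Drop events that have aged out of the window.
        while self.errors and self.errors[0] <= now - self.window_sec:
            self.errors.popleft()
        if len(self.errors) > self.max_errors:
            self.out_until = now + self.out_of_service_sec
            self.errors.clear()                   # start clean after the penalty
        return self.in_service(now)


def select_peer(peers, now):
    """Return the first in-service peer name, or None to reject gracefully."""
    for name, health in peers.items():
        if health.in_service(now):
            return name
    return None


def demo():
    """Constructed event stream for two hypothetical peers."""
    peers = {
        "pcrf-a": PeerHealth(3, 1.0, 5.0, 0.2),
        "pcrf-b": PeerHealth(3, 1.0, 5.0, 0.2),
    }
    a = peers["pcrf-a"]
    a.record(0.0, DIAMETER_SUCCESS, 0.01)
    a.record(0.1, DIAMETER_TOO_BUSY, 0.01)        # busy answer
    a.record(0.2, None, None)                     # timeout
    a.record(0.3, DIAMETER_SUCCESS, 0.5)          # slow response
    a.record(0.4, 5012, 0.01)                     # other Diameter error code
    return select_peer(peers, 1.0), select_peer(peers, 6.0)


if __name__ == "__main__":
    print(demo())
```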
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables configuring and
managing SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.

Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.

Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy); Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
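A Diameter-level ACL of the kind described in 11.5, as an added example (not F5 Traffix code): the AVPs of a CER are decoded and matched against ACCEPT/REJECT rules on source subnet, Origin-Host, Auth-Application-Id and Product-Name, with an optional custom policy that sees all AVPs. The rule model, the default-reject behaviour, the mapping of "product-type" to the Product-Name AVP and the sample CER are assumptions; the input is the AVP part of the message, after the 20-byte header.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

# Base-protocol AVP codes carried in a CER (RFC 6733).
AUTH_APPLICATION_ID, ORIGIN_HOST, PRODUCT_NAME = 258, 264, 269


def parse_avps(payload: bytes) -> dict:
    """Return {(vendor_id, code): [value, ...]} for the top-level AVPs."""
    avps, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 8:
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", payload, pos)
        flags, length = word >> 24, word & 0xFFFFFF
        header = 12 if flags & 0x80 else 8        # V bit: a 4-byte Vendor-Id follows
        if length < header or pos + length > len(payload):
            raise ValueError("AVP length outside message")
        vendor = struct.unpack_from("!I", payload, pos + 8)[0] if header == 12 else 0
        avps.setdefault((vendor, code), []).append(payload[pos + header:pos + length])
        pos += (length + 3) & ~3                  # AVPs are padded to 32 bits
    return avps


class Rule(NamedTuple):
    action: str                           # "ACCEPT" or "REJECT"
    subnet: Optional[str] = None          # None means "any"
    host: Optional[str] = None            # Origin-Host
    application_id: Optional[int] = None  # Auth-Application-Id
    product: Optional[str] = None         # Product-Name


def check_cer(rules, peer_ip, cer_avps, custom_policy=None, default="REJECT"):
    """Decide on connection establishment; the first matching rule wins."""
    try:
        avps = parse_avps(cer_avps)
        host = avps[(0, ORIGIN_HOST)][0].decode("ascii")
        # Grouped Vendor-Specific-Application-Id AVPs are not expanded here.
        apps = {struct.unpack("!I", v)[0]
                for v in avps.get((0, AUTH_APPLICATION_ID), [])}
    except (ValueError, KeyError, struct.error):
        return "REJECT"                   # malformed or incomplete CER
    product = avps.get((0, PRODUCT_NAME), [b""])[0].decode("utf-8", "replace")
    if custom_policy is not None:         # custom policy may inspect any AVP
        verdict = custom_policy(avps)
        if verdict is not None:
            return verdict
    addr = ipaddress.ip_address(peer_ip)
    for rule in rules:
        if rule.subnet and addr not in ipaddress.ip_network(rule.subnet):
            continue
        if rule.host and rule.host.lower() != host.lower():
            continue
        if rule.application_id is not None and rule.application_id not in apps:
            continue
        if rule.product and rule.product != product:
            continue
        return rule.action
    return default


def avp(code, value, flags=0x40):
    """Constructed sample input: encode one base-protocol AVP."""
    length = 8 + len(value)
    return (struct.pack("!II", code, (flags << 24) | length)
            + value + b"\x00" * (-length % 4))


S6A = 16777251                            # 3GPP S6a application ID
SAMPLE_CER = (avp(ORIGIN_HOST, b"mme1.visited.example")
              + avp(AUTH_APPLICATION_ID, struct.pack("!I", S6A))
              + avp(PRODUCT_NAME, b"constructed-mme", flags=0))
SAMPLE_RULES = [
    Rule("REJECT", subnet="198.51.100.0/24"),
    Rule("ACCEPT", subnet="192.0.2.0/24", host="mme1.visited.example",
         application_id=S6A),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_cer(SAMPLE_RULES, ip, SAMPLE_CER))
```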
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
117 OSSystem security
SDC uses commercially available RHEL distribution During system installation unused
modules are removed or disabled and portsrsquo usage is restricted
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendation for OS and application hardening as described
in the following documentation
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5Revision 41 February 28 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
[Diagram: a blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port) joined by interswitch links with connections to upstream routers, and L2/3 1GB Copper Switches A and B. Virtual IPs for SCTP and TCP are doubled per internal and external network.]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
- Additional addresses per signaling interface are supported
- Multiple signaling interfaces are supported
- Multiple Networks and/or VLANs supported
- IPv4 and IPv6 are supported
- SCTP Multi-Homing supported
- If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the
baseline chassis configuration)
- Additional Management VIPs are supported
- Multiple addresses per blade are supported
- Multiple Networks and/or VLANs supported, e.g. dedicated Management and
Backup Interface
- Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
- 2 for Advanced Management Modules
- 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
- HP Blade System with BL460c Gen8 Blades
- HP DL380p Gen8 Rackmount Servers
- IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Groovy Scripting. Legend: Message Flow, Decision Flow.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
- Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
- Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
- Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
When provisioning routing entries, expiry time can be set for the provisioned
entries or they can be kept on a permanent basis.
In addition to provisioning, SDC can calculate routing decisions or apply default
decisions if routing decisions can be fetched from the internal database.
2. Using the retrieval function, which implements LDAP, SQL or SOAP. After a
new Diameter session's establishment, SDC will send a request to the location
function. The request will include the query parameters and the response will
contain the appropriate pool for the specific request. The query parameters are
extracted from the Diameter request's AVPs or calculated by the routing engine.
3. Using a 3rd-party library integrated with SDC. The following method
implements the same logic as described above, but instead of sending requests to an
external system, SDC performs a programmatic call to an external library integrated
within it.
4. Using DNS NAPTR Realm resolution as described in RFC 3588 and TS 23.003.
The rules can be broad, e.g. using MCC/MNC, or fine-grained, using IMSI or other
combination of values.
SDC provides a caching functionality for the routing policies. Caching can be used in
scenarios 2-4. The fetched information is cached for a pre-defined duration. If caching is
enabled, SDC first checks if a routing entry for a specific set of AVPs is present in the
cache before sending the request to an external location function. The use of internal
caching for routing decisions reduces the overall response time for the Diameter
transactions.
Routing decision binding between different Diameter reference points
For some Diameter reference points there is a need to bind sessions originating from
different network elements and share common attributes. Bound sessions are handled as a
session bundle composed of several sub-sessions. One such scenario is IP-CAN session
binding, as described in 3GPP 29.213. IP-CAN session binding is required to associate
between Rx and Gx sessions for the same UE. After PCEF establishes a Gx session with the
selected PCRF for some UE, all Rx sessions associated with the same UE should be routed
to the same PCRF. The process of IP-CAN session binding is shown in Figure 14. SDC
supports this binding functionality using sets of common AVPs that are available for both
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15 Multi-Protocol Session Binding
[Diagram: Diameter Client 1 and HTTP Client 1 are connected by session binding to a Diameter Server and an HTTP Server that share the Binding Name PCRF1.]
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out-of-session server-initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
  - The first range is routed to "pcrf-cluster-a"
  - The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
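The IMSI-range rule and the per-session persistence described above, as an added example rather than the SDC rule from Figures 19-21 (which are not reproduced on this page). The IMSI ranges are constructed around the test PLMN 001/01, messages are represented as already-decoded dictionaries, and the AVP names follow the RFC 4006 spelling; all of these are assumptions.

```python
END_USER_IMSI = 1   # Subscription-Id-Type value for an IMSI (RFC 4006)

# Constructed, inclusive IMSI ranges (test PLMN 001/01); not taken from the page.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(msg):
    """Return the IMSI from the grouped Subscription-Id AVP, or None."""
    for sub in msg.get("Subscription-Id", []):
        data = sub.get("Subscription-Id-Data", "")
        if (sub.get("Subscription-Id-Type") == END_USER_IMSI
                and data.isascii() and data.isdigit() and len(data) == 15):
            return data
    return None


def select_pool(imsi):
    """Map an IMSI to a PCRF pool; missing or out-of-range IMSIs use the default."""
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            # Equal-length digit strings compare correctly as text and keep
            # the leading zeros that an integer conversion would drop.
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class GxRouter:
    """Decide once per Session-Id and reuse the decision until termination."""

    def __init__(self):
        self._decisions = {}

    def route(self, msg):
        session_id = msg["Session-Id"]
        if session_id not in self._decisions:
            self._decisions[session_id] = select_pool(extract_imsi(msg))
        return self._decisions[session_id]

    def terminate(self, session_id):
        self._decisions.pop(session_id, None)
```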
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy
[Diagram: clients reach SDC through the Internet and a router; SDC forwards to the remote peers. Traffic is contextually distributed according to session ID.]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
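The By Precedence, Contextual and Weighted Round Robin policies described above, as an added example (not SDC code). The peer names, the SHA-256 slot mapping used for the Context ID and the rule that a new cycle starts once every available peer has reached its quota are assumptions of this sketch; the 3:2:1:1 weights are the ones quoted in the text.

```python
import hashlib

# Peer names are hypothetical; the weights are the 3:2:1:1 sample from the text.
WEIGHTS = {"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1}


def by_precedence(order, available):
    """First peer in pool order that is currently in service, else None."""
    return next((peer for peer in order if peer in available), None)


def contextual_pick(context_id, weights, available):
    """Map a Context ID (default: the Session-Id) to a peer, proportionally to weight.

    The same Context ID always lands on the same peer while the set of
    available peers is unchanged; a change in availability remaps contexts.
    """
    slots = [p for p, w in weights.items() if p in available for _ in range(w)]
    if not slots:
        return None
    digest = hashlib.sha256(context_id.encode()).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


class WeightedRoundRobin:
    """Round robin that skips peers which already used their quota in this cycle."""

    def __init__(self, weights):
        self.weights = dict(weights)             # peer -> quota per cycle
        self.order = list(self.weights)
        self.sent = dict.fromkeys(self.order, 0)
        self.pos = 0

    def pick(self, available):
        live = [p for p in self.order if p in available]
        if not live:
            return None
        if all(self.sent[p] >= self.weights[p] for p in live):
            # Every available peer reached its quota: start a new cycle.
            self.sent = dict.fromkeys(self.order, 0)
            self.pos = 0
        for step in range(len(self.order)):
            index = (self.pos + step) % len(self.order)
            peer = self.order[index]
            if peer in available and self.sent[peer] < self.weights[peer]:
                self.sent[peer] += 1
                self.pos = (index + 1) % len(self.order)
                return peer
        return None
```

With all four peers in service, one cycle of seven requests goes to pcrf-1, pcrf-2, pcrf-3, pcrf-4, pcrf-1, pcrf-2, pcrf-1.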
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
- Server->Client Request (such as RAR)
- Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation
[Diagram: the Transformation Engine sits between the Client Peer and the Server Peer and processes requests and responses in both the Client->Server and the Server->Client direction.]
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message-oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
- Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
- Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
- Message rate limiter
- Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
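The token bucket and the per-channel message and byte limiters described above, as an added example (not SDC code). The rates, burst sizes, pause duration and the PASS / LIMIT / PAUSED return values are assumptions; time is passed in explicitly so the behaviour can be replayed on constructed traffic.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens per second up to `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


class ChannelRateLimiter:
    """Per-peer message and byte limiter that pauses reading from a noisy peer."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause):
        self.msg_cfg = (msg_rate, msg_burst)
        self.byte_cfg = (byte_rate, byte_burst)
        self.pause = pause                   # seconds to stop reading from the peer
        self.buckets = {}                    # peer -> (message bucket, byte bucket)
        self.paused_until = {}               # peer -> time at which reading resumes

    def on_message(self, peer, size, now):
        """Return PASS, LIMIT (limit exceeded, pause starts) or PAUSED (not read)."""
        if now < self.paused_until.get(peer, 0.0):
            return "PAUSED"
        if peer not in self.buckets:
            self.buckets[peer] = (TokenBucket(*self.msg_cfg, now),
                                  TokenBucket(*self.byte_cfg, now))
        messages, octets = self.buckets[peer]
        messages.refill(now)
        octets.refill(now)
        # Check both buckets before removing tokens, so a non-conforming
        # message leaves the contents of both buckets unchanged.
        if messages.tokens >= 1 and octets.tokens >= size:
            messages.tokens -= 1             # message rate limiter: one token each
            octets.tokens -= size            # byte rate limiter: one token per byte
            return "PASS"
        self.paused_until[peer] = now + self.pause
        return "LIMIT"


def replay(limiter, peer, size, interval, count):
    """Feed `count` constructed messages of `size` bytes, `interval` seconds apart."""
    return [limiter.on_message(peer, size, i * interval) for i in range(count)]
```

A global limiter follows the same pattern with a single pair of buckets shared by all peers.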
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
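The token bucket, the Channel Rate Limiter and the Global Rate Limiter described above can be combined as in the following added example, which is not SDC code. The class names, the rates, the pause length and the peer names are assumptions chosen for illustration; time is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens per second, holding at most `capacity`."""

    def __init__(self, rate, capacity, now=0.0):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity      # a new bucket starts full
        self.updated = now          # time of the last refill

    def conforms(self, now, cost=1.0):
        """Refill for the elapsed time, then try to cash in `cost` tokens."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens < cost:
            return False            # non-conforming: bucket contents unchanged
        self.tokens -= cost
        return True


class SignalingRateLimiter:
    """Per-peer (channel) limit plus a global limit, each with a read pause."""

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst, pause):
        self.peer_rate = peer_rate
        self.peer_burst = peer_burst
        self.pause = pause                      # seconds to stop reading
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peer_buckets = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def admit(self, peer, now):
        """Return 'accept', 'peer-paused' or 'global-paused' for one message."""
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        bucket = self.peer_buckets.get(peer)
        if bucket is None:
            bucket = TokenBucket(self.peer_rate, self.peer_burst, now)
            self.peer_buckets[peer] = bucket
        # The peer bucket is checked first so that one flooding peer cannot
        # drain the tokens shared by all peers.
        if not bucket.conforms(now):
            self.peer_paused_until[peer] = now + self.pause
            return "peer-paused"
        if not self.global_bucket.conforms(now):
            self.global_paused_until = now + self.pause
            return "global-paused"
        return "accept"


def demo():
    """Constructed trace of (time in seconds, peer): mme-a bursts, pcrf-b does not."""
    limiter = SignalingRateLimiter(peer_rate=2, peer_burst=2,
                                   global_rate=5, global_burst=5, pause=1.0)
    trace = [(0.0, "mme-a"), (0.0, "mme-a"), (0.0, "mme-a"),
             (0.5, "mme-a"), (0.5, "pcrf-b"), (1.0, "mme-a")]
    return [limiter.admit(peer, t) for t, peer in trace]


if __name__ == "__main__":
    print(demo())
```

The third message from mme-a exhausts its bucket and pauses only that peer; pcrf-b is still accepted during the pause.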
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter message header layout:
Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T (flags) | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
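The header-based priority lookup above can be sketched as follows. This is an added example, not SDC code: the rule list, the function names and the sample messages are constructed, and `None` stands for "does not matter". The command code (272, Credit-Control) and the Gx and Rx application IDs are the standard values; per RFC 6733 the R bit set marks a request, so "is answer" means the R bit is clear.

```python
import struct
from typing import NamedTuple, Optional

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
GX_APP_ID, RX_APP_ID = 16777238, 16777236   # 3GPP Gx and Rx application IDs
CREDIT_CONTROL = 272                        # CCR/CCA command code


class Header(NamedTuple):
    is_answer: bool        # R bit clear
    is_retransmit: bool    # T bit set
    command_code: int      # 24-bit integer
    application_id: int    # 32-bit integer
    length: int            # message length from the header


class Rule(NamedTuple):
    is_answer: Optional[bool]
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


def parse_header(data: bytes) -> Header:
    """Decode the fixed 20-byte Diameter header; reject malformed input."""
    if len(data) < 20:
        raise ValueError("truncated Diameter header")
    ver_len, flags_code, app_id, _hbh, _e2e = struct.unpack("!5I", data[:20])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("invalid message length")
    return Header(not flags & FLAG_R, bool(flags & FLAG_T), code, app_id, length)


def classify(header: Header, rules, default="Normal") -> str:
    """First matching rule wins; unmatched messages get normal priority."""
    for rule in rules:
        if all(want is None or want == got
               for want, got in zip(rule[:4], header[:4])):
            return rule.priority
    return default


def build_header(flags, code, app_id, length=20, hbh=1, e2e=1) -> bytes:
    """Helper that constructs sample headers for the demonstration."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | code,
                       app_id, hbh, e2e)


# Constructed rule table: Gx credit-control answers and any retransmission
# are treated as high priority.
RULES = [
    Rule(True, None, CREDIT_CONTROL, GX_APP_ID, "High"),
    Rule(None, True, None, None, "High"),
]

if __name__ == "__main__":
    cca = build_header(FLAG_P, CREDIT_CONTROL, GX_APP_ID)
    ccr = build_header(FLAG_R | FLAG_P, CREDIT_CONTROL, GX_APP_ID)
    print(classify(parse_header(cca), RULES), classify(parse_header(ccr), RULES))
```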
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period the server does not handle new
Diameter sessions.
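The threshold logic of In Session Monitoring can be illustrated with a sliding window of error events per peer. This is an added example, not SDC code: the class, the window length, the thresholds and the peer names are assumptions, and treating every Result-Code of 3000 or above as an error event is a simplification a real policy would refine.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004   # standard Result-Code for a busy answer


def classify_answer(result_code, response_time, max_response_time):
    """Map one observed transaction to an error kind, or None if healthy."""
    if result_code is None:
        return "timeout"                 # no answer arrived in time
    if result_code == DIAMETER_TOO_BUSY:
        return "busy"
    if result_code >= 3000:
        return "error"                   # other Diameter error codes (assumption)
    if response_time > max_response_time:
        return "slow"                    # answered, but too late
    return None


class InSessionMonitor:
    """Marks a peer out of service when errors in the window exceed a limit."""

    def __init__(self, max_errors, window, out_of_service, max_response_time):
        self.max_errors = max_errors            # allowed errors per window
        self.window = window                    # seconds
        self.out_of_service = out_of_service    # seconds a peer stays excluded
        self.max_response_time = max_response_time
        self.errors = {}                        # peer -> deque of timestamps
        self.down_until = {}                    # peer -> time service resumes

    def in_service(self, peer, now):
        return now >= self.down_until.get(peer, 0.0)

    def observe(self, peer, now, result_code, response_time):
        """Record one transaction result; return whether the peer is usable."""
        kind = classify_answer(result_code, response_time, self.max_response_time)
        if kind is not None:
            q = self.errors.setdefault(peer, deque())
            q.append(now)
            while q and q[0] <= now - self.window:
                q.popleft()                     # drop events outside the window
            if len(q) > self.max_errors:
                self.down_until[peer] = now + self.out_of_service
                q.clear()
        return self.in_service(peer, now)


def demo():
    """Constructed observations for one peer: (time, Result-Code, seconds)."""
    mon = InSessionMonitor(max_errors=2, window=10.0,
                           out_of_service=30.0, max_response_time=1.0)
    samples = [(0.0, None, 0.0), (1.0, 3004, 0.1), (2.0, 2001, 0.1), (3.0, 2001, 5.0)]
    states = [mon.observe("hss1", t, rc, rt) for t, rc, rt in samples]
    return states, mon.in_service("hss1", 20.0), mon.in_service("hss1", 33.0)


if __name__ == "__main__":
    print(demo())
```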
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments the configuration management is performed locally. In multi-site deployments
with the EMS some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View
Figure 34: Scalable Deployment Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware - RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
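A Diameter-level ACL of the kind described in this section can be evaluated as an ordered rule list with a default REJECT. The following is an added example, not SDC code or its configuration format: the rule fields, addresses, host names and the decoded-CER dictionary are constructed. The source address comes from the transport connection, because AVP values such as Origin-Host are asserted by the peer itself.

```python
import ipaddress
from typing import NamedTuple, Optional


class AclRule(NamedTuple):
    action: str                            # "ACCEPT" or "REJECT"
    network: Optional[str] = None          # CIDR the source address must be in
    host_suffix: Optional[str] = None      # required Origin-Host suffix
    application_id: Optional[int] = None   # must be advertised in the CER
    product_name: Optional[str] = None     # exact Product-Name match


def rule_matches(rule: AclRule, peer_ip: str, cer: dict) -> bool:
    """A rule matches only if every criterion it sets is satisfied."""
    if rule.network is not None:
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.network):
            return False
    if rule.host_suffix is not None:
        # The suffix starts with a dot so "evilepc.example.net" cannot pass
        # a rule written for ".epc.example.net".
        host = cer.get("Origin-Host", "").lower()
        if not host.endswith(rule.host_suffix.lower()):
            return False
    if rule.application_id is not None:
        if rule.application_id not in cer.get("Auth-Application-Id", []):
            return False
    if rule.product_name is not None:
        if cer.get("Product-Name") != rule.product_name:
            return False
    return True


def evaluate_cer(rules, peer_ip: str, cer: dict) -> str:
    """First matching rule decides; anything unmatched is rejected."""
    for rule in rules:
        if rule_matches(rule, peer_ip, cer):
            return rule.action
    return "REJECT"


# Constructed policy: block one host explicitly, then accept Gx peers from
# one subnet whose Origin-Host is inside the operator's realm.
RULES = [
    AclRule("REJECT", network="192.0.2.66/32"),
    AclRule("ACCEPT", network="192.0.2.0/24",
            host_suffix=".epc.example.net", application_id=16777238),
]

# Constructed, already-decoded CER AVPs.
SAMPLE_CER = {
    "Origin-Host": "pcef1.epc.example.net",
    "Auth-Application-Id": [16777238],
    "Product-Name": "ExamplePCEF",
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.7"):
        print(ip, evaluate_cer(RULES, ip, SAMPLE_CER))
```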
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
[Diagram: a blade chassis with SDC worker nodes; Virtual Fabric Switches 1 and 2 (external ports 10 x 10GbE + 1 x 1GB port each) joined by an interswitch link; L2/3 1GB Copper Switches A and B; networks EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B and INBAND; connections to upstream routers; virtual IPs for SCTP and TCP, all VIPs doubled per Internal and External Networks.]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after the Site Survey and Customer Workshop.

Failure Type / Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs are supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing is supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM: Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs are supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM: Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
[Diagram labels for Figure 58, in extraction order: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session. Legend: P2P Message, Decision Table, Message Flow, Decision Flow, Groovy Scripting.]
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
reference points. The functionality is available out-of-the-box. For example, for Gx and Rx
it can be Framed-IP-Address or a combination of Called-Station-ID and Framed-IP-Address.
Figure 13 GX and RX session binding
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The
Master Session is the session for which the routing selection is performed based on the
routing rules. Slave Sessions are applied with routing rules inherited from the Master
Session.
The session binding is done using one of several session binding methods and is based on
binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs
or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in
addition to the routine client session binding. When two destination servers share a Binding
Name, they act as a cluster of servers in which each server handles its corresponding
sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master
Session originates from a Diameter Client Peer, two Destination Server Peers are required
to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each
time the Diameter Server is selected to handle a Diameter Master session, the Master
Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server,
as depicted in the following image and Table.
Figure 15 Multi-Protocol Session Binding
[Diagram labels: Diameter Server, HTTP Server, Diameter Client 1, HTTP Client 1, Session Binding, Binding Name PCRF1.]
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional
routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the
Diameter client peer using the same Diameter Session-ID that was previously
established by the Diameter client side. SDC routes the request to the client
that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share
a Session-ID that was established by the client peer, as shown in the call flow
depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session, server-initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request's Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool
Alternatively, the Routing Rule can query an external data source – as shown in Figure 21 –
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
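The IMSI-range rule of Figure 20, with the decision kept for the life of the session as described above, sketched as an added Python example (it is not the product's routing script or Groovy code). The IMSI ranges, the sample messages and the `SessionRouter` class are constructed for illustration; the AVP codes are those of RFC 6733 and RFC 4006.

```python
import struct

# AVP codes from RFC 6733 (Session-Id) and RFC 4006 (Subscription-Id family)
SESSION_ID = 263
SUBSCRIPTION_ID = 443            # grouped AVP
SUBSCRIPTION_ID_DATA = 444
SUBSCRIPTION_ID_TYPE = 450
END_USER_IMSI = 1

# Constructed 15-digit IMSI ranges (test PLMN 001/01); the page gives no real ranges.
IMSI_RULES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id; used only to build the sample messages."""
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def iter_avps(buf):
    """Yield (code, data) for each AVP in buf, rejecting inconsistent lengths."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, offset)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        header = 12 if flags & 0x80 else 8       # V bit adds a 4-byte Vendor-Id
        if length < header or offset + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[offset + header:offset + length]
        offset += (length + 3) & ~3              # AVP data is padded to 32 bits


def extract_imsi(avps):
    """Return the data of the first Subscription-Id whose type is END_USER_IMSI."""
    for code, data in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(data))
        kind = inner.get(SUBSCRIPTION_ID_TYPE)
        if kind is not None and len(kind) == 4 and struct.unpack("!I", kind)[0] == END_USER_IMSI:
            return inner.get(SUBSCRIPTION_ID_DATA, b"").decode("ascii", "replace") or None
    return None


def select_pool(avps):
    """Apply the IMSI-range rule; a missing or out-of-range IMSI goes to the default pool."""
    imsi = extract_imsi(avps)
    if imsi is None or not imsi.isdigit() or len(imsi) != 15:
        return DEFAULT_POOL
    for low, high, pool in IMSI_RULES:
        if low <= imsi <= high:                  # equal-length digit strings compare numerically
            return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decide once per Session-Id and reuse the decision for later messages."""

    def __init__(self):
        self.decisions = {}

    def route(self, avps):
        session_id = dict(iter_avps(avps)).get(SESSION_ID)
        if session_id in self.decisions:
            return self.decisions[session_id]
        pool = select_pool(avps)
        if session_id is not None:
            self.decisions[session_id] = pool
        return pool


def sample_request(session, imsi=None):
    """Constructed AVP payload: Session-Id, an E.164 Subscription-Id and an optional IMSI."""
    def subscription(kind, value):
        return avp(SUBSCRIPTION_ID, avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", kind))
                   + avp(SUBSCRIPTION_ID_DATA, value))
    body = avp(SESSION_ID, session) + subscription(0, b"15551230000")
    return body + subscription(END_USER_IMSI, imsi) if imsi else body
```
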
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until the health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy
[Diagram: clients on the Internet reach SDC through a router; traffic is contextually distributed to the remote peers according to session ID.]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weights set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
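The By Precedence, Contextual, Round Robin and Weighted Round Robin policies described above, written out as an added Python example (not SDC code). The `PeerPool` class, the peer names and the use of SHA-256 to turn a Context ID into a slot are assumptions made for illustration; plain Round Robin is the case where every weight is 1.

```python
import hashlib


class PeerPool:
    """Pool of Diameter peers; the dict order is the precedence order."""

    def __init__(self, weights):
        self.weights = dict(weights)                 # peer name -> weight (quota per cycle)
        self.in_service = dict.fromkeys(self.weights, True)
        self._quota = dict(self.weights)             # remaining quota in the current cycle
        self._cursor = 0

    def available(self):
        peers = [p for p in self.weights if self.in_service[p]]
        if not peers:
            raise RuntimeError("no peer in service")
        return peers

    def by_precedence(self):
        """First peer in the pool that is in service."""
        return self.available()[0]

    def weighted_round_robin(self):
        """Walk the pool in order, skipping peers that are out of service
        or have already reached their quota for this cycle."""
        peers = list(self.weights)
        if all(self._quota[p] <= 0 for p in self.available()):
            self._quota = dict(self.weights)         # every available peer is at quota: new cycle
            self._cursor = 0
        while True:
            peer = peers[self._cursor % len(peers)]
            self._cursor += 1
            if self.in_service[peer] and self._quota[peer] > 0:
                self._quota[peer] -= 1
                return peer

    def contextual(self, context_id):
        """Map a Context ID (by default the Session-Id) to one peer, in proportion to weight."""
        slots = [p for p in self.available() for _ in range(self.weights[p])]
        digest = hashlib.sha256(context_id.encode()).digest()
        return slots[int.from_bytes(digest[:8], "big") % len(slots)]
```

With this modulo mapping, a peer leaving or rejoining the pool changes the slot list, so Context IDs that had no session on that peer can also move; a deployment that needs stickiness across membership changes has to pin established sessions separately.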
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of each peer. The response time is measured for a predefined duration of time
using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server-initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation
[Diagram: the Transformation Engine sits between the Client Peer and the Server Peer; requests and responses are transformed in both the Client→Server and Client←Server directions.]
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message-oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, while the byte rate
limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
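The token bucket check and the channel and global limiters described above, as an added Python example rather than SDC code. Class names, verdict strings, rates and the trace are constructed; a paused limiter stands for SDC not reading from the peer (or from all peers) for the configured time.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float         # tokens added per second
    capacity: float     # maximum tokens held, i.e. the permitted burst
    tokens: float = field(init=False)
    last: float = 0.0   # time of the last refill, in seconds

    def __post_init__(self):
        self.tokens = self.capacity              # start with a full bucket

    def conforms(self, cost, now):
        """Refill for the elapsed time, then test for `cost` tokens without removing any."""
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        return self.tokens >= cost


class RateLimiter:
    """A message-rate bucket plus a byte-rate bucket, with a read pause on violation."""

    def __init__(self, msgs_per_s, msg_burst, bytes_per_s, byte_burst, pause_s):
        self.msgs = TokenBucket(msgs_per_s, msg_burst)
        self.bytes = TokenBucket(bytes_per_s, byte_burst)
        self.pause_s = pause_s
        self.paused_until = 0.0

    def paused(self, now):
        return now < self.paused_until

    def conforms(self, size, now):
        ok_msgs = self.msgs.conforms(1, now)     # one token per message
        ok_bytes = self.bytes.conforms(size, now)  # one token per byte
        return ok_msgs and ok_bytes

    def commit(self, size):
        self.msgs.tokens -= 1
        self.bytes.tokens -= size

    def pause(self, now):
        self.paused_until = now + self.pause_s


class Throttle:
    """Per-peer (channel) limiters in front of one global limiter."""

    def __init__(self, channel_cfg, global_cfg):
        self.channel_cfg = channel_cfg
        self.channels = {}
        self.total = RateLimiter(**global_cfg)

    def on_message(self, peer, size, now):
        channel = self.channels.get(peer)
        if channel is None:
            channel = self.channels[peer] = RateLimiter(**self.channel_cfg)
        if self.total.paused(now):
            return "global-paused"
        if channel.paused(now):
            return "channel-paused"
        if not channel.conforms(size, now):      # buckets stay unchanged on failure
            channel.pause(now)
            return "channel-limit"
        if not self.total.conforms(size, now):
            self.total.pause(now)
            return "global-limit"
        channel.commit(size)                     # tokens are removed only when both levels pass
        self.total.commit(size)
        return "pass"


# Constructed limits and trace: (time in seconds, peer, message size in bytes)
CHANNEL_CFG = dict(msgs_per_s=5, msg_burst=5, bytes_per_s=2000, byte_burst=2000, pause_s=2.0)
GLOBAL_CFG = dict(msgs_per_s=8, msg_burst=8, bytes_per_s=10000, byte_burst=10000, pause_s=1.0)
TRACE = (
    [(0.0, "peer-a", 200)] * 7                        # burst beyond peer-a's message burst
    + [(0.5, "peer-b", 200), (1.0, "peer-a", 200)]    # peer-b unaffected, peer-a still paused
    + [(2.0, "peer-a", 1500)] * 2                     # second one exceeds the byte bucket
    + [(2.0, "peer-b", 200)] * 4
    + [(2.0, "peer-c", 200)] * 4                      # aggregate exceeds the global limit
    + [(2.5, "peer-b", 200), (3.0, "peer-b", 200)]
)


def run_trace(throttle, trace):
    return [throttle.on_message(peer, size, now) for now, peer, size in trace]
```
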
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

Diameter header layout (bit offsets 0 to 31 within each 32-bit word):

| Bit offset | Fields |
|---|---|
| 0 | version (bits 0-7), message length (bits 8-31) |
| 32 | flags R P E T (bits 0-7), command code (bits 8-31) |
| 64 | application ID |
| 96 | hop-by-hop ID |
| 128 | end-to-end ID |
| 160 ... | AVPs |
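An added example (not SDC code) of deriving a priority from the Diameter header fields in the table above, with the header length checks a screening point would apply first. The rule table, the length limit and the helper names are constructed; the command code and application IDs are the standard Credit-Control, Gx and Rx values.

```python
import struct

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HIGH, NORMAL = "High", "Normal"
ANY = None                      # "does not matter" in the priority table

CREDIT_CONTROL = 272            # CCR/CCA command code (RFC 4006)
GX_APP_ID = 16777238            # 3GPP Gx
RX_APP_ID = 16777236            # 3GPP Rx
MAX_MESSAGE_LENGTH = 16384      # constructed limit; the real one is deployment-specific

# Constructed rules: (is_answer, is_retransmit, command code, application ID, priority).
# The first matching row wins; no match means Normal.
PRIORITY_TABLE = [
    (True, ANY, CREDIT_CONTROL, GX_APP_ID, HIGH),   # CCA over CCR on Gx
    (ANY, True, ANY, ANY, HIGH),                    # retransmitted messages (T bit set)
]


def parse_header(data, max_length=MAX_MESSAGE_LENGTH):
    """Decode the 20-byte Diameter header and reject inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("a Diameter header is 20 bytes")
    word0, word1, app_id, hop_by_hop, end_to_end = struct.unpack("!5I", data[:20])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, command = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4 or length > max_length:
        raise ValueError("invalid message length")
    return {
        "length": length,
        # In RFC 6733 the R bit is set on requests, so an answer has it clear.
        "is_answer": not flags & FLAG_R,
        "is_retransmit": bool(flags & FLAG_T),
        "command": command,
        "app_id": app_id,
    }


def priority(header, table=PRIORITY_TABLE):
    """Return the priority of the first table row whose non-wildcard fields all match."""
    key = (header["is_answer"], header["is_retransmit"], header["command"], header["app_id"])
    for *pattern, level in table:
        if all(want is ANY or want == got for want, got in zip(pattern, key)):
            return level
    return NORMAL


def build_header(flags, command, app_id, length=20):
    """Constructed sample header (version 1, arbitrary hop-by-hop and end-to-end IDs)."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | command,
                       app_id, 0x1234, 0x5678)
```
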
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have an impact of up to 5% on the latency.
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from the Diameter peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period the server does not handle new
Diameter sessions.
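The threshold and "out of service" behaviour described above can be modelled as a sliding-window error counter per peer. This is an added example, not SDC code: the class and function names, the "more than N error events within W seconds" form of the threshold, the response-time limit and the sample timeline are all assumptions made for illustration. Result-Code 3004 is DIAMETER_TOO_BUSY and 2xxx codes are successes per RFC 6733.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004  # RFC 6733 Result-Code


class PeerMonitor:
    """Passive health state for one remote peer, fed by observed transactions."""

    def __init__(self, max_errors, window_s, out_of_service_s, max_response_s):
        self.max_errors = max_errors              # threshold (assumed form)
        self.window_s = window_s                  # sliding window length
        self.out_of_service_s = out_of_service_s  # configurable penalty interval
        self.max_response_s = max_response_s      # slower answers count as events
        self._errors = deque()                    # timestamps of recent error events
        self._oos_until = None                    # None while the peer is in service

    def _classify(self, result_code, response_s):
        if result_code is None:
            return "timeout"
        if result_code == DIAMETER_TOO_BUSY:
            return "busy"
        if result_code >= 3000:                   # protocol, transient, permanent errors
            return "error"
        if response_s > self.max_response_s:
            return "slow"
        return None

    def in_service(self, now):
        if self._oos_until is not None and now >= self._oos_until:
            self._oos_until = None                # penalty interval has elapsed
        return self._oos_until is None

    def observe(self, now, result_code, response_s=0.0):
        """Record one outcome; return alarm text when the peer is taken out of service."""
        kind = self._classify(result_code, response_s)
        if kind is None:
            return None
        self._errors.append(now)
        while self._errors and now - self._errors[0] > self.window_s:
            self._errors.popleft()                # forget events outside the window
        if self.in_service(now) and len(self._errors) > self.max_errors:
            self._oos_until = now + self.out_of_service_s
            self._errors.clear()
            return f"peer out of service for {self.out_of_service_s}s after {kind}"
        return None


def route_new_session(monitors, preferred_order, now):
    """Pick the first in-service peer; None means reject gracefully."""
    for name in preferred_order:
        if monitors[name].in_service(now):
            return name
    return None


# Constructed timeline: (time_s, Result-Code or None for a timeout, response time)
SAMPLE_EVENTS = [(0, None, 0.0), (1, 3004, 0.1), (2, 2001, 0.05),
                 (3, 5012, 0.1), (4, 2001, 3.5)]


def replay(events, monitor):
    return [monitor.observe(t, rc, rt) for t, rc, rt in events]


if __name__ == "__main__":
    primary = PeerMonitor(max_errors=3, window_s=10, out_of_service_s=30,
                          max_response_s=2.0)
    print(replay(SAMPLE_EVENTS, primary))
    print(primary.in_service(5), primary.in_service(34))
```
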
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
(Diagram labels: Management Console; Configuration Manager; SDC Core; Web Service
Provisioning Interface (SOAP); HTTPS Web Access; Web Service SOAP XML; Blade Server;
OAM; SDC Node; SNMP, Syslog; Fault and Performance Manager; AMM; Security and
Administration Manager; CLI)
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
(Diagram labels: "Scalable Mode" SDC Node, scalable (12 blades); Server 1 to Server M on
the servers backbone; Client 1 to Client K on the clients backbone; external network,
interconnect and management network; SDC Blades 1 to 12, each with an SDC Engine and a
VIP (Active on Blade 1, Standby on the others); Web Interface, Config Mgr and Distributed
Storage)
Figure 33 Scalable Deployment Physical View
(Diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engines; FEP-O (SCTP);
FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; clients and servers)
Figure 34 Scalable Deployment Logical View
(Diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine;
Distributed Storage; EMS Agent)
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
(Diagram labels: Node 1 and Node 2, each with SDC Core, Web UI WS, Configuration
Manager, Diameter VIP and Management VIP; Client Peer; Server Peer; Management
Workstation; Session Replication)
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
(Diagram labels: three SDC nodes, each with a Physical IP, Diameter VIP and Management
VIP; Web UI WS and Configuration Manager on two of the nodes; Client 1; Management
Workstation; Session Replication; flow steps 1, 2 and 3)
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one
      time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using
      Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
(Diagram labels: three SDC nodes, each with a Physical IP, Diameter VIP and Management
VIP; Web UI WS and Configuration Manager on two of the nodes; Client 1; Management
Workstation; Session Replication; flow steps 1, 2 and 3)
Figure 38 Scalable N+K HA architecture Failure operation
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware, RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = (10/1000) × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
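A CER-based access policy of the kind described in this section can be sketched as an ordered, default-deny rule list evaluated against the connection's source address and the AVPs carried in the CER. This is an added example, not SDC code or its configuration syntax: the rule fields, function names, addresses and sample CER are constructed, and "product-type" is assumed to correspond to the Product-Name AVP. AVP codes and encoding follow RFC 6733; application IDs advertised inside the grouped Vendor-Specific-Application-Id AVP are not handled here.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

# AVP codes from RFC 6733
ORIGIN_HOST, ORIGIN_REALM, AUTH_APP_ID, PRODUCT_NAME = 264, 296, 258, 269


def parse_avps(payload: bytes) -> dict:
    """Return {avp_code: [raw values]} for the AVPs following the 20-byte header."""
    avps, off = {}, 0
    while off < len(payload):
        if len(payload) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", payload, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8           # V bit adds a 4-byte Vendor-Id
        if length < hdr or off + length > len(payload):
            raise ValueError("bad AVP length")
        avps.setdefault(code, []).append(payload[off + hdr:off + length])
        off += (length + 3) & ~3                  # AVPs are padded to 32 bits
    return avps


class AclRule(NamedTuple):
    action: str                                   # "ACCEPT" or "REJECT"
    subnet: Optional[str] = None                  # None fields match anything
    realm: Optional[str] = None
    app_id: Optional[int] = None
    product: Optional[str] = None


def decide(cer: bytes, source_ip: str, rules) -> str:
    """First matching rule wins; malformed CERs and unmatched peers are rejected."""
    try:
        avps = parse_avps(cer[20:])
        avps[ORIGIN_HOST][0].decode("ascii")      # identity AVPs are mandatory
        realm = avps[ORIGIN_REALM][0].decode("ascii").lower()
    except (ValueError, KeyError, UnicodeDecodeError):
        return "REJECT"
    apps = {struct.unpack("!I", v)[0] for v in avps.get(AUTH_APP_ID, [])
            if len(v) == 4}
    product = avps.get(PRODUCT_NAME, [b""])[0].decode("utf-8", "replace")
    addr = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.subnet and addr not in ipaddress.ip_network(rule.subnet):
            continue
        if rule.realm and realm != rule.realm:
            continue
        if rule.app_id is not None and rule.app_id not in apps:
            continue
        if rule.product and product != rule.product:
            continue
        return rule.action
    return "REJECT"                               # default deny


def avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Encode one non-vendor AVP (used only to build the constructed sample)."""
    head = struct.pack("!II", code, (flags << 24) | (8 + len(data)))
    return head + data + b"\x00" * (-len(data) % 4)


def sample_cer(host: str, realm: str, app_id: int, product: str) -> bytes:
    """Constructed CER (command code 257) carrying only the AVPs the policy reads."""
    body = (avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
            + avp(AUTH_APP_ID, struct.pack("!I", app_id))
            + avp(PRODUCT_NAME, product.encode(), flags=0))
    header = struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                         (0x80 << 24) | 257, 0, 1, 1)
    return header + body


# Constructed policy using documentation address ranges.
SAMPLE_ACL = [
    AclRule("REJECT", subnet="192.0.2.128/25"),
    AclRule("ACCEPT", subnet="192.0.2.0/24", realm="example.net", app_id=4),
]
```
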
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5,
Revision 41, February 28 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
(Diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2,
external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switch A and B; EXT-SCTP-A,
EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B,
INBAND; interswitch links; connections to upstream routers; Virtual IP for SCTP and TCP,
all VIPs are doubled per Internal and External Networks)
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring

IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection: One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring: Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides a chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow (diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Groovy Scripting; legend: Message Flow, Decision Flow)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Bound sessions are referred to as Slave Sessions, subject to their Master Sessions. The Master Session is the session for which the routing selection is performed based on the routing rules. Slave Sessions are routed with the routing rules inherited from the Master Session.
The session binding is done using one of several session binding methods and is based on binding keys. Binding Keys are sets of values extracted from different attributes (e.g. AVPs or XML attributes) of the Master Session and used to bind several session identities.
Figure 14 Session Binding in SDC Management Console
Multi-Protocol Session Binding
Multiple-protocol session binding is applied by linking Destination Server Peers, in addition to the routine client session binding. When two destination servers share a Binding Name, they act as a cluster of servers in which each server handles its corresponding sessions when handling sessions originating from multiple-protocol Clients.
For example, when a Slave Session originates from an HTTP Client Peer and the Master Session originates from a Diameter Client Peer, two Destination Server Peers are required to handle the bound sessions: an HTTP Server and a Diameter Server, respectively. Each time the Diameter Server is selected to handle a Diameter Master Session, the Master Session's Slave Sessions are directed to the HTTP Server subjected to the Diameter Server, as depicted in the following image and table.
Figure 15 Multi-Protocol Session Binding (diagram labels: Diameter Client, HTTP Client, Session Binding, Diameter Server, HTTP Server, Binding Name PCRF1)
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out-of-session, server-initiated Diameter requests, SDC implements advanced routing rules that can be used by the user to define the required behavior. If no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the PCRF pool to which a particular session is routed:
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool
Alternatively, the Routing Rule can query an external data source - as shown in Figure 21 - to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists for the duration of the Diameter session.
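The IMSI-range rule and the per-session persistence described above can be written out as follows. This is an added example, not SDC's routing script or Groovy code from the product: the IMSI ranges are constructed, the check on Subscription-Id-Type is an assumption, and the AVP codes are the standard ones from RFC 6733 and RFC 4006 (where the AVPs are spelled Subscription-Id and Subscription-Id-Data).

```python
import struct

# AVP codes from RFC 6733 (Session-Id) and RFC 4006 (Subscription-Id family).
AVP_SESSION_ID = 263
AVP_SUBSCRIPTION_ID = 443          # grouped AVP
AVP_SUBSCRIPTION_ID_DATA = 444
AVP_SUBSCRIPTION_ID_TYPE = 450
END_USER_IMSI = 1

# Constructed IMSI ranges (assumption); the pool names are the ones quoted above.
IMSI_RANGES = [
    (310150000000000, 310150499999999, "pcrf-cluster-a"),
    (310150500000000, 310150999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def iter_avps(buf):
    """Yield (code, data) per AVP; raise ValueError on a malformed buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8        # V flag: a 4-byte Vendor-Id follows
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[off + hdr:off + length]
        off += (length + 3) & ~3               # AVPs are padded to 32-bit boundaries


def extract_imsi(avps):
    """Return the IMSI from Subscription-Id/Subscription-Id-Data, or None."""
    for code, data in iter_avps(avps):
        if code != AVP_SUBSCRIPTION_ID:
            continue
        try:
            sub = dict(iter_avps(data))
        except ValueError:
            continue                           # malformed group: treat as absent
        kind = sub.get(AVP_SUBSCRIPTION_ID_TYPE, b"")
        text = sub.get(AVP_SUBSCRIPTION_ID_DATA, b"").decode("ascii", "replace")
        if (kind == struct.pack("!I", END_USER_IMSI) and text.isascii()
                and text.isdigit() and len(text) <= 15):
            return int(text)
    return None


def select_pool(imsi):
    """Missing or out-of-range IMSI falls through to the default pool."""
    for low, high, pool in IMSI_RANGES:
        if imsi is not None and low <= imsi <= high:
            return pool
    return DEFAULT_POOL


class GxRouter:
    """Decide on the first message of a session and keep that decision."""

    def __init__(self):
        self.decisions = {}                    # Session-Id (bytes) -> pool name

    def route(self, avps):
        session = next((d for c, d in iter_avps(avps) if c == AVP_SESSION_ID), None)
        if session not in self.decisions:
            pool = select_pool(extract_imsi(avps))
            if session is None:
                return pool                    # nothing to bind the decision to
            self.decisions[session] = pool
        return self.decisions[session]

    def close(self, session_id):
        self.decisions.pop(session_id, None)   # call on session termination


def avp(code, data, flags=0x40):
    """Encode one AVP (M flag set, no Vendor-Id) for the constructed samples."""
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def sample_ccr(session_id, imsi=None):
    """Constructed AVP payload of a Gx CCR (the Diameter header is omitted)."""
    body = avp(AVP_SESSION_ID, session_id.encode())
    if imsi is not None:
        body += avp(AVP_SUBSCRIPTION_ID,
                    avp(AVP_SUBSCRIPTION_ID_TYPE, struct.pack("!I", END_USER_IMSI))
                    + avp(AVP_SUBSCRIPTION_ID_DATA, imsi.encode()))
    return body
```

A later message on an existing session keeps its original pool even if it carries a different IMSI, which is the persistence behaviour the paragraph above describes.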
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them, and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until the health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
Figure 23 Contextual Policy (diagram labels: Clients/Internet, Router, SDC, Remote Peers; traffic is contextually distributed according to session ID)
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which a new request is delivered is the next available in the row. Round Robin is a static algorithm: no external parameters are taken into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by each peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no external parameters are taken into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in the row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of each peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node which has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
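The By Precedence, Contextual, Weighted Round Robin and Fastest Response Time policies above can be compared side by side on one pool. This is an added sketch, not SDC's implementation: the peer names, the SHA-256 slot mapping used for the Context ID, and the choice to rank unmeasured peers last are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    weight: int = 1                 # capacity share used by the weighted policies
    in_service: bool = True         # set by health monitoring / overload detection
    rtts: list = field(default_factory=list)   # response times of the last period (s)

    def avg_rtt(self):
        # Assumption: a peer with no measurements ranks last.
        return sum(self.rtts) / len(self.rtts) if self.rtts else float("inf")


class Pool:
    def __init__(self, peers):
        self.peers = list(peers)
        self.served = {p.name: 0 for p in self.peers}   # quota used in this cycle
        self.cursor = 0

    def available(self):
        return [p for p in self.peers if p.in_service]

    def by_precedence(self):
        """First in-service peer in pool order; a recovered peer is used again."""
        avail = self.available()
        return avail[0] if avail else None

    def weighted_round_robin(self):
        """Round robin order, skipping peers that have reached their quota."""
        avail = self.available()
        if not avail:
            return None
        if all(self.served[p.name] >= p.weight for p in avail):
            self.served = dict.fromkeys(self.served, 0)  # start a new cycle
            self.cursor = 0
        n = len(self.peers)
        for step in range(n):
            peer = self.peers[(self.cursor + step) % n]
            if peer.in_service and self.served[peer.name] < peer.weight:
                self.served[peer.name] += 1
                self.cursor = (self.cursor + step + 1) % n
                return peer
        return None

    def contextual(self, context_id):
        """Same Context ID -> same peer, with slots in proportion to weight.

        Plain modulo mapping: contexts move when the set of available peers changes.
        """
        slots = [p for p in self.available() for _ in range(p.weight)]
        if not slots:
            return None
        digest = hashlib.sha256(context_id.encode()).digest()
        return slots[int.from_bytes(digest[:8], "big") % len(slots)]

    def fastest_response(self):
        """Peer with the lowest average response time in the last period."""
        avail = self.available()
        return min(avail, key=Peer.avg_rtt) if avail else None


def wrr_sequence(pool, count):
    """Names of the next `count` peers picked by Weighted Round Robin."""
    return "".join(pool.weighted_round_robin().name for _ in range(count))
```

With weights 3:2:1:1 the quota rule yields the cycle A B C D A B A, and an out-of-service peer is skipped without disturbing the proportions of the others.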
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows translation from a Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation (diagram labels: Client Peer, Transformation Engine, Server Peer; Request and Response in each direction, Client->Server and Client<-Server)
As seen in the above figure, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or bounding the incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, while the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. The estimated traffic reading rate is then compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). The estimated traffic reading rate is then compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
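The token bucket check and the channel and global limiters described above fit together as shown below. This is an added example, not SDC code: the class names, the limits and the explicit `now` clock argument are assumptions, and message size is used directly where the page says the byte limiter works from a traffic estimation.

```python
class TokenBucket:
    """Tokens refill at `rate` per second up to `burst`; a non-conforming
    check leaves the bucket contents unchanged."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.stamp = 0.0

    def refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)

    def has(self, cost, now):
        self.refill(now)
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message and byte limiters, applied per channel (peer) and globally."""

    READ, PEER_PAUSED, GLOBAL_PAUSED = "read", "peer-paused", "global-paused"

    def __init__(self, channel_limits, global_limits, pause):
        # Each *_limits is ((msg_rate, msg_burst), (byte_rate, byte_burst)).
        self.channel_limits = channel_limits
        self.global_buckets = [TokenBucket(*lim) for lim in global_limits]
        self.channel = {}            # peer -> [message bucket, byte bucket]
        self.pause = pause           # how long reading stops, in seconds
        self.peer_resume = {}        # peer -> time reading may resume
        self.global_resume = 0.0

    def admit(self, peer, size, now):
        """Decide whether the next `size`-byte message from `peer` is read."""
        if now < self.global_resume:
            return self.GLOBAL_PAUSED
        if now < self.peer_resume.get(peer, 0.0):
            return self.PEER_PAUSED
        chan = self.channel.setdefault(
            peer, [TokenBucket(*lim) for lim in self.channel_limits])
        costs = (1, size)            # one message token, `size` byte tokens
        if not all(b.has(c, now) for b, c in zip(chan, costs)):
            self.peer_resume[peer] = now + self.pause    # stop reading this peer
            return self.PEER_PAUSED
        if not all(b.has(c, now) for b, c in zip(self.global_buckets, costs)):
            self.global_resume = now + self.pause        # stop reading all peers
            return self.GLOBAL_PAUSED
        # Tokens are removed only after every bucket has been found sufficient.
        for bucket, cost in zip(chan + self.global_buckets, costs * 2):
            bucket.take(cost)
        return self.READ
```

A message larger than the byte bucket's burst size can never conform, so the burst must be set at least as large as the biggest message the peer is allowed to send.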
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header - R and T bits, command code and application ID. If no priority is set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal
Diameter message header layout:
Bit offset | bits 0-7 | bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
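A header-only classifier along the lines of the priority table above needs nothing beyond the first 20 bytes of the message, which is why it avoids the AVP decoding cost. This is an added example, not SDC's configuration format: the two table rows are hypothetical, the command code and application IDs are the standard values for Credit-Control (272), Gx (16777238) and Rx (16777236), and per RFC 6733 a message is an answer when the R bit is clear.

```python
import struct
from typing import NamedTuple

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
ANY = None                      # "does not matter" in the priority table


class Header(NamedTuple):
    length: int
    is_answer: bool             # R bit clear
    is_retransmit: bool         # T bit set
    command_code: int
    application_id: int


def parse_header(buf):
    """Decode the fixed 20-byte Diameter header; reject malformed input."""
    if len(buf) < 20:
        raise ValueError("shorter than the 20-byte Diameter header")
    ver_len, flags_cmd, app_id = struct.unpack_from("!III", buf)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, command = flags_cmd >> 24, flags_cmd & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < 20 or length % 4:
        raise ValueError("invalid message length")
    return Header(length, not flags & FLAG_R, bool(flags & FLAG_T), command, app_id)


# Hypothetical rows: (is answer, is retransmit, command code, application ID, priority)
PRIORITY_TABLE = [
    (True, ANY, 272, 16777238, "High"),   # Gx Credit-Control answers (CCA)
    (ANY, True, ANY, ANY, "High"),        # retransmitted messages (T bit set)
]


def priority(buf, table=PRIORITY_TABLE):
    """First matching row wins; with no match, normal priority is used."""
    h = parse_header(buf)
    fields = (h.is_answer, h.is_retransmit, h.command_code, h.application_id)
    for *wanted, level in table:
        if all(w is ANY or w == f for w, f in zip(wanted, fields)):
            return level
    return "Normal"


def sample_header(flags, command, app_id, length=20, version=1):
    """Constructed header with arbitrary hop-by-hop and end-to-end IDs."""
    return struct.pack("!IIIII", (version << 24) | length,
                       (flags << 24) | command, app_id, 0x1234, 0x5678)
```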
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in the case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period the server does not handle new Diameter sessions.
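The threshold and "out of service" interval described above amount to a sliding-window error counter per peer. This is an added sketch, not SDC's monitor: the class name, parameters and the rule that any Result-Code of 3000 or above counts as an error event are assumptions; 3004 is the RFC 6733 value of DIAMETER_TOO_BUSY.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004        # RFC 6733 Result-Code for a busy answer


class InSessionMonitor:
    def __init__(self, window, max_errors, hold_down):
        self.window = window            # seconds over which errors are counted
        self.max_errors = max_errors    # threshold: more than this trips the peer
        self.hold_down = hold_down      # "out of service" interval in seconds
        self.errors = {}                # peer -> deque of error timestamps
        self.out_until = {}             # peer -> time the peer returns to service

    def record(self, peer, now, result_code=None, timed_out=False):
        """Feed one answer (or timeout); return True if the peer was just tripped."""
        if not timed_out and result_code is not None and result_code < 3000:
            return False                # informational or success answer
        events = self.errors.setdefault(peer, deque())
        events.append(now)
        while events and events[0] <= now - self.window:
            events.popleft()            # forget errors older than the window
        if len(events) > self.max_errors:
            self.out_until[peer] = now + self.hold_down
            events.clear()
            return True                 # caller raises the alarm towards the OSS
        return False

    def accepts_new_sessions(self, peer, now):
        return now >= self.out_until.get(peer, 0.0)
```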
9.6 External Monitoring
SDC provides the ability to add a custom, proactive service monitoring mechanism that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other tests SDC performs when it attempts to send requests to Remote Nodes and analyzes the responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session Monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform comprises the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service, responsible for distributing the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, and acts as the server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console with HTTPS Web access, Configuration Manager, Provisioning Interface (SOAP/XML Web Service), SDC Core, Blade Server, SDC Node, OAM, SNMP/Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistics collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and the notification of licensing issues. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by the OAM, which acts according to the observed state and counter values. Hence the OAM can notify the operator about the need for a new license key or for an extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It also supports dynamic configuration of parameters related to the platform’s components and services. Graceful software and hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration to the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides both vertical and horizontal scalability. Both options are standard and provided out of the box.
• For vertical scalability, it implements a message-driven component optimized for low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resource management in the solution
- SDC core process is responsible for processing Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a Web interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs OAM tasks
Figure 33: Scalable Deployment Physical View (“Scalable Mode” SDC Node of 12 blades; diagram labels: Servers 1 to M on the Servers Backbone, Clients 1 to K on the Clients Backbone, External Network, Interconnect, Management Network, SDC Blades 1 to 12 each with an SDC Engine, VIP (Active) on one blade and VIP (Standby) on others, Web Interface, Config Mgr, Distributed Storage)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients, Servers)
Figure 35: Main Software Processes (SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides on the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core, Web UI / WS, Configuration Manager, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer, Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, normal operation (diagram labels: nodes each with SDC, Web UI / WS, Diameter VIP, Management VIP and Physical IPs; Configuration Manager; Session Replication; Client; Management Workstation; numbered callouts 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, failure operation (diagram labels: nodes each with SDC, Web UI / WS, Diameter VIP, Management VIP and Physical IPs; Configuration Manager; Session Replication; Client; Management Workstation; numbered callouts 1 to 3)
To ease network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides a fast response to any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to another in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
| --- | --- | --- | --- |
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis of failure detection and recovery, please refer to the following tables.

Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
| --- | --- | --- |
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
| --- | --- | --- |
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
| --- | --- | --- |
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
| --- | --- | --- |
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy it to a remote site. The request is proxied when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10 ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure the availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in AVP(s) such as Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
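An added example, not SDC code, covering the CER-based ACL of section 11.5 and the length enforcement and AVP screening of section 11.6, using the RFC 6733 wire format. The length limit, ACL values, host names, the `.hidden.example.net` suffix and the keyed-HMAC pseudonym are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Codes are from RFC 6733; limits, ACL values and names below are assumptions.
CER, SESSION_ID, ORIGIN_HOST, ORIGIN_REALM = 257, 263, 264, 296
AUTH_APP_ID, ROUTE_RECORD = 258, 282
MAX_MSG_LEN = 8192  # assumed operator limit, not an SDC default


def avp(code, data, flags=0x40, vendor=b""):
    """Encode one AVP: code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4 bytes."""
    length = 8 + len(vendor) + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * (-length % 4))


def message(cmd, app_id, avps, flags=0x80):
    """Encode a request: 20-byte header (hop-by-hop and end-to-end ids fixed to 1) plus AVPs."""
    body = b"".join(avp(*a) for a in avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)


def parse(raw, max_len=MAX_MSG_LEN):
    """Decode and bounds-check a message; raises ValueError on anything malformed."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    msg_len = int.from_bytes(raw[1:4], "big")
    if msg_len > max_len:
        raise ValueError("message exceeds the configured maximum length")
    if msg_len != len(raw) or msg_len % 4:
        raise ValueError("header length does not match the received bytes")
    cmd = int.from_bytes(raw[5:8], "big")
    app_id = struct.unpack_from("!I", raw, 8)[0]
    avps, off = [], 20
    while off < msg_len:
        if off + 8 > msg_len:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8          # V bit set: a Vendor-Id follows
        if alen < hdr or off + alen > msg_len:
            raise ValueError("AVP length out of bounds")
        avps.append((code, raw[off + hdr:off + alen], flags, raw[off + 8:off + hdr]))
        off += alen + (-alen % 4)
    return cmd, app_id, avps


def cer_decision(raw, src_ip, acl):
    """ACCEPT or REJECT a connection from its CER and source address."""
    try:
        cmd, _, avps = parse(raw)
    except ValueError:
        return "REJECT"                          # malformed or oversized: fail closed
    hosts = [d for c, d, _, _ in avps if c == ORIGIN_HOST]
    apps = {int.from_bytes(d, "big") for c, d, _, _ in avps if c == AUTH_APP_ID}
    src_ok = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n)
                 for n in acl["subnets"])
    ok = (cmd == CER and src_ok and len(hosts) == 1
          and hosts[0].decode("ascii", "replace").endswith(acl["host_suffix"])
          and bool(apps) and apps <= acl["app_ids"])
    return "ACCEPT" if ok else "REJECT"


def screen(raw, key, strip=(ROUTE_RECORD,), rewrite=(ORIGIN_HOST,)):
    """Drop topology-revealing AVPs and replace others with a stable keyed pseudonym."""
    _, _, avps = parse(raw)
    out = []
    for code, data, flags, vendor in avps:
        if code in strip:
            continue
        if code in rewrite:
            tag = hmac.new(key, data, hashlib.sha256).hexdigest()[:12]
            data = b"node-" + tag.encode() + b".hidden.example.net"
        out.append((code, data, flags, vendor))
    body = b"".join(avp(*a) for a in out)
    return raw[:1] + (20 + len(body)).to_bytes(3, "big") + raw[4:20] + body


# Constructed samples. A real CER also carries Host-IP-Address, Vendor-Id and Product-Name.
SAMPLE_CER = message(CER, 0, [
    (ORIGIN_HOST, b"mme1.epc.example.net"), (ORIGIN_REALM, b"epc.example.net"),
    (AUTH_APP_ID, (16777251).to_bytes(4, "big"))])
SAMPLE_REQ = message(316, 16777251, [
    (SESSION_ID, b"mme1.epc.example.net;1;1"), (ORIGIN_HOST, b"mme1.epc.example.net"),
    (ORIGIN_REALM, b"epc.example.net"), (ROUTE_RECORD, b"dra-int-2.epc.example.net")])
ACL = {"subnets": ["10.20.0.0/16"], "host_suffix": ".epc.example.net",
       "app_ids": {16777251}}

if __name__ == "__main__":
    print(cer_decision(SAMPLE_CER, "10.20.3.4", ACL))
    print(cer_decision(SAMPLE_CER, "192.0.2.9", ACL))
    print([a[:2] for a in parse(screen(SAMPLE_REQ, b"constructed-key"))[2]])
```

The HMAC keeps the pseudonym stable for a given host, so answers can still be correlated, while the real name is not recoverable without the key.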
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with the CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. Network redundancy is achieved using redundant pairs of switch modules (one pair for signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2, each with external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND; Interswitch Links; connections to upstream routers; Virtual IPs for SCTP and TCP, doubled per internal and external network)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
| --- | --- | --- | --- | --- | --- |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |

IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
| --- | --- | --- | --- | --- | --- |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after the Site Survey and Customer Workshop.

Network: Data Signaling
IP addressing: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

Network: OAM Management and Backup Network Connection
IP addressing: One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

Network: OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IP addressing: Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides a chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element: SDC Management
Access Control Model: Permission-based model
Access Method: Web Management Console, Web Services
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
• Super-User (Administrator): Full access
Solution Element: Operating System
Access Control Model: Permission- and Group-based model
Access Method: SSH, SFTP
Role/Permission and Permission Description:
• Read-Only User: Read-only access to logs, system files and information
• Operator: (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
• Super-User (Administrator): Full access
Solution Element: Chassis Hardware Management
Access Control Model: Role- and Permission-based model
Access Method: Web Management Console, SNMP, SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Super-User (Administrator): Full access
• Custom Role set: (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Solution Element: Networking Hardware Management
Access Control Model: Permission-based model
Access Method: SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Read-only access and permission to make temporary operational configuration changes to selected options and reset ports
• Super-User (Administrator): Full access
Solution Element: SNMP Monitoring and Management
Access Control Model: USM (User-based security model)
Access Method: SNMP
Role/Permission and Permission Description:
• USM user: Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.[2]
Figure 58 Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
[Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P; Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
[Figure 15 diagram labels: Diameter Server; HTTP Server; Diameter Client 1; HTTP Client 1; Session Binding; Binding Name; PCRF1]
Figure 15 Multi-Protocol Session Binding
Bi-directional routing
Bi-directional routing is natively supported by SDC. Two scenarios of bi-directional routing are handled by the system:
1. In session routing
In this scenario, the Diameter server peer sends the request (e.g. RAR) to the Diameter client peer using the same Diameter Session-ID that was previously established by the Diameter client side. SDC routes the request to the client that established the session, as shown in the call flow depicted in Figure 16.
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out of session, server initiated Diameter requests, SDC implements advanced routing rules that can be used by the user to define the required behavior. In case no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the PCRF pool to which a particular session is routed.
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
  o The first range is routed to "pcrf-cluster-a"
  o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool
Alternatively, the Routing Rule can query an external data source - as shown in Figure 21 - to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter session establishment. The decision persists for the duration of the Diameter session.
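The IMSI-range rule and the per-session persistence described above, as an added Python example (not SDC's own Groovy script or decision grid). The IMSI ranges, the sample Session-Id values and the names SessionRouter and sample_request are assumptions; AVP codes are the standard ones from RFC 6733 and RFC 4006. A malformed AVP buffer raises ValueError instead of being routed.

```python
import struct

# AVP codes and the IMSI type value are the standard ones (RFC 6733 / RFC 4006).
SESSION_ID, SUBSCRIPTION_ID = 263, 443
SUBSCRIPTION_ID_DATA, SUBSCRIPTION_ID_TYPE = 444, 450
END_USER_IMSI = 1

# Constructed IMSI ranges (assumption: the page does not list the real ones).
IMSI_RANGES = [
    (310150000000000, 310150499999999, "pcrf-cluster-a"),
    (310150500000000, 310150999999999, "pcrf-cluster-b"),
]


def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + data + b"\x00" * (-length % 4)


def iter_avps(buf):
    """Yield (code, data) per AVP; raise ValueError on a malformed buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8   # V bit adds a 4-byte Vendor-Id
        if length < header or pos + length > len(buf):
            raise ValueError("AVP length outside the buffer")
        yield code, buf[pos + header:pos + length]
        pos += length + (-length % 4)


def extract_imsi(avps):
    """Return the IMSI digits from a Subscription-Id group, or None."""
    for code, data in iter_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(iter_avps(data))
        if inner.get(SUBSCRIPTION_ID_TYPE) != struct.pack("!I", END_USER_IMSI):
            continue
        digits = inner.get(SUBSCRIPTION_ID_DATA, b"")
        if digits.isdigit() and len(digits) <= 15:
            return digits.decode("ascii")
    return None


def pool_for_imsi(imsi):
    """Map an IMSI to a pool; missing or out-of-range goes to "default"."""
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= int(imsi) <= high:
                return pool
    return "default"


class SessionRouter:
    """Decide once per Session-Id and keep the decision for the session."""

    def __init__(self):
        self.bindings = {}   # Session-Id -> pool name

    def route(self, avps):
        session_id = dict(iter_avps(avps)).get(SESSION_ID)
        if session_id in self.bindings:
            return self.bindings[session_id]
        pool = pool_for_imsi(extract_imsi(avps))
        if session_id is not None:
            self.bindings[session_id] = pool
        return pool

    def end_session(self, session_id):
        self.bindings.pop(session_id, None)


def sample_request(session_id, imsi=None):
    """Constructed AVP payload of a Gx CCR (Diameter header omitted)."""
    avps = encode_avp(SESSION_ID, session_id)
    if imsi is not None:
        group = encode_avp(SUBSCRIPTION_ID_TYPE, struct.pack("!I", END_USER_IMSI))
        group += encode_avp(SUBSCRIPTION_ID_DATA, imsi)
        avps += encode_avp(SUBSCRIPTION_ID, group)
    return avps
```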
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them, and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is set to the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
[Figure 23 diagram labels: Remote Peers; SDC; Router; Clients/Internet; "Traffic is contextually distributed according to session ID"]
Figure 23 Contextual Policy
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which the new request is delivered is the next available in row. Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by a peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no external parameters taken into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
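The Contextual and Weighted Round Robin policies described above, as an added Python example (one possible reading of the quota rule, not SDC's implementation). The peer names, the SHA-256 hashing of the Context ID and the class name PeerPool are assumptions; the 3:2:1:1 weights are the ones used for Figure 25.

```python
import hashlib


class PeerPool:
    def __init__(self, weights):
        self.weights = dict(weights)       # peer -> weight, in pool order
        self.out_of_service = set()        # maintained by health monitoring
        self._quota = dict(self.weights)   # messages left in the current cycle
        self._cursor = 0

    def _available(self):
        peers = [p for p in self.weights if p not in self.out_of_service]
        if not peers:
            raise RuntimeError("no peer in service")
        return peers

    def weighted_round_robin(self):
        """Walk the pool in order, skipping peers that used up their quota."""
        peers = self._available()
        if all(self._quota[p] <= 0 for p in peers):
            self._quota = dict(self.weights)   # every quota used: new cycle
            self._cursor = 0
        order = list(self.weights)
        for step in range(len(order)):
            index = (self._cursor + step) % len(order)
            peer = order[index]
            if peer in self.out_of_service or self._quota[peer] <= 0:
                continue
            self._quota[peer] -= 1
            self._cursor = (index + 1) % len(order)
            return peer
        raise RuntimeError("no available peer has a positive weight")

    def contextual(self, context_id):
        """Map a Context ID (default: the Session-Id) to a peer by weight."""
        peers = self._available()
        total = sum(self.weights[p] for p in peers)
        if total <= 0:
            raise RuntimeError("no available peer has a positive weight")
        digest = hashlib.sha256(context_id.encode("utf-8")).digest()
        point = int.from_bytes(digest[:8], "big") % total
        for peer in peers:
            point -= self.weights[peer]
            if point < 0:
                return peer


# Constructed pool with the 3:2:1:1 weights of Figure 25.
SAMPLE_WEIGHTS = {"peer-a": 3, "peer-b": 2, "peer-c": 1, "peer-d": 1}
```

With these weights each cycle of seven messages goes to peer-a, b, c, d, a, b, a. A peer that leaves the pool changes the contextual mapping for some Context IDs, so sessions already bound to a peer need the session binding, not the hash, to stay in place.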
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of the peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node which has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27 diagram labels: Transformation Engine; Server Peer; Client Peer; Request; Response; Client->Server; Client<-Server]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting the resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty Peers, or unexpected memory or CPU high usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or by bounding the incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness.[1]
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, and the byte rate limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed (cashed in), and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit and caps the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
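The token bucket with the channel and global read limiters described above, as an added Python example (not SDC code). All rates, burst sizes, pause times and the names TokenBucket, ReadLimiter and IngressGate are assumptions; time is passed in explicitly so the behaviour can be replayed.

```python
class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity (largest allowed burst)
        self.tokens = float(burst)
        self.updated = 0.0

    def refill(self, now):
        if now > self.updated:
            gained = (now - self.updated) * self.rate
            self.tokens = min(self.burst, self.tokens + gained)
            self.updated = now


class ReadLimiter:
    """Message-rate and byte-rate limit for one channel or for all channels."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause):
        self.messages = TokenBucket(msg_rate, msg_burst)
        self.octets = TokenBucket(byte_rate, byte_burst)
        self.pause = pause           # seconds to stop reading after a violation
        self.paused_until = 0.0
        self.violations = 0          # counter an overload monitor could watch

    def admit(self, size, now):
        if now < self.paused_until:
            return False             # reading is suspended
        self.messages.refill(now)
        self.octets.refill(now)
        # Debit both buckets only when both conform, so a rejected message
        # removes no tokens from either bucket.
        if self.messages.tokens >= 1 and self.octets.tokens >= size:
            self.messages.tokens -= 1
            self.octets.tokens -= size
            return True
        self.violations += 1
        self.paused_until = now + self.pause
        return False


class IngressGate:
    def __init__(self, channel_limits, global_limits):
        self.channel_limits = channel_limits
        self.global_limiter = ReadLimiter(**global_limits)
        self.channels = {}           # peer -> ReadLimiter

    def on_message(self, peer, size, now):
        if peer not in self.channels:
            self.channels[peer] = ReadLimiter(**self.channel_limits)
        if not self.channels[peer].admit(size, now):
            return "channel-paused"
        if not self.global_limiter.admit(size, now):
            return "global-paused"
        return "read"


# Constructed limits: 10 msg/s with a burst of 5 per peer, 2 s pause.
CHANNEL = dict(msg_rate=10, msg_burst=5, byte_rate=10_000, byte_burst=5_000, pause=2.0)
GLOBAL = dict(msg_rate=1_000, msg_burst=1_000, byte_rate=1_000_000,
              byte_burst=1_000_000, pause=1.0)
```

A peer that sends eight 200-byte messages at the same instant has five read and is then paused for two seconds, while other peers keep being read. The violations counter is the signal an overload monitor would use to notice a peer that keeps flooding after each pause.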
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header - R and T bits, command code and application ID. If no priority is set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal
Diameter header layout:
Bit offset 0: version (bits 0-7), message length (bits 8-31)
Bit offset 32: R P E T flags (bits 0-7), command code (bits 8-31)
Bit offset 64: application ID
Bit offset 96: hop-by-hop ID
Bit offset 128: end-to-end ID
Bit offset 160: AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
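Header-based prioritization as laid out in the table above, as an added Python example (not SDC code). The two table rows are constructed from the page's own examples (CCA over CCR on Gx, and the T bit); the function names are assumptions. In the Diameter header the R flag is set on requests, so an answer is a message with R clear.

```python
import struct

ANY = None                 # "does not matter" in the priority table
GX_APP_ID = 16777238       # 3GPP Gx application ID
CC_COMMAND = 272           # Credit-Control (CCR/CCA)

# Constructed table: (is_answer, is_retransmit, command_code, application_id, priority)
PRIORITY_TABLE = [
    (True, ANY, CC_COMMAND, GX_APP_ID, "High"),   # CCA over CCR on Gx
    (ANY, True, ANY, ANY, "High"),                # retransmissions (T bit set)
]


def parse_header(data):
    """Decode the fixed 20-byte Diameter header; raise ValueError if invalid."""
    if len(data) < 20:
        raise ValueError("Diameter header needs 20 bytes")
    version = data[0]
    length = int.from_bytes(data[1:4], "big")
    flags = data[4]
    command_code = int.from_bytes(data[5:8], "big")
    application_id, hop_by_hop, end_to_end = struct.unpack_from("!III", data, 8)
    if version != 1 or length < 20 or length % 4:
        raise ValueError("bad version or message length")
    return {
        "is_answer": not flags & 0x80,        # R bit clear means answer
        "is_retransmit": bool(flags & 0x10),  # T bit
        "command_code": command_code,
        "application_id": application_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def classify(data, table=PRIORITY_TABLE):
    """Return the priority of the first matching row, else "Normal"."""
    header = parse_header(data)
    got = (header["is_answer"], header["is_retransmit"],
           header["command_code"], header["application_id"])
    for *wanted, priority in table:
        if all(w is ANY or w == g for w, g in zip(wanted, got)):
            return priority
    return "Normal"


def build_header(command_code, application_id, request, retransmit=False):
    """Constructed header-only message (length 20) used as sample input."""
    flags = (0x80 if request else 0) | (0x10 if retransmit else 0)
    return (bytes([1]) + (20).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, 1, 1))
```

Because only the fixed header is read, this classification can run before any AVP is decoded, which is why it avoids the latency cost the page attributes to AVP-based prioritization.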
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.
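The error-rate threshold described above, combined with the By Precedence policy from section 8.4, as an added Python example (not SDC code). The threshold, window and hold-down values, the peer names and the names InSessionMonitor and pick_by_precedence are assumptions.

```python
from collections import deque


class InSessionMonitor:
    def __init__(self, threshold, window, hold_down):
        self.threshold = threshold   # error events tolerated per window
        self.window = window         # seconds over which the rate is measured
        self.hold_down = hold_down   # seconds a peer stays out of service
        self.events = {}             # peer -> deque of (time, kind)
        self.out_until = {}          # peer -> time it rejoins the pool
        self.alarms = []             # what would be forwarded to the OSS

    def record_error(self, peer, kind, now):
        """Record a timeout, busy answer or other error seen from a peer."""
        events = self.events.setdefault(peer, deque())
        events.append((now, kind))
        while events and events[0][0] <= now - self.window:
            events.popleft()         # forget events older than the window
        if len(events) > self.threshold:
            kinds = sorted({k for _, k in events})
            self.out_until[peer] = now + self.hold_down
            self.alarms.append({"peer": peer, "at": now, "kinds": kinds})
            events.clear()
            return "out-of-service"
        return "in-service"

    def in_service(self, peer, now):
        return now >= self.out_until.get(peer, 0.0)


def pick_by_precedence(pool, monitor, now):
    """First peer in pool order that is in service; None if there is none."""
    for peer in pool:
        if monitor.in_service(peer, now):
            return peer
    return None
```

The alarm entry carries the kinds of error that tripped the threshold, which is the information an operator needs to tell a slow peer from one that is answering busy.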
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests, such as pinging each connected peer, to more sophisticated tests, such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests, when it attempts to send requests to Remote Nodes and analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection
• Management Console is a Web based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC
[Figure 32 diagram labels: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS WEB Access; Web Service SOAP XML; SDC Core; SDC Blade/Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node configuration and management
• Remote Peer configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multisite deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real-time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need of a new license key or of the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrade (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate the OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate action in case of a fatal fault (for example, restarting the Diameter Router
instance if it has not responded for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration as of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resource
management in the solution
- The SDC core process is responsible for processing Diameter or other message-oriented
protocols, e.g. security, routing, load balancing and message
transformation
- The Config Manager process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33 Scalable Deployment Physical View ("Scalable Mode" SDC node, 12 blades)
Figure 34 Scalable Deployment Logical View
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot-Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot-Standby deployment
In the Hot-Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides on the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture: Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture: Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active-Active mode, the load is distributed among all available system nodes.
Virtual IP: Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides a fast response to any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active-Active | N | One instance per node
Configuration Manager | Active-Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active-Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (In scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog, "is running" check, service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (In scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy: Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC enforces a maximal Diameter message length and provides for Diameter message
screening. The SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
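The CER-based ACCEPT/REJECT decision from "Diameter connection security" and the maximum-length check from "Diameter message security" can be sketched as follows. This is an added Python example, not SDC code or its scripting interface: it parses the Diameter header and AVPs as laid out in RFC 6733, and the rule format, the 4096-byte limit, and all host, realm, subnet and product names are assumptions constructed for illustration.

```python
import ipaddress
import struct

# AVP and command codes from RFC 6733; 16777251 is the 3GPP S6a application id.
ORIGIN_HOST, ORIGIN_REALM, PRODUCT_NAME, AUTH_APP_ID = 264, 296, 269, 258
CER_COMMAND = 257
MAX_MESSAGE_LEN = 4096  # assumed limit for this example, not an SDC default


class MalformedMessage(ValueError):
    """Raised when a message fails a structural or length check."""


def parse_message(buf, max_len=MAX_MESSAGE_LEN):
    """Return (command, is_request, {(vendor_id, code): [data, ...]})."""
    if len(buf) < 20:
        raise MalformedMessage("short header")
    length = int.from_bytes(buf[1:4], "big")
    if buf[0] != 1:
        raise MalformedMessage("unsupported version")
    if length > max_len:
        raise MalformedMessage("message exceeds maximum length")
    if length != len(buf) or length % 4:
        raise MalformedMessage("length field does not match data")
    avps, off = {}, 20
    while off < length:
        if off + 8 > length:
            raise MalformedMessage("truncated AVP header")
        code = int.from_bytes(buf[off:off + 4], "big")
        flags = buf[off + 4]
        avp_len = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit adds a 4-byte Vendor-Id
        if avp_len < hdr or off + avp_len > length:
            raise MalformedMessage("bad AVP length")
        vendor = int.from_bytes(buf[off + 8:off + 12], "big") if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(bytes(buf[off + hdr:off + avp_len]))
        off += (avp_len + 3) & ~3  # AVP data is padded to a 32-bit boundary
    return int.from_bytes(buf[5:8], "big"), bool(buf[4] & 0x80), avps


def rule_matches(rule, peer):
    """A rule matches when every criterion it names is satisfied."""
    if "subnet" in rule and peer["ip"] not in ipaddress.ip_network(rule["subnet"]):
        return False
    if "realm" in rule and peer["origin_realm"] != rule["realm"]:
        return False
    if "product_name" in rule and peer["product_name"] != rule["product_name"]:
        return False
    if "app_id" in rule and rule["app_id"] not in peer["app_ids"]:
        return False
    return True


def evaluate_cer(buf, source_ip, rules, default="REJECT"):
    """First matching rule wins; malformed or non-CER input is rejected."""
    try:
        command, is_request, avps = parse_message(buf)
    except MalformedMessage:
        return "REJECT"
    if command != CER_COMMAND or not is_request:
        return "REJECT"

    def text(code):
        values = avps.get((0, code), [])
        return values[0].decode("ascii", "replace").lower() if values else ""

    peer = {
        "ip": ipaddress.ip_address(source_ip),
        "origin_host": text(ORIGIN_HOST),
        "origin_realm": text(ORIGIN_REALM),
        "product_name": text(PRODUCT_NAME),
        "app_ids": {int.from_bytes(v, "big")
                    for v in avps.get((0, AUTH_APP_ID), []) if len(v) == 4},
    }
    if not peer["origin_host"] or not peer["origin_realm"]:
        return "REJECT"  # both AVPs are mandatory in a CER
    for rule in rules:
        if rule_matches(rule, peer):
            return rule["action"]
    return default


def avp(code, data, flags=0x40):
    """Encode one base-protocol AVP (helper for the constructed test data)."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(origin_host, origin_realm, product, app_id):
    """Constructed CER carrying only the AVPs this policy inspects."""
    body = (avp(ORIGIN_HOST, origin_host.encode())
            + avp(ORIGIN_REALM, origin_realm.encode())
            + avp(PRODUCT_NAME, product.encode(), flags=0)
            + avp(AUTH_APP_ID, struct.pack("!I", app_id)))
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + CER_COMMAND.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body


# Constructed policy: the subnet, realm and product strings are hypothetical.
RULES = [
    {"action": "REJECT", "product_name": "legacy-gw"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24",
     "realm": "example.net", "app_id": 16777251},
]

if __name__ == "__main__":
    cer = build_cer("mme1.example.net", "example.net", "constructed-mme", 16777251)
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, evaluate_cer(cer, src, RULES))
```

The default action is REJECT, so a peer is admitted only when an explicit rule matches, and any message that fails the length or structure checks is refused before policy is evaluated.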
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of switch modules
(one pair for signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition to that, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
Labels in Figure 58: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high-capacity, high-performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Figure 16 In session call flow of server initiated Diameter request
SDC accepts requests from different server peers as long as the requests share a Session-ID that was established by the client peer, as shown in the call flow depicted in Figure 17.
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases the communication between the Diameter client and server peers is stateless, meaning that SDC does not maintain a reverse path for the Session-ID. To allow proper handling of out of session server initiated Diameter requests, SDC implements advanced routing rules that the user can use to define the required behavior. If no rule is set, SDC sends the request to a client based on the request's Destination-Host AVP. This behavior is shown in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a Diameter DNS and leases routing decisions to the clients for a predefined and configurable amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the PCRF pool to which a particular session is routed.
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source - as shown in Figure 21 - to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists for the duration of the Diameter session.
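The IMSI-range rule and the per-session persistence described above, as an added Python sketch (not SDC's Groovy rule or any code from the product). The IMSI ranges, the Subscription-Id-Type check and the SessionRouter class are assumptions for illustration; the AVP codes are those of RFC 6733 and RFC 4006.

```python
import struct

# AVP codes (RFC 6733 / RFC 4006). The page writes "Subscription-ID-Data".
SESSION_ID, SUBSCRIPTION_ID = 263, 443
SUBSCRIPTION_ID_DATA, SUBSCRIPTION_ID_TYPE = 444, 450
END_USER_IMSI = 1

# Constructed ranges (assumption); a deployment takes these from its rule.
IMSI_RANGES = [
    (425010000000000, 425010499999999, "pcrf-cluster-a"),
    (425010500000000, 425010999999999, "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def encode_avp(code, data, flags=0x40):
    """Build one AVP (no Vendor-Id), padded to a 4-byte boundary."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def parse_avps(buf):
    """Yield (code, data) per AVP; reject lengths that run past the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8      # V bit adds a Vendor-Id field
        if length < hdr or off + length > len(buf):
            raise ValueError("invalid AVP length")
        yield code, buf[off + hdr:off + length]
        off += length + (-length % 4)


def extract_imsi(avps):
    """Return the IMSI from the first Subscription-Id of type END_USER_IMSI."""
    for code, data in parse_avps(avps):
        if code != SUBSCRIPTION_ID:
            continue
        inner = dict(parse_avps(data))       # grouped AVP: parse its members
        if inner.get(SUBSCRIPTION_ID_TYPE) != END_USER_IMSI.to_bytes(4, "big"):
            continue
        value = inner.get(SUBSCRIPTION_ID_DATA, b"")
        if value.isdigit() and len(value) <= 15:   # ASCII digits only
            return value.decode("ascii")
    return None


def select_pool(avps):
    """Missing AVP, malformed IMSI or IMSI out of range all fall to default."""
    imsi = extract_imsi(avps)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= int(imsi) <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decide once at session establishment, then reuse for that Session-Id."""

    def __init__(self):
        self.pool_by_session = {}

    def route(self, avps):
        session = next((d for c, d in parse_avps(avps) if c == SESSION_ID), None)
        if session not in self.pool_by_session:
            pool = select_pool(avps)
            if session is None:
                return pool                  # no Session-Id: nothing to pin
            self.pool_by_session[session] = pool
        return self.pool_by_session[session]

    def end_session(self, session):
        self.pool_by_session.pop(session, None)


def sample_request(session, imsi=None):
    """Constructed AVP body of a Gx request (Diameter header omitted)."""
    body = encode_avp(SESSION_ID, session)
    if imsi is not None:
        sub = encode_avp(SUBSCRIPTION_ID_TYPE, END_USER_IMSI.to_bytes(4, "big"))
        sub += encode_avp(SUBSCRIPTION_ID_DATA, imsi)
        body += encode_avp(SUBSCRIPTION_ID, sub)
    return body
```

A later message of the same session that carries no Subscription-Id still reaches the pool chosen at establishment, because the router looks the Session-Id up before it evaluates the rule again.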
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern according to which the system decides how to distribute control plane traffic across the peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism may operate, explains the differences between them and describes the conditions under which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are sent until the health monitoring and overload detection mechanisms decide that the peer is out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the next Remote Node in the pool, and so on. When the peer recovers, it is brought back to the pool and Diameter message routing to this peer is resumed. Incoming requests distribution is depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool using a "Context ID". The Context ID is a key that can be defined by a user upon session creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key. Using this method, messages are sent to a specific Diameter peer according to their Context ID. In addition to the Context ID parameter, traffic distribution is also controlled by a predefined proportion. If not set by the user, the default Context ID key is the Diameter Session ID. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Incoming requests distribution is depicted in Figure 25.
[Figure 23 diagram labels: Clients/Internet; Router; SDC; Remote Peers. Annotation: "Traffic is contextually distributed according to session ID"]
Figure 23 Contextual Policy
Round Robin
When the Round Robin load balancing policy is selected, traffic is evenly distributed across the pool's available Diameter peers, and the Diameter peer to which a new request is delivered is the next available in the row. Round Robin is a static algorithm: no external parameters are taken into account upon request distribution. Incoming requests distribution is depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When the Weighted Round Robin policy is selected, traffic is distributed across the pool's available Diameter peers according to a predefined proportion defined by each peer's weight. The weight of each Diameter peer in the pool is set according to its capacity and ability to handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no external parameters are taken into account upon request distribution. Using the Weighted Round Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of sending the request to the next available Diameter peer in the row, messages are sent to the Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When the Fastest Response Time load balancing policy is selected, the incoming Diameter traffic is distributed across the pool's available Diameter peers according to the respective response time of each peer. The response time is measured for a predefined duration of time using real time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node that has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
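An added Python sketch (not SDC code) of three of the policies above: By Precedence, Contextual and Weighted Round Robin with per-peer quotas, each skipping peers that health monitoring has marked out-of-service. The Peer class, the peer names and the SHA-256 mapping of a Context ID are assumptions; the page does not say how SDC hashes a Context ID.

```python
import hashlib


class Peer:
    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight        # capacity share, e.g. 3:2:1:1
        self.in_service = True      # toggled by health monitoring


def by_precedence(pool):
    """First in-service peer in pool order; a recovered peer wins again."""
    for peer in pool:
        if peer.in_service:
            return peer
    return None


def contextual(pool, context_id):
    """Map a Context ID (default: the Session-ID) onto in-service peers,
    in proportion to their weights. Assumption: a plain hash-modulo map,
    so taking a peer out of service also remaps other Context IDs; a real
    implementation would store the choice for the session's lifetime."""
    slots = [p for p in pool if p.in_service for _ in range(p.weight)]
    if not slots:
        return None
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


class WeightedRoundRobin:
    """Round robin over the pool, skipping peers that reached their quota."""

    def __init__(self, pool):
        self.pool = pool
        self.sent = {p.name: 0 for p in pool}
        self.cursor = 0

    def next_peer(self):
        candidates = [p for p in self.pool if p.in_service]
        if not candidates:
            return None
        # Every in-service peer used its quota: start a new cycle.
        if all(self.sent[p.name] >= p.weight for p in candidates):
            for p in candidates:
                self.sent[p.name] = 0
        size = len(self.pool)
        for step in range(size):
            peer = self.pool[(self.cursor + step) % size]
            if peer.in_service and self.sent[peer.name] < peer.weight:
                self.sent[peer.name] += 1
                self.cursor = (self.cursor + step + 1) % size
                return peer
        return None


def sample_pool():
    """Constructed pool with the 3:2:1:1 weights used in the text."""
    return [Peer("a", 3), Peer("b", 2), Peer("c", 1), Peer("d", 1)]
```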
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27 diagram labels: Client Peer; Transformation Engine; Server Peer; Request and Response on each side of the engine, in both directions (Client -> Server and Client <- Server)]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or bounding the incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness. [1]
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The message and byte rate limiters operate similarly. The only difference is that the message rate limiter counts and limits the number of incoming messages, while the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit on, and caps, the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. The estimated traffic reading rate is then compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). The estimated traffic reading rate is then compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
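The token bucket and the channel and global limiters described above, as an added Python sketch (not SDC code). The rates, burst sizes, pause length and class names are assumptions; pass cost=1 for the message rate limiter or the message length in bytes for the byte rate limiter.

```python
class TokenBucket:
    """Tokens refill at `rate` per second up to `burst`."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = rate
        self.capacity = burst
        self.tokens = burst
        self.stamp = now

    def try_consume(self, cost, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.stamp = now
        if cost <= self.tokens:
            self.tokens -= cost          # conforming: tokens are cashed in
            return True
        return False                     # non-conforming: bucket unchanged


class ReadLimiter:
    """Per-peer (channel) and global limiter. When a limit is exceeded,
    reading from that peer, or from all peers, stops for `pause_s`."""

    GLOBAL = object()                    # key for the all-peers pause

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst,
                 pause_s):
        self.peer_rate = peer_rate
        self.peer_burst = peer_burst
        self.pause_s = pause_s
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peer_buckets = {}
        self.paused_until = {}

    def admit(self, peer, now, cost=1):
        """Return 'read', 'paused-channel' or 'paused-global'."""
        if now < self.paused_until.get(self.GLOBAL, 0.0):
            return "paused-global"
        if now < self.paused_until.get(peer, 0.0):
            return "paused-channel"
        bucket = self.peer_buckets.get(peer)
        if bucket is None:
            bucket = TokenBucket(self.peer_rate, self.peer_burst, now)
            self.peer_buckets[peer] = bucket
        if not bucket.try_consume(cost, now):
            self.paused_until[peer] = now + self.pause_s
            return "paused-channel"
        if not self.global_bucket.try_consume(cost, now):
            bucket.tokens += cost        # refund: the message was not read
            self.paused_until[self.GLOBAL] = now + self.pause_s
            return "paused-global"
        return "read"


def replay(limiter, events):
    """Run constructed (time, peer) events through the limiter."""
    return [limiter.admit(peer, t) for t, peer in events]
```

One peer exhausting its own bucket pauses only that channel; the global pause is reached only when the sum over all peers exceeds the global bucket.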
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx over Rx, or MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header - R and T bits, command code and application ID. If no priority is set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
Prioritization that uses attributes available in the AVP(s) (e.g. CC-Request-Type) might have an impact of up to 5 on the latency.
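An added Python sketch (not SDC code) of header-based prioritization: it decodes the 20-byte Diameter header laid out above and matches it against a priority table in which None stands for "does not matter". The two rules are constructed for illustration; 272 (Credit-Control), 16777238 (Gx) and 16777236 (Rx) are the standard command code and application IDs.

```python
import struct

HEADER_LEN = 20
FLAG_R = 0x80   # set on requests, clear on answers (RFC 6733)
FLAG_T = 0x10   # potentially retransmitted message

GX, RX = 16777238, 16777236
CREDIT_CONTROL = 272

# (is_answer, is_retransmit, command code, application ID, priority).
# Constructed rules: first match wins, None means "does not matter".
RULES = [
    (True, None, CREDIT_CONTROL, GX, "High"),   # Gx CCA over everything else
    (None, True, None, None, "High"),           # any retransmission
]
DEFAULT_PRIORITY = "Normal"


def parse_header(buf):
    """Decode the fixed header; raise ValueError on malformed input."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a Diameter header")
    word0, word1, app_id, _hop, _end = struct.unpack_from("!IIIII", buf)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, command = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return {
        "is_answer": not (flags & FLAG_R),
        "is_retransmit": bool(flags & FLAG_T),
        "command": command,
        "app_id": app_id,
    }


def classify(buf):
    """Priority of one message, decided from the header alone (no AVP parsing)."""
    h = parse_header(buf)
    key = (h["is_answer"], h["is_retransmit"], h["command"], h["app_id"])
    for *match, priority in RULES:
        if all(m is None or m == k for m, k in zip(match, key)):
            return priority
    return DEFAULT_PRIORITY


def build_header(flags, command, app_id, length=HEADER_LEN, version=1):
    """Constructed header for the examples; hop-by-hop/end-to-end are dummies."""
    return struct.pack("!IIIII", (version << 24) | length,
                       (flags << 24) | command, app_id, 0x1111, 0x2222)
```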
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other tests SDC performs when it attempts to send requests to Remote Nodes and analyzes the responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with a threshold mechanism in which the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
[Figure 32 diagram labels: Management Console; Configuration Manager; SDC Core; Web Service; Provisioning Interface (SOAP); HTTPS Web Access; Web Service SOAP/XML; SDC Blade/Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node configuration and management
• Remote Peer configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multisite deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real-time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence the OAM can notify the operator about the need for a new license key or for the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful software and hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance if it does not respond for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution.
- The SDC core process is responsible for processing of Diameter or other message oriented protocols, e.g. security, routing, load balancing and message transformation.
- The Config Manager process is responsible for configuration distribution and storage.
- Distributed Storage is responsible for the management of static and dynamic routing tables.
- The Web Console process provides a Web interface for interactive system configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs OAM tasks.
[Figure 33 diagram labels: "Scalable Mode" - SDC Node; Server 1 ... Server M; Servers Backbone; Client 1 ... Client K; Clients Backbone; External Network; Interconnect; Management Network; Scalable (12 blades); SDC Blade 1, 2, 3 ... 12; VIP (Active); VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage]
Figure 33 Scalable Deployment Physical View
[Figure 34 diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 34 Scalable Deployment Logical View
[Figure 35 diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated to the backup node.
[Figure 36 diagram labels: Node 1 and Node 2, each with SDC Core, Web UI / WS, Configuration Manager, Diameter VIP and Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication]
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
[Figure 37 diagram labels: Node 1; Node 2; SDC; Web UI/WS; Configuration Manager; Diameter VIP; Management VIP; Physical IP; Client; Management Workstation; Session Replication; flow step markers 1, 2, 3]
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global
      Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin
      load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure 38 diagram labels: Node 1; Node 2; SDC; Web UI/WS; Configuration Manager; Diameter VIP; Management VIP; Physical IP; Client; Management Workstation; Session Replication; flow step markers 1, 2, 3]
Figure 38 Scalable N+K HA architecture Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
  mitigate privacy and security concerns, to comply with legal requirements of the
  network, and to avoid exposing information contained in AVP(s) such as
  Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
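The connection and message screening described in sections 11.5 and 11.6, sketched as an added Python example that is not SDC code: it validates the structure and length of the first message on a connection, then applies a first-match ACL to the CER's Origin-Realm, Auth-Application-Id and the peer's source address. The policy, the 4096-byte limit and all function names are assumptions, and the sample CER is constructed.

```python
import ipaddress
import struct

# AVP and command codes from RFC 6733; 16777238 is the 3GPP Gx application id.
ORIGIN_HOST, AUTH_APP_ID, ORIGIN_REALM = 264, 258, 296
CER_COMMAND = 257
MAX_MESSAGE_LEN = 4096  # assumed operator limit, not an SDC default

# Constructed policy: first matching rule wins, anything unmatched is rejected.
ACL = [
    {"action": "REJECT", "realm": "blocked.example"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24", "realm": "epc.example",
     "app_id": 16777238},
]


class Malformed(ValueError):
    """Raised for any message that fails structural validation."""


def parse_message(data, max_len=MAX_MESSAGE_LEN):
    """Validate a Diameter message; return (command, is_request, avps)."""
    if len(data) < 20:
        raise Malformed("shorter than the 20-byte Diameter header")
    if data[0] != 1:
        raise Malformed("unsupported Diameter version")
    length = int.from_bytes(data[1:4], "big")
    if length > max_len:
        raise Malformed("message exceeds configured maximum length")
    if length != len(data) or length % 4:
        raise Malformed("declared length does not match received bytes")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 8:
            raise Malformed("truncated AVP header")
        code, flags = struct.unpack_from("!IB", data, pos)
        avp_len = int.from_bytes(data[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8  # V bit adds a 4-byte Vendor-Id
        if avp_len < header or pos + avp_len > length:
            raise Malformed("AVP length out of bounds")
        vendor = int.from_bytes(data[pos + 8:pos + 12], "big") if header == 12 else 0
        avps.setdefault((vendor, code), []).append(data[pos + header:pos + avp_len])
        pos += (avp_len + 3) & ~3  # AVPs are padded to a 4-byte boundary
    command = int.from_bytes(data[5:8], "big")
    return command, bool(data[4] & 0x80), avps


def screen_cer(raw, peer_ip, acl=ACL):
    """Return (action, reason) for the first message received on a connection."""
    try:
        command, is_request, avps = parse_message(raw)
    except Malformed as exc:
        return "REJECT", str(exc)
    if command != CER_COMMAND or not is_request:
        return "REJECT", "first message is not a CER"
    try:
        host = avps[(0, ORIGIN_HOST)][0].decode("ascii")
        realm = avps[(0, ORIGIN_REALM)][0].decode("ascii").lower()
    except (KeyError, UnicodeDecodeError):
        return "REJECT", "missing or non-ASCII Origin-Host/Origin-Realm"
    app_ids = {int.from_bytes(v, "big")
               for v in avps.get((0, AUTH_APP_ID), []) if len(v) == 4}
    addr = ipaddress.ip_address(peer_ip)
    for number, rule in enumerate(acl):
        if "subnet" in rule and addr not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "realm" in rule and realm != rule["realm"]:
            continue
        if "app_id" in rule and rule["app_id"] not in app_ids:
            continue
        return rule["action"], f"rule {number} matched for {host}"
    return "REJECT", "no ACL rule matched"


def avp(code, value, flags=0x40):
    """Encode one base-protocol AVP (M bit set), padded to 4 bytes."""
    length = 8 + len(value)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + value + b"\x00" * (-length % 4))


def build_cer(host, realm, app_id):
    """Constructed sample; a real CER also carries Host-IP-Address, Vendor-Id
    and Product-Name."""
    body = (avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
            + avp(AUTH_APP_ID, app_id.to_bytes(4, "big")))
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + CER_COMMAND.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body
```

In a stream receiver the length limit is best checked as soon as the 20-byte header has arrived, before the rest of the message is buffered.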
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
  Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
  signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
  messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43 diagram labels: Blade Chassis; SDC Worker Node; Virtual Fabric Switch 1 and 2 (External Ports 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; EXT-SCTP-A; EXT-SCTP-B; EXT-TCP-A; EXT-TCP; INT-SCTP-A; INT-SCTP-B; INT-TCP; MGMT-A; MGMT-B; INBAND; Interswitch Link; Connections to upstream Routers; Virtual IP for SCTP and TCP (all VIPs are doubled per Internal and External Networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console; Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console; SNMP; SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.²
[Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
Figure 58 Detailed System Flow
² More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Figure 17 Call flow of Diameter server request where the server peer is changed
2. Out of session routing
In some cases, the communication between the Diameter client and server peers
is stateless, meaning that SDC does not maintain a reverse path for the Session-ID.
To allow proper handling of out of session, server-initiated Diameter
requests, SDC implements advanced routing rules that can be used by the user to
define the required behavior. In case no rule is set, SDC sends the request to a
client based on the request’s Destination-Host AVP. This behavior is shown
in Figure 18.
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of a
  grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
  o The first range is routed to “pcrf-cluster-a”
  o The second range is routed to “pcrf-cluster-b”
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
  routes the traffic to the “default” pool
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a “Context ID”. The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Figure 23 diagram labels: Remote Peers; SDC; Router; Clients; Internet; “Traffic is contextually distributed according to session ID”; session markers 1 to 5]
Figure 23 Contextual Policy
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool’s available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool’s
available Diameter peers according to a predefined proportion defined by a peer’s weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
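The Contextual and Weighted Round Robin policies described above can be sketched as follows. This is an added example, not SDC code: the peer names, the weights and the use of SHA-256 over the Session-Id as the Context ID hash are assumptions made for illustration.

```python
import hashlib

# Constructed pool: peer name -> weight (its share of the traffic).
WEIGHTS = {"A": 3, "B": 2, "C": 1, "D": 1}


class WeightedRoundRobin:
    """Round robin that skips a peer once it has used its quota for the cycle."""

    def __init__(self, weights):
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every peer needs a weight of at least 1")
        self.weights = dict(weights)
        self.order = list(self.weights)            # fixed visiting order
        self.used = dict.fromkeys(self.order, 0)   # requests sent this cycle
        self.pos = 0

    def pick(self, available=None):
        """Return the next peer; `available` optionally restricts the pool."""
        peers = [p for p in self.order if available is None or p in available]
        if not peers:
            raise LookupError("no available peer in the pool")
        if all(self.used[p] >= self.weights[p] for p in peers):
            # Every available peer reached its quota: start a new cycle.
            self.used = dict.fromkeys(self.order, 0)
            self.pos = 0
        n = len(self.order)
        for step in range(n):
            idx = (self.pos + step) % n
            peer = self.order[idx]
            if peer in peers and self.used[peer] < self.weights[peer]:
                self.used[peer] += 1
                self.pos = (idx + 1) % n
                return peer
        raise RuntimeError("unreachable: a peer below quota always exists here")


def contextual_pick(context_id, weights, available=None):
    """Map a Context ID (here: the Session-Id string) to one peer.

    Each peer owns as many slots as its weight, so the predefined proportion
    is kept while every message of one session lands on the same peer.
    If the set of available peers changes, existing sessions may be remapped.
    """
    slots = [p for p, w in weights.items()
             if available is None or p in available
             for _ in range(w)]
    if not slots:
        raise LookupError("no available peer in the pool")
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


def distribution(sessions):
    """Count how many constructed Session-Ids map to each peer."""
    counts = dict.fromkeys(WEIGHTS, 0)
    for i in range(sessions):
        counts[contextual_pick(f"client.example;{i}", WEIGHTS)] += 1
    return counts


if __name__ == "__main__":
    wrr = WeightedRoundRobin(WEIGHTS)
    print("weighted round robin:", [wrr.pick() for _ in range(7)])
    print("contextual, 7000 sessions:", distribution(7000))
```

Because the Context ID is derived from AVPs supplied by the client, the hash should spread keys evenly so that no single peer receives a disproportionate share of sessions.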
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation (diagram labels: Client, Peer, Transformation Engine, Peer, Server; Request and Response in the Client-to-Server and Server-to-Client directions)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness (a measure of the unevenness or
variations in the traffic flow).
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
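The token bucket check and the channel and global limiters described above can be combined as in the following sketch. It is an added example, not SDC code: the class names, parameter names and the traffic in `flood_demo` are constructed for illustration, and timestamps are passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens per second, holding at most `burst`."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = now

    def conforms(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens fit."""
        if now > self.last:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.last) * self.rate)
            self.last = now
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Channel (per peer) and global limiter that pauses reading when exceeded.

    cost=1 gives a message rate limiter; cost=len(message) gives a byte rate
    limiter. A cost larger than the burst size can never conform, so the burst
    must be at least the largest message that is to be accepted.
    """

    READ, PEER_PAUSED, GLOBAL_PAUSED = "read", "peer-paused", "global-paused"

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst, pause):
        self.peer_rate, self.peer_burst = peer_rate, peer_burst
        self.pause = pause                      # seconds to stop reading
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peer_buckets = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def on_message(self, peer, now, cost=1):
        if now < self.global_paused_until:
            return self.GLOBAL_PAUSED
        if now < self.peer_paused_until.get(peer, 0.0):
            return self.PEER_PAUSED
        bucket = self.peer_buckets.get(peer)
        if bucket is None:
            bucket = TokenBucket(self.peer_rate, self.peer_burst, now)
            self.peer_buckets[peer] = bucket
        # Check both buckets before removing tokens, so a non-conforming
        # message leaves the bucket contents unchanged.
        if not bucket.conforms(cost, now):
            self.peer_paused_until[peer] = now + self.pause
            return self.PEER_PAUSED
        if not self.global_bucket.conforms(cost, now):
            self.global_paused_until = now + self.pause
            return self.GLOBAL_PAUSED
        bucket.take(cost)
        self.global_bucket.take(cost)
        return self.READ


def flood_demo():
    """Constructed traffic: one peer bursts 20 messages, another stays slow."""
    limiter = ReadLimiter(peer_rate=10, peer_burst=5,
                          global_rate=100, global_burst=50, pause=1.0)
    seen = {"flooder": [], "normal": []}
    for _ in range(20):
        seen["flooder"].append(limiter.on_message("flooder", 0.0))
    for t in (0.0, 0.5):
        seen["normal"].append(limiter.on_message("normal", t))
    seen["flooder"].append(limiter.on_message("flooder", 1.0))
    return seen


if __name__ == "__main__":
    for peer, decisions in flood_demo().items():
        print(peer, decisions)
```

The flooding peer is read for its burst allowance and then paused, while the well-behaved peer on the same node is unaffected; only when the sum of all peers exceeds the global bucket is reading paused for everyone.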
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit)      | Is Retransmit (T bit)  | Command code                   | Application ID                 | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal
Bit offset | Bits 0-7 | Bits 8-31
0          | version  | message length
32         | R P E T  | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have impact of up to 5 on the latency.
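The header-based prioritization above can be illustrated with a parser for the 20-byte Diameter header and a first-match priority table. This is an added example, not SDC code: the rule set, the helper `build_header` and the sample messages are constructed, and the flag bit positions follow the Diameter base protocol (RFC 6733), in which a set R bit marks a request, so "is answer" means the R bit is clear.

```python
import struct
from typing import NamedTuple, Optional

HEADER_LEN = 20
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10


class DiameterHeader(NamedTuple):
    version: int
    length: int
    is_request: bool      # R bit set
    proxiable: bool       # P bit
    error: bool           # E bit
    retransmit: bool      # T bit
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int


def parse_header(data: bytes) -> DiameterHeader:
    """Parse the fixed header only; AVPs are not touched."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hbh, e2e = struct.unpack("!5I", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError(f"unsupported Diameter version {version}")
    if length < HEADER_LEN or length % 4:
        raise ValueError(f"invalid message length {length}")
    return DiameterHeader(version, length, bool(flags & FLAG_R),
                          bool(flags & FLAG_P), bool(flags & FLAG_E),
                          bool(flags & FLAG_T), code, app_id, hbh, e2e)


class Rule(NamedTuple):
    """One row of the priority table; None means "does not matter"."""
    is_answer: Optional[bool]
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


# Constructed rule set: Credit-Control answers (command code 272) and any
# retransmitted message are handled with high priority.
RULES = [
    Rule(True, None, 272, None, "high"),
    Rule(None, True, None, None, "high"),
]


def classify(hdr: DiameterHeader, rules=RULES, default="normal") -> str:
    """Return the priority of the first matching rule, else normal priority."""
    for rule in rules:
        if rule.is_answer is not None and rule.is_answer == hdr.is_request:
            continue
        if rule.is_retransmit is not None and rule.is_retransmit != hdr.retransmit:
            continue
        if rule.command_code is not None and rule.command_code != hdr.command_code:
            continue
        if rule.application_id is not None and rule.application_id != hdr.application_id:
            continue
        return rule.priority
    return default


def build_header(flags, code, app_id, hbh=1, e2e=1, length=HEADER_LEN) -> bytes:
    """Build a constructed header for the demonstration."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | code,
                       app_id, hbh, e2e)


if __name__ == "__main__":
    GX = 16777238  # 3GPP Gx application ID, used here as sample data
    for name, flags in (("CCA", FLAG_P), ("CCR", FLAG_R | FLAG_P),
                        ("CCR retransmit", FLAG_R | FLAG_P | FLAG_T)):
        print(name, classify(parse_header(build_header(flags, 272, GX))))
```

Classification reads only fixed-offset header fields, so it can run before any AVP decoding; malformed headers are rejected instead of being assigned a priority.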
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After overload condition is ceased, it is possible to assign higher priority
to messages with T (retransmit) bit set.
If message rejection is applied, SDC replies with user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, full
answer that includes "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
condition or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period the server does not handle new
Diameter sessions.
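The threshold logic of In Session Monitoring can be sketched as a sliding window of error events per peer. This is an added example, not SDC code: the class and parameter names, the peer names and the choice to treat any Result-Code of 3000 or above as an error event are assumptions made for illustration.

```python
from collections import deque

DIAMETER_SUCCESS = 2001
DIAMETER_TOO_BUSY = 3004


class InSessionMonitor:
    """Marks a peer "out of service" when its error rate exceeds a threshold."""

    def __init__(self, max_errors, window, out_of_service, slow_after):
        self.max_errors = max_errors          # errors tolerated per window
        self.window = window                  # seconds over which errors count
        self.out_of_service = out_of_service  # seconds a tripped peer is avoided
        self.slow_after = slow_after          # response time counted as an error
        self.errors = {}                      # peer -> deque of error timestamps
        self.oos_until = {}                   # peer -> time it returns to service

    def observe(self, peer, now, result_code=None, response_time=None):
        """Record one transaction; result_code=None means it timed out.

        Returns True when this event takes the peer out of service.
        """
        is_error = (
            result_code is None
            or result_code >= 3000            # busy answers and other error codes
            or (response_time is not None and response_time > self.slow_after)
        )
        if not is_error:
            return False
        events = self.errors.setdefault(peer, deque())
        events.append(now)
        while events and events[0] <= now - self.window:
            events.popleft()                  # forget errors outside the window
        if len(events) > self.max_errors:
            self.oos_until[peer] = now + self.out_of_service
            events.clear()
            return True
        return False

    def in_service(self, peer, now):
        return now >= self.oos_until.get(peer, 0.0)

    def pick_for_new_session(self, peers, now):
        """First in-service peer, or None so the caller can reject gracefully."""
        for peer in peers:
            if self.in_service(peer, now):
                return peer
        return None


def demo():
    """Constructed event stream for one misbehaving peer."""
    mon = InSessionMonitor(max_errors=3, window=10.0,
                           out_of_service=30.0, slow_after=2.0)
    tripped = [
        mon.observe("pcrf-1", 0.0, DIAMETER_TOO_BUSY, 0.1),   # busy answer
        mon.observe("pcrf-1", 1.0, DIAMETER_TOO_BUSY, 0.1),   # busy answer
        mon.observe("pcrf-1", 2.0),                           # timeout
        mon.observe("pcrf-1", 3.0, DIAMETER_SUCCESS, 5.0),    # slow response
    ]
    return mon, tripped


if __name__ == "__main__":
    mon, tripped = demo()
    print("tripped:", tripped)
    print("new session at t=10 goes to:",
          mon.pick_for_new_session(["pcrf-1", "pcrf-2"], 10.0))
```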
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
Mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS WEB Access, Web Service SOAP XML, Blade Server, OAM, SDC Node, SNMP, Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counter, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Managements Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides a vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33 Scalable Deployment Physical View (diagram labels: "Scalable Mode" SDC Node; Server 1 to Server M; Servers Backbone; Client 1 to Client K; Clients Backbone; External Network; Interconnect; Management Network; Scalable (12 blades); SDC Blade 1 with VIP (Active); SDC Blades 2, 3 and 12 with VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage)
Figure 34 Scalable Deployment Logical View (diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server)
Figure 35 Main Software Processes (diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture (diagram labels: Client Peer; Server Peer; Management Workstation; Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Session Replication)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation (diagram labels: Client; Management Workstation; nodes with SDC, Web UI WS and Configuration Manager; Diameter VIP; Management VIP; Physical IP; Session Replication; flow steps 1 to 3)
Normal Operation Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one
      time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation (diagram labels: Client; Management Workstation; nodes with SDC, Web UI WS and Configuration Manager; Diameter VIP; Management VIP; Physical IP; Session Replication; flow steps 1 to 3)
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connection between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
Component/Service     | HA Model                                               | Maximum Concurrent Active Instances | Comments
SDC                   | Active/Active                                          | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication            | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store     | Active/Active                                          | N | One instance per node
Web UI WS             | Service and VIP Failover (Active/Multiple standbys)    | 1 | Runs on one system node, failover in case of node failure
CPF                   | VIP Failover (Active/Multiple standbys)                | 1 | Virtual IP Address will be active on one node at a time with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per-site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type                          | Failure Detection Method                                     | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat                                            | Node failover; Traffic shift to other node
PSU (Power Supply Unit)               | Built-in Hardware Monitoring                                 | Failover to Redundant PSU
Network Interface                     | Network Link monitoring (OS)                                 | Node traffic failover to secondary NIC
Disk failure                          | Hardware - RAID controller                                   | RAID failover to 2nd disk
Network switch                        | Switch Redundancy mechanisms; Network Link monitoring (OS)   | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
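The ACCEPT/REJECT decision on a CER described above can be sketched as a first-match rule list with a default of REJECT. This is an added example, not SDC configuration or code: the rule fields, the `host_belongs_to_realm` criterion, the addresses and the host names are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, FrozenSet, Optional

ACCEPT, REJECT = "ACCEPT", "REJECT"
GX_APP_ID = 16777238  # 3GPP Gx application identifier


@dataclass(frozen=True)
class Cer:
    """The CER fields this policy inspects (simplified model, not a wire decoder)."""
    source_ip: str
    origin_host: str
    origin_realm: str
    product_name: str
    application_ids: FrozenSet[int]


@dataclass(frozen=True)
class AclRule:
    """Every criterion that is set must match; unset criteria act as wildcards."""
    action: str
    subnet: Optional[str] = None
    host_glob: Optional[str] = None
    application_id: Optional[int] = None
    product_name: Optional[str] = None
    custom: Optional[Callable[[Cer], bool]] = None

    def matches(self, cer: Cer) -> bool:
        if self.subnet is not None:
            # An IPv4 source never matches an IPv6 subnet, and vice versa.
            if ipaddress.ip_address(cer.source_ip) not in ipaddress.ip_network(self.subnet):
                return False
        if self.host_glob is not None:
            if not fnmatchcase(cer.origin_host.lower(), self.host_glob.lower()):
                return False
        if self.application_id is not None and self.application_id not in cer.application_ids:
            return False
        if self.product_name is not None and cer.product_name != self.product_name:
            return False
        if self.custom is not None and not self.custom(cer):
            return False
        return True


def host_belongs_to_realm(cer: Cer) -> bool:
    """Custom criterion: Origin-Host must be a name inside the claimed Origin-Realm."""
    return cer.origin_host.lower().endswith("." + cer.origin_realm.lower())


def evaluate(rules, cer: Cer, default: str = REJECT) -> str:
    """First matching rule decides; unmatched or malformed requests are rejected."""
    try:
        ipaddress.ip_address(cer.source_ip)
    except ValueError:
        return REJECT
    for rule in rules:
        if rule.matches(cer):
            return rule.action
    return default


# Constructed policy: block one subnet, admit Gx clients of one realm, reject the rest.
POLICY = [
    AclRule(REJECT, subnet="10.20.30.0/24"),
    AclRule(ACCEPT, subnet="10.20.0.0/16", host_glob="pgw*.epc.example.net",
            application_id=GX_APP_ID, custom=host_belongs_to_realm),
]
```

Rule order matters: the narrower REJECT for 10.20.30.0/24 is listed before the wider ACCEPT that would otherwise admit the same addresses.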
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
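The first two screening actions above, removing and rewriting AVPs, can be sketched as follows. This is an added example, not SDC code: the keyed-hash (HMAC-SHA256) pseudonym for Session-Id is one assumed anonymization technique, and the class name, removal list, key and host names are constructed.

```python
import hashlib
import hmac

REMOVED_AVPS = {"Route-Record"}  # assumed screening list: AVPs that name internal hops


class TopologyHider:
    """Screens messages leaving the trusted network and restores Session-Ids on the way back."""

    def __init__(self, key: bytes, public_host: str, public_realm: str):
        self.key = key
        self.public_host = public_host
        self.public_realm = public_realm
        self._internal_session = {}  # public Session-Id -> internal Session-Id

    def _public_session_id(self, internal: str) -> str:
        # Keyed hash: stable for one session, not reversible without the mapping table.
        tag = hmac.new(self.key, internal.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        public = f"{self.public_host};{tag}"
        self._internal_session[public] = internal
        return public

    def outbound(self, avps):
        """avps is a list of (name, value) pairs; returns the screened list."""
        screened = []
        for name, value in avps:
            if name in REMOVED_AVPS:
                continue  # drop AVPs that unveil the internal structure
            if name == "Origin-Host":
                value = self.public_host
            elif name == "Origin-Realm":
                value = self.public_realm
            elif name == "Session-Id":
                value = self._public_session_id(value)
            screened.append((name, value))
        return screened

    def inbound(self, avps):
        """Map a public Session-Id back to the internal one; unknown values pass unchanged."""
        return [(name, self._internal_session.get(value, value) if name == "Session-Id" else value)
                for name, value in avps]
```

The reverse mapping table is what lets later messages of the same session reach the right internal peer, so it has to live as long as the session does.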
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
(Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
Figure 18 Out of Session call flow of server initiated Diameter request
Redirection
The SDC routing engine supports working in redirect mode. In this mode, SDC acts as a
Diameter DNS and leases routing decisions to the clients for a predefined and configurable
amount of time.
Routing example
An example of a complex routing rule that can be implemented in SDC is shown in the
following figures.
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx Interface. The rule selects the
PCRF pool to which a particular session is routed.
- The selection is based on IMSI range
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool
Alternatively, the Routing Rule can query an external data source (as shown in Figure 21)
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
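The IMSI-range rule and the per-session persistence of its decision, as an added example (not the SDC rule grid or script from the figures). The IMSI ranges, the dictionary message model and the `SessionRouter` name are constructed assumptions; AVP names follow the RFC 4006 spelling, and only 15-digit IMSIs are accepted here.

```python
END_USER_IMSI = 1  # Subscription-Id-Type value for an IMSI (RFC 4006)

# Constructed ranges (test PLMN 001/01); bounds are inclusive 15-digit strings,
# so string comparison gives the same order as numeric comparison.
IMSI_RANGES = [
    ("001010000000000", "001010499999999", "pcrf-cluster-a"),
    ("001010500000000", "001010999999999", "pcrf-cluster-b"),
]
DEFAULT_POOL = "default"


def extract_imsi(message):
    """Return the IMSI from the grouped Subscription-Id AVP, or None if absent or malformed."""
    for group in message.get("Subscription-Id", []):
        if group.get("Subscription-Id-Type") != END_USER_IMSI:
            continue  # e.g. an E.164 entry carried next to the IMSI
        data = group.get("Subscription-Id-Data")
        if isinstance(data, str) and len(data) == 15 and data.isascii() and data.isdigit():
            return data
    return None


def select_pool(message):
    """Apply the range rule; a missing, malformed or out-of-range IMSI goes to the default pool."""
    imsi = extract_imsi(message)
    if imsi is not None:
        for low, high, pool in IMSI_RANGES:
            if low <= imsi <= high:
                return pool
    return DEFAULT_POOL


class SessionRouter:
    """Decides once per Session-Id and keeps that decision until the session ends."""

    def __init__(self):
        self.bindings = {}  # Session-Id -> pool name

    def route(self, message):
        session_id = message["Session-Id"]
        if session_id not in self.bindings:
            self.bindings[session_id] = select_pool(message)
        return self.bindings[session_id]

    def terminate(self, session_id):
        self.bindings.pop(session_id, None)
```

Later messages of a session are routed from the binding, so they reach the same pool even when they carry no Subscription-Id.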
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy (traffic is contextually distributed according to session ID)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
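Three of the policies above (By Precedence, Weighted Round Robin with the 3:2:1:1 weights, and Contextual) side by side, as an added example that is not SDC's implementation. Peer names are constructed, and hashing the Context ID with SHA-256 onto weight-proportional slots is an assumed way to realise the "predefined proportion".

```python
import hashlib

# Constructed pool with the 3:2:1:1 weights used in the text.
WEIGHTS = {"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1}


def by_precedence(pool, in_service):
    """First peer in pool order that health monitoring still reports in service."""
    for peer in pool:
        if peer in in_service:
            return peer
    return None


class WeightedRoundRobin:
    """Round-robin order, skipping peers that already reached their quota in this cycle."""

    def __init__(self, weights):
        if any(w < 1 for w in weights.values()):
            raise ValueError("weights must be positive integers")
        self.weights = dict(weights)
        self.order = list(weights)
        self.sent = dict.fromkeys(self.order, 0)
        self.pos = 0

    def pick(self, in_service=None):
        live = [p for p in self.order if in_service is None or p in in_service]
        if not live:
            return None
        if all(self.sent[p] >= self.weights[p] for p in live):
            # Every live peer has used its quota: start a new cycle.
            self.sent = dict.fromkeys(self.order, 0)
            self.pos = 0
        while True:
            peer = self.order[self.pos % len(self.order)]
            self.pos += 1
            if peer in live and self.sent[peer] < self.weights[peer]:
                self.sent[peer] += 1
                return peer


def contextual(context_id, weights, in_service=None):
    """Map a Context ID (by default the Session-Id) to one peer, in proportion to the weights."""
    slots = [peer for peer, weight in weights.items()
             if in_service is None or peer in in_service
             for _ in range(weight)]
    if not slots:
        return None
    # A cryptographic hash keeps the mapping stable across processes and restarts.
    digest = hashlib.sha256(context_id.encode("utf-8")).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]
```

In this sketch a change in pool membership changes the slot list, so Context IDs that have no stored session binding can map to a different peer afterwards.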
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory/CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
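The token bucket check and the channel and global limiters described above can be sketched as follows. This is an added example, not SDC code: the class names, the decision strings, the limits and the trace are assumptions made for illustration, and the pause stands in for the user-configurable "stop reading" interval.

```python
"""Token-bucket read limiter, per channel and global (added sketch, not SDC code)."""


class TokenBucket:
    """Holds up to `burst` tokens and gains `rate` tokens per second."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), float(now)

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are present.

        A failed check removes no tokens.
        """
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Message and byte limiters applied per peer (channel) and across all peers."""

    def __init__(self, peer_msg, peer_byte, global_msg, global_byte, pause_s):
        # Each limit is a (tokens_per_second, burst) pair chosen by the operator.
        self.peer_limits = (peer_msg, peer_byte)
        self.global_buckets = (TokenBucket(*global_msg), TokenBucket(*global_byte))
        self.peer_buckets = {}
        self.peer_paused_until = {}
        self.all_paused_until = 0.0
        self.pause_s = pause_s

    def on_message(self, peer, length, now):
        """Decide whether a message of `length` bytes may be read from `peer` at `now`."""
        if now < self.all_paused_until:
            return "GLOBAL_PAUSED"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "PEER_PAUSED"
        if peer not in self.peer_buckets:
            self.peer_buckets[peer] = tuple(
                TokenBucket(rate, burst, now) for rate, burst in self.peer_limits)
        costs = (1, length)  # message bucket pays 1 token, byte bucket pays `length`
        buckets = self.peer_buckets[peer]
        if not all(b.has(c, now) for b, c in zip(buckets, costs)):
            self.peer_paused_until[peer] = now + self.pause_s  # stop reading this peer
            return "PEER_PAUSED"
        if not all(b.has(c, now) for b, c in zip(self.global_buckets, costs)):
            self.all_paused_until = now + self.pause_s  # stop reading from all peers
            return "GLOBAL_PAUSED"
        # Tokens are removed only after every bucket has been found to conform.
        for bucket, cost in zip(buckets + self.global_buckets, costs * 2):
            bucket.take(cost)
        return "READ"


# Constructed trace: (time in seconds, peer name, message length in bytes).
SAMPLE_TRACE = [
    (0.0, "A", 200), (0.1, "A", 200), (0.2, "A", 200),   # peer A bursts
    (0.3, "B", 200), (0.4, "B", 200), (0.5, "C", 200),   # total rate climbs
    (1.0, "B", 200), (1.6, "A", 200),
]


def run_trace(limiter, trace):
    return [limiter.on_message(peer, length, now) for now, peer, length in trace]


def demo():
    limiter = ReadLimiter(peer_msg=(2, 2), peer_byte=(1000, 1000),
                          global_msg=(3, 3), global_byte=(5000, 5000), pause_s=1.0)
    return run_trace(limiter, SAMPLE_TRACE)


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_TRACE, demo()):
        print(event, decision)
```

In the trace, peer A is paused on its own message bucket while B is still read, and the third peer tips the global message bucket, which pauses reading from every peer.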
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that ensures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal

Diameter message header layout:
Bit offset | 0-7     | 8-31
0          | version | message length
32         | R P E T | command code
64         | application ID
96         | hop-by-hop ID
128        | end-to-end ID
160        | AVPs
When prioritization is performed using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
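A header-only priority lookup of the kind described above can be written as a first-match table over the R bit, T bit, command code and application ID. This is an added example, not SDC code: the table rows, the function names and the sample headers are constructed, with standard code points (Credit-Control command 272 and application 4, Gx 16777238, Rx 16777236, AA command 265).

```python
import struct

HIGH, NORMAL = "High", "Normal"
ANY = None  # "does not matter" in the priority table

FLAG_R, FLAG_T = 0x80, 0x10  # request and retransmit bits of the flags octet


def parse_header(data):
    """Extract the fields used for prioritization from the 20-byte Diameter header."""
    if len(data) < 20:
        raise ValueError("a Diameter header is 20 bytes long")
    ver_len, flags_code, app_id = struct.unpack_from("!III", data)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1 or length < 20 or length % 4:
        raise ValueError("not a valid Diameter header")
    flags = flags_code >> 24
    return {
        "is_answer": not (flags & FLAG_R),        # R bit set means request
        "is_retransmit": bool(flags & FLAG_T),
        "command_code": flags_code & 0xFFFFFF,
        "application_id": app_id,
    }


# Constructed table: (is answer, is retransmit, command code, application ID, priority).
PRIORITY_TABLE = [
    (True, ANY, 272, 4, HIGH),         # CCA over CCR for Credit-Control (application 4)
    (ANY, ANY, ANY, 16777238, HIGH),   # Gx (16777238) over Rx (16777236)
]
# Optional row, e.g. after an overload has ceased: favour retransmitted messages.
T_BIT_RULE = (ANY, True, ANY, ANY, HIGH)


def classify(data, table):
    """Return the priority of the first matching row, or Normal when none matches."""
    hdr = parse_header(data)
    fields = (hdr["is_answer"], hdr["is_retransmit"],
              hdr["command_code"], hdr["application_id"])
    for *pattern, priority in table:
        if all(want is ANY or want == got for want, got in zip(pattern, fields)):
            return priority
    return NORMAL


def build_header(flags, command_code, application_id):
    """Build a constructed 20-byte header (no AVPs) for the examples below."""
    return struct.pack("!IIIII", (1 << 24) | 20, (flags << 24) | command_code,
                       application_id, 1, 1)


# Constructed sample headers.
CCR_GY = build_header(0xC0, 272, 4)           # request
CCA_GY = build_header(0x40, 272, 4)           # answer
CCR_GX = build_header(0xC0, 272, 16777238)
AAR_RX = build_header(0xC0, 265, 16777236)
AAR_RX_RETX = build_header(0xD0, 265, 16777236)  # T bit set
```

Because the lookup touches only the fixed header, no AVP decoding is needed, which is the cost the preceding paragraph attributes to AVP-based prioritization.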
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS Web Access, SNMP/Syslog, Fault and Performance Manager, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View (diagram labels: "Scalable Mode" SDC Node; clients and servers backbones; external network; interconnect; management network; scalable, 12 blades; SDC Blades 1 to 12, each with SDC Engine and VIP (Active on Blade 1, Standby on the others); Web Interface, Config Mgr and Distributed Storage)
Figure 34: Scalable Deployment Logical View (diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engines; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; clients and servers)
Figure 35: Main Software Processes (diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI / WS, Diameter VIP and Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation (diagram labels: SDC nodes, each with Diameter VIP, Management VIP and Physical IP; Configuration Manager; Web UI / WS; Management Workstation; Client; Session Replication; flow steps 1, 2 and 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation (diagram labels: SDC nodes, each with Diameter VIP, Management VIP and Physical IP; Configuration Manager; Web UI / WS; Management Workstation; Client; Session Replication; flow steps 1, 2 and 3)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware - RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
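The CER screening described in 11.5 can be illustrated with a small first-match ACL over the peer's source address and AVPs taken from the CER. This is an added example, not SDC code or its configuration syntax: the Rule fields, the default-REJECT choice, the rule set and the sample messages are assumptions, and the AVP codes are those of the Diameter base protocol (RFC 6733).

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Command and AVP codes from the Diameter base protocol (RFC 6733).
CER_COMMAND_CODE = 257
AUTH_APPLICATION_ID, ORIGIN_HOST, PRODUCT_NAME, ORIGIN_REALM = 258, 264, 269, 296
ACCEPT, REJECT = "ACCEPT", "REJECT"


def parse_avps(body):
    """Return {avp_code: [raw values]}; raise ValueError on a malformed AVP."""
    avps, off = {}, 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", body, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8           # V bit adds a 4-byte Vendor-Id
        if length < hdr or off + length > len(body):
            raise ValueError("AVP length outside the message")
        avps.setdefault(code, []).append(body[off + hdr:off + length])
        off += (length + 3) & ~3                  # AVPs are padded to 32 bits
    return avps


@dataclass
class Rule:
    """One ACL row; a field left as None does not take part in the match."""
    action: str
    subnet: Optional[str] = None
    realm: Optional[str] = None
    app_id: Optional[int] = None
    product: Optional[str] = None

    def matches(self, src_ip, avps):
        if self.subnet and (ipaddress.ip_address(src_ip)
                            not in ipaddress.ip_network(self.subnet)):
            return False
        if self.realm and self.realm.encode() not in avps.get(ORIGIN_REALM, []):
            return False
        if self.app_id is not None:
            ids = [struct.unpack("!I", v)[0]
                   for v in avps.get(AUTH_APPLICATION_ID, []) if len(v) == 4]
            if self.app_id not in ids:
                return False
        if self.product and self.product.encode() not in avps.get(PRODUCT_NAME, []):
            return False
        return True


def screen_cer(src_ip, message, rules):
    """First matching rule decides; malformed or unmatched CERs are rejected."""
    try:
        if len(message) < 20:
            raise ValueError("short header")
        ver_len, flags_code = struct.unpack_from("!II", message)
        if (ver_len >> 24) != 1 or (ver_len & 0xFFFFFF) != len(message):
            raise ValueError("bad version or message length")
        if (flags_code & 0xFFFFFF) != CER_COMMAND_CODE or not (flags_code >> 24) & 0x80:
            raise ValueError("not a Capabilities-Exchange-Request")
        avps = parse_avps(message[20:])
    except ValueError:
        return REJECT
    for rule in rules:
        if rule.matches(src_ip, avps):
            return rule.action
    return REJECT


def avp(code, data):
    """Encode one AVP with the M flag set (helper for the constructed samples)."""
    length = 8 + len(data)
    return struct.pack("!II", code, (0x40 << 24) | length) + data + b"\x00" * (-length % 4)


def build_cer(*avps):
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                       (0x80 << 24) | CER_COMMAND_CODE, 0, 1, 1) + body


# Constructed sample messages and rules.
SAMPLE_CER = build_cer(avp(ORIGIN_HOST, b"pcrf1.operator.example"),
                       avp(ORIGIN_REALM, b"operator.example"),
                       avp(PRODUCT_NAME, b"constructed-pcrf"),
                       avp(AUTH_APPLICATION_ID, struct.pack("!I", 16777238)))
LEGACY_CER = build_cer(avp(ORIGIN_HOST, b"gw9.operator.example"),
                       avp(ORIGIN_REALM, b"operator.example"),
                       avp(PRODUCT_NAME, b"legacy-gw"),
                       avp(AUTH_APPLICATION_ID, struct.pack("!I", 16777238)))
SAMPLE_RULES = [
    Rule(REJECT, product="legacy-gw"),
    Rule(ACCEPT, subnet="10.0.0.0/24", realm="operator.example", app_id=16777238),
]
```

Rejecting on any parse failure keeps a peer from passing the ACL with a CER whose length fields do not add up.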
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Diagram: Blade Chassis with SDC Worker Nodes, Virtual Fabric Switch 1 and 2 (external
ports: 10 x 10GbE + 1 x 1GB port), L2/3 1GB Copper Switch A and B, interswitch links,
in-band connections to upstream routers, and Virtual IPs for SCTP and TCP (all VIPs are
doubled per Internal and External Networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection: One IP Address per hardware blade plus
one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup
Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring:
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC keeps records of all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
[Diagram labels: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary,
External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation,
In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation,
Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder,
Peer FSM, Out Transformation, Remove Pending Session, P2P Message, Decision Table,
Message Flow, Decision Flow, Groovy Scripting]
Figure 58 Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high-capacity, high-performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
Figure 19 Routing Rule Attributes
Figure 20 Routing Rule
The routing rule shown in Figure 20 is applied on the Gx interface. The rule selects the
PCRF pool to which a particular session is routed:
- The selection is based on IMSI range.
- The IMSI value is retrieved from the Subscription-ID-Data AVP, which is part of the
grouped AVP called Subscription-ID, and compared to two ranges of IMSIs:
o The first range is routed to "pcrf-cluster-a"
o The second range is routed to "pcrf-cluster-b"
- If the Subscription-ID-Data AVP is missing or the IMSI is not in range, the system
routes the traffic to the "default" pool.
Alternatively, the Routing Rule can query an external data source, as shown in Figure 21,
to obtain the routing decision.
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them, and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the
pool using a "Context ID". The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the
Diameter Session ID. The weight of each Diameter peer in the pool is set according to its
capacity and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
[Diagram: Clients/Internet, Router, SDC and Remote Peers; traffic is contextually
distributed according to session ID]
Figure 23 Contextual Policy
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
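The Weighted Round Robin quota rule and the Contextual mapping described in this section, as an added example in Python (not code from the SDC product): four peers with weights 3, 2, 1 and 1, with out-of-service peers skipped. The peer names, the class and function names and the use of SHA-256 as the Context ID hash are assumptions of this example.

```python
import hashlib

# Constructed pool: peer name -> weight (requests served per cycle).
POOL = {"pcrf-1": 3, "pcrf-2": 2, "pcrf-3": 1, "pcrf-4": 1}


class WeightedRoundRobin:
    """Round robin in which each peer serves at most `weight` requests per cycle."""

    def __init__(self, weights):
        self.weights = dict(weights)
        self.order = list(self.weights)
        self.used = dict.fromkeys(self.order, 0)
        self.out_of_service = set()      # filled by health monitoring
        self.cursor = 0

    def next_peer(self):
        live = [p for p in self.order if p not in self.out_of_service]
        if not live:
            raise RuntimeError("no peer in service")
        if all(self.used[p] >= self.weights[p] for p in live):
            # Every live peer reached its quota: start a new cycle.
            self.used = dict.fromkeys(self.order, 0)
            self.cursor = 0
        for step in range(len(self.order)):
            index = (self.cursor + step) % len(self.order)
            peer = self.order[index]
            # Walk the pool in order, skipping peers that are out of service
            # or have already reached their quota in this cycle.
            if peer in live and self.used[peer] < self.weights[peer]:
                self.used[peer] += 1
                self.cursor = index + 1
                return peer
        raise AssertionError("unreachable: some live peer is below its quota")


def contextual_peer(context_id, weights):
    """Map a Context ID (by default the Diameter Session-Id) to one peer.

    The same Context ID always lands on the same peer while the pool is
    unchanged, and peers receive Context IDs in proportion to their weight.
    """
    slots = [peer for peer, weight in weights.items() for _ in range(weight)]
    digest = hashlib.sha256(context_id.encode()).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


if __name__ == "__main__":
    balancer = WeightedRoundRobin(POOL)
    print([balancer.next_peer() for _ in range(7)])
    print(contextual_peer("pcef1.example.net;1;1", POOL))
```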
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user-configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Diagram: Client and Server Peers exchange Request and Response messages through the
Transformation Engine in both the Client->Server and Client<-Server directions]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message-oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that
the message rate limiter counts and limits the number of incoming messages, and the byte
rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are
user-configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
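The token bucket applied the way the channel and global limiters above are described, as an added example in Python (not code from the SDC product): each scope has a message bucket and a byte bucket, and a scope that sees non-conforming traffic stops reading for its pause time. The class names, limits, pause times and peer names are assumptions of this example; time is passed in explicitly so that runs are repeatable.

```python
class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)   # tokens/s, capacity
        self.tokens, self.stamp = float(burst), 0.0

    def conforms(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens exist."""
        if now > self.stamp:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class Limiter:
    """Message-rate and byte-rate buckets for one scope (a channel, or global)."""

    def __init__(self, msgs_per_s, msg_burst, bytes_per_s, byte_burst, pause_s):
        self.messages = TokenBucket(msgs_per_s, msg_burst)
        self.octets = TokenBucket(bytes_per_s, byte_burst)
        self.pause_s = pause_s
        self.paused_until = 0.0

    def paused(self, now):
        return now < self.paused_until

    def conforms(self, size, now):
        ok = self.messages.conforms(1, now) and self.octets.conforms(size, now)
        if not ok:
            # Non-conforming: bucket contents stay unchanged, reading stops.
            self.paused_until = now + self.pause_s
        return ok

    def commit(self, size):
        self.messages.take(1)
        self.octets.take(size)


class Ingress:
    """Decides, per received message, whether the reader may accept it."""

    def __init__(self, global_limits, channel_limits):
        self.global_limiter = Limiter(*global_limits)
        self.channel_limits = channel_limits
        self.channels = {}

    def admit(self, peer, size, now):
        """Return 'read', 'channel-paused' or 'global-paused'."""
        if self.global_limiter.paused(now):
            return "global-paused"
        if peer not in self.channels:
            self.channels[peer] = Limiter(*self.channel_limits)
        channel = self.channels[peer]
        if channel.paused(now) or not channel.conforms(size, now):
            return "channel-paused"
        if not self.global_limiter.conforms(size, now):
            return "global-paused"
        # Tokens are removed only once every bucket has accepted the message.
        channel.commit(size)
        self.global_limiter.commit(size)
        return "read"


def demo():
    """Constructed traffic: peer-a bursts past its 5-message channel limit."""
    ingress = Ingress(global_limits=(100, 100, 1_000_000, 1_000_000, 1.0),
                      channel_limits=(5, 5, 10_000, 10_000, 2.0))
    events = [("peer-a", 100, 0.0)] * 6 + [
        ("peer-a", 100, 0.5), ("peer-b", 100, 0.5), ("peer-a", 100, 2.0)]
    return [ingress.admit(peer, size, now) for peer, size, now in events]


if __name__ == "__main__":
    print(demo())
```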
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user-configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header: R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

| Bit offset | 0-7 | 8-31 |
| 0 | version | message length |
| 32 | R P E T | command code |
| 64 | application ID |
| 96 | hop-by-hop ID |
| 128 | end-to-end ID |
| 160 | AVPs |
When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5 on the latency.
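Header-based prioritization as described above, as an added example in Python (not code from the SDC product): it decodes the fixed Diameter header and matches the R bit, T bit, command code and application ID against a priority table in which any column may be "does not matter". The three rules, the function names and the sample headers are assumptions of this example.

```python
import struct
from collections import namedtuple

Header = namedtuple(
    "Header", "length is_answer is_retransmit command_code application_id")

GX, RX = 16777238, 16777236     # 3GPP Gx and Rx application ids
CREDIT_CONTROL = 272            # CCR/CCA command code

# Constructed priority table; None means "does not matter". First match wins.
# Columns: is answer, is retransmit, command code, application id, priority.
RULES = [
    (True, None, CREDIT_CONTROL, None, "high"),   # CCA over CCR
    (None, True, None, None, "high"),             # retransmissions (T bit set)
    (None, None, None, GX, "high"),               # Gx over Rx
]


def parse_header(data):
    """Decode the fixed 20-octet Diameter header."""
    if len(data) < 20:
        raise ValueError("need 20 octets for a Diameter header")
    word0, word1, application_id = struct.unpack_from("!III", data)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, command_code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1 or length < 20 or length % 4:
        raise ValueError("invalid version or message length")
    # The R bit (0x80) marks a request, so an answer has it clear; T is 0x10.
    return Header(length, not flags & 0x80, bool(flags & 0x10),
                  command_code, application_id)


def priority(header, rules=RULES):
    """Return the priority of the first matching rule, or 'normal' if none match."""
    observed = (header.is_answer, header.is_retransmit,
                header.command_code, header.application_id)
    for *wanted, level in rules:
        if all(w is None or w == o for w, o in zip(wanted, observed)):
            return level
    return "normal"


def classify(data):
    """Priority of a raw message, decided from its header only."""
    return priority(parse_header(data))


def make_header(flags, command_code, application_id, length=20):
    """Build a constructed header; hop-by-hop and end-to-end ids are set to 1."""
    return struct.pack("!IIIII", (1 << 24) | length,
                       (flags << 24) | command_code, application_id, 1, 1)


if __name__ == "__main__":
    samples = {
        "CCA, application 4": make_header(0x40, 272, 4),
        "CCR, application 4": make_header(0xC0, 272, 4),
        "retransmitted CCR": make_header(0xD0, 272, 4),
        "RAR on Gx": make_header(0xC0, 258, GX),
        "AAR on Rx": make_header(0xC0, 265, RX),
    }
    for name, raw in samples.items():
        print(name, "->", classify(raw))
```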
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user-configurable. After the overload condition has ceased, it is possible to assign higher
priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the errors events exceeds the user configurable threshold the Diameter peer
server is considered ldquoout of servicerdquo for a certain time interval The time interval duration
is user configurable During the ldquoout of servicerdquo period the server does not handle new
Diameter sessions
96 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanism that
can perform a wide range of tests from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests It is possible to have multiple monitors perform any test that is required
in order to assure service availability These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring eg by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX or using synthetic transactions The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
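The watchdog behaviour described above can be written as a small state machine. The following Python code is an added example, not SDC code: the class name, the answer_timeout and reconnect_interval parameters and the event timeline are assumptions made for illustration, and transport reconnection is left out.

```python
from dataclasses import dataclass
from typing import Optional

# Command names only: DWR/DWA are Device-Watchdog (code 280) and CER/CEA are
# Capabilities-Exchange (code 257) in the Diameter base protocol.
DWR, DWA, CER, CEA = "DWR", "DWA", "CER", "CEA"


@dataclass
class PeerWatchdog:
    """Connectivity state for one Diameter peer, driven by an injected clock."""
    idle_interval: float       # seconds without traffic before a DWR is sent
    answer_timeout: float      # assumed parameter: seconds to wait for the DWA
    reconnect_interval: float  # assumed parameter: seconds between CER attempts
    state: str = "CONNECTED"
    last_rx: float = 0.0
    dwr_sent_at: Optional[float] = None
    last_cer_at: Optional[float] = None

    def on_receive(self, now, command):
        """Record an incoming message and return the messages to send in reply."""
        if self.state == "DISCONNECTED":
            if command == CEA:  # the peer answered the CER: the link is back
                self.state, self.last_rx, self.dwr_sent_at = "CONNECTED", now, None
            return []
        self.last_rx = now
        if command == DWA:
            self.dwr_sent_at = None  # only a DWA clears the pending probe
        return [DWA] if command == DWR else []  # a peer's own DWR is always answered

    def tick(self, now):
        """Run the timers at time `now` and return the messages to send."""
        if self.state == "DISCONNECTED":
            if now - self.last_cer_at >= self.reconnect_interval:
                self.last_cer_at = now
                return [CER]  # retry connection establishment
            return []
        if self.dwr_sent_at is not None:
            if now - self.dwr_sent_at >= self.answer_timeout:
                self.state, self.dwr_sent_at, self.last_cer_at = "DISCONNECTED", None, now
                return [CER]  # no DWA arrived: declare the peer down and reconnect
            return []
        if now - self.last_rx >= self.idle_interval:
            self.dwr_sent_at = now
            return [DWR]  # the link has been idle: probe the peer
        return []


def replay(events, **timers):
    """Feed (time, kind, command) events to a watchdog; return (time, sent, state) rows."""
    watchdog, rows = PeerWatchdog(**timers), []
    for now, kind, command in events:
        sent = watchdog.tick(now) if kind == "tick" else watchdog.on_receive(now, command)
        rows.append((now, sent, watchdog.state))
    return rows


# Constructed timeline: the peer answers the first probe, then stops responding.
TIMELINE = [
    (10, "rx", "ULA"), (25, "tick", None), (40, "tick", None), (41, "rx", DWA),
    (70, "tick", None), (71, "tick", None), (76, "tick", None), (100, "tick", None),
    (106, "tick", None), (107, "rx", CEA),
]

if __name__ == "__main__":
    for row in replay(TIMELINE, idle_interval=30, answer_timeout=6, reconnect_interval=30):
        print(row)
```

Because the clock is passed in, the same class can be driven from a real timer loop or replayed against recorded peer events when tuning the intervals.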
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform comprises the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for distributing the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture (diagram showing the Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), Fault and Performance Manager, and Security and Administration Manager)
The Management function provides the following capabilities:
• SDC Cluster node configuration and management
• Remote Peer configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. Every fault situation raises an appropriate alarm. Recovery from a fault
situation is also reported, with the associated clearance alarm.
10.2 Tracing and Logging
The OAM manages component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM monitors manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistics collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, protection of communication links, and logging of
management operations.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by the OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful software and hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance if it is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM supports backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resource
management in the solution.
- The SDC core process is responsible for processing of Diameter or other
message-oriented protocols, e.g. security, routing, load balancing and message
transformation.
- The Config Manager process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33: Scalable Deployment Physical View (diagram of a "Scalable Mode" SDC Node with 12 blades, each running an SDC Engine, with VIP (Active/Standby), Web Interface, Config Mgr and Distributed Storage, between the Clients Backbone and the Servers Backbone)
Figure 34: Scalable Deployment Logical View (diagram showing the HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-I (IPSEC, TCP), FEP-O (SCTP, TCP), Web UI and SOAP)
Figure 35: Main Software Processes (diagram of SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides on the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (diagram of Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI / WS, sharing the Diameter VIP and Management VIP, with session replication between the nodes; Client Peer, Server Peer and Management Workstation attached)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture - Normal operation (diagram of SDC nodes, each with a physical IP, sharing the Diameter VIP and Management VIP, with Configuration Manager, Web UI / WS and session replication; Client and Management Workstation attached; request steps numbered 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture - Failure operation (same node layout as the normal-operation diagram, with request steps numbered 1 to 3)
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides a fast response to any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware - RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Failure Type | Failure Detection Method | Automatic Remedy Action
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, of which 5K TPS are new sessions,
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure the availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
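The CER-based access control of section 11.5 and the length enforcement and AVP screening of section 11.6 can be illustrated together. The following Python code is an added example, not SDC code: the rule format, the 8192-byte limit, the function names and the sample peer identities are assumptions, replacing Origin-Host/Origin-Realm with the gateway's own identity is just one possible rewriting technique, and the sample CER is trimmed to the AVPs the rules inspect.

```python
import ipaddress
import struct

# Command and AVP codes from the Diameter base protocol (RFC 6733).
CER, AUTH_APPLICATION_ID, ORIGIN_HOST, PRODUCT_NAME, ORIGIN_REALM = 257, 258, 264, 269, 296
MAX_MESSAGE_LENGTH = 8192  # assumed operator-configured limit


def avp(code, data, flags=0x40):
    """Encode one non-vendor AVP, zero-padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def message(command, avps, flags=0x80, ids=(0, 1, 1)):
    """Encode a message; ids = (Application-ID, Hop-by-Hop, End-to-End)."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", *ids) + body)


def parse(raw, max_len=MAX_MESSAGE_LENGTH):
    """Return (command, [(code, flags, data, encoded)]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds the configured maximum length")
    if declared != len(raw) or declared % 4:
        raise ValueError("declared length does not match the received bytes")
    avps, off = [], 20
    while off < declared:
        if declared - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        header = 12 if flags & 0x80 else 8  # the V bit adds a 4-byte Vendor-Id
        if alen < header or off + alen > declared:
            raise ValueError("AVP length out of bounds")
        end = off + alen + (-alen % 4)
        avps.append((code, flags, raw[off + header:off + alen], raw[off:end]))
        off = end
    return int.from_bytes(raw[5:8], "big"), avps


def evaluate_cer(raw, source_ip, rules, default="REJECT"):
    """Return the action of the first matching rule; malformed input is rejected."""
    try:
        command, avps = parse(raw)
    except ValueError:
        return "REJECT"
    if command != CER or not raw[4] & 0x80:  # must be a request with code 257
        return "REJECT"
    plain = [(c, d) for c, f, d, _ in avps if not f & 0x80]
    host = next((d for c, d in plain if c == ORIGIN_HOST), b"").decode("ascii", "replace").lower()
    product = next((d for c, d in plain if c == PRODUCT_NAME), b"").decode("utf-8", "replace")
    apps = {int.from_bytes(d, "big") for c, d in plain if c == AUTH_APPLICATION_ID}
    ip = ipaddress.ip_address(source_ip)  # taken from the transport, never from an AVP
    for rule in rules:
        if "subnet" in rule and ip not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "host_suffix" in rule and not host.endswith(rule["host_suffix"]):
            continue
        if "product" in rule and product != rule["product"]:
            continue
        if "app_id" in rule and rule["app_id"] not in apps:
            continue
        return rule["action"]
    return default


def hide_topology(raw, own_host, own_realm, drop=frozenset()):
    """Rewrite Origin-Host/Origin-Realm and remove the AVP codes listed in `drop`."""
    command, avps = parse(raw)
    rewrite = {ORIGIN_HOST: own_host.encode(), ORIGIN_REALM: own_realm.encode()}
    out = []
    for code, flags, _, encoded in avps:
        base = not flags & 0x80  # vendor-specific AVPs are passed through untouched
        if base and code in drop:
            continue
        out.append(avp(code, rewrite[code], flags) if base and code in rewrite else encoded)
    return message(command, out, raw[4], struct.unpack_from("!III", raw, 8))


# Constructed sample data: names, addresses and rules are illustrative only.
RULES = [
    {"subnet": "10.20.0.0/16", "host_suffix": ".epc.example.net",
     "app_id": 16777251, "action": "ACCEPT"},
    {"product": "legacy-probe", "action": "REJECT"},
]
SAMPLE_CER = message(CER, [
    avp(ORIGIN_HOST, b"mme01.epc.example.net"),
    avp(ORIGIN_REALM, b"epc.example.net"),
    avp(PRODUCT_NAME, b"example-mme", flags=0),
    avp(AUTH_APPLICATION_ID, (16777251).to_bytes(4, "big")),
])
```

The policy defaults to REJECT and treats any parse failure as a rejection, so an oversized or truncated CER never reaches rule evaluation.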
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security measures:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as are internal and external
signaling networks
- The SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. Network redundancy is achieved using redundant pairs of switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- The TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution is done based on Diameter
messages, using round-robin or another load balancing algorithm
- The TCP and SCTP VIPs are not dependent on each other
Figure 43: Local Network redundancy architecture (diagram of a blade chassis with SDC Worker Nodes, Virtual Fabric Switches 1 and 2 with external ports, L2/3 1GB Copper Switches A and B, EXT/INT SCTP and TCP networks, MGMT-A and MGMT-B, inter-switch links, and Virtual IPs for SCTP and TCP on the internal and external networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
    Note:
    • Additional addresses per signaling interface are supported
    • Multiple signaling interfaces are supported
    • Multiple Networks and/or VLANs supported
    • IPv4 and IPv6 are supported
    • SCTP Multi-Homing supported
    • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
      will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
    • Additional Management VIPs are supported
    • Multiple addresses per blade are supported
    • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
    • Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
    • 2 for Advanced Management Modules
    • 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A - OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element: SDC Management
Access Control Model: Permission-based model
Access Method: Web Management Console, Web Services
Role/Permission and Permission Description:
• Read-Only User: Read-Only Access
• Operator: Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
• Super-User (Administrator): Full Access

Solution Element: Operating System
Access Control Model: Permission and Group-based model
Access Method: SSH, SFTP
Role/Permission and Permission Description:
• Read-Only User: Read-only access to logs, system files and information
• Operator: (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
• Super-User (Administrator): Full access

Solution Element: Chassis Hardware Management
Access Control Model: Role and Permission-based model
Access Method: Web Management Console, SNMP, SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Super-User (Administrator): Full access
• Custom Role set: (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements

Solution Element: Networking Hardware Management
Access Control Model: Permission-based model
Access Method: SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
• Super-User (Administrator): Full access

Solution Element: SNMP Monitoring and Management
Access Control Model: USM (User-based security model)
Access Method: SNMP
Role/Permission and Permission Description:
• USM user: Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.[2]
Figure 58 Detailed System Flow (diagram; labels recoverable from it: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, P2P Message, Decision Table; legend: Message Flow, Decision Flow, Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
• Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
• Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
• Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
Figure 21 Sample routing script using external data source
The routing decision is made upon Diameter Session establishment. The decision persists
for the duration of the Diameter session.
8.4 Load Balancing
SDC offers several load balancing policies. Load balancing policies define the pattern
according to which the system decides how to distribute control plane traffic across the
peer nodes in the pool.
This section details the different policies according to which the load balancing mechanism
may operate, explains the differences between them and describes the conditions under
which each policy should be used.
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
Contextual load balancing policy maps the messages to a list of available peers in the pool
using a “Context ID”. The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy (diagram showing Clients/Internet, Router, SDC and Remote Peers; annotation: “Traffic is contextually distributed according to session ID”)
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool’s available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool’s
available Diameter peers according to a predefined proportion defined by a peer’s weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool’s available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request’s destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
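Added example (not SDC code): a sketch of the By Precedence, Weighted Round Robin and Contextual policies described above, run against a pool weighted 3:2:1:1. The Peer and Pool classes, the peer names and the SHA-256 slot mapping are assumptions made for illustration; the product description does not say how SDC hashes a Context ID.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    weight: int = 1          # relative capacity, assumed >= 1
    in_service: bool = True  # toggled by health monitoring / overload detection
    sent: int = 0            # messages sent in the current WRR cycle


class Pool:
    """Hypothetical peer pool used only for this illustration."""

    def __init__(self, peers):
        self.peers = list(peers)
        self._cursor = 0

    def _available(self):
        avail = [p for p in self.peers if p.in_service]
        if not avail:
            raise RuntimeError("no peer in service")
        return avail

    def by_precedence(self):
        # First in-service peer in configured order; later peers are fallbacks.
        return self._available()[0]

    def weighted_round_robin(self):
        avail = self._available()
        if all(p.sent >= p.weight for p in avail):
            # Every available peer has used its quota: start a new cycle.
            for p in self.peers:
                p.sent = 0
            self._cursor = 0
        n = len(self.peers)
        for step in range(n):
            idx = (self._cursor + step) % n
            peer = self.peers[idx]
            # Round-robin order, skipping peers that already reached their quota.
            if peer.in_service and peer.sent < peer.weight:
                peer.sent += 1
                self._cursor = (idx + 1) % n
                return peer
        raise RuntimeError("unreachable: an available peer is below quota")

    def contextual(self, context_id):
        # Expand available peers into weight-proportional slots, then pick a
        # slot from a hash of the Context ID (default: Diameter Session-Id).
        # The same Context ID maps to the same peer while the pool is unchanged.
        slots = [p for p in self._available() for _ in range(p.weight)]
        digest = hashlib.sha256(context_id.encode("utf-8")).digest()
        return slots[int.from_bytes(digest[:8], "big") % len(slots)]


def sample_pool():
    # Constructed peer names; weights follow the 3:2:1:1 example in the text.
    return Pool([Peer("hss-a", 3), Peer("hss-b", 2), Peer("hss-c", 1), Peer("hss-d", 1)])


if __name__ == "__main__":
    pool = sample_pool()
    print([pool.weighted_round_robin().name for _ in range(7)])
    print(pool.contextual("client.example;1;42").name)
    pool.peers[0].in_service = False
    print(pool.by_precedence().name)
```

With a plain modulo mapping like this one, taking a peer out of service remaps some existing Context IDs, so session state replication or a consistent-hashing scheme is needed if stickiness must survive pool changes.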
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation (diagram showing Client, Peer, Transformation Engine, Peer and Server, with Request and Response arrows in the Client → Server and Client ← Server directions)
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected high memory/CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness.[1]
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
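Added example (not SDC code): a token-bucket message and byte limiter applied per channel and then globally, with the read pause described above, run over constructed traffic in which one peer floods while another stays within its limit. Class names, peer names and all rates, bursts and pause values are assumptions; the escalation to the overload protection mechanism is not modelled.

```python
from collections import Counter


class TokenBucket:
    """Token bucket: `rate` tokens are added per second, up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = float(burst)  # start full
        self.stamp = 0.0            # time of the last refill, in seconds

    def refill(self, now):
        if now > self.stamp:
            self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now


class Limiter:
    """Message-rate and byte-rate limiter with a read pause, for one scope."""

    def __init__(self, msgs_per_s, msg_burst, bytes_per_s, byte_burst, pause_s):
        self.msgs = TokenBucket(msgs_per_s, msg_burst)
        self.bytes = TokenBucket(bytes_per_s, byte_burst)
        self.pause_s = pause_s
        self.paused_until = 0.0

    def allow(self, size, now):
        if now < self.paused_until:
            return False                  # reading is still suspended
        self.msgs.refill(now)
        self.bytes.refill(now)
        if self.msgs.tokens >= 1 and self.bytes.tokens >= size:
            self.msgs.tokens -= 1         # one token per message
            self.bytes.tokens -= size     # one token per byte
            return True
        # Non-conforming: bucket contents stay unchanged, reading is suspended.
        self.paused_until = now + self.pause_s
        return False


class Reader:
    """Checks the per-peer (channel) limiter first, then the global limiter."""

    def __init__(self, channel_cfg, global_cfg):
        self.channel_cfg = channel_cfg
        self.channels = {}
        self.global_limiter = Limiter(**global_cfg)

    def admit(self, peer, size, now):
        if peer not in self.channels:
            self.channels[peer] = Limiter(**self.channel_cfg)
        if not self.channels[peer].allow(size, now):
            return "channel-paused"       # only the offending peer is held back
        if not self.global_limiter.allow(size, now):
            return "global-paused"
        return "read"


def simulate(reader, events):
    """events: (time_s, peer, size_bytes) tuples. Returns Counter[(peer, outcome)]."""
    outcomes = Counter()
    for now, peer, size in sorted(events):
        outcomes[(peer, reader.admit(peer, size, now))] += 1
    return outcomes


# Assumed limits, chosen only for the demonstration.
CHANNEL = dict(msgs_per_s=100, msg_burst=20, bytes_per_s=1_000_000,
               byte_burst=1_000_000, pause_s=0.5005)
GLOBAL = dict(msgs_per_s=1000, msg_burst=200, bytes_per_s=10_000_000,
              byte_burst=10_000_000, pause_s=0.1005)


def flood_scenario():
    # Constructed traffic: "faulty-peer" sends 1000 messages in one second,
    # "mme-1" sends 10 messages in the same second.
    events = [(i * 0.001, "faulty-peer", 200) for i in range(1000)]
    events += [(0.05 + k * 0.1, "mme-1", 200) for k in range(10)]
    return simulate(Reader(CHANNEL, GLOBAL), events)


if __name__ == "__main__":
    for key, count in sorted(flood_scenario().items()):
        print(key, count)
```

The per-channel check runs before the global one so that a single flooding peer exhausts its own bucket without draining the budget shared by well-behaved peers.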
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Priority table columns and allowed values:
• Is Answer (R bit): yes / no / does not matter
• Is Retransmit (T bit): yes / no / does not matter
• Command code: 24 bit integer / does not matter
• Application ID: 32 bit integer / does not matter
• Priority: High / Normal

Diameter header layout:
Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs

When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
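Added example (not SDC code): parsing the 20-byte Diameter header laid out above, validating it, and matching it against a priority table in which any field may be "does not matter". The rule list, function names and sample messages are constructed for illustration; the command codes (272 Credit-Control, 265 AA) and application IDs (4 Credit-Control, 16777238 Gx, 16777236 Rx) are the standard registered values.

```python
import struct
from typing import NamedTuple, Optional

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HEADER_LEN = 20


class Header(NamedTuple):
    length: int
    flags: int
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int

    @property
    def is_answer(self):
        # RFC 6733: the R bit is set on requests, so an answer has R cleared.
        return not (self.flags & FLAG_R)

    @property
    def is_retransmit(self):
        return bool(self.flags & FLAG_T)


def parse_header(data: bytes) -> Header:
    """Parse and validate a Diameter header; raise ValueError if malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("fewer than 20 header bytes")
    ver_len, flags_code, app_id, hbh, e2e = struct.unpack("!IIIII", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    # Length covers header plus AVPs, is a multiple of 4, and must fit the buffer.
    if length < HEADER_LEN or length % 4 or length > len(data):
        raise ValueError("inconsistent message length")
    return Header(length, flags, code, app_id, hbh, e2e)


class Rule(NamedTuple):
    is_answer: Optional[bool]       # None means "does not matter"
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str                   # "high" or "normal"


def classify(header: Header, rules) -> str:
    """First matching rule wins; normal priority if nothing matches."""
    actual = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for rule in rules:
        if all(want is None or want == got for want, got in zip(rule[:4], actual)):
            return rule.priority
    return "normal"


# Constructed rules following the examples in the text:
# answers over requests (CCA over CCR) and Gx over Rx.
SAMPLE_RULES = [
    Rule(True, None, 272, None, "high"),        # any Credit-Control answer
    Rule(None, None, None, 16777238, "high"),   # anything on Gx
]


def build_header(flags, code, app_id, hbh=1, e2e=1, length=HEADER_LEN):
    """Build a header-only test message (no AVPs)."""
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | code,
                       app_id, hbh, e2e)


if __name__ == "__main__":
    samples = {
        "CCA (app 4)": build_header(FLAG_P, 272, 4),
        "CCR (app 4)": build_header(FLAG_R | FLAG_P, 272, 4),
        "CCR on Gx": build_header(FLAG_R | FLAG_P, 272, 16777238),
        "AAR on Rx, retransmitted": build_header(FLAG_R | FLAG_T, 265, 16777236),
    }
    for name, raw in samples.items():
        print(name, "->", classify(parse_header(raw), SAMPLE_RULES))
```

Classification here reads only fixed-offset header fields, which is why it avoids the AVP decoding cost noted above.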
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31 “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other tests SDC performs when it attempts to send requests to Remote Nodes and
analyzes the responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture (diagram; labels recoverable from it: Management Console, HTTPS WEB Access, Web Service Provisioning Interface (SOAP), Web Service SOAP XML, Configuration Manager, SDC Core, SDC Blade/Server, SDC Node, OAM, SNMP/Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33 Scalable Deployment Physical View (diagram titled “Scalable Mode” - SDC Node; labels recoverable from it: Server 1 to Server M, Servers Backbone, Client 1 to Client K, Clients Backbone, External Network, Interconnect, Management Network, Scalable (12 blades), SDC Blade 1 with VIP (Active), SDC Blade 2 with VIP (Standby), SDC Blade 3 to SDC Blade 12 with VIP (Standby), SDC Engine, Web Interface, Config Mgr, Distributed Storage)
Figure 34 Scalable Deployment Logical View (diagram; labels recoverable from it: HA Cluster, Config Mgr, Shared Memory, SDC Engine, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
Figure 35 Main Software Processes [diagram not reproduced: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture [diagram not reproduced: Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI/WS; Diameter VIP and Management VIP; session replication between the nodes; client peer, server peer and management workstation]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation [diagram not reproduced: SDC nodes, each with a physical IP, Diameter VIP and Management VIP; Configuration Manager and Web UI/WS on two nodes; session replication between nodes; arrows numbered 1 to 3 for the request flow from Client1; management workstation]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation [diagram not reproduced: the same SDC nodes, VIPs, Configuration Managers, session replication and numbered request flow from Client1 as in Figure 37, shown during a node failure]
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |

11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length and provides for Diameter
message screening. The SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
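The CER-based access control of section 11.5 and the message length limit of section 11.6 can be sketched as follows. This is an added example, not SDC code or configuration: the rule format, the 4096-byte limit, the sample peers and the mapping of "product-type" to the Product-Name AVP are assumptions, while the AVP codes are those of the Diameter base protocol.

```python
import ipaddress
import struct

# AVP codes and the CER command code come from the Diameter base protocol (RFC 6733).
ORIGIN_HOST, HOST_IP, AUTH_APP_ID, PRODUCT_NAME, ORIGIN_REALM = 264, 257, 258, 269, 296
CER_COMMAND_CODE = 257
MAX_MESSAGE_LEN = 4096  # assumed operator limit, not a documented SDC default

# Constructed policy (hypothetical format): first match wins, unmatched peers are rejected.
RULES = [
    {"subnet": "10.20.0.0/16", "realm": "epc.example.net", "app_id": 16777251, "action": "ACCEPT"},
    {"product": "lab-simulator", "action": "REJECT"},
    {"subnet": "10.30.5.0/24", "action": "ACCEPT"},
]

def avp(code, data):
    """Encode one mandatory, non-vendor AVP, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def build_cer(host, realm, ip, app_id, product):
    """Build a constructed CER to use as sample input."""
    body = (avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
            + avp(HOST_IP, b"\x00\x01" + ipaddress.IPv4Address(ip).packed)
            + avp(AUTH_APP_ID, struct.pack("!I", app_id))
            + avp(PRODUCT_NAME, product.encode()))
    total = 20 + len(body)
    return (b"\x01" + total.to_bytes(3, "big") + b"\x80"
            + CER_COMMAND_CODE.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + body)

def parse_cer(raw, max_len=MAX_MESSAGE_LEN):
    """Return {avp_code: [raw values]}; raise ValueError on oversized or malformed input."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter v1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds maximum length")
    if declared != len(raw) or declared % 4:
        raise ValueError("length field does not match data")
    if not raw[4] & 0x80 or int.from_bytes(raw[5:8], "big") != CER_COMMAND_CODE:
        raise ValueError("not a Capabilities-Exchange-Request")
    avps, pos = {}, 20
    while pos < declared:
        if pos + 8 > declared:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, pos)
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8  # the V flag adds a Vendor-Id field
        if length < header or pos + length > declared:
            raise ValueError("bad AVP length")
        avps.setdefault(code, []).append(raw[pos + header:pos + length])
        pos += length + (-length % 4)
    return avps

def peer_facts(avps, source_ip):
    """Collect what the ACL inspects; source_ip is the transport address, not an AVP."""
    text = lambda code: avps.get(code, [b""])[0].decode("utf-8", "replace")
    return {
        "source_ip": ipaddress.ip_address(source_ip),
        "origin_host": text(ORIGIN_HOST),
        "origin_realm": text(ORIGIN_REALM),
        "product_name": text(PRODUCT_NAME),
        "app_ids": {int.from_bytes(v, "big") for v in avps.get(AUTH_APP_ID, [])},
    }

def evaluate(rules, facts):
    """A rule matches when every criterion it names matches; default is REJECT."""
    for rule in rules:
        checks = (
            "subnet" not in rule or facts["source_ip"] in ipaddress.ip_network(rule["subnet"]),
            "realm" not in rule or facts["origin_realm"] == rule["realm"],
            "app_id" not in rule or rule["app_id"] in facts["app_ids"],
            "product" not in rule or facts["product_name"] == rule["product"],
        )
        if all(checks):
            return rule["action"]
    return "REJECT"

def admit(raw, source_ip, rules):
    """Return (decision, Origin-Host), or ("REJECT", reason) for an unparsable message."""
    try:
        facts = peer_facts(parse_cer(raw), source_ip)
    except ValueError as err:
        return "REJECT", str(err)
    return evaluate(rules, facts), facts["origin_host"]

if __name__ == "__main__":
    cer = build_cer("mme1.epc.example.net", "epc.example.net", "10.20.1.5", 16777251, "mme")
    for src in ("10.20.1.5", "192.0.2.9"):
        print(src, admit(cer, src, RULES))
```

The subnet criterion is checked against the transport source address rather than any AVP, because the AVPs in a CER are asserted by the peer itself.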
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture [diagram not reproduced: blade chassis with SDC worker nodes; Virtual Fabric Switch 1 and 2 (external ports 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; links labelled EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B and INBAND; interswitch links; connections to upstream routers; Virtual IPs for SCTP and TCP, doubled per internal and external networks]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |

IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |

12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |

13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console; Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH; SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console; SNMP; SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
Figure 58 Detailed System Flow [diagram not reproduced; labels in the figure: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, P2P Message, Decision Table, Message Flow, Decision Flow, Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
By Precedence
In this policy, Diameter messages are sent to the first peer in the pool. The messages are
sent until health monitoring and overload detection mechanisms decide that the peer is
out-of-service. When the peer is declared as out-of-service, Diameter messages are sent to the
next Remote Node in the pool, etc. When the peer recovers, it is brought back to the pool
and Diameter message routing to this peer is resumed. Incoming requests distribution is
depicted in Figure 22.
Figure 22 By Precedence Policy
Contextual
The Contextual load balancing policy maps the messages to a list of available peers in the pool
using a “Context ID”. The Context ID is a key that can be defined by a user upon session
creation. For example, a Context ID can be a set of AVPs that are hashed to a specific key.
Using this method, messages are sent to a specific Diameter peer according to their Context
ID. In addition to the Context ID parameter, traffic distribution is also controlled by a
predefined proportion. If not set by the user, the default Context ID key is set to the Diameter
Session ID. The weight of each Diameter peer in the pool is set according to its capacity
and ability to handle incoming Diameter messages. Incoming requests distribution is
depicted in Figure 25.
Figure 23 Contextual Policy [diagram not reproduced: clients reach the SDC through the Internet and a router; numbered messages 1 to 5 are delivered to the remote peers; annotation: “Traffic is contextually distributed according to session ID”]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool’s available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool’s
available Diameter peers according to a predefined proportion defined by a peer’s weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool’s available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user-defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and makes it possible to create different message modification rules according to the direction of the message flow and/or the message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation (diagram: the Transformation Engine sits between the Client Peer and the Server Peer; requests and responses pass through it in both the Client->Server and Client<-Server directions)
As shown in the figure above, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. by controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message-oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms ensure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting resource usage and allocation, e.g. by controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. by controlling the incoming message/traffic rate or by bounding the incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The message and byte rate limiters operate similarly. The only difference is that the message rate limiter counts and limits the number of incoming messages, while the byte rate limiter estimates the traffic volume and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see whether it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, is removed (cashed in) and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). It imposes a hard limit that caps the number of messages sent (and pending answers) to a certain Peer or group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. The estimated traffic reading rate is then compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients together from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). The estimated traffic reading rate is then compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
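The token bucket check and the channel and global limiters described above, as an added example that is not SDC code: each limiter pairs a message bucket with a byte bucket, leaves both untouched when a message does not conform, and then stops reading for a configurable pause. All class names, parameter names and rates are assumptions; time is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """`rate` tokens are added per second, up to a maximum of `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.stamp = None            # time of the last refill

    def refill(self, now):
        if self.stamp is not None and now > self.stamp:
            gained = (now - self.stamp) * self.rate
            self.tokens = min(self.burst, self.tokens + gained)
        self.stamp = now

    def has(self, cost):
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class Limiter:
    """Message rate limiter plus byte rate limiter with a read pause."""

    def __init__(self, msg_rate, msg_burst, byte_rate, byte_burst, pause_s):
        self.msgs = TokenBucket(msg_rate, msg_burst)
        self.octets = TokenBucket(byte_rate, byte_burst)
        self.pause_s = pause_s
        self.paused_until = 0.0

    def paused(self, now):
        return now < self.paused_until

    def admit(self, size, now):
        self.msgs.refill(now)
        self.octets.refill(now)
        if self.msgs.has(1) and self.octets.has(size):
            self.msgs.take(1)        # cash in one message token
            self.octets.take(size)   # and `size` byte tokens
            return True
        # Non-conforming: buckets stay unchanged, reading stops for pause_s.
        self.paused_until = now + self.pause_s
        return False


class RateControl:
    """One limiter per peer (channel) plus one global limiter for all peers."""

    def __init__(self, channel_cfg, global_cfg):
        self.channel_cfg = channel_cfg
        self.channels = {}
        self.global_limiter = Limiter(**global_cfg)

    def on_message(self, peer, size, now):
        channel = self.channels.setdefault(peer, Limiter(**self.channel_cfg))
        if self.global_limiter.paused(now):
            return "global-paused"
        if channel.paused(now):
            return "channel-paused"
        if not channel.admit(size, now):
            return "channel-limit"
        if not self.global_limiter.admit(size, now):
            return "global-limit"
        return "read"


# Constructed limits for illustration only.
CHANNEL = dict(msg_rate=10, msg_burst=5, byte_rate=10_000, byte_burst=4_000, pause_s=2.0)
GLOBAL = dict(msg_rate=1_000, msg_burst=1_000, byte_rate=1e7, byte_burst=1e7, pause_s=1.0)

if __name__ == "__main__":
    rc = RateControl(CHANNEL, GLOBAL)
    for t in (0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 2.0):
        print(t, rc.on_message("mme-1", 200, t))
```

In this model a flooding peer only pauses its own channel, while the global limiter pauses reading from every peer at once.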
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, answers over requests (CCA over CCR), Gx over Rx, or MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that ensures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each message based on the combination of fields in the Diameter header: the R and T bits, the command code and the application ID. If no priority is set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal |

Diameter header layout:

| Bit offset | Bits 0-7 | Bits 8-31 |
|---|---|---|
| 0 | version | message length |
| 32 | R P E T (flags) | command code |
| 64 | application ID (32 bits) | |
| 96 | hop-by-hop ID (32 bits) | |
| 128 | end-to-end ID (32 bits) | |
| 160 | AVPs ... | |

When prioritization is performed using attributes available in the AVP(s) (e.g. CC-Request-Type), the impact on latency may be up to 5%.
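A header-based priority lookup of the kind the table describes, as an added example that is not SDC code or SDC configuration: it parses the fixed 20-byte Diameter header and matches the four fields against a first-match rule list in which None means "does not matter". In the Diameter header the R bit is set on requests, so "Is Answer" corresponds to a cleared R bit. The rules and sample headers are constructed; the function names are assumptions.

```python
import struct
from typing import NamedTuple

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10      # Request and reTransmit flag bits


class DiameterHeader(NamedTuple):
    version: int
    length: int
    is_answer: bool
    is_retransmit: bool
    command_code: int
    application_id: int


def parse_header(data):
    """Parse and sanity-check the fixed Diameter header."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    ver_len, flags_code, app_id, _hbh, _e2e = struct.unpack("!5I", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    return DiameterHeader(version, length, not flags & FLAG_R,
                          bool(flags & FLAG_T), code, app_id)


ANY = None                        # "does not matter"
CREDIT_CONTROL = 272              # CCR/CCA command code
GX_APP, RX_APP = 16777238, 16777236

# Constructed rule list: (is_answer, is_retransmit, command_code, application_id, priority)
PRIORITY_TABLE = [
    (True, ANY, CREDIT_CONTROL, ANY, "high"),   # CCA over CCR
    (ANY, ANY, ANY, GX_APP, "high"),            # Gx over Rx
    (False, True, ANY, ANY, "high"),            # retransmitted requests
]


def classify(header, table=PRIORITY_TABLE):
    """Return the priority of the first matching rule, else normal priority."""
    fields = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for *match, priority in table:
        if all(want is ANY or want == got for want, got in zip(match, fields)):
            return priority
    return "normal"


def build_header(flags, code, app_id, length=HEADER_LEN, hbh=1, e2e=1):
    """Build a constructed header-only message for the demonstration."""
    return struct.pack("!5I", (1 << 24) | length, (flags << 24) | code, app_id, hbh, e2e)


if __name__ == "__main__":
    samples = {
        "CCA, credit-control app": build_header(0x40, CREDIT_CONTROL, 4),
        "CCR, credit-control app": build_header(0xC0, CREDIT_CONTROL, 4),
        "CCR, Gx": build_header(0xC0, CREDIT_CONTROL, GX_APP),
        "AAR, Rx": build_header(0xC0, 265, RX_APP),
        "AAR, Rx, retransmit": build_header(0xD0, 265, RX_APP),
    }
    for name, raw in samples.items():
        print(name, "->", classify(parse_header(raw)))
```

Because only the fixed header is read, classification happens before any AVP is decoded, and malformed headers are rejected before they reach the rule list.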
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0. Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in the case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources such as CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instant monitoring of error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of error events exceeds the user-configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The duration of the time interval is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.
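The threshold logic described above, as an added example that is not SDC code: error events (timeouts, busy answers, other non-success Result-Codes and slow responses) are counted in a sliding window per peer, and a peer whose count exceeds the threshold is taken out of service for a fixed interval, during which new sessions go to an alternative peer or are rejected. The window model, class names and thresholds are assumptions of this sketch.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004


class PeerHealth:
    """Sliding-window count of error events for one remote Diameter peer."""

    def __init__(self, name, max_errors, window_s, out_of_service_s, slow_s):
        self.name = name
        self.max_errors = max_errors            # threshold per window
        self.window_s = window_s
        self.out_of_service_s = out_of_service_s
        self.slow_s = slow_s                    # response time counted as an error
        self.errors = deque()                   # timestamps of recent error events
        self.out_until = 0.0
        self.last_reason = None

    def in_service(self, now):
        return now >= self.out_until

    def _error(self, now, reason):
        self.errors.append(now)
        # Drop events that have fallen out of the window.
        while self.errors and self.errors[0] <= now - self.window_s:
            self.errors.popleft()
        if len(self.errors) > self.max_errors:
            self.out_until = now + self.out_of_service_s
            self.last_reason = reason           # would feed the alarm text
            self.errors.clear()

    def on_timeout(self, now):
        self._error(now, "timeout")

    def on_answer(self, now, result_code, response_time):
        if result_code == DIAMETER_TOO_BUSY:
            self._error(now, "busy")
        elif not 2000 <= result_code < 3000:
            self._error(now, "error %d" % result_code)
        elif response_time > self.slow_s:
            self._error(now, "slow response")


def route_new_session(pool, now):
    """Pick the first in-service peer; None means reject gracefully."""
    for peer in pool:
        if peer.in_service(now):
            return peer.name
    return None


def make_peer(name):
    # Constructed thresholds: more than 3 errors in 10 s -> 30 s out of service.
    return PeerHealth(name, max_errors=3, window_s=10, out_of_service_s=30, slow_s=0.5)


if __name__ == "__main__":
    pool = [make_peer("hss-1"), make_peer("hss-2")]
    pool[0].on_timeout(0.0)
    pool[0].on_answer(1.0, DIAMETER_TOO_BUSY, 0.1)
    pool[0].on_answer(3.0, 5012, 0.1)
    pool[0].on_answer(4.0, 2001, 0.9)
    print(route_new_session(pool, 4.0), pool[0].last_reason)
```

Only new sessions are steered away here; how traffic for sessions already bound to the peer is handled is outside this sketch.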
9.6 External Monitoring
SDC provides the ability to add custom, proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as verifying that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to ensure service availability. These health monitoring tests are performed in addition to the other tests SDC performs when it attempts to send requests to Remote Nodes and analyzes the responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session Monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with a threshold mechanism in which the user can use statistics collected by scripts and set the same thresholds as explained for In Session Monitoring.
9.7 Connectivity Monitoring
In addition to error and traffic rate monitoring, SDC uses the Diameter DWR/DWA mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If SDC does not receive a DWA after sending a DWR, SDC declares the peer disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform comprises the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for distributing the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that is used to enable, configure and manage SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture (diagram labels: Management Console, HTTPS Web Access, Web Service Provisioning Interface (SOAP), Web Service SOAP/XML, Configuration Manager, SDC Core, Blade Server, SDC Node, OAM, SNMP/Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. Every fault situation is notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, applications, service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows custom performance counters to be defined. Monitoring and scheduling of performance counters, as well as statistics collection related to performance counters, are supported. The OAM supports compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, communication link protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and notification of licensing issues. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need for a new license key or for an extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful software and hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands and to integrate OAM with umbrella management systems or Network Management Centers for functions such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate action in case of a fatal fault situation (for example, restart the Diameter Router instance if it has not responded for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration as of the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM supports backup and restore of the configuration. Using this feature, it is possible to restore the configuration to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out of the box.
• For vertical scalability, it implements a message-driven component optimized for low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows the use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resource management in the solution.
- The SDC core process is responsible for processing Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation.
- The Config Manager process is responsible for configuration distribution and storage.
- Distributed Storage is responsible for the management of static and dynamic routing tables.
- The Web Console process provides a Web interface for interactive system configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs OAM tasks.
Figure 33 Scalable Deployment Physical View (diagram of an SDC node in "Scalable Mode" with 12 blades; labels: Clients Backbone with Client 1 to Client K, Servers Backbone with Server 1 to Server M, External Network, Interconnect, Management Network, SDC Blade 1 to SDC Blade 12 with SDC Engine, VIP (Active) on Blade 1 and VIP (Standby) on the other blades, Web Interface, Config Mgr, Distributed Storage)
Figure 34 Scalable Deployment Logical View (diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients, Servers)
Figure 35 Main Software Processes (diagram of SDC Blade X with: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides on the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of session persistence is automatically replicated to the backup node.
Figure 36 Hot-Standby HA architecture (diagram labels: Client Peer, Server Peer, Management Workstation; Node 1 and Node 2, each with SDC Core, Web UI/WS, Configuration Manager, Diameter VIP and Management VIP; Session Replication between the nodes)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among the available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture: Normal operation (diagram labels: Client 1, Management Workstation; SDC nodes, each with SDC, Diameter VIP, Management VIP and a Physical IP; Web UI/WS and Configuration Manager on two of the nodes; Session Replication; numbered flow steps 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using the Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture: Failure operation (diagram labels: Client 1, Management Workstation; SDC nodes, each with SDC, Diameter VIP, Management VIP and a Physical IP; Web UI/WS and Configuration Manager on two of the nodes; Session Replication; numbered flow steps 1 to 3)
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP, Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides a fast response to any failure event that occurs within the system. It is also possible to aggregate the connections to servers, with a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components; "scalable deployment" is assumed.

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis of failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Non-redundant HW (Server
motherboard)
Cluster heartbeat Node failover Traffic shift to
other node
PSU (Power Supply Unit) Built-in Hardware
Monitoring
Failover to Redundant PSU
Network Interface Network Link monitoring
(OS)
Node traffic failover to secondary
NIC
Disk failure Hardware ndash RAID
controller
RAID failover to 2nd disk
Network switch Switch Redundancy
mechanisms
Network Link monitoring
(OS)
Network Switch Failover
Node traffic failover to secondary
NIC
Network Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Network link failure Network Link monitoring (OS) Node traffic failover to secondary
NIC
Upstream network
failure
Solaris IPMP ICMP Probe IP Address
monitoring
Linux Bonding ARP Probe Address
monitoring
(Network Switch Redundancy)
Node traffic failover to secondary
NIC
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
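The CER screening described in this section, as an added example (it is not SDC code and not part of the original product description): the message framing is checked against a maximum length, the AVPs are decoded, and an ordered rule list decides ACCEPT or REJECT, with REJECT as the default. The rule keys, the 4096-byte limit, the reduced CER and all sample values are assumptions made for the illustration.

```python
import ipaddress
import struct

# AVP and command codes from the Diameter base protocol (RFC 6733).
ORIGIN_HOST, ORIGIN_REALM = 264, 296
AUTH_APPLICATION_ID, PRODUCT_NAME = 258, 269
CMD_CAPABILITIES_EXCHANGE = 257
HEADER_LEN = 20
MAX_MESSAGE_LENGTH = 4096  # assumed local limit, not an SDC default


def encode_avp(code, data):
    """Encode a base-protocol AVP (M flag set, no Vendor-Id), padded to 4 bytes."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(origin_host, origin_realm, app_id, product):
    """Build a reduced, constructed CER carrying only the AVPs used below."""
    body = (encode_avp(ORIGIN_HOST, origin_host.encode())
            + encode_avp(ORIGIN_REALM, origin_realm.encode())
            + encode_avp(AUTH_APPLICATION_ID, struct.pack("!I", app_id))
            + encode_avp(PRODUCT_NAME, product.encode()))
    header = (b"\x01" + (HEADER_LEN + len(body)).to_bytes(3, "big")
              + b"\x80" + CMD_CAPABILITIES_EXCHANGE.to_bytes(3, "big")
              + struct.pack("!III", 0, 1, 1))
    return header + body


def parse_avps(payload):
    """Return {(vendor_id, code): [value, ...]}; raise ValueError if malformed."""
    avps, offset = {}, 0
    while offset < len(payload):
        if len(payload) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, offset)
        length = int.from_bytes(payload[offset + 5:offset + 8], "big")
        vendor_len = 4 if flags & 0x80 else 0  # V flag adds a Vendor-Id field
        start, end = offset + 8 + vendor_len, offset + length
        if end < start or end > len(payload):
            raise ValueError("AVP length out of bounds")
        vendor = int.from_bytes(payload[offset + 8:offset + 8 + vendor_len], "big")
        avps.setdefault((vendor, code), []).append(payload[start:end])
        offset = end + (-length % 4)  # AVPs are padded to 32-bit boundaries
    return avps


def describe_peer(message, source_ip):
    """Validate the framing and return the CER attributes an ACL can match on."""
    if not HEADER_LEN <= len(message) <= MAX_MESSAGE_LENGTH:
        raise ValueError("message length outside the allowed range")
    if message[0] != 1 or int.from_bytes(message[1:4], "big") != len(message):
        raise ValueError("bad version or declared length")
    command = int.from_bytes(message[5:8], "big")
    if not message[4] & 0x80 or command != CMD_CAPABILITIES_EXCHANGE:
        raise ValueError("not a Capabilities-Exchange-Request")
    avps = parse_avps(message[HEADER_LEN:])
    return {
        "ip": ipaddress.ip_address(source_ip),
        "host": avps[(0, ORIGIN_HOST)][0].decode("ascii"),
        "realm": avps[(0, ORIGIN_REALM)][0].decode("ascii"),
        "app_ids": {int.from_bytes(v, "big") for v in avps.get((0, AUTH_APPLICATION_ID), [])},
        "product": avps.get((0, PRODUCT_NAME), [b""])[0].decode("utf-8", "replace"),
    }


def rule_matches(rule, peer):
    """A rule matches when every criterion it names matches the peer."""
    checks = {
        "subnet": lambda v: peer["ip"] in ipaddress.ip_network(v),
        "realm": lambda v: peer["realm"].lower() == v.lower(),
        "host_suffix": lambda v: peer["host"].lower().endswith(v.lower()),
        "app_id": lambda v: v in peer["app_ids"],
        "product": lambda v: peer["product"] == v,
    }
    return all(checks[key](value) for key, value in rule.items() if key != "action")


def evaluate_cer(message, source_ip, rules):
    """First matching rule decides; malformed input and no match are rejected."""
    try:
        peer = describe_peer(message, source_ip)
    except (ValueError, KeyError):
        return "REJECT"
    for rule in rules:
        if rule_matches(rule, peer):
            return rule["action"]
    return "REJECT"


# Constructed policy and message, for illustration only (16777238 is 3GPP Gx).
RULES = [
    {"product": "legacy-gw", "action": "REJECT"},
    {"subnet": "10.1.0.0/16", "realm": "epc.example.net",
     "app_id": 16777238, "action": "ACCEPT"},
]
SAMPLE_CER = build_cer("pgw1.epc.example.net", "epc.example.net", 16777238, "demo-pgw")
```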
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
[Diagram: blade chassis with SDC Worker Nodes, Virtual Fabric Switch 1 and 2 (external ports 10 x 10GbE + 1 x 1GB port), L2/3 1GB Copper Switch A and B, interswitch links, INBAND connections to upstream routers, and Virtual IPs for SCTP and TCP (all VIPs are doubled per Internal and External Networks)]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing Supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the
baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition to that, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Figure 23 Contextual Policy
[Diagram: Clients/Internet, Router, SDC and Remote Peers; traffic is contextually distributed according to session ID]
Round Robin
When selecting the Round Robin load balancing policy, traffic is evenly distributed across
the pool's available Diameter peers, and the Diameter peer to which the new request is
delivered is the next available in row. Round Robin is a static algorithm. It has no external
parameters taken into account upon request distribution. Incoming requests distribution is
depicted in Figure 24.
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool's
available Diameter peers according to a predefined proportion defined by a peer's weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm. It has no
external parameters taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weight set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
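The quota-based selection described above, as an added example (not SDC code and not part of the original document): peers are visited in Round Robin order, a peer that has used its weight for the current cycle is skipped, and the cycle restarts once every available peer has reached its quota. The peer names and the handling of unavailable peers are assumptions.

```python
class WeightedRoundRobin:
    """Round Robin order in which a peer is skipped once its per-cycle quota is used."""

    def __init__(self, weights):
        self.weights = dict(weights)              # peer name -> weight (quota per cycle)
        self.order = list(self.weights)           # Round Robin visiting order
        self.sent = dict.fromkeys(self.order, 0)  # requests sent in the current cycle
        self.cursor = 0                           # index of the next peer to try

    def next_peer(self, available=None):
        """Return the peer for the next request, or None if no peer can take it."""
        candidates = {p for p in self.order
                      if self.weights[p] > 0 and (available is None or p in available)}
        if not candidates:
            return None
        if all(self.sent[p] >= self.weights[p] for p in candidates):
            # Every usable peer reached its quota: start a new cycle.
            self.sent = dict.fromkeys(self.order, 0)
            self.cursor = 0
        for step in range(len(self.order)):
            index = (self.cursor + step) % len(self.order)
            peer = self.order[index]
            if peer in candidates and self.sent[peer] < self.weights[peer]:
                self.sent[peer] += 1
                self.cursor = (index + 1) % len(self.order)
                return peer
        return None


def distribute(weights, requests, available=None):
    """Return the sequence of peers chosen for a number of new requests."""
    balancer = WeightedRoundRobin(weights)
    return [balancer.next_peer(available) for _ in range(requests)]


# Constructed pool using the 3:2:1:1 weights from the text.
POOL = {"peer-A": 3, "peer-B": 2, "peer-C": 1, "peer-D": 1}

if __name__ == "__main__":
    print(distribute(POOL, 7))
```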
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool's available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation
[Diagram: Client Peer, Transformation Engine and Server Peer; Requests and Responses pass through the Transformation Engine in both the Client→Server and Client←Server directions]
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in) and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
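The token bucket, channel limiter and global limiter described above, combined in one added example (not SDC code and not part of the original document). Each scope holds a message bucket and a byte bucket, a message is read only if every bucket conforms, and a scope that is exceeded stops reading for a pause period. The class names, parameter names and outcome strings are assumptions, and time is passed in explicitly so the behaviour is deterministic.

```python
class TokenBucket:
    """Tokens refill at `rate` per second up to `capacity` (the allowed burst)."""

    def __init__(self, rate, capacity):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.updated = None

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are available."""
        if self.updated is not None and now > self.updated:
            refill = (now - self.updated) * self.rate
            self.tokens = min(self.capacity, self.tokens + refill)
        self.updated = now if self.updated is None else max(self.updated, now)
        return self.tokens >= cost


class RateLimiter:
    """Message-rate and byte-rate limiter for one scope (one channel, or global)."""

    def __init__(self, msgs_per_sec, bytes_per_sec, burst_seconds, pause):
        self.messages = TokenBucket(msgs_per_sec, msgs_per_sec * burst_seconds)
        self.bytes = TokenBucket(bytes_per_sec, bytes_per_sec * burst_seconds)
        self.pause = pause          # how long reading stops once the limit is exceeded
        self.paused_until = 0.0

    def reading_allowed(self, now):
        return now >= self.paused_until

    def conforms(self, size, now):
        # Nothing is removed here: a non-conforming message leaves the buckets unchanged.
        return self.messages.has(1, now) and self.bytes.has(size, now)

    def consume(self, size):
        self.messages.tokens -= 1
        self.bytes.tokens -= size

    def suspend(self, now):
        self.paused_until = now + self.pause


class ReadGate:
    """Decides, per incoming message, whether it is read now or reading is paused."""

    def __init__(self, per_channel, global_limits):
        self.per_channel = per_channel
        self.global_limiter = RateLimiter(**global_limits)
        self.channels = {}

    def on_message(self, peer, size, now):
        if peer not in self.channels:
            self.channels[peer] = RateLimiter(**self.per_channel)
        channel = self.channels[peer]
        if not self.global_limiter.reading_allowed(now):
            return "global-paused"
        if not channel.reading_allowed(now):
            return "channel-paused"
        if not channel.conforms(size, now):
            channel.suspend(now)
            return "channel-limit"
        if not self.global_limiter.conforms(size, now):
            self.global_limiter.suspend(now)
            return "global-limit"
        channel.consume(size)
        self.global_limiter.consume(size)
        return "read"


# Constructed limits for illustration only.
CHANNEL_LIMITS = dict(msgs_per_sec=10, bytes_per_sec=10_000, burst_seconds=0.5, pause=1.0)
GLOBAL_LIMITS = dict(msgs_per_sec=1000, bytes_per_sec=1_000_000, burst_seconds=1.0, pause=1.0)

if __name__ == "__main__":
    gate = ReadGate(CHANNEL_LIMITS, GLOBAL_LIMITS)
    print([gate.on_message("peer-a", 200, 0.0) for _ in range(7)])
```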
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

| Bit offset | Bits 0-7 | Bits 8-31 |
| 0 | version | message length |
| 32 | R P E T | command code |
| 64 | application ID | |
| 96 | hop-by-hop ID | |
| 128 | end-to-end ID | |
| 160 | AVPs | |

When performing prioritization using attributes available in the AVP(s) (e.g.
CC-Request-Type), it might have an impact of up to 5% on the latency.
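Header-based prioritization as laid out in the table and header layout above, as an added example (not SDC code and not part of the original document): the fixed 20-byte Diameter header is decoded and matched against an ordered table in which None stands for "does not matter", with Normal as the fallback. The table rows, function names and sample messages are assumptions; in the Diameter header a set R bit marks a request, so an answer is a message with the R bit clear.

```python
import struct

HIGH, NORMAL = "High", "Normal"
ANY = None  # "does not matter" in the priority table

CREDIT_CONTROL = 272   # CCR/CCA command code (RFC 4006)
GX_APPLICATION = 16777238
RX_APPLICATION = 16777236


def parse_header(data):
    """Decode the fixed 20-byte Diameter header into the fields used for priority."""
    if len(data) < 20:
        raise ValueError("Diameter header is 20 bytes")
    flags = data[4]
    application_id, hop_by_hop, end_to_end = struct.unpack_from("!III", data, 8)
    return {
        "version": data[0],
        "length": int.from_bytes(data[1:4], "big"),
        "is_answer": not flags & 0x80,         # R bit clear means answer
        "is_retransmit": bool(flags & 0x10),   # T bit
        "command_code": int.from_bytes(data[5:8], "big"),
        "application_id": application_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def build_header(command_code, application_id, request=True, retransmit=False):
    """Build a constructed header-only message for the demonstration."""
    flags = (0x80 if request else 0) | (0x10 if retransmit else 0)
    return (b"\x01" + (20).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, 1, 1))


def classify(data, table):
    """Return the priority of the first matching row, or Normal if none matches."""
    header = parse_header(data)
    key = (header["is_answer"], header["is_retransmit"],
           header["command_code"], header["application_id"])
    for *pattern, priority in table:
        if all(want is ANY or want == got for want, got in zip(pattern, key)):
            return priority
    return NORMAL


# Constructed table: (is_answer, is_retransmit, command code, application ID, priority).
PRIORITY_TABLE = [
    (True, ANY, CREDIT_CONTROL, ANY, HIGH),   # CCA over CCR
    (ANY, True, ANY, ANY, HIGH),              # retransmitted messages (T bit set)
    (ANY, ANY, ANY, GX_APPLICATION, HIGH),    # Gx over Rx
]

if __name__ == "__main__":
    cca = build_header(CREDIT_CONTROL, 4, request=False)
    print(classify(cca, PRIORITY_TABLE))
```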
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.
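The threshold and "out of service" interval described above can be modelled with a sliding window of error events per peer. This is an added example, not SDC code; the peer names, the threshold values and the rule that a slow answer counts as an error event are assumptions.

```python
from collections import deque

ERROR_KINDS = {"timeout", "busy", "error"}  # busy = e.g. a DIAMETER_TOO_BUSY answer


class PeerMonitor:
    """Counts error events for one peer over a sliding time window."""

    def __init__(self, threshold, window_s, out_of_service_s, max_response_s):
        self.threshold = threshold                # errors tolerated per window
        self.window_s = window_s
        self.out_of_service_s = out_of_service_s  # length of the hold-down period
        self.max_response_s = max_response_s
        self.errors = deque()
        self.out_until = float("-inf")

    def observe(self, now, kind, response_s=0.0):
        """Record one transaction outcome; return True when the peer trips."""
        if kind in ERROR_KINDS or response_s > self.max_response_s:
            self.errors.append(now)
        # Forget error events that have aged out of the window.
        while self.errors and self.errors[0] <= now - self.window_s:
            self.errors.popleft()
        if len(self.errors) > self.threshold and self.in_service(now):
            self.out_until = now + self.out_of_service_s
            self.errors.clear()
            return True
        return False

    def in_service(self, now):
        return now >= self.out_until


def route_new_session(monitors, preference, now):
    """First in-service peer in preference order, or None (reject per policy)."""
    return next((p for p in preference if monitors[p].in_service(now)), None)


def replay(events, monitors):
    """Feed (time, peer, kind, response_s) tuples; return the alarms raised."""
    alarms = []
    for now, peer, kind, response_s in events:
        if monitors[peer].observe(now, kind, response_s):
            alarms.append((now, peer, "out of service"))
    return alarms


# Constructed sample traffic for two peers.
EVENTS = [
    (0.0, "pcrf-a", "ok", 0.05),
    (1.0, "pcrf-a", "timeout", 0.0),
    (2.0, "pcrf-a", "busy", 0.02),
    (2.5, "pcrf-b", "ok", 0.04),
    (3.0, "pcrf-a", "ok", 2.50),     # answered, but slower than max_response_s
    (4.0, "pcrf-a", "error", 0.03),  # fourth error inside 10 s: peer trips
]


def demo():
    """More than 3 errors in 10 s takes a peer out of service for 30 s."""
    monitors = {name: PeerMonitor(3, 10.0, 30.0, 1.0) for name in ("pcrf-a", "pcrf-b")}
    alarms = replay(EVENTS, monitors)
    order = ["pcrf-a", "pcrf-b"]
    return alarms, [route_new_session(monitors, order, t) for t in (5.0, 33.9, 34.0)]
```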
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests when it attempts to send requests to Remote Nodes and analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture
(Diagram labels: Management Console, HTTPS Web access; Provisioning Interface (SOAP), Web Service SOAP XML; Configuration Manager; SDC Core; SDC Node; Blade/Server; OAM; SNMP/Syslog; Fault and Performance Manager; Security and Administration Manager; CLI; AMM)
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real-time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need of a new license key or of the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution.
- SDC core process is responsible for processing of Diameter or other message oriented protocols, e.g. security, routing, load balancing and message transformation.
- Config Manager Process is responsible for configuration distribution and storage.
- Distributed Storage is responsible for the management of static and dynamic routing tables.
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs OAM tasks.
Figure 33 Scalable Deployment Physical View
(Diagram labels: "Scalable Mode" SDC Node; Server 1 to Server M, Servers Backbone; Client 1 to Client K, Clients Backbone; External Network; Interconnect; Management Network; Scalable (12 blades); SDC Blade 1, 2, 3 ... 12; VIP (Active), VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage)
Figure 34 Scalable Deployment Logical View
(Diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine; FEP-O (SCTP), FEP-O (TCP); FEP-I (IPSEC), FEP-I (TCP); Web UI; SOAP; Client; Server)
Figure 35 Main Software Processes
(Diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36 Hot-Standby HA architecture
(Diagram labels: Node 1 and Node 2, each with SDC Core, Web UI WS, Configuration Manager, Diameter VIP and Management VIP; Session Replication; Client Peer; Server Peer; Management Workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation
(Diagram labels: Client 1; Node 1 and Node 2, each with SDC, Web UI WS, Configuration Manager, Diameter VIP, Management VIP and Physical IP; Session Replication; Management Workstation; step markers 1, 2 and 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation
(Diagram labels: Client 1; Node 1 and Node 2, each with SDC, Web UI WS, Configuration Manager, Diameter VIP, Management VIP and Physical IP; Session Replication; Management Workstation; step markers 1, 2 and 3)
To ease network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP, Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer to peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components; "scalable deployment" is assumed.
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy); Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = (10/1000) * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
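The CER-based access control from section 11.5 and the message length limit from section 11.6 can be combined into one admission check, sketched below. This is an added example, not SDC code; the ACL format, the 2048-byte limit, the peer names and addresses, and the custom rule that Origin-Host must sit inside Origin-Realm are assumptions.

```python
import ipaddress
import struct

CER, FLAG_R = 257, 0x80
HOST_IP, AUTH_APP, ORIGIN_HOST, PRODUCT_NAME, ORIGIN_REALM = 257, 258, 264, 269, 296
MAX_MESSAGE_LENGTH = 2048  # assumed operator limit, in bytes


def avp(code, payload):
    """Encode a base-protocol AVP (M flag set), padded to 4 bytes."""
    length = 8 + len(payload)
    return struct.pack("!II", code, (0x40 << 24) | length) + payload + b"\x00" * (-length % 4)


def parse_avps(body):
    """Return {(vendor_id, code): [payload, ...]}, refusing bad lengths."""
    found, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 8:
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", body, pos)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8  # the V flag adds a Vendor-Id field
        if length < hdr or pos + length > len(body):
            raise ValueError("AVP length outside message")
        vendor = struct.unpack_from("!I", body, pos + 8)[0] if hdr == 12 else 0
        found.setdefault((vendor, code), []).append(body[pos + hdr:pos + length])
        pos += (length + 3) & ~3         # step over the padding
    return found


def peer_facts(msg, source_ip):
    """Validate framing, then extract the attributes the ACL matches on."""
    if not 20 <= len(msg) <= MAX_MESSAGE_LENGTH:
        raise ValueError("message length outside limits")
    w0, w1 = struct.unpack_from("!II", msg)
    if (w0 >> 24) != 1 or (w0 & 0xFFFFFF) != len(msg):
        raise ValueError("bad version or length field")
    if (w1 & 0xFFFFFF) != CER or not ((w1 >> 24) & FLAG_R):
        raise ValueError("first message is not a CER")
    avps = parse_avps(msg[20:])
    text = lambda code: avps[(0, code)][0].decode("utf-8")
    return {
        "ip": ipaddress.ip_address(source_ip),  # transport-level source address
        "host": text(ORIGIN_HOST),
        "realm": text(ORIGIN_REALM),
        "product": text(PRODUCT_NAME),
        "apps": {struct.unpack("!I", v)[0] for v in avps.get((0, AUTH_APP), [])},
    }


# Constructed policy: first match wins, anything unmatched is rejected.
ACL = [
    {"action": "REJECT", "subnet": "198.51.100.0/24"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24", "realm": "roaming.example", "app": 16777251},
]


def rule_matches(rule, f):
    return (("subnet" not in rule or f["ip"] in ipaddress.ip_network(rule["subnet"]))
            and ("realm" not in rule or f["realm"] == rule["realm"])
            and ("app" not in rule or rule["app"] in f["apps"])
            and ("product" not in rule or f["product"] == rule["product"]))


def host_in_realm(f):
    """Custom policy (assumed): Origin-Host must sit inside Origin-Realm."""
    return f["host"].endswith("." + f["realm"])


def decide(msg, source_ip, acl=ACL, custom=(host_in_realm,)):
    """Return 'ACCEPT' or 'REJECT' for a connection's first message."""
    try:
        f = peer_facts(msg, source_ip)
    except (ValueError, KeyError, struct.error):
        return "REJECT"  # malformed, oversized or incomplete CER
    if not all(check(f) for check in custom):
        return "REJECT"
    return next((r["action"] for r in acl if rule_matches(r, f)), "REJECT")


def sample_cer(host=b"mme1.roaming.example", realm=b"roaming.example", app=16777251):
    """Constructed CER carrying only the AVPs this check reads."""
    body = (avp(ORIGIN_HOST, host) + avp(ORIGIN_REALM, realm)
            + avp(HOST_IP, b"\x00\x01" + ipaddress.ip_address("192.0.2.10").packed)
            + avp(PRODUCT_NAME, b"example-mme") + avp(AUTH_APP, struct.pack("!I", app)))
    return struct.pack("!5I", (1 << 24) | (20 + len(body)), (FLAG_R << 24) | CER, 0, 1, 1) + body
```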
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
(Diagram labels: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and 2, External Ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP; INT-SCTP-A, INT-SCTP-B, INT-TCP; MGMT-A, MGMT-B; INBAND; Interswitch Link; Connections to upstream Routers; Virtual IP for SCTP and TCP, all VIPs are doubled per Internal and External Networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 diagram labels, in extraction order: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Figure 24 Round Robin Policy
Weighted Round Robin
When selecting the Weighted Round Robin policy, traffic is distributed across the pool’s
available Diameter peers according to a predefined proportion defined by a peer’s weight.
The weight of each Diameter peer in the pool is set according to its capacity and ability to
handle incoming Diameter messages. Weighted Round Robin is a static algorithm: no
external parameters are taken into account upon request distribution. Using the Weighted Round
Robin algorithm, new messages are distributed in the Round Robin pattern, but instead of
sending the request to the next available Diameter peer in the row, messages are sent to the
Diameter peer that has not yet reached its quota.
Sample request distribution with weights set to 3:2:1:1 is depicted in Figure 25.
Figure 25 Weighted Round Robin Policy
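The quota-based distribution described for the Weighted Round Robin policy can be sketched as follows. This is an added example, not SDC code: the peer names are constructed, and the visiting order inside a cycle is an assumption because Figure 25 is not reproduced here.

```python
from itertools import islice


def weighted_round_robin(weights, is_available=lambda peer: True):
    """Yield the destination peer for each new message.

    weights: dict mapping peer -> quota per cycle (positive int), in pool order.
    is_available: callable peer -> bool, consulted at selection time so that
                  only the pool's available peers receive traffic.
    The generator stops when no peer in the pool is available.
    """
    if not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("every peer needs a positive weight")
    sent = dict.fromkeys(weights, 0)          # messages sent in the current cycle
    while True:
        progressed = False
        for peer, quota in weights.items():   # one round-robin pass over the pool
            # Skip peers that already reached their quota or are unavailable.
            if sent[peer] < quota and is_available(peer):
                sent[peer] += 1
                progressed = True
                yield peer
        if not progressed:
            if not any(is_available(p) for p in weights):
                return                        # nobody to send to: caller must reject
            sent = dict.fromkeys(weights, 0)  # all usable quotas spent: new cycle


def distribute(n, weights, is_available=lambda peer: True):
    """Return the destinations chosen for the next n messages."""
    return list(islice(weighted_round_robin(weights, is_available), n))


# Constructed pool with the 3:2:1:1 weights used in the text.
SAMPLE_POOL = {"peer-a": 3, "peer-b": 2, "peer-c": 1, "peer-d": 1}

if __name__ == "__main__":
    print(distribute(7, SAMPLE_POOL))
    print(distribute(5, SAMPLE_POOL, lambda p: p != "peer-b"))
```

Because the algorithm is static, a slow but reachable peer keeps receiving its full quota; only unavailability removes it from the rotation.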
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter
traffic is distributed across the pool’s available Diameter peers according to the respective
response time of the peer. The response time is measured for a predefined duration of time
using real time statistics. Fastest Response Time is a dynamic algorithm that tries to
achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the
Remote Node which has the fastest average response time measured during the last
measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request’s destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27 diagram labels: Client, Peer, Transformation Engine, Peer, Server; Request and Response in each direction; Client → Server, Client ← Server]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting resource usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, such as signaling storms caused by faulty
Peers, unexpected high memory or CPU usage, or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in), and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
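The token bucket check and the channel and global read limiters described above fit together as in the following added example, which is a sketch and not SDC's implementation. The class names, the returned decision strings and the way the read pause is modelled are assumptions; time is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.updated = float(burst), float(now)

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are present."""
        if now > self.updated:
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
            self.updated = now
        return self.tokens >= cost

    def take(self, cost):
        """Remove ("cash in") the tokens of a conforming message."""
        self.tokens -= cost


class ReadLimiter:
    """Message and byte rate limiters, applied per channel (peer) and globally."""

    def __init__(self, channel_msgs, channel_bytes, global_msgs, global_bytes, pause):
        # Each limit is a (rate per second, burst) pair; all values are configurable.
        self.channel_limits = (channel_msgs, channel_bytes)
        self.global_buckets = (TokenBucket(*global_msgs), TokenBucket(*global_bytes))
        self.pause = pause          # seconds to stop reading after a limit is hit
        self.channels = {}          # peer -> (message bucket, byte bucket)
        self.paused_until = {}      # peer -> time at which reading resumes
        self.all_paused_until = 0.0

    def on_message(self, peer, size, now):
        """Return "read", "channel-paused" or "global-paused" for one message."""
        if now < self.all_paused_until:
            return "global-paused"
        if now < self.paused_until.get(peer, 0.0):
            return "channel-paused"
        if peer not in self.channels:
            self.channels[peer] = tuple(
                TokenBucket(rate, burst, now) for rate, burst in self.channel_limits)
        channel = self.channels[peer]
        costs = (1, size)           # one message token, `size` byte tokens
        # Check every bucket before taking from any, so that a non-conforming
        # message leaves the contents of all buckets unchanged.
        if not all(b.has(c, now) for b, c in zip(channel, costs)):
            self.paused_until[peer] = now + self.pause
            return "channel-paused"
        if not all(b.has(c, now) for b, c in zip(self.global_buckets, costs)):
            self.all_paused_until = now + self.pause
            return "global-paused"
        for bucket, cost in zip(channel + self.global_buckets, costs * 2):
            bucket.take(cost)
        return "read"


if __name__ == "__main__":
    # Constructed limits: 10 msg/s with a burst of 5 per peer, pause of 2 s.
    limiter = ReadLimiter((10, 5), (10_000, 4_000), (100, 8), (100_000, 100_000), pause=2.0)
    print([limiter.on_message("peer-a", 200, now=0.0) for _ in range(6)])
```

The burst size bounds how many back-to-back messages a peer can push before the pause applies, so it should be sized from the peer's legitimate peak rather than left at a generous default.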
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

| Bit offset | Bits 0-7 | Bits 8-31 |
|---|---|---|
| 0 | version | message length |
| 32 | R P E T | command code |
| 64 | application ID | |
| 96 | hop-by-hop ID | |
| 128 | end-to-end ID | |
| 160 | AVPs | |
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have an impact of up to 5% on the latency.
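The header-based priority lookup described above can be illustrated with a parser for the 20-byte Diameter header and a first-match rule table. This is an added example, not SDC code: the rule set, the function names and the sample messages are constructed. In RFC 6733 a set R bit marks a request, so the table's "Is Answer" column corresponds to the R bit being clear.

```python
import struct
from typing import NamedTuple, Optional

HEADER_LEN = 20
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10


class Header(NamedTuple):
    length: int
    is_answer: bool
    is_retransmit: bool
    is_error: bool
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int


def parse_header(data: bytes) -> Header:
    """Decode the fixed header laid out in the bit-offset table above."""
    if len(data) < HEADER_LEN:
        raise ValueError("short read: a Diameter header is 20 bytes")
    word0, word1, app_id, hbh, e2e = struct.unpack("!5I", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError(f"unsupported Diameter version {version}")
    if length < HEADER_LEN or length % 4:
        raise ValueError(f"invalid message length {length}")
    return Header(length, not flags & FLAG_R, bool(flags & FLAG_T),
                  bool(flags & FLAG_E), code, app_id, hbh, e2e)


class Rule(NamedTuple):
    is_answer: Optional[bool]        # None means "does not matter"
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str                    # "High" or "Normal"


def classify(header: Header, rules) -> str:
    """Return the priority of the first matching rule, or "Normal" if none is set."""
    actual = (header.is_answer, header.is_retransmit,
              header.command_code, header.application_id)
    for rule in rules:
        if all(want is None or want == got for want, got in zip(rule[:4], actual)):
            return rule.priority
    return "Normal"


GX, CREDIT_CONTROL = 16777238, 272   # 3GPP Gx application ID, Credit-Control command
SAMPLE_RULES = [                     # constructed rule set, for illustration only
    Rule(True, None, CREDIT_CONTROL, GX, "High"),   # CCA over CCR on Gx
    Rule(None, True, None, None, "High"),           # any message with the T bit set
]


def build_header(is_answer, retransmit, code, app_id, length=HEADER_LEN, version=1):
    """Build a constructed sample header (test input, not captured traffic)."""
    flags = (0 if is_answer else FLAG_R) | (FLAG_T if retransmit else 0)
    return struct.pack("!5I", version << 24 | length, flags << 24 | code,
                       app_id, 0x1234, 0x5678)


if __name__ == "__main__":
    for answer in (True, False):
        hdr = parse_header(build_header(answer, False, CREDIT_CONTROL, GX))
        print("CCA" if answer else "CCR", classify(hdr, SAMPLE_RULES))
```

Only the fixed header is read, which is why this form of prioritization avoids the AVP decoding cost mentioned above.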
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31 “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
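The threshold and "out of service" behaviour of In Session Monitoring can be modelled as a sliding-window error counter with a hold-down timer. This is an added example, not SDC code: the class and its parameters are hypothetical, response-time tracking is left out, and a Result-Code of 3000 or above is treated as an error event.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004   # busy answer, a protocol error per RFC 6733


class InSessionMonitor:
    """Marks a peer out of service when its error rate exceeds a threshold."""

    def __init__(self, max_errors, window, out_of_service):
        self.max_errors = max_errors          # error events tolerated per window
        self.window = window                  # length of the window, in seconds
        self.out_of_service = out_of_service  # hold-down interval, in seconds
        self.errors = {}                      # peer -> timestamps of recent errors
        self.down_until = {}                  # peer -> end of the hold-down

    def in_service(self, peer, now):
        return now >= self.down_until.get(peer, 0.0)

    def record(self, peer, now, result_code=None):
        """Record one answer; result_code=None stands for a timeout.

        Returns True while the peer may still be given new sessions.
        """
        if result_code is not None and result_code < 3000:
            return self.in_service(peer, now)     # informational or success
        recent = self.errors.setdefault(peer, deque())
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                      # forget errors outside the window
        if len(recent) > self.max_errors:
            self.down_until[peer] = now + self.out_of_service
            recent.clear()                        # start clean after the hold-down
        return self.in_service(peer, now)

    def pick_peer(self, pool, now):
        """First in-service peer for a new session, or None (reject gracefully)."""
        for peer in pool:
            if self.in_service(peer, now):
                return peer
        return None


if __name__ == "__main__":
    monitor = InSessionMonitor(max_errors=3, window=10.0, out_of_service=30.0)
    # Constructed event stream: busy answers and a timeout from "hss-1".
    for t, code in [(0.0, DIAMETER_TOO_BUSY), (1.0, None), (2.0, 5012), (3.0, 3004)]:
        monitor.record("hss-1", t, code)
    print(monitor.pick_peer(["hss-1", "hss-2"], now=5.0))
```

Existing sessions are not touched here; the monitor only answers whether a peer may receive new ones, which matches the description of the "out of service" period.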
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers, the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-
establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32 diagram labels: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS WEB Access; Web Service SOAP XML; SDC Blade Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Figure 33 diagram labels: “Scalable Mode” - SDC Node; Server 1 ... Server M; Servers Backbone; Client 1 ... Client K; Clients Backbone; External Network Interconnect; Management Network; Scalable (12 blades); SDC Blade 1: VIP (Active); SDC Blade 2: VIP (Standby); SDC Blade 3: SDC Engine; SDC Blade 12: SDC Engine; VIP (Standby); Web Interface; Config Mgr; SDC Engine; Distributed Storage]
Figure 33 Scalable Deployment Physical View
[Figure 34 diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 34 Scalable Deployment Logical View
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 5682
SIGNALING DELIVERY CONTROLLER
Product Description
56
wwwtraffixsystemscom
SDC
Blade X
VIP
(Active)
Web
Interface
Config Mgr
SDC
Engine
Distributed
Storage
EMS
Agent
Figure 35 Main Software Processes
112 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog “is running” check; service monitor | Automatic Persistent data store recovery; process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
113 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 102) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
114 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
115 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
116 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
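The connection-level ACL on CER AVPs and the maximal message length check described above can be sketched as follows. This is an added example, not SDC code: the ACL rule format, the 4096-byte limit, the realm `operator.example`, the product names and the sample CER are all assumptions, while the wire layout and AVP codes follow RFC 6733.

```python
import ipaddress
import struct

# Command and AVP codes from RFC 6733.
CER_COMMAND_CODE = 257
AVP_AUTH_APPLICATION_ID, AVP_PRODUCT_NAME, AVP_ORIGIN_REALM = 258, 269, 296
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40
MAX_MESSAGE_LENGTH = 4096  # assumed operator limit, not a value from the page

# Hypothetical ACL: first matching rule wins, unmatched peers are rejected.
ACL = [
    {"action": "REJECT", "product_name": "TestTool"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24",
     "origin_realm": "operator.example", "application_ids": {16777238}},
]

def encode_avp(code, data, flags=AVP_FLAG_MANDATORY):
    """Encode one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def build_message(command_code, avps):
    """Build a request (R bit set, application id 0) from encoded AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
            + command_code.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + body)

def parse_message(raw, max_length=MAX_MESSAGE_LENGTH):
    """Return (command_code, {(vendor_id, avp_code): [payload, ...]})."""
    length = int.from_bytes(raw[1:4], "big")
    if length > max_length:
        raise ValueError("message exceeds maximal length")
    if len(raw) < 20 or raw[0] != 1 or length != len(raw) or length % 4:
        raise ValueError("malformed Diameter header")
    avps, offset = {}, 20
    while offset < length:
        if length - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, offset)
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if avp_len < header_len or offset + avp_len > length:
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", raw, offset + 8)[0] if header_len == 12 else 0
        avps.setdefault((vendor, code), []).append(raw[offset + header_len:offset + avp_len])
        offset += avp_len + (-avp_len % 4)
    return int.from_bytes(raw[5:8], "big"), avps

def peer_facts(avps):
    """Extract the CER fields the ACL inspects; raise ValueError if malformed."""
    realm = avps.get((0, AVP_ORIGIN_REALM))
    if not realm:
        raise ValueError("CER lacks Origin-Realm")
    app_ids = set()
    for value in avps.get((0, AVP_AUTH_APPLICATION_ID), []):
        if len(value) != 4:
            raise ValueError("Auth-Application-Id is not Unsigned32")
        app_ids.add(int.from_bytes(value, "big"))
    product = avps.get((0, AVP_PRODUCT_NAME), [b""])[0]
    return {"origin_realm": realm[0].decode("ascii"),
            "product_name": product.decode("utf-8"), "application_ids": app_ids}

def rule_matches(rule, peer_ip, facts):
    """True when every criterion present in the rule matches this peer."""
    if "subnet" in rule:
        # peer_ip is the transport source address, not a value the peer asserts.
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule["subnet"]):
            return False
    if any(k in rule and facts[k] != rule[k] for k in ("origin_realm", "product_name")):
        return False
    allowed = rule.get("application_ids")
    advertised = facts["application_ids"]
    return allowed is None or (bool(advertised) and advertised <= allowed)

def evaluate_cer(raw, peer_ip, acl=ACL):
    """Return (action, reason) for the first message on a new connection."""
    try:
        command, avps = parse_message(raw)
        if command != CER_COMMAND_CODE:
            raise ValueError("first message is not a CER")
        facts = peer_facts(avps)
    except ValueError as exc:
        return "REJECT", str(exc)
    for index, rule in enumerate(acl):
        if rule_matches(rule, peer_ip, facts):
            return rule["action"], f"matched rule {index}"
    return "REJECT", "no ACL rule matched"

def sample_cer(realm=b"operator.example", product=b"PCRF", app_id=16777238):
    """Constructed CER used as sample input."""
    avps = [encode_avp(AVP_ORIGIN_REALM, realm), encode_avp(AVP_PRODUCT_NAME, product, 0),
            encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", app_id))]
    return build_message(CER_COMMAND_CODE, avps)

if __name__ == "__main__":
    print(evaluate_cer(sample_cer(), "192.0.2.10"))
    print(evaluate_cer(sample_cer(), "198.51.100.7"))
    print(evaluate_cer(sample_cer(product=b"A" * 5000), "192.0.2.10"))
```

The length check runs before any AVP is parsed, and every malformed or unmatched message ends in REJECT, so the default is deny.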
117 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
118 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
121 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
122 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
123 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |

13 HW Architecture and Performance
131 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow (figure labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high-capacity, high-performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit wwwtraffixsystemscom
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
Figure 25 Weighted Round Robin Policy
Fastest Response Time
When selecting the Fastest Response Time load balancing policy, the incoming Diameter traffic is distributed across the pool’s available Diameter peers according to the respective response time of the peer. The response time is measured for a predefined duration of time using real-time statistics. Fastest Response Time is a dynamic algorithm that tries to achieve equal load distribution between available Diameter peers.
When the Fastest Response Time policy is used, new Diameter sessions are distributed to the Remote Node which has the fastest average response time measured during the last measurement period. Incoming requests distribution is depicted in Figure 26.
Figure 26 Fastest Response Time Policy
User Defined Policy
The request’s destination Diameter peer is selected according to a user-defined policy implemented by an external script. The external script can be combined with one of the methods listed and described above.
85 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability issues between different Diameter vendors and allows the translation from one Diameter protocol to another signaling protocol and vice versa. SDC provides full support for adding, modifying and/or removing AVPs based on user-configurable rules. The rules are implemented using smart decision grids and the Groovy scripting language, which provides configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability to create different rules of message modification according to the direction of the message flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides flexibility by defining Server Responses and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters' operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed (cashed in), and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
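The token bucket check and the channel and global limiters described above can be sketched as follows. This is an added example, not SDC code: the class names, the parameter names, the one-second burst allowance and the sample traffic are all assumptions made for illustration.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens/second, holding at most `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), now

    def has(self, cost, now):
        # Refill for the elapsed time, then test conformance without spending.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)
        return cost <= self.tokens

    def take(self, cost):
        # Cash in tokens for a conforming message.
        self.tokens -= cost


class ReadLimiter:
    """Per-peer message and byte limiters plus one global message limiter.

    A non-conforming message leaves every bucket unchanged and stops reading
    from the peer (or from all peers) for `pause` seconds.
    """

    def __init__(self, peer_msgs, peer_bytes, global_msgs, pause):
        self.peer_msgs, self.peer_bytes, self.pause = peer_msgs, peer_bytes, pause
        self.global_bucket = TokenBucket(global_msgs, global_msgs)
        self.global_paused_until = 0.0
        self.peers = {}               # peer -> (message bucket, byte bucket)
        self.peer_paused_until = {}   # peer -> time reading may resume

    def admit(self, peer, size, now):
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.peers:
            self.peers[peer] = (
                TokenBucket(self.peer_msgs, self.peer_msgs, now),
                TokenBucket(self.peer_bytes, self.peer_bytes, now),
            )
        msgs, octets = self.peers[peer]
        # Channel limiter: one token per message, `size` tokens per byte count.
        if not (msgs.has(1, now) and octets.has(size, now)):
            self.peer_paused_until[peer] = now + self.pause
            return "peer-paused"
        # Global limiter: checked before any bucket is charged.
        if not self.global_bucket.has(1, now):
            self.global_paused_until = now + self.pause
            return "global-paused"
        msgs.take(1)
        octets.take(size)
        self.global_bucket.take(1)
        return "read"


def replay(limiter, events):
    """Run (peer, size_in_bytes, time) events through the limiter."""
    return [limiter.admit(peer, size, now) for peer, size, now in events]


# Constructed traffic: peer A bursts 12 messages, peer B sends 6, then A
# returns after the pause and peer C sends one oversized message.
SAMPLE_EVENTS = (
    [("A", 100, 0.0)] * 12
    + [("B", 100, 0.0)] * 6
    + [("A", 100, 0.6), ("C", 20000, 0.6)]
)

if __name__ == "__main__":
    limiter = ReadLimiter(peer_msgs=10, peer_bytes=10000, global_msgs=15, pause=0.5)
    for event, decision in zip(SAMPLE_EVENTS, replay(limiter, SAMPLE_EVENTS)):
        print(event, decision)
```

Checking every bucket before charging any of them keeps the "contents of the bucket are not changed" property when the global limiter, not the channel limiter, is the one that refuses the message.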
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

Diameter message layout (bit offsets 0 to 31 within each 32-bit word):

| Bit offset | Fields |
|---|---|
| 0 | version, message length |
| 32 | R P E T, command code |
| 64 | application ID |
| 96 | hop-by-hop ID |
| 128 | end-to-end ID |
| 160 | AVPs |

When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type),
it might have impact of up to 5% on the latency.
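The header-based priority lookup described above, as an added example that is not SDC code: it parses the fixed 20-byte Diameter header (field layout per RFC 6733) and applies a first-match priority table in which `None` stands for "does not matter". The rule set, the function names and the sample headers are constructed for illustration; the command codes and application IDs are the standard values for Credit-Control (272), AA-Request (265), Gx (16777238) and Rx (16777236).

```python
import struct
from typing import NamedTuple

FLAG_R, FLAG_T = 0x80, 0x10   # request bit and potentially-retransmitted bit


class Header(NamedTuple):
    version: int
    length: int
    is_answer: bool        # R bit clear: in RFC 6733 a set R bit marks a request
    is_retransmit: bool    # T bit set
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int


def parse_header(data: bytes) -> Header:
    """Decode the fixed Diameter header, rejecting malformed input."""
    if len(data) < 20:
        raise ValueError("truncated Diameter header")
    ver_len, flags_cmd, app_id, hbh, e2e = struct.unpack("!IIIII", data[:20])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, command = flags_cmd >> 24, flags_cmd & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < 20 or length % 4:
        raise ValueError("invalid message length %d" % length)
    return Header(version, length, not flags & FLAG_R, bool(flags & FLAG_T),
                  command, app_id, hbh, e2e)


# Constructed priority table: (is_answer, is_retransmit, command code,
# application ID, priority). None means "does not matter".
RULES = [
    (True, None, 272, None, "High"),        # Credit-Control answers (CCA over CCR)
    (None, None, None, 16777238, "High"),   # anything on Gx (Gx over Rx)
    (None, True, None, None, "High"),       # retransmissions (T bit set)
]


def priority_of(header: Header, rules=RULES) -> str:
    """Return the priority of the first matching rule, else Normal."""
    for is_answer, is_retransmit, command, app_id, priority in rules:
        if is_answer is not None and is_answer != header.is_answer:
            continue
        if is_retransmit is not None and is_retransmit != header.is_retransmit:
            continue
        if command is not None and command != header.command_code:
            continue
        if app_id is not None and app_id != header.application_id:
            continue
        return priority
    return "Normal"


def build_header(flags, command_code, application_id, length=20, hbh=1, e2e=1):
    """Build a constructed header-only message for the demonstration."""
    return struct.pack("!IIIII", (1 << 24) | length,
                       (flags << 24) | command_code, application_id, hbh, e2e)


if __name__ == "__main__":
    samples = {
        "CCA on Gx": build_header(0x40, 272, 16777238),
        "CCR on Gx": build_header(0xC0, 272, 16777238),
        "AAR on Rx": build_header(0xC0, 265, 16777236),
        "retransmitted AAR on Rx": build_header(0xD0, 265, 16777236),
    }
    for name, raw in samples.items():
        print(name, "->", priority_of(parse_header(raw)))
```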
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot:
Figure 31: “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built in health monitoring mechanisms that are used to identify overload
condition or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
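One way to implement the In Session Monitoring threshold described above, as an added example rather than SDC code. The sliding-window counting, the class and parameter names, the peer names and the sample events are assumptions; Result-Code 3004 is DIAMETER_TOO_BUSY, and any Result-Code of 3000 or above is treated here as an error answer.

```python
from collections import defaultdict, deque

DIAMETER_TOO_BUSY = 3004


class InSessionMonitor:
    """Counts error events per peer over a sliding window of seconds."""

    def __init__(self, window, max_errors, out_of_service, slow_after):
        self.window = window                  # seconds of history considered
        self.max_errors = max_errors          # threshold that must be exceeded
        self.out_of_service = out_of_service  # seconds a peer is taken out
        self.slow_after = slow_after          # response time counted as an error
        self.errors = defaultdict(deque)      # peer -> deque of (time, kind)
        self.oos_until = {}                   # peer -> time service resumes

    def classify(self, result_code, response_time):
        """Map one transaction outcome to an error kind, or None if healthy."""
        if result_code is None:
            return "timeout"                  # no answer arrived at all
        if result_code == DIAMETER_TOO_BUSY:
            return "busy"
        if result_code >= 3000:
            return "error"                    # protocol, transient or permanent
        if response_time is not None and response_time > self.slow_after:
            return "slow"
        return None

    def in_service(self, peer, now):
        return now >= self.oos_until.get(peer, 0.0)

    def record(self, peer, now, result_code=None, response_time=None):
        """Record one outcome; result_code=None means the request timed out."""
        kind = self.classify(result_code, response_time)
        if kind is None:
            return None
        events = self.errors[peer]
        events.append((now, kind))
        # Drop events that have aged out of the window.
        while events and events[0][0] <= now - self.window:
            events.popleft()
        if len(events) > self.max_errors and self.in_service(peer, now):
            self.oos_until[peer] = now + self.out_of_service
            events.clear()                    # start clean when service resumes
        return kind

    def pick(self, peers, now):
        """First in-service peer for a new session, or None to reject."""
        for peer in peers:
            if self.in_service(peer, now):
                return peer
        return None


def demo():
    """Constructed outcomes for two PCRF peers; returns the observed states."""
    mon = InSessionMonitor(window=10, max_errors=3, out_of_service=30, slow_after=2.0)
    mon.record("pcrf1", 0.0, 2001, 0.1)       # healthy answer
    mon.record("pcrf1", 1.0)                  # timeout
    mon.record("pcrf1", 2.0, DIAMETER_TOO_BUSY, 0.2)
    mon.record("pcrf1", 3.0, 2001, 2.5)       # success, but too slow
    before = mon.in_service("pcrf1", 3.0)     # three errors: threshold not exceeded
    mon.record("pcrf1", 4.0, 5012, 0.1)       # fourth error within the window
    return {
        "before": before,
        "after": mon.in_service("pcrf1", 4.0),
        "new_session_peer": mon.pick(["pcrf1", "pcrf2"], 5.0),
        "restored": mon.in_service("pcrf1", 34.0),
    }


if __name__ == "__main__":
    print(demo())
```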
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanism that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
Mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32 diagram: Management Console (HTTPS Web access), Provisioning Interface (Web Service, SOAP/XML), Configuration Manager, SDC Core, SDC Node, Blade Server, OAM, Fault and Performance Manager, AMM, Security and Administration Manager, CLI, SNMP/Syslog]
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counter, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrade (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot
standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
[Figure 33 diagram: “Scalable Mode” SDC Node, scalable (12 blades), between the Clients Backbone (Client 1 to Client K) and the Servers Backbone (Server 1 to Server M), with External Network, Interconnect and Management Network; SDC Blade 1 holds VIP (Active), the other blades hold VIP (Standby); blades run SDC Engine, Web Interface, Config Mgr and Distributed Storage]
Figure 33: Scalable Deployment Physical View
[Figure 34 diagram: HA Cluster with Config Mgr, Shared Memory, four SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients and Servers]
Figure 34: Scalable Deployment Logical View
[Figure 35 diagram: SDC Blade X running VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent]
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure 36 diagram: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer and Management Workstation]
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
[Figure 37 diagram: three nodes, each with SDC, Diameter VIP, Management VIP and Physical IPs; Web UI WS and Configuration Manager on two of the nodes; Session Replication between nodes; Client and Management Workstation; flow steps numbered 1, 2 and 3]
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure 38 diagram: three nodes, each with SDC, Diameter VIP, Management VIP and Physical IPs; Web UI WS and Configuration Manager on two of the nodes; Session Replication between nodes; Client and Management Workstation; flow steps numbered 1, 2 and 3]
Figure 38: Scalable N+K HA architecture, Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connection between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s components; “scalable deployment” is assumed.

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per-site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.

Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active
or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
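The following added example (not SDC code or configuration syntax) sketches how a first-match, default-deny ACL over CER attributes can be combined with a custom policy, as section 11.5 describes. The rule fields, the `host_in_realm` policy, the sample peers and the addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

GX, S6A = 16777238, 16777251  # 3GPP Application-Ids used by the constructed samples


@dataclass(frozen=True)
class Cer:
    """AVP values taken from a received CER plus the transport source address."""
    source_ip: str
    origin_host: str
    origin_realm: str
    product_name: str
    application_ids: FrozenSet[int]


def in_domain(host: str, domain: str) -> bool:
    """Case-insensitive match on a DNS label boundary (not a bare suffix match)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class AclRule:
    """Every criterion that is set must match; None means 'any'."""
    action: str                            # "ACCEPT" or "REJECT"
    subnet: Optional[str] = None
    host_domain: Optional[str] = None
    application_id: Optional[int] = None
    product_name: Optional[str] = None

    def matches(self, cer: Cer) -> bool:
        if self.subnet is not None:
            try:
                addr = ipaddress.ip_address(cer.source_ip)
            except ValueError:
                return False               # unparseable source never matches
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            if addr not in ipaddress.ip_network(self.subnet):
                return False
        if self.host_domain is not None and not in_domain(cer.origin_host, self.host_domain):
            return False
        if self.application_id is not None and self.application_id not in cer.application_ids:
            return False
        if self.product_name is not None and self.product_name != cer.product_name:
            return False
        return True


def host_in_realm(cer: Cer) -> Optional[str]:
    """Custom policy (assumption): veto a peer whose Origin-Host is outside its Origin-Realm."""
    return None if in_domain(cer.origin_host, cer.origin_realm) else "REJECT"


def decide(cer: Cer, rules, custom_policies=(), default: str = "REJECT") -> str:
    """Custom policies may veto first; then the first matching ACL rule wins; else default deny."""
    for policy in custom_policies:
        verdict = policy(cer)
        if verdict is not None:
            return verdict
    for rule in rules:
        if rule.matches(cer):
            return rule.action
    return default


# Constructed rule set: block a test tool, admit Gx peers from one subnet and
# domain, admit S6a peers from one IPv6 prefix. Everything else is rejected.
SAMPLE_RULES = [
    AclRule("REJECT", product_name="LoadTester"),
    AclRule("ACCEPT", subnet="10.20.0.0/16", host_domain="epc.example.net", application_id=GX),
    AclRule("ACCEPT", subnet="2001:db8:10::/48", application_id=S6A),
]

if __name__ == "__main__":
    peer = Cer("10.20.3.4", "pcef1.epc.example.net", "epc.example.net", "PCEF", frozenset({GX}))
    print(decide(peer, SAMPLE_RULES, [host_in_realm]))
```

Matching the host on a label boundary keeps a look-alike name such as `pcef1.notepc.example.net` from satisfying a rule written for `epc.example.net`.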
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43 diagram labels: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (External Ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; Interswitch Link; INBAND Connections to upstream Routers; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B; Virtual IP for SCTP and TCP (all VIPs are doubled per Internal and External Networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
 | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
 | | | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
 | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
 | | | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
 | | | Super-User (Administrator) | Full access
 | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
 | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
 | | | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Figure 26 Fastest Response Time Policy
User Defined Policy
The request's destination Diameter peer is selected according to a user defined policy
implemented by an external script. The external script can be combined with one of the
methods listed and described above.
8.5 Outgoing Message Transformation
The message transformation mechanism implemented by SDC overcomes interoperability
issues between different Diameter vendors and allows the translation from one Diameter
protocol to another signaling protocol and vice versa. SDC provides full support for
adding, modifying and/or removing AVPs based on user configurable rules. The rules are
implemented using smart decision grids and the Groovy scripting language, which provides
configuration flexibility and simple management.
The solution enables bi-directional Diameter message modification and provides the ability
to create different rules of message modification according to the direction of the message
flow and/or message type, for example:
Modification of Server initiated messages
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27 diagram labels: Client Peer; Transformation Engine; Server Peer; Request and Response in the Client->Server direction; Request and Response in the Client<-Server direction]
Figure 27 A 4 Way Message Transformation
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory/CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate or by bounding the
incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters' operation is similar. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
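The following added example (not SDC code) models the token bucket together with the Channel and Global Rate Limiter behaviour described above: per-peer message and byte buckets, one global message bucket, and a pause in reading when a limit is exceeded. The class names, the rates, the pause length and the event lists are constructed assumptions.

```python
class TokenBucket:
    """Token bucket: refills at `rate` tokens/second and stores at most `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.stamp = float(burst), float(now)

    def conforms(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens are available."""
        if now > self.stamp:
            self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
            self.stamp = now
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost


class ReadLimiter:
    """Channel (per-peer) and global read limiting; rates are per second."""

    def __init__(self, peer_msgs, peer_bytes, global_msgs, pause):
        self.peer_msgs, self.peer_bytes, self.pause = peer_msgs, peer_bytes, pause
        self.global_bucket = TokenBucket(global_msgs, global_msgs)
        self.channels = {}        # peer -> (message bucket, byte bucket)
        self.peer_resume = {}     # peer -> time at which reading resumes
        self.global_resume = 0.0

    def on_message(self, peer, size, now):
        """Return 'read', 'peer-paused' or 'global-paused' for one pending message."""
        if now < self.global_resume:
            return "global-paused"
        if now < self.peer_resume.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.channels:
            self.channels[peer] = (TokenBucket(self.peer_msgs, self.peer_msgs, now),
                                   TokenBucket(self.peer_bytes, self.peer_bytes, now))
        msgs, octets = self.channels[peer]
        # Check every bucket before taking from any, so a non-conforming
        # message leaves all bucket contents unchanged.
        if not (msgs.conforms(1, now) and octets.conforms(size, now)):
            self.peer_resume[peer] = now + self.pause
            return "peer-paused"
        if not self.global_bucket.conforms(1, now):
            self.global_resume = now + self.pause
            return "global-paused"
        msgs.take(1)
        octets.take(size)
        self.global_bucket.take(1)
        return "read"


def replay(limiter, events):
    """events: iterable of (time_seconds, peer, message_size_bytes)."""
    return [limiter.on_message(peer, size, now) for now, peer, size in events]


def channel_demo():
    """One peer bursts past 10 msg/s; other peers are unaffected (constructed events)."""
    limiter = ReadLimiter(peer_msgs=10, peer_bytes=10_000, global_msgs=1000, pause=0.5)
    events = [(0.0, "peerA", 100)] * 12 + [
        (0.1, "peerB", 100),      # different channel, still read
        (0.4, "peerA", 100),      # inside peerA's pause window
        (0.6, "peerA", 100),      # pause over, bucket partly refilled
        (0.7, "peerC", 20_000),   # exceeds the byte bucket on its own
    ]
    return replay(limiter, events)


def global_demo():
    """Three well-behaved peers together exceed the global 25 msg/s limit."""
    limiter = ReadLimiter(peer_msgs=10, peer_bytes=10_000, global_msgs=25, pause=0.5)
    events = [(0.0, p, 100) for p in ("peerA", "peerB", "peerC") for _ in range(10)]
    events += [(0.2, "peerA", 100), (0.5, "peerA", 100)]
    return replay(limiter, events)


if __name__ == "__main__":
    print(channel_demo())
    print(global_demo())
```

In `global_demo` no single peer exceeds its own limit, yet reading stops for all peers once the shared bucket is empty, which is the case the Global Rate Limiter exists for.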
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter header layout:
Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs ...
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have an impact of up to 5% on the latency.
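The following added example (not SDC code) parses the 20-byte Diameter header laid out above and applies a first-match priority table with "does not matter" wildcards, falling back to normal priority. The table rows and sample messages are constructed; the R flag marks a request, so "is answer" means the R bit is clear.

```python
import struct

HEADER_LEN = 20
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
CMD_CC, CMD_AA = 272, 265                 # Credit-Control, AA (as used on Rx)
APP_GX, APP_RX = 16777238, 16777236       # 3GPP Gx and Rx Application-Ids


def parse_header(data: bytes) -> dict:
    """Decode the fixed Diameter header; raise ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    version, flags = data[0], data[4]
    length = int.from_bytes(data[1:4], "big")       # 24-bit message length
    command = int.from_bytes(data[5:8], "big")      # 24-bit command code
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    return {
        "length": length,
        "is_answer": not (flags & FLAG_R),
        "is_retransmit": bool(flags & FLAG_T),
        "command": command,
        "app_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def build_header(flags, command, app_id, length=HEADER_LEN, hop_by_hop=1, end_to_end=1) -> bytes:
    """Helper that constructs sample headers for this example."""
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end))


# Constructed priority table. Columns follow the page's table:
# (is_answer, is_retransmit, command code, application ID, priority).
# None means "does not matter".
PRIORITY_TABLE = [
    (True, None, CMD_CC, APP_GX, "high"),    # CCA over CCR on Gx
    (False, True, None, None, "high"),       # retransmitted requests (T bit set)
]


def classify(header: dict, table=PRIORITY_TABLE) -> str:
    """First matching row wins; with no match, normal priority is used."""
    for is_answer, is_retransmit, command, app_id, priority in table:
        if is_answer is not None and is_answer != header["is_answer"]:
            continue
        if is_retransmit is not None and is_retransmit != header["is_retransmit"]:
            continue
        if command is not None and command != header["command"]:
            continue
        if app_id is not None and app_id != header["app_id"]:
            continue
        return priority
    return "normal"


def priority_of(raw: bytes) -> str:
    return classify(parse_header(raw))


if __name__ == "__main__":
    for name, raw in [
        ("Gx CCA", build_header(FLAG_P, CMD_CC, APP_GX)),
        ("Gx CCR", build_header(FLAG_R | FLAG_P, CMD_CC, APP_GX)),
        ("Gx CCR retransmit", build_header(FLAG_R | FLAG_P | FLAG_T, CMD_CC, APP_GX)),
        ("Rx AAA", build_header(FLAG_P, CMD_AA, APP_RX)),
    ]:
        print(name, priority_of(raw))
```

Because only the fixed header is read, this classification needs no AVP decoding, which is why header-based prioritization avoids the latency cost the page notes for AVP-based rules.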
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected,
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests, such as pinging each connected peer,
to more sophisticated tests, such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyzes responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32 diagram labels: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS WEB Access; Web Service SOAP XML; Blade/Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities,
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding, are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time, so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need of a new license key or of the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrade (i.e. without service interruption) is part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager Process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33 Scalable Deployment Physical View (elements shown: “Scalable Mode” SDC node of 12 blades between the clients backbone (Client 1 to Client K) and the servers backbone (Server 1 to Server M), with external network, interconnect and management network; the blades run combinations of SDC Engine, VIP (Active or Standby), Web Interface, Config Mgr and Distributed Storage)
Figure 34 Scalable Deployment Logical View (elements shown: HA Cluster Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, clients and servers)
Figure 35 Main Software Processes (elements shown on SDC Blade X: VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node, while the node returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36 Hot-Standby HA architecture (elements shown: Node 1 and Node 2, each with SDC Core, Configuration Manager and Web UI/WS behind a Diameter VIP and a Management VIP; session replication between the nodes; client peer, server peer and management workstation)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation (elements shown: three SDC nodes, each with a physical IP, a Diameter VIP and a Management VIP; Configuration Managers and Web UI/WS; session replication; Client 1 and management workstation; flow steps 1 to 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation (elements shown: three SDC nodes, each with a physical IP, a Diameter VIP and a Management VIP; Configuration Managers and Web UI/WS; session replication; Client 1 and management workstation; flow steps 1 to 3)
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components; “scalable deployment” is assumed.
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding of the payload of AVP(s)
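The connection-level checks described under Diameter connection security and Diameter message security above (a maximum message length and an ACCEPT/REJECT decision on AVPs of the CER) can be illustrated with the following added example, which is not SDC code. The rule format, the 4096-byte limit, the peer names, the Host-IP-Address criterion and the reading of "product-type" as the Product-Name AVP are assumptions, and the messages are constructed samples.

```python
import ipaddress
import struct

MAX_MESSAGE_LEN = 4096  # assumed operator limit for this example, not an SDC default
CER_CODE, FLAG_REQUEST, FLAG_VENDOR = 257, 0x80, 0x80
HOST_IP, AUTH_APP, VENDOR_APP, ORIGIN_HOST, PRODUCT, ORIGIN_REALM = 257, 258, 260, 264, 269, 296


def parse_avps(buf):
    """Walk a run of AVPs (RFC 6733 section 4.1) into {code: [data, ...]}."""
    avps, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header = 12 if flags & FLAG_VENDOR else 8
        if length < header or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, []).append(buf[off + header:off + length])
        off += length + (-length) % 4  # AVPs are padded to a 4-byte boundary
    return avps


def parse_message(raw, max_len=MAX_MESSAGE_LEN):
    """Check the 20-byte header and the length limit; return (code, flags, avps)."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_len:
        raise ValueError("message exceeds maximum length")
    if declared != len(raw) or declared % 4:
        raise ValueError("length field does not match received bytes")
    return int.from_bytes(raw[5:8], "big"), raw[4], parse_avps(raw[20:])


def cer_identity(raw):
    """Extract the AVPs this policy inspects from a Capabilities-Exchange-Request."""
    code, flags, avps = parse_message(raw)
    if code != CER_CODE or not flags & FLAG_REQUEST:
        raise ValueError("expected a Capabilities-Exchange-Request")
    text = lambda c: avps[c][0].decode("utf-8") if c in avps else ""
    apps = {int.from_bytes(d, "big") for d in avps.get(AUTH_APP, [])}
    for group in avps.get(VENDOR_APP, []):  # grouped Vendor-Specific-Application-Id
        apps |= {int.from_bytes(d, "big") for d in parse_avps(group).get(AUTH_APP, [])}
    # Host-IP-Address: 2-byte address family (1 = IPv4, 2 = IPv6), then the address
    ips = {ipaddress.ip_address(d[2:]) for d in avps.get(HOST_IP, [])}
    return {"realm": text(ORIGIN_REALM), "product": text(PRODUCT), "apps": apps, "ips": ips}


# Constructed policy: first matching rule wins; a peer matching no rule is rejected.
ACL = [
    {"action": "REJECT", "product": "lab-simulator"},
    {"action": "ACCEPT", "subnet": "10.20.0.0/16", "realm": "ocs.example.net", "apps": {4}},
]


def decide(raw, peer_ip, acl=ACL):
    """Return (action, reason) for the first message from transport address peer_ip."""
    try:
        ident = cer_identity(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    source = ipaddress.ip_address(peer_ip)
    if source not in ident["ips"]:  # custom criterion chosen for this example
        return "REJECT", "Host-IP-Address does not list the transport source"
    for index, rule in enumerate(acl):
        if "subnet" in rule and source not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "realm" in rule and ident["realm"] != rule["realm"]:
            continue
        if "product" in rule and ident["product"] != rule["product"]:
            continue
        if "apps" in rule and not ident["apps"] & rule["apps"]:
            continue
        return rule["action"], "matched rule %d" % index
    return "REJECT", "no rule matched"


def avp(code, data, flags=0x40):
    """Encode one AVP (M flag, no Vendor-Id) for the constructed samples below."""
    length = 8 + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + data + b"\x00" * ((-length) % 4)


def cer(realm, ip, product, app_id, code=CER_CODE):
    """Build a constructed request carrying the five AVPs the policy reads."""
    body = (avp(ORIGIN_HOST, b"peer1." + realm.encode()) + avp(ORIGIN_REALM, realm.encode())
            + avp(HOST_IP, b"\x00\x01" + ipaddress.ip_address(ip).packed)
            + avp(PRODUCT, product.encode(), flags=0) + avp(AUTH_APP, struct.pack("!I", app_id)))
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([FLAG_REQUEST])
    return head + code.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + body


if __name__ == "__main__":
    print(decide(cer("ocs.example.net", "10.20.3.4", "ExampleOCS", 4), "10.20.3.4"))
    print(decide(cer("ocs.example.net", "10.20.9.9", "lab-simulator", 4), "10.20.9.9"))
    print(decide(cer("x" * 5000, "10.20.3.4", "ExampleOCS", 4), "10.20.3.4"))
```

Every parse failure, including an oversized or truncated message, ends in REJECT, so a malformed first message never reaches rule evaluation.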
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture (elements shown: blade chassis with SDC Worker Nodes; Virtual Fabric Switches 1 and 2, each with external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switches A and B; interswitch links; EXT-SCTP, EXT-TCP, INT-SCTP and INT-TCP networks; MGMT-A and MGMT-B; INBAND connections to upstream routers; Virtual IPs for SCTP and TCP, doubled per internal and external networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type Automatic Remedy Action
Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection: One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring: Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B ndash Access Level Security
System management is done using secure protocols The access security supported in the
system is summarized in the table below
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis/Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.[2]
[Figure 58: Detailed System Flow. Diagram labels: Network, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Out Transformation, Remove Pending Session, Peer FSM, Encoder, Out Flow Control, Encryption, P2P Message; shared services: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, Decision Table, Groovy Scripting; legend: Message Flow, Decision Flow.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
Modification of Server initiated messages:
• Server->Client Request (such as RAR)
• Server->Client Answer (such as CCA)
The message transformation process is shown in Figure 27.
[Figure 27: A 4 Way Message Transformation. Diagram: Client Peer, Transformation Engine and Server Peer, with Request and Response paths in the Client->Server and Client<-Server directions.]
As seen in the above figure, SDC provides the flexibility by defining Server Responses
and Server Requests.
SDC supports message transformation between Diameter, LDAP, RADIUS and HTTP
nodes, and between nodes of the same type.
A sample modification script is shown in Figure 28.
Figure 28 Sample transformation grid
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that
protect SDC and the connected Peer nodes from overload conditions by controlling and
limiting the resources usage and allocation, e.g. controlling the incoming/outgoing
message/traffic rate. The implemented methods are based on message-oriented flow
control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty
Peers, or unexpected memory, CPU high usage or other resource utilization that exceeds the
engineered capacity of SDC. The implemented overload control mechanisms assure that the
service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the
resource usage and allocation, e.g. controlling the outgoing message/traffic rate or
limiting the number of requests pending answers per destination peer or group of
destination peers.
• Protect the SDC node from overload by controlling and limiting resource usage and
allocation, e.g. controlling the incoming message/traffic rate, or by bounding the
incoming requests queue, write buffer allocations or the number of connections.
The diagram below describes the architecture of the rate control and the overload health
monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token
bucket algorithm. The token bucket algorithm is used to check that data transmissions
conform to defined limits on bandwidth and burstiness.[1]
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally
(between SDC and all Peers).
The message and byte rate limiters operate similarly. The only difference is that the
message rate limiter counts and limits the number of incoming messages, and the byte rate
limiter calculates traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of
which can represent a unit of bytes or a single packet of predetermined size. When a packet
is to be checked for conformance to the defined limits, the bucket is inspected to see if it
contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g.
equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is
passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the
packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval
(bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The
mechanism puts a hard limit and caps the number of messages sent (and pending answers)
to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits
are applied to the received messages. The parameters that control throttling are user
configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large
amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel)
separately. Then the estimated traffic reading rate is compared to the maximum allowed
Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer
for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and
the Peer continues flooding SDC, the overload protection mechanism described in
Chapter 8.3 is activated.
Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of
traffic that might cause denial of service. The limiter estimates the total incoming traffic
rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total
allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops
reading from all Peers for a user-configurable amount of time. In case the rate limiter fails
to reduce the rate and the amount of traffic grows above the global limit, the overload
protection mechanism described in Chapter 8.3 is activated.
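The channel and global limiters described above, combined with the message and byte rate limiters of section 9.1, can be sketched with token buckets as follows. This is an added example, not SDC code: the class names, the (rate, burst) settings and the sample traffic are assumptions, and checking each limit with its own token bucket is one possible reading of the text.

```python
"""Added illustration of channel and global read limiting; not SDC code."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float    # tokens refilled per second (sustained limit)
    burst: float   # bucket capacity (permitted burstiness)
    tokens: float = field(init=False)
    last: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.tokens = self.burst  # a new bucket starts full

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)  # tolerate a clock that steps back
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)

    def has(self, cost: float) -> bool:
        return self.tokens >= cost


class ReadLimiter:
    """Message and byte limiters, per channel (peer) and global (all peers)."""

    def __init__(self, peer_msg, peer_byte, global_msg, global_byte, pause_s):
        # Each limit is a hypothetical (rate_per_second, burst) pair.
        self._peer_cfg = (peer_msg, peer_byte)
        self._global = (TokenBucket(*global_msg), TokenBucket(*global_byte))
        self._peers = {}
        self._peer_pause = {}       # peer -> time at which reading may resume
        self._global_pause = 0.0
        self.pause_s = pause_s      # user-configurable pause after a violation

    def admit(self, peer: str, size: int, now: float) -> str:
        if now < self._global_pause:
            return "global-paused"
        if now < self._peer_pause.get(peer, 0.0):
            return "peer-paused"
        if peer not in self._peers:
            msg_cfg, byte_cfg = self._peer_cfg
            self._peers[peer] = (TokenBucket(*msg_cfg), TokenBucket(*byte_cfg))
        p_msg, p_byte = self._peers[peer]
        g_msg, g_byte = self._global
        for bucket in (p_msg, p_byte, g_msg, g_byte):
            bucket.refill(now)
        # Check every bucket before taking from any: a non-conforming message
        # must leave all bucket contents unchanged.
        if not (p_msg.has(1) and p_byte.has(size)):
            self._peer_pause[peer] = now + self.pause_s
            return "peer-paused"
        if not (g_msg.has(1) and g_byte.has(size)):
            self._global_pause = now + self.pause_s
            return "global-paused"
        for bucket, cost in ((p_msg, 1), (g_msg, 1), (p_byte, size), (g_byte, size)):
            bucket.tokens -= cost
        return "pass"


# Constructed traffic sample: (time in seconds, peer, message size in bytes).
SAMPLE = [(0.0, "A", 200), (0.0, "A", 200), (0.0, "A", 200), (0.0, "A", 200),
          (0.5, "A", 200), (0.5, "B", 200), (1.0, "A", 200), (1.0, "B", 3000)]


def run_sample():
    limiter = ReadLimiter(peer_msg=(2, 3), peer_byte=(1000, 2000),
                          global_msg=(5, 5), global_byte=(10_000, 10_000),
                          pause_s=1.0)
    return [limiter.admit(peer, size, t) for t, peer, size in SAMPLE]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE, run_sample()):
        print(event, "->", decision)
```

In the sample, peer A exhausts its message burst and is paused without affecting peer B, and a message larger than the byte burst can never conform, so the burst setting also acts as a maximum message size.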
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism.
SDC supports prioritization of traffic based on interface type, message type and content,
e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx
over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no
starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The
system assigns a priority level to each of the messages based on the combination of fields
in the Diameter header – R and T bits, command code and application ID. If no priority is
set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

Diameter header layout:

| Bit offset | Bits 0-7 | Bits 8-31 |
|---|---|---|
| 0 | version | message length |
| 32 | R P E T | command code |
| 64 | application ID | |
| 96 | hop-by-hop ID | |
| 128 | end-to-end ID | |
| 160 | AVPs | |
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have an impact of up to 5% on the latency.
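The header-based priority table described above can be evaluated from the first 20 bytes of a message, without decoding any AVP. The following is an added example, not SDC code: the rule set is constructed for illustration, the function and class names are assumptions, and the numeric values (Credit-Control command code 272, AA command code 265, Gx application ID 16777238, Rx application ID 16777236) come from the Diameter specifications rather than from this document.

```python
"""Added illustration of header-based priority classification; not SDC code."""
import struct
from typing import NamedTuple, Optional

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10   # Request bit and potentially-retransmitted bit
CC, AA = 272, 265             # Credit-Control and AA command codes
GX, RX = 16777238, 16777236   # 3GPP Gx and Rx application IDs


class Header(NamedTuple):
    length: int
    is_answer: bool
    is_retransmit: bool
    command_code: int
    application_id: int


class Rule(NamedTuple):
    # None in any of the four match fields means "does not matter".
    is_answer: Optional[bool]
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


def parse_header(data: bytes) -> Header:
    """Decode the fixed Diameter header and reject malformed input early."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    ver_len, flags_cmd, app_id, _hbh, _e2e = struct.unpack("!5I", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, command = flags_cmd >> 24, flags_cmd & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    # An answer is a message whose R (request) bit is clear.
    return Header(length, not flags & FLAG_R, bool(flags & FLAG_T), command, app_id)


def classify(header: Header, rules, default: str = "normal") -> str:
    """First matching rule wins; messages matching no rule get normal priority."""
    for rule in rules:
        if all(want is None or want == got
               for want, got in zip(rule[:4], header[1:5])):
            return rule.priority
    return default


def build_header(flags: int, command: int, app_id: int, length: int = HEADER_LEN,
                 version: int = 1) -> bytes:
    """Build a constructed header for the examples (IDs set to zero)."""
    return struct.pack("!5I", (version << 24) | length,
                       (flags << 24) | command, app_id, 0, 0)


# Constructed rule set mirroring the examples in the text.
RULES = [
    Rule(True, None, CC, None, "high"),    # CCA over CCR
    Rule(None, None, None, GX, "high"),    # Gx over Rx
    Rule(None, True, None, None, "high"),  # retransmissions (T bit set)
]

if __name__ == "__main__":
    for flags, cmd, app in [(0x40, CC, 4), (0xC0, CC, 4), (0xC0, AA, RX)]:
        print(hex(flags), cmd, app, classify(parse_header(build_header(flags, cmd, app)), RULES))
```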
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
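The In Session Monitoring behaviour described above (error events counted per peer, a threshold, and a timed "out of service" state) can be sketched as follows. This is an added example, not SDC code: the class, its four settings, the sliding-window rate calculation and the rule that Result-Codes of 3000 and above count as errors are assumptions made for illustration.

```python
"""Added illustration of error-rate based peer health tracking; not SDC code."""
from collections import Counter, deque
from typing import Dict, Optional

DIAMETER_TOO_BUSY = 3004  # busy Result-Code from the Diameter base protocol


class PeerHealth:
    def __init__(self, window_s, max_errors, out_of_service_s, slow_ms):
        # All four thresholds are hypothetical user-configurable settings.
        self.window_s = window_s
        self.max_errors = max_errors
        self.out_of_service_s = out_of_service_s
        self.slow_ms = slow_ms
        self._errors = deque()    # (timestamp, reason) of recent error events
        self.out_until = 0.0
        self.last_alarm = None    # error mix that triggered the last alarm

    def _reason(self, result_code, response_ms):
        if result_code is None:
            return "timeout"
        if result_code == DIAMETER_TOO_BUSY:
            return "busy"
        if result_code >= 3000:          # assumption: 3xxx and above are errors
            return "other-error"
        if response_ms is not None and response_ms > self.slow_ms:
            return "slow"
        return None

    def in_service(self, now: float) -> bool:
        return now >= self.out_until

    def record(self, now, result_code: Optional[int], response_ms=None) -> bool:
        """Record one transaction outcome; result_code=None means a timeout."""
        reason = self._reason(result_code, response_ms)
        if reason:
            self._errors.append((now, reason))
        while self._errors and self._errors[0][0] <= now - self.window_s:
            self._errors.popleft()      # drop events older than the window
        if len(self._errors) > self.max_errors and self.in_service(now):
            self.out_until = now + self.out_of_service_s
            # Keep the error mix so the alarm can describe the type of overload.
            self.last_alarm = dict(Counter(r for _, r in self._errors))
            self._errors.clear()        # start clean when the peer returns
        return self.in_service(now)


def select_peer(peers: Dict[str, PeerHealth], now: float) -> Optional[str]:
    """First in-service peer in preference order, or None (reject per policy)."""
    for name, health in peers.items():
        if health.in_service(now):
            return name
    return None
```

Answers that arrive while a peer is already out of service are still recorded but do not extend the interval, so a burst of late errors cannot keep a peer out of rotation indefinitely.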
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-
establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32: SDC OAM Function architecture. Diagram labels: Management Console (HTTPS Web access), Web Service Provisioning Interface (SOAP/XML), Configuration Manager, SDC Core, SDC Node, Blade Server, OAM, SNMP/Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI.]
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real-time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- Config Manager Process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
[Figure 33: Scalable Deployment Physical View. Diagram: "Scalable Mode" SDC Node, scalable (12 blades); SDC Blades 1, 2, 3 ... 12 with VIP (Active on Blade 1, Standby on the others), SDC Engine, Web Interface, Config Mgr and Distributed Storage; connected to the Clients Backbone (Client 1 ... Client K), the Servers Backbone (Server 1 ... Server M), External Network, Interconnect and Management Network.]
[Figure 34: Scalable Deployment Logical View. Diagram labels: HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Clients, Servers.]
[Figure 35: Main Software Processes. Diagram: SDC Blade X running VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent.]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure 36: Hot-Standby HA architecture. Diagram: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Session Replication between the nodes; Client Peer, Server Peer and Management Workstation.]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Figure 37: Scalable N+K HA architecture, Normal operation. Diagram: three SDC nodes, each with Diameter VIP, Management VIP and Physical IP addresses; Web UI WS and Configuration Manager on two of the nodes; Session Replication between nodes; Client 1 and Management Workstation; numbered flow markers 1, 2 and 3.]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one
      time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure 38: Scalable N+K HA architecture, Failure operation. Diagram: three SDC nodes, each with Diameter VIP, Management VIP and Physical IP addresses; Web UI WS and Configuration Manager on two of the nodes; Session Replication between nodes; Client 1 and Management Workstation; numbered flow markers 1, 2 and 3.]
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
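The CER-based access control described above can be sketched as follows. This is an added example, not SDC code or configuration: the rule format, function names, addresses and host names are assumptions, and the CER bodies are constructed (only the AVP section after the 20-byte header is decoded).

```python
import ipaddress
from fnmatch import fnmatchcase

# Base-protocol AVP codes (RFC 6733) used by the checks below.
AUTH_APPLICATION_ID, ORIGIN_HOST, PRODUCT_NAME, ORIGIN_REALM = 258, 264, 269, 296
FLAG_VENDOR = 0x80


def encode_avp(code, data, flags=0x40):
    """Build one AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)
    return (code.to_bytes(4, "big") + bytes([flags]) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def decode_avps(buf):
    """Decode the AVP section of a message into {(vendor, code): [payload, ...]}."""
    avps, pos = {}, 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(buf[pos:pos + 4], "big")
        flags = buf[pos + 4]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header = 12 if flags & FLAG_VENDOR else 8
        if length < header or pos + length > len(buf):
            raise ValueError("AVP length out of bounds")
        vendor = int.from_bytes(buf[pos + 8:pos + 12], "big") if flags & FLAG_VENDOR else 0
        avps.setdefault((vendor, code), []).append(buf[pos + header:pos + length])
        pos += length + (-length % 4)
    return avps


def cer_facts(src_ip, avps):
    """Collect the attributes an ACL rule can match on."""
    def text(code):
        values = avps.get((0, code), [])
        return values[0].decode("utf-8", "replace").lower() if values else ""
    return {
        "ip": ipaddress.ip_address(src_ip),
        "origin_host": text(ORIGIN_HOST),
        "origin_realm": text(ORIGIN_REALM),
        "product": text(PRODUCT_NAME),
        "app_ids": {int.from_bytes(v, "big") for v in avps.get((0, AUTH_APPLICATION_ID), [])},
    }


def evaluate(rules, facts, default="REJECT"):
    """First matching rule wins; anything unmatched is rejected."""
    for rule in rules:
        if "subnet" in rule and facts["ip"] not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "host" in rule and not fnmatchcase(facts["origin_host"], rule["host"]):
            continue
        if "realm" in rule and facts["origin_realm"] != rule["realm"]:
            continue
        if "app_id" in rule and rule["app_id"] not in facts["app_ids"]:
            continue
        if "custom" in rule and not rule["custom"](facts):
            continue
        return rule["action"]
    return default


def host_outside_realm(facts):
    """Custom policy over two AVPs: Origin-Host must sit inside Origin-Realm."""
    return not facts["origin_host"].endswith("." + facts["origin_realm"])


# Constructed ACL: reject inconsistent identities, accept one Gx client subnet.
ACL = [
    {"custom": host_outside_realm, "action": "REJECT"},
    {"subnet": "10.20.0.0/16", "host": "pcef*.epc.example.net",
     "realm": "epc.example.net", "app_id": 16777238, "action": "ACCEPT"},
]


def sample_cer(host, realm, app_id, product="constructed-peer"):
    """Constructed AVP section of a CER, for the example only."""
    return (encode_avp(ORIGIN_HOST, host.encode())
            + encode_avp(ORIGIN_REALM, realm.encode())
            + encode_avp(AUTH_APPLICATION_ID, app_id.to_bytes(4, "big"))
            + encode_avp(PRODUCT_NAME, product.encode(), flags=0x00))


def decide(src_ip, cer_avp_bytes, rules=ACL):
    return evaluate(rules, cer_facts(src_ip, decode_avps(cer_avp_bytes)))
```

A default of REJECT means a peer that omits Origin-Host, or whose CER fails to decode, never reaches an ACCEPT rule.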
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Diagram: blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port), L2/3 1GB copper switches A and B, interswitch links, in-band connections to upstream routers, and virtual IPs for SCTP and TCP on the internal and external networks]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
  Note:
  • Additional addresses per signaling interface are supported
  • Multiple signaling interfaces are supported
  • Multiple Networks and/or VLANs supported
  • IPv4 and IPv6 are supported
  • SCTP Multi-Homing supported
  • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
  • Additional Management VIPs are supported
  • Multiple addresses per blade are supported
  • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
  • Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
  • 2 for Advanced Management Modules
  • 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
 | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
 | | | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
 | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
 | | | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
 | | | Super-User (Administrator) | Full access
 | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
 | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
 | | | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition to that, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.²
[Diagram labels: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, P2P Message, Decision Table, Message Flow, Decision Flow, Groovy Scripting]
Figure 58 Detailed System Flow
2 More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK | Traffix Systems IL | Traffix Systems USA
Fortis House | 5B Hanagar Street | 3587 Highway 9N 204
160 London Road | Neve Neeman | Freehold NJ
Barking, Essex IG11 8BB | Hod Hasharon 45240 | 07728
UK | Israel | USA
Phone +44(0)20 8214 1384 | Phone +972 (0) 9 788 9222 | Phone +1 732 333 3416
9 Overload and Congestion Control
SDC provides multiple mechanisms for resource management and congestion control that protect SDC and the connected Peer nodes from overload conditions by controlling and limiting resource usage and allocation, e.g. controlling the incoming/outgoing message/traffic rate. The implemented methods are based on message-oriented flow control, traffic shaping algorithms and load shedding algorithms.
There are multiple possible reasons for overload, like signaling storms caused by faulty Peers, unexpectedly high memory or CPU usage, or other resource utilization that exceeds the engineered capacity of SDC. The implemented overload control mechanisms assure that the service continues with minimal degradation.
The overload control mechanisms:
• Protect Peer nodes (e.g. PCRF, HSS) from overload by controlling and limiting the resource usage and allocation, e.g. controlling the outgoing message/traffic rate or limiting the number of requests pending answers per destination peer or group of destination peers
• Protect the SDC node from overload by controlling and limiting resource usage and allocation, e.g. controlling the incoming message/traffic rate or by bounding the incoming requests queue, write buffer allocations or the number of connections
The diagram below describes the architecture of the rate control and the overload health monitoring.
Figure 29 Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness.¹
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, and the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
1 A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in"), and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit and caps the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
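The token bucket, channel limiter and global limiter described above can be combined as in the following sketch. It is an added example, not SDC code: class names, parameters and the sample traffic are assumptions, and the clock is passed in explicitly so the behaviour is reproducible.

```python
class TokenBucket:
    """`rate` tokens are added per second, up to a maximum of `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)      # start full: an initial burst is allowed
        self.stamp = float(now)

    def refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = max(self.stamp, now)

    def try_consume(self, cost, now):
        """Cash in `cost` tokens if present; otherwise leave the bucket unchanged."""
        self.refill(now)
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


class ReadLimiter:
    """Per-peer (channel) and global read limiters.

    With by_bytes=False each message costs one token (message rate limiter);
    with by_bytes=True it costs its length in bytes (byte rate limiter).
    A limit violation stops reading for `pause` seconds.
    """

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst,
                 pause, by_bytes=False):
        self.peer_rate, self.peer_burst = peer_rate, peer_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.pause = pause
        self.by_bytes = by_bytes
        self.peers = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def admit(self, peer, msg_len, now):
        """Return 'read', 'peer-paused' or 'global-paused' for one message."""
        cost = msg_len if self.by_bytes else 1
        if now < self.global_paused_until:
            return "global-paused"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "peer-paused"
        if peer not in self.peers:
            self.peers[peer] = TokenBucket(self.peer_rate, self.peer_burst, now)
        bucket = self.peers[peer]
        if not bucket.try_consume(cost, now):
            self.peer_paused_until[peer] = now + self.pause
            return "peer-paused"
        if not self.global_bucket.try_consume(cost, now):
            bucket.tokens += cost       # refund: the message was not read
            self.global_paused_until = now + self.pause
            return "global-paused"
        return "read"


def replay(limiter, events):
    """Run (time, peer, length) events through the limiter, in order."""
    return [limiter.admit(peer, length, t) for (t, peer, length) in events]


# Constructed traffic: peer-a floods at t=0 while peer-b sends a single message.
FLOOD = ([(0.0, "peer-a", 200)] * 7
         + [(0.0, "peer-b", 200), (0.5, "peer-a", 200), (1.0, "peer-a", 200)])

if __name__ == "__main__":
    limiter = ReadLimiter(peer_rate=5, peer_burst=5,
                          global_rate=100, global_burst=100, pause=1.0)
    for event, decision in zip(FLOOD, replay(limiter, FLOOD)):
        print(event, decision)
```

The flooding peer is paused without affecting the well-behaved one, which is the isolation property the channel limiter exists to provide.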
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing sessions over new sessions, or answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
In case prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header – R and T bits, command code and application ID. If no priority is set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID
96 | hop-by-hop ID
128 | end-to-end ID
160 | AVPs
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5 on the latency.
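Header-only prioritization as described above, as an added example rather than SDC code: the 20-byte header is parsed per the layout shown and matched against a priority table. The table entries, function names and sample headers are assumptions; None stands for "does not matter".

```python
import struct

HEADER_LEN = 20
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10


def parse_header(data):
    """Parse the fixed Diameter header and reject malformed ones early."""
    if len(data) < HEADER_LEN:
        raise ValueError("need 20 bytes for a Diameter header")
    version = data[0]
    length = int.from_bytes(data[1:4], "big")
    flags = data[4]
    command = int.from_bytes(data[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    return {
        "length": length,
        # RFC 6733: the R bit is set on requests, so an answer has R clear.
        "is_answer": not (flags & FLAG_R),
        "is_retransmit": bool(flags & FLAG_T),
        "command": command,
        "app_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


ANY = None  # "does not matter"

# Constructed priority table; the first matching row wins.
# Columns: is_answer, is_retransmit, command code, application ID, priority
PRIORITY_TABLE = [
    (True, ANY, 272, 16777238, "high"),   # CCA on Gx: answers over requests
    (ANY, True, ANY, ANY, "high"),        # retransmissions (T bit set)
    (ANY, ANY, 303, 16777216, "high"),    # MAR/MAA on Cx, ahead of LIR (302)
]


def classify(header, table=PRIORITY_TABLE):
    """Return the priority of a parsed header; 'normal' when no row matches."""
    key = (header["is_answer"], header["is_retransmit"],
           header["command"], header["app_id"])
    for *match, priority in table:
        if all(want is ANY or want == got for want, got in zip(match, key)):
            return priority
    return "normal"


def build_header(flags, command, app_id, hop_by_hop=1, end_to_end=1, length=HEADER_LEN):
    """Constructed header bytes for the example (no AVPs follow)."""
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end))


if __name__ == "__main__":
    samples = {
        "CCA on Gx": build_header(FLAG_P, 272, 16777238),
        "CCR on Gx": build_header(FLAG_R | FLAG_P, 272, 16777238),
        "CCR on Gx, retransmitted": build_header(FLAG_R | FLAG_T, 272, 16777238),
        "LIR on Cx": build_header(FLAG_R, 302, 16777216),
    }
    for name, raw in samples.items():
        print(name, "->", classify(parse_header(raw)))
```

Because only the first 20 bytes are read, this classification can run before any AVP decoding, which is why it avoids the latency cost of AVP-based prioritization.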
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0. Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing will be applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests, such as pinging each connected peer, to more sophisticated tests, such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests, when it attempts to send requests to Remote Nodes and analyzes responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers, the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32.
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that is used to configure and manage SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
[Diagram labels: Management Console, Configuration Manager, SDC Core, Web Service Provisioning Interface (SOAP), HTTPS WEB Access, Web Service SOAP XML, SDC Blade Server, OAM, SDC Node, SNMP/Syslog, Fault and Performance Manager, AMM, Security and Administration Manager, CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence the OAM can notify the operator about the need of a new license key or of the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It also supports dynamic configuration of parameters related to the platform’s components and services. Graceful Software and Hardware upgrade (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. Typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager Process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View (diagram; labels: “Scalable Mode” SDC Node, Client 1 to Client K, Clients Backbone, Server 1 to Server M, Servers Backbone, External Network, Interconnect, Management Network, Scalable (12 blades), SDC Blade 1, 2, 3 and 12, VIP (Active), VIP (Standby), SDC Engine, Web Interface, Config Mgr, Distributed Storage)
Figure 34: Scalable Deployment Logical View (diagram; labels: HA Cluster, Config Mgr, Shared Memory, SDC Engine, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, Client, Server)
Figure 35: Main Software Processes (diagram; labels: SDC Blade X, VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36: Hot-Standby HA architecture (diagram; labels: Node 1, Node 2, SDC Core, Web UI WS, Configuration Manager, Diameter VIP, Management VIP, Client Peer, Server Peer, Management Workstation, Session Replication)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture Normal operation (diagram; labels: three nodes, each with SDC, Diameter VIP, Management VIP and Physical IP; Web UI WS, Configuration Manager, Management Workstation, Client 1, Session Replication; flow steps 1, 2 and 3)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using a Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture Failure operation (diagram; labels: three nodes, each with SDC, Diameter VIP, Management VIP and Physical IP; Web UI WS, Configuration Manager, Management Workstation, Client 1, Session Replication; flow steps 1, 2 and 3)
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution’s components; “scalable deployment” is assumed.
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40: Geographical redundancy Active-Standby deployment mode
Figure 41: Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, of which 5K TPS are new sessions, and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
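A sketch of the CER-based ACCEPT/REJECT decision of section 11.5, combined with the maximum message length check described above. This is an added example, not SDC code: the policy keys, function names, addresses and realm are constructed assumptions; the message layout and AVP codes follow RFC 6733, and the sample CER is trimmed to the AVPs this policy inspects.

```python
import ipaddress
import struct

# Command and AVP codes from RFC 6733
CER = 257
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, ORIGIN_HOST, ORIGIN_REALM = 257, 258, 264, 296
REQUEST_FLAG, AVP_VENDOR_FLAG, AVP_MANDATORY_FLAG = 0x80, 0x80, 0x40


def encode_avp(code, data):
    """Encode one AVP without Vendor-Id; the AVP length field excludes the padding."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, AVP_MANDATORY_FLAG) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def encode_message(command, avps, flags=REQUEST_FLAG):
    """Build a Diameter message; used here only to construct the sample input."""
    body = b"".join(encode_avp(code, data) for code, data in avps)
    length = 20 + len(body)
    return (b"\x01" + length.to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + body)


def parse_message(raw, max_length):
    """Validate the 20-byte header and walk the AVPs with strict bounds checks."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_length:
        raise ValueError("message exceeds configured maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match received bytes")
    avps, offset = [], 20
    while offset < length:
        if length - offset < 8:
            raise ValueError("truncated AVP header")
        code, avp_flags = struct.unpack_from("!IB", raw, offset)
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        header_len = 12 if avp_flags & AVP_VENDOR_FLAG else 8
        if avp_len < header_len or offset + avp_len > length:
            raise ValueError("AVP length out of bounds")
        avps.append((code, raw[offset + header_len:offset + avp_len]))
        offset += avp_len + (-avp_len % 4)     # skip padding to the 4-byte boundary
    return {"request": bool(raw[4] & REQUEST_FLAG),
            "command": int.from_bytes(raw[5:8], "big"), "avps": avps}


def cer_decision(raw, source_ip, policy):
    """Return (verdict, reason) for the first message on a new peer connection."""
    address = ipaddress.ip_address(source_ip)
    if not any(address in net for net in policy["allowed_subnets"]):
        return "REJECT", "source address not in ACL"
    try:
        msg = parse_message(raw, policy["max_message_length"])
    except ValueError as exc:
        return "REJECT", str(exc)
    if msg["command"] != CER or not msg["request"]:
        return "REJECT", "first message is not a CER"
    avps = {}
    for code, data in msg["avps"]:
        avps.setdefault(code, []).append(data)
    if len(avps.get(ORIGIN_HOST, [])) != 1 or len(avps.get(ORIGIN_REALM, [])) != 1:
        return "REJECT", "Origin-Host/Origin-Realm missing or repeated"
    host = avps[ORIGIN_HOST][0].decode("ascii", "replace").lower()
    realm = avps[ORIGIN_REALM][0].decode("ascii", "replace").lower()
    if realm not in policy["allowed_realms"] or not host.endswith("." + realm):
        return "REJECT", "realm not allowed"
    app_ids = {int.from_bytes(d, "big") for d in avps.get(AUTH_APPLICATION_ID, [])}
    if not app_ids or not app_ids <= policy["allowed_app_ids"]:
        return "REJECT", "application-id not allowed"
    return "ACCEPT", "policy matched"


POLICY = {                                     # constructed policy; key names are assumptions
    "max_message_length": 4096,
    "allowed_subnets": [ipaddress.ip_network("10.20.0.0/24")],
    "allowed_realms": {"epc.example.net"},
    "allowed_app_ids": {16777238, 16777251},   # 3GPP Gx and S6a
}

SAMPLE_CER = encode_message(CER, [             # constructed sample, not a captured message
    (ORIGIN_HOST, b"pcef1.epc.example.net"),
    (ORIGIN_REALM, b"epc.example.net"),
    (HOST_IP_ADDRESS, b"\x00\x01" + ipaddress.ip_address("10.20.0.15").packed),
    (AUTH_APPLICATION_ID, (16777238).to_bytes(4, "big")),
])

if __name__ == "__main__":
    print(cer_decision(SAMPLE_CER, "10.20.0.15", POLICY))
    print(cer_decision(SAMPLE_CER, "192.0.2.9", POLICY))
```

Every parse failure maps to REJECT, so a malformed or oversized first message never reaches the AVP policy checks.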
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram; labels: Blade Chassis, SDC Worker Node, Virtual Fabric Switch 1 and 2 with external ports 10 x 10GbE + 1 x 1GB port, L2/3 1GB Copper Switch A and B, EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND, Interswitch Link, connections to upstream routers, Virtual IP for SCTP and TCP (all VIPs are doubled per Internal and External Networks))
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: additional addresses per signaling interface are supported; multiple signaling interfaces are supported; multiple Networks and/or VLANs supported; IPv4 and IPv6 are supported; SCTP Multi-Homing supported; if the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration). Additional Management VIPs are supported; multiple addresses per blade are supported; multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface; additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses: 2 for Advanced Management Modules; 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis/Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
[Figure 58 diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
Figure 58: Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
Figure 29: Rate Control and the Overload Health Monitoring Architecture
9.1 Throttling and Rate Limiting
The throttling and flow control mechanisms implemented in SDC are based on the token bucket algorithm. The token bucket algorithm is used to check that data transmissions conform to defined limits on bandwidth and burstiness [1].
SDC implements two types of throttling:
• Message rate limiter
• Byte rate limiter
The limiters control the reading rate per channel (between SDC and a Peer) or globally (between SDC and all Peers).
The operation of the message and byte rate limiters is similar. The only difference is that the message rate limiter counts and limits the number of incoming messages, while the byte rate limiter calculates a traffic estimation and limits it to a total rate in bytes.
[1] A measure of the unevenness or variations in the traffic flow.
Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in") and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit and caps the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30: Token Bucket Algorithm
Channel Rate Limiter
The Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
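
The following Python example is added here for illustration and is not SDC code. It implements the token bucket check described above and applies it as a message-rate and a byte-rate limiter, per channel and globally, pausing reads after a violation. The class names, limit values and verdict strings are assumptions, token bucket conformance stands in for SDC's rate estimation, and time is passed in explicitly so the behaviour is reproducible.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Token bucket: `rate` tokens are added per second, up to `burst`."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst              # start full: one burst is allowed

    def has(self, cost, now):
        """Refill for the elapsed time, then report whether `cost` tokens exist."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        return cost <= self.tokens

    def take(self, cost):
        self.tokens -= cost                   # tokens are "cashed in"


@dataclass
class Limits:
    msg_rate: float     # messages per second
    msg_burst: float    # messages allowed back to back
    byte_rate: float    # bytes per second
    byte_burst: float   # bytes allowed back to back
    pause_s: float      # how long reading stops after a violation


class Scope:
    """Message-rate and byte-rate limiter for one scope (a channel, or global)."""

    def __init__(self, lim):
        self.msgs = TokenBucket(lim.msg_rate, lim.msg_burst)
        self.bytes = TokenBucket(lim.byte_rate, lim.byte_burst)
        self.pause_s = lim.pause_s
        self.paused_until = 0.0

    def conforms(self, size, now):
        # Evaluate both buckets so both are refilled; nothing is removed yet,
        # so a non-conforming message leaves the bucket contents unchanged.
        ok_msgs = self.msgs.has(1, now)
        ok_bytes = self.bytes.has(size, now)
        return ok_msgs and ok_bytes

    def consume(self, size):
        self.msgs.take(1)
        self.bytes.take(size)


class RateControl:
    """Channel limiter per peer plus one global limiter across all peers."""

    def __init__(self, channel, glob):
        self.channel_limits = channel
        self.channels = {}
        self.glob = Scope(glob)

    def on_read(self, peer, size, now):
        ch = self.channels.get(peer)
        if ch is None:
            ch = self.channels[peer] = Scope(self.channel_limits)
        if now < self.glob.paused_until:
            return "global-paused"            # reading from all peers is stopped
        if now < ch.paused_until:
            return "channel-paused"           # reading from this peer is stopped
        if not ch.conforms(size, now):
            ch.paused_until = now + ch.pause_s
            return "channel-limit"
        if not self.glob.conforms(size, now):
            self.glob.paused_until = now + self.glob.pause_s
            return "global-limit"
        ch.consume(size)
        self.glob.consume(size)
        return "pass"


def replay(rc, events):
    """events: iterable of (time_s, peer, message_size_bytes)."""
    return [rc.on_read(peer, size, t) for t, peer, size in events]


# Constructed limits for the demonstration (not SDC defaults).
CHANNEL = Limits(msg_rate=10, msg_burst=5, byte_rate=2000, byte_burst=1000, pause_s=1.0)
GLOBAL = Limits(msg_rate=100, msg_burst=8, byte_rate=100_000, byte_burst=100_000, pause_s=0.5)

if __name__ == "__main__":
    rc = RateControl(CHANNEL, GLOBAL)
    events = [(0.0, "A", 100)] * 6 + [(0.5, "A", 100), (0.5, "B", 100), (1.0, "A", 100)]
    for event, verdict in zip(events, replay(rc, events)):
        print(event, verdict)
```

Peer A's sixth back-to-back message exceeds its burst and pauses only that channel, while peer B keeps being read; the global limiter pauses every peer once the aggregate burst is spent.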
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header – R and T bits, command code and application ID. If no priority is set, normal priority is used.
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal |

Diameter message header layout:

| Bit offset | Bits 0-7 | Bits 8-31 |
|---|---|---|
| 0 | version | message length |
| 32 | R P E T | command code |
| 64 | application ID | |
| 96 | hop-by-hop ID | |
| 128 | end-to-end ID | |
| 160 | AVPs | |
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
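
The following Python example is added here for illustration and is not SDC code. It parses the 20-byte Diameter header laid out above and evaluates a priority table with "does not matter" wildcards, falling back to Normal when no rule matches. The rule set and sample headers are constructed. The command code 272 (Credit-Control) and the Gx and Rx application IDs come from the public Diameter specifications, not from this document. In Diameter the R bit is set on requests, so "Is Answer" corresponds to a cleared R bit.

```python
import struct
from typing import NamedTuple, Optional

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HEADER_LEN = 20


class Header(NamedTuple):
    version: int
    length: int
    flags: int
    command: int
    app_id: int
    hop_by_hop: int
    end_to_end: int

    @property
    def is_answer(self) -> bool:
        return not self.flags & FLAG_R       # R bit set means request

    @property
    def is_retransmit(self) -> bool:
        return bool(self.flags & FLAG_T)


def parse_header(data: bytes) -> Header:
    """Decode the fixed Diameter header; reject input that cannot be one."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    ver_len, flg_cmd, app_id, hbh, e2e = struct.unpack("!IIIII", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, command = flg_cmd >> 24, flg_cmd & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return Header(version, length, flags, command, app_id, hbh, e2e)


class Rule(NamedTuple):
    """One row of the priority table; None means 'does not matter'."""
    is_answer: Optional[bool]
    is_retransmit: Optional[bool]
    command: Optional[int]
    app_id: Optional[int]
    priority: str


def classify(hdr: Header, rules, default: str = "Normal") -> str:
    """Return the priority of the first matching rule, else the default."""
    observed = (hdr.is_answer, hdr.is_retransmit, hdr.command, hdr.app_id)
    for rule in rules:
        if all(want is None or want == got for want, got in zip(rule[:4], observed)):
            return rule.priority
    return default


def build_header(flags, command, app_id, length=HEADER_LEN, hbh=1, e2e=1) -> bytes:
    """Helper that builds constructed sample headers for the demonstration."""
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | command,
                       app_id, hbh, e2e)


CC, AA = 272, 265                            # Credit-Control, AA command codes
GX, RX = 16777238, 16777236                  # 3GPP Gx and Rx application IDs

# Constructed example table: Gx credit-control answers and any retransmission
# get High priority; everything else falls through to Normal.
RULES = [
    Rule(is_answer=True, is_retransmit=None, command=CC, app_id=GX, priority="High"),
    Rule(is_answer=None, is_retransmit=True, command=None, app_id=None, priority="High"),
]

if __name__ == "__main__":
    samples = {
        "CCA on Gx": build_header(FLAG_P, CC, GX),
        "CCR on Gx": build_header(FLAG_R | FLAG_P, CC, GX),
        "retransmitted CCR on Gx": build_header(FLAG_R | FLAG_P | FLAG_T, CC, GX),
        "AAR on Rx": build_header(FLAG_R | FLAG_P, AA, RX),
    }
    for name, raw in samples.items():
        print(name, "->", classify(parse_header(raw), RULES))
```

Classification uses only the fixed header, so it runs before any AVP decoding, and a header that fails validation raises an error instead of receiving a priority.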
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the following snapshot.
Figure 31: “DIAMETER_TOO_BUSY” Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected, according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from the Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer server is considered “out of service” for a certain time interval. The time interval duration is user configurable. During the “out of service” period, the server does not handle new Diameter sessions.
9.6 External Monitoring
SDC provides the ability to add a custom and proactive service monitoring mechanism that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests, when it attempts to send requests to Remote Nodes and analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be used to augment the statistical information collected by In Session Monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
[Figure 32 diagram labels: Management Console; Configuration Manager; SDC Core; Web Service; Provisioning Interface (SOAP); HTTPS WEB Access; Web Service SOAP XML; SDC Blade/Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32: SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need of a new license key or of the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrade (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution.
- SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation.
- Config Manager Process is responsible for configuration distribution and storage.
- Distributed Storage is responsible for the management of static and dynamic routing tables.
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs OAM tasks.
[Figure 33 diagram labels: “Scalable Mode” - SDC Node; Server 1 ... Server M; Servers Backbone; Client 1 ... Client K; Clients Backbone; External Network; Interconnect; Management Network; Scalable (12 blades); SDC Blade 1, 2, 3 ... 12; VIP (Active); VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage]
Figure 33: Scalable Deployment Physical View
[Figure 34 diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 34: Scalable Deployment Logical View
[Figure 35 diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent]
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
[Figure 36 diagram labels: Node 1; Node 2; SDC Core; Web UI WS; Configuration Manager; Diameter VIP; Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication]
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
[Figure 37 diagram labels: Node 1; Node 2; SDC; Web UI WS; Diameter VIP; Management VIP; Management Workstation; Configuration Manager; Client1; Session Replication; Physical IP; flow step markers 1, 2, 3]
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
[Figure 38 diagram labels: Node 1; Node 2; SDC; Web UI WS; Diameter VIP; Management VIP; Management Workstation; Configuration Manager; Client1; Session Replication; Physical IP; flow step markers 1, 2, 3]
Figure 38: Scalable N+K HA architecture, Failure operation
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components; “scalable deployment” is assumed.
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Crash Process watchdog
ldquois runningrdquo check
service monitor
Automatic Persistent data store recovery
Process start
Lockup Service monitor Process forced termination
Automatic Persistent data store recovery
Process start
Partial lockup Service monitor Process forced termination
Automatic Persistent data store recovery
Process start
Cannot start Cluster resource mgmt andor
Service Monitor
Node failover
Traffic shift to other node
SDC Overload Service monitor (in scalable architecture)
Lower percentage of requests directed to system node

11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode

Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates

Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.

11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.

11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
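
The CER-based access control described in section 11.5 can be pictured with the following added example, which is not SDC code or SDC configuration syntax. It parses the top-level AVPs of a CER and applies a first-match ACL with default REJECT; the rule fields, the `AclRule` and `evaluate` names, the host names and the sample CER are all constructed for illustration.

```python
import fnmatch
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

CER_COMMAND = 257                       # Capabilities-Exchange (RFC 6733)
AVP_AUTH_APP_ID, AVP_ORIGIN_HOST, AVP_PRODUCT_NAME = 258, 264, 269


def encode_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Encode one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def build_cer(origin_host: str, product: str, app_id: int) -> bytes:
    """Build a minimal CER for this demo (constructed sample, not a capture)."""
    avps = (encode_avp(AVP_ORIGIN_HOST, origin_host.encode())
            + encode_avp(AVP_PRODUCT_NAME, product.encode(), flags=0)
            + encode_avp(AVP_AUTH_APP_ID, struct.pack("!I", app_id)))
    length = 20 + len(avps)
    return struct.pack("!IIIII", (1 << 24) | length, (0x80 << 24) | CER_COMMAND, 0, 1, 1) + avps


def parse_cer(msg: bytes) -> dict:
    """Return {avp_code: [payload, ...]} for a CER; raise ValueError if malformed."""
    if len(msg) < 20:
        raise ValueError("truncated header")
    ver_len, flags_cmd = struct.unpack("!II", msg[:8])
    length = ver_len & 0xFFFFFF
    if (ver_len >> 24) != 1 or length != len(msg):
        raise ValueError("bad version or message length")
    if (flags_cmd & 0xFFFFFF) != CER_COMMAND or not ((flags_cmd >> 24) & 0x80):
        raise ValueError("not a Capabilities-Exchange request")
    avps, pos = {}, 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack("!II", msg[pos:pos + 8])
        avp_len = flags_len & 0xFFFFFF
        hdr = 12 if (flags_len >> 24) & 0x80 else 8   # V flag adds a Vendor-Id
        if avp_len < hdr or pos + avp_len > length:
            raise ValueError("bad AVP length")
        avps.setdefault(code, []).append(msg[pos + hdr:pos + avp_len])
        pos += avp_len + (-avp_len % 4)               # skip padding
    return avps


@dataclass(frozen=True)
class AclRule:                          # hypothetical rule shape
    action: str                         # "ACCEPT" or "REJECT"
    subnet: Optional[str] = None        # None means "does not matter"
    host: Optional[str] = None          # glob on Origin-Host
    app_id: Optional[int] = None        # must appear in Auth-Application-Id
    product: Optional[str] = None       # glob on Product-Name


def evaluate(msg: bytes, src_ip: str, rules) -> str:
    """First matching rule wins; malformed input and no match both REJECT."""
    try:
        avps = parse_cer(msg)
        host = avps[AVP_ORIGIN_HOST][0].decode("ascii").lower()
        product = avps.get(AVP_PRODUCT_NAME, [b""])[0].decode("utf-8")
        # Only top-level Auth-Application-Id AVPs are considered here.
        app_ids = {struct.unpack("!I", d)[0] for d in avps.get(AVP_AUTH_APP_ID, [])}
    except (ValueError, KeyError, struct.error):
        return "REJECT"
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.subnet and addr not in ipaddress.ip_network(r.subnet):
            continue
        if r.host and not fnmatch.fnmatchcase(host, r.host):
            continue
        if r.app_id is not None and r.app_id not in app_ids:
            continue
        if r.product and not fnmatch.fnmatchcase(product, r.product):
            continue
        return r.action
    return "REJECT"


# Constructed policy: block one product name, then allow Gx peers of one realm/subnet.
RULES = [
    AclRule("REJECT", product="TestTool*"),
    AclRule("ACCEPT", subnet="10.20.0.0/16", host="*.epc.example.net", app_id=16777238),
]

if __name__ == "__main__":
    cer = build_cer("pcrf1.epc.example.net", "PCRF", 16777238)
    print(evaluate(cer, "10.20.1.5", RULES), evaluate(cer, "192.0.2.9", RULES))
```

Treating a parse failure as REJECT keeps a malformed CER from bypassing the policy by skipping the AVP checks.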

11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s) like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)

11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011

11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated

12 Networking

12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43 diagram. Labels recoverable from the extraction: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (External Ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; Interswitch Links; INBAND connections to upstream routers; networks EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B; Virtual IPs for SCTP and TCP (all VIPs are doubled per Internal and External Networks)]
Figure 43 Local Network redundancy architecture

12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |

IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) | Ethernet Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |

12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing Supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection: One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring: Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management

13 HW Architecture and Performance

13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based high capacity HW architecture with inherent manageability, reliability and redundancy.

14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring

15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.

16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are available in Pipeline.xlsx and PeerFSM.xlsx.
[Figure 58 diagram. Labels recoverable from the extraction: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
Figure 58 Detailed System Flow

About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com

Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416

Token bucket algorithm
The token bucket algorithm is based on an analogy of a bucket that contains tokens, each of which can represent a unit of bytes or a single packet of predetermined size. When a packet is to be checked for conformance to the defined limits, the bucket is inspected to see if it contains sufficient tokens at that time. If so, the appropriate number of tokens, e.g. equivalent to the length of the packet in bytes, are removed ("cashed in"), and the packet is passed, e.g. for transmission. If the number of tokens in the bucket is insufficient, the packet does not conform and the contents of the bucket are not changed.
The mechanism controls the volume of traffic being sent in a specified time interval (bandwidth throttling) or the maximum rate at which the traffic is sent (rate limiting). The mechanism puts a hard limit and caps the number of messages sent (and pending answers) to a certain Peer or a group of Peers to avoid flooding. Similarly, throttling and hard limits are applied to the received messages. The parameters that control throttling are user configurable.
Figure 30 Token Bucket Algorithm

Channel Rate Limiter
Channel Rate Limiter is used to prevent a single client from flooding SDC with a large amount of traffic. The limiter estimates the incoming traffic rate for each Peer (channel) separately. Then the estimated traffic reading rate is compared to the maximum allowed Peer rate. If the actual rate exceeds the allowed rate, the limiter stops reading from the Peer for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the Peer continues flooding SDC, the overload protection mechanism described in Chapter 8.3 is activated.

Global Rate Limiter
Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). Then the estimated traffic reading rate is compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. In case the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
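
The token bucket check and the per-Peer and global read limiters described above fit together as in the following added example, which is not SDC code. It assumes one token per message and uses the token bucket itself as the rate check, since the page does not say how SDC estimates rates; the class names, rates and pause time are constructed for illustration, and time is passed in explicitly so the run is deterministic.

```python
class TokenBucket:
    """Bucket refilled at `rate` tokens per second, holding at most `burst`."""

    def __init__(self, rate: float, burst: float, now: float = 0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now       # start with a full bucket

    def conforms(self, cost: float, now: float) -> bool:
        # Credit the tokens earned since the last check, capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost                   # tokens are "cashed in"
            return True
        return False                              # non-conforming: nothing removed


class ReadLimiter:
    """Per-Peer (channel) and global limiter that pauses reading on excess."""

    def __init__(self, peer_rate, peer_burst, global_rate, global_burst, pause_s):
        self.peer_rate, self.peer_burst, self.pause_s = peer_rate, peer_burst, pause_s
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.peer_buckets = {}
        self.peer_paused_until = {}
        self.global_paused_until = 0.0

    def on_message(self, peer: str, now: float) -> str:
        """Return 'read', 'paused-peer' or 'paused-global' for one message."""
        if now < self.global_paused_until:
            return "paused-global"
        if now < self.peer_paused_until.get(peer, 0.0):
            return "paused-peer"
        bucket = self.peer_buckets.get(peer)
        if bucket is None:
            bucket = self.peer_buckets[peer] = TokenBucket(
                self.peer_rate, self.peer_burst, now)
        if not bucket.conforms(1, now):
            # Channel limiter: stop reading from this Peer only.
            self.peer_paused_until[peer] = now + self.pause_s
            return "paused-peer"
        if not self.global_bucket.conforms(1, now):
            # Global limiter: stop reading from all Peers.
            self.global_paused_until = now + self.pause_s
            return "paused-global"
        return "read"


def replay(limiter: ReadLimiter, events) -> list:
    """Feed (time, peer) pairs through the limiter and collect the decisions."""
    return [limiter.on_message(peer, t) for t, peer in events]


def flood_demo() -> list:
    """Constructed trace: peer-a sends 20 messages 10 ms apart, peer-b sends one."""
    limiter = ReadLimiter(peer_rate=10, peer_burst=5,
                          global_rate=1000, global_burst=100, pause_s=2.0)
    events = [(i / 100, "peer-a") for i in range(20)]
    events += [(0.5, "peer-b"), (3.0, "peer-a")]
    return replay(limiter, events)


if __name__ == "__main__":
    decisions = flood_demo()
    print(decisions[:6], decisions[-2:])
```

In the constructed trace the flooding Peer is read five times (its burst), then paused, while the other Peer keeps being served; the Peer is read again once the pause has expired.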

9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing session over new sessions, or answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
In the case prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.

Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header - R and T bits, command code and application ID. If no priority is set, normal priority is used.

| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes / no / does not matter | yes / no / does not matter | 24 bit integer / does not matter | 32 bit integer / does not matter | High / Normal |

| Bit offset | Fields |
|---|---|
| 0 | version (bits 0-7), message length (bits 8-31) |
| 32 | R P E T flags (bits 0-7), command code (bits 8-31) |
| 64 | application ID |
| 96 | hop-by-hop ID |
| 128 | end-to-end ID |
| 160 | AVPs |

When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
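
The header-only classification above can be sketched as follows; this is an added example, not SDC code or SDC configuration syntax. It parses the 20-byte Diameter header and walks a first-match priority table in which `None` stands for "does not matter"; the `Rule` shape and the two sample rules are constructed. Per RFC 6733 the R flag is set on requests, so the example treats a message with R cleared as an answer.

```python
import struct
from typing import NamedTuple, Optional

HEADER_LEN = 20
FLAG_R, FLAG_T = 0x80, 0x10             # Request and reTransmit flag bits


class DiameterHeader(NamedTuple):
    version: int
    length: int
    flags: int
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int

    @property
    def is_request(self) -> bool:
        return bool(self.flags & FLAG_R)

    @property
    def is_retransmit(self) -> bool:
        return bool(self.flags & FLAG_T)


def parse_header(data: bytes) -> DiameterHeader:
    """Decode the fixed Diameter header; reject truncated or inconsistent input."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    ver_len, flags_cmd, app_id, hbh, e2e = struct.unpack("!IIIII", data[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length")
    return DiameterHeader(version, length, flags_cmd >> 24,
                          flags_cmd & 0xFFFFFF, app_id, hbh, e2e)


def build_header(flags: int, command_code: int, application_id: int) -> bytes:
    """Build a header-only message for the demo (constructed sample)."""
    return struct.pack("!IIIII", (1 << 24) | HEADER_LEN,
                       (flags << 24) | command_code, application_id, 1, 1)


class Rule(NamedTuple):                 # hypothetical priority table row
    is_answer: Optional[bool]           # None means "does not matter"
    is_retransmit: Optional[bool]
    command_code: Optional[int]
    application_id: Optional[int]
    priority: str


def classify(hdr: DiameterHeader, rules) -> str:
    """Return the priority of the first matching rule, else 'normal'."""
    for r in rules:
        if r.is_answer is not None and r.is_answer == hdr.is_request:
            continue
        if r.is_retransmit is not None and r.is_retransmit != hdr.is_retransmit:
            continue
        if r.command_code is not None and r.command_code != hdr.command_code:
            continue
        if r.application_id is not None and r.application_id != hdr.application_id:
            continue
        return r.priority
    return "normal"


CREDIT_CONTROL, GX_APP, RX_APP = 272, 16777238, 16777236

# Constructed table: Credit-Control answers on Gx and any retransmission are high.
PRIORITY_TABLE = [
    Rule(True, None, CREDIT_CONTROL, GX_APP, "high"),
    Rule(None, True, None, None, "high"),
]

if __name__ == "__main__":
    for flags in (0x40, 0xC0, 0xD0):    # CCA, CCR, retransmitted CCR
        hdr = parse_header(build_header(flags, CREDIT_CONTROL, GX_APP))
        print(hex(flags), classify(hdr, PRIORITY_TABLE))
```

Because only the fixed header is read, this classification needs no AVP decoding, unlike prioritization on AVP content such as CC-Request-Type.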

9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0. Under normal conditions, all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing will be applied.

Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.

Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code

9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.

9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period, the server does not handle new Diameter sessions.

9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests, when it attempts to send requests to Remote Nodes and analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.

9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.

10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
[Figure 32 diagram. Labels recoverable from the extraction: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS WEB Access; Web Service SOAP XML; Blade/Server; OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 4.0 provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multisite deployments with the EMS, some configuration is performed globally.

10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.

10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real-time so that SMP can generate the required statistic reports.

10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.

10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.

10.5 Security Management
This includes access rights management, communication links protection and management operation logging.

10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need of a new license key or of the extension of the licensed traffic volume.

10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrade (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low-latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager Process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs OAM tasks
Figure 33 Scalable Deployment Physical View
Figure 34 Scalable Deployment Logical View
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture - Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture - Failure operation
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address – VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network and to avoid exposing information contained in AVP(s) like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
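As an added illustration (not SDC code), the following Python shows an ACCEPT/REJECT decision on a CER as described under Diameter connection security, and AVP removal and rewriting as described under Diameter message security. The rule format, the 8192-byte length cap, the HMAC pseudonym scheme and the `.hidden.example` suffix are assumptions; the sample CER and rules are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

MAX_MESSAGE_LEN = 8192   # assumed operator limit, not an SDC default
CMD_CER = 257            # Capabilities-Exchange command code (RFC 6733)
AUTH_APP_ID, ORIGIN_HOST, PRODUCT_NAME, ROUTE_RECORD, ORIGIN_REALM = 258, 264, 269, 282, 296

def encode_avp(code, data, flags=0x40):
    """Encode one non-vendor AVP (M bit set), padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def encode_message(cmd, app_id, avps, flags=0x80):
    """Build a constructed request for the samples below (fixed hop/end ids)."""
    body = b"".join(encode_avp(code, data) for code, data in avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)

def parse_message(buf, max_len=MAX_MESSAGE_LEN):
    """Return (header, [(code, data, raw)]); raise ValueError if malformed or too long."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length > max_len:
        raise ValueError("message exceeds maximum length")
    if length != len(buf) or length % 4:          # caller passes exactly one message
        raise ValueError("length field does not match buffer")
    header = {"flags": buf[4], "cmd": int.from_bytes(buf[5:8], "big")}
    avps, off = [], 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", buf[off:off + 5])
        alen = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if aflags & 0x80 else 8          # V bit adds a 4-byte Vendor-Id
        end = off + alen + (-alen % 4)            # AVPs are padded to 4 bytes
        if alen < hdr or end > length:
            raise ValueError("bad AVP length")
        if hdr == 12:                             # key vendor AVPs by (vendor, code)
            code = (struct.unpack("!I", buf[off + 8:off + 12])[0], code)
        avps.append((code, buf[off + hdr:off + alen], buf[off:end]))
        off = end
    return header, avps

def evaluate_cer(buf, src_ip, rules, default="REJECT"):
    """First matching rule wins. src_ip is the transport source address, not an AVP."""
    try:
        header, avps = parse_message(buf)
    except ValueError:
        return "REJECT"
    if header["cmd"] != CMD_CER or not header["flags"] & 0x80:
        return "REJECT"                           # only a CER request opens a connection
    text = {c: d.decode("utf-8", "replace") for c, d, _ in avps}
    peer = {"realm": text.get(ORIGIN_REALM, "").lower(), "product": text.get(PRODUCT_NAME, "")}
    apps = {int.from_bytes(d, "big") for c, d, _ in avps if c == AUTH_APP_ID}
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:                            # rule realms are written in lowercase
        if "subnet" in rule and addr not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "app_id" in rule and rule["app_id"] not in apps:
            continue
        if any(k in rule and rule[k] != peer[k] for k in ("realm", "product")):
            continue
        return rule["action"]
    return default

def screen(buf, key, drop=(ROUTE_RECORD,), pseudonymize=(ORIGIN_HOST,)):
    """Drop topology-revealing AVPs and replace identities with keyed pseudonyms."""
    _, avps = parse_message(buf)
    out = []
    for code, data, raw in avps:
        if code in drop:
            continue
        if code in pseudonymize:
            tag = hmac.new(key, data, hashlib.sha256).hexdigest()[:16]
            raw = encode_avp(code, (tag + ".hidden.example").encode())
        out.append(raw)
    body = b"".join(out)
    return buf[:1] + (20 + len(body)).to_bytes(3, "big") + buf[4:20] + body

# Constructed sample: a minimal CER from a hypothetical peer (S6a application 16777251).
SAMPLE_CER = encode_message(CMD_CER, 0, [
    (ORIGIN_HOST, b"mme1.visited.example"),
    (ORIGIN_REALM, b"visited.example"),
    (PRODUCT_NAME, b"ExampleMME"),
    (AUTH_APP_ID, (16777251).to_bytes(4, "big")),
])
# Constructed ACL: hypothetical rules over documentation address ranges.
SAMPLE_RULES = [
    {"subnet": "198.51.100.0/24", "action": "REJECT"},
    {"subnet": "192.0.2.0/24", "realm": "visited.example", "app_id": 16777251, "action": "ACCEPT"},
]
```

Origin-Host, Origin-Realm and Product-Name are asserted by the peer, so the subnet match is made on the transport source address. A gateway that pseudonymizes Origin-Host also has to keep the mapping so that answers can be routed back.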
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 41, February 28 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
 | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
 | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
 | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
 | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
 | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
 | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console; Web Services | Read-Only User | Read-Only Access
 | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
 | | | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
 | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
 | | | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console; SNMP; SSH | Read-Only User | Read-only access
 | | | Super-User (Administrator) | Full access
 | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
 | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
 | | | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
Labels in the figure: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
Global Rate Limiter
The Global Limiter is used to prevent all clients from flooding SDC with a large amount of traffic that might cause denial of service. The limiter estimates the total incoming traffic rate for all Peers (channels). The estimated traffic reading rate is then compared to the total allowed rate for all Peers. If the actual rate exceeds the allowed rate, the limiter stops reading from all Peers for a user-configurable amount of time. If the rate limiter fails to reduce the rate and the amount of traffic grows above the global limit, the overload protection mechanism described in Chapter 8.3 is activated.
9.2 Prioritization
The overload control mechanism is used in conjunction with the prioritization mechanism. SDC supports prioritization of traffic based on interface type, message type and content, e.g. ongoing session over new sessions or answers over requests (CCA over CCR), Gx over Rx, MAR/MAA over LIR/LAA.
When prioritization is applied, SDC performs fair scheduling that assures there is no starvation.
The prioritization settings are user configurable.
Prioritization using Diameter message header
An example of a priority table derived from the Diameter message header is shown below. The system assigns a priority level to each of the messages based on the combination of fields in the Diameter header – R and T bits, command code and application ID. If no priority is set, normal priority is used.
Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority
yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal

Diameter message header layout:
Bit offset | Bits 0-7 | Bits 8-31
0 | version | message length
32 | R P E T | command code
64 | application ID (bits 0-31)
96 | hop-by-hop ID (bits 0-31)
128 | end-to-end ID (bits 0-31)
160 | AVPs ...
When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-Type), it might have an impact of up to 5% on the latency.
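The header-based priority lookup described above, as an added example (not code from the product or from Traffix): it parses the fixed 20-byte Diameter header and matches it against a rule table in which `None` means "does not matter". The rule contents, the `Rule`/`classify` names and the sample headers are constructed for illustration; the command code and application IDs are the standard values for Credit-Control, Gx and Rx.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

HEADER_LEN = 20                      # fixed Diameter header, bit offsets 0-159
FLAG_R, FLAG_T = 0x80, 0x10          # R = request, T = potentially retransmitted
CC_CREDIT_CONTROL = 272              # CCR/CCA command code
APP_GX, APP_RX = 16777238, 16777236  # 3GPP Gx and Rx application IDs


@dataclass(frozen=True)
class Header:
    length: int
    flags: int
    command_code: int
    application_id: int

    @property
    def is_answer(self) -> bool:
        # On the wire the R bit marks a request, so an answer has R clear.
        return not (self.flags & FLAG_R)

    @property
    def is_retransmit(self) -> bool:
        return bool(self.flags & FLAG_T)


@dataclass(frozen=True)
class Rule:
    priority: str
    is_answer: Optional[bool] = None       # None = "does not matter"
    is_retransmit: Optional[bool] = None
    command_code: Optional[int] = None
    application_id: Optional[int] = None

    def matches(self, h: Header) -> bool:
        wanted = (self.is_answer, self.is_retransmit,
                  self.command_code, self.application_id)
        actual = (h.is_answer, h.is_retransmit,
                  h.command_code, h.application_id)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def parse_header(data: bytes) -> Header:
    """Decode the fixed header only; AVPs are not touched."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, _hbh, _e2e = struct.unpack("!IIIII", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4:
        raise ValueError("invalid message length %d" % length)
    return Header(length, word1 >> 24, word1 & 0xFFFFFF, app_id)


def classify(data: bytes, rules: Iterable[Rule], default: str = "normal") -> str:
    """First matching rule wins; unmatched messages get normal priority."""
    header = parse_header(data)
    for rule in rules:
        if rule.matches(header):
            return rule.priority
    return default


def build_header(flags: int, command_code: int, application_id: int) -> bytes:
    """Constructed sample input: a header-only message with fixed IDs."""
    return struct.pack("!IIIII", (1 << 24) | HEADER_LEN,
                       (flags << 24) | command_code, application_id,
                       0x1111, 0x2222)


# Constructed rule table (illustrative, not a product default).
SAMPLE_RULES = [
    Rule("high", is_answer=True, command_code=CC_CREDIT_CONTROL),  # CCA over CCR
    Rule("high", is_retransmit=True),                              # T bit set
]
```

Because only the first 20 bytes are read, this classification can run before any AVP decoding, which is why header-based rules avoid the latency cost noted for AVP-based prioritization.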
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0. Under normal conditions all messages are processed. When overload conditions are detected, incoming messages are either gracefully rejected or discarded. The decision is user configurable. After the overload condition has ceased, it is possible to assign higher priority to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user configurable busy Result-Code (e.g. DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local resources are exhausted, incoming messages are selectively rejected until resources are available. Local resources mainly include memory consumption and incoming message queue size, as well as system wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side. The response is sent for each message until the condition changes. For example, a full answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the following snapshot.
Figure 31: "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload conditions or other abnormal behavior of the remote Diameter peers and act accordingly. Two health monitoring mechanisms are available: In Session Monitoring and External Health Monitoring. When overload or abnormal behavior is detected, proper alarms are sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected according to the defined policy. The alarms triggered by the system contain sufficient information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and detects overload conditions for remote peers. It is based on instantly monitoring error events in Diameter traffic from a Diameter Peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user configurable threshold, the Diameter peer server is considered "out of service" for a certain time interval. The time interval duration is user configurable. During the "out of service" period the server does not handle new Diameter sessions.
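The threshold behaviour described for In Session Monitoring, as an added example (not the product's implementation): error events per peer are counted in a sliding window, and a peer that exceeds the threshold is held "out of service" for a fixed interval, during which new sessions go to an alternative peer or are rejected. The class and parameter names, the treatment of slow answers as error events, and the sample peers are assumptions made for illustration.

```python
from collections import deque
from typing import Deque, Iterable, List, Optional, Tuple

DIAMETER_TOO_BUSY = 3004   # Result-Code of a busy answer


class PeerMonitor:
    """Sliding-window error counter for one remote Diameter peer."""

    def __init__(self, name: str, max_errors: int, window_s: float,
                 out_of_service_s: float, slow_after_s: float):
        self.name = name
        self.max_errors = max_errors              # threshold within the window
        self.window_s = window_s                  # window length in seconds
        self.out_of_service_s = out_of_service_s  # hold-down interval
        self.slow_after_s = slow_after_s          # response-time limit
        self._errors: Deque[float] = deque()
        self._out_until = float("-inf")
        self.alarms: List[Tuple[float, str, str, int]] = []

    def _error_event(self, now: float, kind: str) -> None:
        self._errors.append(now)
        # Forget events that have slid out of the window.
        while self._errors and self._errors[0] <= now - self.window_s:
            self._errors.popleft()
        if len(self._errors) > self.max_errors and self.in_service(now):
            self._out_until = now + self.out_of_service_s
            # The alarm records what tripped the threshold, for the OSS.
            self.alarms.append((now, self.name, kind, len(self._errors)))
            self._errors.clear()

    def on_timeout(self, now: float) -> None:
        self._error_event(now, "timeout")

    def on_answer(self, now: float, result_code: int,
                  response_time_s: float) -> None:
        if result_code == DIAMETER_TOO_BUSY:
            self._error_event(now, "busy")
        elif result_code >= 3000:                 # protocol/transient/permanent errors
            self._error_event(now, "error %d" % result_code)
        elif response_time_s > self.slow_after_s:
            self._error_event(now, "slow")

    def in_service(self, now: float) -> bool:
        return now >= self._out_until


def pick_peer_for_new_session(peers: Iterable[PeerMonitor],
                              now: float) -> Optional[str]:
    """First in-service peer in preference order, or None (reject)."""
    for peer in peers:
        if peer.in_service(now):
            return peer.name
    return None
```

Time is passed in explicitly so the behaviour can be replayed against recorded traffic; a live deployment would feed it a monotonic clock.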
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that can perform a wide range of tests, from simple tests such as pinging each connected peer to more sophisticated tests such as assuring that the connected peers are able to serve specific requests. It is possible to have multiple monitors perform any test that is required in order to assure service availability. These health monitoring tests are performed in addition to the other SDC tests, when it attempts to send requests to Remote Nodes and analyzes responses received from them.
External Monitoring is based on active script-based custom health monitors that can be used to augment the statistical information collected by In Session monitoring, e.g. by probing external counters such as CPU and Server Utilization using protocols such as SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with a threshold mechanism where the user can use statistics collected by scripts and set the same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side, while for Diameter servers the system sends a DWR if no traffic is received during a predefined time interval. The time interval is user configurable. If, after sending a DWR, SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform is comprised of the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture
Labels in Figure 32: Management Console; Configuration Manager; SDC Core; Web Service Provisioning Interface (SOAP); HTTPS Web Access; Web Service SOAP/XML; Blade Server OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI.
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments the configuration management is performed locally. In multisite deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real-time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence the OAM can notify the operator about the need for a new license key or for the extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It also supports dynamic configuration of parameters related to the platform's components and services. Graceful Software and Hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager Process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs OAM tasks
Figure 33: Scalable Deployment Physical View
Labels in Figure 33: "Scalable Mode" SDC Node (12 blades); SDC Blade 1 with VIP (Active); SDC Blades 2 to 12 with VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage; Clients Backbone (Client 1 to Client K); Servers Backbone (Server 1 to Server M); External Network; Interconnect; Management Network.
Figure 34: Scalable Deployment Logical View
Labels in Figure 34: HA Cluster; Config Mgr; Shared Memory; SDC Engine (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server.
Figure 35: Main Software Processes
Labels in Figure 35: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent.
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36: Hot-Standby HA architecture
Labels in Figure 36: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI/WS, Diameter VIP and Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication.
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37: Scalable N+K HA architecture – Normal operation
Labels in Figure 37: three nodes, each with SDC, Diameter VIP, Management VIP and Physical IP; Web UI/WS; Configuration Manager; Client 1; Management Workstation; Session Replication; flow steps 1, 2 and 3.
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture – Failure operation
Labels in Figure 38: three nodes, each with SDC, Diameter VIP, Management VIP and Physical IP; Web UI/WS; Configuration Manager; Client 1; Management Workstation; Session Replication; flow steps 1, 2 and 3.
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address – VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer to peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components; "scalable deployment" is assumed.
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis of failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris: IPMP ICMP Probe IP Address monitoring; Linux: Bonding ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Failure Type | Failure Detection Method | Automatic Remedy Action
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy Active-Standby deployment mode
Figure 41: Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IP) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
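A CER-based access policy of the kind described above, as an added example (not SDC's ACL engine or its configuration syntax): the code decodes the AVPs of a Capabilities-Exchange-Request and evaluates first-match ACCEPT/REJECT rules with a default of REJECT. The `Rule` fields, the rule contents and the sample CERs are constructed; the source address is assumed to come from the transport connection rather than from the peer-supplied Host-IP-Address AVP.

```python
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Optional

CER_CODE = 257
AVP_AUTH_APPLICATION_ID, AVP_ORIGIN_HOST = 258, 264
AVP_PRODUCT_NAME, AVP_ORIGIN_REALM = 269, 296


def avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Encode one base-protocol AVP, padded to a 4-byte boundary."""
    length = 8 + len(data)                      # length excludes the padding
    return (struct.pack("!II", code, (flags << 24) | length)
            + data + b"\x00" * (-length % 4))


def build_cer(host: str, realm: str, product: str, app_ids: List[int]) -> bytes:
    """Constructed sample input: a minimal CER carrying the AVPs the ACL reads."""
    body = (avp(AVP_ORIGIN_HOST, host.encode()) + avp(AVP_ORIGIN_REALM, realm.encode())
            + avp(AVP_PRODUCT_NAME, product.encode(), flags=0)
            + b"".join(avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", a)) for a in app_ids))
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                       (0x80 << 24) | CER_CODE, 0, 1, 1) + body


def parse_cer(msg: bytes) -> Dict[int, List[bytes]]:
    """Return {AVP code: [payloads]}; raise ValueError on anything malformed."""
    if len(msg) < 20:
        raise ValueError("truncated header")
    word0, word1 = struct.unpack("!II", msg[:8])
    length = word0 & 0xFFFFFF
    if word0 >> 24 != 1 or length != len(msg) or length % 4:
        raise ValueError("bad version or message length")
    if word1 & 0xFFFFFF != CER_CODE or not (word1 >> 24) & 0x80:
        raise ValueError("not a CER")
    avps: Dict[int, List[bytes]] = {}
    off = 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack("!II", msg[off:off + 8])
        flags, avp_len = flags_len >> 24, flags_len & 0xFFFFFF
        header = 12 if flags & 0x80 else 8      # V flag adds a Vendor-Id field
        if avp_len < header or off + avp_len > length:
            raise ValueError("bad AVP length")
        if header == 8:                         # the ACL uses base AVPs only
            avps.setdefault(code, []).append(msg[off + 8:off + avp_len])
        off += (avp_len + 3) & ~3               # skip the padding
    return avps


class Rule(NamedTuple):
    action: str                                 # "ACCEPT" or "REJECT"
    subnet: Optional[str] = None                # None = any
    realm: Optional[str] = None
    app_id: Optional[int] = None
    product: Optional[str] = None


def evaluate(rules: List[Rule], source_ip: str, cer: bytes) -> str:
    """First matching rule wins; malformed CERs and unmatched peers are rejected."""
    try:
        addr = ipaddress.ip_address(source_ip)
        avps = parse_cer(cer)
        realm = avps[AVP_ORIGIN_REALM][0].decode("ascii").lower()
        product = avps[AVP_PRODUCT_NAME][0].decode("utf-8")
        app_ids = {struct.unpack("!I", d)[0]
                   for d in avps.get(AVP_AUTH_APPLICATION_ID, [])}
    except (ValueError, KeyError, struct.error):
        return "REJECT"
    for rule in rules:
        if rule.subnet is not None and addr not in ipaddress.ip_network(rule.subnet):
            continue
        if rule.realm is not None and realm != rule.realm.lower():
            continue
        if rule.app_id is not None and rule.app_id not in app_ids:
            continue
        if rule.product is not None and product != rule.product:
            continue
        return rule.action
    return "REJECT"


# Constructed policy: block one product name, admit Gx peers from one subnet and realm.
SAMPLE_RULES = [
    Rule("REJECT", product="LabTool"),
    Rule("ACCEPT", subnet="10.20.0.0/16", realm="epc.example.net", app_id=16777238),
]
```

Everything in a CER except the transport source address is asserted by the peer itself, so realm, application and product checks narrow who is admitted but do not authenticate the peer; that is the role of the IPSEC, TLS and DTLS transport security.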
SDC ensures idle connection termination after a user configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length and provides for Diameter message screening. The SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s) like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. The diagram shows a blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port) joined by an interswitch link with in-band connections to upstream routers, L2/3 1GB Copper Switches A and B, the EXT/INT SCTP and TCP networks, MGMT-A and MGMT-B, and virtual IPs for SCTP and TCP (all VIPs are doubled per internal and external networks).]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS: Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM: Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS: Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM: Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM (Management and Backup Network Connection): One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM (Chassis Hardware and Switch ("Lights-Out") Management and Monitoring): Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission- and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis/Hardware Management | Role- and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Figure 58 labels. Shared resources: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory. Incoming stages: Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB. Outgoing stages: Network, Encryption, Out Flow Control, Encoder, Peer FSM, Out Transformation, Remove Pending Session, P2P Message. Also shown: Decision Table, Groovy Scripting. Legend: Message Flow, Decision Flow.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high-capacity, high-performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
| Is Answer (R bit) | Is Retransmit (T bit) | Command code | Application ID | Priority |
|---|---|---|---|---|
| yes/no/does not matter | yes/no/does not matter | 24 bit integer/does not matter | 32 bit integer/does not matter | High/Normal |

Diameter header layout (bit offsets):

| Bit offset | Bits 0-7 | Bits 8-31 |
|---|---|---|
| 0 | version | message length |
| 32 | R P E T (flags) | command code |
| 64 | application ID (all 32 bits) | |
| 96 | hop-by-hop ID (all 32 bits) | |
| 128 | end-to-end ID (all 32 bits) | |
| 160 | AVPs ... | |

When performing prioritization using attributes available in the AVP(s) (e.g. CC-Request-
Type), it might have an impact of up to 5% on the latency.
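The header-only prioritization described above can be sketched as follows. This is an added example, not SDC code: `parse_header`, `PriorityRule`, `classify`, the first-match-wins rule order and the `max_length` parameter are assumptions made for illustration, and the sample headers are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

HEADER_LEN = 20  # five 32-bit words precede the AVPs
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10


@dataclass(frozen=True)
class DiameterHeader:
    version: int
    length: int
    is_request: bool     # R bit set = request, clear = answer
    is_proxiable: bool   # P bit
    is_error: bool       # E bit
    is_retransmit: bool  # T bit
    command_code: int
    application_id: int
    hop_by_hop_id: int
    end_to_end_id: int


def parse_header(data: bytes, max_length: int = 0xFFFFFF) -> DiameterHeader:
    """Decode the fixed 20-byte header and enforce a maximal message length."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hbh, e2e = struct.unpack("!5I", data[:HEADER_LEN])
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length % 4 or length > max_length:
        raise ValueError("invalid message length %d" % length)
    return DiameterHeader(version, length, bool(flags & FLAG_R),
                          bool(flags & FLAG_P), bool(flags & FLAG_E),
                          bool(flags & FLAG_T), code, app_id, hbh, e2e)


@dataclass(frozen=True)
class PriorityRule:
    """One row of the rule table; None means 'does not matter'."""
    priority: str                         # "High" or "Normal"
    is_answer: Optional[bool] = None
    is_retransmit: Optional[bool] = None
    command_code: Optional[int] = None    # 24-bit integer
    application_id: Optional[int] = None  # 32-bit integer

    def matches(self, h: DiameterHeader) -> bool:
        pairs = (
            (self.is_answer, not h.is_request),
            (self.is_retransmit, h.is_retransmit),
            (self.command_code, h.command_code),
            (self.application_id, h.application_id),
        )
        return all(want is None or want == got for want, got in pairs)


def classify(h: DiameterHeader, rules: Iterable[PriorityRule],
             default: str = "Normal") -> str:
    """Return the priority of the first matching rule (assumed ordering)."""
    for rule in rules:
        if rule.matches(h):
            return rule.priority
    return default


def build_header(code: int, app_id: int, flags: int, length: int = HEADER_LEN,
                 version: int = 1, hbh: int = 1, e2e: int = 1) -> bytes:
    """Construct a sample header (test data only, no AVPs)."""
    return struct.pack("!5I", (version << 24) | length,
                       (flags << 24) | code, app_id, hbh, e2e)


# Constructed rule set: retransmissions first, then Credit-Control answers
# (command code 272, application ID 4).
SAMPLE_RULES = [
    PriorityRule("High", is_retransmit=True),
    PriorityRule("High", is_answer=True, command_code=272, application_id=4),
]

if __name__ == "__main__":
    retransmitted_ccr = build_header(272, 4, FLAG_R | FLAG_P | FLAG_T)
    print(classify(parse_header(retransmitted_ccr), SAMPLE_RULES))
```

Because every field used here sits in the first 20 bytes, this decision needs no AVP decoding, which is why AVP-based prioritization carries the extra latency noted above.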
9.3 Overload Control Mechanism
The overload conditions are determined using multiple resource monitors described in 0.
Under normal conditions, all messages are processed. When overload conditions are
detected, incoming messages are either gracefully rejected or discarded. The decision is
user configurable. After the overload condition has ceased, it is possible to assign higher priority
to messages with the T (retransmit) bit set.
If message rejection is applied, SDC replies with a user-configurable busy Result-Code (e.g.
DIAMETER_TOO_BUSY), while in case of discard the message is dropped immediately
and no processing is applied.
Resources Monitoring
The solution monitors local resources to protect itself from overload conditions. When local
resources are exhausted, incoming messages are selectively rejected until resources are
available. Local resources mainly include memory consumption and incoming message
queue size, as well as system-wide resources like CPU and networking.
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the "DIAMETER_TOO_BUSY" Result-Code can be seen in the
following snapshot.
Figure 31 "DIAMETER_TOO_BUSY" Result-Code
9.4 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
9.5 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered "out of service" for a certain time interval. The time interval duration
is user configurable. During the "out of service" period, the server does not handle new
Diameter sessions.
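The threshold behaviour described above can be modelled as a sliding window of error events per peer. This is an added example, not SDC code: the class and function names, the sliding-window interpretation of "rate", and the slow-response limit are assumptions, and the event data is constructed.

```python
from collections import deque
from typing import Deque, Iterable, Optional

TIMEOUT = None  # constructed marker: no answer arrived for the request


class PeerHealthMonitor:
    """Counts error events per peer and takes the peer out of service."""

    def __init__(self, name: str, max_errors: int, window_s: float,
                 out_of_service_s: float, slow_response_s: float):
        self.name = name
        self.max_errors = max_errors              # threshold (assumed: per window)
        self.window_s = window_s                  # sliding window length
        self.out_of_service_s = out_of_service_s  # hold-down interval
        self.slow_response_s = slow_response_s    # response-time limit
        self._errors: Deque[float] = deque()
        self._out_until: Optional[float] = None

    @staticmethod
    def _is_success(result_code: Optional[int]) -> bool:
        # Diameter Result-Codes 2xxx are the success class.
        return result_code is not None and 2000 <= result_code <= 2999

    def record(self, now: float, result_code: Optional[int],
               response_time_s: float = 0.0) -> bool:
        """Feed one observed answer (or TIMEOUT); True if it counted as an error."""
        is_error = (not self._is_success(result_code)
                    or response_time_s > self.slow_response_s)
        if not is_error:
            return False
        self._errors.append(now)
        # Forget errors that have fallen out of the window.
        while self._errors and self._errors[0] <= now - self.window_s:
            self._errors.popleft()
        if len(self._errors) > self.max_errors:
            self._out_until = now + self.out_of_service_s
            self._errors.clear()
        return True

    def in_service(self, now: float) -> bool:
        return self._out_until is None or now >= self._out_until


def pick_peer_for_new_session(pool: Iterable[PeerHealthMonitor],
                              now: float) -> Optional[str]:
    """First in-service peer, or None when the session must be rejected."""
    for peer in pool:
        if peer.in_service(now):
            return peer.name
    return None


def replay(peer: PeerHealthMonitor, events) -> int:
    """Apply (time, result_code, response_time) tuples; return the error count."""
    return sum(peer.record(t, rc, rt) for t, rc, rt in events)


# Constructed events: timeout, busy answer (3004), success, error 5012,
# and a successful but slow answer.
SAMPLE_EVENTS = [
    (0.0, TIMEOUT, 0.0),
    (1.0, 3004, 0.1),
    (2.0, 2001, 0.1),
    (3.0, 5012, 0.1),
    (4.0, 2001, 2.5),
]

if __name__ == "__main__":
    primary = PeerHealthMonitor("peer-a", 3, 10.0, 30.0, 2.0)
    backup = PeerHealthMonitor("peer-b", 3, 10.0, 30.0, 2.0)
    replay(primary, SAMPLE_EVENTS)
    print(pick_peer_for_new_session([primary, backup], 5.0))
```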
9.6 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests, when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session Monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. External Monitoring is integrated with
a threshold mechanism where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session Monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers, the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-
establish the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32: SDC OAM Function architecture. The diagram shows the Management Console (HTTPS Web access), the Web Service Provisioning Interface (SOAP/XML), the Configuration Manager, the SDC Core on each SDC node, SNMP/Syslog towards the Fault and Performance Manager, the blade server AMM, and the Security and Administration Manager CLI.]
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistics collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Figure 33: Scalable Deployment Physical View. "Scalable Mode" SDC node of 12 blades between the clients backbone (Client 1 to Client K) and the servers backbone (Server 1 to Server M), with external network interconnect and management network. Blade 1 holds the active VIP and the other blades hold standby VIPs; the blades run the SDC Engine, with Web Interface, Config Mgr and Distributed Storage on two of them.]
[Figure 34: Scalable Deployment Logical View. HA cluster with Config Mgr, Web UI, SOAP, shared memory, four SDC Engines, FEP-I (IPSEC), FEP-I (TCP), FEP-O (SCTP) and FEP-O (TCP), connected to clients and servers.]
[Figure 35: Main Software Processes. SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent.]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure 36: Hot-Standby HA architecture. Node 1 and Node 2 each run SDC Core, Web UI/WS and Configuration Manager, with session replication between them; the Diameter VIP serves the client peer and server peer, and the Management VIP serves the management workstation.]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Figure 37: Scalable N+K HA architecture, Normal operation. Three nodes running SDC, each with a physical IP, the Diameter VIP and the Management VIP; Web UI/WS and Configuration Manager on two nodes; session replication between nodes; a client and a management workstation. Numbered arrows 1 to 3 correspond to the steps of the request processing flow.]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one
time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure 38: Scalable N+K HA architecture, Failure operation. Same layout as Figure 37: three nodes running SDC, each with a physical IP, the Diameter VIP and the Management VIP; Web UI/WS and Configuration Manager on two nodes; session replication; a client and a management workstation; numbered arrows 1 to 3.]
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring (Network Switch Redundancy) | Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
113 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 102) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active
or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
114 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
115 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
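
The CER-based ACCEPT/REJECT decision described in section 115 can be sketched as follows. This is an added example, not SDC code or its rule syntax: the rule keys, the first-match-wins order, the 4096-byte cap and the Host-IP-Address check are assumptions, and only top-level (non-grouped) AVPs are inspected.

```python
import ipaddress
import struct

CER = 257                                   # Capabilities-Exchange command code
ORIGIN_HOST, ORIGIN_REALM = 264, 296        # base-protocol AVP codes
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, PRODUCT_NAME = 257, 258, 269
MAX_MESSAGE_LEN = 4096                      # assumed cap, not a value from the page


def avp(code, data, flags=0x40):
    """Encode one non-vendor AVP, zero-padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(host, realm, ip, app_ids, product):
    """Construct a sample CER; used here only to produce test input."""
    body = avp(ORIGIN_HOST, host.encode()) + avp(ORIGIN_REALM, realm.encode())
    body += avp(HOST_IP_ADDRESS, b"\x00\x01" + ipaddress.IPv4Address(ip).packed)
    body += avp(PRODUCT_NAME, product.encode(), flags=0)
    for app_id in app_ids:
        body += avp(AUTH_APPLICATION_ID, struct.pack("!I", app_id))
    total = 20 + len(body)
    return (b"\x01" + total.to_bytes(3, "big") + b"\x80" + CER.to_bytes(3, "big")
            + struct.pack("!III", 0, 1, 1) + body)


def parse_cer(msg):
    """Return the ACL-relevant AVPs of a CER; raise ValueError if malformed."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(msg[1:4], "big")
    if total != len(msg) or total % 4 or total > MAX_MESSAGE_LEN:
        raise ValueError("bad message length")
    if not msg[4] & 0x80 or int.from_bytes(msg[5:8], "big") != CER:
        raise ValueError("not a Capabilities-Exchange-Request")
    fields = {"host": None, "realm": None, "product": None,
              "ips": set(), "app_ids": set()}
    off = 20
    while off < total:
        if total - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        header = 12 if flags & 0x80 else 8          # V flag adds a Vendor-Id
        if length < header or off + length > total:
            raise ValueError("bad AVP length")
        data = msg[off + header:off + length]
        off += length + (-length % 4)               # skip padding
        if flags & 0x80:
            continue                                # vendor AVPs are not matched here
        if code == ORIGIN_HOST:
            fields["host"] = data.decode("utf-8", "replace")
        elif code == ORIGIN_REALM:
            fields["realm"] = data.decode("utf-8", "replace")
        elif code == PRODUCT_NAME:
            fields["product"] = data.decode("utf-8", "replace")
        elif code == HOST_IP_ADDRESS:               # 2-byte family, then address
            fields["ips"].add(ipaddress.ip_address(data[2:]))
        elif code == AUTH_APPLICATION_ID:
            if len(data) != 4:
                raise ValueError("bad Auth-Application-Id")
            fields["app_ids"].add(struct.unpack("!I", data)[0])
    return fields


def admit(msg, source_ip, rules, default="REJECT"):
    """Decide ACCEPT or REJECT for a CER arriving from source_ip."""
    try:
        fields = parse_cer(msg)
    except ValueError:
        return "REJECT"                             # malformed CER never reaches the rules
    src = ipaddress.ip_address(source_ip)
    if src not in fields["ips"]:
        return "REJECT"     # assumed custom policy: advertised address must match transport
    for rule in rules:                              # first matching rule wins (assumption)
        if "subnet" in rule and src not in ipaddress.ip_network(rule["subnet"]):
            continue
        if any(k in rule and fields[k] != rule[k] for k in ("host", "realm", "product")):
            continue
        if "app_id" in rule and rule["app_id"] not in fields["app_ids"]:
            continue
        return rule["action"]
    return default


# Constructed sample policy and message (hypothetical names, not from the product).
RULES = [
    {"action": "REJECT", "product": "lab-load-generator"},
    {"action": "ACCEPT", "subnet": "10.1.1.0/24", "realm": "epc.example.net",
     "app_id": 16777251},                           # 16777251 = 3GPP S6a
]
SAMPLE_CER = build_cer("mme1.epc.example.net", "epc.example.net", "10.1.1.5",
                       [16777251], "constructed-mme")
```

The Host-IP-Address check is too strict behind NAT or with SCTP multi-homing, where the advertised address list and the observed source can legitimately differ.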
116 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
117 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 41, February 28, 2011
118 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
121 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load-balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. The diagram shows a blade chassis with SDC worker nodes, two Virtual Fabric Switches (external ports 10 x 10GbE + 1 x 1GB port) joined by an interswitch link, two L2/3 1GB copper switches (A and B), the EXT/INT SCTP and TCP networks, MGMT-A and MGMT-B, in-band connections to upstream routers, and virtual IPs for SCTP and TCP doubled per internal and external network.]
122 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
123 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
131 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
[Figure 58 diagram labels. Shared resources: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, Groovy Scripting. Inbound stages: ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB. Outbound stages: Out Transformation, Remove Pending Session, Peer FSM, Encoder, Out Flow Control, Encryption, Network. Legend: P2P Message, Decision Table, Message Flow, Decision Flow.]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit wwwtraffixsystemscom
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
Rejection
When a message is marked for rejection, SDC sends a busy response to the requesting side.
The response is sent for each message until the condition changes. For example, a full
answer that includes the “DIAMETER_TOO_BUSY” Result-Code can be seen in the
following snapshot.
Figure 31 “DIAMETER_TOO_BUSY” Result-Code
94 Health Monitoring
SDC provides built-in health monitoring mechanisms that are used to identify overload
conditions or other abnormal behavior of the remote Diameter peers and act accordingly.
Two health monitoring mechanisms are available: In Session Monitoring and External
Health Monitoring. When overload or abnormal behavior is detected, proper alarms are
sent to the OSS, and traffic is routed to an alternative Diameter peer or is gracefully rejected
according to the defined policy. The alarms triggered by the system contain sufficient
information to describe the type of overload.
95 In Session Monitoring
In Session Monitoring is based on a mechanism that performs health monitoring and
detects overload conditions for remote peers. It is based on instantly monitoring error
events in Diameter traffic from a Diameter peer, such as:
• Timeouts
• Response time per peer
• Busy answers
• Other Diameter error codes
If the rate of the error events exceeds the user-configurable threshold, the Diameter peer
server is considered “out of service” for a certain time interval. The time interval duration
is user configurable. During the “out of service” period, the server does not handle new
Diameter sessions.
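
The threshold and “out of service” behaviour of In Session Monitoring can be sketched as a sliding-window error counter with a hold-down timer. This is an added example, not SDC code: the class and parameter names are hypothetical, and counting only 3xxx/4xxx Result-Codes as peer errors is an assumption.

```python
from collections import deque

DIAMETER_TOO_BUSY = 3004        # Result-Code carried in a busy answer


class PeerHealth:
    """Tracks error events for one remote peer (hypothetical helper)."""

    def __init__(self, max_errors, window_s, hold_down_s, slow_s):
        self.max_errors = max_errors      # threshold: errors tolerated per window
        self.window_s = window_s          # sliding window length in seconds
        self.hold_down_s = hold_down_s    # "out of service" interval in seconds
        self.slow_s = slow_s              # response time counted as an error event
        self.errors = deque()             # timestamps of recent error events
        self.out_until = 0.0
        self.reasons = {}                 # per-type counters, useful for the alarm text

    def classify(self, result_code, latency_s):
        """Map one transaction outcome to an error type, or None if healthy."""
        if result_code is None:
            return "timeout"
        if result_code == DIAMETER_TOO_BUSY:
            return "busy"
        # Assumption: 5xxx permanent failures usually reflect the request
        # (for example an unknown user), not the health of the peer.
        if 3000 <= result_code < 5000:
            return "error-code"
        if latency_s > self.slow_s:
            return "slow"
        return None

    def record(self, now, result_code, latency_s=0.0):
        """Record one outcome; return True if the peer is still in service."""
        reason = self.classify(result_code, latency_s)
        if reason is not None:
            self.reasons[reason] = self.reasons.get(reason, 0) + 1
            self.errors.append(now)
            while self.errors and self.errors[0] <= now - self.window_s:
                self.errors.popleft()     # forget events older than the window
            if len(self.errors) > self.max_errors:
                self.out_until = now + self.hold_down_s
                self.errors.clear()       # start clean after the hold-down
        return self.in_service(now)

    def in_service(self, now):
        return now >= self.out_until


def pick_peer(peers, now):
    """Name of the first in-service peer for a new session, else None.

    None means no alternative peer exists and the request should be
    rejected gracefully according to policy.
    """
    for name, health in peers.items():
        if health.in_service(now):
            return name
    return None
```

Timestamps are passed in rather than read from a clock, so the same logic can be replayed over recorded traffic when tuning the threshold and interval.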
96 External Monitoring
SDC provides the ability to add custom and proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other SDC tests when it attempts to send requests to Remote Nodes and
analyze responses received from them.
External Monitoring is based on active script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or using synthetic transactions. The External Monitoring is integrated with
a threshold mechanism, where the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
97 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses Diameter DWR/DWA
mechanisms to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers, the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to re-establish
the Diameter connection by sending a CER to the disconnected peer.
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
[Figure 32: SDC OAM Function architecture. The diagram shows the Management Console (HTTPS web access), the Provisioning Interface (Web Service, SOAP/XML), the Configuration Manager, the SDC Core on each SDC node, SNMP/Syslog, the Fault and Performance Manager, the AMM, and the Security and Administration Manager CLI.]
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS) introduced in release 40 provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multisite deployments
with the EMS, some configuration is performed globally.
101 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
102 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
103 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
104 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
105 Security Management
This includes access rights management, communication links protection and management
operation logging.
106 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need of a new license key or of the extension of the licensed traffic
volume.
107 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It
also supports dynamic configuration of parameters related to the platform’s components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
108 SOAP API
SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
109 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
1010 Cluster management
The Cluster management process is constantly monitoring platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
1011 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
1012 Backup & Restore
The OAM provides support for backup and restore of the configuration backup. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resource management in the solution
- The SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- The Config Manager process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a Web interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Figure 33 diagram labels: "Scalable Mode" SDC Node (12 blades); SDC Blade 1, 2, 3 ... 12; VIP (Active), VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage; Clients Backbone (Client 1 ... Client K); Servers Backbone (Server 1 ... Server M); External Network; Interconnect; Management Network]
Figure 33 Scalable Deployment Physical View
[Figure 34 diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine; FEP-I (TCP); FEP-I (IPSEC); FEP-O (TCP); FEP-O (SCTP); Web UI; SOAP; Client; Server]
Figure 34 Scalable Deployment Logical View
[Figure 35 diagram labels: SDC Blade X running VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter clients connect to a Virtual IP address of the cluster, which resides on the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure 36 diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Session Replication; Client Peer; Server Peer; Management Workstation]
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Figure 37 diagram labels: SDC nodes, each with SDC, Diameter VIP, Management VIP and Physical IP; Web UI WS; Configuration Manager; Session Replication; Client1; Management Workstation; flow steps 1, 2, 3]
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
[Figure 38 diagram labels: SDC nodes, each with SDC, Diameter VIP, Management VIP and Physical IP; Web UI WS; Configuration Manager; Session Replication; Client1; Management Workstation; flow steps 1, 2, 3]
Figure 38 Scalable N+K HA architecture Failure operation
To ease network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis of failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware - RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 * (5000 + 500) =~ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in AVP(s) such as Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
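The CER-based access control of section 11.5 and the maximum-length enforcement of section 11.6 can be illustrated with a small RFC 6733 parser. This is an added example, not SDC code or its policy syntax; the policy keys, the 4096-byte limit, the host and realm names and the sample CER are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# AVP and command codes from RFC 6733 (Diameter base protocol).
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, ORIGIN_HOST = 257, 258, 264
PRODUCT_NAME, ORIGIN_REALM, CER_COMMAND = 269, 296, 257


def pad4(n):
    """Round n up to the 32-bit boundary used for AVP padding."""
    return (n + 3) & ~3


def parse_message(raw, max_len):
    """Check the header, enforce max_len, return (is_request, command, avps)."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message exceeds configured maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("header length does not match received bytes")
    command, avps, off = int.from_bytes(raw[5:8], "big"), {}, 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        avp_len = int.from_bytes(raw[off + 5:off + 8], "big")
        header = 12 if flags & 0x80 else 8      # V bit adds a 4-byte Vendor-Id
        if avp_len < header or off + pad4(avp_len) > length:
            raise ValueError("AVP length out of bounds")
        # Key vendor AVPs by (vendor, code) so they cannot shadow base AVPs.
        key = (int.from_bytes(raw[off + 8:off + 12], "big"), code) if header == 12 else code
        avps.setdefault(key, []).append(raw[off + header:off + avp_len])
        off += pad4(avp_len)
    return bool(raw[4] & 0x80), command, avps


def cer_acl_decision(raw, source_ip, policy):
    """Return ("ACCEPT" or "REJECT", reason) for the first message on a connection."""
    try:
        is_request, command, avps = parse_message(raw, policy["max_len"])
    except ValueError as exc:
        return "REJECT", str(exc)
    if command != CER_COMMAND or not is_request:
        return "REJECT", "first message is not a CER"
    allowed = policy["subnets"]
    if not any(ipaddress.ip_address(source_ip) in net for net in allowed):
        return "REJECT", "transport source outside allowed subnets"
    # Host-IP-Address: 2-byte address family followed by the packed address.
    for data in avps.get(HOST_IP_ADDRESS, []):
        try:
            advertised = ipaddress.ip_address(data[2:])
        except ValueError:
            return "REJECT", "malformed Host-IP-Address"
        if not any(advertised in net for net in allowed):
            return "REJECT", "advertised Host-IP-Address outside allowed subnets"
    realm = avps.get(ORIGIN_REALM, [b""])[0].decode("ascii", "replace").lower()
    host = avps.get(ORIGIN_HOST, [b""])[0].decode("ascii", "replace").lower()
    if realm not in policy["realms"] or not host.endswith(policy["host_suffixes"]):
        return "REJECT", "Origin-Host/Origin-Realm not permitted"
    apps = {int.from_bytes(d, "big") for d in avps.get(AUTH_APPLICATION_ID, [])}
    if not apps & policy["app_ids"]:
        return "REJECT", "no permitted application-id advertised"
    return "ACCEPT", "peer matches policy"


def encode_avp(code, data):
    """Encode a base AVP with the M bit set (used only to build the samples)."""
    length = 8 + len(data)
    head = struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
    return head + data + b"\x00" * (pad4(length) - length)


def build_sample_cer(realm=b"epc.example.net", product=b"constructed-mme"):
    """Constructed CER from a hypothetical MME advertising S6a (16777251)."""
    body = b"".join([
        encode_avp(ORIGIN_HOST, b"mme1." + realm),
        encode_avp(ORIGIN_REALM, realm),
        encode_avp(HOST_IP_ADDRESS, b"\x00\x01" + bytes([192, 0, 2, 10])),
        encode_avp(AUTH_APPLICATION_ID, struct.pack("!I", 16777251)),
        encode_avp(PRODUCT_NAME, product),
    ])
    length = 20 + len(body)
    header = bytes([1]) + length.to_bytes(3, "big") + bytes([0x80])
    header += CER_COMMAND.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1)
    return header + body


POLICY = {  # hypothetical policy values for this example
    "max_len": 4096,
    "subnets": [ipaddress.ip_network("192.0.2.0/24")],
    "realms": {"epc.example.net"},
    "host_suffixes": (".epc.example.net",),
    "app_ids": {16777251},
}

if __name__ == "__main__":
    print(cer_acl_decision(build_sample_cer(), "192.0.2.10", POLICY))
```

The length limit is checked from the header before any AVP is parsed, so an oversized message is rejected without walking its body.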
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution is done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs are not dependent on each other
[Figure 43 diagram labels: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (External Ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND; Interswitch Links; Connections to upstream Routers; Virtual IPs for SCTP and TCP (all VIPs are doubled per Internal and External Networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS: Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM: Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS: Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM: Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM: Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM: Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console; Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console; SNMP; SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 (see note 2).
[Figure 58 diagram labels: Network; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Out Transformation; Remove Pending Session; Peer FSM; Encoder; Out Flow Control; Encryption; P2P Message; Decision Table; Groovy Scripting; Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory. Legend: Message Flow, Decision Flow]
Figure 58 Detailed System Flow
2 More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone: +1 732 333 3416
If the rate of the errors events exceeds the user configurable threshold the Diameter peer
server is considered ldquoout of servicerdquo for a certain time interval The time interval duration
is user configurable During the ldquoout of servicerdquo period the server does not handle new
Diameter sessions
9.6 External Monitoring
SDC provides the ability to add custom, proactive service monitoring mechanisms that
can perform a wide range of tests, from simple tests such as pinging each connected peer
to more sophisticated tests such as assuring that the connected peers are able to serve
specific requests. It is possible to have multiple monitors perform any test that is required
in order to assure service availability. These health monitoring tests are performed in
addition to the other tests SDC performs when it attempts to send requests to Remote Nodes
and analyzes the responses received from them.
External Monitoring is based on active, script-based custom health monitors that can be
used to augment the statistical information collected by In Session monitoring, e.g. by
probing external counters such as CPU and Server Utilization using protocols such as
SNMP and JMX, or by using synthetic transactions. External Monitoring is integrated with
a threshold mechanism in which the user can use statistics collected by scripts and set the
same thresholds as explained in In Session monitoring.
9.7 Connectivity Monitoring
In addition to the error and traffic rate monitoring, SDC uses the Diameter DWR/DWA
mechanism to verify the availability of the remote peers.
For Diameter clients, SDC replies with a DWA to each DWR sent from the client side,
while for Diameter servers the system sends a DWR if no traffic is received during a
predefined time interval. The time interval is user configurable. If, after sending a DWR,
SDC does not receive a DWA, SDC declares the peer as disconnected and tries to
re-establish the Diameter connection by sending a CER to the disconnected peer.
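A sketch of the peer supervision described above, combining the "out of service" error threshold with the DWR/DWA watchdog. It is an added illustration, not SDC code; the class, method and parameter names and all timer defaults are assumptions.

```python
from collections import deque
from enum import Enum


class PeerState(Enum):
    UP = "up"
    OUT_OF_SERVICE = "out of service"  # error rate too high: no new sessions
    DISCONNECTED = "disconnected"      # DWR went unanswered: reconnect via CER


class PeerMonitor:
    """Supervises one Diameter peer. Times are seconds on any monotonic clock.

    Every parameter name and default below is an assumption made for this sketch.
    """

    def __init__(self, idle_interval=30.0, dwa_timeout=10.0,
                 error_threshold=5, error_window=60.0, oos_period=120.0):
        self.idle_interval = idle_interval      # silence before a DWR is sent
        self.dwa_timeout = dwa_timeout          # how long to wait for the DWA
        self.error_threshold = error_threshold  # errors tolerated per window
        self.error_window = error_window        # sliding window for the error rate
        self.oos_period = oos_period            # length of the "out of service" period
        self.connected = True
        self.last_rx = 0.0
        self.dwr_sent_at = None
        self.oos_until = None
        self.errors = deque()
        self.sent = []                          # (time, command) we would transmit

    def on_message(self, now, command="answer"):
        """Any message from the peer proves liveness; a DWR is answered with a DWA."""
        self.last_rx = now
        self.dwr_sent_at = None
        if command == "DWR":
            self.sent.append((now, "DWA"))
        elif command == "CEA":
            self.connected = True               # capabilities exchange completed again

    def on_error(self, now):
        """Record an error event; exceeding the threshold starts the out-of-service period."""
        self.errors.append(now)
        while self.errors and now - self.errors[0] > self.error_window:
            self.errors.popleft()
        if len(self.errors) > self.error_threshold:
            self.oos_until = now + self.oos_period
            self.errors.clear()

    def tick(self, now):
        """Drive the watchdog timers; call this periodically."""
        if not self.connected:
            return
        if self.dwr_sent_at is not None:
            if now - self.dwr_sent_at >= self.dwa_timeout:
                self.connected = False          # no DWA: declare the peer disconnected
                self.dwr_sent_at = None
                self.sent.append((now, "CER"))  # and try to re-establish the connection
        elif now - self.last_rx >= self.idle_interval:
            self.dwr_sent_at = now
            self.sent.append((now, "DWR"))

    def state(self, now):
        if not self.connected:
            return PeerState.DISCONNECTED
        if self.oos_until is not None and now < self.oos_until:
            return PeerState.OUT_OF_SERVICE
        return PeerState.UP

    def accepts_new_sessions(self, now):
        """Only a peer that is connected and in service receives new sessions."""
        return self.state(now) is PeerState.UP


if __name__ == "__main__":
    monitor = PeerMonitor(idle_interval=30, dwa_timeout=10)
    monitor.on_message(0)
    for t in (30, 40):                          # idle peer, then an unanswered DWR
        monitor.tick(t)
        print(t, monitor.state(t).value, monitor.sent)
```
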
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using
its Management function. The Management function of the platform is comprised of the
modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration
distribution service that is responsible for the distribution of the configuration to all
SDC nodes within the cluster. It also provides auditing, backup and restore
functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and
manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables
automatic configuration and management of SDC.
Figure 32 SDC OAM Function architecture
The Management function provides the following capabilities:
• SDC Cluster node Configuration and management
• Remote Peer Configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage such as memory and CPU is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for the definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful software and hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- The SDC core process is responsible for processing of Diameter or other
message-oriented protocols, e.g. security, routing, load balancing and message
transformation.
- The Config Manager process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
Figure 33 Scalable Deployment Physical View ("Scalable Mode" SDC node, 12 blades)
Figure 34 Scalable Deployment Logical View
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture - Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the
Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture - Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):
Component / Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy); Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
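The two controls described under Diameter connection security and Diameter message security, a CER-level ACL and AVP screening, shown as an added example that is not SDC code. The policy dictionary, the function names and the sample CER are assumptions; the sample input is constructed.

```python
import ipaddress
import struct

CER, HOST_IP_ADDRESS, AUTH_APP_ID = 257, 257, 258     # command code, then AVP codes
ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 264, 282, 296


def encode_avp(code, data, flags=0x40):
    """Encode a base-protocol AVP (no Vendor-Id, M bit set), padded to 4 bytes."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def pack_message(command, flags, app_id, hbh, e2e, body):
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)


def parse_message(raw, max_length=4096):
    """Return (command, flags, app_id, hbh, e2e, avps), where avps is a list of
    (code, vendor, data, wire_bytes). Raises ValueError on malformed input."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length != len(raw) or length % 4 or length > max_length:
        raise ValueError("bad or excessive message length")
    flags, command = raw[4], int.from_bytes(raw[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", raw[8:20])
    avps, pos = [], 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", raw[pos:pos + 5])
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & 0x80 else 8           # V bit: 4-byte Vendor-Id follows
        if alen < hdr or pos + alen > length:
            raise ValueError("AVP length out of bounds")
        vendor = int.from_bytes(raw[pos + 8:pos + 12], "big") if hdr == 12 else 0
        end = pos + alen + (-alen % 4)
        avps.append((code, vendor, raw[pos + hdr:pos + alen], raw[pos:end]))
        pos = end
    return command, flags, app_id, hbh, e2e, avps


def cer_decision(raw, policy):
    """Diameter-level ACL for connection establishment: ("ACCEPT"|"REJECT", reason)."""
    try:
        command, flags, _, _, _, avps = parse_message(raw, policy["max_length"])
    except ValueError as exc:
        return "REJECT", str(exc)
    if command != CER or not flags & 0x80:
        return "REJECT", "not a Capabilities-Exchange-Request"
    values = {}
    for code, vendor, data, _ in avps:
        if vendor == 0:
            values.setdefault(code, []).append(data)
    realm = values.get(ORIGIN_REALM, [b""])[0].decode("ascii", "replace")
    if realm not in policy["realms"]:
        return "REJECT", "Origin-Realm not allowed"
    addresses = values.get(HOST_IP_ADDRESS, [])
    for addr in addresses:
        # Address AVP: 2-byte address family (1 = IPv4), then the address itself.
        if len(addr) != 6 or addr[:2] != b"\x00\x01" or not any(
                ipaddress.ip_address(addr[2:]) in net for net in policy["subnets"]):
            return "REJECT", "Host-IP-Address not allowed"
    apps = {int.from_bytes(a, "big") for a in values.get(AUTH_APP_ID, [])}
    if not addresses or not apps or not apps <= policy["applications"]:
        return "REJECT", "missing or disallowed address/application"
    return "ACCEPT", "policy matched"


def screen_outgoing(raw, public_host, public_realm, strip=(ROUTE_RECORD,)):
    """Message screening: drop AVPs that reveal internal hops and present the
    node's public identity instead of the internal Origin-Host/Origin-Realm."""
    command, flags, app_id, hbh, e2e, avps = parse_message(raw, (1 << 24) - 1)
    rewrite = {ORIGIN_HOST: public_host, ORIGIN_REALM: public_realm}
    body = b""
    for code, vendor, _, wire in avps:
        if vendor == 0 and code in strip:
            continue
        body += encode_avp(code, rewrite[code]) if vendor == 0 and code in rewrite else wire
    return pack_message(command, flags, app_id, hbh, e2e, body)


# Constructed sample input: a CER carrying only the AVPs this policy inspects.
SAMPLE_CER = pack_message(CER, 0x80, 0, 1, 1, b"".join([
    encode_avp(ORIGIN_HOST, b"mme1.visited.example"),
    encode_avp(ORIGIN_REALM, b"visited.example"),
    encode_avp(HOST_IP_ADDRESS, b"\x00\x01" + bytes([192, 0, 2, 10])),
    encode_avp(AUTH_APP_ID, (16777251).to_bytes(4, "big")),       # 3GPP S6a
]))
POLICY = {"max_length": 4096, "realms": {"visited.example"}, "applications": {16777251},
          "subnets": [ipaddress.ip_network("192.0.2.0/24")]}

if __name__ == "__main__":
    print(cer_decision(SAMPLE_CER, POLICY))
```

Session-Id usually embeds the originating host name, so hiding it as well needs a reversible mapping for answers, which this sketch leaves out.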
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet
will be required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and
Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7382
SIGNALING DELIVERY CONTROLLER
Product Description
73
wwwtraffixsystemscom
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
 |  |  | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
 |  |  | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
 |  |  | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
 |  |  | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
 |  |  | Super-User (Administrator) | Full access
 |  |  | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
 |  |  | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
 |  |  | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow [diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
10 OAM Support
The SDC provides support for Operation, Administration and Maintenance (OAM) using its Management function. The Management function of the platform comprises the modules shown in Figure 32:
• Configuration Manager is the configuration repository and configuration distribution service that is responsible for the distribution of the configuration to all SDC nodes within the cluster. It also provides auditing, backup and restore functions, as well as a server for performance statistics collection.
• Management Console is a Web-based client GUI that enables, configures and manages SDC. Sample snapshots of the GUI are shown in Appendix A.
• Provisioning Interface (SOAP API) provides a programmatic interface that enables automatic configuration and management of SDC.
Figure 32: SDC OAM Function architecture [diagram labels: Management Console (HTTPS Web access); Web Service Provisioning Interface (SOAP, XML); Configuration Manager; SDC Core; Blade/Server OAM; SDC Node; SNMP/Syslog; Fault and Performance Manager; AMM; Security and Administration Manager; CLI]
The Management function provides the following capabilities:
• SDC Cluster node configuration and management
• Remote Peer configuration and management
• Flow and routing configuration
• Translation configuration
• Remote Provisioning
• Alarm Dilution management
• Tracing and Logging management
• Monitoring and Performance management
• License management
• Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single centralized system that helps manage OAM for multi-site deployments. In standalone deployments, the configuration management is performed locally. In multi-site deployments with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by the platform components and the deployed applications. Fault management capabilities such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are provided. All fault situations are notified with an appropriate alarm. Recovery from a fault situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports. The platform provides OAM with configured traces on a per-component basis. It also updates the configured statistic counters in real time so that SMP can generate the required statistic reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information about the status of cluster nodes, application service enablers and protocol stacks. Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of custom performance counters. Monitoring and scheduling of performance counters, as well as statistic collection related to performance counters, are supported. The OAM supports the compression of performance reports, since those may be very large.
10.5 Security Management
This includes access rights management, communication links protection and management operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification. License keys, as well as counter reports related to licensing (i.e. reports of the number of Sessions per Second during a predefined period), are monitored by OAM, which acts according to the observed state and counter values. Hence, the OAM can notify the operator about the need for a new license key or for an extension of the licensed traffic volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform’s components and services. It also supports dynamic configuration of parameters related to the platform’s components and services. Graceful software and hardware upgrades (i.e. without service interruption) are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take appropriate actions in case of a fatal fault situation (for example, restarting the Diameter Router instance if it has not responded for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time at which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a Web interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs OAM tasks
Figure 33: Scalable Deployment Physical View [diagram labels: “Scalable Mode” SDC Node; Servers Backbone (Server 1 to Server M); Clients Backbone (Client 1 to Client K); External Network Interconnect; Management Network; Scalable (12 blades); SDC Blade 1 with VIP (Active); SDC Blade 2 to SDC Blade 12 with VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage]
Figure 34: Scalable Deployment Logical View [diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engine (four instances); FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Client; Server]
Figure 35: Main Software Processes [diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36: Hot-Standby HA architecture [diagram labels: Node 1 and Node 2, each with SDC Core, Web UI WS, Configuration Manager, Diameter VIP and Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation [diagram labels: Node 1, Node 2, Node 2, each with SDC, Diameter VIP, Management VIP and Physical IPs; Web UI WS; Configuration Manager; Management Workstation; Client; Session Replication; flow markers 1, 2, 3]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation [diagram labels: Node 1, Node 2, Node 2, each with SDC, Diameter VIP, Management VIP and Physical IPs; Web UI WS; Configuration Manager; Management Workstation; Client; Session Replication; flow markers 1, 2, 3]
For ease of the network integration types, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. This architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution’s components (“scalable deployment” is assumed).
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog “is running” check; service monitor | Automatic Persistent data store recovery; process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS are new sessions and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
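The CER-based ACCEPT/REJECT decision of section 11.5 and the message-length enforcement of section 11.6, as an added Python example that is not SDC code or configuration: it parses a Diameter CER following the RFC 6733 wire format and applies a first-match ACL with default REJECT. The rule format, the 4096-byte limit, the sample peers and the custom policy that every advertised Host-IP-Address must sit inside the rule's subnet are assumptions.

```python
import ipaddress
import struct

CER_COMMAND_CODE = 257                      # Capabilities-Exchange (RFC 6733)
AVP_HOST_IP_ADDRESS, AVP_AUTH_APPLICATION_ID = 257, 258
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 264, 296
MAX_MESSAGE_LENGTH = 4096                   # assumed operator limit, in bytes


class DiameterError(ValueError):
    """Raised when a message fails length or structure checks."""


def build_avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id: header, data, padding to 4 bytes."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def build_cer(origin_host, origin_realm, host_ip, app_ids):
    """Construct a sample CER (test input only, not a full capabilities set)."""
    addr = ipaddress.ip_address(host_ip)
    family = struct.pack("!H", 1 if addr.version == 4 else 2)
    avps = build_avp(AVP_ORIGIN_HOST, origin_host.encode())
    avps += build_avp(AVP_ORIGIN_REALM, origin_realm.encode())
    avps += build_avp(AVP_HOST_IP_ADDRESS, family + addr.packed)
    for app_id in app_ids:
        avps += build_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", app_id))
    length = 20 + len(avps)
    header = bytes([1]) + length.to_bytes(3, "big")                # version, length
    header += bytes([0x80]) + CER_COMMAND_CODE.to_bytes(3, "big")  # R flag, code
    header += struct.pack("!III", 0, 1, 1)   # application id, hop-by-hop, end-to-end
    return header + avps


def parse_cer(message, max_length=MAX_MESSAGE_LENGTH):
    """Validate the header and return {avp_code: [raw values]}."""
    if len(message) < 20:
        raise DiameterError("truncated header")
    declared = int.from_bytes(message[1:4], "big")
    if message[0] != 1:
        raise DiameterError("unsupported version")
    if declared > max_length:
        raise DiameterError("message exceeds maximum length")
    if declared != len(message) or declared % 4:
        raise DiameterError("declared length does not match received bytes")
    if int.from_bytes(message[5:8], "big") != CER_COMMAND_CODE or not message[4] & 0x80:
        raise DiameterError("not a Capabilities-Exchange-Request")
    avps, offset = {}, 20
    while offset < declared:
        if declared - offset < 8:
            raise DiameterError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", message, offset)
        avp_len = int.from_bytes(message[offset + 5:offset + 8], "big")
        header_len = 12 if flags & 0x80 else 8      # V flag adds a Vendor-Id
        if avp_len < header_len or offset + avp_len > declared:
            raise DiameterError("AVP length out of bounds")
        avps.setdefault(code, []).append(message[offset + header_len:offset + avp_len])
        offset += avp_len + (-avp_len % 4)
    return avps


def evaluate_acl(message, source_ip, rules, max_length=MAX_MESSAGE_LENGTH):
    """Return the action of the first matching rule; anything else is REJECT."""
    try:
        avps = parse_cer(message, max_length)
        realm = avps[AVP_ORIGIN_REALM][0].decode("ascii").lower()
        avps[AVP_ORIGIN_HOST][0].decode("ascii")    # must be present and decodable
        advertised = [ipaddress.ip_address(raw[2:]) for raw in avps[AVP_HOST_IP_ADDRESS]]
        app_ids = {int.from_bytes(raw, "big")
                   for raw in avps.get(AVP_AUTH_APPLICATION_ID, [])}
        peer = ipaddress.ip_address(source_ip)
    except (ValueError, KeyError):                  # malformed or incomplete CER
        return "REJECT"
    for rule in rules:
        subnet = ipaddress.ip_network(rule["subnet"])
        if peer not in subnet or any(ip not in subnet for ip in advertised):
            continue
        if "realm" in rule and realm != rule["realm"]:
            continue
        if "app_ids" in rule and not (app_ids and app_ids <= rule["app_ids"]):
            continue
        return rule["action"]
    return "REJECT"


# Constructed sample policy and messages (documentation address ranges).
RULES = [
    {"subnet": "198.51.100.0/24", "action": "REJECT"},
    {"subnet": "192.0.2.0/24", "realm": "epc.example.net",
     "app_ids": {16777251}, "action": "ACCEPT"},
]
GOOD_CER = build_cer("mme01.epc.example.net", "epc.example.net", "192.0.2.10", [16777251])
WRONG_APP_CER = build_cer("mme01.epc.example.net", "epc.example.net", "192.0.2.10", [16777238])
MISMATCHED_IP_CER = build_cer("mme01.epc.example.net", "epc.example.net", "10.0.0.5", [16777251])

if __name__ == "__main__":
    for name, msg in [("good", GOOD_CER), ("wrong app", WRONG_APP_CER),
                      ("mismatched ip", MISMATCHED_IP_CER)]:
        print(name, evaluate_acl(msg, "192.0.2.10", RULES))
```

The length check runs before any AVP is parsed, so an oversized or inconsistent message is rejected without walking its body.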
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
121
Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for OampAM) and NIC bonding for TCP or
multi-homing SCTP
The local redundancy architecture as shown in Figure 43 is achieved in the following
way
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure: blade chassis diagram. Labels: SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; interswitch links; in-band connections to upstream routers; virtual IPs for SCTP and TCP (all VIPs are doubled per internal and external networks)]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling: 4 IP addresses per signaling interface (e.g. Diameter)
Note:
- Additional addresses per signaling interface are supported
- Multiple signaling interfaces are supported
- Multiple networks and/or VLANs are supported
- IPv4 and IPv6 are supported
- SCTP multi-homing is supported
- If the Traffix solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP switch redundancy)
OAM Management and Backup Network Connection: One IP address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
- Additional Management VIPs are supported
- Multiple addresses per blade are supported
- Multiple networks and/or VLANs are supported, e.g. a dedicated Management and Backup interface
- Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring: Six (6) IP addresses
- 2 for Advanced Management Modules
- 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW, such as:
- HP Blade System with BL460c Gen8 Blades
- HP DL380p Gen8 Rackmount Servers
- IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
a chassis-based, high-capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.
Note: More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
[Labels recoverable from Figure 58: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
- Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
- Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
- Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
The Management function provides the following capabilities:
- SDC Cluster node configuration and management
- Remote Peer configuration and management
- Flow and routing configuration
- Translation configuration
- Remote Provisioning
- Alarm Dilution management
- Tracing and Logging management
- Monitoring and Performance management
- License management
- Backup and Restore activation
The Element Management System (EMS), introduced in release 4.0, provides a single
centralized system that helps manage OAM for multi-site deployments. In standalone
deployments, the configuration management is performed locally. In multi-site deployments
with the EMS, some configuration is performed globally.
10.1 Alarms
The OAM constitutes a collection and aggregation point for all alarms and events issued by
the platform components and the deployed applications. Fault management capabilities
such as alarm clearing, alarm filtering, alarm flood suppression and alarm forwarding are
provided. All fault situations are notified with an appropriate alarm. Recovery from a fault
situation is also notified with the associated clearance alarm.
10.2 Tracing and Logging
The OAM ensures management of component-based tracing, logging and statistics reports.
The platform provides OAM with configured traces on a per-component basis. It also updates
the configured statistic counters in real time, so that SMP can generate the required statistic
reports.
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of the number of
Sessions per Second during a predefined period), are monitored by the OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for an extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful software and hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
The SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers, for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to the SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time at
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
- For vertical scalability, it implements a message-driven component optimized for
low-latency processing and multi-core architectures, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
- For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution.
- The SDC core process is responsible for processing of Diameter or other message-
oriented protocols, e.g. security, routing, load balancing and message
transformation.
- The Config Manager process is responsible for configuration distribution and
storage.
- Distributed Storage is responsible for the management of static and dynamic
routing tables.
- The Web Console process provides a Web interface for interactive system
configuration and communicates with the Config Manager processes.
- The EMS agent process communicates with the EMS system and performs
OAM tasks.
[Figure: "Scalable Mode" SDC node (12 blades) between the clients backbone (Client 1 to Client K) and the servers backbone (Server 1 to Server M), with external network, interconnect and management network. Labels: SDC Blade 1 VIP (Active); SDC Blades 2, 3 and 12 VIP (Standby); SDC Engine; Web Interface; Config Mgr; Distributed Storage]
Figure 33 Scalable Deployment Physical View
[Figure: labels show HA Cluster, Config Mgr, Shared Memory, SDC Engines, FEP-O (SCTP), FEP-O (TCP), FEP-I (IPSEC), FEP-I (TCP), Web UI, SOAP, clients and servers]
Figure 34 Scalable Deployment Logical View
[Figure: SDC Blade X with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node, while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Figure: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; session replication between the nodes; client peer, server peer and management workstation]
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
- Solaris Cluster "Scalable Services"
- Linux IPVS
[Figure: SDC nodes, each with a physical IP, Diameter VIP and Management VIP; Configuration Managers; Web UI WS; session replication; a client and a management workstation; flow steps numbered 1 to 3]
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP address.
b. The floating IP address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP address are managed by the cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using the Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Figure: SDC nodes, each with a physical IP, Diameter VIP and Management VIP; Configuration Managers; Web UI WS; session replication; a client and a management workstation; flow steps numbered 1 to 3]
Figure 38 Scalable N+K HA architecture Failure operation
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. This architecture provides a fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed).
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis of failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic persistent data store recovery; process start |
| Lockup | Service monitor | Process forced termination; automatic persistent data store recovery; process start |
| Partial lockup | Service monitor | Process forced termination; automatic persistent data store recovery; process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location (site). Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
- Destination Peer
- Pool name
- Origin Peer
- Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability integrity and
confidentiality of the operatorrsquos signaling network SDC provides multi-level security
features that are described in the following sections
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
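An added sketch (not F5 Traffix code) of the checks that the Diameter connection security and Diameter message security sections describe: an ACCEPT/REJECT decision taken from the AVPs of a CER, maximal-length enforcement, and AVP removal and rewriting. The wire layout and AVP codes follow RFC 6733; the rule format, the 4096-byte limit, the Host-IP-Address cross-check, Route-Record as the AVP to remove, the HMAC pseudonym and all sample names are assumptions.

```python
import hmac
import ipaddress
import struct

MAX_MESSAGE_LENGTH = 4096  # assumed limit; the page names no figure
CER = 257                  # Capabilities-Exchange command code (RFC 6733)
HOST_IP, AUTH_APP_ID, SESSION_ID, ORIGIN_HOST = 257, 258, 263, 264
PRODUCT_NAME, ROUTE_RECORD = 269, 282


def encode_avp(code, data, flags=0x40, vendor=None):
    """Encode one AVP: code, flags, 24-bit length, optional vendor id, 4-byte padding."""
    vendor_part = b"" if vendor is None else struct.pack("!I", vendor)
    length = 8 + len(vendor_part) + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + vendor_part + data + b"\x00" * (-length % 4)


def encode_message(header, avps):
    """Rebuild a message from a 20-byte header and an AVP list, recomputing the length."""
    body = b"".join(encode_avp(*avp) for avp in avps)
    return header[:1] + (20 + len(body)).to_bytes(3, "big") + header[4:20] + body


def decode_message(raw, max_length=MAX_MESSAGE_LENGTH):
    """Return (command, is_request, avps); raise ValueError on oversized or malformed input."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_length:
        raise ValueError("message exceeds the maximal length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match the data received")
    avps, offset = [], 20
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, offset)
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        head = 12 if flags & 0x80 else 8  # V bit set: a vendor id follows the length
        if avp_len < head or offset + avp_len > length:
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", raw, offset + 8)[0] if flags & 0x80 else None
        avps.append((code, raw[offset + head:offset + avp_len], flags, vendor))
        offset += avp_len + (-avp_len % 4)
    return int.from_bytes(raw[5:8], "big"), bool(raw[4] & 0x80), avps


def check_cer(raw, source_ip, rules):
    """Return the action of the first rule matching this CER; REJECT when none matches."""
    try:
        command, is_request, avps = decode_message(raw)
    except ValueError:
        return "REJECT"
    if command != CER or not is_request:
        return "REJECT"
    seen = {}
    for code, data, _flags, _vendor in avps:
        seen.setdefault(code, []).append(data)
    host = seen.get(ORIGIN_HOST, [b""])[0].decode("ascii", "replace").lower()
    product = seen.get(PRODUCT_NAME, [b""])[0].decode("utf-8", "replace")
    app_ids = {int.from_bytes(value, "big") for value in seen.get(AUTH_APP_ID, [])}
    source = ipaddress.ip_address(source_ip)
    # Example policy: Host-IP-Address is peer-supplied, so it must list the transport source.
    if source.packed not in {value[2:] for value in seen.get(HOST_IP, [])}:
        return "REJECT"
    for rule in rules:
        if (source in ipaddress.ip_network(rule["subnet"])
                and host.endswith(rule.get("host_suffix", ""))
                and rule.get("product", product) == product
                and ("app_id" not in rule or rule["app_id"] in app_ids)):
            return rule["action"]
    return "REJECT"


def screen_message(raw, key, drop=(ROUTE_RECORD,), pseudonymize=(SESSION_ID,)):
    """Remove AVPs that reveal topology and replace others with a keyed pseudonym."""
    kept = []
    for code, data, flags, vendor in decode_message(raw)[2]:
        if vendor is None and code in drop:
            continue
        if vendor is None and code in pseudonymize:
            data = hmac.digest(key, data, "sha256").hex()[:32].encode()
        kept.append((code, data, flags, vendor))
    return encode_message(raw[:20], kept)


def sample_cer(host=b"mme01.visited.example", ip="192.0.2.10"):
    """Constructed, minimal CER using documentation names and addresses."""
    header = bytes([1, 0, 0, 0, 0x80]) + CER.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1)
    return encode_message(header, [
        (ORIGIN_HOST, host), (HOST_IP, b"\x00\x01" + ipaddress.ip_address(ip).packed),
        (AUTH_APP_ID, struct.pack("!I", 16777251)), (PRODUCT_NAME, b"ExampleMME", 0)])


RULES = [  # constructed ACL, first match wins
    {"subnet": "192.0.2.0/24", "host_suffix": ".visited.example", "app_id": 16777251, "action": "ACCEPT"},
    {"subnet": "0.0.0.0/0", "action": "REJECT"}]
```

The keyed pseudonym is deterministic, so messages of one session still correlate downstream; a deployment that has to restore the original value on answers needs a reversible mapping instead.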
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Diagram labels: Blade Chassis with SDC Worker Nodes; Virtual Fabric Switch 1 and 2 (external ports 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND; Interswitch Links; connections to upstream routers; Virtual IPs for SCTP and TCP, doubled per Internal and External Networks]
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HPBNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HPBNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBMBNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.) |
| | | | 2 | Passive DAC 10GbE | IBMBNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBMBNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.) |
| | | | 2 | Passive DAC 10GbE | IBMBNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBMBNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBMBNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection: One IP Address per hardware blade plus
one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring: Six (6) IP
Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition to that, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. (2)
Figure 58 Detailed System Flow
(2) More details are available in Pipeline.xlsx and PeerFSM.xlsx
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; legend: Message Flow, Decision Flow, Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
10.3 Monitoring
The OAM ensures monitoring of manageable components, providing real-time information
about the status of cluster nodes, application service enablers and protocol stacks.
Monitoring of resource usage, such as memory and CPU, is also provided.
10.4 Performance Management
The OAM supports a predefined set of performance counters and allows for definition of
custom performance counters. Monitoring and scheduling of performance counters, as well
as statistic collection related to performance counters, are supported. The OAM supports the
compression of performance reports, since those may have a very large size.
10.5 Security Management
This includes access rights management, communication links protection and management
operation logging.
10.6 Licensing Management
The OAM supports the functions related to licensing and licensing issues notification.
License keys, as well as counter reports related to licensing (i.e. reports of number of
Sessions per Second during a predefined period), are monitored by OAM, which acts
according to the observed state and counter values. Hence, the OAM can notify the
operator about the need for a new license key or for the extension of the licensed traffic
volume.
10.7 Lifecycle Management
The OAM supports lifecycle management of the platform's components and services. It
also supports dynamic configuration of parameters related to the platform's components
and services. Graceful Software and Hardware upgrades (i.e. without service interruption)
are part of the OAM configuration management functions.
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as
integrate OAM with umbrella management systems or Network Management Centers for
functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via
an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports
SNMP v2c.
10.10 Cluster management
The Cluster management process constantly monitors platform instances and can take
appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router
instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited
actions can be used to restore the documented configuration of the exact point in time in
which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this
feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard
and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for
low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on
multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot
standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software.
Typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering
software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources
management in the solution
- SDC core process is responsible for processing of Diameter or other message
oriented protocols, e.g. security, routing, load balancing and message
transformation
- Config Manager Process is responsible for configuration distribution and
storage
- Distributed Storage is responsible for the management of static and dynamic
routing tables
- The Web Console process provides a WEB interface for interactive system
configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs
OAM tasks
[Diagram labels: "Scalable Mode" SDC Node, scalable (12 blades); Servers Backbone with Server 1 to Server M; Clients Backbone with Client 1 to Client K; External Network; Interconnect; Management Network; SDC Blade 1 with VIP (Active); SDC Blade 2, Blade 3 and Blade 12 with VIP (Standby); SDC Engine on each blade; Web Interface; Config Mgr; Distributed Storage]
Figure 33 Scalable Deployment Physical View
[Diagram labels: HA Cluster; Config Mgr; Shared Memory; SDC Engines; FEP-O (SCTP); FEP-O (TCP); FEP-I (IPSEC); FEP-I (TCP); Web UI; SOAP; Clients; Servers]
Figure 34 Scalable Deployment Logical View
[Diagram labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent]
Figure 35 Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node, while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
[Diagram labels: Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI WS, Diameter VIP and Management VIP; Client Peer; Server Peer; Management Workstation; Session Replication]
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Diagram labels: three nodes (labelled Node 1, Node 2, Node 2), each with SDC, Diameter VIP, Management VIP and Physical IPs; Web UI WS; Configuration Manager; Management Workstation; Client 1; Session Replication; flow steps 1, 2 and 3]
Figure 37 Scalable N+K HA architecture Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
Global Interface and floating IP Address are managed by the Cluster
software. The "Global Interface" is held by one system node (server) at one time.
c. The request is received by the system node currently holding the "Global
Interface".
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-
Robin load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
[Diagram labels: three nodes (labelled Node 1, Node 2, Node 2), each with SDC, Diameter VIP, Management VIP and Physical IPs; Web UI WS; Configuration Manager; Management Workstation; Client 1; Session Replication; flow steps 1, 2 and 3]
Figure 38 Scalable N+K HA architecture Failure operation
For ease of the network integration types, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP, Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components; "scalable deployment" is assumed.
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6582
SIGNALING DELIVERY CONTROLLER
Product Description
65
wwwtraffixsystemscom
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
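The connection ACL of section 11.5 and the message screening of section 11.6, sketched as an added example (not SDC code and not part of the original document): a minimal Diameter parser following RFC 6733 that enforces a maximum message length, accepts or rejects a CER by Origin-Realm, Host-IP-Address and Auth-Application-Id, and rewrites or removes identity AVPs before forwarding. The policy, the 4096-byte limit and all host names, realms and addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

CER, R_FLAG, V_FLAG = 257, 0x80, 0x80
HOST_IP, AUTH_APP_ID, ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 257, 258, 264, 282, 296
MAX_LEN = 4096  # assumed operator limit on Diameter message length

class Malformed(ValueError):
    """Raised when a message fails length or structure checks."""

def avp(code, data, flags=0x40, vendor=b""):
    """Encode one AVP; `vendor` is the raw 4-byte Vendor-Id when the V bit is set."""
    length = 8 + len(vendor) + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * (-length % 4))

def message(command, flags, app_id, avps, hbh=1, e2e=1):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def parse(raw, max_len=MAX_LEN):
    """Validate lengths, then return (flags, command, app_id, hbh, e2e, avps)."""
    if len(raw) < 20 or raw[0] != 1:
        raise Malformed("bad header")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise Malformed("message exceeds maximum length")
    if length != len(raw) or length % 4:
        raise Malformed("length field does not match payload")
    flags, command = raw[4], int.from_bytes(raw[5:8], "big")
    app_id, hbh, e2e = struct.unpack_from("!III", raw, 8)
    avps, off = [], 20
    while off < length:
        if off + 8 > length:
            raise Malformed("truncated AVP header")
        code, aflags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if aflags & V_FLAG else 8
        if alen < hdr or off + alen > length:
            raise Malformed("bad AVP length")
        avps.append((code, aflags, raw[off + 8:off + hdr], raw[off + hdr:off + alen]))
        off += alen + (-alen % 4)  # AVP data is padded to a 4-byte boundary
    return flags, command, app_id, hbh, e2e, avps

def screen_cer(raw, policy):
    """Return ("ACCEPT", "") or ("REJECT", reason) for a peer's first message."""
    try:
        flags, command, *_, avps = parse(raw)
    except Malformed as exc:
        return "REJECT", str(exc)
    if command != CER or not flags & R_FLAG:
        return "REJECT", "first message is not a CER"
    values = {}
    for code, _, vendor, data in avps:  # base-protocol AVPs only
        if not vendor:
            values.setdefault(code, []).append(data)
    realm = values.get(ORIGIN_REALM, [b""])[0].decode("ascii", "replace").lower()
    if realm not in policy["realms"]:
        return "REJECT", "Origin-Realm not allowed"
    try:  # Host-IP-Address: 2-byte address family, then 4 or 16 address bytes
        addrs = [ipaddress.ip_address(d[2:]) for d in values.get(HOST_IP, [])]
    except ValueError:
        return "REJECT", "malformed Host-IP-Address"
    if not addrs or not all(any(a in net for net in policy["subnets"]) for a in addrs):
        return "REJECT", "Host-IP-Address outside allowed subnets"
    # Simplification: grouped Vendor-Specific-Application-Id AVPs are not unpacked.
    apps = {int.from_bytes(d, "big") for d in values.get(AUTH_APP_ID, [])}
    if not apps & policy["app_ids"]:
        return "REJECT", "no permitted Auth-Application-Id"
    return "ACCEPT", ""

def hide_topology(raw, public_host, public_realm, drop=(ROUTE_RECORD,)):
    """Re-encode a message with identity AVPs rewritten and `drop` AVPs removed."""
    flags, command, app_id, hbh, e2e, avps = parse(raw)
    rewrite = {ORIGIN_HOST: public_host, ORIGIN_REALM: public_realm}
    out = [avp(code, data if vendor else rewrite.get(code, data), aflags, vendor)
           for code, aflags, vendor, data in avps if vendor or code not in drop]
    return message(command, flags, app_id, out, hbh, e2e)

# Constructed policy and messages; every name, realm and address is a placeholder.
POLICY = {
    "realms": {"epc.example.net"},
    "subnets": [ipaddress.ip_network("192.0.2.0/24")],
    "app_ids": {16777251},  # 3GPP S6a
}

def sample_cer(realm=b"epc.example.net", ip=bytes([0, 1, 192, 0, 2, 10]), filler=0):
    """Constructed CER; `filler` grows Product-Name to exercise the length limit."""
    return message(CER, R_FLAG, 0, [
        avp(ORIGIN_HOST, b"mme01.epc.example.net"), avp(ORIGIN_REALM, realm),
        avp(HOST_IP, ip), avp(AUTH_APP_ID, (16777251).to_bytes(4, "big")),
        avp(269, b"constructed-client" + b"x" * filler)])

INTERNAL_REQUEST = message(272, R_FLAG, 4, [  # constructed request with internal names
    avp(263, b"sess;1;2"), avp(ORIGIN_HOST, b"pcrf-blade3.core.internal"),
    avp(ORIGIN_REALM, b"core.internal"), avp(ROUTE_RECORD, b"dra1.core.internal")])

if __name__ == "__main__":
    print(screen_cer(sample_cer(), POLICY))
    print(screen_cer(sample_cer(filler=5000), POLICY))
    print(parse(hide_topology(INTERNAL_REQUEST, b"sdc.example.net", b"example.net"))[5])
```

Checking the length field before walking the AVPs means an oversized or inconsistent message is rejected without parsing any attacker-controlled AVP lengths.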
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interfaces are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing Supported • If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition to that, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.²
Figure 58: Detailed System Flow
Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting
² More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
10.8 SOAP API
SOAP API is a programmatic interface that allows users to automate commands, as well as integrate OAM with umbrella management systems or Network Management Centers for functionalities such as automatic provisioning, queries, lookups and more.
10.9 SNMP Agent
The OAM uses SNMP to deliver traps to Network Management Centers. This is done via an SNMP Agent that delivers traps to SNMP managers connected to it. The OAM supports SNMP v2c.
10.10 Cluster management
The Cluster management process is constantly monitoring platform instances and can take appropriate actions in case of a fatal fault situation (for example, restart the Diameter Router instance in case the latter is not responding for a certain period of time).
10.11 Auditing
The OAM documents each of the actions taken in the auditing list. If needed, the audited actions can be used to restore the documented configuration of the exact point in time in which the action was performed.
10.12 Backup & Restore
The OAM provides support for backup and restore of the configuration. Using this feature, it is possible to restore the configuration back to a working configuration set.
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: “hot standby deployment” and “scalable deployment”.
Horizontal scalability in SDC is achieved using built-in cluster management software. Typical “scalable deployment” is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager Process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs OAM tasks
Figure 33: Scalable Deployment, Physical View
Figure 34: Scalable Deployment, Logical View
Figure 35: Main Software Processes
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
Figure 36: Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture, Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The Global Interface and floating IP Address are managed by the Cluster software. The “Global Interface” is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the “Global Interface”.
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture, Failure operation
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connection between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer to peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components (“scalable deployment” is assumed):

| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover, Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms, Network Link monitoring (OS) | Network Switch Failover, Node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover, Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover, Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover, Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover, Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog, “is running” check, service monitor | Automatic Persistent data store recovery, Process start |
| Lockup | Service monitor | Process forced termination, Automatic Persistent data store recovery, Process start |
| Partial lockup | Service monitor | Process forced termination, Automatic Persistent data store recovery, Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover, Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6482
SIGNALING DELIVERY CONTROLLER
Product Description
64
wwwtraffixsystemscom
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates

Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in AVP(s) such as Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
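The CER-based connection ACL of section 11.5 combined with the maximum message length check of section 11.6, as an added Python example. This is not SDC code: the policy values, the function names (parse_message, screen_cer, build_cer) and the sample CER are constructed for illustration, and the message layout follows RFC 6733.

```python
import ipaddress
import struct

CER_CODE = 257                                   # Capabilities-Exchange (RFC 6733)
AVP_AUTH_APP_ID, AVP_ORIGIN_HOST = 258, 264
AVP_PRODUCT_NAME, AVP_ORIGIN_REALM = 269, 296

# Hypothetical policy; every value is constructed for this example.
POLICY = {
    "max_message_length": 1024,
    "allowed_subnets": [ipaddress.ip_network("192.0.2.0/24")],
    "allowed_realms": {"epc.example.net"},
    "allowed_app_ids": {16777251},               # 3GPP S6a
    "rejected_products": {"lab-simulator"},
}


class Malformed(ValueError):
    """Raised when the bytes do not form a consistent Diameter message."""


def parse_message(data):
    """Return (is_request, command_code, {(vendor_id, avp_code): [payload, ...]})."""
    if len(data) < 20:
        raise Malformed("shorter than a Diameter header")
    length = int.from_bytes(data[1:4], "big")
    if data[0] != 1 or length != len(data) or length % 4:
        raise Malformed("bad version or length field")
    is_request = bool(data[4] & 0x80)
    command = int.from_bytes(data[5:8], "big")
    avps, offset = {}, 20
    while offset < length:
        if offset + 8 > length:
            raise Malformed("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", data, offset)
        flags, avp_len = flags_len >> 24, flags_len & 0xFFFFFF
        header = 12 if flags & 0x80 else 8       # V bit adds a Vendor-Id field
        if avp_len < header or offset + avp_len > length:
            raise Malformed("AVP length outside message")
        vendor = struct.unpack_from("!I", data, offset + 8)[0] if header == 12 else 0
        avps.setdefault((vendor, code), []).append(data[offset + header:offset + avp_len])
        offset += (avp_len + 3) & ~3             # AVPs are padded to 4 octets
    return is_request, command, avps


def text(avps, code):
    """First base-protocol (vendor 0) value of an AVP as lower-case text, or None."""
    values = avps.get((0, code), [])
    return values[0].decode("utf-8", "replace").lower() if values else None


def screen_cer(data, source_ip, policy=POLICY):
    """Return ("ACCEPT" | "REJECT", reason) for the first message on a connection."""
    if len(data) > policy["max_message_length"]:
        return "REJECT", "message exceeds maximum length"
    try:
        is_request, command, avps = parse_message(data)
    except Malformed as exc:
        return "REJECT", f"malformed: {exc}"
    if not is_request or command != CER_CODE:
        return "REJECT", "first message is not a CER"
    address = ipaddress.ip_address(source_ip)
    if not any(address in net for net in policy["allowed_subnets"]):
        return "REJECT", "source address not in ACL"
    if text(avps, AVP_ORIGIN_HOST) is None:
        return "REJECT", "missing Origin-Host"
    if text(avps, AVP_ORIGIN_REALM) not in policy["allowed_realms"]:
        return "REJECT", "Origin-Realm not in ACL"
    if text(avps, AVP_PRODUCT_NAME) in policy["rejected_products"]:
        return "REJECT", "Product-Name rejected"
    apps = {int.from_bytes(v, "big")
            for v in avps.get((0, AVP_AUTH_APP_ID), []) if len(v) == 4}
    if not apps & policy["allowed_app_ids"]:
        return "REJECT", "no permitted Auth-Application-Id"
    return "ACCEPT", "policy matched"


def avp(code, payload, flags=0x40):
    """Encode one AVP (M bit set by default) with padding to a 4-octet boundary."""
    length = 8 + len(payload)
    return struct.pack("!II", code, (flags << 24) | length) + payload + b"\x00" * (-length % 4)


def build_cer(host, realm, product, app_id):
    """Constructed sample CER; it carries only the AVPs this policy inspects."""
    body = (avp(AVP_ORIGIN_HOST, host.encode()) + avp(AVP_ORIGIN_REALM, realm.encode())
            + avp(AVP_PRODUCT_NAME, product.encode(), flags=0)
            + avp(AVP_AUTH_APP_ID, struct.pack("!I", app_id)))
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([0x80])
              + CER_CODE.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + body


if __name__ == "__main__":
    cer = build_cer("mme1.epc.example.net", "epc.example.net", "ExampleMME", 16777251)
    for source in ("192.0.2.10", "198.51.100.7"):
        print(source, screen_cer(cer, source))
```

The length limit is checked before any parsing, so an oversized or inconsistent message is rejected without walking its AVPs.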
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. Diagram of a blade chassis with SDC worker nodes, two Virtual Fabric Switches, two 1GB copper switches, and virtual IPs for SCTP and TCP on the internal and external networks.]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
[Figure 58: Detailed System Flow. Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
11 High Availability and Scalability
11.1 Scalability
The SDC solution provides vertical and horizontal scalability. Both options are standard and provided out-of-the-box.
• For vertical scalability, it implements a message-driven component optimized for low latency processing and multi-core architecture, e.g. SPARC. It relies heavily on multithreading and asynchronous network I/O processing.
• For horizontal scalability, it allows use of multiple servers in two modes: "hot standby deployment" and "scalable deployment".
Horizontal scalability in SDC is achieved using built-in cluster management software. A typical "scalable deployment" is shown in Figure 33 and Figure 34. The clustering software:
- Hides the internal structure of the node
- Presents VIP(s) for clients and servers
- Distributes the load between the blades
- Aggregates blade connections to Diameter peers
- Manages the different processes and services
For each of the deployed blades, the main software processes are shown in Figure 35:
- VIP is the clustering component responsible for load sharing and resources management in the solution
- SDC core process is responsible for processing of Diameter or other message-oriented protocols, e.g. security, routing, load balancing and message transformation
- Config Manager Process is responsible for configuration distribution and storage
- Distributed Storage is responsible for the management of static and dynamic routing tables
- The Web Console process provides a WEB interface for interactive system configuration and communicates with the Config Manager processes
- The EMS agent process communicates with the EMS system and performs OAM tasks
[Figure 33: Scalable Deployment Physical View. "Scalable Mode" SDC node of 12 blades between the clients backbone and the servers backbone, with one active VIP and standby VIPs.]
[Figure 34: Scalable Deployment Logical View]
[Figure 35: Main Software Processes. SDC blade with VIP (Active), Web Interface, Config Mgr, SDC Engine, Distributed Storage and EMS Agent.]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any failure on the SDC side is transparent to both client and server peers and does not require any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active node. All Diameter traffic is handled by the active node, and the data required for maintenance of sessions and state persistence is replicated to the standby node. The components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this point all traffic is handled by the standby node. The failover is transparent to both clients and servers.
Once the failed node is restored, the traffic remains on the active node while the node returning to operation acts as a backup node. Automatic failback is also supported. The session data required for maintenance of the session persistence is automatically replicated to the backup node.
[Figure 36: Hot-Standby HA architecture. Two nodes, each with SDC Core, Configuration Manager and Web UI WS, sharing a Diameter VIP and a Management VIP, with session replication between them.]
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
[Figure 37: Scalable N+K HA architecture, Normal operation]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
[Figure 38: Scalable N+K HA architecture, Failure operation]
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):

Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.

Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC

Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC

Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node

Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates

Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
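The CER-based access decision from section 11.5 and the length enforcement and AVP screening from section 11.6 can be sketched as follows. This is an added example, not Traffix code: the policy values, function names, constructed sample messages and the choice of an HMAC-based pseudonym for Origin-Host are all assumptions; only the Diameter header layout and AVP codes come from RFC 6733.

```python
import hashlib
import hmac
import ipaddress
import struct

CER, ULR = 257, 316                      # command codes (RFC 6733, 3GPP S6a)
ORIGIN_HOST, ORIGIN_REALM = 264, 296     # AVP codes from RFC 6733
AUTH_APPLICATION_ID, ROUTE_RECORD = 258, 282
S6A = 16777251                           # 3GPP S6a application id

# Hypothetical policy; every value here is an assumption for the demonstration.
POLICY = {"max_length": 4096, "realms": {"operator.example"},
          "subnets": [ipaddress.ip_network("192.0.2.0/24")],
          "applications": {S6A}}


def encode_avp(code, flags, payload):
    """payload is everything after the 8-byte AVP header (Vendor-Id included)."""
    length = 8 + len(payload)
    pad = b"\x00" * (-length % 4)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + payload + pad


def encode_message(header, avps):
    body = b"".join(encode_avp(*avp) for avp in avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big")
            + bytes([header["flags"]]) + header["code"].to_bytes(3, "big")
            + struct.pack("!III", header["app_id"], header["hbh"], header["e2e"])
            + body)


def decode_message(raw, max_length):
    """Parse header and AVPs, raising ValueError on any length violation."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared != len(raw) or declared > max_length or declared % 4:
        raise ValueError("message length rejected")
    app_id, hbh, e2e = struct.unpack_from("!III", raw, 8)
    header = {"flags": raw[4], "code": int.from_bytes(raw[5:8], "big"),
              "app_id": app_id, "hbh": hbh, "e2e": e2e}
    avps, pos = [], 20
    while pos < len(raw):
        if pos + 8 > len(raw):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, pos)
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        minimum = 12 if flags & 0x80 else 8      # V flag adds a Vendor-Id
        if length < minimum or pos + length > len(raw):
            raise ValueError("AVP length out of bounds")
        avps.append((code, flags, raw[pos + 8:pos + length]))
        pos += (length + 3) & ~3                 # skip padding to 4 bytes
    return header, avps


def cer_acl(raw, peer_ip, policy=POLICY):
    """ACCEPT or REJECT a connection based on its first message (the CER)."""
    try:
        header, avps = decode_message(raw, policy["max_length"])
    except ValueError:
        return "REJECT"
    if header["code"] != CER or not header["flags"] & 0x80:
        return "REJECT"                          # must be a CER request
    address = ipaddress.ip_address(peer_ip)
    if not any(address in net for net in policy["subnets"]):
        return "REJECT"
    realms = [d.decode("utf-8", "replace") for c, _, d in avps if c == ORIGIN_REALM]
    apps = {int.from_bytes(d, "big") for c, _, d in avps if c == AUTH_APPLICATION_ID}
    if len(realms) != 1 or realms[0] not in policy["realms"]:
        return "REJECT"
    if not apps or not apps <= policy["applications"]:
        return "REJECT"                          # every advertised app must be allowed
    return "ACCEPT"


def screen(raw, key, policy=POLICY):
    """Drop Route-Record and replace Origin-Host with a keyed pseudonym."""
    header, avps = decode_message(raw, policy["max_length"])
    kept = []
    for code, flags, payload in avps:
        if code == ROUTE_RECORD:
            continue                             # reveals internal hops
        if code == ORIGIN_HOST:
            tag = hmac.new(key, payload, hashlib.sha256).hexdigest()[:16]
            payload = f"node-{tag}.hidden.example".encode()
        kept.append((code, flags, payload))
    return encode_message(header, kept)


def sample_message(code=CER, realm=b"operator.example", app_id=0):
    """Constructed message, trimmed to the AVPs this example inspects."""
    header = {"flags": 0x80, "code": code, "app_id": app_id, "hbh": 1, "e2e": 1}
    avps = [(ORIGIN_HOST, 0x40, b"mme01.core.operator.example"),
            (ORIGIN_REALM, 0x40, realm),
            (AUTH_APPLICATION_ID, 0x40, S6A.to_bytes(4, "big"))]
    if code != CER:
        avps.append((ROUTE_RECORD, 0x40, b"dra7.internal.operator.example"))
    return encode_message(header, avps)
```

The keyed hash gives each internal host a stable pseudonym, so answers can still be correlated at the edge without exposing the real host name.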
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2, L2/3 1GB Copper Switches A and B, and virtual IPs for SCTP and TCP on the internal and external networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS: Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM: Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS: Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM: Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs are supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing is supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)

OAM: Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline
chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs are supported, e.g. dedicated Management and Backup
Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM: Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 (see note 2).
Figure 58: Detailed System Flow (labels in the figure: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting)
Note 2: More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone: +1 732 333 3416
- The EMS agent process communicates with the EMS system and performs
OAM tasks
Figure 33: Scalable Deployment Physical View (“Scalable Mode” SDC node with 12 blades, placed between the clients backbone and the servers backbone, with external network interconnect and management network)
Figure 34: Scalable Deployment Logical View (HA cluster with Config Mgr, shared memory, SDC Engines, FEP-I and FEP-O front ends, Web UI and SOAP)
Figure 35: Main Software Processes (VIP, Web Interface, Config Mgr, SDC Engine, Distributed Storage, EMS Agent)
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The clustering solution provides Virtual IP (VIP) support. All
Diameter clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the standby node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36: Hot-Standby HA architecture (two nodes, each with SDC Core, Configuration Manager and Web UI/WS, sharing a Diameter VIP and a Management VIP, with session replication between the nodes)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster “Scalable Services”
• Linux IPVS
Figure 37: Scalable N+K HA architecture (normal operation)
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
a. Incoming client requests are directed to a single floating IP Address.
b. The floating IP Address is assigned to a “Global Interface” (“GIF”). The
Global Interface and floating IP Address are managed by the Cluster
software. The “Global Interface” is held by one system node (server) at one time.
c. The request is received by the system node currently holding the “Global
Interface”.
2) The request is redirected
a. The request is redirected to the least loaded available node using Round-Robin
load-balancing policy.
b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node.
c. If no suitable node is currently available, the original node which received
the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
a. The request is handled by the node to which it was redirected, and a reply is
sent to the client. The source address in the reply packet is set to the floating
IP Address of the Global Interface.
In case of a system failure in the server holding the “Global Interface”, the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38: Scalable N+K HA architecture (failure operation)
For ease of network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address
(VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer-to-peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s
components (“scalable deployment” is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI, WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.

Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6482
SIGNALING DELIVERY CONTROLLER
Product Description
64
wwwtraffixsystemscom
113 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 102) in each geographical location site Each of the locally redundant
SDC clusters exposes one or more VIP address(es) as depicted in the following figure
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-
Active or Active-Standby Replication of routing and session tables is supported in both
modes Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6582
SIGNALING DELIVERY CONTROLLER
Product Description
65
wwwtraffixsystemscom
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6682
SIGNALING DELIVERY CONTROLLER
Product Description
66
wwwtraffixsystemscom
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites Diameter session data includes the following
bull Destination Peer
bull Pool name
bull Origin Peer
bull Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data
An SDC node which receives a request may handle the request or proxy the request to a
remote site Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request as depicted below
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic Updates are streamed to the receiving system without expecting
acknowledgment In asynchronous mode the replication latency has no impact on the
system latency but it does affect the eventual consistency For example when the
replication latency is 10ms and each site handles 30K TPS where 5K TPS is a new session
and there are up to 100 TPS of routing updates the following calculation is performed
Lost updates= 101000 (5000 + 500) =~ 55 updates Security
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6782
SIGNALING DELIVERY CONTROLLER
Product Description
67
wwwtraffixsystemscom
Traffix Systems realizes that security is vital to assure availability integrity and
confidentiality of the operatorrsquos signaling network SDC provides multi-level security
features that are described in the following sections
114 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in
the direction of the peers The VIP is used as a single point of attachment for all peers
connected to the SDC node
To prevent DOS attack the solution limit external networksrsquo access to port 3868 and other
agreed ports The solution uses IPTABLES to protect the network from intrusion attempts
115 Diameter connection security
The SDC solution limits the number of incoming clients and network sources The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address host namesubnet application-id product-type etc Additionally the
solution provides the user with the ability to implement a custom access policy The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic
The solution uses IPSEC TLS and DTLS to implement transport level security
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
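The CER-based connection ACL and the message screening described in the two sections above, sketched as an added example (this is not Traffix code): a minimal RFC 6733 parser enforces a maximum message length, a first-match ACL accepts or rejects a CER by peer subnet and AVP values, and a screening pass drops Route-Record and replaces Origin-Host/Origin-Realm. The ACL rule format, the 1024-byte limit, the HMAC pseudonym scheme, the choice of Route-Record as the AVP to remove, and all host names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# AVP and command codes from RFC 6733.
AUTH_APP_ID, ORIGIN_HOST, PRODUCT_NAME, ROUTE_RECORD, ORIGIN_REALM = 258, 264, 269, 282, 296
CER, FLAG_REQUEST, FLAG_VENDOR = 257, 0x80, 0x80
MAX_MSG_LEN = 1024  # assumed operator limit, not an SDC default
S6A = 16777251      # 3GPP S6a application id, used in the constructed samples
# Constructed ACL (hypothetical rule format): first match wins, unmatched peers are rejected.
ACL = [
    {"action": "REJECT", "product": "LabProbe"},
    {"action": "ACCEPT", "subnet": "10.20.0.0/16", "realm": "epc.example.net", "app_id": S6A},
]


def encode_avp(code, data, flags=0x40, vendor=None):
    """Encode one AVP: code, flags, 24-bit length, optional Vendor-Id, data, padding."""
    vend = b"" if vendor is None else struct.pack("!I", vendor)
    length = 8 + len(vend) + len(data)  # the length field excludes padding
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + vend + data + b"\x00" * (-length % 4)


def encode_msg(header, avps):
    """header is (flags, command, app_id, hop_by_hop, end_to_end)."""
    flags, cmd, app_id, hbh, e2e = header
    body = b"".join(encode_avp(*a) for a in avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)


def decode_msg(raw, max_len=MAX_MSG_LEN):
    """Parse a message, enforcing the length limit before any AVP is touched."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message exceeds maximum length")
    if length != len(raw) or length % 4:
        raise ValueError("length field does not match message")
    header = (raw[4], int.from_bytes(raw[5:8], "big"), *struct.unpack("!III", raw[8:20]))
    avps, off = [], 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", raw[off:off + 5])
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8
        if alen < hdr or off + alen > length:
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack("!I", raw[off + 8:off + 12])[0] if hdr == 12 else None
        avps.append((code, raw[off + hdr:off + alen], flags, vendor))
        off += alen + (-alen % 4)  # skip padding to the next 4-byte boundary
    return header, avps


def check_cer(raw, peer_ip, acl=ACL):
    """Return ACCEPT or REJECT for a new connection from its peer address and CER AVPs."""
    try:
        (flags, cmd, *_), avps = decode_msg(raw)
    except ValueError:
        return "REJECT"  # malformed or oversized messages never reach the ACL
    if cmd != CER or not flags & FLAG_REQUEST:
        return "REJECT"

    def first(code):
        return next((d for c, d, *_ in avps if c == code), b"").decode("utf-8", "replace")

    apps = {int.from_bytes(d, "big") for c, d, *_ in avps if c == AUTH_APP_ID}
    for rule in acl:
        net = rule.get("subnet")
        if net and ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(net):
            continue
        if "realm" in rule and rule["realm"] != first(ORIGIN_REALM):
            continue
        if "product" in rule and rule["product"] != first(PRODUCT_NAME):
            continue
        if "app_id" in rule and rule["app_id"] not in apps:
            continue
        return rule["action"]
    return "REJECT"


def screen_outgoing(raw, key, public_realm):
    """Drop Route-Record AVPs and replace Origin-Host/Origin-Realm with edge-facing values."""
    header, avps = decode_msg(raw)
    out = []
    for code, data, flags, vendor in avps:
        if code == ROUTE_RECORD:
            continue  # lists the internal hops the message passed through
        if code == ORIGIN_HOST:
            # Keyed pseudonym: stable per internal host, not reversible without the key.
            tag = hmac.new(key, data, hashlib.sha256).hexdigest()[:12]
            data = f"h-{tag}.{public_realm}".encode()
        elif code == ORIGIN_REALM:
            data = public_realm.encode()
        out.append((code, data, flags, vendor))
    return encode_msg(header, out)


def sample_msg(cmd=CER, product=b"SampleMME"):
    """Constructed request for the demo; every name and value here is made up."""
    avps = [(ORIGIN_HOST, b"mme01.pod3.core.internal"), (ORIGIN_REALM, b"epc.example.net"),
            (PRODUCT_NAME, product), (AUTH_APP_ID, struct.pack("!I", S6A)),
            (ROUTE_RECORD, b"dra7.pod3.core.internal")]
    return encode_msg((FLAG_REQUEST, cmd, 0, 0x1111, 0x2222), avps)


if __name__ == "__main__":
    print(check_cer(sample_msg(), "10.20.4.9"), check_cer(sample_msg(), "192.0.2.7"))
    screened = screen_outgoing(sample_msg(cmd=316), b"constructed-key", "edge.example.net")
    for code, data, *_ in decode_msg(screened)[1]:
        print(code, data)
```

Because the pseudonym is keyed and deterministic, answers and later requests from the same internal host still correlate at the peer while the real host name stays inside the network.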
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58.
More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
[Figure labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
Figure 35 Main Software Processes
[Figure labels: SDC Blade X; VIP (Active); Web Interface; Config Mgr; SDC Engine; Distributed Storage; EMS Agent]
11.2 Local Redundancy and Scalability
The SDC solution supports Hot/Standby and N+1 redundancy models. In both models, any
failure on the SDC side is transparent to both client and server peers and does not require
any manual intervention or reconfiguration of the nodes.
Hot/Standby deployment
In the Hot/Standby model, shown in Figure 36, SDC is deployed using two servers in a
standard clustering solution. The Clustering solution provides Virtual IP (VIP) support. All
Diameter Clients connect to a Virtual IP address of the cluster, which resides in the active
node. All Diameter traffic is handled by the active node, and the data required for
maintenance of sessions and state persistence is replicated to the standby node. The
components of the local redundancy mode deployment are shown in the figure below.
In case of an active node failure, the Virtual IP fails over to the Standby Node, and from this
point all traffic is handled by the standby node. The failover is transparent to both clients
and servers.
Once the failed node is restored, the traffic remains on the active node while the node
returning to operation acts as a backup node. Automatic failback is also supported. The
session data required for maintenance of the session persistence is automatically replicated
to the backup node.
Figure 36 Hot-Standby HA architecture
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes
one of the following mechanisms to distribute incoming traffic among available SDC
nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture: Normal operation
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The
      Global Interface and floating IP Address are managed by the Cluster
      software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global
      Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-
      Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
      available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received
      the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is
      sent to the client. The source address in the reply packet is set to the floating
      IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface
automatically relocates to the next available server. This is managed by the cluster
software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture: Failure operation
To ease network integration, the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution's
components ("scalable deployment" is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.

Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6782
SIGNALING DELIVERY CONTROLLER
Product Description
67
wwwtraffixsystemscom
Traffix Systems realizes that security is vital to assure availability integrity and
confidentiality of the operatorrsquos signaling network SDC provides multi-level security
features that are described in the following sections
114 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIP (Virtual IP) in
the direction of the peers The VIP is used as a single point of attachment for all peers
connected to the SDC node
To prevent DOS attack the solution limit external networksrsquo access to port 3868 and other
agreed ports The solution uses IPTABLES to protect the network from intrusion attempts
115 Diameter connection security
The SDC solution limits the number of incoming clients and network sources The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address host namesubnet application-id product-type etc Additionally the
solution provides the user with the ability to implement a custom access policy The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic
The solution uses IPSEC TLS and DTLS to implement transport level security
116
Diameter message security
SDC limits and enforces maximal Diameter message length and for Diameter message
screening The SDC solution allows
- removing certain AVP(s) than can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns to comply with legal requirements of the
network and to avoid exposing of information contained in the AVP(s) like
Session-Id Origin-Host Origin-Realm etc
- using encryption mechanism for encodingdecoding of payload of AVP(s)
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6882
SIGNALING DELIVERY CONTROLLER
Product Description
68
wwwtraffixsystemscom
117 OSSystem security
SDC uses commercially available RHEL distribution During system installation unused
modules are removed or disabled and portsrsquo usage is restricted
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendation for OS and application hardening as described
in the following documentation
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5Revision 41 February 28 2011
118 Network Level Security
SDC applies the following network level security
- IPTABLES are used to protect the system eg to block non-Diameter traffic on
Inland interfaces
- signaling and OAM networks are separated as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6982
SIGNALING DELIVERY CONTROLLER
Product Description
69
wwwtraffixsystemscom
12 Networking
121
Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for OampAM) and NIC bonding for TCP or
multi-homing SCTP
The local redundancy architecture as shown in Figure 43 is achieved in the following
way
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Blade Chassis
SDC WorkerNode
[Virtual Fabric Switch 2] External Ports10 x 10GbE + 1 x 1GB port
SDC WorkerNode
[L23 1GB Copper Switch A]
[L23 1GB Copper Switch B]
EXT-SCTP-A
EXT-SCTP-B
EXT-TCP-A
EXT-TCP
INT-SCTP-A
INT-SCTP-B
INT-TCP
Interswitch
Link
MGMT-A MGMT-B
[Virtual Fabric Switch 1] External Ports10 x 10GbE + 1 x 1GB port
INBAND
Connections to
upstream Routers
Interswitch
Link
SDC WorkerNode
TCP Vs S TCP Vs TCP VsS S S S S
S T S S T S
Virtual IP
For SCTP and TCP (all
VIPs are doubled per
Internal and ExternalNetworks
Figure 43 Local Network redundancy architecture
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7082
SIGNALING DELIVERY CONTROLLER
Product Description
70
wwwtraffixsystemscom
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
Figure 58 Detailed System Flow (diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit wwwtraffixsystemscom
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
session data required for maintenance of the session persistence is automatically replicated
to the backup node
Figure 36 Hot-Standby HA architecture (diagram: client peer, server peer and management workstation connected to Node 1 and Node 2, each with SDC Core, Configuration Manager, Web UI/WS, Diameter VIP and Management VIP, with session replication between the nodes)
N+K Scalable service deployment
In Scalable Active-Active (N+K) deployment mode, as shown in Figure 37, SDC utilizes one of the following mechanisms to distribute incoming traffic among available SDC nodes and to provide service redundancy:
• Solaris Cluster "Scalable Services"
• Linux IPVS
Figure 37 Scalable N+K HA architecture Normal operation (diagram: client and management workstation connected to three SDC nodes, each with a physical IP, Diameter VIP and Management VIP; Configuration Manager on two nodes; session replication between nodes; flow steps numbered 1 to 3)
Normal Operation Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
Figure 38 Scalable N+K HA architecture Failure operation (diagram: the same client, management workstation and three SDC nodes as in Figure 37, with flow steps numbered 1 to 3 during a node failure)
For ease of the network integration types the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface
In Active/Active mode the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):

| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS Service and VIP | Failover (Active/Multiple standbys) | 1 | Runs on one system node, failover in case of node failure |
| CPF VIP | Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |

In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.

Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware - RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |

Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |

Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |

Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41 respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, where 5K TPS is a new session and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates

Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses iptables to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s) like Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
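The CER screening described in section 11.5 and the message-length enforcement from section 11.6, sketched as an added example; this is not SDC code or its configuration syntax. The rule format, the `MAX_MESSAGE_LENGTH` value, the function names and all host names and addresses are assumptions constructed for the illustration.

```python
import ipaddress
import struct

CER_COMMAND = 257                      # Capabilities-Exchange command code (RFC 6733)
ORIGIN_HOST, ORIGIN_REALM = 264, 296   # base-protocol AVP codes
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, PRODUCT_NAME = 257, 258, 269
MAX_MESSAGE_LENGTH = 4096              # assumed limit, not an SDC default

# Constructed policy (hypothetical rule format): first match wins, default is REJECT.
ACL_RULES = [
    {"action": "REJECT", "product": "TestTool"},
    {"action": "ACCEPT", "subnet": "192.0.2.0/24", "realm": "operator.example",
     "app_id": 16777251},              # 16777251 is the 3GPP S6a application
]


def encode_avp(code, data, flags=0x40):
    """Encode one AVP without a Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(origin_host, origin_realm, host_ip, app_id, product):
    """Build a constructed sample CER so the example runs offline."""
    addr = ipaddress.ip_address(host_ip)
    family = struct.pack("!H", 1 if addr.version == 4 else 2)
    avps = b"".join([
        encode_avp(ORIGIN_HOST, origin_host.encode()),
        encode_avp(ORIGIN_REALM, origin_realm.encode()),
        encode_avp(HOST_IP_ADDRESS, family + addr.packed),
        encode_avp(AUTH_APPLICATION_ID, struct.pack("!I", app_id)),
        encode_avp(PRODUCT_NAME, product.encode(), flags=0x00),
    ])
    header = (b"\x01" + (20 + len(avps)).to_bytes(3, "big") + b"\x80"
              + CER_COMMAND.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
    return header + avps


def parse_cer(message):
    """Validate the Diameter header and return {avp_code: [raw values]}."""
    if len(message) < 20 or message[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(message[1:4], "big")
    if length != len(message) or length % 4 or length > MAX_MESSAGE_LENGTH:
        raise ValueError("inconsistent or oversized message length")
    if int.from_bytes(message[5:8], "big") != CER_COMMAND or not message[4] & 0x80:
        raise ValueError("not a Capabilities-Exchange-Request")
    avps, offset = {}, 20
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", message, offset)
        avp_len = int.from_bytes(message[offset + 5:offset + 8], "big")
        header_len = 12 if flags & 0x80 else 8      # V flag adds a Vendor-Id
        if avp_len < header_len or offset + avp_len > length:
            raise ValueError("AVP length out of bounds")
        if not flags & 0x80:                        # the policy uses base AVPs only
            value = bytes(message[offset + header_len:offset + avp_len])
            avps.setdefault(code, []).append(value)
        offset += avp_len + (-avp_len % 4)
    return avps


def evaluate_cer(peer_ip, message, rules=ACL_RULES):
    """Return 'ACCEPT' or 'REJECT' for a CER arriving from transport address peer_ip."""
    try:
        avps = parse_cer(message)
        source = ipaddress.ip_address(peer_ip)
        avps[ORIGIN_HOST][0].decode("ascii")        # mandatory AVP must be present
        realm = avps[ORIGIN_REALM][0].decode("ascii").lower()
        product = avps[PRODUCT_NAME][0].decode("utf-8")
        app_ids = {struct.unpack("!I", v)[0] for v in avps.get(AUTH_APPLICATION_ID, [])}
    except (ValueError, KeyError, struct.error):
        return "REJECT"      # malformed or incomplete CERs never reach the rules
    for rule in rules:
        if "subnet" in rule and source not in ipaddress.ip_network(rule["subnet"]):
            continue
        if "realm" in rule and realm != rule["realm"]:
            continue
        if "product" in rule and product != rule["product"]:
            continue
        if "app_id" in rule and rule["app_id"] not in app_ids:
            continue
        return rule["action"]
    return "REJECT"
```

The subnet criterion is checked against the transport source address rather than the Host-IP-Address AVP, because the AVP is only what the peer claims about itself.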
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and port usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- iptables are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture as shown in Figure 43 is achieved in the following
way
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Blade Chassis
SDC WorkerNode
[Virtual Fabric Switch 2] External Ports10 x 10GbE + 1 x 1GB port
SDC WorkerNode
[L23 1GB Copper Switch A]
[L23 1GB Copper Switch B]
EXT-SCTP-A
EXT-SCTP-B
EXT-TCP-A
EXT-TCP
INT-SCTP-A
INT-SCTP-B
INT-TCP
Interswitch
Link
MGMT-A MGMT-B
[Virtual Fabric Switch 1] External Ports10 x 10GbE + 1 x 1GB port
INBAND
Connections to
upstream Routers
Interswitch
Link
SDC WorkerNode
TCP Vs S TCP Vs TCP VsS S S S S
S T S S T S
Virtual IP
For SCTP and TCP (all
VIPs are doubled per
Internal and ExternalNetworks
Figure 43 Local Network redundancy architecture
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7082
SIGNALING DELIVERY CONTROLLER
Product Description
70
wwwtraffixsystemscom
122 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables
HP BladeSystem c7000 Chassis
Network Switch Interface
Speed
Port
Count
Connector
type
Description
Data Signaling HP Virtual
Connect Flex-10
Module
10GbE (or
1GbE)
6 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling (Diameter
SIP etc)
2 NA HP VC Flex-10 Stacking
Links (no cables required)
HP Virtual
Connect Flex-10
Module
10GbE (or
1GbE)
6 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling (Diameter
SIP etc)
2 NA HP VC Flex-10 Stacking
Links (no cables required)
OAM-OS
Management and
Backup Network
Connection
HPBNT GbE2c
L23 Switch 1
1GbE 5 Ethernet
Copper RJ45
Connection to Management
andor Backup Networks
HPBNT GbE2c
L23 Switch 1
1GbE 5 Ethernet
Copper RJ45
Connection to Management
andor Backup Networks
OAM-LOM
Chassis
Hardware and
Switch (ldquoLights-
Outrdquo)
Management and
Monitoring
HP Onboard
Administrator
Module 1
1GbE 1 Ethernet
Copper RJ45
Connection to Management
Network for Chassis
Hardware and Switch
(ldquoLights-Outrdquo) Management
and Monitoring
HP Onboard
Administrator
Module 2
1GbE 1 Ethernet
Copper RJ45
Connection to Management
Network for Chassis
Hardware and Switch
(ldquoLights-Outrdquo) Management
and Monitoring
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7182
SIGNALING DELIVERY CONTROLLER
Product Description
71
wwwtraffixsystemscom
IBM BladeSystem HT Chassis
Network Switch Interface
Speed
Port
Count
Connector
type
Description
Data Signaling IBMBNT
Virtual
Fabric
Switch 1
10GbE (or
1GbE)
8 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling
(Diameter SIP etc)
2 Passive DAC
10GbE
IBMBNT Virtual Fabric
Stacking Links (DAC
cables included)
IBMBNT
Virtual
Fabric
Switch 1
10GbE (or
1GbE)
8 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling
(Diameter SIP etc)
2 Passive DAC
10GbE
IBMBNT Virtual Fabric
Stacking Links (DAC
cables included)
OAM-OS
Management and
Backup Network
Connection
IBMBNT
L23 Switch
1
1GbE 4 Ethernet
Copper RJ45
Connection to
Management andor
Backup Networks
2 Ethernet
Copper RJ45
Management Switch
Interconnect (when
connecting to
VRRPHSRP Routers)
IBMBNT
L23 Switch
2
1GbE 4 Ethernet
Copper RJ45
Connection to
Management andor
Backup Networks
2 Ethernet
Copper RJ45
Management Switch
Interconnect (when
connecting to
VRRPHSRP Routers)
OAM-LOM
Chassis Hardware
and Switch
(ldquoLights-Outrdquo)
Management and
IBM
Advanced
Management
Module 1
100Mbps 1 Ethernet
Copper RJ45
Connection to
Management Network
for Chassis Hardware
and Switch (ldquoLights-
Outrdquo) Management and
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7282
SIGNALING DELIVERY CONTROLLER
Product Description
72
wwwtraffixsystemscom
Monitoring Monitoring
IBMAdvanced
Management
Module 2
100Mbps 1 EthernetCopper RJ45
Connection toManagement Network
for Chassis Hardware
and Switch (ldquoLights-
Outrdquo) Management and
Monitoring
123 Addressing Scheme
SDC supports the following default scheme of IP addressing Detailed networking design isdone after Site Survey and Customer Workshop
Failure Type Automatic Remedy Action
Data Signaling 4 IP Addresses per Signaling Interface (eg Diameter)
Note
bull Additional addresses per signaling interfaces are
supported
bull Multiple signaling interfaces are supported
bull Multiple Networks andor VLANs supported
bull IPv4 and IPv6 are supported
bull SCTP Multi-Homing Supported
bull If Traffix Solution is required to perform L3 routing 3
addresses per subnet will be required for (for VRRP
Switch Redundancy)
OAM
Management and Backup Network
Connection
One IP Address per hardware blade plus one Management VIP (4
addresses in the baseline chassis configuration)
bull Additional Management VIPs are supported
bull Multiple addresses per blade are supported
bull Multiple Networks andor VLANs supported eg
dedicated Management and Backup Interface
bull Additional addresses will be required for a dedicated
Backup Network connection
OAM-LOM
Chassis Hardware and Switch
(ldquoLights-Outrdquo) Management and
Monitoring
Six (6) IP Addresses
bull 2 for Advanced Management Modules
bull 4 for Switch Management
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7382
SIGNALING DELIVERY CONTROLLER
Product Description
73
wwwtraffixsystemscom
13 HW Architecture and Performance
131
Supported HW
SDC runs on standard off-the-shelf HW such as
bull HP Blade System with Bl460c Gen8 Blades
bull HP DL380p Gen8 Rackmount Servers
bull IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability reliability and
redundancy
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7482
SIGNALING DELIVERY CONTROLLER
Product Description
74
wwwtraffixsystemscom
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
[Figure 58: Detailed System Flow. Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table. Legend: Message Flow; Decision Flow; Groovy Scripting.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high-capacity, high-performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
[Figure 37: Scalable N+K HA architecture, normal operation. Diagram labels: Client; Management Workstation; Diameter VIP; Management VIP; Physical IP; Node 1 and Node 2 (SDC, Web UI/WS, Configuration Manager); Session Replication; numbered flow steps 1 to 3.]
Normal Operation: Scalable and Highly-Available Request Processing Flow
1) Incoming Request
   a. Incoming client requests are directed to a single floating IP Address.
   b. The floating IP Address is assigned to a "Global Interface" ("GIF"). The Global Interface and floating IP Address are managed by the Cluster software. The "Global Interface" is held by one system node (server) at one time.
   c. The request is received by the system node currently holding the "Global Interface".
2) The request is redirected
   a. The request is redirected to the least loaded available node using Round-Robin load-balancing policy.
   b. Weighted Round-Robin and Sticky Round-Robin load-balancing policies are available for the selection of a suitable node.
   c. If no suitable node is currently available, the original node which received the incoming request may also handle the request.
3) The request is handled and a Reply is sent to the Client
   a. The request is handled by the node to which it was redirected, and a reply is sent to the client. The source address in the reply packet is set to the floating IP Address of the Global Interface.
In case of a system failure in the server holding the "Global Interface", the interface automatically relocates to the next available server. This is managed by the cluster software.
Operation during Node Failure
[Figure 38: Scalable N+K HA architecture, failure operation. Diagram labels: Client; Management Workstation; Diameter VIP; Management VIP; Physical IP; Node 1 and Node 2 (SDC, Web UI/WS, Configuration Manager); Session Replication; numbered flow steps 1 to 3.]
For ease of network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution's components ("scalable deployment" is assumed):
| Component/Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI/WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (In scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy
| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; "is running" check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (In scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10 ms and each site handles 30K TPS, where 5K TPS are new sessions and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = (10 / 1000) × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator's signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other agreed ports. The solution uses iptables to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in AVP(s) such as Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
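The CER access-control decision from "Diameter connection security" and the length limit and AVP screening from "Diameter message security", as an added Python example over the RFC 6733 wire format (not SDC code or SDC configuration). The rule format, the 4096-byte limit, the HMAC-based pseudonym and every sample name and address are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_APPLICATION_ID, ORIGIN_HOST, PRODUCT_NAME = 258, 264, 269  # RFC 6733 AVP codes
ROUTE_RECORD, ORIGIN_REALM = 282, 296
CAPABILITIES_EXCHANGE = 257  # command code of CER/CEA
MAX_MESSAGE_LEN = 4096  # assumed operator limit, not a documented SDC default


def encode_message(flags, cmd, app_id, hbh, e2e, avps):
    """Serialize a header plus [(code, avp_flags, payload), ...], padding AVPs to 4 bytes."""
    body = b""
    for code, avp_flags, payload in avps:
        length = 8 + len(payload)  # the AVP length field excludes padding
        body += struct.pack("!IB3s", code, avp_flags, length.to_bytes(3, "big"))
        body += payload + b"\x00" * (-length % 4)
    return struct.pack("!B3sB3sIII", 1, (20 + len(body)).to_bytes(3, "big"), flags,
                       cmd.to_bytes(3, "big"), app_id, hbh, e2e) + body


def decode_message(raw, max_len=MAX_MESSAGE_LEN):
    """Parse one message; the length limit is enforced before any AVP is read."""
    total = int.from_bytes(raw[1:4], "big")
    if total > max_len:
        raise ValueError("message longer than the configured maximum")
    if raw[:1] != b"\x01" or total != len(raw) or total < 20 or total % 4:
        raise ValueError("malformed Diameter header")
    _, _, flags, cmd, app_id, hbh, e2e = struct.unpack_from("!B3sB3sIII", raw)
    avps, pos = [], 20
    while pos < total:
        if total - pos < 8:
            raise ValueError("truncated AVP header")
        code, avp_flags, length = struct.unpack_from("!IB3s", raw, pos)
        length = int.from_bytes(length, "big")
        if length < 8 or pos + length > total:
            raise ValueError("AVP length out of bounds")
        # For vendor AVPs (V bit, 0x80) the payload kept here still starts with Vendor-Id.
        avps.append((code, avp_flags, raw[pos + 8:pos + length]))
        pos += length + (-length % 4)
    return flags, int.from_bytes(cmd, "big"), app_id, hbh, e2e, avps


def base_values(avps, code):
    """Payloads of base-protocol AVPs (V bit clear) carrying the given code."""
    return [p for c, f, p in avps if c == code and not f & 0x80]


def cer_acl_decision(raw, peer_ip, rules):
    """Action of the first rule whose criteria all match the CER; default REJECT."""
    try:
        flags, cmd, _, _, _, avps = decode_message(raw)
    except ValueError:
        return "REJECT"
    if cmd != CAPABILITIES_EXCHANGE or not flags & 0x80:  # must be a request
        return "REJECT"
    seen = {
        "realm": {p.decode("ascii", "replace").lower() for p in base_values(avps, ORIGIN_REALM)},
        "product": {p.decode("utf-8", "replace") for p in base_values(avps, PRODUCT_NAME)},
        "app_id": {int.from_bytes(p, "big") for p in base_values(avps, AUTH_APPLICATION_ID)},
    }
    for rule in rules:
        if "subnet" in rule and ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule["subnet"]):
            continue
        if all(rule[key] in seen[key] for key in seen if key in rule):
            return rule["action"]
    return "REJECT"


def screen_outgoing(raw, key, public_realm):
    """Drop Route-Record and replace Origin-Host/Origin-Realm before forwarding."""
    flags, cmd, app_id, hbh, e2e, avps = decode_message(raw)
    out = []
    for code, avp_flags, payload in avps:
        base = not avp_flags & 0x80
        if base and code == ROUTE_RECORD:
            continue  # lists the internal hops the request already traversed
        if base and code == ORIGIN_HOST:
            # Keyed pseudonym: stable per host, so answers can still be correlated.
            tag = hmac.new(key, payload, hashlib.sha256).hexdigest()[:12]
            payload = f"h-{tag}.{public_realm}".encode("ascii")
        elif base and code == ORIGIN_REALM:
            payload = public_realm.encode("ascii")
        out.append((code, avp_flags, payload))
    return encode_message(flags, cmd, app_id, hbh, e2e, out)


# Constructed sample data: documentation addresses and example.net names only.
S6A = 16777251  # 3GPP S6a/S6d application id
IDENTITY = [(ORIGIN_HOST, 0x40, b"mme01.core.example.net"),
            (ORIGIN_REALM, 0x40, b"core.example.net")]
SAMPLE_CER = encode_message(0x80, CAPABILITIES_EXCHANGE, 0, 1, 1, IDENTITY + [
    (AUTH_APPLICATION_ID, 0x40, S6A.to_bytes(4, "big")), (PRODUCT_NAME, 0x00, b"ExampleMME")])
SAMPLE_REQUEST = encode_message(0xC0, 316, S6A, 7, 9, IDENTITY + [  # 316 = Update-Location
    (ROUTE_RECORD, 0x40, b"dra-int-2.core.example.net")])
RULES = [{"product": "LabSimulator", "action": "REJECT"},
         {"subnet": "192.0.2.0/24", "realm": "core.example.net", "app_id": S6A, "action": "ACCEPT"}]
```

Session-Id usually embeds the originating host name as well, so a deployment that hides Origin-Host would need to rewrite it consistently in both directions; the sketch leaves it untouched.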
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled, and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- iptables rules are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and Web GUI listen only on the OAM network
- Idle OAM connections are terminated
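One way to check a host against the packet-filter claims above (port 3868 limited to agreed sources, non-Diameter traffic blocked on signaling interfaces, SSH and Web GUI reachable only from the OAM network), as an added Python example that audits `iptables-save` output; it is not an SDC tool. The interface names, the Web UI port 8443, the subnets and both rule sets are constructed assumptions.

```python
import shlex

DIAMETER_PORTS = {3868}
MGMT_PORTS = {22, 8443}  # SSH plus an assumed Web UI port


def expand_ports(spec):
    """Expand an iptables port spec such as '22', '22,8443' or '3868:3870'."""
    ports = set()
    for part in spec.split(","):
        low, sep, high = part.partition(":")
        first = int(low or 0)
        last = int(high) if high else (65535 if sep else first)
        ports.update(range(first, last + 1))
    return ports


def audit_input_chain(dump, signaling_ifaces, oam_ifaces):
    """Return findings for ACCEPT rules in the filter INPUT chain of an iptables-save dump."""
    table, policy, findings = None, None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        if table != "filter" or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2:], tok[3:]))  # maps every option to the token after it
        if opts.get("-j") != "ACCEPT" or opts.get("-i") == "lo":
            continue
        if "!" in tok:
            findings.append(f"negated match, review by hand: {line}")
            continue
        if "NEW" not in opts.get("--ctstate", "NEW").split(","):
            continue  # only admits packets of flows that another rule already allowed
        iface = opts.get("-i")
        spec = opts.get("--dport") or opts.get("--dports")
        ports = expand_ports(spec) if spec else set(range(65536))
        if (iface is None or iface in signaling_ifaces) and not ports <= DIAMETER_PORTS:
            findings.append(f"non-Diameter traffic accepted on a signaling interface: {line}")
        if ports & DIAMETER_PORTS and "-s" not in opts:
            findings.append(f"Diameter port open to any source: {line}")
        if ports & MGMT_PORTS and iface not in oam_ifaces:
            findings.append(f"management port reachable outside the OAM network: {line}")
    if policy != "DROP":
        findings.append(f"INPUT default policy is {policy}, expected DROP")
    return findings


# Constructed rule sets: eth0 is the assumed OAM interface, eth1 the signaling interface.
HARDENED = """
*mangle
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -i eth1 -p tcp -m tcp --dport 3868 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -i eth1 -p sctp -m sctp --dport 3868 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -i eth0 -p tcp -m multiport --dports 22,8443 -j ACCEPT
COMMIT
"""
WEAK = """
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 3868 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_input_chain(dump, {"eth1"}, {"eth0"}))
```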
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load-balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. Diagram labels: Blade Chassis; SDC Worker Node (three); Virtual Fabric Switch 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and B; EXT-SCTP-A; EXT-SCTP-B; EXT-TCP-A; EXT-TCP; INT-SCTP-A; INT-SCTP-B; INT-TCP; MGMT-A; MGMT-B; INBAND; Interswitch Link; connections to upstream routers; Virtual IP for SCTP and TCP (all VIPs are doubled per Internal and External Networks).]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after the Site Survey and Customer Workshop.
Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs are supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing is supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)
OAM (Management and Backup Network Connection): One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs are supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM (Chassis Hardware and Switch "Lights-Out" Management and Monitoring): Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
Page 59
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 5982
SIGNALING DELIVERY CONTROLLER
Product Description
59
wwwtraffixsystemscom
a Incoming client requests are directed to a single floating IP Address
b The floating IP Address is assigned to a ldquoGlobal Interfacerdquo (ldquoGIFrdquo) The
Global Interface and floating IP Address are managed by the Cluster
software The ldquoGlobal Interfacerdquo is held by one system node (server) at onetime
c The request is received by the system node currently holding the ldquoGlobal
Interfacerdquo
2) The request is redirected
a The request is redirected to the least loaded available node using Round-
Robin load-balancing policy
b Weighted Round-Robin and Sticky Round-Robin load-balancing policies are
available for the selection of a suitable node
c If no suitable node is currently available - the original node which received
the incoming request - may also handle the request
3) The request is handled and a Reply is sent to the Client
a The request is handled by the node to which it was redirected and a reply is
sent to the client The source address in the reply packet is set to the floating
IP Address of the Global Interface
In case of a system failure in the server holding the ldquoGlobal Interfacerdquo the interface
automatically relocates to the next available server This is managed by the cluster
software
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6082
SIGNALING DELIVERY CONTROLLER
Product Description
60
wwwtraffixsystemscom
[Figure 38: Scalable N+K HA architecture, failure operation. Diagram titled "Operation during Node Failure" showing the cluster nodes (SDC, Web UI WS, Configuration Manager), the Diameter VIP and Management VIP, the physical IPs, session replication, Client1 and the Management Workstation.]
To ease network integration, the system may be configured to issue outgoing Diameter connections from the floating address of the Global Interface.
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address (VIP) toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of the solution and the server peers. The above architecture provides fast response upon any failure event that occurs within the system. It is also possible to aggregate the connections to servers, having a peer-to-peer connection from the solution cluster to each of the Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it to execute failovers from one functional unit to the other in a very short time, measured in milliseconds.
The following table summarizes the different mechanisms used for the solution components (“scalable deployment” is assumed):
| Component / Service | HA Model | Maximum Concurrent Active Instances | Comments |
|---|---|---|---|
| SDC | Active/Active | N | One instance per node |
| Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes performing mutual updates on configuration changes |
| Distributed Store | Active/Active | N | One instance per node |
| Web UI WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure |
| CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys |
In the geographic deployment, each SDC cluster provides one VIP per site towards Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and hardware, that is, to extend the mean time between failures (MTBF) and shorten the recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are also called redundant components. For further analysis on failure detection and recovery, please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP: ICMP Probe IP Address monitoring; Linux Bonding: ARP Probe Address monitoring; (Network Switch Redundancy) | Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as described in section 10.2) in each geographical location site. Each of the locally redundant SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy, Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-Active or Active-Standby. Replication of routing and session tables is supported in both modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure 41, respectively.
Figure 40: Geographical redundancy, Active-Standby deployment mode
Figure 41: Geographical redundancy, Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a remote site. Proxying the request is performed when the session is unknown to the local site and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the replication data traffic. Updates are streamed to the receiving system without expecting acknowledgment. In asynchronous mode, the replication latency has no impact on the system latency, but it does affect the eventual consistency. For example, when the replication latency is 10ms and each site handles 30K TPS, of which 5K TPS are new sessions, and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and confidentiality of the operator’s signaling network. SDC provides multi-level security features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in the direction of the peers. The VIP is used as a single point of attachment for all peers connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the solution provides the user with the ability to implement a custom access policy. The user can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both Diameter and management traffic.
The solution uses IPsec, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and mitigate privacy and security concerns, to comply with legal requirements of the network, and to avoid exposing information contained in the AVP(s), such as Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
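The CER-based ACCEPT/REJECT decision from the Diameter connection security section, combined with the maximum-message-length check from the Diameter message security section, as an added Python example (not SDC code or configuration). The policy layout, peer names, realm, subnet and limit are constructed for illustration, the wire format follows RFC 6733, and only top-level Auth-Application-Id AVPs are inspected.

```python
import ipaddress
import struct

# AVP and command codes from RFC 6733.
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, ORIGIN_HOST = 257, 258, 264
PRODUCT_NAME, ORIGIN_REALM, CER_COMMAND = 269, 296, 257

# Hypothetical policy layout for this example; not SDC configuration syntax.
POLICY = {
    "max_length": 4096,                                # bytes, assumed limit
    "realms": {"epc.example.net"},
    "subnets": [ipaddress.ip_network("10.20.0.0/24")],
    "applications": {16777251},                        # 3GPP S6a
    "products": {"ExampleMME"},
}


def build_avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_cer(host, realm, ip, app_id, product):
    """Build a constructed CER (sample input, IPv4 only)."""
    avps = b"".join([
        build_avp(ORIGIN_HOST, host.encode()),
        build_avp(ORIGIN_REALM, realm.encode()),
        build_avp(HOST_IP_ADDRESS, b"\x00\x01" + ipaddress.IPv4Address(ip).packed),
        build_avp(AUTH_APPLICATION_ID, struct.pack("!I", app_id)),
        build_avp(PRODUCT_NAME, product.encode(), flags=0x00),
    ])
    length = 20 + len(avps)
    return (b"\x01" + length.to_bytes(3, "big") + b"\x80"
            + CER_COMMAND.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + avps)


def parse_message(raw, max_length):
    """Return (command, is_request, {avp_code: [payload, ...]}) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    declared = int.from_bytes(raw[1:4], "big")
    if declared > max_length:
        raise ValueError("message exceeds configured maximum length")
    if declared != len(raw) or declared % 4:
        raise ValueError("declared length does not match received bytes")
    avps, offset = {}, 20
    while offset < declared:
        if declared - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, offset)
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        header_len = 12 if flags & 0x80 else 8       # V flag adds a Vendor-Id
        if avp_len < header_len or offset + avp_len > declared:
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, []).append(raw[offset + header_len:offset + avp_len])
        offset += avp_len + (-avp_len % 4)           # skip padding
    return int.from_bytes(raw[5:8], "big"), bool(raw[4] & 0x80), avps


def decode_address(data):
    """Decode a Host-IP-Address payload: 2-byte address family, then the address."""
    family = int.from_bytes(data[:2], "big")
    if (family, len(data)) not in ((1, 6), (2, 18)):
        raise ValueError("unsupported Host-IP-Address encoding")
    return ipaddress.ip_address(data[2:])


def in_subnets(address, subnets):
    return any(address in net for net in subnets)


def evaluate_cer(raw, source_ip, policy=POLICY):
    """Return ("ACCEPT" | "REJECT", reason); anything not explicitly allowed is rejected."""
    try:
        command, is_request, avps = parse_message(raw, policy["max_length"])
        if command != CER_COMMAND or not is_request:
            return "REJECT", "first message is not a CER"
        realm = avps[ORIGIN_REALM][0].decode("ascii")
        product = avps[PRODUCT_NAME][0].decode("utf-8")
        claimed = [decode_address(a) for a in avps[HOST_IP_ADDRESS]]
        apps = {struct.unpack("!I", a)[0] for a in avps.get(AUTH_APPLICATION_ID, [])}
    except KeyError as exc:
        return "REJECT", f"missing AVP {exc}"
    except (ValueError, struct.error) as exc:
        return "REJECT", str(exc)
    # Check the transport source address as well as the addresses the peer claims.
    addresses = [ipaddress.ip_address(source_ip)] + claimed
    if not all(in_subnets(a, policy["subnets"]) for a in addresses):
        return "REJECT", "address outside permitted subnets"
    if realm not in policy["realms"]:
        return "REJECT", "Origin-Realm not permitted"
    if not apps & policy["applications"]:
        return "REJECT", "no permitted Auth-Application-Id"
    if product not in policy["products"]:
        return "REJECT", "Product-Name not permitted"
    return "ACCEPT", "peer matches policy"
```

The length limit is applied to the declared header length before any AVP is parsed, so an oversized message is rejected without walking its contents.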
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA (National Security Agency) recommendations for OS and application hardening, as described in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport protocols. The network redundancy is achieved using redundant pairs of Switch modules (one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
[Figure 43: Local Network redundancy architecture. Diagram of a blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 (external ports: 10 x 10GbE + 1 x 1GB port), L2/3 1GB Copper Switches A and B, interswitch links, the EXT/INT SCTP and TCP networks, MGMT-A/MGMT-B, and in-band connections to upstream routers. Virtual IPs for SCTP and TCP are doubled per internal and external network.]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.
HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high-capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
[Figure 58: Detailed System Flow. Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Groovy Scripting. Legend: Message Flow, Decision Flow.]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high-capacity, high-performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Page 60
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6082
SIGNALING DELIVERY CONTROLLER
Product Description
60
wwwtraffixsystemscom
Operation during Node Failure
Node 1
SDC
Web UI WS
Node 2
SDC
Web UI WS
Diameter VIP
Management VIP
Diameter VIP
Management VIP
Management
Workstation
Node 2
SDC
Diameter VIP
Management VIP
Configuration
Manager
Configuration
Manager
Client1
Session Replicattion
Physical IPPhysical IPPhysical IP
Physical IPPhysical IPPhysical IP
2
1
3
3
Figure 38 Scalable N+K HA architecture Failure operation
For ease of the network integration types the system may be configured to issue outgoing
Diameter connections from the floating address of the Global Interface
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6182
SIGNALING DELIVERY CONTROLLER
Product Description
61
wwwtraffixsystemscom
In ActiveActive mode the load is distributed among all available system nodes
Virtual IP Failure detection and recovery
In local (non-geographical) redundant configuration SDC exposes the Virtual IP address ndash
VIP - toward Diameter clients Additional VIPs can be configured if required
On the server side the solution maintains peering connection between all cluster nodes of
the solution and the server peers The above architecture provides fast response upon any
failure event that occurs within the system It is also possible to aggregate the connections
to servers having a peer to peer connection from the solution cluster to each of the
Diameter servers
SDC relies on standard commercial availability management mechanisms which enable it
to execute failovers from one functional unit to the other in a very short time measured in
milliseconds
The following table summarizes the different mechanisms used for the solutionscomponents ldquoscalable deploymentrdquo is assumed
Component
Service
HA Model Maximum
Concurrent
Active Instances
Comments
SDC ActiveActive N One instance per node
Configuration
Manager
ActiveActive
with Multi-Master
Replication
2 Installed on two nodes performing
mutual updates on configuration
changes
Distributed Store ActiveActive N One instance per node
Web UI WS
Service and VIP
Failover
(ActiveMultiplestandbys)
1 Runs on one system node failover in
case of node failure
CPF VIP Failover
(ActiveMultiple
standbys)
1 Virtual IP Address will be active on one
node at a time with multiple nodes (1 in
failover architecture) serving as hot
standbys
In the geographic deployment each SDC cluster provides one VIP per-site towards
Diameter clients Additional VIPs can be configured if required
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6282
SIGNALING DELIVERY CONTROLLER
Product Description
62
wwwtraffixsystemscom
In order to support high availability a system is required to utilize reliable processes and
hardware that is to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR) Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware SDC nodes can assume each otherrsquos load These duplicate nodes are
also called redundant components For further analysis on failure detection and recovery
please refer to the following tables
Hardware Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Non-redundant HW (Server
motherboard)
Cluster heartbeat Node failover Traffic shift to
other node
PSU (Power Supply Unit) Built-in Hardware
Monitoring
Failover to Redundant PSU
Network Interface Network Link monitoring
(OS)
Node traffic failover to secondary
NIC
Disk failure Hardware ndash RAID
controller
RAID failover to 2nd disk
Network switch Switch Redundancy
mechanisms
Network Link monitoring
(OS)
Network Switch Failover
Node traffic failover to secondary
NIC
Network Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Network link failure Network Link monitoring (OS) Node traffic failover to secondary
NIC
Upstream network
failure
Solaris IPMP ICMP Probe IP Address
monitoring
Linux Bonding ARP Probe Address
monitoring
(Network Switch Redundancy)
Node traffic failover to secondary
NIC
Node Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Scheduled shutdown
Reboot
Cluster resource mgmt andor Service
Monitor
Node failover
Traffic shift to other node
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6382
SIGNALING DELIVERY CONTROLLER
Product Description
63
wwwtraffixsystemscom
Failure Type Failure Detection Method Automatic Remedy Action
Critical hardware
failure
Cluster heartbeat Node failover
Traffic shift to other node
Irreversible hardware
failure
Cluster heartbeat Node failover
Traffic shift to other node
OS Crash Cluster resource mgmt andor
Service Monitor
Node failover
Traffic shift to other node
Low Memory Resource Monitor utility or SNMP
Monitor from external system
Send Notification to Operator (Low
Memory)
Low Free Disk Space Resource Monitor utility or SNMP
Monitor from external system
Send Notification to Operator (Low
Free Disk space)
CPU Overload Resource Monitor utility (in scalable architecture)
Lower percentage of requests
directed to system node
Process Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Crash Process watchdog
ldquois runningrdquo check
service monitor
Automatic Persistent data store recovery
Process start
Lockup Service monitor Process forced termination
Automatic Persistent data store recovery
Process start
Partial lockup Service monitor Process forced termination
Automatic Persistent data store recovery
Process start
Cannot start Cluster resource mgmt andor
Service Monitor
Node failover
Traffic shift to other node
SDC Overload Service monitor (in scalable architecture)
Lower percentage of requests directed to system node
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6482
SIGNALING DELIVERY CONTROLLER
Product Description
64
wwwtraffixsystemscom
113 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 102) in each geographical location site Each of the locally redundant
SDC clusters exposes one or more VIP address(es) as depicted in the following figure
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-
Active or Active-Standby Replication of routing and session tables is supported in both
modes Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6582
SIGNALING DELIVERY CONTROLLER
Product Description
65
wwwtraffixsystemscom
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6682
SIGNALING DELIVERY CONTROLLER
Product Description
66
wwwtraffixsystemscom
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites Diameter session data includes the following
bull Destination Peer
bull Pool name
bull Origin Peer
bull Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data
An SDC node which receives a request may handle the request or proxy the request to a
remote site Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request as depicted below
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic Updates are streamed to the receiving system without expecting
acknowledgment In asynchronous mode the replication latency has no impact on the
system latency but it does affect the eventual consistency For example when the
replication latency is 10ms and each site handles 30K TPS where 5K TPS is a new session
and there are up to 100 TPS of routing updates the following calculation is performed
Lost updates= 101000 (5000 + 500) =~ 55 updates Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name, subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s), like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
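The CER-based ACCEPT/REJECT policy described under Diameter connection security, together with the maximum message length check from Diameter message security, can be sketched as follows. This is an added example, not SDC code or SDC configuration: the policy values, host names and the helper names (`parse_cer`, `decide`, `sample_cer`) are assumptions, and the sample CER is constructed and abbreviated.

```python
import ipaddress
import struct

CER = 257  # Capabilities-Exchange command code (RFC 6733)
ORIGIN_HOST, ORIGIN_REALM = 264, 296
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, PRODUCT_NAME = 257, 258, 269

# Hypothetical policy, constructed for this example (not SDC configuration).
POLICY = {
    "max_length": 4096,
    "subnets": [ipaddress.ip_network("192.0.2.0/24")],
    "realms": {"epc.example.net"},
    "applications": {4},  # 4 = Diameter Credit-Control
    "blocked_products": {"lab-simulator"},
}


def parse_cer(message, max_length):
    """Return {avp_code: [raw values]} for a CER, or raise ValueError."""
    if len(message) < 20:
        raise ValueError("truncated Diameter header")
    length = int.from_bytes(message[1:4], "big")
    if message[0] != 1:
        raise ValueError("unsupported Diameter version")
    if length > max_length:
        raise ValueError("message exceeds maximum length")
    if length != len(message) or length % 4:
        raise ValueError("length field does not match message")
    if int.from_bytes(message[5:8], "big") != CER or not message[4] & 0x80:
        raise ValueError("not a Capabilities-Exchange-Request")
    avps, offset = {}, 20
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", message, offset)
        avp_len = int.from_bytes(message[offset + 5:offset + 8], "big")
        header = 12 if flags & 0x80 else 8  # V flag adds a 4-byte Vendor-Id
        if avp_len < header or offset + avp_len > length:
            raise ValueError("malformed AVP length")
        if not flags & 0x80:  # this policy looks at base-protocol AVPs only
            value = message[offset + header:offset + avp_len]
            avps.setdefault(code, []).append(value)
        offset += avp_len + (-avp_len % 4)  # AVPs are padded to 32 bits
    return avps


def decide(message, source_ip, policy=POLICY):
    """Return ("ACCEPT" or "REJECT", reason) for one connection attempt."""
    try:
        avps = parse_cer(message, policy["max_length"])
        realm = avps[ORIGIN_REALM][0].decode("ascii")
        host = avps[ORIGIN_HOST][0].decode("ascii")
    except (ValueError, KeyError) as exc:
        return "REJECT", f"invalid CER: {exc}"
    addresses = [ipaddress.ip_address(source_ip)]
    for raw in avps.get(HOST_IP_ADDRESS, []):
        try:  # Address AVP: 2-byte family (1 = IPv4, 2 = IPv6), then address
            addresses.append(ipaddress.ip_address(raw[2:]))
        except ValueError:
            return "REJECT", "bad Host-IP-Address"
    if not all(any(a in net for net in policy["subnets"]) for a in addresses):
        return "REJECT", "address outside allowed subnets"
    if realm not in policy["realms"] or not host.endswith("." + realm):
        return "REJECT", "realm not allowed"
    apps = {int.from_bytes(v, "big") for v in avps.get(AUTH_APPLICATION_ID, [])}
    if not apps & policy["applications"]:
        return "REJECT", "no permitted application-id"
    products = {v.decode("utf-8", "replace") for v in avps.get(PRODUCT_NAME, [])}
    if products & policy["blocked_products"]:
        return "REJECT", "product blocked"
    return "ACCEPT", "policy matched"


def avp(code, data):
    """Build a base AVP with the M flag set (sample construction only)."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def cer(avps):
    """Wrap AVPs in a Diameter header with the R flag and command 257."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
            + CER.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + body)


def sample_cer(host="mme01.epc.example.net", realm="epc.example.net",
               product="SampleNode", app=4, ip="192.0.2.10"):
    """Constructed CER carrying only the AVPs this policy inspects."""
    return cer([
        avp(ORIGIN_HOST, host.encode()),
        avp(ORIGIN_REALM, realm.encode()),
        avp(HOST_IP_ADDRESS, b"\x00\x01" + ipaddress.ip_address(ip).packed),
        avp(AUTH_APPLICATION_ID, struct.pack("!I", app)),
        avp(PRODUCT_NAME, product.encode()),
    ])
```

Rejecting on the length field before walking the AVPs keeps an oversized or inconsistent message from reaching the policy checks at all.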
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled, and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
[Diagram labels: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and Virtual Fabric Switch 2 (External Ports: 10 x 10GbE + 1 x 1GB port); L2/3 1GB Copper Switch A and Switch B; Interswitch Links; INBAND connections to upstream Routers; Virtual IPs for SCTP and TCP on Internal and External Networks]
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline
chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58 Detailed System Flow
[Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Network; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message. Legend: Decision Table; Message Flow; Decision Flow; Groovy Scripting]
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
Page 61
In Active/Active mode, the load is distributed among all available system nodes.
Virtual IP, Failure detection and recovery
In a local (non-geographical) redundant configuration, SDC exposes the Virtual IP address –
VIP – toward Diameter clients. Additional VIPs can be configured if required.
On the server side, the solution maintains peering connections between all cluster nodes of
the solution and the server peers. The above architecture provides fast response upon any
failure event that occurs within the system. It is also possible to aggregate the connections
to servers, having a peer to peer connection from the solution cluster to each of the
Diameter servers.
SDC relies on standard commercial availability management mechanisms, which enable it
to execute failovers from one functional unit to the other in a very short time, measured in
milliseconds.
The following table summarizes the different mechanisms used for the solution’s
components (“scalable deployment” is assumed):
Component/Service | HA Model | Maximum Concurrent Active Instances | Comments
SDC | Active/Active | N | One instance per node
Configuration Manager | Active/Active with Multi-Master Replication | 2 | Installed on two nodes, performing mutual updates on configuration changes
Distributed Store | Active/Active | N | One instance per node
Web UI / WS | Service and VIP Failover (Active/Multiple standbys) | 1 | Runs on one system node; failover in case of node failure
CPF | VIP Failover (Active/Multiple standbys) | 1 | Virtual IP Address will be active on one node at a time, with multiple nodes (1 in failover architecture) serving as hot standbys
In the geographic deployment, each SDC cluster provides one VIP per site towards
Diameter clients. Additional VIPs can be configured if required.
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other’s load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node
PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU
Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Disk failure | Hardware – RAID controller | RAID failover to 2nd disk
Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC
Network Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC
Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC
Node Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Scheduled shutdown/Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node
OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory)
Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space)
CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node
Process Redundancy
Failure Type | Failure Detection Method | Automatic Remedy Action
Crash | Process watchdog; “is running” check; service monitor | Automatic Persistent data store recovery; Process start
Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start
Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node
SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location/site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as Active-
Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Product Description
78
wwwtraffixsystemscom
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7982
SIGNALING DELIVERY CONTROLLER
Product Description
79
wwwtraffixsystemscom
15 Appendix B ndash Access Level Security
System management is done using secure protocols The access security supported in the
system is summarized in the table below
Solution
Element
Access
Control
Model
Access
MethodRolePermission Permission Description
SDC
Management
Permission-
based model
WebManagement
Console
Web Services
Read-Only User Read-Only Access
Operator Manage Diameter Peers andPools EnableDisable links
to Peers Backup and
Restore Configuration etc
Super-User
(Administrator)
Full Access
Operating
System
Permissionand Group-
based model
SSH SFTP Read-Only User Read-only access to logssystem files and
information
Operator (Configurable) In addition
to User permissions may be enabled to perform
selected administrationtasks (eg capture network
traffic samples)
Super-User
(Administrator)
Full access
ChassisHardware
Management
Role andPermission-
based model
WebManagement
Console
SNMP
SSH
Read-Only User Read-only access
Super-User
(Administrator)
Full access
Custom Role set (Configurable) Custom set
selected from a wide list of
roles with option to restrictaccess to specific sub-
elements
Networking
Hardware
Management
Permission-
based model
SSH Read-Only User Read-only access
Operator Read-Only access and
permission to make
temporary operational
configuration changes to
selected options and reset
ports
Super-User (
Administrator)
Full access
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 8082
SIGNALING DELIVERY CONTROLLER
Product Description
80
wwwtraffixsystemscom
SNMPMonitoring
and
Management
USM (User- based security
model)
SNMP USM user Per-user configuredReadWriteNotify
permissions to specified
SNMP objects(OIDs)
In addition to that SDC records of all user interactions in its auditing logs and all idle
OAM sessions are terminated
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 8182
SIGNALING DELIVERY CONTROLLER
Product Description
81
wwwtraffixsystemscom
16 Appendix C ndash Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 1F1F2
Figure 58 Detailed System Flow
2 More details are available in Pipelinexlsx and PeerFSMxlsx
Thread Pool
Resources Pool (BuffersQueues)
Protocol Dictionary
External Storage + Shared Memory
Idle Detector
Licensing
ACL
Decryption
Segmentation
In Flow Control
Prioritization
Decoder
Peer FSM
Peer Profile
In Transformation
Add Pending
Session
Routing + LB
Network
Encryption
Out Flow Control
Encoder
Peer FSM
Out Transformation
Remove Pending
Session
P2P
Message
Decision Table
Message Flow
Decision Flow
Groovy Scripting
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 8282
SIGNALING DELIVERY CONTROLLER
Product Description
About Traffix
Traffix is the Diameter control plane expert since 2005 leading this market with a range of
Diameter products deployed at over 100 operators worldwide Powered by the largest
workforce dedicated to Diameter Traffix supports telecommunications providers building
high capacity high performance data networks cost-effectively The Traffix Signaling
Delivery Controller (SDC) enables full connectivity unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world
For more information visit wwwtraffixsystemscom
Office Locations
Traffix Systems UK Traffix Systems IL Traffix Systems USA
Fortis House 5B Hanagar Street 3587 Highway 9N 204
160 London Road Neve Neeman Freehold NJ
Barking Essex IG11 8BB Hod Hasharon 45240 07728UK Israel USA
Phone +44(0)20 8214 1384 Phone +972 (0) 9 788 9222 Phone +1 732 333 3416
In order to support high availability, a system is required to utilize reliable processes and
hardware, that is, to extend the mean time between failures (MTBF) and shorten the
recovery time (MTTR). Extending MTBF is achieved by duplicating SDC nodes and using
redundant hardware. SDC nodes can assume each other's load. These duplicate nodes are
also called redundant components. For further analysis on failure detection and recovery,
please refer to the following tables.
Hardware Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Non-redundant HW (Server motherboard) | Cluster heartbeat | Node failover; Traffic shift to other node |
| PSU (Power Supply Unit) | Built-in Hardware Monitoring | Failover to Redundant PSU |
| Network Interface | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Disk failure | Hardware – RAID controller | RAID failover to 2nd disk |
| Network switch | Switch Redundancy mechanisms; Network Link monitoring (OS) | Network Switch Failover; Node traffic failover to secondary NIC |
Network Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Network link failure | Network Link monitoring (OS) | Node traffic failover to secondary NIC |
| Upstream network failure | Solaris IPMP ICMP Probe IP Address monitoring; Linux Bonding ARP Probe Address monitoring | (Network Switch Redundancy) Node traffic failover to secondary NIC |
Node Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Scheduled shutdown / Reboot | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Critical hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| Irreversible hardware failure | Cluster heartbeat | Node failover; Traffic shift to other node |
| OS Crash | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| Low Memory | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Memory) |
| Low Free Disk Space | Resource Monitor utility or SNMP Monitor from external system | Send Notification to Operator (Low Free Disk space) |
| CPU Overload | Resource Monitor utility | (in scalable architecture) Lower percentage of requests directed to system node |
Process Redundancy

| Failure Type | Failure Detection Method | Automatic Remedy Action |
|---|---|---|
| Crash | Process watchdog, "is running" check, service monitor | Automatic Persistent data store recovery; Process start |
| Lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Partial lockup | Service monitor | Process forced termination; Automatic Persistent data store recovery; Process start |
| Cannot start | Cluster resource mgmt and/or Service Monitor | Node failover; Traffic shift to other node |
| SDC Overload | Service monitor | (in scalable architecture) Lower percentage of requests directed to system node |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39: Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40: Geographical redundancy Active-Standby deployment mode
Figure 41: Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42: Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10ms and each site handles 30K TPS, where 5K TPS are new sessions
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates

Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC enforces a maximal Diameter message length and provides Diameter message
screening. The SDC solution allows:
- removing certain AVP(s) that can unveil the internal structure of the network
- rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- using an encryption mechanism for encoding/decoding the payload of AVP(s)
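The connection checks of section 11.5 (an ACL over source address and CER AVPs) and the maximal message length of section 11.6 are illustrated below. This is an added example, not F5 Traffix code: the policy fields, function names and sample CER are assumptions constructed for illustration, and the wire layout follows RFC 6733.

```python
import ipaddress
import struct

CER_COMMAND_CODE = 257            # Capabilities-Exchange (RFC 6733)
FLAG_REQUEST = 0x80               # R bit in the command flags
AVP_FLAG_VENDOR = 0x80            # V bit: a 4-byte Vendor-ID follows the AVP header
AVP_AUTH_APPLICATION_ID = 258
AVP_ORIGIN_HOST = 264
AVP_ORIGIN_REALM = 296

# Hypothetical policy for this example; none of these values come from the SDC.
SAMPLE_POLICY = {
    "max_message_length": 4096,
    "allowed_subnets": [ipaddress.ip_network("192.0.2.0/24")],
    "allowed_realms": {"operator.example"},
    "allowed_applications": {16777251},   # 3GPP S6a
}


def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-ID, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def encode_cer(avps):
    """Build a CER: 20-byte Diameter header followed by the AVPs."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big")
            + bytes([FLAG_REQUEST]) + CER_COMMAND_CODE.to_bytes(3, "big")
            + struct.pack("!III", 0, 1, 1) + body)


def sample_cer(realm="operator.example", app_id=16777251):
    """Constructed CER used as sample input."""
    return encode_cer([
        encode_avp(AVP_ORIGIN_HOST, b"mme1." + realm.encode()),
        encode_avp(AVP_ORIGIN_REALM, realm.encode()),
        encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", app_id)),
    ])


def parse_avps(body):
    """Return {avp_code: [data, ...]}; raise ValueError on malformed lengths."""
    avps, offset = {}, 0
    while offset < len(body):
        if len(body) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", body, offset)
        length = int.from_bytes(body[offset + 5:offset + 8], "big")
        header = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < header or offset + length > len(body):
            raise ValueError("AVP length out of bounds")
        avps.setdefault(code, []).append(body[offset + header:offset + length])
        offset += length + (-length % 4)   # skip padding to the next AVP
    return avps


def screen_cer(message, source_ip, policy):
    """Return ("ACCEPT" or "REJECT", reason) for a peer's first message."""
    # Transport-level source check comes first: it needs no parsing at all.
    if not any(ipaddress.ip_address(source_ip) in net
               for net in policy["allowed_subnets"]):
        return "REJECT", "source address"
    if len(message) < 20 or message[0] != 1:
        return "REJECT", "bad header"
    # The declared length must match what was read and stay under the cap.
    declared = int.from_bytes(message[1:4], "big")
    if declared != len(message) or declared > policy["max_message_length"]:
        return "REJECT", "message length"
    if (int.from_bytes(message[5:8], "big") != CER_COMMAND_CODE
            or not message[4] & FLAG_REQUEST):
        return "REJECT", "not a CER"
    try:
        avps = parse_avps(message[20:])
    except ValueError as exc:
        return "REJECT", str(exc)
    realms = [v.decode("ascii", "replace").lower()
              for v in avps.get(AVP_ORIGIN_REALM, [])]
    if len(realms) != 1 or realms[0] not in policy["allowed_realms"]:
        return "REJECT", "origin realm"
    # Assumed policy: every advertised application must be on the allow-list.
    apps = avps.get(AVP_AUTH_APPLICATION_ID, [])
    if not apps or any(len(a) != 4 for a in apps):
        return "REJECT", "application id"
    advertised = {struct.unpack("!I", a)[0] for a in apps}
    if not advertised <= policy["allowed_applications"]:
        return "REJECT", "application id"
    return "ACCEPT", "policy match"
```

Origin-Realm and the application list are peer-supplied claims, so the check on the transport source address and the transport security of section 11.5 are what bind them to a known peer.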
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram: blade chassis with SDC worker nodes, Virtual Fabric Switches 1 and 2 with external ports 10 x 10GbE + 1 x 1GB port, L2/3 1GB copper switches A and B, interswitch links, connections to upstream routers, and virtual IPs for SCTP and TCP, with all VIPs doubled per internal and external networks)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.

| Failure Type | Automatic Remedy Action |
|---|---|
| Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter). Note: • Additional addresses per signaling interface are supported • Multiple signaling interfaces are supported • Multiple Networks and/or VLANs supported • IPv4 and IPv6 are supported • SCTP Multi-Homing supported • If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy) |
| OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration) • Additional Management VIPs are supported • Multiple addresses per blade are supported • Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface • Additional addresses will be required for a dedicated Backup Network connection |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | Six (6) IP Addresses • 2 for Advanced Management Modules • 4 for Switch Management |
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow (diagram labels: Thread Pool, Resources Pool (Buffers/Queues), Protocol Dictionary, External Storage + Shared Memory, Idle Detector, Licensing, ACL, Decryption, Segmentation, In Flow Control, Prioritization, Decoder, Peer FSM, Peer Profile, In Transformation, Add Pending Session, Routing + LB, Network, Encryption, Out Flow Control, Encoder, Out Transformation, Remove Pending Session; legend: P2P Message, Decision Table, Message Flow, Decision Flow, Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com

Office Locations

| Traffix Systems UK | Traffix Systems IL | Traffix Systems USA |
|---|---|---|
| Fortis House | 5B Hanagar Street | 3587 Highway 9N 204 |
| 160 London Road | Neve Neeman | Freehold, NJ |
| Barking, Essex IG11 8BB | Hod Hasharon 45240 | 07728 |
| UK | Israel | USA |
| Phone +44 (0)20 8214 1384 | Phone +972 (0) 9 788 9222 | Phone +1 732 333 3416 |
Page 63
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6382
SIGNALING DELIVERY CONTROLLER
Product Description
63
wwwtraffixsystemscom
Failure Type Failure Detection Method Automatic Remedy Action
Critical hardware
failure
Cluster heartbeat Node failover
Traffic shift to other node
Irreversible hardware
failure
Cluster heartbeat Node failover
Traffic shift to other node
OS Crash Cluster resource mgmt andor
Service Monitor
Node failover
Traffic shift to other node
Low Memory Resource Monitor utility or SNMP
Monitor from external system
Send Notification to Operator (Low
Memory)
Low Free Disk Space Resource Monitor utility or SNMP
Monitor from external system
Send Notification to Operator (Low
Free Disk space)
CPU Overload Resource Monitor utility (in scalable architecture)
Lower percentage of requests
directed to system node
Process Redundancy
Failure Type Failure Detection Method Automatic Remedy Action
Crash Process watchdog
ldquois runningrdquo check
service monitor
Automatic Persistent data store recovery
Process start
Lockup Service monitor Process forced termination
Automatic Persistent data store recovery
Process start
Partial lockup Service monitor Process forced termination
Automatic Persistent data store recovery
Process start
Cannot start Cluster resource mgmt andor
Service Monitor
Node failover
Traffic shift to other node
SDC Overload Service monitor (in scalable architecture)
Lower percentage of requests directed to system node
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6482
SIGNALING DELIVERY CONTROLLER
Product Description
64
wwwtraffixsystemscom
113 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 102) in each geographical location site Each of the locally redundant
SDC clusters exposes one or more VIP address(es) as depicted in the following figure
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations such as Active-
Active or Active-Standby Replication of routing and session tables is supported in both
modes Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41 respectively
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6582
SIGNALING DELIVERY CONTROLLER
Product Description
65
wwwtraffixsystemscom
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6682
SIGNALING DELIVERY CONTROLLER
Product Description
66
wwwtraffixsystemscom
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites Diameter session data includes the following
bull Destination Peer
bull Pool name
bull Origin Peer
bull Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data
An SDC node which receives a request may handle the request or proxy the request to a
remote site Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request as depicted below
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic Updates are streamed to the receiving system without expecting
acknowledgment In asynchronous mode the replication latency has no impact on the
system latency but it does affect the eventual consistency For example when the
replication latency is 10ms and each site handles 30K TPS where 5K TPS is a new session
and there are up to 100 TPS of routing updates the following calculation is performed
Lost updates= 101000 (5000 + 500) =~ 55 updates Security
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6782
SIGNALING DELIVERY CONTROLLER
Product Description
67
wwwtraffixsystemscom
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter-level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport-level security.
11.6 Diameter message security
SDC limits and enforces maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in the AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding of the payload of AVP(s)
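The CER access policy of section 11.5 and the length enforcement and AVP screening of section 11.6, worked through in Python as an added example; this is not SDC code or configuration. The realm, host names, key, 4096-byte limit and the policy rules are assumptions chosen for illustration; AVP codes and the wire layout follow RFC 6733.

```python
import hashlib
import hmac
import struct

# AVP and command codes from RFC 6733.
AUTH_APP_ID, ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 258, 264, 282, 296
CER_CODE, FLAG_REQUEST, FLAG_VENDOR, FLAG_MANDATORY = 257, 0x80, 0x80, 0x40
MAX_MSG_LEN = 4096  # assumed operator limit, not an SDC default


def encode_avp(code, data, flags=FLAG_MANDATORY, vendor=None):
    """code(4) flags(1) length(3) [vendor-id(4)] data, zero-padded to 4 bytes."""
    vend = b"" if vendor is None else struct.pack("!I", vendor)
    length = 8 + len(vend) + len(data)
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + vend + data + b"\x00" * (-length % 4)


def encode_message(cmd, app_id, avps, flags=FLAG_REQUEST, hbh=1, e2e=1):
    """20-byte Diameter header followed by already-encoded AVPs."""
    body = b"".join(avps)
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
    return head + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body


def parse_message(buf, max_len=MAX_MSG_LEN):
    """Return (cmd, flags, avps); raise ValueError on any length violation."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(buf[1:4], "big")
    if total > max_len:
        raise ValueError("message exceeds maximal length")
    if total != len(buf) or total % 4:
        raise ValueError("declared length does not match received bytes")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    avps, pos = [], 20
    while pos < total:
        if total - pos < 8:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack_from("!IB", buf, pos)
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & FLAG_VENDOR else 8
        if alen < hdr or pos + alen > total:
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if hdr == 12 else None
        avps.append((code, aflags, vendor, buf[pos + hdr:pos + alen]))
        pos += alen + (-alen % 4)
    return cmd, flags, avps


def cer_acl(buf, allowed_realms, allowed_apps):
    """Example custom policy over CER AVPs; returns "ACCEPT" or "REJECT"."""
    try:
        cmd, flags, avps = parse_message(buf)
    except ValueError:
        return "REJECT"
    if cmd != CER_CODE or not flags & FLAG_REQUEST:
        return "REJECT"
    values = lambda code: [d for c, _, v, d in avps if c == code and v is None]
    hosts, realms = values(ORIGIN_HOST), values(ORIGIN_REALM)
    if len(hosts) != 1 or len(realms) != 1 or realms[0] not in allowed_realms:
        return "REJECT"
    if not hosts[0].endswith(b"." + realms[0]):
        return "REJECT"  # the peer's host name must sit inside the realm it claims
    apps = {int.from_bytes(d, "big") for d in values(AUTH_APP_ID)}
    return "ACCEPT" if apps and apps <= allowed_apps else "REJECT"


def screen_message(buf, key, public_host, strip=(ROUTE_RECORD,)):
    """Remove topology-revealing AVPs and replace Origin-Host with a keyed pseudonym."""
    cmd, flags, avps = parse_message(buf)
    out = []
    for code, aflags, vendor, data in avps:
        if vendor is None and code in strip:
            continue
        if vendor is None and code == ORIGIN_HOST:
            # Stable per internal host, but not reversible without the key.
            tag = hmac.new(key, data, hashlib.sha256).hexdigest()[:12]
            data = b"n" + tag.encode() + b"." + public_host
        out.append(encode_avp(code, data, aflags, vendor))
    app_id, hbh, e2e = struct.unpack_from("!III", buf, 8)
    return encode_message(cmd, app_id, out, flags, hbh, e2e)


# Constructed samples: host names, realm and application-ids are made up.
SAMPLE_ORIGIN = [
    encode_avp(ORIGIN_HOST, b"mme07.rack3.epc.example.net"),
    encode_avp(ORIGIN_REALM, b"epc.example.net"),
]
SAMPLE_CER = encode_message(
    CER_CODE, 0, SAMPLE_ORIGIN + [encode_avp(AUTH_APP_ID, struct.pack("!I", 16777251))])
SAMPLE_REQUEST = encode_message(
    272, 4, SAMPLE_ORIGIN + [encode_avp(ROUTE_RECORD, b"dra1.core.epc.example.net")])

if __name__ == "__main__":
    print(cer_acl(SAMPLE_CER, {b"epc.example.net"}, {16777251}))
    print(parse_message(screen_message(SAMPLE_REQUEST, b"demo-key", b"sdc.example.net"))[2])
```

Parsing failures map to REJECT, so a peer cannot bypass the policy with a malformed or oversized CER.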
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network-level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture
(Diagram labels: Blade Chassis; SDC Worker Nodes; Virtual Fabric Switch 1 and Virtual Fabric Switch 2, each with external ports 10 x 10GbE + 1 x 1GB port; L2/3 1GB Copper Switch A and B; links EXT-SCTP-A, EXT-SCTP-B, EXT-TCP-A, EXT-TCP, INT-SCTP-A, INT-SCTP-B, INT-TCP, MGMT-A, MGMT-B, INBAND and Interswitch Link; connections to upstream routers; Virtual IP for SCTP and TCP, with all VIPs doubled per Internal and External Networks.)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
IBM BladeSystem HT Chassis
| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action

Data Signaling
4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs are supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing is supported
• If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection
One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs are supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A - OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58 Detailed System Flow
(Diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session. Legend: P2P Message, Decision Table, Message Flow, Decision Flow, Groovy Scripting.)
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
| Traffix Systems UK | Traffix Systems IL | Traffix Systems USA |
|---|---|---|
| Fortis House | 5B Hanagar Street | 3587 Highway 9N 204 |
| 160 London Road | Neve Neeman | Freehold NJ |
| Barking Essex IG11 8BB | Hod Hasharon 45240 | 07728 |
| UK | Israel | USA |
| Phone +44(0)20 8214 1384 | Phone +972 (0) 9 788 9222 | Phone +1 732 333 3416 |
11.3 Geographical redundancy
SDC supports geographical redundancy by deploying locally redundant SDC clusters (as
described in section 10.2) in each geographical location site. Each of the locally redundant
SDC clusters exposes one or more VIP address(es), as depicted in the following figure.
Figure 39 Geographical redundancy Active-Standby deployment mode
The solution supports multiple geo-redundancy deployment configurations, such as
Active-Active or Active-Standby. Replication of routing and session tables is supported in both
modes. Active-Standby and Active-Active deployments are shown in Figure 40 and Figure
41, respectively.
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Figure 40 Geographical redundancy Active-Standby deployment mode
Figure 41 Geographical redundancy Active-Active deployment mode
Site Replication
Site replication allows geographically distributed SDC clusters to synchronize Diameter
session data amongst sites. Diameter session data includes the following:
• Destination Peer
• Pool name
• Origin Peer
• Session Binding data
Session data is distributed by one SDC node (the origin node) to Remote Servers (the target
nodes) configured to receive and handle the replicated data.
An SDC node which receives a request may handle the request or proxy the request to a
remote site. Proxying the request is performed when the session is unknown to the local site
and the remote site has the required data to handle the incoming request, as depicted below.
Figure 42 Site Replication
The network used for replication between sites must have sufficient capacity to carry the
replication data traffic. Updates are streamed to the receiving system without expecting
acknowledgment. In asynchronous mode, the replication latency has no impact on the
system latency, but it does affect the eventual consistency. For example, when the
replication latency is 10 ms and each site handles 30K TPS, where 5K TPS is a new session
and there are up to 100 TPS of routing updates, the following calculation is performed:
Lost updates = 10/1000 × (5000 + 500) ≈ 55 updates
Security
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator’s signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks’ access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces the maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) like
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
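The connection checks of 11.5 and the message screening of 11.6, as an added Python example (not SDC code and not its configuration syntax): a Diameter decoder that enforces a maximum message length, a first-match ACL applied to a CER's source address, Origin-Realm and Auth-Application-Id, and an outgoing screen that drops Route-Record and pseudonymizes the host in Origin-Host and Session-Id. The ACL rule format, the 4096-byte limit, the key, the choice of AVPs and all host names and addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address, ip_network

CER, AUTH_APP_ID, SESSION_ID = 257, 258, 263             # RFC 6733 codes
ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 264, 282, 296  # RFC 6733 codes
S6A, ULR = 16777251, 316                                 # 3GPP S6a values
MAX_MESSAGE_LEN = 4096               # assumed limit, not an SDC default
STRIP_AVPS, REWRITE_AVPS = {ROUTE_RECORD}, {ORIGIN_HOST, SESSION_ID}  # assumed
HIDE_KEY = b"constructed-demo-key"   # assumed secret for pseudonyms
# Constructed ACL: first matching rule wins, no match means REJECT.
ACL = [{"action": "REJECT", "realm": "blocked.example"},
       {"action": "ACCEPT", "subnet": "192.0.2.0/24",
        "realm": "partner.example", "app_id": S6A}]


def encode_avp(code, data, flags=0x40, vendor=None):
    vend = b"" if vendor is None else struct.pack("!I", vendor)
    length = 8 + len(vend) + len(data)  # header and data, padding excluded
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vend + data + bytes(-length % 4))


def encode_message(cmd, app_id, avps, flags=0x80, ids=bytes(8)):
    body = b"".join(encode_avp(*avp) for avp in avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!I", app_id) + ids + body)


def decode_message(raw, max_len=MAX_MESSAGE_LEN):
    """Return (cmd, app_id, avps); raise ValueError on any framing error."""
    total = int.from_bytes(raw[1:4], "big")
    if total > max_len:
        raise ValueError("message longer than the configured maximum")
    if len(raw) < 20 or raw[0] != 1 or total != len(raw) or total % 4:
        raise ValueError("bad version or length field")
    cmd = int.from_bytes(raw[5:8], "big")
    app_id = int.from_bytes(raw[8:12], "big")
    avps, pos = [], 20
    while pos < total:
        if total - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", raw[pos:pos + 5])
        length = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit set: a Vendor-Id follows
        if length < hdr or pos + length > total:
            raise ValueError("AVP length out of bounds")
        vendor = int.from_bytes(raw[pos + 8:pos + 12], "big") if hdr == 12 else None
        avps.append((code, raw[pos + hdr:pos + length], flags, vendor))
        pos += length + (-length % 4)
    return cmd, app_id, avps


def cer_decision(raw, peer_ip, acl=ACL):
    """ACCEPT or REJECT a new connection from its CER and source address."""
    try:
        cmd, _, avps = decode_message(raw)
        addr = ip_address(peer_ip)
    except ValueError:
        return "REJECT"                  # malformed or oversized: fail closed
    if cmd != CER:
        return "REJECT"
    base = [(code, data) for code, data, _, vendor in avps if vendor is None]
    realm = next((d for c, d in base if c == ORIGIN_REALM), b"").lower()
    apps = {int.from_bytes(d, "big") for c, d in base if c == AUTH_APP_ID}
    for rule in acl:
        if (("realm" not in rule or rule["realm"].encode() == realm)
                and ("subnet" not in rule or addr in ip_network(rule["subnet"]))
                and ("app_id" not in rule or rule["app_id"] in apps)):
            return rule["action"]
    return "REJECT"


def hide_host(name):
    tag = hmac.new(HIDE_KEY, name, hashlib.sha256).hexdigest()[:12]
    return b"node-" + tag.encode() + b".hidden.example"


def screen_outgoing(raw):
    """Drop STRIP_AVPS and pseudonymize the identity in REWRITE_AVPS."""
    cmd, app_id, avps = decode_message(raw)
    out = []
    for code, data, flags, vendor in avps:
        if vendor is None and code in STRIP_AVPS:
            continue
        if vendor is None and code in REWRITE_AVPS:
            host, sep, rest = data.partition(b";")  # Session-Id: identity;high;low
            data = hide_host(host) + sep + rest
        out.append((code, data, flags, vendor))
    return encode_message(cmd, app_id, out, raw[4], raw[12:20])


# Constructed samples: a partner CER and an S6a request carrying Route-Record.
SAMPLE_CER = encode_message(CER, 0, [
    (ORIGIN_HOST, b"mme01.partner.example"), (ORIGIN_REALM, b"partner.example"),
    (AUTH_APP_ID, struct.pack("!I", S6A))])
SAMPLE_REQ = encode_message(ULR, S6A, [
    (SESSION_ID, b"mme01.core.example;1;2"), (ORIGIN_HOST, b"mme01.core.example"),
    (ORIGIN_REALM, b"core.example"), (ROUTE_RECORD, b"dra7.core.example")])
```

A keyed hash cannot be reversed, so a deployment that has to route answers back to the hidden host also needs a stored mapping from pseudonym to real identity.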
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports’ usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43 Local Network redundancy architecture (diagram labels: Blade Chassis, SDC Worker Nodes, Virtual Fabric Switches 1 and 2 with external ports 10 x 10GbE + 1 x 1GB port, L2/3 1GB Copper Switches A and B, Interswitch Links, connections to upstream routers, and Virtual IPs for SCTP and TCP)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action
Data Signaling | 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)
OAM Management and Backup Network Connection | One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection
OAM-LOM Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with Bl460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A – OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
Figure 47 Routing Management
Figure 48 Logging control
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
Figure 53 Signaling KPI Report
Figure 54 Dashboard
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. [2]
Figure 58 Detailed System Flow (diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
SIGNALING DELIVERY CONTROLLER
Product Description
67
wwwtraffixsystemscom
Traffix Systems realizes that security is vital to assure availability, integrity and
confidentiality of the operator's signaling network. SDC provides multi-level security
features that are described in the following sections.
11.4 Diameter Topology Hiding
The SDC solution supports topology hiding by exposing one or more VIPs (Virtual IPs) in
the direction of the peers. The VIP is used as a single point of attachment for all peers
connected to the SDC node.
To prevent DoS attacks, the solution limits external networks' access to port 3868 and other
agreed ports. The solution uses IPTABLES to protect the network from intrusion attempts.
11.5 Diameter connection security
The SDC solution limits the number of incoming clients and network sources. The SDC
solution provides Diameter level access control lists (ACLs) to ACCEPT or REJECT peers
by their IP address, host name/subnet, application-id, product-type, etc. Additionally, the
solution provides the user with the ability to implement a custom access policy. The user
can inspect any combination of AVPs in a CER message and ACCEPT or REJECT the
connection establishment based on custom policy criteria.
SDC ensures idle connection termination after a user-configurable timeout period for both
Diameter and management traffic.
The solution uses IPSEC, TLS and DTLS to implement transport level security.
11.6 Diameter message security
SDC limits and enforces a maximal Diameter message length. For Diameter message
screening, the SDC solution allows:
- Removing certain AVP(s) that can unveil the internal structure of the network
- Rewriting AVP(s) using certain anonymization techniques to protect data and
mitigate privacy and security concerns, to comply with legal requirements of the
network, and to avoid exposing information contained in AVP(s) such as
Session-Id, Origin-Host, Origin-Realm, etc.
- Using an encryption mechanism for encoding/decoding the payload of AVP(s)
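Sections 11.5 and 11.6 describe accepting or rejecting a peer from the AVPs of its CER, enforcing a maximal message length, and removing or rewriting AVPs that expose topology. The following Python illustration is added here and is not SDC code: command and AVP codes come from RFC 6733, while the ACL contents, the 4096-byte limit, the host names and all function names are assumptions.

```python
import ipaddress
import struct

# Command and AVP codes from RFC 6733.
CER, AUTH_APP_ID, ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 257, 258, 264, 282, 296
V_FLAG, R_FLAG = 0x80, 0x80   # AVP vendor flag, message request flag
MAX_MSG_LEN = 4096            # assumed operator limit, not an SDC default

# Constructed ACL: allowed source networks, realms and application ids.
ACL = {
    "networks": [ipaddress.ip_network("192.0.2.0/24")],
    "realms": {"partner.example.net"},
    "app_ids": {16777251},    # 3GPP S6a
}


def encode_avp(code, body, flags=0x40):
    """Build one AVP; body starts with the Vendor-Id when the V flag is set."""
    length = 8 + len(body)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + body + b"\x00" * (-length % 4))


def encode_message(header_tail, avps):
    """header_tail: flags, command, application id, hop-by-hop, end-to-end (16 bytes)."""
    payload = b"".join(encode_avp(c, b, f) for c, f, b in avps)
    return b"\x01" + (20 + len(payload)).to_bytes(3, "big") + header_tail + payload


def parse(raw, max_len=MAX_MSG_LEN):
    """Return (command, flags, [(code, flags, body)]) or raise ValueError."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("bad header")
    length = int.from_bytes(raw[1:4], "big")
    if length > max_len:
        raise ValueError("message exceeds maximal length")
    if length != len(raw) or length % 4:
        raise ValueError("length field mismatch")
    avps, off = [], 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, off)
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        if alen < (12 if flags & V_FLAG else 8) or off + alen > length:
            raise ValueError("bad AVP length")
        avps.append((code, flags, raw[off + 8:off + alen]))
        off += alen + (-alen % 4)          # AVPs are padded to 4 bytes
    return int.from_bytes(raw[5:8], "big"), raw[4], avps


def cer_decision(raw, src_ip, acl=ACL):
    """ACCEPT or REJECT a connection from its first message, as a CER ACL would."""
    try:
        cmd, flags, avps = parse(raw)
    except ValueError as exc:
        return "REJECT", str(exc)
    if cmd != CER or not flags & R_FLAG:
        return "REJECT", "first message is not a CER"
    base = {}
    for code, aflags, body in avps:
        if not aflags & V_FLAG:            # ignore vendor-specific AVPs
            base.setdefault(code, []).append(body)
    if not any(ipaddress.ip_address(src_ip) in net for net in acl["networks"]):
        return "REJECT", "source address not allowed"
    realms = [b.decode("ascii", "replace").lower() for b in base.get(ORIGIN_REALM, [])]
    if len(realms) != 1 or realms[0] not in acl["realms"]:
        return "REJECT", "Origin-Realm not allowed"
    apps = {int.from_bytes(b, "big") for b in base.get(AUTH_APP_ID, [])}
    if not apps & acl["app_ids"]:
        return "REJECT", "no permitted Auth-Application-Id"
    return "ACCEPT", "ok"


def hide_topology(raw, public_host):
    """Drop Route-Record AVPs and rewrite Origin-Host to the public identity."""
    _, _, avps = parse(raw)
    out = []
    for code, flags, body in avps:
        if flags & V_FLAG or code not in (ROUTE_RECORD, ORIGIN_HOST):
            out.append((code, flags, body))
        elif code == ORIGIN_HOST:
            out.append((code, flags, public_host.encode("ascii")))
        # Route-Record AVPs fall through and are removed
    return encode_message(raw[4:20], out)


def sample_cer(realm="partner.example.net", app_id=16777251):
    """Constructed CER used to exercise the checks above."""
    avps = [
        (ORIGIN_HOST, 0x40, b"mme01.core.partner.example.net"),
        (ORIGIN_REALM, 0x40, realm.encode("ascii")),
        (AUTH_APP_ID, 0x40, app_id.to_bytes(4, "big")),
    ]
    tail = bytes([R_FLAG]) + CER.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1)
    return encode_message(tail, avps)
```

An agent that rewrites Origin-Host also has to keep the mapping needed to route answers back to the real host; that state is outside this illustration.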
11.7 OS/System security
SDC uses a commercially available RHEL distribution. During system installation, unused
modules are removed or disabled and ports' usage is restricted.
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendations for OS and application hardening, as described
in the following documentation:
- CIS_RHEL5_Benchmark_v1.1
- CIS_Apache_Tomcat_Benchmark_v1.0.0
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011
11.8 Network Level Security
SDC applies the following network level security:
- IPTABLES are used to protect the system, e.g. to block non-Diameter traffic on
Inland interfaces
- Signaling and OAM networks are separated, as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on the OAM network
- Idle OAM connections are terminated
12 Networking
12.1 Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols. The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for O&AM) and NIC bonding for TCP or
multi-homing for SCTP.
The local redundancy architecture, as shown in Figure 43, is achieved in the following
way:
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages, using round-robin or another load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Figure 43: Local Network redundancy architecture (diagram of a blade chassis with SDC worker nodes, two Virtual Fabric Switches and two L2/3 1GB copper switches; the virtual IPs for SCTP and TCP are doubled per internal and external network)
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables.
HP BladeSystem c7000 Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required)
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
IBM BladeSystem HT Chassis
Network | Switch | Interface Speed | Port Count | Connector type | Description
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.)
Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks
OAM-OS Management and Backup Network Connection | IBM/BNT L2/3 Switch 2 | 1GbE | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers)
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch ("Lights-Out") Management and Monitoring
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is
done after the Site Survey and Customer Workshop.
Failure Type | Automatic Remedy Action

Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
- Additional addresses per signaling interface are supported
- Multiple signaling interfaces are supported
- Multiple Networks and/or VLANs are supported
- IPv4 and IPv6 are supported
- SCTP Multi-Homing is supported
- If the Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be
required (for VRRP Switch Redundancy)

OAM Management and Backup Network Connection: One IP Address per hardware blade plus one
Management VIP (4 addresses in the baseline chassis configuration)
- Additional Management VIPs are supported
- Multiple addresses per blade are supported
- Multiple Networks and/or VLANs are supported, e.g. dedicated Management and Backup Interface
- Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM Chassis Hardware and Switch ("Lights-Out") Management and Monitoring: Six (6) IP Addresses
- 2 for Advanced Management Modules
- 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
- HP Blade System with Bl460c Gen8 Blades
- HP DL380p Gen8 Rackmount Servers
- IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides
chassis-based, high capacity HW architecture with inherent manageability, reliability and
redundancy.
14 Appendix A - OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B - Access Level Security
System management is done using secure protocols. The access security supported in the
system is summarized in the table below.
Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description
SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access
SDC Management | Permission-based model | Web Management Console, Web Services | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
SDC Management | Permission-based model | Web Management Console, Web Services | Super-User (Administrator) | Full Access
Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information
Operating System | Permission and Group-based model | SSH, SFTP | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
Operating System | Permission and Group-based model | SSH, SFTP | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Super-User (Administrator) | Full access
Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements
Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access
Networking Hardware Management | Permission-based model | SSH | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports
Networking Hardware Management | Permission-based model | SSH | Super-User (Administrator) | Full access
SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)
In addition, SDC records all user interactions in its auditing logs, and all idle
OAM sessions are terminated.
16 Appendix C - Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58. More details are
available in Pipeline.xlsx and PeerFSM.xlsx.
Figure 58: Detailed System Flow. Labels in the diagram: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P; Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of
Diameter products deployed at over 100 operators worldwide. Powered by the largest
workforce dedicated to Diameter, Traffix supports telecommunications providers building
high capacity, high performance data networks cost-effectively. The Traffix Signaling
Delivery Controller (SDC) enables full connectivity, unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world.
For more information, visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone: +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone: +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone: +1 732 333 3416
Page 68
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6882
SIGNALING DELIVERY CONTROLLER
Product Description
68
wwwtraffixsystemscom
117 OSSystem security
SDC uses commercially available RHEL distribution During system installation unused
modules are removed or disabled and portsrsquo usage is restricted
The deployment of the solution complies with CIS (Center for Internet Security) and NSA
(National Security Agency) recommendation for OS and application hardening as described
in the following documentation
- CIS_RHEL5_Benchmark_v11
- CIS_Apache_Tomcat_Benchmark_v100
- NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5Revision 41 February 28 2011
118 Network Level Security
SDC applies the following network level security
- IPTABLES are used to protect the system eg to block non-Diameter traffic on
Inland interfaces
- signaling and OAM networks are separated as well as internal and external
signaling networks
- SSH daemon and WEB GUI listen only on OAM network
- Idle OAM connections are terminated
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6982
SIGNALING DELIVERY CONTROLLER
Product Description
69
wwwtraffixsystemscom
12 Networking
121
Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for OampAM) and NIC bonding for TCP or
multi-homing SCTP
The local redundancy architecture as shown in Figure 43 is achieved in the following
way
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Blade Chassis
SDC WorkerNode
[Virtual Fabric Switch 2] External Ports10 x 10GbE + 1 x 1GB port
SDC WorkerNode
[L23 1GB Copper Switch A]
[L23 1GB Copper Switch B]
EXT-SCTP-A
EXT-SCTP-B
EXT-TCP-A
EXT-TCP
INT-SCTP-A
INT-SCTP-B
INT-TCP
Interswitch
Link
MGMT-A MGMT-B
[Virtual Fabric Switch 1] External Ports10 x 10GbE + 1 x 1GB port
INBAND
Connections to
upstream Routers
Interswitch
Link
SDC WorkerNode
TCP Vs S TCP Vs TCP VsS S S S S
S T S S T S
Virtual IP
For SCTP and TCP (all
VIPs are doubled per
Internal and ExternalNetworks
Figure 43 Local Network redundancy architecture
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7082
SIGNALING DELIVERY CONTROLLER
Product Description
70
wwwtraffixsystemscom
122 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are
detailed in the following tables
HP BladeSystem c7000 Chassis
Network Switch Interface
Speed
Port
Count
Connector
type
Description
Data Signaling HP Virtual
Connect Flex-10
Module
10GbE (or
1GbE)
6 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling (Diameter
SIP etc)
2 NA HP VC Flex-10 Stacking
Links (no cables required)
HP Virtual
Connect Flex-10
Module
10GbE (or
1GbE)
6 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling (Diameter
SIP etc)
2 NA HP VC Flex-10 Stacking
Links (no cables required)
OAM-OS
Management and
Backup Network
Connection
HPBNT GbE2c
L23 Switch 1
1GbE 5 Ethernet
Copper RJ45
Connection to Management
andor Backup Networks
HPBNT GbE2c
L23 Switch 1
1GbE 5 Ethernet
Copper RJ45
Connection to Management
andor Backup Networks
OAM-LOM
Chassis
Hardware and
Switch (ldquoLights-
Outrdquo)
Management and
Monitoring
HP Onboard
Administrator
Module 1
1GbE 1 Ethernet
Copper RJ45
Connection to Management
Network for Chassis
Hardware and Switch
(ldquoLights-Outrdquo) Management
and Monitoring
HP Onboard
Administrator
Module 2
1GbE 1 Ethernet
Copper RJ45
Connection to Management
Network for Chassis
Hardware and Switch
(ldquoLights-Outrdquo) Management
and Monitoring
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7182
SIGNALING DELIVERY CONTROLLER
Product Description
71
wwwtraffixsystemscom
IBM BladeSystem HT Chassis
Network Switch Interface
Speed
Port
Count
Connector
type
Description
Data Signaling IBMBNT
Virtual
Fabric
Switch 1
10GbE (or
1GbE)
8 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling
(Diameter SIP etc)
2 Passive DAC
10GbE
IBMBNT Virtual Fabric
Stacking Links (DAC
cables included)
IBMBNT
Virtual
Fabric
Switch 1
10GbE (or
1GbE)
8 10GbE Fiber
850mns or
1GbE Copper
(RJ45)
Ethernet
Data Signaling
(Diameter SIP etc)
2 Passive DAC
10GbE
IBMBNT Virtual Fabric
Stacking Links (DAC
cables included)
OAM-OS
Management and
Backup Network
Connection
IBMBNT
L23 Switch
1
1GbE 4 Ethernet
Copper RJ45
Connection to
Management andor
Backup Networks
2 Ethernet
Copper RJ45
Management Switch
Interconnect (when
connecting to
VRRPHSRP Routers)
IBMBNT
L23 Switch
2
1GbE 4 Ethernet
Copper RJ45
Connection to
Management andor
Backup Networks
2 Ethernet
Copper RJ45
Management Switch
Interconnect (when
connecting to
VRRPHSRP Routers)
OAM-LOM
Chassis Hardware
and Switch
(ldquoLights-Outrdquo)
Management and
IBM
Advanced
Management
Module 1
100Mbps 1 Ethernet
Copper RJ45
Connection to
Management Network
for Chassis Hardware
and Switch (ldquoLights-
Outrdquo) Management and
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7282
SIGNALING DELIVERY CONTROLLER
Product Description
72
wwwtraffixsystemscom
Monitoring Monitoring
IBMAdvanced
Management
Module 2
100Mbps 1 EthernetCopper RJ45
Connection toManagement Network
for Chassis Hardware
and Switch (ldquoLights-
Outrdquo) Management and
Monitoring
123 Addressing Scheme
SDC supports the following default scheme of IP addressing Detailed networking design isdone after Site Survey and Customer Workshop
Failure Type Automatic Remedy Action
Data Signaling 4 IP Addresses per Signaling Interface (eg Diameter)
Note
bull Additional addresses per signaling interfaces are
supported
bull Multiple signaling interfaces are supported
bull Multiple Networks andor VLANs supported
bull IPv4 and IPv6 are supported
bull SCTP Multi-Homing Supported
bull If Traffix Solution is required to perform L3 routing 3
addresses per subnet will be required for (for VRRP
Switch Redundancy)
OAM
Management and Backup Network
Connection
One IP Address per hardware blade plus one Management VIP (4
addresses in the baseline chassis configuration)
bull Additional Management VIPs are supported
bull Multiple addresses per blade are supported
bull Multiple Networks andor VLANs supported eg
dedicated Management and Backup Interface
bull Additional addresses will be required for a dedicated
Backup Network connection
OAM-LOM
Chassis Hardware and Switch
(ldquoLights-Outrdquo) Management and
Monitoring
Six (6) IP Addresses
bull 2 for Advanced Management Modules
bull 4 for Switch Management
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7382
SIGNALING DELIVERY CONTROLLER
Product Description
73
wwwtraffixsystemscom
13 HW Architecture and Performance
131
Supported HW
SDC runs on standard off-the-shelf HW such as
bull HP Blade System with Bl460c Gen8 Blades
bull HP DL380p Gen8 Rackmount Servers
bull IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability reliability and
redundancy
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7482
SIGNALING DELIVERY CONTROLLER
Product Description
74
wwwtraffixsystemscom
14 Appendix A ndash OAM Snapshots
Figure 44 Internal Cluster node status
Figure 45 Remote Peer Management
Figure 46 Session Management
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7582
SIGNALING DELIVERY CONTROLLER
Product Description
75
wwwtraffixsystemscom
Figure 47 Routing Management
Figure 48 Logging control
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7682
SIGNALING DELIVERY CONTROLLER
Product Description
76
wwwtraffixsystemscom
Figure 49 Auditing
Figure 50 Backup and Restore
Figure 51 User Management and Roles
Figure 52 Statistics and Performance reporting
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7782
SIGNALING DELIVERY CONTROLLER
Product Description
77
wwwtraffixsystemscom
Figure 53 Signaling KPI Report
Figure 54 Dashboard
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7882
SIGNALING DELIVERY CONTROLLER
Product Description
78
wwwtraffixsystemscom
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7982
SIGNALING DELIVERY CONTROLLER
Product Description
79
wwwtraffixsystemscom
15 Appendix B ndash Access Level Security
System management is done using secure protocols The access security supported in the
system is summarized in the table below
Solution
Element
Access
Control
Model
Access
MethodRolePermission Permission Description
SDC
Management
Permission-
based model
WebManagement
Console
Web Services
Read-Only User Read-Only Access
Operator Manage Diameter Peers andPools EnableDisable links
to Peers Backup and
Restore Configuration etc
Super-User
(Administrator)
Full Access
Operating
System
Permissionand Group-
based model
SSH SFTP Read-Only User Read-only access to logssystem files and
information
Operator (Configurable) In addition
to User permissions may be enabled to perform
selected administrationtasks (eg capture network
traffic samples)
Super-User
(Administrator)
Full access
ChassisHardware
Management
Role andPermission-
based model
WebManagement
Console
SNMP
SSH
Read-Only User Read-only access
Super-User
(Administrator)
Full access
Custom Role set (Configurable) Custom set
selected from a wide list of
roles with option to restrictaccess to specific sub-
elements
Networking
Hardware
Management
Permission-
based model
SSH Read-Only User Read-only access
Operator Read-Only access and
permission to make
temporary operational
configuration changes to
selected options and reset
ports
Super-User (
Administrator)
Full access
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 8082
SIGNALING DELIVERY CONTROLLER
Product Description
80
wwwtraffixsystemscom
SNMPMonitoring
and
Management
USM (User- based security
model)
SNMP USM user Per-user configuredReadWriteNotify
permissions to specified
SNMP objects(OIDs)
In addition to that SDC records of all user interactions in its auditing logs and all idle
OAM sessions are terminated
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 8182
SIGNALING DELIVERY CONTROLLER
Product Description
81
wwwtraffixsystemscom
16 Appendix C ndash Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 1F1F2
Figure 58 Detailed System Flow
2 More details are available in Pipelinexlsx and PeerFSMxlsx
Thread Pool
Resources Pool (BuffersQueues)
Protocol Dictionary
External Storage + Shared Memory
Idle Detector
Licensing
ACL
Decryption
Segmentation
In Flow Control
Prioritization
Decoder
Peer FSM
Peer Profile
In Transformation
Add Pending
Session
Routing + LB
Network
Encryption
Out Flow Control
Encoder
Peer FSM
Out Transformation
Remove Pending
Session
P2P
Message
Decision Table
Message Flow
Decision Flow
Groovy Scripting
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 8282
SIGNALING DELIVERY CONTROLLER
Product Description
About Traffix
Traffix is the Diameter control plane expert since 2005 leading this market with a range of
Diameter products deployed at over 100 operators worldwide Powered by the largest
workforce dedicated to Diameter Traffix supports telecommunications providers building
high capacity high performance data networks cost-effectively The Traffix Signaling
Delivery Controller (SDC) enables full connectivity unlimited scalability and
comprehensive control for operators to be ready for the LTE and 4G world
For more information visit wwwtraffixsystemscom
Office Locations
Traffix Systems UK Traffix Systems IL Traffix Systems USA
Fortis House 5B Hanagar Street 3587 Highway 9N 204
160 London Road Neve Neeman Freehold NJ
Barking Essex IG11 8BB Hod Hasharon 45240 07728UK Israel USA
Phone +44(0)20 8214 1384 Phone +972 (0) 9 788 9222 Phone +1 732 333 3416
Page 69
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 6982
SIGNALING DELIVERY CONTROLLER
Product Description
69
wwwtraffixsystemscom
12 Networking
121
Network redundancy
SDC applies the networking redundancy scheme for both TCP and SCTP transport
protocols The network redundancy is achieved using redundant pairs of Switch modules
(one pair for Signaling traffic and another pair for OampAM) and NIC bonding for TCP or
multi-homing SCTP
The local redundancy architecture as shown in Figure 43 is achieved in the following
way
- TCP VIP and SCTP VIP can be resident on the same or different SDC blades
- The traffic is distributed to all available SDC nodes within the cluster
- The TCP and SCTP traffic distribution will be done based on Diameter
messages using round-robin or other load balancing algorithm
- TCP and SCTP VIPs will not be dependent on each other
Blade Chassis
SDC WorkerNode
[Virtual Fabric Switch 2] External Ports10 x 10GbE + 1 x 1GB port
SDC WorkerNode
[L23 1GB Copper Switch A]
[L23 1GB Copper Switch B]
EXT-SCTP-A
EXT-SCTP-B
EXT-TCP-A
EXT-TCP
INT-SCTP-A
INT-SCTP-B
INT-TCP
Interswitch
Link
MGMT-A MGMT-B
[Virtual Fabric Switch 1] External Ports10 x 10GbE + 1 x 1GB port
INBAND
Connections to
upstream Routers
Interswitch
Link
SDC WorkerNode
TCP Vs S TCP Vs TCP VsS S S S S
S T S S T S
Virtual IP
For SCTP and TCP (all
VIPs are doubled per
Internal and ExternalNetworks
Figure 43 Local Network redundancy architecture
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7082
SIGNALING DELIVERY CONTROLLER
Product Description
70
wwwtraffixsystemscom
12.2 Physical Interfaces
The default physical interfaces and cabling of the SDC for HP and IBM infrastructures are detailed in the following tables.

HP BladeSystem c7000 Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| | HP Virtual Connect Flex-10 Module | 10GbE (or 1GbE) | 6 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | N/A | HP VC Flex-10 Stacking Links (no cables required) |
| OAM-OS: Management and Backup Network Connection | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | HP/BNT GbE2c L2/3 Switch 1 | 1GbE | 5 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| OAM-LOM: Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | HP Onboard Administrator Module 1 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | HP Onboard Administrator Module 2 | 1GbE | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
IBM BladeSystem HT Chassis

| Network | Switch | Interface Speed | Port Count | Connector type | Description |
|---|---|---|---|---|---|
| Data Signaling | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| | IBM/BNT Virtual Fabric Switch 1 | 10GbE (or 1GbE) | 8 | 10GbE Fiber 850mns or 1GbE Copper (RJ45) Ethernet | Data Signaling (Diameter, SIP, etc.) |
| | | | 2 | Passive DAC 10GbE | IBM/BNT Virtual Fabric Stacking Links (DAC cables included) |
| OAM-OS: Management and Backup Network Connection | IBM/BNT L2/3 Switch 1 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| | IBM/BNT L2/3 Switch 2 | 1GbE | 4 | Ethernet Copper RJ45 | Connection to Management and/or Backup Networks |
| | | | 2 | Ethernet Copper RJ45 | Management Switch Interconnect (when connecting to VRRP/HSRP Routers) |
| OAM-LOM: Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring | IBM Advanced Management Module 1 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
| | IBM Advanced Management Module 2 | 100Mbps | 1 | Ethernet Copper RJ45 | Connection to Management Network for Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring |
12.3 Addressing Scheme
SDC supports the following default scheme of IP addressing. Detailed networking design is done after Site Survey and Customer Workshop.

Failure Type | Automatic Remedy Action

Data Signaling: 4 IP Addresses per Signaling Interface (e.g. Diameter)
Note:
• Additional addresses per signaling interface are supported
• Multiple signaling interfaces are supported
• Multiple Networks and/or VLANs supported
• IPv4 and IPv6 are supported
• SCTP Multi-Homing Supported
• If Traffix Solution is required to perform L3 routing, 3 addresses per subnet will be required (for VRRP Switch Redundancy)

OAM (Management and Backup Network Connection): One IP Address per hardware blade plus one Management VIP (4 addresses in the baseline chassis configuration)
• Additional Management VIPs are supported
• Multiple addresses per blade are supported
• Multiple Networks and/or VLANs supported, e.g. dedicated Management and Backup Interface
• Additional addresses will be required for a dedicated Backup Network connection

OAM-LOM (Chassis Hardware and Switch (“Lights-Out”) Management and Monitoring): Six (6) IP Addresses
• 2 for Advanced Management Modules
• 4 for Switch Management
13 HW Architecture and Performance
13.1 Supported HW
SDC runs on standard off-the-shelf HW such as:
• HP Blade System with BL460c Gen8 Blades
• HP DL380p Gen8 Rackmount Servers
• IBM BladeCenter with HS22 Blades
For a scalable deployment, it is recommended to use a blade-based solution that provides chassis-based, high capacity HW architecture with inherent manageability, reliability and redundancy.
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

| Solution Element | Access Control Model | Access Method | Role/Permission | Permission Description |
|---|---|---|---|---|
| SDC Management | Permission-based model | Web Management Console, Web Services | Read-Only User | Read-Only Access |
| | | | Operator | Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc. |
| | | | Super-User (Administrator) | Full Access |
| Operating System | Permission and Group-based model | SSH, SFTP | Read-Only User | Read-only access to logs, system files and information |
| | | | Operator | (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples) |
| | | | Super-User (Administrator) | Full access |
| Chassis Hardware Management | Role and Permission-based model | Web Management Console, SNMP, SSH | Read-Only User | Read-only access |
| | | | Super-User (Administrator) | Full access |
| | | | Custom Role set | (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements |
| Networking Hardware Management | Permission-based model | SSH | Read-Only User | Read-only access |
| | | | Operator | Read-Only access and permission to make temporary operational configuration changes to selected options and reset ports |
| | | | Super-User (Administrator) | Full access |
| SNMP Monitoring and Management | USM (User-based security model) | SNMP | USM user | Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs) |

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 [2].
Figure 58: Detailed System Flow (diagram labels: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Groovy Scripting. Legend: Message Flow, Decision Flow)
[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx.
About Traffix
Traffix has been the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com
Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44 (0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold, NJ 07728, USA. Phone +1 732 333 3416
Page 72
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7282
SIGNALING DELIVERY CONTROLLER
Product Description
72
wwwtraffixsystemscom
Monitoring Monitoring
IBMAdvanced
Management
Module 2
100Mbps 1 EthernetCopper RJ45
Connection toManagement Network
for Chassis Hardware
and Switch (ldquoLights-
Outrdquo) Management and
Monitoring
123 Addressing Scheme
SDC supports the following default scheme of IP addressing Detailed networking design isdone after Site Survey and Customer Workshop
Failure Type Automatic Remedy Action
Data Signaling 4 IP Addresses per Signaling Interface (eg Diameter)
Note
bull Additional addresses per signaling interfaces are
supported
bull Multiple signaling interfaces are supported
bull Multiple Networks andor VLANs supported
bull IPv4 and IPv6 are supported
bull SCTP Multi-Homing Supported
bull If Traffix Solution is required to perform L3 routing 3
addresses per subnet will be required for (for VRRP
Switch Redundancy)
OAM
Management and Backup Network
Connection
One IP Address per hardware blade plus one Management VIP (4
addresses in the baseline chassis configuration)
bull Additional Management VIPs are supported
bull Multiple addresses per blade are supported
bull Multiple Networks andor VLANs supported eg
dedicated Management and Backup Interface
bull Additional addresses will be required for a dedicated
Backup Network connection
OAM-LOM
Chassis Hardware and Switch
(ldquoLights-Outrdquo) Management and
Monitoring
Six (6) IP Addresses
bull 2 for Advanced Management Modules
bull 4 for Switch Management
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7382
SIGNALING DELIVERY CONTROLLER
Product Description
73
wwwtraffixsystemscom
13 HW Architecture and Performance
131
Supported HW
SDC runs on standard off-the-shelf HW such as
bull HP Blade System with Bl460c Gen8 Blades
bull HP DL380p Gen8 Rackmount Servers
bull IBM BladeCenter with HS22 Blades
For a scalable deployment it is recommended to use a blade-based solution that provides
chassis-based high capacity HW architecture with inherent manageability reliability and
redundancy
14 Appendix A – OAM Snapshots
Figure 44: Internal Cluster node status
Figure 45: Remote Peer Management
Figure 46: Session Management
Figure 47: Routing Management
Figure 48: Logging control
Figure 49: Auditing
Figure 50: Backup and Restore
Figure 51: User Management and Roles
Figure 52: Statistics and Performance reporting
Figure 53: Signaling KPI Report
Figure 54: Dashboard
Figure 55: Topology Monitoring
Figure 56: Configured Tracing Rules
Figure 57: System and Site Monitoring
15 Appendix B – Access Level Security
System management is done using secure protocols. The access security supported in the system is summarized in the table below.

Solution Element: SDC Management
Access Control Model: Permission-based model
Access Method: Web Management Console, Web Services
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
• Super-User (Administrator): Full access

Solution Element: Operating System
Access Control Model: Permission and Group-based model
Access Method: SSH, SFTP
Role/Permission and Permission Description:
• Read-Only User: Read-only access to logs, system files and information
• Operator: (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
• Super-User (Administrator): Full access

Solution Element: Chassis Hardware Management
Access Control Model: Role and Permission-based model
Access Method: Web Management Console, SNMP, SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Super-User (Administrator): Full access
• Custom Role set: (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements

Solution Element: Networking Hardware Management
Access Control Model: Permission-based model
Access Method: SSH
Role/Permission and Permission Description:
• Read-Only User: Read-only access
• Operator: Read-only access and permission to make temporary operational configuration changes to selected options and reset ports
• Super-User (Administrator): Full access

Solution Element: SNMP Monitoring and Management
Access Control Model: USM (User-based security model)
Access Method: SNMP
Role/Permission and Permission Description:
• USM user: Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)

In addition, SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline
The detailed message flow through the SDC pipeline is shown in Figure 58 (footnote 2).
Figure 58: Detailed System Flow
Footnote 2: More details are available in Pipeline.xlsx and PeerFSM.xlsx
[Figure 58 labels, in extracted order: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting]
About Traffix
Traffix is the Diameter control plane expert since 2005, leading this market with a range of Diameter products deployed at over 100 operators worldwide. Powered by the largest workforce dedicated to Diameter, Traffix supports telecommunications providers building high capacity, high performance data networks cost-effectively. The Traffix Signaling Delivery Controller (SDC) enables full connectivity, unlimited scalability and comprehensive control for operators to be ready for the LTE and 4G world.
For more information visit www.traffixsystems.com

Office Locations
Traffix Systems UK: Fortis House, 160 London Road, Barking, Essex IG11 8BB, UK. Phone +44(0)20 8214 1384
Traffix Systems IL: 5B Hanagar Street, Neve Neeman, Hod Hasharon 45240, Israel. Phone +972 (0) 9 788 9222
Traffix Systems USA: 3587 Highway 9N 204, Freehold NJ 07728, USA. Phone +1 732 333 3416
Page 78
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7882
SIGNALING DELIVERY CONTROLLER
Product Description
78
wwwtraffixsystemscom
Figure 55 Topology Monitoring
Figure 56 Configured Tracing Rules
Figure 57 System and Site Monitoring
7172019 F5 Traffix SDC Product Description v40pdf
httpslidepdfcomreaderfullf5-traffix-sdc-product-description-v40pdf 7982
SIGNALING DELIVERY CONTROLLER
Product Description
79
wwwtraffixsystemscom
15 Appendix B – Access Level Security

System management is done using secure protocols. The access security supported in the system is summarized in the table below.

Table columns: Solution Element, Access Control Model, Access Method, Role/Permission, Permission Description.

Solution element: SDC Management
Access control model: Permission-based model
Access method: Web Management Console, Web Services
Roles and permissions:
  Read-Only User: Read-only access
  Operator: Manage Diameter Peers and Pools, Enable/Disable links to Peers, Backup and Restore Configuration, etc.
  Super-User (Administrator): Full access

Solution element: Operating System
Access control model: Permission and Group-based model
Access method: SSH, SFTP
Roles and permissions:
  Read-Only User: Read-only access to logs, system files and information
  Operator: (Configurable) In addition to User permissions, may be enabled to perform selected administration tasks (e.g. capture network traffic samples)
  Super-User (Administrator): Full access

Solution element: Chassis/Hardware Management
Access control model: Role and Permission-based model
Access method: Web Management Console, SNMP, SSH
Roles and permissions:
  Read-Only User: Read-only access
  Super-User (Administrator): Full access
  Custom Role set: (Configurable) Custom set selected from a wide list of roles, with option to restrict access to specific sub-elements

Solution element: Networking Hardware Management
Access control model: Permission-based model
Access method: SSH
Roles and permissions:
  Read-Only User: Read-only access
  Operator: Read-only access and permission to make temporary operational configuration changes to selected options and reset ports
  Super-User (Administrator): Full access

Solution element: SNMP Monitoring and Management
Access control model: USM (User-based security model)
Access method: SNMP
Roles and permissions:
  USM user: Per-user configured Read/Write/Notify permissions to specified SNMP objects (OIDs)

In addition, the SDC records all user interactions in its auditing logs, and all idle OAM sessions are terminated.
16 Appendix C – Low Level SDC Pipeline

The detailed message flow through the SDC pipeline is shown in Figure 58. [2]

Figure 58: Detailed System Flow
[Diagram not reproduced. Labels in the figure: Thread Pool; Resources Pool (Buffers/Queues); Protocol Dictionary; External Storage + Shared Memory; Idle Detector; Licensing; ACL; Decryption; Segmentation; In Flow Control; Prioritization; Decoder; Peer FSM; Peer Profile; In Transformation; Add Pending Session; Routing + LB; Network; Encryption; Out Flow Control; Encoder; Peer FSM; Out Transformation; Remove Pending Session; P2P Message; Decision Table; Message Flow; Decision Flow; Groovy Scripting.]

[2] More details are available in Pipeline.xlsx and PeerFSM.xlsx