Case studies for service providers: static.veracomp.pl/cdn/files/bj9j65-3sh/full.pdf ·...
TRANSCRIPT
© F5 Networks, Inc 2
1. Introduction to F5 architectures in Core Networks and Datacenters
2. Traffic monetization: content injection, header enrichment
3. Network Quality: TCP-acceleration, SPDY proxy
4. VAS: Parental Control, Security-as-a-Service
5. Network Cost reduction: Intelligent Traffic Steering, Gi-LAN consolidation,
6. Security
7. Virtualization: NFV+SDN use cases
Agenda / subjects
Complex architectures in the S/Gi network
Internet RTR FW DPI/TDF L2 Switch RTR
Mobile Devices
Video optimization Transparent caching URL filtering
Value-added services (VAS)
Control Plane
DNS PCRF IMS AAA HSS OCS DRA
Challenges
• Complex architecture, hard to scale
• Resulting high CapEx and OpEx
• Difficulty adding new services
LDNS
Static port80 based steering into VAS complex
Multiple point product solutions inline in the data path
CGNAT
LDNS
PGW/GGSN
A Changing Environment
SSL / SPDY INCREASE
• In many countries, SSL traffic (HTTPS and SPDY) on mobile networks is currently reaching around 50% of total Internet traffic
• Top web sites such as Google, Facebook, and Twitter use SPDY
• HTTP 2.0 being standardized in IETF with browsers requiring TLS encryption when setting up HTTP 2.0 connections
RISE OF ADAPTIVE BIT RATE VIDEO STREAMING
• Top video sites such as YouTube, Netflix, Hulu, and BBC iPlayer have all embraced ABR video technology
• Video is encoded at different bit rates, client dynamically chooses or changes appropriate bit rate based on network conditions
A Changing Environment
NFV & SDN
• Industry moving ahead on virtualization and NFV (Telco Cloud)
• The EPC and Gi LAN architecture are prime targets for NFV
• Service chaining POCs happening in many places
IPV6 ADOPTION
• IPv6 adoption is rising rapidly: over 4% of all users access Google via IPv6 (USA: 9.6%, Germany: 11.1%, France: 5.4%, Japan: 5.6%) (*)
• Still, apart from some exceptions, the IPv6 adoption rate in mobile networks remains low
(*) Source: https://www.google.com/intl/en/ipv6/statistics.html
The new Gi LAN should focus on …
Monetize Secure Optimize
Quality of Experience mgmt
Easy opt-in/opt-out modules
OTT partnerships & flexible charging
Intelligent steering to VAS
Consolidate L4-L7 functions
TCP Optimization
Migrate to NFV-based solution
Network Security (Gi FW)
Dynamic subscriber security
IPv4/IPv6 Transition
F5 in the S/Gi network – A Consolidated Approach Simplifying the delivery of network services
BEFORE F5
WITH F5
PGW/GGSN
Firewall
PGW/GGSN
Policy Enforcement
CGNAT Internet
Internet
LDNS URL Filtering
RTR
VAS layer
Static port 80 steering
Dynamic & intelligent steering
VAS layer
VIPRION
Key F5 network services – Optimize, Monetize, Secure
A unified platform and single management framework
Intelligent traffic management
CGNAT and IPv6 migration
ICSA certified network firewall
Policy enforcement
TCP optimization
Header Enrichment
Content Injection
URL filtering
(HTTP URI / HTTPS SNI)
Optimize the Gi LAN – Increase VAS Efficiency
INTELLIGENT STEERING
PGW/ GGSN
Internet
VIPRION
RTR
Data Center
Video
Optimization
Transparent
Caching
Parental
Controls
WAP
Gateway
Context-aware & policy-driven steering & intelligent service chaining
CONTEXT: SUBSCRIBER, DEVICE-TYPE, RAT-TYPE, CONTENT (VIDEO, URI, ...), CONGESTION
PCRF
Diameter Gx
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
Customers’ traffic recognition in 3 steps
DHCPv4 and DHCPv6 subscriber discovery
• In addition to Radius, use DHCP to discover subscribers
• Relay mode (L2 model)
• Forward mode (L3 model)
• Lightweight BNG functionality to cover
• Wireline market (DSL, FTTx)
• Wi-Fi market (L2 APs)
One new module
DHCP module: providing DHCP relay/proxy for IPv4 and IPv6
BIG-IP
DHCP MODULE
PEM LISTENER
SUBSCRIBER INTERNET
DHCP SERVER
POOL
Sub Mgmt Msgs
DHCPv4 and DHCPv6 subscriber discovery
DHCP OPTION 82
CODE | LENGTH | DATA
DATA: SUBOPTION CODE | SUBOPTION LENGTH | SUBOPTION DATA (repeated for each sub-option)
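The option 82 layout above is a nested code/length/data structure, and a parser for it has to bounds-check both levels. The following is an added example, not code from the slides or from F5: the option and sub-option numbers (82, sub-options 1 and 2) follow RFC 3046, while the sample bytes and the subscriber_key helper are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

RELAY_AGENT_INFO = 82                                # DHCPv4 option code (RFC 3046)
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id"}  # sub-option codes (RFC 3046)

class Option82Error(ValueError):
    """The options field or one of the sub-options is malformed."""

def find_option(options: bytes, wanted: int) -> Optional[bytes]:
    """Walk CODE/LENGTH/DATA triples and return the DATA of option `wanted`."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                 # pad option: a single byte with no length
            i += 1
            continue
        if code == 255:               # end option
            return None
        if i + 1 >= len(options):
            raise Option82Error("option code without a length byte")
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        if len(data) != length:
            raise Option82Error(f"option {code} runs past the end of the field")
        if code == wanted:
            return data
        i += 2 + length
    return None

def parse_option82(data: bytes) -> Dict[str, bytes]:
    """Split option 82 DATA into SUBOPTION CODE/LENGTH/DATA entries."""
    subs: Dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise Option82Error("sub-option header truncated")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise Option82Error(f"sub-option {code} runs past option 82")
        name = SUBOPTION_NAMES.get(code, f"suboption-{code}")
        if name in subs:
            raise Option82Error(f"sub-option {code} repeated")
        subs[name] = value
        i += 2 + length
    return subs

def subscriber_key(options: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Hypothetical helper: (circuit-id, remote-id) used as the subscriber identity."""
    data = find_option(options, RELAY_AGENT_INFO)
    if data is None:
        return None
    subs = parse_option82(data)
    if "circuit-id" not in subs or "remote-id" not in subs:
        return None
    return subs["circuit-id"], subs["remote-id"]

# Constructed sample: options field of a relayed DHCPDISCOVER (after the magic cookie).
CIRCUIT_ID = b"ge-0/0/1:100"
REMOTE_ID = bytes.fromhex("02005e100001")
_sub = bytes([1, len(CIRCUIT_ID)]) + CIRCUIT_ID + bytes([2, len(REMOTE_ID)]) + REMOTE_ID
SAMPLE_OPTIONS = bytes([53, 1, 1]) + bytes([RELAY_AGENT_INFO, len(_sub)]) + _sub + bytes([255])
```

A sub-option whose length byte points past the end of option 82 raises Option82Error instead of being silently truncated, so a malformed relay message never produces a partial subscriber identity.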
• Using DHCP to discover subscribers also makes it possible to
• Authenticate the subscriber
• Generate accounting records
DHCP subscriber discovery With Authentication
BIG-IP
DHCP MODULE
PEM LISTENER
SUBSCRIBER INTERNET
DHCP SERVER POOL
RADIUS AUTH. MODULE
Sub Mgmt Msgs
Auth Msgs
RADIUS SERVER POOL
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
Flow
URL categorization
Classification – DPI
iRule anything else you need
Customers’ traffic recognition in 3 steps
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
Customers’ traffic recognition in 3 steps
Monetize the Gi LAN – Opt-in / Opt-out Services
INTELLIGENT STEERING & SERVICE CHAINING
PGW/ GGSN
Internet
VIPRION
RTR
Data Center
Cloud
Storage
Security
Services
Parental
Controls
Streaming
Services
Subscriber-aware (PCRF controlled)
Traffic steering & Service chaining
PCRF
Diameter Gx
• PCRF controls steering and service chaining on a per subscriber basis (dependent on subscription)
• Any combination of services is possible
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
• Bandwidth enforcement
Customers’ traffic recognition in 3 steps
Monetize the Gi LAN – Bandwidth and QoE management
Even if the subscriber is entitled to more by the subscriber bandwidth policy, their P2P traffic is reduced to the configured value (512 kbps)
Gold Subscriber (20 Mbps)
Silver Subscriber (10 Mbps)
Bronze Subscriber (5 Mbps)
PER-SUBSCRIBER BANDWIDTH CONTROL
PER-SUBSCRIBER PER APPLICATION BANDWIDTH CONTROL
PGW/GGSN VIPRION
PGW/GGSN VIPRION
Gold Subscr total (20 Mbps)
Gold Subscr p2p (512 kbps)
PCRF
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
• Bandwidth enforcement
• Real-time billing
Customers’ traffic recognition in 3 steps
OTT MONETIZATION & FLEXIBLE CHARGING
Monetize the Gi LAN – OTT & Special Svc Monetization
PGW/GGSN VIPRION
Gold Subscr total (acct only)
OTT Service (acct + DSCP mark) PCRF
• Subscription models / bundles for OTT or specialized service
• Bundled into subscription for a lower fee
• OTT traffic excluded from volume bundle
• OTT traffic marked/tagged for differential treatment at radio layer
SPECIALIZED SERVICE
(MNO BRAND)
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
• Bandwidth enforcement
• Real-time billing
• Enrichment
Customers’ traffic recognition in 3 steps
• HTTP header enrichment for subscriber identification
• Content insertion (javascript) into HTTP payload to enable
• In-browser notifications
• Toolbar insertion
• Ad insertion
Monetize the Gi LAN – Content Insertion
BNG/BRAS
Internet
1. Content being sent back to subscriber; data maxed out
2. JavaScript insertion about quota max
3. Subscriber realizes they have maxed out data
CONTENT INJECTION / AD INSERTION
Ad server usually receives from F5:
• Customer ID
• Customer’s tariff plan.
• Last known location
• Original URN
• Destination IP and destination Geo Location
• Local time
Content injection – commercial deployment
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
• Bandwidth enforcement
• Real-time billing
• Enrichment
• Policing
Customers’ traffic recognition in 3 steps
1. Pass DNS, but apply an anti-DNS-tunneling iRule
2. Filter HTTP by built-in URL reputation + custom URL db
a) Dest IP anti-spoofing, to block /etc/hosts tricks.
b) Built-in DNS resolver/cache
c) Block HTTP tunnelling
3. Filter HTTPS by built-in URL reputation + custom URL db
a) Option 1: SNI checks
b) SSL forward proxy with banking whitelist
4. SMTP, POP3, IMAP steered via external mail filter
5. Additional white list for known good IP/ports
6. BLOCK
Parental control example
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
• Bandwidth enforcement
• Real-time billing
• Enrichment
• Policing
• CGNAT
Customers’ traffic recognition in 3 steps
LSN modes:
• Network Address Port Translation
• Deterministic NAT
• Port-Block Allocation
Carrier Grade NAT integration
1. Recognize subscriber
2. Ask for a policy
3. Recognize traffic
4. Treatment:
• Steering
• Bandwidth enforcement
• Real-time billing
• Enrichment
• Policing
• CGNAT
• iRules
Customers’ traffic recognition in 3 steps
Optimize the Gi LAN – Consolidate Network Functions
L2 switching MPLS L2 PE
L3 routing MPLS L3 PE
BRAS/BNG
Full Proxy (TCP opt, HHE)
Firewall
L3/L4 Steering
Policy Enforcement
CGNAT
TCP OPTIM
DPI/PCEF
L7 STEERING
FW/CGN
HTTP HE
2010–2014 2005–2010 L2–L3 L4–L7
IP ROUTING
MPLS L2 PE
MPLS L3 PE
BRAS/BNG
Multi-service router
Dedicated platforms, different vendors
Single platform, L2–L3 consolidation
Dedicated platforms, different vendors
Unified platform, L4–L7 consolidation
Optimize the Gi LAN – TCP Optimization
Minimal Buffer Bloat
Flow Fairness
High Goodput
VIPRION
Origin
Server
INTERNET
PGW/ GGSN
RTR
2G/3G
LTE
Mobile
Client
TCP EXPRESS
Cell-optimized TCP stack WAN-optimized TCP stack
TCP Optimization Helps Avoid Bufferbloat
RTT graphs are based on two file downloads under good 3G coverage
NON-OPTIMIZED (11 Mbps)
(up to 2.5 seconds latency)
OPTIMIZED (11 Mbps)
(constant 200 ms latency)
LATENCY MAY NOT DESTROY THROUGHPUT, BUT WILL DEGRADE BROWSING EXPERIENCE
HTTP Performance Tests – Location Variances (3G)
[Charts: four panels, each comparing Business center, Shopping mall and Residential area. Case 1 – 100 * 64KB images; Case 2 – 1 * 10MB image; Case 3 – Regular website 1; Case 4 – Regular website 2. Series: Optimized (sec), As-is (sec), Improvement (%).]
Ref test: duckduckgo.com (25 samples on 4G)
HTTPS/SPDY Performance Tests
TCP OPTIMIZATION PROVIDES ADDITIONAL BENEFITS ON TOP OF SPDY BENEFITS
[Chart: Impact SPDY/Optimizer, gain in download time (%): Non-SPDY 0%; SPDY 11%; Non-SPDY-OPT 23%; SPDY-OPT 31%]
[Chart: Impact SPDY/Optimizer, page download time (seconds): Non-SPDY 1.64; SPDY 1.46; Non-SPDY-OPT 1.27; SPDY-OPT 1.16]
• HTTP inefficient and outdated
• HTTP protocol inefficiencies have a negative impact on mobile web browsing experience
• Due to higher latencies in mobile networks
• SPDY: New app layer protocol developed by Google
• Overcomes inherent inefficiencies with HTTP
• Improved performance (~ 20-50%)
• Good for low bandwidth / high latency mobile networks
• Forms the basis for HTTP 2.0 in IETF
SPDY – Load Web Pages Faster
F5’s HTTP - to - SPDY Gateway (Data Center / Reverse Proxy)
1) Client connects to BIG-IP via HTTP
2) BIG-IP sends “Alternate-Protocol: 443:npn-spdy/2” header
3) Client sends GET request via SPDY
4) BIG-IP converts SPDY request to HTTP and sends to server
5) Server sends HTTP response, BIG-IP converts to SPDY and sends to client
SPDY 2
SPDY 3
SPDY 3.1
HTTP 2.0 (experimental)
A Normal SSL Transaction
TCP Connection
SSL Client Hello
Server Hello (plus
Certificate)
Server Certificate Validation
HTTP/S Requests and
Responses
Client/Browser Web Service
Internet
Or WAN
Trusted CA
Certificates
Server
Certificate
SSL Transaction with F5 SSL Forward Proxy
TCP Connection
SSL Client Hello
Server Hello (plus
Certificate)
Server Certificate Validation
HTTP Requests and
Responses
Client/Browser Web Service
Internet
Or WAN
Trusted CA
Certificates
Server
Certificate
BIG-IP
Proxied! Proxied! Intercepted!
New Server
Certificate
Service Provider
CA Cert
Spoofed! Optimizable!
Original Server Certificate Forged Server Certificate
Original server certificate vs forged certificate
3/11/2015 70
Protecting the Radio Resources
Service Delivery Controller
(LTM)
After
Before
Cleans only 2-3% of bad traffic
Paging 1000s of handsets can cause CPU to spike and cause RNC out of service
SYN ACK and port scan attack
SYN ACK and port scan attack
• Protection of the Radio Area Network
• Reduced CapEx Spend on expansion of RNC
• Maintained good network User Experience
• Simplified Traffic Plane – Consolidated Gi Firewall, IDS/IPS, Traffic Steering, Analytics
VS VS
SYN
SYN ACK
ACK SYN
F5 Full Proxy
Architecture
3 Way TCP
Handshake
By adding a VS on the Internet-facing side, all the SYN ACK traffic was dropped. By further adding a source IP counter/time, port scans were detected and dropped. 98% of attacks dropped.
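The two controls described above, dropping SYN-ACKs that answer no subscriber SYN and counting probes per source IP over time, can be modelled as a small connection-aware filter. This is an added example, not F5 configuration or code from the slides: the class, the threshold and window values, and the packets (documentation addresses) are all constructed for illustration.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10   # TCP flag bits


class InboundFilter:
    """Connection-aware filter for the Internet-facing side (illustrative model)."""

    def __init__(self, window=10.0, max_targets=20):
        self.window = window              # seconds a probe stays in the counter
        self.max_targets = max_targets    # distinct (ip, port) targets allowed per window
        self.pending = set()              # subscriber SYNs awaiting a SYN-ACK
        self.established = set()          # flows whose handshake the filter has seen
        self.probes = defaultdict(deque)  # source ip -> (timestamp, target) entries
        self.blocked = set()              # sources flagged as scanners

    def outbound(self, src, sport, dst, dport, flags):
        """Record a subscriber-initiated SYN so the matching SYN-ACK is expected."""
        if flags & SYN and not flags & ACK:
            self.pending.add((src, sport, dst, dport))

    def inbound(self, ts, src, sport, dst, dport, flags):
        """Return the verdict for one packet arriving from the Internet."""
        flow = (dst, dport, src, sport)   # same flow, keyed from the subscriber side
        if src in self.blocked:
            return "drop:blocked-source"
        if flags & SYN and flags & ACK:
            if flow in self.pending:
                self.pending.discard(flow)
                self.established.add(flow)
                return "pass"
            return "drop:unsolicited-syn-ack"
        if flags & SYN:
            return self._count_probe(ts, src, (dst, dport))
        return "pass" if flow in self.established else "drop:no-connection"

    def _count_probe(self, ts, src, target):
        """Source IP counter over time: too many distinct targets means a scan."""
        q = self.probes[src]
        q.append((ts, target))
        while ts - q[0][0] > self.window:
            q.popleft()
        if len({t for _, t in q}) > self.max_targets:
            self.blocked.add(src)
            return "drop:port-scan"
        return "pass"


def run_constructed_traffic():
    """Feed constructed packets (documentation addresses) through the filter."""
    f = InboundFilter(window=10.0, max_targets=20)
    verdicts = []
    f.outbound("10.0.0.5", 40000, "203.0.113.10", 443, SYN)
    verdicts.append(f.inbound(0.1, "203.0.113.10", 443, "10.0.0.5", 40000, SYN | ACK))
    verdicts.append(f.inbound(0.2, "198.51.100.7", 80, "10.0.0.9", 1234, SYN | ACK))
    for port in range(1, 26):   # one source probing 25 ports within 2.5 seconds
        verdicts.append(f.inbound(1 + port / 10, "198.51.100.99", 55555, "10.0.0.5", port, SYN))
    return verdicts
```

Only the SYN-ACK that answers a recorded subscriber SYN passes; every other SYN-ACK is dropped before it can reach the radio side, and the scanning source is blocked once it exceeds the per-window target count.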
Secure the Gi LAN
IPV6 CENTRIC NAT64 / 464XLAT: Migration to IPv6 only architecture using NAT64/DNS64 and/or 464XLAT
IPV4 CENTRIC NAT44: Solving the IPv4 address exhaustion problem with NAT44 (with CGN acting as FW)
GI FIREWALL (IPV4/V6) & NETWORK DDOS: Protect network infrastructure and radio resources against outside threats
NAT 44
NAT44
Secure the Gi LAN – IPv4 centric / NAT44
Public IPv4 address space Private IPv4 address space
VIPRION PGW/ GGSN
RTR Internet
NAT44
• Dynamic NAPT, Deterministic NAPT, Port Block Allocation
• Extensive ALG, hairpinning and EIF/EIM support
• Unprecedented scale & performance (Gbps, cps, max conns)
• High-Speed logging with flexible log field inclusion/exclusion
Secure the Gi LAN – IPv6 centric / NAT64 & 464XLAT
NAT64/DNS64 & 464XLAT
Public IPv4 address space
Public IPv6 address space
VIPRION PGW/ GGSN
RTR Internet
NAT64
• NAT64/DNS64 and 464XLAT support for IPv4-only destinations
• Gi firewall for native IPv6 traffic
• Unprecedented scale & performance (Gbps, cps, max conns) for both NAT and Gi firewall
464XLAT
IPV6 FW Public IPv6 address space
Public IPv4 address space
DNS64
Secure the Gi LAN – Gi Firewall & DDOS Mitigation
GI FIREWALL & DDOS MITIGATION
Public IPv4 address space
Public IPv6 address space
VIPRION PGW/ GGSN
RTR Internet
IPV4 FW
• Unprecedented scale & performance (Gbps, cps, max conns) for Gi firewall
• BIG-IQ for Centralized management of security policies & DDOS profiles
• Protection against device vulnerabilities (battery drain attacks, malware) and network vulnerabilities (RAN resource exhaustion, revenue leakage, policy violations)
IPV6 FW Public IPv6 address space
Public IPv4 address space
BIG-IQ
Network Capacity
[Charts: four panels (Throughput, Connections per second, Sessions, Footprint) comparing F5 (VIPRION 4480), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000). Axis units shown: Gbps, millions, millions, rack units. Multipliers shown on the charts: 2x, 14x, 22x, 10x.]
Application-Oriented Policies and Reports
Firewall policies and reports oriented around the application
Optimize the Gi LAN – NFV-Ready
A stepwise approach: From VAS bursting to full NFV solution
PGW/ GGSN
Internet RTR
Video
Optimization
VM Management
and Orchestration
Transparent
Caching
URL Filtering Parental
Controls
Hypervisor
VNF VNF VNF
Hypervisor
VNF VNF VNF
Hypervisor
VNF VNF VNF
Hypervisor
VNF VNF VNF
Gi VAS
ADC Firewall DNS
VIPRION
CGNAT TCP
Optimization Policy
Enforcement
Control Plane
Data Plane
Software-Defined Network
SDN Controller
Layer 2-3 Fabric
VXLAN Virtual and Overlay Networks NVGRE
F5 & SDN
Orchestrator iApps
Open
REST
APIs
L4-7 Stateful Fabric
Monetize the Gi LAN
From flat fee to value based pricing models
OPT-IN / OPT-OUT VALUE ADDED SERVICES: Intelligent and context-aware traffic steering to value added service platforms based on a subscriber opt-in/opt-out model
OTT MONETIZATION & FLEXIBLE CHARGING: Monetizing OTT services by flexible charging mechanisms and OTT partnerships for service differentiation
BANDWIDTH CONTROL & QOE MANAGEMENT: Bandwidth controls, TCP optimization and context-aware traffic management
HEADER ENRICHMENT & CONTENT INSERTION: Content insertion for toolbar injection or ad insertion. HTTP header enrichment for identification purposes
Optimize the Gi LAN
CONSOLIDATE NETWORK FUNCTIONS: Consolidation of L4-L7 functions into a single platform (steering, DPI, firewall, CGNAT, ...)
INCREASE VAS LAYER EFFICIENCY: Context-aware and policy-enabled traffic steering to offload VAS & optimization services complex
TCP OPTIMIZATION: Increase throughput and improve web page load times on the radio network
NFV-READY (VAS BURSTING): As traffic increases, scale to meet demand with VAS service bursting and improve end user experience and application performance
Advantages of S/Gi network consolidation with F5
$1.1 million Projected 5-year cost savings for 20M subscribers
36-46% lower TCO
[Chart: S/Gi Network Simplification: 5-Year Cumulative TCO, CapEx and OpEx in millions (axis $- to $4), F5 Networks vs Alternative Point Products; 36% Lower Cost]
Consolidating mobile policy and security Use case
Protection for networks
and applications
Fewer devices translates to lower
latency for subscribers
Consolidation of firewall,
application security, and traffic
management
BEFORE F5
WITH F5
Load
Balancer
Firewall
DNS Security
Network DDoS
Load Balancer & SSL
Application DDoS
Web Application Firewall
Web Access Management
Chain is as strong as its weakest link
Take a phased approach to this architecture …
Immediate pain point: implementation phases, leading to the target S/Gi network
Address IPv4 depletion: 1 CGNAT, 2 S/Gi FW, 3 PEM, 4 NFV, 5 HE
Security at scale: 1 S/Gi FW, 2 CGNAT, 3 ITM, 4 PEM, 5 NFV
Improve VAS: 1 ITM, 2 S/Gi FW, 3 NFV, 4 CGNAT, 5 PEM
• Different approaches for different needs and priorities
• Flexibility and extensibility to future-proof your network
F5 Consolidated Gi LAN solution
If I can be of further assistance please contact me:
[email protected] | +48 609 790 124
Monetize Secure Optimize
Quality of Experience mgmt
Easy opt-in/opt-out modules
OTT partnerships & flexible charging
Intelligent steering to VAS
Consolidate L4-L7 functions
TCP Optimization
Migrate to NFV-based solution
Network Security (Gi FW)
Dynamic subscriber security
IPv4/IPv6 Transition
F5 for L4-L7 Consolidation Context-aware full-proxy architecture
Network
Session
Application
Web application
Physical
Client / Server
TCP optimization
DPI analysis
Context-aware Steering
Service Chaining
Bandwidth control
Accounting/Charging
HTTP hdr inspect – filter
HTTPS / SSL SNI check
URL classification
Network
Session
Application
Web application
Physical
Client / Server
Gi Firewall, CGNAT
DPI analysis
HTTP hdr enrich
HTTP hdr inspect - filter
Context
Subscriber-id, Device-type,
Application, RAT-Type,
Congestion level, ...
L4
L7