StoneWork Logo 1

Network Functions as StoneWork Modules.

StoneWork’s modular architecture dynamically integrates all network functions from our portfolio.

Customers are given the choice of their own StoneWork module configuration. No matter how many network functions you choose, you will always have a feature-rich control plane capabilities by preserving a single, high-performance data plane.



The BGP (Border Gateway Protocol) network function provides routing & reachability functionality. Based on GoBGP and Ligato control/management plane.


VPP based NAT64 network function that allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP using Network Address Translation defined in RFC6146.


VPP based NAT464 network function provides a limited IPv4 connectivity across an IPv6-only network using a combination of stateful & stateless address translation – 464XLATe

transit tunnel

Transit Tunnel uses VPP data plane to forward traffic to/from a remote GRE/VXLAN tunnel endpoint (another network function/external router).

rate limiter

Rate Limiter uses the VPP dataplane with an additional plugin to rate-limit traffic, passing between two interfaces of the network function


Router provides L3 routing between multiple network function interfaces, based on dynamic routing protocols.


Our Switch as a network function, provides L2 forwarding between multiple network function interfaces inside VPP data plane. Some provided features are: Static FIB / MAC learning, proxy ARP, ARP termination, VLAN support.



ACL-based (Access Control List) Firewall between network function interfaces with VPP data plane and Ligato management plane.


Snort-based IDS (Intrusion Prevention/Detection System) network function with Ligato management plane. Allows to detect/prevent latest threats in communication between interfaces.


A VPN (Virtual Private Network) provides a convenient and secure way to access protected services from your private network, from anywhere in the world.

Advanced Tip: We also offer a standalone VPN called EntGuard, aimed at enterprise deployments.


Our IPSec network function forwards traffic to/from a remote IPSec peer (another network function / IPsec client / external router) to the desired destination.

Used in most VPNs. Have you read about EntGuard, our enterprise VPN solution?



A must-have in network functions. A DHCP Server (Dynamic Host Configuration Protocol) as a network function. Automatically assigns IP addresses and other specifics to devices in the network.

This solution is based on ISC Kea DHCP server and Ligato management plane.

A VPP-based DHCP-Proxy network function that forwards DHCP (Dynamic Host Configuration Protocol) requests – received on a network function interface – to a remote DHCP server and proxies the DHCP replies to clients.

Supports multiple backend DHCP servers and allows configuring multiple VRFs (L3 partitioning).


DNS Server (Domain Name System) network function. An elementary part of your network, which helps recognize network destinations. This solution is based on BIND 9 and Ligato management plane.


RADIUS as a network function (Remote Authentication Dial-In User Service) provides Authentication, Authorization & Accounting (AAA) user management, when connecting and using a network service.


IPFIX (IP Flow Information  Export) exports information about network flows passing between two interfaces of the network function, to pre-configured IPFIX collectors. Used to collect & analyze flow data.

port mirror

Port Mirror uses the SPAN (Switched Port Analyzer) feature of VPP dataplane to mirror traffic passing between two network function interfaces, into a third interface, which is typically connected to a Traffic Analyzer.

traffic analyzer

Traffic Analyzer integrates ntopng with Ligato to provide an analysis and web-based visualization of all traffic coming to the network function (e.g. mirrored by the Port Mirror network function), network flows exported by networking devices or Network Flow Exporter.

More About StoneWork @