Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| en:dpi:dpi_brief:install_point_ssg:instruction_instal_mirror:start [2023/12/27 07:26] – elena.krasnobryzh | en:dpi:dpi_brief:install_point_ssg:instruction_instal_mirror:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== The SSG installation manual using MIRRORING installation scheme ====== | ||
| - | {{indexmenu_n> | ||
| - | - Prepare the server according to the [[en: | ||
| - | - Install and configure the [[en: | ||
| - | - Set an [[en: | ||
| - | - Apply for license installation and fastDPI to [[en: | ||
| - | - After installing them, the following settings must be made in **'' | ||
| - | |||
| - | Suppose the SCAT is connected as follows: | ||
| - | * '' | ||
| - | * '' | ||
| - | |||
| - | To set the DPI in mirroring mode, you have to specify the following in the configuration: | ||
| - | |||
| - | In the configuration for the inbound ports '' | ||
| - | <code bash> | ||
| - | in_dev=01-00.0: | ||
| - | </ | ||
| - | |||
| - | In the configuration for outgoing ports '' | ||
| - | <code bash> | ||
| - | tap_dev=01-00.3 | ||
| - | </ | ||
| - | |||
| - | Specify the mode – asymmetric | ||
| - | <code bash> | ||
| - | asym_mode=1 | ||
| - | </ | ||
| - | |||
| - | Specify the direction of '' | ||
| - | <code bash> | ||
| - | emit_direction=2 | ||
| - | tap_mode=2 | ||
| - | </ | ||
| - | |||
| - | <note important> | ||
| - | |||
| - | Specify that VLAN should be reset: | ||
| - | <code bash> | ||
| - | strip_tap_tags=1 | ||
| - | </ | ||
| - | |||
| - | Set MAC change: | ||
| - | <code bash> | ||
| - | replace_source_mac=00: | ||
| - | replace_destination_mac=78: | ||
| - | </ | ||
| - | |||
| - | Set the number of retries if there are network losses: | ||
| - | <code bash> | ||
| - | emit_duplication=3 | ||
| - | #here, 3 is the number of repetitions (duplicates) of a packet with redirect or blocking. | ||
| - | </ | ||
| - | |||
| - | ===== Implementation scheme and description of operation ===== | ||
| - | {{ en: | ||
| - | |||
| - | <note important> | ||
| - | |||
| - | ===== Header of the IP response packet ===== | ||
| - | - **Destination MAC** – MAC address of the router port where the response link is connected. | ||
| - | - **Source MAC** – MAC address of the '' | ||
| - | - **Source IP** – IP address of the restricted resource IP2. | ||
| - | - **Destination IP** – IP address of user IP1. | ||
| - | |||
| - | ===== Router configuration example ===== | ||
| - | The port on the router where the reply link from the SSG is included should be configured as a normal L3 port. The task is to receive a packet from the SSG and forward it to the subscriber based on the common routing tables. | ||
| - | |||
| - | Configuration example: | ||
| - | '' | ||
| - | |||
| - | <code bash> | ||
| - | #Settings on tha MX side: | ||
| - | description from_SSG_redirect; | ||
| - | unit 0 { | ||
| - | family inet { | ||
| - | address a.b.c.d/30; | ||
| - | } | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | ===== Statistics collection ===== | ||
| - | <code bash> | ||
| - | # | ||
| - | netflow=8 | ||
| - | netflow_full_collector_type=2 | ||
| - | netflow_dev=eth3 | ||
| - | netflow_timeout=20 | ||
| - | netflow_full_collector=172.18.254.124: | ||
| - | netflow_rate_limit=30 | ||
| - | netflow_passive_timeout=40 | ||
| - | netflow_active_timeout=120 | ||
| - | |||
| - | # | ||
| - | ipfix_dev=eth3 | ||
| - | ipfix_tcp_collectors=172.18.254.124: | ||
| - | |||
| - | #SIP | ||
| - | ipfix_meta_tcp_collectors=172.18.254.124: | ||
| - | rlimit_fsize=32000000000 | ||
| - | </ | ||
| - | |||
| - | Further settings are made depending on which components are to be used. The settings are described in the [[en: | ||