Base SSG configuration for MIRROR scheme [Документация VAS Experts]
Документация VAS Experts Документация VAS Experts-mobile
in

Settings

  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks
  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks

    • Differences

    This shows you the differences between two versions of the page.

    Link to this comparison view

    Both sides previous revisionPrevious revision
    Next revision    		Previous revision
    en:dpi:dpi_brief:install_point_ssg:instruction_instal_mirror [2023/08/30 12:03] elena.krasnobryzhen:dpi:dpi_brief:install_point_ssg:instruction_instal_mirror [2025/05/23 14:02] (current) – ↷ Page moved from en:dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal_mirror to en:dpi:dpi_brief:install_point_ssg:instruction_instal_mirror elena.krasnobryzh
    Line 1: Line 1:
    -====== instruction_instal_mirror ======+====== Base SSG configuration for MIRROR scheme ====== 
     +{{indexmenu_n>4}} 
     + 
     +  - Prepare the server according to the [[en:dpi:dpi_brief:dpi_requirements|installation requirements]]. 
     +  - Install and configure the [[en:veos:first_install:ipsetincenos|VEOS OS]] 
     +  - Set an [[en:veos:first_install:ipsetincenos|IP address]]. 
     +  - Apply for license installation and fastDPI to [[en:dpi:techsupport_info|Service Desk]]. 
     +  - After installing them, the following settings must be made in **''etc/dpi/fastdpi.conf''**:   
     + 
     +Suppose the SSG is connected as follows: 
     +  * ''01-00.0, 01-00.1, 01-00.2'' – receive the mirror traffic 
     +  * ''01-00.3'' – connected to a router that receives and forwards responses to subscribers and to the internet. 
     + 
     +To set the DPI in mirroring mode, you have to specify the following in the configuration: 
     + 
     +In the configuration for the inbound ports ''in_dev'' set the ports that accept mirror traffic: 
     +<code bash> 
     +in_dev=01-00.0:01-00.1:01-00.2 
     +</code> 
     + 
     +In the configuration for outgoing ports ''tap_dev'' set the port to which the forwarding response is sent: 
     +<code bash> 
     +tap_dev=01-00.3 
     +</code> 
     + 
     +Specify the mode – asymmetric 
     +<code bash> 
     +asym_mode=1 
     +</code> 
     + 
     +Specify the direction of ''tap_dev'' responses: 
     +<code bash> 
     +emit_direction=2 
     +tap_mode=2 
     +</code> 
     + 
     +<note important>To send responses in mirroring mode it is correct to use an additional 1GbE card such as intel i350 (+ DNA license), configure a separate port in the system to send **tap_dev** forwarding, and use 10GbE ports for **in_dev** mirrored traffic flows.</note> 
     + 
     +Specify that VLAN should be reset: 
     +<code bash> 
     +strip_tap_tags=1 
     +</code> 
     + 
     +Set MAC change: 
     +<code bash> 
     +replace_source_mac=00:25:90:E9:43:59 #- MAC address of card out_dev - dna0 
     +replace_destination_mac=78:19:F7:0E:B1:F4 #- MAC address of the router, or the routing switch 
     +</code> 
     + 
     +Set the number of retries if there are network losses: 
     +<code bash> 
     +emit_duplication=3  
     +#here, 3 is the number of repetitions (duplicates) of a packet with redirect or blocking. 
     +</code> 
     + 
     +===== Implementation scheme and description of operation ===== 
     +{{ en:dpi:dpi_brief:install_point_ssg:mirror_en.png?nolink&900 |}} 
     + 
     +<note important>When a request for a restricted resource is detected, the SSG sends an HTTP redirect to a placeholder page to the subscriber (IP1).\\ A TCP RST packet is sent to the restricted resource (IP2) to drop the connection. Blocking (HTTPS) and redirecting (HTTP) occurs because the SSG responds to the request from IP1 faster than IP2.</note> 
     + 
     +===== Header of the IP response packet ===== 
     +  - **Destination MAC** – MAC address of the router port where the response link is connected. 
     +  - **Source MAC** – MAC address of the ''out_dev'' card. 
     +  - **Source IP** – IP address of the restricted resource IP2. 
     +  - **Destination IP** – IP address of user IP1. 
     + 
     +===== Router configuration example ===== 
     +The port on the router where the reply link from the SSG is included should be configured as a normal L3 port. The task is to receive a packet from the SSG and forward it to the subscriber based on the common routing tables. 
     + 
     +Configuration example: 
     +''eth1'' is connected to the Juniper MX side 
     + 
     +<code bash> 
     +#Settings on tha MX side: 
     +description from_SSG_redirect; 
     +unit 0 { 
     +  family inet { 
     +  address a.b.c.d/30; 
     +  } 
     +
     +</code> 
     + 
     +===== Statistics collection ===== 
     +<code bash> 
     +#FullNetflow/IPFIX 
     +netflow=8 
     +netflow_full_collector_type=2 
     +netflow_dev=eth3 
     +netflow_timeout=20 
     +netflow_full_collector=172.18.254.124:1500 
     +netflow_rate_limit=30 
     +netflow_passive_timeout=40 
     +netflow_active_timeout=120 
     + 
     +#ClickStream/IPFIX 
     +ipfix_dev=eth3 
     +ipfix_tcp_collectors=172.18.254.124:1501 
     + 
     +#SIP 
     +ipfix_meta_tcp_collectors=172.18.254.124:1511 
     +rlimit_fsize=32000000000 
     +</code> 
     + 
     +Further settings are made depending on which components are to be used. The settings are described in the [[en:dpi:dpi_components|]] section.