Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| en:dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal_mirror [2024/12/12 07:38] – удалено - внешнее изменение (Дата неизвестна) 127.0.0.1 | en:dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal_mirror [2024/12/12 07:38] (current) – ↷ Страница перемещена из en:dpi:dpi_brief:install_point_ssg:instruction_instal_mirror в en:dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal_mirror elena.krasnobryzh | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Base SSG configuration for MIRROR scheme ====== | ||
| + | {{indexmenu_n> | ||
| + | - Prepare the server according to the [[en: | ||
| + | - Install and configure the [[en: | ||
| + | - Set an [[en: | ||
| + | - Apply for license installation and fastDPI to [[en: | ||
| + | - After installing them, the following settings must be made in **'' | ||
| + | |||
| + | Suppose the SCAT is connected as follows: | ||
| + | * '' | ||
| + | * '' | ||
| + | |||
| + | To set the DPI in mirroring mode, you have to specify the following in the configuration: | ||
| + | |||
| + | In the configuration for the inbound ports '' | ||
| + | <code bash> | ||
| + | in_dev=01-00.0: | ||
| + | </ | ||
| + | |||
| + | In the configuration for outgoing ports '' | ||
| + | <code bash> | ||
| + | tap_dev=01-00.3 | ||
| + | </ | ||
| + | |||
| + | Specify the mode – asymmetric | ||
| + | <code bash> | ||
| + | asym_mode=1 | ||
| + | </ | ||
| + | |||
| + | Specify the direction of '' | ||
| + | <code bash> | ||
| + | emit_direction=2 | ||
| + | tap_mode=2 | ||
| + | </ | ||
| + | |||
| + | <note important> | ||
| + | |||
| + | Specify that VLAN should be reset: | ||
| + | <code bash> | ||
| + | strip_tap_tags=1 | ||
| + | </ | ||
| + | |||
| + | Set MAC change: | ||
| + | <code bash> | ||
| + | replace_source_mac=00: | ||
| + | replace_destination_mac=78: | ||
| + | </ | ||
| + | |||
| + | Set the number of retries if there are network losses: | ||
| + | <code bash> | ||
| + | emit_duplication=3 | ||
| + | #here, 3 is the number of repetitions (duplicates) of a packet with redirect or blocking. | ||
| + | </ | ||
| + | |||
| + | ===== Implementation scheme and description of operation ===== | ||
| + | {{ en: | ||
| + | |||
| + | <note important> | ||
| + | |||
| + | ===== Header of the IP response packet ===== | ||
| + | - **Destination MAC** – MAC address of the router port where the response link is connected. | ||
| + | - **Source MAC** – MAC address of the '' | ||
| + | - **Source IP** – IP address of the restricted resource IP2. | ||
| + | - **Destination IP** – IP address of user IP1. | ||
| + | |||
| + | ===== Router configuration example ===== | ||
| + | The port on the router where the reply link from the SSG is included should be configured as a normal L3 port. The task is to receive a packet from the SSG and forward it to the subscriber based on the common routing tables. | ||
| + | |||
| + | Configuration example: | ||
| + | '' | ||
| + | |||
| + | <code bash> | ||
| + | #Settings on tha MX side: | ||
| + | description from_SSG_redirect; | ||
| + | unit 0 { | ||
| + | family inet { | ||
| + | address a.b.c.d/30; | ||
| + | } | ||
| + | } | ||
| + | </ | ||
| + | |||
| + | ===== Statistics collection ===== | ||
| + | <code bash> | ||
| + | # | ||
| + | netflow=8 | ||
| + | netflow_full_collector_type=2 | ||
| + | netflow_dev=eth3 | ||
| + | netflow_timeout=20 | ||
| + | netflow_full_collector=172.18.254.124: | ||
| + | netflow_rate_limit=30 | ||
| + | netflow_passive_timeout=40 | ||
| + | netflow_active_timeout=120 | ||
| + | |||
| + | # | ||
| + | ipfix_dev=eth3 | ||
| + | ipfix_tcp_collectors=172.18.254.124: | ||
| + | |||
| + | #SIP | ||
| + | ipfix_meta_tcp_collectors=172.18.254.124: | ||
| + | rlimit_fsize=32000000000 | ||
| + | </ | ||
| + | |||
| + | Further settings are made depending on which components are to be used. The settings are described in the [[en: | ||