Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| en:dpi:faq:first_install:install_mirror_mode [2019/03/04 10:37] – lexx26 | en:dpi:faq:first_install:install_mirror_mode [2024/07/29 12:35] (current) – removed elena.krasnobryzh | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== 2 Out-of-line network schema for SCAT ====== | ||
| - | {{indexmenu_n> | ||
| - | (SPAN ports or optical splitter) | ||
| - | {{ : | ||
| - | |||
| - | |||
| - | if block url is detected SCAT sends HTTP redirect for browser to stub WEB page with information about blocking. | ||
| - | |||
| - | ===== Packet headers: ===== | ||
| - | |||
| - | * Destination MAC - routers' | ||
| - | * Source MAC - out_dev NICs' MAC | ||
| - | * Source IP - IP of blocked host (IP2) | ||
| - | * Destination IP - users' IP (IP1) | ||
| - | |||
| - | VLAN can be keeped or cleared by configurable parameter. | ||
| - | |||
| - | To IP2 (blocked host) sending a packet with TCP RST for connection reset. | ||
| - | Blocking (HTTPS) and redirecting (HTTP) ocures because of difference in response time between SCAT and blocked host. SCAT is close to users' IP1 then blocked IP2. | ||
| - | |||
| - | ===== Router settings ===== | ||
| - | Router port where SCATs' outgoing link is pluged in has to be L3 mode as usual. Main task is receive packet from SCAT and route it by subscrider by general routing tables. | ||
| - | |||
| - | Config sample for Juniper: | ||
| - | To Juniper MX pluged in eth1 | ||
| - | * Juniper MX settings: | ||
| - | * description from_SKAT_redirect; | ||
| - | * unit 0 { | ||
| - | * family inet { | ||
| - | * address a.b.c.d/30; | ||
| - | * } | ||
| - | * } | ||
| - | |||
| - | |||
| - | |||
| - | ====== SCAT Config sample ====== | ||
| - | Let SKAT be connected as follows: | ||
| - | dna1, | ||
| - | dna0 - is connected to the router that receives and redirects subscribers' | ||
| - | |||
| - | One has to configure DPI for mirrored traffic processing as follows: | ||
| - | |||
| - | First, assign the input ports that receive the mirrored traffic to in_dev: | ||
| - | |||
| - | in_dev=dna1: | ||
| - | |||
| - | Second, assign the ports that get the redirection request to tap_dev: | ||
| - | |||
| - | tap_dev=dna0 | ||
| - | |||
| - | Enable asymmetric mode: | ||
| - | asym_mode=1 | ||
| - | | ||
| - | Set direction of replies tap_dev: | ||
| - | emit_direction=2 | ||
| - | tap_mode=2 | ||
| - | |||
| - | Set to clear VLAN in outgoing packets: | ||
| - | strip_tap_tags=1 | ||
| - | | ||
| - | And configure MAC replacement: | ||
| - | replace_source_mac=00: | ||
| - | replace_destination_mac=78: | ||
| - | |||
| - | Set number of packets repeats, for unstable delivery in networks: | ||
| - | emit_duplication=3 | ||
| - | here 3 - number repeats of packets with redirection or RST (dublicates packets send with RST or redirection) | ||
| - | |||
| - | It is advised to use an additional 1GbE network card to send the replies in mirrored traffic mode. For example, intel i350 (with DNA license) can be used. This allows to configure an individual port for sending redirection replies and to reserve 10GbE ports to receive the mirrored traffic. | ||