Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| en:dpi:faq:first_install:install_mirror_mode [2023/08/28 14:37] – ↷ Links adapted because of a move operation elena.krasnobryzh | en:dpi:faq:first_install:install_mirror_mode [2024/07/29 12:35] (current) – removed elena.krasnobryzh | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== 2 Out-of-line network schema for VAS Experts DPI ====== | ||
| - | {{indexmenu_n> | ||
| - | (SPAN ports or optical splitter) | ||
| - | {{ en: | ||
| - | |||
| - | When detecting a blocked url VAS Experts DPI sends HTTP redirect to browser WEB page with information about blocking. | ||
| - | |||
| - | ===== Packet headers: ===== | ||
| - | |||
| - | * Destination MAC - routers' | ||
| - | * Source MAC - out_dev NICs' MAC | ||
| - | * Source IP - IP of blocked host (IP2) | ||
| - | * Destination IP - users' IP (IP1) | ||
| - | |||
| - | VLAN can be keeped or cleared by configurable parameter. | ||
| - | |||
| - | To IP2 (blocked host) sending a packet with TCP RST for connection reset. | ||
| - | Blocking (HTTPS) and redirecting (HTTP) ocures because of difference in response time between VAS Experts DPI and blocked host. VAS Experts DPI is close to users' IP1 then blocked IP2. | ||
| - | |||
| - | ===== Router settings ===== | ||
| - | Router port where VAS Experts DPIs' outgoing link is pluged in has to be L3 mode as usual. Main task is receive packet from VAS Experts DPI and route it by subscrider by general routing tables. | ||
| - | |||
| - | Config sample for Juniper: | ||
| - | eth1 is pluged in to Juniper MX | ||
| - | Juniper MX settings: | ||
| - | |||
| - | <code bash> | ||
| - | | ||
| - | unit 0 { | ||
| - | | ||
| - | | ||
| - | } | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | ====== VAS Experts DPI Config sample ====== | ||
| - | Change the settings by editing the configuration file __**/ | ||
| - | |||
| - | Let VAS Experts DPI be connected as follows: | ||
| - | dna1, | ||
| - | dna0 - is connected to the router that receives and redirects subscribers' | ||
| - | |||
| - | One has to configure DPI for mirrored traffic processing as follows: | ||
| - | |||
| - | First, assign the input ports that receive the mirrored traffic to in_dev: | ||
| - | |||
| - | in_dev=dna1: | ||
| - | |||
| - | Second, assign the ports that get the redirection request to tap_dev: | ||
| - | |||
| - | tap_dev=dna0 | ||
| - | |||
| - | Enable asymmetric mode: | ||
| - | asym_mode=1 | ||
| - | | ||
| - | Set direction of replies tap_dev: | ||
| - | emit_direction=2 | ||
| - | tap_mode=2 | ||
| - | |||
| - | Set to clear VLAN in outgoing packets: | ||
| - | strip_tap_tags=1 | ||
| - | | ||
| - | And configure MAC replacement: | ||
| - | replace_source_mac=00: | ||
| - | replace_destination_mac=78: | ||
| - | |||
| - | Set number of packets repeats, for unstable delivery in networks: | ||
| - | emit_duplication=3 | ||
| - | here 3 - number repeats of packets with redirection or RST (dublicates packets send with RST or redirection) | ||
| - | |||
| - | It is advised to use an additional 1GbE network card to send the replies in mirrored traffic mode. For example, intel i350 (with DNA license) can be used. This allows to configure an individual port for sending redirection replies and to reserve 10GbE ports to receive the mirrored traffic. | ||
| - | |||
| - | [[en: | ||