FAQ [Документация VAS Experts]
Документация VAS Experts Документация VAS Experts-mobile
in

Settings

  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks
  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks

    • Differences

    This shows you the differences between two versions of the page.

    Link to this comparison view

    Both sides previous revisionPrevious revision
    Next revision    		Previous revision
    en:dpi:faq:start [2021/07/22 17:25] – ↷ Links adapted because of a move operation lexx26en:dpi:faq:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
    Line 1: Line 1:
    -====== 7 FAQ ====== 
    -{{indexmenu_n>7}} 
    -<html><div class="menu"></html> 
    -  -[[en:dpi:faq:faq_dpicomparison:start|What is the difference between VAS Experts DPI with filtering option and other solutions?]] 
    -  -[[en:dpi:faq:faq_freeversion:start|Do you plan to release free and open version?]] 
    -  -[[en:dpi:faq:faq_whatisscat:start|What is VAS Experts DPI? Is it a router, or NAT, or transparent proxi? Or is it transparent for network devices?]] 
    -  -[[en:dpi:faq:faq_otheros:start|Your SW operates under CentOS only, doesn't it? We run FreeBSD on our servers. Do you have a version for FreeBSD?]] 
    -  -[[en:dpi:faq:lacp:start|How does the aggregated traffic look like? Are ports grouped via LACP?]] 
    -  -[[en:dpi:install_point_scat:start|Where should we connect your equipment: before or after BRAS termination (in other words, on L2 or L3)?]] 
    -  -[[en:dpi:faq:nic_with_bypass:start|Bypass network card questions.]] 
    -  -[[en:dpi:dpi_components:platform:faq:first_install:first_install:start|Installation problems.]] 
    -  -[[en:dpi:faq:mon_stats:start|How to monitor the DPI]] 
    -  -[[en:dpi:faq:dpi_functionality:start|Additional DPI FAQ]] 
    -  -[[en:dpi:faq:dpiui_faq:start|dpiui related questions]] 
    -  -[[en:dpi:faq:troubleshooting:start|BRAS related questions]] 
    -<html></div></html>  
      
    -  -Can one use the own list rather than the one loaded from clouds?\\ Can one make DPI to use our list of restricted resources only?\\ **Answer:** Yes. The cloud service is implemented for your convenience, in order not to process Department of Justice list manually. The cloud list functionality is configured by [[en:dpi:dpi_options:opt_filtration:filtration_settings:start|federal_black_list]]. 
    -  -Do you pass STP transparently?\\ **Answer:** Yes. 
    -  -Does the filtering by Federal Supervision Agency for Information Technologies and Communications and Department of Justice lists work in case VAS Experts DPI processes the outbound traffic only?\\ Can your system operate passing not the whole traffic but only that one bound to IP addresses from restricted resources list?\\ **Answer:** Asymmetric connection is supported but it is not advised. The reasons are:\\ - most of options become unavailable (for example, analytics requires both inbound and outbound streams for protocol analysis and so on);\\ - sending the traffic according to PKH scheme (i.e. only IPs from a list) creates an additional trouble. Our SW does not support the router's control option (and it is not scheduled for future implementation). It means you have to develop this part by yourself. 
    -  -Is the license going to be free in future?\\ Does the free license cover the full functionality or the filtering only?\\ **Answer:** The free license covers filtering only. It is issued for 12 months and can be prolonged. We plan to prolong free of charge now, as we do not consider filtering as a business. We plan to make money on additional options. The income sharing is considered as well.\\ Free evaluation period of 3 months is available for other options.\\ So you are welcome to inform us if you wish to try some options. You provide us the access and we install licenses remotely. These licenses are limited by their term for evaluation. 
    -  -What is the license price for dna&libzero?\\ **Answer:** Approximately:\\ - 1GbE port costs $40-55\\ - 10GbE port costs $250-325 
    -  -Can one use two ports of four-ports card 02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01) for asymmetric filtering?\\ **Answer:** Yes. The VAS Experts DPI runs with this network card at several of our customers.  
    -  -The source code for libzero and DNA drivers for Intel network interfaces are available for download on ntop.org. Can you briefly describe what functionality is restricted in these drivers compared to commercial ones (http://www.nmon.net/shop/cart.php)?\\ **Answer:** Ntop license for dna & libzero is the commercial one. There are no free or GPL licenses for these products. Some part of sources is absent. It is responsible for licensing and connection layer: a part of libzero and driver's code. 
    -  -Does your solution allow the following connection scheme: a server has one 10G network interface. The VAS Experts DPI traffic passes through this interface by means of two VLAN representing input and output?\\ **Answer:** No. The future support is not scheduled. 
    -  -Can your system arrange BGP link to a border in order to export prefixes that require their traffic to be sent to the VAS Experts DPI?\\ **Answer:** No. The future support is not scheduled. 
    -  -Are the url2dic and ip2bin utilities source codes available? Can we get them for FreeBSD 9 x64?\\ **Answer:** Source codes for utilities are not available and we do not plan to provide them in a future. FreeBSD allows to run native Linux applications: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/linuxemu-lbc-install.html . The [[http://vasexperts.ru/centos/6/x86_64/dpiutils.freebsd92.tgz|archive with binary utilities]] is available for FreeBSD 9.2. 
    -  -Is the request https://IP:443 to a resource from custom_ip_black_list to be redirected in a same way as request by http (port 80)? In our case the request is plainly blocked with no redirect to "choke" page.\\ **Answer:**  https request can not be redirected. It requires decoding of the traffic using a private key or a root certificate. That is why we just block the traffic. 
    -  -What is the aggregation logic when working by your list and external one?\\ **Answer:** own lists are used as separate ones. They are added to cloud ones (if the service is on). 
    -  -Can DPI pass the tagged traffic and implement filtering policy on certain VLANs?\\ **Answer:** Yes. The VAS Experts DPI processes tagged traffic - VLAN, QinQ, MPLS.\\ Currently there is no option to indicate the VLAN to block the traffic on. This functionality can be implemented in future versions. 
    -  -All the tagged traffic passing through DPI is filtered and there is no need to create any VLANs on DPI server itself. Is it right?\\ **Answer:** Yes. 
    -  -The process fastdpi_1gb по top shows the load about 140% (4 core CPU) even on non connected server. Is it OK? 'top' shows CPU Load 160-220% on the flow of 50 Mb. Is it correct or we need to fix something?\\ **Answer:** The high idle load is caused by constant queries to network cards, rather than by interrupts. This allows to achieve low latency. The higher is data flow the larger part of this load becomes a useful one. We advise to check CPU load by mpstat -P ALL utility. 
    -  -We connected the internal local area network for tests. Ping's time remains the same. Should it be some delay?\\ **Answer:** The equipment delay is no higher than 30 us if the equipments meets our recommendations. Ping measurements start from 1 ms. In order to detect such small delays one needs specific software and hardware. We use nanosecond timers (supported by modern network cards) in our test bench. 
    -  -Is it possible to increase maximum number of fdpi_ctrl connections ? We have got such errors during sync billing services: ctrl : too many connections=4,max_connections=4\\ **Answer:** Yes, its possible. Set in config file /etc/dpi/fastdpi.conf the parameter - сtrl_max_connection=4 
    -  -For local_passthrough=1 how DPI will process the traffic of local ASN? Where is the traffic counted? Как будет СКАТ обрабатывать приоритет трафика по протоколам, он будет учитывать трафик идущий на эти АСки в общем потоке или нет ?\\ Трафик будет проходить через СКАТ , но он вообще не будет обрабатываться, данные netflow будут скидывать ?\\ local_passthrough=1 - транзит трафика.\\  **Ответ:** трафик не будет обрабатываться полностью, единственное где он будет учтен это в netflow по автономным системам. 
    -  -In mirror schema in_dev=dna1:dna2 receives tagged traffic is DPI can clear the tag for output packets tap_dev=dnaX?\\ **Answer:** Yes, use parameter strip_tap_tags=1 in the config file. 
    -  -How can I get IP list for BGP /32 route ?\\  **Answer:** to anonnce IP for BGP routes you have make script like:\\ bin2ip /var/lib/dpi/blcacheip.bin > tmp.txt\\ dic2host /var/lib/dpi/blcache.bin|dig +short -f -|grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' >> tmp.txt \\ sort -u tmp.txt > ip.lst\\ For processing script use crone. Also you can use exabgp for BGP annoncing. 
    -  -when is licence expired? <code> grep 'expiration_date=' /etc/dpi/fastdpi.lic 
    - expiration_date=20991231 
    - формат: YYYYMMDD</code> 
    -  -how to save licences information?<code> 
    -/etc/dpi/fastdpi.lic 
    -/etc/dpi/fastdpi.sig 
    -/etc/pf_ring/* 
    -</code> 
    - 
    -~~DISCUSSION|Please help us to improve our documentation. Let us know if you found an error or something is unclear..~~