SSG connection schemes
The key advantage of Stingray Service Gateway is that it combines all functions in one device, but depending on the task, the SSG can be used only as DPI, BNG/BRAS, or NAT.
Stingray SG connection point:
- In the DPI role, the SSG connects after terminating subscribers on BRAS before NAT. Traffic must be symmetrical (all traffic of each subscriber goes via one SSG device).
- In the NAT role, the SSG connects between the BRAS and the Border Router.
- In the BRAS role, it is possible to implement L3-connected and L2-connected schemes.
- For the filtering function, it is also possible to connect after the Border Router, on the uplink.
On-stick installation scheme
Setting example for on-stick mode.
On-stick allows you to save on physical hardware. FastDPI usually works with bridges, bridging two physical ports (devices). An on-stick device has a single physical port, on which fastDPI itself creates virtual ports for the subscriber (subs) and Internet (inet) sides.
Inline mode implementation
Setting example for Inline mode.
The typical implementation scheme if bypass functionality is available
The implementation scheme for inline mode without bypass
When it is necessary to provide a reserve connection without using bypass, an alternate route with a Stand-by SSG licence is used. Switching traffic to the alternate route is controlled by routing tools. This is only relevant when the SSG operates as an L2 Bridge and performs DPI, BRAS L3-Connected or NAT functions.
Scaling out
The “symmetric hash” balancing implementation scheme for several SSGs in a LAG
LAG is configured on the routers between which SSG is connected. The SSG passes the LACP protocol transparently.
Balancing in the LAG is necessary to ensure symmetrical traffic through each SSG device.
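Why the LAG hash has to be symmetric, as an added example that is not part of the original page or the vendor's code: it compares a source-address-only hash with a source-XOR-destination hash and lists the flows whose two directions would land on different LAG members, and therefore on different SSG devices. The byte-folding hash and the sample addresses are constructed for illustration and are not the algorithm any particular router uses.

```python
import ipaddress
from functools import reduce

def fold(addr_bytes):
    """XOR all bytes together into an 8-bit value (toy mixing function)."""
    return reduce(lambda acc, b: acc ^ b, addr_bytes, 0)

def src_only_member(src, dst, n_links):
    """Asymmetric policy: hash only the source address of each packet."""
    return fold(ipaddress.ip_address(src).packed) % n_links

def symmetric_member(src, dst, n_links):
    """Symmetric policy: XOR source and destination before folding, so the
    reply direction (addresses swapped) selects the same LAG member."""
    s = ipaddress.ip_address(src).packed
    d = ipaddress.ip_address(dst).packed
    return fold(bytes(a ^ b for a, b in zip(s, d))) % n_links

def split_flows(flows, n_links, pick):
    """Return flows whose upstream and downstream packets hit different
    members, i.e. flows that no single SSG sees in both directions."""
    return [(s, d) for s, d in flows
            if pick(s, d, n_links) != pick(d, s, n_links)]

# Constructed sample flows (subscriber, server) from reserved address ranges.
FLOWS = [
    ("100.64.0.10", "203.0.113.5"),
    ("100.64.0.11", "198.51.100.20"),
    ("100.64.1.12", "192.0.2.77"),
    ("100.64.2.13", "203.0.113.80"),
]

if __name__ == "__main__":
    policies = (("src-only", src_only_member), ("symmetric", symmetric_member))
    for name, pick in policies:
        bad = split_flows(FLOWS, 4, pick)
        print(f"{name}: {len(bad)} of {len(FLOWS)} flows split across SSGs")
```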
“Loop” SSG implementation scheme
Note the modification in the above diagram using VLAN (Dispatch mode):
The subscriber's traffic arrives at the first port of the router. It then goes to the second router port and is received by the DPI. The traffic processed by the DPI then enters the third port of the router and leaves to the Internet via the fourth port. To support this operation, the connections can be arranged as follows: the first two ports of the router form the first VLAN and the other two ports form the second VLAN. The traffic is then sent to the DPI at L2.
The diagram above has an item: Figure 5 Layer 2 Dispatch Mode
The system can be configured in a similar way without a port-channel, using a single port everywhere.
Note that the manual uses a trunk with a VLAN specification. If you do not use a trunk, set the ports to access mode.
Schemes for implementing only the traffic filtering option
Asymmetric scheme with outgoing traffic only
Only outgoing traffic goes through the SSG, incoming traffic goes through a separate physical link without any processing.
The mirroring mode scheme
We recommend using optical splitters to send mirrored traffic to the DPI.
Applications:
- obtaining real-time ClickStream and Netflow via IPFIX for the Quality of Experience module
- traffic filtering by black lists
- subscribers’ notifications and conducting marketing campaigns
- bonus program
- caching
- traffic pre-filtering for lawful interception.