The SSG installation manual using MIRRORING installation scheme
- Install and start the Stingray SG; see the installation requirements
- Set an IP address
- Request a license and the fastDPI installation from the Service Desk
- Once both are installed, edit the following settings:
Configure mirror traffic reception and response:
The settings are changed by editing the configuration file /etc/dpi/fastdpi.conf. Let's assume that the SSG is connected as follows:
dna1, dna2, dna3 – receive the mirror traffic
dna0 – connected to a router that receives and forwards responses to subscribers and to the internet.
To set the DPI in mirroring mode, you have to specify the following in the configuration:
In the configuration for the inbound ports in_dev, set the ports that accept mirror traffic:
in_dev=dna1:dna2:dna3
In the configuration for outgoing ports tap_dev, set the port to which the forwarding response is sent:
tap_dev=dna0
Specify the mode – asymmetric
asym_mode=1
Specify the direction of tap_dev responses:
emit_direction=2 tap_mode=
Specify that VLAN should be reset:
strip_tap_tags=1
Set MAC change:
replace_source_mac=00:25:90:E9:43:59 #- MAC address of card out_dev - dna0
replace_destination_mac=78:19:F7:0E:B1:F4 #- MAC address of the router, or the routing switch
Set the number of retries if there are network losses:
emit_duplication=3 #here, 3 is the number of repetitions (duplicates) of a packet with redirect or blocking.
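A pre-deployment check for the mirroring settings listed above, added here as an example and not part of the vendor documentation or tooling. It assumes that `#` starts a comment running to the end of the line and that the response port must not also be a mirror input, as in the layout this page describes; the function names and the sample are constructed.

```python
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Keys this page sets for the mirroring scheme.
REQUIRED = ("in_dev", "tap_dev", "asym_mode", "emit_direction", "strip_tap_tags",
            "replace_source_mac", "replace_destination_mac", "emit_duplication")

def parse_conf(text):
    """Parse key=value lines. Assumption: '#' starts a comment up to end of line."""
    settings, warnings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        # A key=value inside a comment is usually a setting lost to a line join.
        for key in re.findall(r"\b([a-z_]+)=\S", comment):
            warnings.append(f"line {n}: '{key}' sits inside a comment and is ignored")
        key, sep, value = body.strip().partition("=")
        if not sep:
            continue  # no key=value on this line
        value = value.strip()
        if not value or " " in value:
            warnings.append(f"line {n}: '{key}' has an empty or multi-token value")
        settings[key.strip()] = value
    return settings, warnings

def check_mirroring(text):
    """Return a list of problems; an empty list means every check passed."""
    settings, problems = parse_conf(text)
    problems += [f"{k} is missing" for k in REQUIRED if k not in settings]
    tap = settings.get("tap_dev")
    if tap and tap in settings.get("in_dev", "").split(":"):
        problems.append("tap_dev is also listed in in_dev")
    if settings.get("asym_mode", "1") != "1":
        problems.append("asym_mode must be 1 for this scheme")
    for k in ("replace_source_mac", "replace_destination_mac"):
        if k in settings and not MAC_RE.match(settings[k]):
            problems.append(f"{k} is not a valid MAC address")
    if not settings.get("emit_duplication", "1").isdigit():
        problems.append("emit_duplication must be a whole number")
    return problems

# Constructed sample: both MAC settings joined on one line, and dna0 reused as input.
BAD = """in_dev=dna0:dna1
tap_dev=dna0
asym_mode=1
emit_direction=2
strip_tap_tags=1
replace_source_mac=00:25:90:E9:43:59 #- card dna0 replace_destination_mac=78:19:F7:0E:B1:F4
emit_duplication=3
"""
if __name__ == "__main__":
    print("\n".join(check_mirroring(BAD)))
```

Run it against a copy of /etc/dpi/fastdpi.conf before restarting the service; a setting that has slipped behind a `#` is reported with its line number.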
Implementation scheme and description of operation
Header of the IP response packet
- Destination MAC – MAC address of the router port where the response link is connected.
- Source MAC – MAC address of the out_dev card.
- Source IP – IP address of the restricted resource IP2.
- Destination IP – IP address of user IP1.
Router configuration example
Configuration example: The port on the router where the response link from the SSG is connected should be configured as a regular L3 port. The task is to receive a packet from the SSG and, based on the common routing tables, forward it to the subscriber.
Eth1 is connected to the Juniper MX side
#Settings on the MX side:
description from_SSG_redirect;
unit 0 {
    family inet {
        address a.b.c.d/30;
    }
}
Statistics collection
http_parse_reply=1
netflow=8
netflow_full_collector_type=2
netflow_dev=eth3
netflow_timeout=20
netflow_full_collector=172.18.254.124:1500
netflow_rate_limit=30
netflow_passive_timeout=40
netflow_active_timeout=120
#URL upload
ipfix_dev=eth3
ipfix_tcp_collectors=172.18.254.124:1501
ipfix_observation=127
#SIP
ipfix_meta_tcp_collectors=172.18.254.124:1511
rlimit_fsize=32000000000
Further settings are made depending on which components are to be used and are described in section 3.