====== SSG connection schemes ======
{{indexmenu_n>2}}

The key advantage of Stingray Service Gateway is the use of [[dpi:dpi_options|all functions]] in one device, but depending on the task, the SSG can be used only as [[dpi:qoe:use_cases#dpi|DPI]] or [[dpi:qoe:use_cases#bng_bras|BNG/BRAS]] or [[dpi:opt_cgnat:cgnat_description|NAT]].

{{ dpi:dpi_brief:install_point_ssg:multi-solution.png?nolink&600 |}}

Stingray SG connection point:
  - In the DPI role, the SSG connects after terminating subscribers on BRAS before NAT. Traffic must be symmetrical (all traffic of each subscriber goes via one SSG device).
  - In the NAT role, the SSG connects between the BRAS and the Border Router.
  - In the BRAS role, it is possible to implement [[dpi:bras_bng:general_setup#fastdpi_l3_bras_setup|L3-connected]] and [[dpi:bras_bng:general_setup#fastdpi_l2_bras_setup|L2-connected]] schemes.
  - For [[dpi:dpi_options:opt_filtration|the filtering function]] it is also possible to connect after the Border Router, in line with the uplink.

===== On-stick installation scheme =====
After [[veos:installation#pre-configuring_veos|the initial installation]], the Stingray operates in L2 Bridge mode (not a hop in the network, not visible to other network devices) and forwards packets between the input and output interfaces with processing according to assigned rules.\\
[[dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal_onstick|Setting example for on-stick mode.]]

On-stick allows you to save on physical hardware. FastDPI usually works with bridges, bridging two physical ports (devices). An on-stick device has a single physical port, on which fastDPI itself creates virtual ports for the subscriber (subs) and Internet (inet) sides.
{{ :dpi:dpi_brief:install_point_ssg:onstick.png?nolink&550 |}}

===== Inline mode implementation =====
After [[veos:installation#pre-configuring_veos|the initial installation]], the Stingray operates in L2 Bridge mode (not a hop in the network, not visible to other network devices) and forwards packets between the input and output interfaces with processing according to assigned rules.\\
[[dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal|Setting example for Inline mode.]]

==== The typical implementation scheme if bypass functionality is available ====
{{ dpi:dpi_brief:install_point_ssg:implementation_with_bypass.png?nolink&600 |}}

[[dpi:dpi_components:platform:by_pass|Read more about the implementation of built-in bypass in Silicom cards.]]

==== The implementation scheme for inline mode without bypass ====
When it is necessary to provide a reserve connection without using bypass, an alternate route with a [[dpi:licensing#резервная_лицензия_скат|Stand-by SSG licence]] is used. Switching traffic to the alternate route is controlled by routing tools. This is only relevant when the SSG operates as an L2 Bridge and performs DPI, BRAS L3-Connected or NAT functions.

{{ dpi:dpi_brief:install_point_ssg:scheme_without_bypass.png?nolink&600 |}}

===== Scaling out =====
==== The “symmetric hash” balancing implementation scheme for several SSG in a LAG ====
LAG is configured on the routers between which the SSG is connected. The SSG passes the LACP protocol transparently.

{{ dpi:dpi_brief:install_point_ssg:stingray_lag.png?nolink&600 |}}

Balancing in the LAG is necessary to ensure symmetrical traffic through each SSG device.
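The following is an added illustration, not taken from the Stingray documentation or from any router vendor's implementation, of why the LAG hash has to be symmetric: with a direction-sensitive hash the two directions of one flow can land on different LAG members, so no single SSG sees the whole conversation. The CRC32 hash, the field set, the function names and the sample flows are assumptions made for the example; real routers use their own hardware hash.

```python
import ipaddress
import zlib
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip proto src_port dst_port")

def _crc(fields):
    # Stand-in for the router's hash function (assumption: CRC32 over text fields).
    return zlib.crc32("|".join(str(f) for f in fields).encode())

def ordered_member(pkt, n_links):
    """Direction-sensitive hash: fields are hashed in the order seen on the wire."""
    return _crc(pkt) % n_links

def symmetric_member(pkt, n_links):
    """Direction-insensitive hash: the two endpoints are sorted before hashing,
    so A->B and B->A produce the same key and the same LAG member."""
    a = (int(ipaddress.ip_address(pkt.src_ip)), pkt.src_port)
    b = (int(ipaddress.ip_address(pkt.dst_ip)), pkt.dst_port)
    lo, hi = sorted((a, b))
    return _crc((lo, hi, pkt.proto)) % n_links

def reverse(pkt):
    """The same flow as seen in the opposite direction."""
    return Packet(pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)

def split_flows(flows, pick, n_links):
    """Flows whose two directions would traverse different SSG devices."""
    return [f for f in flows if pick(f, n_links) != pick(reverse(f), n_links)]

# Constructed sample: 64 subscriber flows to one HTTPS server, 4 SSG devices in the LAG.
N_LINKS = 4
FLOWS = [
    Packet(f"10.0.{i}.{j}", "198.51.100.7", 6, 40000 + i * 10 + j, 443)
    for i in range(8)
    for j in range(1, 9)
]

if __name__ == "__main__":
    bad = split_flows(FLOWS, ordered_member, N_LINKS)
    good = split_flows(FLOWS, symmetric_member, N_LINKS)
    print(f"ordered hash:   {len(bad)} of {len(FLOWS)} flows split across devices")
    print(f"symmetric hash: {len(good)} of {len(FLOWS)} flows split across devices")
```
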
  * [[https://www.juniper.net/documentation/en_US/junos13.1/topics/usage-guidelines/interfaces-configuring-symmetrical-load-balancing-lag-on-mx-routers.html|Juniper symmetric hash configuration example]]
  * [[https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/SCE_DPI.html#wp150557|CISCO configuration example]]
  * [[https://extremeportal.force.com/ExtrArticleDetail?an=000082730|Extreme configuration example]]

===== “Loop” SSG implementation scheme =====
{{ dpi:dpi_brief:install_point_ssg:ssg_scheme_loop.png?nolink&600 |}}

**Note the modification in the above diagram using VLAN (Dispatch mode):** \\
The subscriber's traffic comes to the first port of the router. Then it goes to the second router port and is received by DPI. Further, the traffic processed by DPI enters the third port of the router and leaves to the Internet via the fourth port. To support such operation, one can arrange the connections like this: the first two ports of the router form the first VLAN and the other two ports form the second VLAN. The traffic would be sent to DPI at the L2 level. The diagram above has an item: [[https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/SCE_DPI.html#wp150376|Figure 5 Layer 2 Dispatch Mode]] \\
One can configure the system in a similar way, but without port-channel: use one port everywhere. \\
Note that the manual uses a trunk with VLAN specification. If you do not use a trunk, set the ports to access mode.

===== Schemes for implementing only the traffic filtering option =====
==== Asymmetric scheme with outgoing traffic only ====
Only outgoing traffic goes through the SSG; incoming traffic goes through a separate physical link without any processing.
{{ dpi:dpi_brief:install_point_ssg:stingray_asymmetric.png?nolink&600 |}}

==== The mirroring mode scheme ====
[[dpi:dpi_brief:network_preparation:install_point_ssg:instruction_instal_mirror|Example of Mirror-mode implementation]] \\
We recommend using optical splitters to send mirrored traffic to the DPI.

{{ dpi:dpi_brief:install_point_ssg:stingray_mirror.png?nolink&600 |}}

Applications:
  * to get real time ClickStream and Netflow via IPFIX for the Quality of Experience module
  * traffic filtering by black lists
  * subscribers’ notifications and conducting marketing campaigns
  * bonus program
  * caching
  * traffic pre-filtering for lawful interception.