SSG connection schemes

The key advantage of Stingray Service Gateway is that it combines all functions in one device, but depending on the task, the SSG can also be used only as DPI, only as BNG/BRAS, or only as NAT.

Stingray SG connection points:

  1. In the DPI role, the SSG connects after subscribers are terminated on the BRAS and before NAT. Traffic must be symmetrical (all traffic of each subscriber goes through one SSG device).
  2. In the NAT role, the SSG connects between the BRAS and the Border Router.
  3. In the BRAS role, both L3-connected and L2-connected schemes can be implemented.
  4. For the filtering function, the SSG can also be connected after the Border Router, on the uplink.

On-stick installation scheme

After the initial installation, the Stingray operates in L2 Bridge mode (not a hop in the network, not visible to other network devices) and forwards packets between the input and output interfaces with processing according to assigned rules.
Setting example for on-stick mode.

On-stick allows you to save on physical hardware. FastDPI usually works with bridges, bridging two physical ports (devices). An on-stick device has a single physical port, on which fastDPI itself creates virtual ports: one on the subscriber (subs) side and one on the Internet (inet) side.

Inline mode implementation

After the initial installation, the Stingray operates in L2 Bridge mode (not a hop in the network, not visible to other network devices) and forwards packets between the input and output interfaces with processing according to assigned rules.
Setting example for Inline mode.

The typical implementation scheme if bypass functionality is available

The implementation scheme for inline mode without bypass

When a reserve connection is needed without using bypass, an alternate route with a Stand-by SSG licence is used. Switching traffic to the alternate route is controlled by routing tools. This is relevant only when the SSG operates as an L2 Bridge and performs DPI, BRAS L3-Connected or NAT functions.

Scaling out

The “symmetric hash” balancing implementation scheme for several SSGs in a LAG

LAG is configured on the routers between which SSG is connected. The SSG passes the LACP protocol transparently.

Balancing in the LAG is necessary to ensure symmetrical traffic through each SSG device.
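Why the hash has to be symmetric, as an added example (not part of the original documentation and not vendor code): each router picks the LAG member link for the packets it sends, so an ordered (src, dst) hash can put the two directions of one flow on different SSG devices. The hash function, member count and addresses below are assumptions chosen for illustration; real switches use their own hardware hash.

```python
import hashlib
import ipaddress


def _digest(data: bytes) -> int:
    # Stable stand-in for the switch's hardware hash (assumption, not a vendor algorithm).
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def asymmetric_member(src: str, dst: str, members: int) -> int:
    """Ordered (src, dst) hash: A->B and B->A may select different member links."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return _digest(key) % members


def symmetric_member(src: str, dst: str, members: int) -> int:
    """Order-independent hash: endpoints are sorted first, so A->B and B->A match."""
    a, b = sorted((ipaddress.ip_address(src).packed,
                   ipaddress.ip_address(dst).packed))
    return _digest(a + b) % members


def split_flows(flows, members, pick):
    """Flows whose upstream and downstream packets reach different SSG devices.

    The subscriber-side router hashes (subscriber, server); the Internet-side
    router hashes the reply as (server, subscriber).
    """
    return [(s, d) for s, d in flows if pick(s, d, members) != pick(d, s, members)]


# Constructed sample: 64 subscribers talking to 4 servers (documentation ranges).
FLOWS = [(f"100.64.0.{i}", f"203.0.113.{j}")
         for i in range(1, 65) for j in range(1, 5)]
MEMBERS = 4  # assumed number of SSG devices, one per LAG member link

if __name__ == "__main__":
    bad = split_flows(FLOWS, MEMBERS, asymmetric_member)
    good = split_flows(FLOWS, MEMBERS, symmetric_member)
    print(f"ordered hash:   {len(bad)} of {len(FLOWS)} flows split across devices")
    print(f"symmetric hash: {len(good)} of {len(FLOWS)} flows split across devices")
```

A flow that is split this way is seen only in one direction by each SSG, which breaks the symmetry requirement stated for the DPI role.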

“Loop” SSG implementation scheme

Note the modification in the above diagram using VLAN (Dispatch mode):
The subscriber's traffic arrives at the first port of the switch. It then goes to the second switch port and is received by the DPI. The traffic processed by the DPI then enters the third port of the switch and leaves to the Internet via the fourth port. To support this operation, the connections can be arranged as follows: the first two ports of the switch form the first VLAN and the other two ports form the second VLAN. The traffic is sent to the DPI at the L2 level.

The diagram above has an item: Figure 5 Layer 2 Dispatch Mode
The system can be configured in a similar way but without a port-channel, using one port everywhere.
Note that the manual uses a trunk with VLAN specification. If you do not use a trunk, set the ports to access mode.

Schemes for implementing only the traffic filtering option

Asymmetric scheme with outgoing traffic only

Only outgoing traffic goes through the SSG, incoming traffic goes through a separate physical link without any processing.

The mirroring mode scheme

Example of Mirror-mode implementation
We recommend using optical splitters to send mirrored traffic to the DPI.

Applications:

  • to get real time ClickStream and Netflow via IPFIX for the Quality of Experience module
  • traffic filtering by black lists
  • subscribers’ notifications and conducting marketing campaigns
  • bonus program
  • caching
  • traffic pre-filtering for lawful interception.