17-DPI Configuration Guide

01-DPI engine configuration

Configuring DPI engine

About DPI engine

DPI engine is an inspection module shared by DPI service modules. DPI engine uses inspection rules to identify the application layer information, including the application layer protocol and behavior. DPI service modules process packets based on the inspection results.

DPI functions

DPI engine provides the following functions:

·     Protocol parsing—Identifies the application layer protocols and analyzes the application layer information. Information analysis includes recognizing, normalizing, and uncompressing application layer fields.

·     AC pattern matching—Matches packet payloads by the Aho-Corasick (AC) patterns in inspection rules. AC pattern matching is fast and it is the core function of the DPI engine.

·     Option matching—Matches packet payloads by the options in the inspection rules whose AC patterns have been matched. Option matching is slower than AC pattern matching.

DPI engine inspection rules

DPI engine uses inspection rules to match packets. Inspection rules are transformed from the rules or signatures of the DPI service modules. The match criteria in an inspection rule can contain the following types:

·     AC pattern—Criteria that identify packet signatures. An AC pattern is a character string that is three or more bytes long.

·     Option—Criteria other than AC patterns. For example, an option can be the port number or protocol type.

An inspection rule can contain both AC patterns and options. A packet must match both the AC patterns and options to match the rule.

An inspection rule can also contain only options. A packet matches the rule if it matches the options in the rule.

DPI engine mechanism

As shown in Figure 1, DPI engine works as follows:

1.     Upon receiving a packet, the DPI engine performs protocol parsing for the packet and searches for applicable inspection rules according to the parsing results.

2.     If an applicable inspection rule contains AC patterns, the DPI engine performs AC pattern matching first. If an applicable inspection rule does not contain AC patterns, the DPI engine directly performs option matching, and the packet matches the rule if it matches the options.

3.     If the packet matches the AC patterns in an applicable inspection rule, the DPI engine further compares the packet against the options associated with those AC patterns. The packet matches the rule only if it matches both the AC patterns and their associated options. If the packet matches an AC pattern but does not match its associated options, it does not match that rule, and the DPI engine permits the packet to pass unless another applicable rule matches it.

4.     If the packet matches an inspection rule, the DPI engine submits the packet to the corresponding DPI service module for processing. If the packet does not match any rule, the DPI engine permits the packet to pass.

Figure 1 DPI engine mechanism
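The matching flow in steps 1 through 4, as an added Python model. This is illustration code written for this page, not H3C code or the device's implementation: the automaton, the rule format, the option names ("proto", "dport") and the sample patterns are all assumptions chosen for the example. It also goes slightly beyond the text by allowing a rule to carry several AC patterns, all of which must hit before its options are checked.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One inspection rule: zero or more AC patterns plus option criteria.

    Rule names, the option keys ("proto", "dport") and the sample patterns are
    constructed for this illustration, not taken from an H3C signature set.
    """
    name: str
    patterns: tuple = ()                          # AC patterns (each >= 3 bytes)
    options: dict = field(default_factory=dict)   # e.g. {"proto": "tcp", "dport": 80}


class AhoCorasick:
    """Multi-pattern byte matcher; one pass over the payload finds every pattern."""

    def __init__(self, patterns):
        self.goto = [{}]          # state -> {byte: next_state}
        self.out = [set()]        # state -> patterns ending in this state
        self.fail = [0]           # state -> longest proper-suffix state
        for p in set(patterns):
            if len(p) < 3:
                raise ValueError("AC patterns must be three or more bytes long")
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(p)
        # Breadth-first pass fills the failure links (depth-1 states fail to root).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return the set of patterns occurring anywhere in data."""
        found, s = set(), 0
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            found |= self.out[s]
        return found


class DpiEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.ac = AhoCorasick(p for r in self.rules for p in r.patterns)

    @staticmethod
    def options_match(rule, meta):
        """Option matching: every option in the rule must equal the packet's metadata."""
        return all(meta.get(k) == v for k, v in rule.options.items())

    def inspect(self, meta, payload):
        """Return the names of the rules the packet matches (empty list: the packet passes)."""
        hits = self.ac.search(payload)            # step 2: AC matching over the payload, once
        matched = []
        for r in self.rules:
            if r.patterns:
                # step 3: options are checked only for rules whose AC patterns all hit
                if all(p in hits for p in r.patterns) and self.options_match(r, meta):
                    matched.append(r.name)
            elif self.options_match(r, meta):     # option-only rule: the options decide alone
                matched.append(r.name)
        return matched


# Constructed sample rules for the illustration (not an H3C signature set).
RULES = [
    Rule("http-shell-cmd", (b"/bin/sh",), {"proto": "tcp", "dport": 80}),
    Rule("ftp-login", (b"USER ",), {"proto": "tcp", "dport": 21}),
    Rule("telnet-any", (), {"proto": "tcp", "dport": 23}),
]
ENGINE = DpiEngine(RULES)

if __name__ == "__main__":
    pkt = b"GET /cgi-bin/x?c=;/bin/sh HTTP/1.1\r\n"
    print(ENGINE.inspect({"proto": "tcp", "dport": 80}, pkt))        # ['http-shell-cmd']
    print(ENGINE.inspect({"proto": "tcp", "dport": 8080}, pkt))      # []  AC hit, options miss
    print(ENGINE.inspect({"proto": "tcp", "dport": 23}, b"\xff\xfd\x18"))  # ['telnet-any']
```

The second call is the case from step 3: the AC pattern hits, the port option does not, so the rule is not matched and the packet passes. The cost split the guide describes is visible in the structure: the automaton runs once per packet regardless of rule count, while the slower option checks run only for rules the automaton has already selected.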

Restrictions: Hardware compatibility with the DPI engine

Hardware series            Model              Product code           DPI engine compatibility
WX1800H series             WX1804H-PWR        EWP-WX1804H-PWR-CN     Yes
WX2500H series             WX2508H-PWR-LTE    EWP-WX2508H-PWR-LTE    Yes
                           WX2510H-PWR        EWP-WX2510H-PWR        Yes
                           WX2510H-F-PWR      EWP-WX2510H-F-PWR      Yes
                           WX2540H            EWP-WX2540H            Yes
                           WX2540H-F          EWP-WX2540H-F          Yes
                           WX2560H            EWP-WX2560H            Yes
MAK series                 MAK204             EWP-MAK204             Yes
                           MAK206             EWP-MAK206             Yes
WX3000H series             WX3010H            EWP-WX3010H            Yes
                           WX3010H-X-PWR      EWP-WX3010H-X-PWR      Yes
                           WX3010H-L-PWR      EWP-WX3010H-L-PWR      No
                           WX3024H            EWP-WX3024H            Yes
                           WX3024H-L-PWR      EWP-WX3024H-L-PWR      No
                           WX3024H-F          EWP-WX3024H-F          Yes
WX3500H series             WX3508H            EWP-WX3508H            Yes
                           WX3508H            EWP-WX3508H-F          Yes
                           WX3510H            EWP-WX3510H            Yes
                           WX3510H            EWP-WX3510H-F          Yes
                           WX3520H            EWP-WX3520H            Yes
                           WX3520H-F          EWP-WX3520H-F          Yes
                           WX3540H            EWP-WX3540H            Yes
                           WX3540H            EWP-WX3540H-F          Yes
WX5500E series             WX5510E            EWP-WX5510E            Yes
                           WX5540E            EWP-WX5540E            Yes
WX5500H series             WX5540H            EWP-WX5540H            Yes
                           WX5560H            EWP-WX5560H            Yes
                           WX5580H            EWP-WX5580H            Yes
Access controller modules  LSUM1WCME0         LSUM1WCME0             Yes
                           EWPXM1WCME0        EWPXM1WCME0            Yes
                           LSQM1WCMX20        LSQM1WCMX20            Yes
                           LSUM1WCMX20RT      LSUM1WCMX20RT          Yes
                           LSQM1WCMX40        LSQM1WCMX40            Yes
                           LSUM1WCMX40RT      LSUM1WCMX40RT          Yes
                           EWPXM2WCMD0F       EWPXM2WCMD0F           Yes
                           EWPXM1MAC0F        EWPXM1MAC0F            Yes

Hardware series            Model              Product code           DPI engine compatibility
WX1800H series             WX1804H-PWR        EWP-WX1804H-PWR        Yes
                           WX1810H-PWR        EWP-WX1810H-PWR        Yes
                           WX1820H            EWP-WX1820H            Yes
                           WX1840H            EWP-WX1840H-GL         Yes
WX3800H series             WX3820H            EWP-WX3820H-GL         Yes
                           WX3840H            EWP-WX3840H-GL         Yes
WX5800H series             WX5860H            EWP-WX5860H-GL         Yes

DPI engine tasks at a glance

To configure the DPI engine, perform the following tasks:

1.     Configuring a DPI application profile

2.     Activating policy and rule settings for DPI service modules

3.     Configuring action parameter profiles

4.     (Optional.) Optimizing the DPI engine

5.     (Optional.) Enabling inspection suspension upon excessive CPU usage

6.     (Optional.) Configuring stream fixed length inspection

7.     (Optional.) Specifying a proxy server for online DPI service signature update

8.     (Optional.) Disabling the DPI engine

Configuring a DPI application profile

About this task

A DPI application profile includes a set of DPI service policies, such as a URL filtering policy.

Procedure

1.     Enter system view.

system-view

2.     Create a DPI application profile and enter its view.

app-profile profile-name

3.     Apply a URL filtering policy to the DPI application profile.

url-filter apply policy policy-name

By default, no URL filtering policy is applied to a DPI application profile.

For more information about this command, see URL filtering commands in DPI Command Reference.

Activating policy and rule settings for DPI service modules

About this task

After editing the policy and rule settings for DPI service modules such as URL filtering, you must manually activate the settings by using either of the following methods:

·     Reboot the device.

·     Execute the inspect activate command.

Restrictions and guidelines

This task can cause temporary service outage. As a best practice, perform the task after all DPI service policy and rule settings are complete.

Procedure

1.     Enter system view.

system-view

2.     Activate policy and rule settings for DPI service modules.

inspect activate

By default, creating, modifying, or deleting DPI service policies and rules has no effect on traffic until the settings are activated.

Configuring action parameter profiles

Configuring a logging parameter profile

About this task

A logging parameter profile defines the log output method for the logging action in DPI service modules.

Procedure

1.     Enter system view.

system-view

2.     Create a logging parameter profile and enter its view.

inspect logging parameter-profile parameter-name

3.     Specify the log export method.

log { email | syslog }

By default, logs are exported to the information center.

Configuring a redirect parameter profile

About this task

A redirect parameter profile defines the URL to which packets are redirected for the redirect action in DPI service modules.

Procedure

1.     Enter system view.

system-view

2.     Create a redirect parameter profile and enter its view.

inspect redirect parameter-profile parameter-name

3.     Specify the URL to which packets are redirected.

redirect-url url-string

By default, no URL is specified for packet redirecting.

Optimizing the DPI engine

About this task

The DPI engine includes a series of optimization features. For example, the DPI engine can uncompress or decode compressed or encoded packets to identify the application information they carry. The optimization features improve inspection coverage and accuracy, but consume more system resources.

Procedure

1.     Enter system view.

system-view

2.     Set the maximum number of payload-carrying packets to be inspected per data flow.

inspect packet maximum max-number

By default, the DPI engine can inspect a maximum of 32 payload-carrying packets per data flow.

3.     Set the maximum number of options to be cached per TCP/UDP data flow.

inspect cache-option maximum max-number

By default, the DPI engine can cache a maximum of 32 options per TCP/UDP data flow.

4.     Configure the TCP segment reassembly feature.

¡     Enable TCP segment reassembly.

inspect tcp-reassemble enable

By default, the TCP segment reassembly feature is disabled.

¡     Set the maximum number of TCP segments that can be cached for reassembly per TCP flow.

inspect tcp-reassemble max-segment max-number

By default, a maximum of 10 TCP segments can be cached for reassembly per TCP flow.

5.     (Optional.) Disable a DPI engine optimization feature.

inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable

By default, all DPI engine optimization features are enabled.

You can disable DPI engine optimization features to improve the device performance as needed.

Enabling inspection suspension upon excessive CPU usage

About this task

Packet inspection of the DPI engine is a complex and resource-consuming process.

When the device's CPU usage rises to or above the CPU usage threshold, inspection suspension upon excessive CPU usage is triggered and the DPI engine inspects packets as follows:

·     If stream fixed length inspection is disabled, the DPI engine suspends packet inspection to guarantee the device performance.

·     If stream fixed length inspection is enabled, the DPI engine inspects only a fixed length of data for a stream and ignores the remaining stream data.

When the device's CPU usage drops to or below the CPU usage recovery threshold, the DPI engine resumes the inspection of the whole stream data.

For information about configuring the CPU usage thresholds, see system management in System Management Configuration Guide.

Restrictions and guidelines

Do not disable inspection suspension upon excessive CPU usage if the device's CPU usage is high. If you disable this feature, the DPI engine continues to inspect the whole stream data even when the CPU usage threshold is reached.

When the device's CPU usage is low, you can disable inspection suspension upon excessive CPU usage to improve inspection accuracy.

Both suspension behaviors fail open: while inspection is suspended, and for the part of a stream beyond the fixed inspection length, packets are permitted to pass without being matched against DPI service rules. Treat sustained high CPU usage as a loss of inspection coverage, not only as a performance problem.

Procedure

1.     Enter system view.

system-view

2.     Enable inspection suspension upon excessive CPU usage.

undo inspect cpu-threshold disable

By default, inspection suspension upon excessive CPU usage is enabled.

Configuring stream fixed length inspection

About this task

This feature enables the DPI engine to inspect only a fixed length of data for a stream when the device's CPU usage rises to or above the CPU usage threshold. When the device's CPU usage drops to or below the CPU usage recovery threshold, the DPI engine inspects the whole packet data in a stream. For information about configuring the CPU usage thresholds, see system management in System Management Configuration Guide.

Restrictions and guidelines

This feature takes effect only when inspection suspension upon excessive CPU usage is enabled.

If you disable this feature, the DPI engine suspends packet inspection entirely when the CPU usage threshold is reached, which guarantees device performance at the cost of inspecting no stream data at all while the CPU usage stays high.

Procedure

1.     Enter system view.

system-view

2.     Enable stream fixed length inspection.

undo inspect stream-fixed-length disable

By default, stream fixed length inspection is enabled.

3.     Set the fixed data inspection length for application protocols.

inspect stream-fixed-length { email | ftp | http } * length

The default length is 32 KB for FTP, HTTP, and email protocols.

The longer the inspection data length, the lower the device throughput and the higher the packet inspection accuracy. Data placed beyond the fixed length in a stream is not inspected while the CPU usage threshold is exceeded.
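The per-flow inspection limits from "Optimizing the DPI engine" (the payload-carrying packet cap and TCP segment reassembly with its cached-segment cap) and the CPU-threshold behavior described above, as one added Python model. This is illustration code written for this page, not H3C code or the device's implementation: the plain substring search standing in for AC pattern matching, the CPU state being a simple flag rather than the device's measured thresholds, and the constructed sample flows are all assumptions. It shows the two evasion surfaces a practitioner should keep in mind: a pattern split across segments with reassembly left at its default (disabled), and a pattern placed beyond the fixed inspection length while the CPU is loaded.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Limits:
    """Per-flow inspection limits, named after the commands in this guide.

    Defaults mirror the documented defaults. `cpu_high` is an assumption that
    stands in for the CPU usage threshold the device evaluates itself.
    """
    packet_maximum: int = 32             # inspect packet maximum
    tcp_reassemble: bool = False         # inspect tcp-reassemble enable (disabled by default)
    max_segment: int = 10                # inspect tcp-reassemble max-segment
    cpu_suspend: bool = True             # inspection suspension upon excessive CPU usage
    fixed_length: bool = True            # stream fixed length inspection
    fixed_length_bytes: int = 32 * 1024  # inspect stream-fixed-length http (32 KB)
    cpu_high: bool = False               # True: CPU usage is at or above the threshold


def inspect_stream(segments, pattern, lim):
    """Inspect one TCP flow's payload-carrying segments in order.

    Returns the 1-based index of the segment at which `pattern` is detected,
    or None when the flow leaves the engine without a match. A plain substring
    search stands in for the AC pattern matching described in the guide.
    """
    if lim.cpu_high and lim.cpu_suspend and not lim.fixed_length:
        return None                      # inspection suspended: the flow passes uninspected
    budget = None
    if lim.cpu_high and lim.cpu_suspend and lim.fixed_length:
        budget = lim.fixed_length_bytes  # only this much stream data is inspected
    seen = 0
    cache = deque(maxlen=lim.max_segment)  # segments cached for reassembly
    for i, seg in enumerate(segments[:lim.packet_maximum], start=1):
        if budget is not None:
            if seen >= budget:
                return None              # remaining stream data is ignored
            seg = seg[:budget - seen]
        seen += len(seg)
        if lim.tcp_reassemble:
            cache.append(seg)
            data = b"".join(cache)       # a pattern may span the cached segments
        else:
            data = seg                   # each segment is matched in isolation
        if pattern in data:
            return i
    return None                          # packet cap reached or no match: the flow passes


# Constructed sample flows (not captures): an HTTP request whose "/bin/sh" is
# split across two segments, and one where it sits after 24 x 1460 B of filler,
# which is past the default 32 KB fixed length but within the 32-packet cap.
SPLIT_STREAM = [b"GET /cgi-bin/x?c=;/bi", b"n/sh HTTP/1.1\r\n"]
LATE_STREAM = [b"A" * 1460] * 24 + [b"\r\nX-Cmd: /bin/sh\r\n"]

if __name__ == "__main__":
    print(inspect_stream(SPLIT_STREAM, b"/bin/sh", Limits()))                     # None
    print(inspect_stream(SPLIT_STREAM, b"/bin/sh", Limits(tcp_reassemble=True)))  # 2
    print(inspect_stream(LATE_STREAM, b"/bin/sh", Limits()))                      # 25
    print(inspect_stream(LATE_STREAM, b"/bin/sh", Limits(cpu_high=True)))         # None
```

With the defaults, the split request is missed because each segment is matched on its own; enabling TCP segment reassembly finds it at the second segment. The late request is found at segment 25 under normal load, but once the CPU threshold is exceeded only the first 32 KB of the stream is inspected and the same request passes. Raising `inspect stream-fixed-length http` or keeping the CPU below the threshold closes that gap, at the throughput cost the guide describes.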

Specifying a proxy server for online DPI service signature update

About this task

The device must access the company's website for online signature update of DPI services (such as URL filtering). If direct connectivity is not available, the device can access the company's website through the specified proxy server. For more information about online signature update, see "Configuring URL filtering" and "Configuring anti-virus."

Restrictions and guidelines

If you specify a proxy server by domain name instead of IP address, make sure the device can resolve the domain name into an IP address through DNS. For more information about DNS, see Network Connectivity Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Specify a proxy server for online DPI service signature update.

inspect signature auto-update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name password { cipher | simple } string ]

By default, the proxy server used by DPI services for online signature update is not specified.

Disabling the DPI engine

About this task

Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is too high, you can disable the DPI engine to guarantee the device performance. After you disable the DPI engine, packets are not processed by DPI and are permitted to pass, so every DPI service module (for example, URL filtering) stops enforcing its policies until the engine is re-enabled.

Procedure

1.     Enter system view.

system-view

2.     Disable the DPI engine.

inspect bypass

By default, the DPI engine is enabled.

Display and maintenance commands for DPI engine

Execute display commands in any view.

Task                                    Command
Display the status of the DPI engine.   display inspect status
