Deep Packet Inspection with Tap Aggregation


Introduction

In this article we will focus on the Deep Packet Inspection access list enhancements available in Tap Aggregation Exclusive mode on the Arista 7150 series switches.

Deep Packet Inspection (DPI) is an Access List enhancement that was introduced in EOS 4.14.0.F. This feature allows the administrator to inspect and match additional bytes in the packet header after the Layer 2, Layer 3 or Layer 4 header. DPI was designed to be utilized while in Tap Aggregation exclusive mode.

Typical use cases for DPI are:

  • Identifying custom fields in zero-day attacks
  • SLA enforcement by identifying illegal content
  • Behavioural targeting of user traffic

Command Examples

Initial Configuration

In the first example we are performing the initial configuration using the default skip value of zero. This configures the switch to begin inspection at the first few bytes after the L2 or L3 header. Please note: when the switch is configured for TapAgg mode, deep inspection with a skip value of zero is automatically configured. You only need to change the configuration of the skip value if you intend to set the skip to 1 or more.

7150#configure
7150(config)#tap aggregation
7150(config-tap-agg)#mode exclusive
7150(config)#deep-inspection payload l2 skip ?
<0-11>  Words to skip ( in 32 bits )

7150(config)#deep-inspection payload l2 skip 0
7150(config)#deep-inspection payload l4 skip ?
<0-8>  Words to skip ( in 32 bits )

7150(config)#deep-inspection payload l4 skip 0


DPI Access List

Now let's configure an access list that will only match HTTP GET traffic. This example uses the generic payload match function.

7150(config)#ip access-list DPI
7150(config-acl-DPI)#permit tcp any any eq www payload offset 0 pattern 0x47455400 mask 0x000000ff

In the above example we configured the payload offset to begin matching immediately after the TCP header. The pattern is the hex encoding of the ASCII string "GET" that begins an HTTP GET request (0x47 0x45 0x54), with the fourth byte wildcarded by the mask. By allowing arbitrary pattern matches, the administrator can match non-traditional values that an attacker may define in a zero-day attack.

Please note: If the bit in the mask is set to “0”, that means match the exact pattern. If the bit in the mask is set to “1”, that means match any bit.
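As an added example that is not part of the original article or Arista's code, the following Python models offline how a DPI entry's pattern, mask, offset and skip value combine, using the mask semantics just described (0 = must match, 1 = don't care), so a pattern/mask pair can be checked against captured payloads before it is deployed. The function names and the sample payloads are constructed for illustration.

```python
# Added example (not Arista's code): an offline model of how an EOS DPI
# access-list entry "payload offset N pattern P mask M" is evaluated.
# Mask semantics follow the article: a 0 bit means the payload bit must
# equal the pattern bit, a 1 bit means "don't care".
import struct

WORD = 4  # the skip value counts 32-bit words


def pattern_for(prefix: bytes) -> tuple[int, int]:
    """Build a 32-bit pattern/mask pair matching a prefix of 1 to 4 bytes.

    Bytes beyond the prefix are wildcarded (their mask bits are set to 1).
    b"GET" -> (0x47455400, 0x000000FF)
    """
    if not 0 < len(prefix) <= WORD:
        raise ValueError("prefix must be 1 to 4 bytes")
    pattern = struct.unpack("!I", prefix.ljust(WORD, b"\x00"))[0]
    mask = (1 << (8 * (WORD - len(prefix)))) - 1  # low bits of unused bytes
    return pattern, mask


def dpi_match(payload: bytes, skip_words: int, offset: int,
              pattern: int, mask: int) -> bool:
    """True if the 32-bit word at skip_words*4 + offset matches pattern/mask.

    `payload` is the data following the L4 header (the l4 skip point).
    A packet too short to hold the whole word cannot match.
    """
    start = skip_words * WORD + offset
    window = payload[start:start + WORD]
    if len(window) < WORD:
        return False
    value = struct.unpack("!I", window)[0]
    # Only the bit positions where the mask is 0 must agree.
    return ((value ^ pattern) & ~mask & 0xFFFFFFFF) == 0


def classify(payload: bytes) -> str:
    """Hypothetical policy decision: GET requests to DPI_Group, rest to GROUP1."""
    pattern, mask = pattern_for(b"GET")
    return "DPI_Group" if dpi_match(payload, 0, 0, pattern, mask) else "GROUP1"


if __name__ == "__main__":
    # Constructed sample payloads, as they appear right after the TCP header.
    for p in (b"GET / HTTP/1.1\r\n", b"POST /x HTTP/1.1\r\n", b"GE"):
        print(p[:8], "->", classify(p))
```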


Class Maps and Policy Maps

In this example we will configure class maps and policy maps. The goal is to redirect only the HTTP Get traffic to a separate Tool group named “DPI_Group”. All other traffic will flow to a default group named “GROUP1”.

7150#configure
7150(config)#class-map type tapagg match-any CMAP1
7150(config-cmap-CMAP1)#match ip access-group DPI
7150(config-cmap-CMAP1)#policy-map type tapagg PMAP1
7150(config-pmap-PMAP1)#class CMAP1
7150(config-pmap-c-PMAP1-CMAP1)#set aggregation-group DPI_Group

Interface Configuration

Now that we have our ACL, class map and policy map defined, let's perform the final interface configuration. First we will configure the Tap port where traffic ingresses the switch from the physical taps or from a SPAN session on the production network. The default group that all traffic will flow to will be named "GROUP1". The "PMAP1" service policy applies the access list we defined, named "DPI". If traffic matches the DPI access list, the Tap/Tool group is set to "DPI_Group", as defined in the previous configuration steps.

7150(config)#interface ethernet 3
7150(config-if-Et3)#switchport mode tap
7150(config-if-Et3)#service-policy type tapagg input PMAP1
7150(config-if-Et3)#switchport tap default group GROUP1

Next we will configure the Tool ports. The tool ports are the destination ports on the switch where the analytics tools are connected. Ethernet interface 10 will be configured to receive traffic sent to the DPI_Group, the group our HTTP GET traffic will be sent to.

7150(config)#interface Ethernet10
7150(config-if-Et10)#switchport mode tool
7150(config-if-Et10)#switchport tool group set DPI_Group

Next we will configure Ethernet interface 1 to receive traffic sent to the Tap/Tool group named “GROUP1”. This group is our default traffic group where all traffic received on the Tap port will be sent.

7150(config)#interface ethernet 1
7150(config-if-Et1)#switchport mode tool
7150(config-if-Et1)#switchport tool group set GROUP1


GUI Example

After a successful configuration, this is what you will see in the Tap Aggregation Manager GUI. When you transmit HTTP GET traffic, the interface counters for Ethernet 10 will increase.

[Figure: Tap Aggregation Manager GUI view of the DPI configuration]


Along with the example above, the Deep Packet Inspection feature can also match well-known protocols by their text name in the DPI access list. Some of the well-known protocols are:

  • VXLAN VNI
  • MPLS Label
  • MPLSoE
  • NVGRE
  • GRE
  • GTP
