Configuring Support for Subscriber Secure Policy Mirroring
Subscriber secure policy runs on the radius-flow-tap service. This topic describes the steps to configure radius-flow-tap support for RADIUS-initiated and DTCP-initiated subscriber secure policy mirroring.
To configure the radius-flow-tap service to support subscriber secure policy mirroring:
- Configure the flow-tap service used for subscriber secure policy mirroring.
  [edit services]
  user@host# edit radius-flow-tap
- Specify how the mirrored packets are forwarded to the
  - To mirror interfaces created by the extensible subscriber services manager (ESSM), assign the virtual tunnel interfaces for the radius-flow-tap service.
    user@host# set interfaces vt-1/1/0.0
    If a currently used tunnel interface is deleted from the pool of interfaces, the active mirroring sessions are redistributed from the deleted interface to other tunnel interfaces in the pool. When a new tunnel interface is added to the pool, the service adds it to the list of interfaces available for new mirroring sessions and for existing sessions transferred from a failed interface.
  - To mirror flow-based interfaces, specify the logical system and routing instance for the radius-flow-tap service.
    user@host# set logical-system LS1 routing-instance RI1
    You can specify a logical system and routing instance, or a routing instance without a logical system. If you do not specify a logical system, the router uses the default logical system. If you do not specify either a logical system or a routing instance, the router uses the default logical system and the default routing instance.
    Configure a routing instance to prevent a spoofed mediation device address from diverting traffic away from the device. When the mirrored customer flows are in the same routing instance as the mediation device, a malicious user might hijack the mediation device's route advertisement. By advertising a next hop to the hijacker's network instead of to the device, the mirrored flows are captured and never reach the mediation device.
    If you configure the mirrored traffic to be forwarded to the mediation device by means of a routing instance, the traffic is separated from the Internet. An external user is then unable to divert the mirrored traffic to the user's network.
  The interfaces statement applies only to ESSM-created interfaces and is ignored for flow-based interfaces. Similarly, the LS:RI configuration applies only to flow-based interfaces.
- Specify the source IP address that the radius-flow-tap service uses for mirroring. This address is used in the IP header prepended to mirrored packets that are sent to the content destination device.
  user@host# set source-ipv4-address ipv4-address
- (Optional) Specify the forwarding class that is applied to the mirrored packets sent to the mediation device. If you do not specify a forwarding class, mirrored packets inherit the forwarding class from the original packet (which is the forwarding class set by the default classification that CoS applies to the packet on the ingress interface).
  user@host# set forwarding-class class-name
- (Optional) Specify the subscriber secure policy that determines
if any, is not sent to the mediation device.
  You can add or change a subscriber secure policy at any time, but a changed policy does not apply to a currently enabled policy. To change a policy:
  - Send a DTCP DELETE message to remove the current policy.
  - Modify the configuration with the new version of the policy.
  - Send a DTCP ADD message to add the policy.
  - Send a DTCP ENABLE message to enable the policy.
- (Optional) Specify the IP address for one or more target mediation devices to receive SNMPv3 trap notifications. Each target address must be configured separately.
  [edit services radius-flow-tap]
  user@host# set snmp notify-targets ip-address
  You must also configure SNMP so that only encrypted notifications are sent to target devices. Targets without privacy configured cannot receive the notifications. For information about the SNMP configuration for subscriber secure policy, see Configuring SNMPv3 Traps for Subscriber Secure Policy Mirroring.
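The steps above, tied together as an added example that is not part of this documentation or of Junos itself: a short Python script holding a constructed weak and a constructed hardened radius-flow-tap configuration in set-style syntax, plus a checker that flags the settings the procedure says matter, in particular a missing routing instance, which leaves mirrored flows in the same routing table as subscriber traffic and therefore exposed to the route hijack described in the forwarding step. The function names, the sample addresses and the forwarding-class value are this example's own assumptions, not values from the page.

```python
"""Check a Junos set-style configuration for the radius-flow-tap settings
described in this procedure.  Added example, not Juniper code: the two
configurations are constructed for illustration and the check wording is this
script's own."""
import ipaddress

# Constructed sample: ESSM tunnel interface and source address only. No routing
# instance, so the mediation device's route is shared with subscriber traffic,
# and no SNMPv3 notification target.
WEAK_CONFIG = """
set services radius-flow-tap interfaces vt-1/1/0.0
set services radius-flow-tap source-ipv4-address 192.0.2.10
"""

# Constructed sample: mirrored flows confined to routing instance RI1 in logical
# system LS1, explicit source address, forwarding class and a notify target.
HARDENED_CONFIG = """
set services radius-flow-tap interfaces vt-1/1/0.0
set services radius-flow-tap logical-system LS1 routing-instance RI1
set services radius-flow-tap source-ipv4-address 192.0.2.10
set services radius-flow-tap forwarding-class assured-forwarding
set services radius-flow-tap snmp notify-targets 198.51.100.5
"""

PREFIX = "set services radius-flow-tap "


def parse_flow_tap(config: str) -> dict:
    """Return the radius-flow-tap statements as {statement: [values]}.

    Only the statements used on this page are understood; 'snmp notify-targets'
    is folded into one key so it reads as a single keyword/value pair.
    """
    found = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        tokens = line[len(PREFIX):].split()
        if tokens[:2] == ["snmp", "notify-targets"]:
            tokens = ["snmp notify-targets"] + tokens[2:]
        # The remaining statements are keyword/value pairs, possibly several on
        # one line (logical-system LS1 routing-instance RI1).
        for key, value in zip(tokens[0::2], tokens[1::2]):
            found.setdefault(key, []).append(value)
    return found


def audit_flow_tap(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_flow_tap(config)
    findings = []
    if "interfaces" not in cfg and "routing-instance" not in cfg:
        findings.append("no mirroring destination: neither interfaces (ESSM) "
                        "nor a routing instance (flow-based) is configured")
    if "routing-instance" not in cfg:
        findings.append("no routing-instance: mirrored flows stay in the "
                        "default instance, where a hijacked route advertisement "
                        "for the mediation device can divert them")
    if "source-ipv4-address" not in cfg:
        findings.append("no source-ipv4-address for the prepended IP header")
    else:
        for addr in cfg["source-ipv4-address"]:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                findings.append(f"source-ipv4-address {addr!r} is not an IPv4 address")
    if "snmp notify-targets" not in cfg:
        findings.append("no snmp notify-targets: no mediation device will "
                        "receive SNMPv3 trap notifications")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_flow_tap(cfg) or ['ok']}")
```

Run against the weak sample the checker reports two findings (no routing instance, no notify target); the hardened sample passes cleanly. The parser deliberately understands only the statements this procedure uses, so feed it the `radius-flow-tap` stanza rather than a whole device configuration.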