Configuring an Aggregate Service

Before you configure an aggregate service, read the overview of services to be used for policy-based routing. See Defining Services for Policy-Based Routing on JUNOSe Routers .

You configure an aggregate service to include the subscriber interface service and the core interface service as fragment services.

To configure an aggregate service:

1. In SDX Admin in the JUNOSe scope, create an aggregate service.
2. Add the subscriber interface service as a fragment service, and in the Fragment Service dialog box specify:
   • Expression—A subscriber reference expression written in Python to supply a list of IP addresses, such as:

     address = “ <- substitution.subrIps ->”

     where subrIps is a parameter that provides a list of subscriber IP addresses.

     This expression causes one subscriber interface fragment service to be activated for each subscriber whose address appears in the list.

   • Service—Name of a subscriber interface service.
   • Mandatory—False.

     When set to false, the service is activated even if some of the subscribers for some of the addresses are offline. If set to true, the aggregate service is not activated when some of the addresses are not in use.

   • Redundancy Group—Name of a group of services that provide redundancy.

     We recommend that you configure a redundant service. By configuring a redundancy group, the Surveillance Director can move through the groups of addresses more rapidly. When you configure a group, at least one of the fragments must become active for the aggregate service to become active. If none of the subscribers for the addresses is online when the aggregate service is being activated, activation of the aggregate service fails, and the Surveillance Director skips to the next group of addresses.

   • Subscription—False.
   • Substitution—idpAddress. Specifies the IP address of an IDP sensor The sample data defines the value for the idpAddress substitution in the service. You can use this strategy if an IDP sensor or cluster of sensors has a single IP address. If you use more than one IDP sensor that have different IP addresses, define the value of the idpAddress substitution in a scope, one scope for each IDP sensor, and assign the scope for an IDP sensor to the routers that use that sensor.
3. Add the core interface service as a fragment service, and in the Fragment Service dialog box specify:
   • Expression—A subscriber reference expression written in Python to supply the virtual router name and the login name used to identify subscriber sessions in which to activate the core fragment service. For example:

     vr = “ <- virtualRouterName ->” , login_name = “ idp@idp”

     The expression specifies a set of core interfaces on the same virtual router as the aggregate service.

     The loginName that you use in this expression must be the same as the login name configured in the subscriber classification script for the core interfaces. For information about configuring the login name, see Classifying Subscribers for IDP Integration .

   • Service—Name of a core interface service.
   • Mandatory—False.

     When set to false, the service is activated even if some of core interfaces are down. If set to true, the aggregate service is not activated when some of the core interfaces are down.

   • Redundancy Group—Name of a group of services that provide redundancy.

     We recommend that you configure a redundant service. By configuring a redundancy group, the Surveillance Director can move through the groups of addresses more rapidly. When you configure a group, at least one of the fragments must become active for the aggregate service to become active. If none of the core interfaces is up when the aggregate service is being activated, activation of the aggregate service fails, and the Surveillance Director skips to the next group of addresses.

   • Subscription—False.
   • Substitutions:
     • idpAddress—Specifies the IP address of the IDP sensor

       The sample data defines the value of the idpAddress substitution in the service. You can use this strategy if an IDP sensor or cluster of sensors has a single IP address. If you use more than one IDP sensor that have different IP addresses, define the value of the idpAddress substitution in a scope, one scope for each IDP sensor, and assign the scope for an IDP sensor to the routers that use that sensor.

     • subrSubnet—Specifies the addresses provided by the Surveillance Director

     The subrSubnet parameter specifies a CIDR-specified subnet. The core interface fragment service uses the subrSubnet parameter in policies that are applied to each core interface.

For a sample aggregate service, see serviceName=CheckForAttacks, o=IDP-JunosePop, o=Scopes, o=umc in the sample data.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.