Defining Services for Mirroring on JUNOS Routing Platforms

Figure 13 illustrates the services in the sample data that mirror subscriber traffic from JUNOS routing platforms to an IDP sensor and shows the routers on which the services are activated. In this example, the DN for subscriber profiles is routerName= default@JunoseB, <DN of Router Profiles>.

Figure 13: Services to Mirror Traffic to an IDP Sensor

The Surveillance Director passes the value for the subrSubnet parameter to the aggregate service; the aggregate service then passes the value of the parameter to the router fragment services. For example, in Figure 14 the Surveillance Director passes value 111.2.1.6/31 for the CIDR subnet, to the aggregate service. The aggregate service passes the value for the CIDR subnet to the router fragment services.

Figure 14: Sample Values for SubrSubnet Parameter in Services for Mirroring

Before you configure services to mirror subscriber traffic to an IDP sensor:

• Make sure that the configuration on the JUNOS routing platform:
  • Specifies which ports to use for mirroring
  • Has a forwarding interface configured

    SRC service policies specify which traffic to mirror; the router configuration specifies how to implement mirroring on that system. For information about port mirroring on a JUNOS routing platform, see the JUNOS documentation at

    http://www.juniper.net/techpubs/software/junos/junos71/index.html

• Read the overview of services to be used to mirror traffic to an IDP sensor. See Defining Services for Mirroring on JUNOS Routing Platforms .

To configure services to mirror subscriber traffic to an IDP sensor:

1. Configure a policy to mirror traffic for a set of subscribers (selected by Surveillance Director) to the IDP sensor. The subrSubnet parameter (for a specified CIDR subnet) includes the source IP addresses designated for traffic sent by these subscribers.

   For a mirroring policy, you specify policy rules for traffic sent to and received from the subscriber subnet (the value of the subrSubnet parameter) that have the action Port Mirror.

   For a sample policy that implements mirroring, see policyGroupName=mirrorToIdp, ou=idp, o=Policies, o=umc in the sample data.

2. Create a service, which is a router fragment service in this configuration; set the type to normal; and specify the policy group configured in Step 1. This service is activated once for each JUNOS routing platform in a specified POP.

   For a sample service, see servicename=RouterFragment, l=IDP-JunosPop, o=Scopes, o=umc in the sample data.

3. Create an aggregate service; add the service configured in Step 2 to the aggregate service; and in the Service Fragment dialog box specify:
   • Expression—A subscriber reference expression to specify the vrNames substitution and the interface name used to activate the service. For example:

     vr = “ <- substitution.vrNames ->” , interfaceName = “ FORWARDING_INTERFACE”

     where FORWARDING_INTERFACE is used to activate the fragment service for the forwarding table. The vrNames substitution must be defined in each separate POP-specific scope.

     For the configuration shown in Figure 13, the substitution would be:

     vrNames=[“ default@JunosC” , “ default@JunosD” ]

     as defined in the JUNOS POP1 scope.

   • Mandatory—Set the value to false if you want the traffic to be redirected to the IDP sensor even if some of the core routers are down.
   • Redundancy Group—Name of a group of services that provide redundancy.

     We recommend that you configure a redundant service. By configuring a redundancy group, the Surveillance Director can move through the groups of addresses more rapidly. When you configure a group, at least one of the fragments must become active for the aggregate service to become active. If none of the core routers is up for the subscriber addresses when the aggregate service is being activated, activation of the aggregate service fails, and the Surveillance Director skips to the next group of addresses.

   • Subscription—False.
   • Substitution—subrSubnet specifies the list of addresses provided by the Surveillance Director.

   For a sample aggregate service, see serviceName=CheckForAttacks, l=IDP-JunosPop, o=Scopes, o=umc in the sample data.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.