Examples: Classifying Subscribers and Interfaces for the Threat Mitigation Application

To apply policies to the forwarding interfaces, you configure additional entries in the subscriber classification and interface classification scripts.

Example: Subscriber Classification Scripts

In the subscriber classification script, threat mitigation requires the assignment of a subscriber profile for the forwarding interface and for any interface other than the forwarding interface (such as the provider edge interface on the JUNOS routing platform).

The Threat Mitigation Application needs to identify subscriber sessions in which to activate services persistently. These subscriber sessions should have a login name so that subscriber entries in the directory can be shared among the managed routers or interfaces. The login name must be unique. We recommend using the interface name and virtual router name to construct a unique login name. The login name must end in @<retailer’s domain> and must not contain a / (slash) or another @ (at sign).

[routerName=commonRouterProfile,ou=routers,retailername=SP-THMA,o=Users,o=UMC?loginName=
<-virtualRouterName.replace("@", "_")+"@thma"->??]
# host subscriber for JUNOS routers
interfaceName=="FORWARDING_INTERFACE"

This subscriber classification for the forwarding interface sets the virtual router name (with any @ replaced by an underscore) as the login name and thma as the service provider’s domain name. The domain name must match the value of the Retailer Domain field specified when configuring the SRC-TMP.

[uniqueID=DefaultTHMASubscriber,ou=subscribers,retailername=SP-THMA,o=Users,
o=UMC?loginName=<-interfaceName.replace("@", "_").replace("/",
"_")+"_"+virtualRouterName.replace("@", "_")+"@thma"->??]
# anything that is not the forwarding interface uses default subscriber
interfaceName!="FORWARDING_INTERFACE"

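This subscriber classification for the provider edge interface builds the login name from the interface name followed by an underscore and the virtual router name, replacing any @ or / in the interface name and any @ in the virtual router name with an underscore, and appends @thma as the domain.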

To view the subscriber classifications referenced in this section, see l=THMA, l=SAE, ou=staticConfiguration, ou=Configuration, o=Management, o=umc in the sample data.
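
The login-name rules and the two loginName expressions above can be checked offline before a classification script is loaded. The following Python sketch is an added example, not part of the SRC software or its sample data; the function names and the interface and virtual router names used with it are assumptions made for illustration.

```python
# Added example: mirrors the loginName expressions in the two subscriber
# classification targets above and checks the documented login-name rules.
# Function names are hypothetical; they are not SRC APIs.

FORWARDING_INTERFACE = "FORWARDING_INTERFACE"  # placeholder used on the page
DOMAIN = "thma"  # must match the Retailer Domain field


def login_name(interface_name, virtual_router_name, domain=DOMAIN):
    """Build the login name the way the classification expressions do."""
    vr = virtual_router_name.replace("@", "_")
    if interface_name == FORWARDING_INTERFACE:
        return vr + "@" + domain
    ifc = interface_name.replace("@", "_").replace("/", "_")
    return ifc + "_" + vr + "@" + domain


def rule_violations(name, domain=DOMAIN):
    """Return the documented rules that a login name breaks."""
    problems = []
    if not name.endswith("@" + domain):
        problems.append("does not end in @" + domain)
    if "/" in name:
        problems.append("contains a slash")
    if name.count("@") != 1:
        problems.append("contains another @")
    return problems


def audit(interfaces, domain=DOMAIN):
    """Map each (interface, virtual router) pair to a login name.

    Returns (names, violations, collisions); collisions lists login names
    produced by more than one pair, which breaks the uniqueness rule.
    """
    names, violations, seen = {}, {}, {}
    for pair in interfaces:
        name = login_name(pair[0], pair[1], domain)
        names[pair] = name
        if rule_violations(name, domain):
            violations[pair] = rule_violations(name, domain)
        seen.setdefault(name, []).append(pair)
    collisions = {n: p for n, p in seen.items() if len(p) > 1}
    return names, violations, collisions
```

Note that the expression for the forwarding interface replaces only @ in the virtual router name, so a virtual router name containing a slash is reported as a violation, and two interface names that differ only in / versus _ are reported as a collision.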

Example: Interface Classification Scripts for JUNOS Routing Platforms

An entry is needed in the interface classification script to specify the default policy for forwarding interfaces and provider edge interfaces on the JUNOS routing platforms. For example:

[policyGroupName=default,ou=forwardingInterface,ou=thma,o=Policies,o=UMC]
# manage router interface for mirroring
interfaceName=="FORWARDING_INTERFACE"
[policyGroupName=default,ou=peInterface,ou=thma,o=Policies,o=UMC]
# manage interfaces with an alias indicating
# an enterprise customer
interfaceName!="FORWARDING_INTERFACE"

To view the interface classifications referenced in this section, see the interface classification for the THMA<number> routers listed under o=Network, o=umc in the sample data.

Example: Interface Classification Scripts for JUNOSe Routers

An entry is needed in the interface classification script to specify the default policy for subscriber interfaces on the JUNOSe routers. For example:

# generic PPP users
[policyGroupName=default,ou=subrInterface,ou=thma,o=Policies,o=UMC]
pppLoginName!=""
# define DHCP interfaces here
[policyGroupName=DHCP,ou=junose,ou=sample,o=Policies,o=umc]
# all fastEthernet interfaces
interfaceName="fastEthernet*"

To view the interface classifications referenced in this section, see the interface classification for orderedCimKeys=THMA_JUNOSE, o=Network, o=umc in the sample data.