Configuring Services to Mirror Traffic to IDP

The tasks to configure services to policy-route traffic to IDP are:

1. (Optional) Configuring Scopes When Mirroring Traffic
2.  Defining Services for Mirroring on JUNOS Routing Platforms

Configuring Scopes When Mirroring Traffic

You configure scopes to define the services to be activated for a specific SRC-managed network. Which scopes you configure depends on how you direct traffic to an IDP sensor.

In a network that contains both JUNOSe routers and JUNOS routing platforms, you can assign a single scope to all routers, and a second scope to only JUNOS routing platforms. Figure 12 shows the scopes and routers configured in the sample data. The Junos POP scope contains the aggregate and fragment services. The Junos POP1 scope defines the list of JUNOS routing platforms that provide the mirroring service for the subscriber access router.

Figure 12: Scopes to Support Mirroring Traffic to an IDP Sensor

To mirror traffic from a JUNOS routing platform to an IDP sensor:

1. Create a general JUNOS POP scope.
2. Assign the scope to the virtual routers on the JUNOSe subscriber access router and the JUNOS routing platforms. Make sure that these routers appear under o=Networks, o=umc in the directory. You create the aggregate service in this scope.

   For a sample scope for JUNOS routing platforms, see l=IDP-JunosPop, o=Scopes, o=umc in the sample data.

3. Create a network-specific JUNOS scope that is associated with the general JUNOS scope for each specific POP.

   To show the relationship between the two types of JUNOS scopes, we recommend that you incorporate the name of the general JUNOS scope into the name of the network-specific scope. For example, if the name of the general JUNOS scope is JunosPop, then the names of network-specific scopes are JunosPop1, JunosPop2, and so on.

   A network-specific scope must contain a parameter that lists the names of the JUNOS routers in the JUNOS POP. By using this list, the SRC software activates the services in the JUNOS scope for each router listed.

For an example of a network-specific scope, see l=IDP-JunosPop1, o=Scopes, o=umc in the sample data.

Defining Services for Mirroring on JUNOS Routing Platforms

Figure 13 illustrates the services in the sample data that mirror subscriber traffic from JUNOS routing platforms to an IDP sensor and shows the routers on which the services are activated. In this example, the DN for subscriber profiles is routerName= default@JunoseB, <DN of Router Profiles>.

Figure 13: Services to Mirror Traffic to an IDP Sensor

The Surveillance Director passes the value for the subrSubnet parameter to the aggregate service; the aggregate service then passes the value of the parameter to the router fragment services. For example, in Figure 14 the Surveillance Director passes value 111.2.1.6/31 for the CIDR subnet, to the aggregate service. The aggregate service passes the value for the CIDR subnet to the router fragment services.

Figure 14: Sample Values for SubrSubnet Parameter in Services for Mirroring

Before you configure services to mirror subscriber traffic to an IDP sensor:

• Make sure that the configuration on the JUNOS routing platform:
  • Specifies which ports to use for mirroring
  • Has a forwarding interface configured

    SRC service policies specify which traffic to mirror; the router configuration specifies how to implement mirroring on that system. For information about port mirroring on a JUNOS routing platform, see the JUNOS documentation at

    http://www.juniper.net/techpubs/software/junos/junos71/index.html

• Read the overview of services to be used to mirror traffic to an IDP sensor. See Defining Services for Mirroring on JUNOS Routing Platforms .

To configure services to mirror subscriber traffic to an IDP sensor:

1. Configure a policy to mirror traffic for a set of subscribers (selected by Surveillance Director) to the IDP sensor. The subrSubnet parameter (for a specified CIDR subnet) includes the source IP addresses designated for traffic sent by these subscribers.

   For a mirroring policy, you specify policy rules for traffic sent to and received from the subscriber subnet (the value of the subrSubnet parameter) that have the action Port Mirror.

   For a sample policy that implements mirroring, see policyGroupName=mirrorToIdp, ou=idp, o=Policies, o=umc in the sample data.

2. Create a service, which is a router fragment service in this configuration; set the type to normal; and specify the policy group configured in Step 1. This service is activated once for each JUNOS routing platform in a specified POP.

   For a sample service, see servicename=RouterFragment, l=IDP-JunosPop, o=Scopes, o=umc in the sample data.

3. Create an aggregate service; add the service configured in Step 2 to the aggregate service; and in the Service Fragment dialog box specify:
   • Expression—A subscriber reference expression to specify the vrNames substitution and the interface name used to activate the service. For example:

     vr = “ <- substitution.vrNames ->” , interfaceName = “ FORWARDING_INTERFACE”

     where FORWARDING_INTERFACE is used to activate the fragment service for the forwarding table. The vrNames substitution must be defined in each separate POP-specific scope.

     For the configuration shown in Figure 13, the substitution would be:

     vrNames=[“ default@JunosC” , “ default@JunosD” ]

     as defined in the JUNOS POP1 scope.

   • Mandatory—Set the value to false if you want the traffic to be redirected to the IDP sensor even if some of the core routers are down.
   • Redundancy Group—Name of a group of services that provide redundancy.

     We recommend that you configure a redundant service. By configuring a redundancy group, the Surveillance Director can move through the groups of addresses more rapidly. When you configure a group, at least one of the fragments must become active for the aggregate service to become active. If none of the core routers is up for the subscriber addresses when the aggregate service is being activated, activation of the aggregate service fails, and the Surveillance Director skips to the next group of addresses.

   • Subscription—False.
   • Substitution—subrSubnet specifies the list of addresses provided by the Surveillance Director.

   For a sample aggregate service, see serviceName=CheckForAttacks, l=IDP-JunosPop, o=Scopes, o=umc in the sample data.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.