Example: Using the Sample Packet-Mirroring Application

[Contents] [Prev] [Next] [Index] [Report an Error]

Example: Using the Sample Packet-Mirroring Application

To use the sample packet-mirroring application:

Download the SRC sample applications to your system from the Juniper Networks Web site:
http://www.juniper.net/support/csc/swdist-erx/src.html
Locate the file that contains the service definition:
/SDK/scriptServices/packetMirroring/ldif/service.ldif
Import the sample service definition to the Juniper Networks Database on the C Series Controller. To load the sample data into the database, you can use an LDAP tool, such as ldapadd.
You can obtain ldapadd from the following Web site:

http://www.openldap.org/

To load data into the Juniper Networks database, you need the IP address of the database and the database credentials. The default bind distinguished name (DN) for the database is cn=umcadmin, o=umc and the password is admin123.
Copy the /lib/pm.jar file used by the script service to the /opt/UMC/sae /var/run directory on the C Series Controller.
Modify the service substitutions for your environment.
You can make these substitutions by defining the parameter substitutions in the packetMirroring service (serviceName=packetMirroring, o=Services, o=umc) with the SRC CLI or by passing the values through the SAE core API.

For information about parameter substitutions, see Configuring Parameters for the Script Service for Packet Mirroring. For information about passing the values through the SAE core API, see Defining RADIUS Attributes for Dynamic Authorization Requests with the SAE Core API.
Configure a subscription to the packetMirroring service that is activated on login.
For information about subscriptions, see Overview of Subscriptions.
If you are modifying the sample application, copy the sae.jar and logger.jar files from the SKD/lib directory, and add the sae.jar and logger.jar files to the classpath when you compile your application.

Example: Packet Mirroring for PPP Subscribers

When a PPP subscriber is subscribed to the packet-mirroring service, configure the service as an activate-on-login service at user connection time. After the subscriber has logged in through the SAE remote API, the packet-mirroring service can be subscribed to the PPP subscriber and activated. When the service is activated, a CoA request is sent to the router running JUNOSe Software that includes the PPP subscriber’s accounting session ID to start packet mirroring for this subscriber.

Example: Packet Mirroring for DHCP Subscribers

When a DHCP subscriber is subscribed to the packet-mirroring service, configure the service as an activate-on-login service at user connection time. After the subscriber has logged in through the SAE remote API, the packet-mirroring service can be subscribed to the DHCP subscriber and activated. When the service is activated, a CoA request is sent to the router running JUNOSe Software that includes the DHCP subscriber’s IP address and virtual router name for the router running JUNOSe Software to start packet mirroring for this subscriber.

Configuring DHCP Subscriber Sessions

You can use DHCP option 82 to identify the subscriber session. For example, if you set DHCP option 82 as the user login name, an external application can use this setting to search for the subscriber session. The following subscriber classification script illustrates this example:


            
               [retailername=default,o=Users,o=UMC?loginName=<-dhcp[82].suboptions[1].string->?sub?(interfaceName=<-dhcp[82].suboptions[1].string->)]
                  
               
               loginType = “ ADDR”  
               [<-retailerDN->??sub?(uniqueID=<-userName->)] 
               retailerDN != “ “  
               & userName != “ “  
               [<-unauthenticatedUserDn->] 
               loginType == "ADDR" 
               loginType == "AUTHADDR"

Disabling RADIUS Authentication for DHCP Subscribers

Packet mirroring for DHCP subscribers does not involve RADIUS authentication, so you might have to configure authentication to grant all IP subscriber management interfaces access without authentication. For example, configure the router running JUNOSe Software with the following authentication:


            
               aaa authentication ip default none

You can still configure other subscribers to use RADIUS authentication. For example, configure the router running JUNOSe Software with the following authentication for PPP subscribers:


            
               aaa authentication ppp default radius