You can direct all traffic to IDP by placing an IDP sensor in the network paths through which all incoming and outgoing subscriber traffic passes. In this case, you do not need to configure the SRC software to direct subscriber traffic to an IDP sensor.
If you do plan to direct subsets of subscriber traffic to an IDP sensor, how you do so depends on your network configuration. Table 7 lists ways in which you route subscriber traffic to an IDP sensor.
Table 7: Network Configuration and Forwarding Method
Note: Use mirroring from JUNOS routing platform(s) if you are sure that most, or all, of the subscriber traffic traverses those routers. When you mirror traffic to IDP, IDP monitors only the subscriber traffic that traverses a JUNOS routing platform.
For policy-based routing from JUNOSe routers, a service is activated on subscriber interfaces for each subscriber IP address, and on each core interface. For mirroring on JUNOS routing platforms, a service is activated only one time for a router or for a set of routers. If your configuration includes a JUNOS routing platform, we recommend that you use mirroring to direct subscriber traffic to IDP.
The Surveillance Director manages how to direct subscriber traffic to an IDP sensor. It queries the directory for IP pools associated with specified virtual routers and generates classless interdomain routing (CIDR) subnets that include only the set of IP addresses that are assigned to subscribers. You can configure the number of IP addresses to be included in a CIDR subnet. The Surveillance Director uses CIDR subnets because routers can efficiently handle these subnets to match policy rules.
For each CIDR subnet, the Surveillance Director activates a specified aggregate service, and then the aggregate service activates its fragment services to route traffic to an IDP sensor. The configuration of each fragment service determines whether that service policy-routes or mirrors traffic.
Table 8 describes the types of fragment services to configure in an aggregate service, and shows where the fragment services are activated.
Table 8: Types of Fragment Services in an Aggregate Service
Traffic for one group of CIDR subnets at a time is sent to an IDP sensor for monitoring. You can configure the length of the interval during which to monitor traffic from a CIDR subnet; all traffic for subscribers with IP addresses within the CIDR subnet is monitored during the specified monitoring interval.
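The CIDR generation described above (subnets that cover only pool addresses, with a configurable maximum size) and the rotation of subnet groups through monitoring intervals can be illustrated with the following example. This is added illustrative code, not the Surveillance Director's own implementation; the pool names and address ranges are constructed for the example.

```python
import ipaddress

# Constructed sample: IP pools as they might be read from the directory for two
# virtual routers (names and ranges are made up for this example).
SAMPLE_POOLS = {
    "vr1@erx1": [("10.10.0.0", "10.10.3.255"), ("10.10.8.0", "10.10.8.63")],
    "vr2@erx1": [("10.20.0.0", "10.20.0.255")],
}


def pool_to_cidrs(first: str, last: str, max_addresses: int):
    """Cover the pool first..last with CIDR subnets of at most max_addresses
    addresses each (max_addresses must be a power of two).

    Only addresses inside the pool are covered, so traffic from address space
    that is not assigned to subscribers is never routed to the IDP sensor.
    """
    if max_addresses <= 0 or max_addresses & (max_addresses - 1):
        raise ValueError("max_addresses must be a power of two")
    smallest_prefix = 32 - max_addresses.bit_length() + 1  # 256 -> /24, 64 -> /26
    for block in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        if block.prefixlen >= smallest_prefix:
            yield block                      # already small enough
        else:
            yield from block.subnets(new_prefix=smallest_prefix)


def subscriber_cidrs(pools, max_addresses):
    """Return the sorted CIDR subnets for every pool of every virtual router."""
    subnets = []
    for ranges in pools.values():
        for first, last in ranges:
            subnets.extend(pool_to_cidrs(first, last, max_addresses))
    return sorted(subnets)


def monitoring_groups(subnets, group_size):
    """Split the subnets into the groups whose traffic is sent to the IDP
    sensor one group at a time, each for one monitoring interval."""
    return [subnets[i:i + group_size] for i in range(0, len(subnets), group_size)]


if __name__ == "__main__":
    for round_no, group in enumerate(monitoring_groups(subscriber_cidrs(SAMPLE_POOLS, 256), 4)):
        print(f"interval {round_no}: {[str(s) for s in group]}")
```

Lowering max_addresses produces more, smaller subnets and therefore more monitoring rounds; the total number of covered addresses stays equal to the pool sizes.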
The Surveillance Director provides subscriber IDs in the form of a distinguished name (DN) to locate the subscriber session in which to activate a service. The DN is used to locate the SAE that manages the subscriber session in which the aggregate service is activated.
In addition to the typical subscriber sessions used to activate services, the services to support IDP integration require special subscriber sessions to host:
On a JUNOSe router, a router subscriber session hosts an aggregate service. In these cases, a subscriber profile must have a name in the form <vrName>@<routerName>. The <vrName> and <routerName> must correspond to the virtual router names and router names of objects under o=Networks, o=umc in the directory.
On a JUNOSe router, a subscriber session is needed to activate a core interface fragment service that policy-routes traffic to the IDP sensor. All core routing interfaces use a single shared subscriber object in the directory.
On a JUNOS routing platform, a router subscriber session is used to activate the fragment service that mirrors traffic to the IDP sensor. We recommend that the router subscriber profile have a name in the form <vrName>@<routerName>. The router subscriber session must be associated with the forwarding interface that the SRC software creates.