Subscriber Secure Policy Traffic Mirroring Architecture

This topic describes the subscriber secure policy architecture and includes a description of how mirrored traffic flows within the subscriber secure policy environment.

Figure 1 illustrates the RADIUS-initiated subscriber secure policy mirroring environment (in DTCP-initiated mirroring, the DTCP client performs the mirroring-related operations shown for the RADIUS server in the figure).

The Juniper Networks router, functioning as an intercept access point, is the centerpiece of the subscriber secure policy architecture. The figure indicates the sequence of events that are performed to configure mirroring operations and the traffic flow that occurs during mirroring. The tables after the figure describe the events indicated by the figure: Table 1 describes the configuration sequence, and Table 2 and Table 3 describe the sequence of events that occur during mirroring operations.

Figure 1: RADIUS-Initiated Subscriber Secure Policy Architecture


Table 1 lists the high-level steps that are required to configure the subscriber secure policy traffic mirroring environment.

Table 1: Subscriber Secure Policy Configuration Steps

Step A: An authorized individual or group requests traffic mirroring. This group also ensures that the mediation device is configured to receive and analyze mirrored traffic.

Step B:
  • For RADIUS-initiated mirroring, the RADIUS server administrator configures the subscriber RADIUS record to include the mirroring-related RADIUS attributes and VSAs.
  • For DTCP-initiated mirroring, the DTCP server administrator configures the DTCP ADD message to include the DTCP mirroring-related attributes.

Step C: The Juniper Networks router administrator configures the subscriber secure policy service on the router, including the radius-flow-tap service configuration, RADIUS or DTCP server information, and mediation device information.

RADIUS-Initiated Traffic Mirroring Process

Table 2 shows the process for a RADIUS-initiated subscriber login mirroring operation, which is initiated when the mirrored subscriber logs in. Table 3 shows the procedure for a RADIUS-initiated in-session mirroring operation, in which the subscriber is already logged in.

Table 2: RADIUS-Initiated Mirroring at Subscriber Login

Step 1: The subscriber logs in, requesting authentication by the RADIUS server.

Step 2:
  • The RADIUS server authenticates the subscriber and sends an Access-Accept message containing the mirroring-related RADIUS attributes and VSAs to the router (intercept access point).
  • The mirroring trigger in the RADIUS Access-Accept message initiates the mirroring operation.
  • The intercept access point creates the subscriber secure policy based on the mirroring VSAs and begins mirroring the subscriber’s traffic.

Step 3: The intercept access point sends the original subscriber traffic to its intended destination.

Step 4: The intercept access point sends the mirrored subscriber traffic to the mediation device.

Step 5: The mediation device provides information about the mirrored traffic to the requesting authority.

Table 3: RADIUS-Initiated Mirroring for Current Subscriber

Step 1: The subscriber logs in, requesting authentication by the RADIUS server. The RADIUS server authenticates the subscriber (no mirroring activity occurs).

Step 2:
  • Subscriber-based mirroring is later requested by the requesting authority and then enabled on the RADIUS server.
  • The RADIUS server sends a CoA message containing the mirroring-related RADIUS attributes and VSAs to the router (intercept access point).
  • The mirroring trigger in the RADIUS CoA message initiates the mirroring operation.
  • The intercept access point creates the subscriber secure policy based on the mirroring VSAs and immediately begins mirroring subscriber traffic.

Step 3: The intercept access point sends the original subscriber traffic to its intended destination.

Step 4: The intercept access point sends the mirrored subscriber traffic to the mediation device.

Step 5: The mediation device provides information about the mirrored traffic to the requesting authority.
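The following is an added example, not code from the Juniper documentation or from any Juniper product, that models step 2 of both Table 2 and Table 3: a RADIUS server placing mirroring VSAs in an Access-Accept (at login) or a CoA-Request (in-session), and the intercept access point deciding whether to honour them. The security-relevant point is that the router must verify the message authenticator against the shared secret before it trusts any mirroring VSA, otherwise any host that can reach the RADIUS port could start an intercept. The attribute encoding and authenticator rules are the generic ones from RFC 2865 and RFC 5176; the vendor ID 4874 and vendor-type codes 58 to 61 with the names LI-Action, Med-Dev-Handle, Med-Ip-Address and Med-Port-Number are assumed placeholders to be checked against the router's RADIUS attribute reference, and the real vendor VSAs are also obfuscated with the shared secret on the wire, which this example omits. The shared secret, subscriber name and mediation device address are constructed sample data.

```python
"""Build and validate RADIUS messages that carry subscriber-mirroring VSAs.
Illustrative code, not Juniper's.  Vendor ID / VSA codes below are ASSUMED."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RFC 2865
COA_REQUEST = 43           # RFC 5176
USER_NAME = 1
VENDOR_SPECIFIC = 26

ASSUMED_VENDOR_ID = 4874   # assumption: check the router's attribute reference
MIRROR_VSA_NAMES = {58: "LI-Action", 59: "Med-Dev-Handle",   # assumed codes
                    60: "Med-Ip-Address", 61: "Med-Port-Number"}
TRIGGER_VSA_NAME = "LI-Action"  # assumed: the VSA whose presence starts mirroring


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_type, value, vendor_id=ASSUMED_VENDOR_ID):
    """Encode a Vendor-Specific attribute: 26 | Len | Vendor-Id | VType | VLen | Value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def authenticator(code, ident, attrs, secret, request_auth):
    """MD5(Code | ID | Length | seed | Attributes | Secret).
    Access-Accept: seed = Request Authenticator of the Access-Request (RFC 2865 s3).
    CoA-Request:   seed = 16 zero bytes (RFC 5176 s2.3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Assemble a complete RADIUS packet with a correct authenticator (server side)."""
    body = b"".join(attrs)
    auth = authenticator(code, ident, body, secret, request_auth)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse(packet):
    """Return (code, ident, authenticator, [(type, value), ...]); reject malformed input."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def mirroring_vsas(attrs, vendor_id=ASSUMED_VENDOR_ID):
    """Extract the mirroring VSAs (by assumed name) from a parsed attribute list."""
    found = {}
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vid = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        if vid == vendor_id and vtype in MIRROR_VSA_NAMES and vlen == len(value) - 4:
            found[MIRROR_VSA_NAMES[vtype]] = value[6:]
    return found


def evaluate(packet, secret, request_auth=bytes(16)):
    """Intercept-access-point side: is this message a trustworthy mirroring trigger?
    The authenticator is verified before any VSA is read, so a message from a host
    that does not know the shared secret can never create a secure policy."""
    code, ident, auth, attrs = parse(packet)
    expected = authenticator(code, ident, packet[20:], secret, request_auth)
    authentic = hmac.compare_digest(auth, expected)
    vsas = mirroring_vsas(attrs) if authentic else {}
    trigger = authentic and code in (ACCESS_ACCEPT, COA_REQUEST) and TRIGGER_VSA_NAME in vsas
    return {"code": code, "authentic": authentic, "trigger": trigger, "vsas": vsas}


# Constructed sample data (not from any real deployment).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))          # stands in for the Access-Request authenticator
MIRROR_ATTRS = [vsa(58, struct.pack("!I", 1)),            # assumed: 1 = start mirroring
                vsa(59, b"case-0001"),                    # mediation device handle
                vsa(60, bytes([192, 0, 2, 10])),          # mediation device address
                vsa(61, struct.pack("!I", 9000))]         # mediation device port


def sample_access_accept():
    """Table 2, step 2: Access-Accept at login carrying the mirroring VSAs."""
    return build(ACCESS_ACCEPT, 7, [attr(USER_NAME, b"alice@example.net")] + MIRROR_ATTRS,
                 SECRET, REQ_AUTH)


def sample_coa():
    """Table 3, step 2: CoA-Request for an already-logged-in subscriber."""
    return build(COA_REQUEST, 8, [attr(USER_NAME, b"alice@example.net")] + MIRROR_ATTRS, SECRET)


def sample_forged_coa():
    """A CoA from a host that does not know the shared secret; must be rejected."""
    return build(COA_REQUEST, 9, MIRROR_ATTRS, b"wrong-secret")


if __name__ == "__main__":
    print(evaluate(sample_access_accept(), SECRET, REQ_AUTH))
    print(evaluate(sample_coa(), SECRET))
    print(evaluate(sample_forged_coa(), SECRET))
```

Two checks in `evaluate` are worth noting. For an Access-Accept, the authenticator is bound to the Request Authenticator of the subscriber's own Access-Request, so a captured Access-Accept cannot be replayed against a different login to attach mirroring to it. For a CoA-Request the seed is fixed at zero, which is why RFC 5176 deployments should also enforce the configured server address and consider the Message-Authenticator attribute; a forged or tampered CoA still fails the shared-secret check here.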

DTCP-Initiated Traffic Mirroring Process

Table 4 shows the process for a DTCP-initiated mirroring operation.

Table 4: DTCP-Initiated Traffic Mirroring

Step 1:
  • The DTCP client sends the ADD message containing the mirroring-related attributes to the router, which functions as the intercept access point and the DTCP server.
    • If the DTCP ADD is received before the subscriber logs on, the traffic mirroring begins when the subscriber subsequently logs on.
    • If the DTCP ADD is received after the subscriber has logged on, the traffic mirroring begins when the ADD is received.
  • The intercept access point creates the subscriber secure policy based on the mirroring attributes, then begins mirroring traffic for subscribers currently logged on, and will mirror traffic for subscribers that log on in the future.

Step 2: The intercept access point sends the original subscriber traffic to its intended destination.

Step 3: The intercept access point sends the mirrored subscriber traffic to the mediation device.

Step 4: The mediation device provides information about the mirrored traffic to the requesting authority.


Published: 2010-07-12