This topic describes the subscriber secure policy architecture
and includes a description of how mirrored traffic flows within the
subscriber secure policy environment.
Figure 4 illustrates the subscriber secure policy mirroring environment.
The Juniper Networks router, functioning as the intercept access point,
is the centerpiece of the subscriber secure policy architecture.
The figure indicates the sequence of events that are performed to
configure mirroring operations and the traffic flow that occurs during
mirroring. The tables after the figure describe the events indicated
by the figure. Table 18 describes the configuration sequence. Table 19 and Table 20 describe
the sequence of events that occur during mirroring operations.
Note: A special UDP/IP header is prepended to each mirrored
packet sent to the mediation device. The prepended header is used
as a demultiplexer, enabling the mediation device to differentiate
the multiple mirrored streams that arrive from different sources.

Figure 4: Subscriber Secure Policy Architecture
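As an added example (not code from the Juniper documentation), the following Python shows the mediation-side demultiplexing the note describes: each received datagram's outer IPv4/UDP header is parsed, the inner mirrored packet is extracted, and packets are grouped per stream. The page does not define the fields of the prepended header, so this assumes the outer source/destination addresses and ports identify a stream; the sample datagrams and the helper that builds them are constructed here for illustration.

```python
import struct
from collections import defaultdict

def parse_outer_header(datagram: bytes):
    """Return (stream_key, inner_packet) from the prepended IPv4/UDP header.
    Assumption: the stream is identified by the outer (src_ip, src_port, dst_ip, dst_port)."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != 17:                           # outer protocol must be UDP
        raise ValueError("outer protocol is not UDP")
    if total_len > len(datagram) or len(datagram) < ihl + 8:
        raise ValueError("truncated datagram")
    src_ip = ".".join(str(b) for b in datagram[12:16])
    dst_ip = ".".join(str(b) for b in datagram[16:20])
    src_port, dst_port, udp_len = struct.unpack("!HHH", datagram[ihl:ihl + 6])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("bad UDP length")
    inner = datagram[ihl + 8:ihl + udp_len]         # the mirrored subscriber packet
    return (src_ip, src_port, dst_ip, dst_port), inner

def demultiplex(datagrams):
    """Group inner packets by stream key; malformed datagrams are dropped and counted."""
    streams, dropped = defaultdict(list), 0
    for d in datagrams:
        try:
            key, inner = parse_outer_header(d)
        except ValueError:
            dropped += 1
            continue
        streams[key].append(inner)
    return dict(streams), dropped

def build_datagram(src_ip, src_port, dst_ip, dst_port, inner):
    """Constructed sample only: wrap an inner packet in IPv4/UDP (checksums left zero)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(inner), 0) + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + udp

if __name__ == "__main__":
    # Constructed sample: two streams from one intercept access point, plus a truncated datagram.
    sample = [build_datagram("192.0.2.1", 40001, "198.51.100.9", 5555, b"sub-a-1"),
              build_datagram("192.0.2.1", 40002, "198.51.100.9", 5555, b"sub-b-1"),
              build_datagram("192.0.2.1", 40001, "198.51.100.9", 5555, b"sub-a-2")]
    streams, dropped = demultiplex(sample + [sample[0][:25]])
    for key, packets in streams.items():
        print(key, packets)
    print("dropped:", dropped)
```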
Table 18 lists the high-level steps that are required to configure the subscriber
secure policy traffic mirroring environment.

Step | Description
A | An authorized individual or group requests traffic mirroring. This group also ensures that the mediation device is configured to receive and analyze mirrored traffic.
B | The RADIUS server administrator configures the subscriber RADIUS record to include the mirroring-related RADIUS attributes and VSAs.
C | The Juniper Networks router administrator configures the subscriber secure policy service on the router, including the flow-tap service configuration, RADIUS server information, and mediation device information.
Table 19 shows the process for a subscriber login mirroring operation, which
is initiated when the mirrored subscriber logs in.

Table 19: RADIUS-Initiated Mirroring at Subscriber Login

Step | Description
1 | The subscriber logs in, requesting authentication by the RADIUS server.
2 | The RADIUS server authenticates the subscriber and sends an Access-Accept message containing the mirroring-related RADIUS attributes and VSAs to the router (intercept access point). The mirroring trigger in the RADIUS Access-Accept message initiates the mirroring operation. The intercept access point creates the subscriber secure policy based on the mirroring VSAs and begins mirroring the subscriber's traffic.
3 | The intercept access point sends the original subscriber traffic to its intended destination.
4 | The intercept access point sends the mirrored subscriber traffic to the mediation device.
5 | The mediation device provides information about the mirrored traffic to the requesting authority.
Table 20 shows the mirroring procedure for an in-session mirroring
operation, in which the subscriber is already logged in.

Table 20: RADIUS-Initiated Mirroring for Current Subscriber

Step | Description
1 | The subscriber logs in, requesting authentication by the RADIUS server. The RADIUS server authenticates the subscriber (no mirroring activity occurs).
2 | Subscriber-based mirroring is later requested by the requesting authority and then enabled on the RADIUS server. The RADIUS server sends a CoA message containing the mirroring-related RADIUS attributes and VSAs to the router (intercept access point). The mirroring trigger in the RADIUS CoA message initiates the mirroring operation. The intercept access point creates the subscriber secure policy based on the mirroring VSAs and immediately begins mirroring subscriber traffic.
3 | The intercept access point sends the original subscriber traffic to its intended destination.
4 | The intercept access point sends the mirrored subscriber traffic to the mediation device.
5 | The mediation device provides information about the mirrored traffic to the requesting authority.