[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Subscriber Secure Policy Traffic Mirroring Architecture

This topic describes the subscriber secure policy architecture and includes a description of how mirrored traffic flows within the subscriber secure policy environment.

Figure 4 illustrates the subscriber secure policy mirroring environment. The Juniper Networks router, functioning as the intercept access point, is the centerpiece of the subscriber secure policy architecture. The figure indicates the sequence of events performed to configure mirroring and the traffic flow that occurs during mirroring. The tables after the figure describe the events shown in the figure: Table 18 describes the configuration sequence, and Table 19 and Table 20 describe the sequence of events that occur during mirroring operations.

Note: A special UDP/IP header is prepended to each mirrored packet sent to the mediation device. The prepended header is used as a demultiplexer, enabling the mediation device to differentiate the multiple mirrored streams that arrive from different sources.

Figure 4: Subscriber Secure Policy Architecture

Image g016987.gif

Table 18 lists the high-level steps that are required to configure the subscriber secure policy traffic mirroring environment.

Table 18: Subscriber Secure Policy Configuration Steps

Step A: An authorized individual or group requests traffic mirroring. This group also ensures that the mediation device is configured to receive and analyze mirrored traffic.

Step B: The RADIUS server administrator configures the subscriber RADIUS record to include the mirroring-related RADIUS attributes and VSAs.

Step C: The Juniper Networks router administrator configures the subscriber secure policy service on the router, including the flow-tap service configuration, RADIUS server information, and mediation device information.

Table 19 shows the process for a subscriber login mirroring operation, which is initiated when the mirrored subscriber logs in.

Table 19: RADIUS-Initiated Mirroring at Subscriber Login

Step 1: The subscriber logs in, requesting authentication by the RADIUS server.

Step 2:
  • The RADIUS server authenticates the subscriber and sends an Access-Accept message containing the mirroring-related RADIUS attributes and VSAs to the router (intercept access point).
  • The mirroring trigger in the RADIUS Access-Accept message initiates the mirroring operation.
  • The intercept access point creates the subscriber secure policy based on the mirroring VSAs and begins mirroring the subscriber’s traffic.

Step 3: The intercept access point sends the original subscriber traffic to its intended destination.

Step 4: The intercept access point sends the mirrored subscriber traffic to the mediation device.

Step 5: The mediation device provides information about the mirrored traffic to the requesting authority.

Table 20 shows the mirroring procedure for an in-session mirroring operation, in which the subscriber is already logged in.

Table 20: RADIUS-Initiated Mirroring for a Current Subscriber

Step 1: The subscriber logs in, requesting authentication by the RADIUS server. The RADIUS server authenticates the subscriber (no mirroring activity occurs).

Step 2:
  • Subscriber-based mirroring is later requested by the requesting authority and then enabled on the RADIUS server.
  • The RADIUS server sends a CoA message containing the mirroring-related RADIUS attributes and VSAs to the router (intercept access point).
  • The mirroring trigger in the RADIUS CoA message initiates the mirroring operation.
  • The intercept access point creates the subscriber secure policy based on the mirroring VSAs and immediately begins mirroring subscriber traffic.

Step 3: The intercept access point sends the original subscriber traffic to its intended destination.

Step 4: The intercept access point sends the mirrored subscriber traffic to the mediation device.

Step 5: The mediation device provides information about the mirrored traffic to the requesting authority.
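The two triggers in Table 19 and Table 20 differ only in which RADIUS packet carries the mirroring VSAs and, on the router side, in which authenticator rule proves that the packet came from the configured RADIUS server rather than from anyone who can reach the CoA port. The following Python is an added example, not Juniper code and not taken from this page: it encodes the mirroring VSAs, builds both an Access-Accept (login case) and a CoA-Request (in-session case), and implements the intercept access point's side, which verifies the authenticator before it derives a secure policy. The Juniper vendor ID (4874) and the attribute numbers for LI-Action, Med-Dev-Handle, Med-Ip-Address and Med-Port-Number are taken from Juniper's published RADIUS dictionary and are assumptions here, as is the value 1 meaning "enable"; the shared secret and the mediation device address are constructed sample data. A real Juniper router expects the LI VSAs salt-encrypted with the shared secret, which this example leaves out so the attribute layout stays visible.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 5176) and the Vendor-Specific attribute type.
ACCESS_ACCEPT, COA_REQUEST = 2, 43
ATTR_VENDOR_SPECIFIC = 26
# Juniper's IANA enterprise number and the LI attribute numbers from Juniper's
# published RADIUS dictionary. Assumed here; the page itself does not name them.
JUNIPER_VENDOR_ID = 4874
LI_ACTION, MED_DEV_HANDLE, MED_IP_ADDRESS, MED_PORT_NUMBER = 58, 59, 60, 61
LI_ENABLE = 1  # assumed encoding of "start mirroring"


def vsa(vendor_type, value):
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    body = struct.pack("!IBB", JUNIPER_VENDOR_ID, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def mirroring_vsas(handle, med_ip, med_port):
    """The mirroring trigger plus the mediation device endpoint (sent in the clear
    here; a real router expects these salt-encrypted with the shared secret)."""
    return (vsa(LI_ACTION, struct.pack("!I", LI_ENABLE))
            + vsa(MED_DEV_HANDLE, struct.pack("!I", handle))
            + vsa(MED_IP_ADDRESS, ipaddress.IPv4Address(med_ip).packed)
            + vsa(MED_PORT_NUMBER, struct.pack("!I", med_port)))


def authenticator(code, header, attrs, secret, request_auth):
    """Access-Accept: MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865 section 3.
    CoA-Request:   MD5(Code+ID+Length+16 zero octets+Attrs+Secret), RFC 5176 section 3."""
    if code == ACCESS_ACCEPT:
        if request_auth is None:
            raise ValueError("Access-Accept needs the Access-Request authenticator")
        seed = request_auth
    else:
        seed = b"\x00" * 16
    return hashlib.md5(header + seed + attrs + secret).digest()


def build_packet(code, identifier, attrs, secret, request_auth=None):
    """RADIUS server side: header, authenticator, then the attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + authenticator(code, header, attrs, secret, request_auth) + attrs


def verify_packet(pkt, secret, request_auth=None):
    """Router side: constant-time proof that the sender holds the shared secret."""
    if len(pkt) < 20:
        return False
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or (code == ACCESS_ACCEPT and request_auth is None):
        return False
    expected = authenticator(code, pkt[:4], pkt[20:], secret, request_auth)
    return hmac.compare_digest(expected, pkt[4:20])


def parse_vsas(attrs):
    """Return {vendor_type: value} for every Juniper VSA, rejecting malformed TLVs."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute length")
        if t == ATTR_VENDOR_SPECIFIC and l >= 6:
            if struct.unpack("!I", attrs[i + 2:i + 6])[0] == JUNIPER_VENDOR_ID:
                j = i + 6
                while j < i + l:
                    vt, vl = attrs[j], attrs[j + 1]
                    if vl < 2 or j + vl > i + l:
                        raise ValueError("malformed vendor sub-attribute")
                    out[vt] = attrs[j + 2:j + vl]
                    j += vl
        i += l
    return out


def intercept_access_point(pkt, secret, request_auth=None):
    """Refuse anything that fails the authenticator; otherwise build the secure policy.
    Returns None when the packet carries no mirroring trigger."""
    if not verify_packet(pkt, secret, request_auth):
        raise PermissionError("bad authenticator: not from the configured RADIUS server")
    v = parse_vsas(pkt[20:])
    if v.get(LI_ACTION) != struct.pack("!I", LI_ENABLE):
        return None
    return {"handle": struct.unpack("!I", v[MED_DEV_HANDLE])[0],
            "mediation_ip": str(ipaddress.IPv4Address(v[MED_IP_ADDRESS])),
            "mediation_port": struct.unpack("!I", v[MED_PORT_NUMBER])[0]}


def demo():
    secret = b"example-shared-secret"            # constructed sample secret
    trigger = mirroring_vsas(7, "192.0.2.10", 7890)  # constructed mediation endpoint
    # Table 19: trigger in the Access-Accept, bound to the Access-Request authenticator.
    req_auth = os.urandom(16)
    accept = build_packet(ACCESS_ACCEPT, 5, trigger, secret, req_auth)
    login_policy = intercept_access_point(accept, secret, req_auth)
    # Table 20: trigger in a CoA-Request for a subscriber who is already logged in.
    coa = build_packet(COA_REQUEST, 9, trigger, secret)
    coa_policy = intercept_access_point(coa, secret)
    # A CoA built with the wrong secret must never start an intercept.
    forged = build_packet(COA_REQUEST, 9, trigger, b"wrong-secret")
    try:
        intercept_access_point(forged, secret)
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return login_policy, coa_policy, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The forged-CoA case is the one to keep in mind when deploying Step C of Table 18: the router should accept CoA only from the configured RADIUS server addresses, and the shared secret is the only thing standing between an attacker on that path and an intercept of any subscriber they can name.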
