

Configuring Packet Mirroring

To support packet mirroring in an SRC network, configure a script service that can be activated to set up RADIUS-based packet-mirroring policies on a JUNOSe router. The script service defines the parameters needed to mirror subscriber traffic, such as the address of the subscriber or the analyzer device. This script service is activated for the subscriber whose traffic should be mirrored. For detailed information about configuring script services, see SRC-PE Services and Policies Guide, Chapter 2, Managing Services on a Solaris Platform.

You must have preconfigured RADIUS-based packet mirroring on JUNOSe routers. The JUNOSe software provides RADIUS-based packet mirroring, which allows the router to create dynamic secure policies for the mirroring operation. The RADIUS administrator can configure and manage interface mirroring services that are activated by means of CoA. For information about configuring RADIUS-based packet mirroring on the JUNOSe router, see the JUNOSe Policy Management Configuration Guide.

For information about dynamic RADIUS requests, see RFC 3576—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (July 2003).

To set up the SRC software for packet mirroring, perform the following tasks:

The SRC software includes a sample script service that you can configure to send dynamic RADIUS requests to the JUNOSe router. You can use the sample service definition and customize it for your environment by modifying the service substitutions. For information about the sample packet mirroring application, see Example: Using the Sample Packet-Mirroring Application.

Creating the Script Service for Packet Mirroring

To create the script service:

  1. In the SDX Admin navigation pane, right-click the Services folder, highlight New, and then click SSP Service.
  2. In the New SSP Service dialog box, enter a service name or select a name from the drop-down list.
  3. In the Main tab pane, select script in the Type field.
  4. If you want to hide the service from users and unauthorized administrators, select true from the menu in the Secret field.
  5. Click the Script tab.

The Script pane appears.

  6. Edit the values in the Script fields for the sample packet-mirroring script service.
  7. Click Save.

After you create the script service, you need to configure parameters for the script service. For more information about configuring script services and parameters, see SRC-PE Services and Policies Guide, Chapter 2, Managing Services on a Solaris Platform.

Configuring the Script Service for Packet Mirroring

To configure the script service, you provide parameter substitutions with the values that are in the service definitions. To do so:

  1. In SDX Admin, select the Parameter tab in the script service configuration. The parameter pane appears.
  2. Configure the parameters.

Table 7 lists the parameters specified by the sample packet-mirroring script service. In most cases, you can use the sample script service without modification.




Table 7: Parameter Substitutions for Packet-Mirroring Services

Parameter Name
    Description

dynAnalyzerIPAddress
    RADIUS VSA that is the IP address of the analyzer device. This attribute is required.

dynAnalyzerPortNumber
    RADIUS VSA that is the UDP port number of the monitoring application in the analyzer device. If specified, dynMirrorIdentifier must also be specified.

dynMirrorIdentifier
    RADIUS VSA in the form of a hexadecimal string. If specified, dynAnalyzerPortNumber must also be specified.

dynClientIp
    IP address of the dynamic RADIUS client.

dynClientPort
    UDP port number of the dynamic RADIUS client.

dynSecret
    Shared secret.

dynRetry
    Number of retries for sending dynamic RADIUS packet when no RADIUS response is received. The retry interval is 3 seconds.

dynConfig
    Content of dynamic RADIUS request packets in the format <action>.<radiusAttributeName>=<pluginEventAttribute>\n

  • action—Action that is executed on packet content (attribute)
      • start
      • stop
      • start-stop
  • radiusAttributeName—Valid RADIUS attribute specified as follows:
      • Standard RADIUS attribute name or number.
      • JUNOSe VSA in one of the following formats, where .salt indicates that the attribute is MD5 salt-encrypted in the RADIUS packet:
          vendor-specific.4874.<vsa#>[.salt]
          26.4874.<vsa#>[.salt]
  • pluginEventAttribute—Valid Python expression
  • \n—New-line character included between the lines of a configuration containing multiple lines; the entire configuration must be enclosed in quotation marks

For example:

start-stop.Acct-Session-Id = ifSessionId

"start-stop.Acct-Session-Id=ifSessionId\nstart.vendor-specific.4874.58.salt=1\nstart.vendor-specific.JUNIPER.Unisphere-Med-Dev-Handle.salt=custom['dynMirrorIdentifier']\nstart.vendor-specific.JUNIPER.Unisphere-Med-Ip-Address.salt=intIp(custom['dynAnalyzerIPAddress'])\nstart.vendor-specific.JUNIPER.Unisphere-Med-Port-Number.salt=int(custom['dynAnalyzerPortNumber'])\nstop.vendor-specific.4874.58.salt=0"

You can also configure dynamic RADIUS requests with the sendDynamicRadius method of the ServiceSessionInfo interface (see Defining RADIUS Attributes for Dynamic Authorization Requests with the API).

For detailed information about configuring services, see SRC-PE Services and Policies Guide, Chapter 2, Managing Services on a Solaris Platform.
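
The following is an added example, not part of the SRC documentation or the sample service: a Python linter that checks a dynConfig string against the line format described in Table 7 without evaluating its expressions, then applies the table's rules to the substitutions referenced as custom['name']. The function names, the acceptance of the JUNIPER.<name> attribute spelling (taken from the page's example), and the choice to check the rules against referenced substitutions are assumptions.

```python
import ast
import re

# Line form from the page: <action>.<radiusAttributeName>=<pluginEventAttribute>
LINE_RE = re.compile(r"^(start-stop|start|stop)\.(.+?)\s*=\s*(.+)$")
# Page's vendor-specific forms plus the JUNIPER.<name> spelling of its example.
VSA_RE = re.compile(r"^(vendor-specific|26)\.(4874|JUNIPER)\.([\w-]+)(\.salt)?$")
STD_RE = re.compile(r"^(\d+|[A-Za-z][\w-]*)$")  # standard attribute name or number
CUSTOM_RE = re.compile(r"custom\s*\[\s*['\"](\w+)['\"]\s*\]")

def is_expression(text):
    """True if text parses as a Python expression; it is never evaluated."""
    try:
        return bool(ast.parse(text, mode="eval"))
    except (SyntaxError, ValueError):
        return False

def parse_dyn_config(config):
    """Return (entries, errors); accepts the quoted form with literal \\n."""
    entries, errors = [], []
    text = config.strip().strip('"').replace("\\n", "\n")
    for n, line in enumerate(text.split("\n"), 1):
        m = LINE_RE.match(line.strip())
        vsa = VSA_RE.match(m.group(2)) if m else None
        if not m:
            errors.append(f"line {n}: not <action>.<attribute>=<expression>")
        elif not vsa and not STD_RE.match(m.group(2)):
            errors.append(f"line {n}: bad RADIUS attribute {m.group(2)!r}")
        elif not is_expression(m.group(3)):
            errors.append(f"line {n}: value is not a Python expression")
        else:
            entries.append({"action": m.group(1), "attribute": m.group(2),
                            "salted": bool(vsa and vsa.group(4)),
                            "uses": set(CUSTOM_RE.findall(m.group(3)))})
    return entries, errors

def check_substitutions(entries):
    """Apply the Table 7 rules to the substitutions the entries reference."""
    used = set().union(*(e["uses"] for e in entries))
    rules = [("dynAnalyzerIPAddress" in used, "dynAnalyzerIPAddress is required"),
             (("dynAnalyzerPortNumber" in used) == ("dynMirrorIdentifier" in used),
              "dynAnalyzerPortNumber and dynMirrorIdentifier must be set together")]
    return [msg for ok, msg in rules if not ok]

# Constructed sample: bad action on line 3, port given without the identifier.
SAMPLE = ("start.26.4874.58.salt=1\\n"
          "start.vendor-specific.JUNIPER.Unisphere-Med-Port-Number.salt="
          "int(custom['dynAnalyzerPortNumber'])\\n"
          "pause.Acct-Session-Id=ifSessionId")
print(parse_dyn_config(SAMPLE)[1], check_substitutions(parse_dyn_config(SAMPLE)[0]))
```

The "salted" flag in each entry shows which attributes will be MD5 salt-encrypted in the request, which is useful when reviewing a configuration that carries the analyzer address or mirror identifier.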

Configuring Subscriptions to the Packet-Mirroring Service

You need to configure subscriptions to the packet-mirroring service. You can set up the subscriptions to activate immediately on login.

For more information, see SRC-PE Subscribers and Subscriptions Guide, Chapter 13, Configuring Subscribers and Subscriptions with SDX Admin.

