Directing Subscriber Traffic to IDP for Monitoring
You can direct all traffic to IDP by placing an IDP sensor in the network paths through which all incoming and outgoing subscriber traffic passes. In this case, you do not need to configure the SDX software to direct subscriber traffic to an IDP sensor.
If you do plan to direct subsets of subscriber traffic to an IDP sensor, how you do so depends on your network configuration. Table 20 lists ways in which you route subscriber traffic to an IDP sensor.
For policy-based routing from JUNOSe routers, a service is activated on subscriber interfaces for each subscriber IP address, and on each core interface. For mirroring on JUNOS routing platforms, a service is activated only one time for a router or for a set of routers. If your configuration includes a JUNOS routing platform, we recommend that you use mirroring to direct subscriber traffic to IDP.
Surveillance Director
The Surveillance Director manages how to direct subscriber traffic to an IDP sensor. It queries the directory for IP pools associated with specified virtual routers and generates classless interdomain routing (CIDR) subnets that include only the set of IP addresses that are assigned to subscribers. You can configure the number of IP addresses to be included in a CIDR subnet. The Surveillance Director uses CIDR subnets because routers can efficiently handle these subnets to match policy rules.
For each CIDR subnet, the Surveillance Director activates a specified aggregate service, and the aggregate service in turn activates its fragment services to route traffic to an IDP sensor. The configuration of the fragment services determines whether they policy-route or mirror the traffic.
Table 21 describes the types of fragment services to configure in an aggregate service, and shows where the fragment services are activated. For general information about aggregate services and fragment services, see SDX Services and Policies Guide, Chapter 1, Managing Services.
Traffic for one group of CIDR subnets at a time is sent to an IDP sensor for monitoring. You can configure the length of the interval during which traffic from a CIDR subnet is monitored; all traffic for subscribers whose IP addresses fall within that CIDR subnet is monitored during the specified monitoring interval.
The Surveillance Director provides subscriber IDs in the form of a distinguished name (DN) to locate the subscriber session in which to activate a service. The DN is used to locate the SAE that manages the subscriber session in which the aggregate service is activated.
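The following Python model makes the Surveillance Director behaviour described above concrete: it turns the addresses currently assigned from a virtual router's IP pools into CIDR subnets that contain only assigned addresses (capped at a configurable number of addresses per subnet), batches those subnets into groups that are monitored one per interval, and builds the per-subnet aggregate-service activation requests keyed by the <vrName>@<routerName> subscriber session. This is an added example, not SDX software or Juniper code; the pool contents, the virtual-router and router names, the service name idp-monitor and all function names are constructed for the illustration.

```python
"""Illustrative model of Surveillance Director subnet generation and scheduling.
Added example; not SDX code. All names and data below are constructed."""
import ipaddress

# Constructed sample: addresses currently assigned to subscribers, keyed by the
# <vrName>@<routerName> subscriber session that hosts the aggregate service.
ASSIGNED = {
    "vr1@erx1": ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4",
                 "10.0.0.9", "10.0.0.10", "10.0.1.200"],
    "vr2@erx1": ["10.1.0.5", "10.1.0.6", "10.1.0.7", "10.1.0.8"],
}


def cidr_subnets(addresses, max_addresses=4):
    """Return the smallest set of CIDR subnets that contain exactly the given
    addresses, with each subnet holding at most max_addresses addresses.

    Routers match policy rules on prefixes far more cheaply than on long lists
    of host addresses, which is why the director emits CIDR subnets."""
    if max_addresses < 1 or max_addresses & (max_addresses - 1):
        raise ValueError("max_addresses must be a power of two")
    hosts = [ipaddress.ip_network(a) for a in addresses]  # one /32 per host
    result = []
    # collapse_addresses merges adjacent /32s into the largest exact aggregates,
    # so unassigned addresses never leak into a subnet.
    for net in ipaddress.collapse_addresses(hosts):
        if net.num_addresses > max_addresses:
            # Split aggregates wider than the configured size.
            new_prefix = 32 - (max_addresses.bit_length() - 1)
            result.extend(net.subnets(new_prefix=new_prefix))
        else:
            result.append(net)
    return result


def covers_exactly(subnets, addresses):
    """Check that the subnets cover every assigned address and nothing else."""
    covered = {str(h) for net in subnets for h in net}
    return covered == set(addresses)


def monitoring_schedule(subnets, group_size, interval_seconds):
    """Batch subnets into groups; group i is monitored starting at offset
    i * interval_seconds, one group per monitoring interval."""
    groups = [subnets[i:i + group_size] for i in range(0, len(subnets), group_size)]
    return [(i * interval_seconds, group) for i, group in enumerate(groups)]


def activation_requests(session, subnets, aggregate_service="idp-monitor"):
    """Build one aggregate-service activation per CIDR subnet, addressed to the
    <vrName>@<routerName> subscriber session (service name is hypothetical)."""
    return [{"session": session, "service": aggregate_service, "subnet": str(net)}
            for net in subnets]


if __name__ == "__main__":
    for session, addrs in ASSIGNED.items():
        nets = cidr_subnets(addrs, max_addresses=4)
        assert covers_exactly(nets, addrs)
        for offset, group in monitoring_schedule(nets, group_size=2, interval_seconds=300):
            print(f"t+{offset:>4}s {session}: {[str(n) for n in group]}")
        for req in activation_requests(session, nets):
            print("  activate", req)
```

The `covers_exactly` check is the property a practitioner should care about when reviewing such a configuration: a subnet that is wider than the assigned addresses would send unrelated traffic to the sensor, while a missing subnet leaves a subscriber unmonitored for the whole interval.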
Router and Interface Subscriber Sessions
In addition to the typical subscriber sessions used to activate services, the services to support IDP integration require special subscriber sessions to host:
- An aggregate service
- Core interface fragment services if traffic is policy-routed to an IDP sensor
- Router fragment services if traffic is mirrored to an IDP sensor
Subscriber Session to Host an Aggregate Service
On a JUNOSe router, a router subscriber session hosts an aggregate service. In this case, a subscriber profile must have a name in the form <vrName>@<routerName>. The <vrName> and <routerName> must correspond to the virtual router names and router names of objects under o=Networks, o=umc in the directory.
Subscriber Session to Host a Core Interface Fragment Service
On a JUNOSe router, a subscriber session is needed to activate a core interface fragment service that policy-routes traffic to the IDP sensor. All core routing interfaces use a single shared subscriber object in the directory.
Subscriber Session to Host a Router Interface Fragment Service
On a JUNOS routing platform, a router subscriber session is used to activate the fragment service that mirrors traffic to the IDP sensor. We recommend that the router subscriber profile have a name in the form <vrName>@<routerName>. The router subscriber session must be associated with the forwarding interface that the SDX creates.