
Juniper E Series Configuration Guide

Juniper E Series
212 pages
Configuring CLI-Based Packet Mirroring (page 153)
Chapter 6: Packet Mirroring
To create a secure packet mirroring environment, you use a combination of the
JUNOSe software’s authorization methods and the mirror-enable command. You
configure the authorization method to control who can use the mirror-enable
command. Authorized users can then issue the mirror-enable command, making
the packet mirroring commands visible. However, the commands are still hidden
from unauthorized users. Table 24 lists the commands whose visibility is controlled
by the mirror-enable command.

To provide increased security, the mirror-enable command must be the only
command at its access level (level 12 by default) and it also must be at a different
privilege level than the other packet mirroring commands (level 13 by default) and
other regular JUNOSe CLI commands. This separation enables you to control
authorization to the mirror-enable command and to limit the visibility of packet
mirroring commands. For example, if you are using TACACS+, the mirror-enable
command is the only packet mirroring command that is sent to the TACACS+
server.
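
The separation rule above can be checked mechanically. The following Python sketch is an added example, not part of the Juniper guide: it assumes a hypothetical text export with one "<level> <command>" pair per line (not JUNOSe output) and flags any command that shares the mirror-enable level. The sample data is constructed.

```python
# Added example: audits a command -> privilege-level map against the
# separation rule described above. The input format is an assumption
# (one "<level> <command>" pair per line), not JUNOSe output.
GATE = "mirror-enable"
# Packet mirroring commands: a subset of Table 24 on this page.
MIRROR_COMMANDS = {
    "clear mirror log", "mirror acct-session-id", "mirror analyzer-ip-address",
    "mirror calling-station-id", "mirror disable", "mirror ip-address",
    "mirror nas-port-id", "mirror trap-enable", "mirror username",
    "secure policy-list", "show mirror log", "show mirror rules",
    "show mirror trap", "show mirror subscribers", "show secure policy-list",
    "snmp-server secure-log",
}

def parse_levels(text):
    """Parse '<level> <command>' lines into {command: level}; skip blanks and '#' comments."""
    levels = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        level, command = line.split(None, 1)
        levels[command] = int(level)
    return levels

def audit(levels):
    """Return findings; an empty list means the separation rule holds."""
    if GATE not in levels:
        return [f"{GATE}: no privilege level recorded"]
    gate_level = levels[GATE]
    findings = []
    for command, level in sorted(levels.items()):
        if command == GATE or level != gate_level:
            continue
        kind = "packet mirroring" if command in MIRROR_COMMANDS else "regular"
        findings.append(f"{kind} command '{command}' shares level {gate_level} with {GATE}")
    return findings

# Constructed sample data: the default levels the page names, then a misconfiguration.
DEFAULTS = "12 mirror-enable\n13 mirror ip-address\n13 show mirror log\n10 show configuration\n"
BROKEN = "12 mirror-enable\n12 mirror username\n12 show configuration\n"

if __name__ == "__main__":
    for name, text in (("defaults", DEFAULTS), ("broken", BROKEN)):
        print(name, audit(parse_levels(text)) or "OK")
```
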

The following two examples describe techniques you might use to enable and
secure your CLI-based packet mirroring environment. Example 1 uses a
combination of TACACS+ authorization and virtual terminal (vty) access lists to
secure the packet mirroring environment. Example 2 uses only vty access lists.

See JUNOSe System Basics Configuration Guide, Chapter 8, Passwords and Security for
more information about access levels. See JUNOSe Broadband Access Configuration
Guide, Chapter 5, Configuring TACACS+ for information about TACACS+
authorization.

Reloading a CLI-Based Packet Mirroring Configuration

You can reload your packet mirroring configuration as part of a configuration file
(.cnf) reload operation or when you run a script file (.scr) that you have saved from
the show configuration command display. When you reload a .cnf file, the packet
mirroring configuration is restored—no additional steps are required.

Table 24: Commands Made Visible by the mirror-enable Command

- ip policy { secure-input | secure-output }
- clear mirror log
- mirror acct-session-id
- mirror analyzer-ip-address
- mirror calling-station-id
- mirror disable
- mirror ip-address
- mirror nas-port-id
- mirror trap-enable
- mirror username
- secure policy-list
- show mirror log
- show mirror rules
- show mirror trap
- show mirror subscribers
- show secure policy-list
- show snmp trap (packet mirroring information)
- snmp-server secure-log
- snmp-server enable traps (packetMirror keyword)
- snmp-server host (packetMirror keyword)
