JUNOSe 7.2.x Policy Management Configuration Guide
Configuring CLI-Based Packet Mirroring
5. Verify the secure policy configuration.
host1#show secure policy-list name secureIpPolicy1
Policy Table
------ -----
Secure IP Policy secureIpPolicy1
Administrative state: enable
Reference count: 2
Classifier control list: *
mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1
Referenced by interface(s):
ATM5/0.1 secure-input policy, virtual-router vr1
ATM5/0.2 secure-output policy, virtual-router vr1
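Added example, not part of the Juniper guide: a Python audit helper that parses the show secure policy-list output above and reports any analyzer destination outside an approved set, plus any policy whose reference count differs from the number of interfaces listed. The approved set passed to audit() is hypothetical, and the expectation that the reference count equals the number of listed interfaces is an assumption taken from this sample output.

```python
import re

# Constructed sample: the policy block from the command output shown above.
SAMPLE = """\
Secure IP Policy secureIpPolicy1
   Administrative state: enable
   Reference count: 2
   Classifier control list: *
      mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1
   Referenced by interface(s):
      ATM5/0.1 secure-input policy, virtual-router vr1
      ATM5/0.2 secure-output policy, virtual-router vr1
"""

POLICY = re.compile(r"^Secure IP Policy (\S+)")
STATE = re.compile(r"^Administrative state:\s*(\S+)")
REFS = re.compile(r"^Reference count:\s*(\d+)")
MIRROR = re.compile(r"^mirror analyzer-ip-address (\S+) analyzer-virtual-router (\S+)")
ATTACH = re.compile(r"^(\S+) secure-(input|output) policy, virtual-router (\S+)")

def parse_secure_policies(text):
    """Return one dict per secure policy found in the command output."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY.match(line):
            policies.append({"name": m[1], "state": None, "ref_count": None,
                             "analyzers": [], "attachments": []})
        elif not policies:
            continue  # banner or stray field before the first policy header
        elif m := STATE.match(line):
            policies[-1]["state"] = m[1]
        elif m := REFS.match(line):
            policies[-1]["ref_count"] = int(m[1])
        elif m := MIRROR.match(line):
            policies[-1]["analyzers"].append((m[1], m[2]))
        elif m := ATTACH.match(line):
            policies[-1]["attachments"].append((m[1], m[2], m[3]))
    return policies

def audit(policies, approved_analyzers):
    """Assumption: reference count should equal the interfaces listed."""
    findings = []
    for p in policies:
        for ip, vr in p["analyzers"]:
            if (ip, vr) not in approved_analyzers:
                findings.append(f"{p['name']}: unapproved analyzer {ip} in {vr}")
        if p["ref_count"] != len(p["attachments"]):
            findings.append(f"{p['name']}: reference count != interfaces listed")
    return findings
```

Calling audit(parse_secure_policies(SAMPLE), {("192.168.125.29", "vr1")}) returns an empty list for the configuration shown above.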
Configuring CLI-Based User-Specific Mirroring
In user-specific packet mirroring, you use triggers to identify the user whose traffic
you want to mirror and to start the mirroring session. The triggers are similar to the
RADIUS attributes used in RADIUS-based mirroring. However, for CLI-based
mirroring, AAA can use any supported authentication method, including RADIUS.
The following list shows the triggers you can use to identify users:
- Username (virtual router specific)
- IP address (virtual router specific)
- Calling station ID
- Account session ID
This example shows the configuration of a CLI-based packet mirroring session for
an L2TP user. The configuration uses the username as the trigger to identify the
user and start the mirroring session. The mirroring session replicates all traffic
associated with the user, and then sends the replicated traffic through an IPSec
tunnel to the analyzer device.
1. Enable the visibility and use of the packet mirroring CLI commands.
host1#mirror-enable
2. Create the analyzer port and the route to the analyzer device at address
192.168.99.2.
host1(config)#interface tunnel ipsec:mirror3 transport-virtual-router default
host1(config-if)#ip analyzer
host1(config-if)#exit
host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
NOTE: An E-series router supports a maximum of 100 mirror trigger rules.