Juniper E Series Configuration Guide

JUNOSe 7.2.x Policy Management Configuration Guide
Configuring RADIUS-Based Mirroring
You add the trigger to the RADIUS record of the user whose traffic will be mirrored.
In addition, you must include the RADIUS VSAs listed in Table 29 in the mirrored
user’s RADIUS record.
A Mirror-Action setting of 2 specifies that the router does not perform any packet
mirroring–related configuration. This setting can provide additional security by
confusing unauthorized users who attempt to access packet mirroring
communication between the router and the RADIUS server.
Dynamically Created Secure Policies
RADIUS-based packet mirroring uses dynamically created secure policies, which are
based on the RADIUS VSAs that an authorized RADIUS administrator creates. A
policy is created when the packet mirroring action is initiated at the RADIUS server,
and then applied to the interface that is dynamically created for the user. When the
mirroring operation is disabled, the secure policy is deleted.
The E-series router creates a name for the dynamically created policies—the name
consists of the string spl followed by a hexadecimal integer, such as spl_88000008.
The name is displayed by the show secure policy-list command.
Mirroring MLPPP Sessions
When you use RADIUS-based packet mirroring on MLPPP traffic, RADIUS
authentication and authorization are performed on the individual links. The
mirroring-related VSAs are returned with the RADIUS response. For user-initiated
mirroring, which starts when the user logs on, a RADIUS response is returned for
each successful authentication/authorization. For RADIUS-initiated mirroring of a
user who is already logged in, a single RADIUS request is sent for each link.
- If you are mirroring an L2TP session, the packet mirroring operation is enabled
or disabled on a single link that is uniquely identified by the trigger you use (the
RADIUS attributes for Acct-Session-ID or User-Name). For tunneled MLPPP, the
individual links in the MLPPP bundle are mirrored separately. The packet
mirroring configuration fails if you use the Acct-Multi-Session-ID attribute
(RADIUS attribute 50) for the configuration.
NOTE: For IP mirroring, you must include both VSA 59 and 61 or neither. If you use
only one of these two VSAs, the configuration fails.
Table 29: RADIUS-Based Mirroring Attributes

Standard Number   Attribute Name         Setting
[26-58]           Mirror-Action          0 = disable mirroring
                                         1 = enable mirroring
                                         2 = no action
[26-59]           Mirror-Identifier      String (not null-terminated)
[26-60]           Analyzer-IP-Address    IP address of analyzer device
[26-61]           Analyzer-Port-Number   UDP port number of monitoring application in analyzer device
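
The constraints stated above (the Mirror-Action values, the VSA 59/61 pairing rule, and the Acct-Multi-Session-ID restriction) can be checked before a record is placed on the RADIUS server. The following Python is an added example, not part of the Juniper manual or of JUNOSe; the function name, the dictionary layout, the sample records and the 1-65535 port range check are assumptions of this example.

```python
import ipaddress

# Mirror-Action settings as listed in Table 29.
MIRROR_ACTIONS = {0: "disable mirroring", 1: "enable mirroring", 2: "no action"}


def check_mirror_record(record, trigger):
    """Return the problems found in one user's mirroring attributes.

    record: dict keyed by the Table 29 attribute names (example layout).
    trigger: name of the RADIUS attribute that identifies the session.
    """
    problems = []
    if record.get("Mirror-Action") not in MIRROR_ACTIONS:
        problems.append("Mirror-Action [26-58] must be 0, 1 or 2")

    # Per the NOTE: VSA 59 and VSA 61 are both present or both absent.
    has_id = "Mirror-Identifier" in record
    has_port = "Analyzer-Port-Number" in record
    if has_id != has_port:
        problems.append("VSA 59 and VSA 61 must be used together or not at all")

    # Table 29: Mirror-Identifier is a string that is not null-terminated.
    if has_id and str(record["Mirror-Identifier"]).endswith("\x00"):
        problems.append("Mirror-Identifier [26-59] must not be null-terminated")

    if "Analyzer-IP-Address" in record:
        try:
            ipaddress.ip_address(str(record["Analyzer-IP-Address"]))
        except ValueError:
            problems.append("Analyzer-IP-Address [26-60] is not an IP address")

    if has_port:
        port = record["Analyzer-Port-Number"]
        # Range check is this example's assumption (usable UDP ports).
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append("Analyzer-Port-Number [26-61] is not a UDP port")

    # Acct-Multi-Session-ID (RADIUS attribute 50) makes the configuration fail.
    if trigger == "Acct-Multi-Session-ID":
        problems.append("Acct-Multi-Session-ID cannot be used as the trigger")
    return problems


# Constructed sample records (not from the manual).
GOOD = {"Mirror-Action": 1, "Mirror-Identifier": "case-0001",
        "Analyzer-IP-Address": "192.0.2.10", "Analyzer-Port-Number": 6000}
BAD = {"Mirror-Action": 3, "Mirror-Identifier": "case-0002",
       "Analyzer-IP-Address": "192.0.2.999"}
```

Calling `check_mirror_record(BAD, "Acct-Multi-Session-ID")` reports the invalid action, the unpaired VSA 59, the malformed analyzer address and the unsupported trigger in one pass.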
