Configuring Session Mirroring
Session mirroring commands are hidden by default. You must have
a login with sufficient permission to configure session mirroring.
The set system login class class-name permissions
pgcp-session-mirroring-control command grants this permission.
Step-by-Step Procedure
To configure session mirroring:
- Access the configuration of the delivery function
properties under session-mirroring.
- [edit services pgcp]
- user@host# edit session-mirroring delivery-function df-1
- Configure the network operator ID. The
PG includes the network operator ID in the header of intercepted packets
that it sends to the delivery function. It is used to identify the
operator.
- [edit services pgcp session-mirroring delivery-function df-1]
- user@host# set network-operator-id ABCDE
- Configure the address of the delivery
function to which the PG sends session-mirroring information.
- [edit services pgcp session-mirroring delivery-function df-1]
- user@host# set destination-address 10.1.1.63
- Configure the port on the delivery function
that receives session-mirroring information.
- [edit services pgcp session-mirroring delivery-function df-1]
- user@host# set destination-port 15000
- Configure the address of the interface
on which the PG sends session-mirroring data to the delivery function.
- [edit services pgcp session-mirroring delivery-function df-1]
- user@host# set source-address 10.1.1.43
- Configure the port on which the PG sends
session-mirroring data to the delivery function.
- [edit services pgcp session-mirroring delivery-function df-1]
- user@host# set source-port 10000
Disabling Session Mirroring
To disable session mirroring:
- [edit services pgcp session-mirroring]
- user@host# set disable-session-mirroring
Re-Enabling Session Mirroring
To re-enable session mirroring:
- [edit services pgcp session-mirroring]
- user@host# delete disable-session-mirroring
Configuring IPSec for Mirrored Sessions
To protect mirrored traffic that is sent from the PG to the
delivery function, you can use IPSec. To have IPSec and PGCP performed
on the same PIC, you create PGCP and IPSec service sets and chain
these service sets using routing-options.
To create the service sets and routing options:
- Configure a PGCP service set. The NAT routes installed
as part of the PGCP service direct PGCP traffic to sp-1/0/0.10 and sp-1/0/0.20.
- [edit services service-set pgcp-svc-set]
- user@host# set pgcp-rules pgcp-rule
- user@host# set next-hop-service inside-service-interface sp-1/0/0.10
- user@host# set next-hop-service outside-service-interface sp-1/0/0.20
- Configure an IPSec service set on the
same PIC.
- [edit services service-set ipsec-svc-set]
- user@host# set next-hop-service inside-service-interface sp-1/0/0.30
- user@host# set next-hop-service outside-service-interface sp-1/0/0.40
- user@host# set ipsec-vpn-options local-gateway 1.0.0.1
- user@host# set ipsec-vpn-rules ipsec1
- Install a static route to the delivery
function (1.0.0.3) with the next-hop address of the PIC. This route
redirects mirrored packets to a unit of the same service PIC that
is hosting the IPSec service.
- [edit]
- user@host# set routing-options static route 1.0.0.3/32 next-hop sp-1/0/0.30
The mirrored packets that are generated on sp-1/0/0 have the
destination address of the delivery function, in this case 1.0.0.3.
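An added example, not part of the Juniper documentation: this Python script audits a configuration in flattened "set" form and reports, for each delivery function, whether the most specific static route to its destination-address leads into a service set that has IPSec rules. It assumes only static routes decide the path; df-2, ge-0/0/0.0 and the sample text are constructed for illustration.

```python
import ipaddress
import re

DF = re.compile(r"set services pgcp session-mirroring delivery-function (\S+) destination-address (\S+)")
INSIDE = re.compile(r"set services service-set (\S+) next-hop-service inside-service-interface (\S+)")
IPSEC = re.compile(r"set services service-set (\S+) ipsec-vpn-rules \S+")
ROUTE = re.compile(r"set routing-options static route (\S+) next-hop (\S+)")

# Constructed sample built from the statements on this page (df-2 and ge-0/0/0.0 are made up).
SAMPLE = """\
set services pgcp session-mirroring delivery-function df-1 destination-address 10.1.1.63
set services pgcp session-mirroring delivery-function df-2 destination-address 1.0.0.3
set services service-set pgcp-svc-set pgcp-rules pgcp-rule
set services service-set pgcp-svc-set next-hop-service inside-service-interface sp-1/0/0.10
set services service-set ipsec-svc-set next-hop-service inside-service-interface sp-1/0/0.30
set services service-set ipsec-svc-set ipsec-vpn-rules ipsec1
set routing-options static route 1.0.0.0/24 next-hop ge-0/0/0.0
set routing-options static route 1.0.0.3/32 next-hop sp-1/0/0.30
"""

def audit_mirroring(config):
    """Map each delivery function to True if the longest-prefix static route
    to its destination-address points at an IPSec service set's inside interface."""
    dests, inside, ipsec_sets, routes = {}, {}, set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := DF.fullmatch(line):
            dests[m[1]] = ipaddress.ip_address(m[2])
        elif m := INSIDE.fullmatch(line):
            inside[m[2]] = m[1]                     # interface -> service set name
        elif m := IPSEC.fullmatch(line):
            ipsec_sets.add(m[1])                    # service sets carrying IPSec rules
        elif m := ROUTE.fullmatch(line):
            routes.append((ipaddress.ip_network(m[1], strict=False), m[2]))
    result = {}
    for name, addr in dests.items():
        covering = [r for r in routes if addr in r[0]]
        # A more specific route wins, so a stray host route can bypass IPSec.
        best = max(covering, key=lambda r: r[0].prefixlen, default=None)
        result[name] = best is not None and inside.get(best[1]) in ipsec_sets
    return result

if __name__ == "__main__":
    for name, ok in audit_mirroring(SAMPLE).items():
        print(name, "IPSec-protected" if ok else "NOT routed through IPSec")
```

A delivery function reported as not routed through IPSec has no static route, or a more specific one, that keeps its mirrored traffic out of the IPSec service set.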
Related Topics
- Chapter 27, Summary of Packet Gateway Configuration Statements in JUNOS Services Interfaces Configuration Guide.