[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring Session Mirroring

Session mirroring commands are hidden by default. You must have a login with sufficient permission to configure session mirroring. The set system login class class-name permissions pgcp-session-mirroring-control command grants this permission.

Step-by-Step Procedure

To configure session mirroring:

Access the configuration of the delivery function properties under session-mirroring.
[edit services pgcp ] user@host#edit session-mirroring delivery-function df-1
Configure the network operator ID. The BGF includes the network operator ID in the header of intercepted packets that it sends to the delivery function. It is used to identify the operator.
[edit services pgcp session-mirroring delivery-function df-1] user@host#set network-operator-id ABCDE
Configure the address of the delivery function to which the BGF sends session-mirroring information.
[edit services pgcp session-mirroring delivery-function df-1] user@host#set destination-address 10.1.1.63
Configure the port on the delivery function that receives session-mirroring information.
[edit services pgcp session-mirroring delivery-function df-1] user@host#set destination-port 15000
Configure the address of the interface on which the BGF sends session-mirroring data to the deliver function.
[edit services pgcp session-mirroring delivery-function df-1] user@host#set source-address 10.1.1.43
Configure the port on which the BGF sends session-mirroring data to the delivery function.
[edit services pgcp session-mirroring delivery-function df-1] user@host#set source-port 10000

Disabling Session Mirroring

To disable session mirroring:


            
               [edit services pgcp session-mirroring]
               user@host#set disable-session-mirroring

Re-Enabling Session Mirroring

To re-enable session mirroring:


            
               [edit services pgcp session-mirroring]
               user@host#delete disable-session-mirroring

Configuring IPSec for Mirrored Sessions

To protect mirrored traffic that is sent from the BGF to the delivery function, you can use IPSec. To have IPSec and the BGF on the same PIC, you create BGF and IPSec service sets and chain these service-sets using routing-options.

To create the service sets and routing options:

Configure a service set for the BGF. The NAT routes installed as part of BGF service direct PGCP traffic to sp-1/0/0.10 and sp-1/0/0.20.
[edit services service-set bgf-svc-set] user@host#set pgcp-rules bgf-rule user@host#set next-hop-service inside-service-interface sp-1/0/0.10 user@host#set next-hop-service outside-service-interface sp-1/0/0.20
Configure an IPSec service set on the same PIC.
[edit services service-set ipsec-svc-set] user@host#set next-hop-service inside-service-interface sp-1/0/0.30 user@host#set next-hop-service outside-service-interface sp-1/0/0.40 user@host#set ipsec-vpn-options local-gateway 1.0.0.1 user@host#set ipsec-vpn-rules ipsec1
Install a static route to the delivery function (1.0.0.3) with the next-hop address of the PIC. This route redirects mirrored packets to a unit of the same service PIC that is hosting the IPSec service.
[edit] user@host#set routing-options static route 1.0.0.3/32 next-hop sp-1/0/0.30

The mirrored packets that are generated on sp-1/0/0 have the destination address of the delivery function, which in this case is 1.0.0.3.

Configuring Session Mirroring

Disabling Session Mirroring

Re-Enabling Session Mirroring

Configuring IPSec for Mirrored Sessions

Related Topics