Configuring DTCP-Initiated Subscriber Secure Policy Mirroring Overview
Before you configure subscriber secure policy traffic mirroring, note the following:
Subscriber secure policy mirroring runs on the radius-flow-tap service infrastructure. To configure the subscriber secure policy service, you need the same privileges that are required to configure the radius-flow-tap service.
The subscriber secure policy feature requires some system resources while mirroring, encrypting, and sending traffic to the mediation device. For example, you might elect to use a 10-Gigabit Ethernet interface for the tunnel and mediation device if you expect the amount of traffic you plan to mirror to approach 1 Gbps of actual user data.
To configure DTCP-initiated subscriber secure policy service:
- Configure the radius-flow-tap service support for secure subscriber policy. This support includes configuring the tunnels and optional forwarding-class information that the subscriber secure policy service uses to send mirrored traffic to the content destination device.
- Configure the mediation device as a user on the router. This user account allows the router to receive DTCP messages from the mediation device.
- Configure the mediation device to provision traffic mirroring on the router.
- Configure a DTCP-over-SSH connection to the mediation device.
- (Optional) Enable mirroring of IPv4 multicast traffic on the router.
- Configure SNMPv3 trap support to report mirroring information to an external device.
You can terminate an active subscriber mirroring session at any time.