Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring DTCP-Initiated Subscriber Secure Policy Mirroring Overview


Before you configure subscriber secure policy traffic mirroring, note the following:

  • Subscriber secure policy mirroring runs on the radius-flow-tap service infrastructure. To configure the subscriber secure policy service, you need the same privileges that are required to configure the radius-flow-tap service.

  • The subscriber secure policy feature requires some system resources while mirroring, encrypting, and sending traffic to the mediation device. For example, you might elect to use a 10-Gigabit Ethernet interface for the tunnel and mediation device if you expect the amount of traffic you plan to mirror to approach 1 Gbps of actual user data.

To configure DTCP-initiated subscriber secure policy service:

  1. Configure the radius-flow-tap service support for secure subscriber policy. This support includes configuring the tunnels and optional forwarding-class information that the subscriber secure policy service uses to send mirrored traffic to the content destination device.

    See Configuring Support for Subscriber Secure Policy Mirroring.

  2. Configure the mediation device as a user on the router. This user account allows the router to receive DTCP messages from the mediation device.

    See Configuring the Mediation Device as a User on the Router.

  3. Configure the mediation device to provision traffic mirroring on the router.

    See Configuring the Mediation Device to Provision Traffic Mirroring.

  4. Configure a DTCP-over-SSH connection to the mediation device.

    See Configuring a DTCP-over-SSH Connection to the Mediation Device.

  5. (Optional) Enable mirroring of IPv4 multicast traffic on the router.

    See Enabling Subscriber Secure Policy Mirroring for IPv4 Multicast Traffic

  6. Configure SNMPv3 trap support to report mirroring information to an external device.

    See Configuring SNMPv3 Traps for Subscriber Secure Policy Mirroring.

You can terminate an active subscriber mirroring session at any time.

See Terminating DTCP-Initiated Subscriber Traffic Mirroring Sessions.