Enabling and Securing CLI-Based Packet Mirroring

The JunosE Software enables you to create a secure environment for your packet-mirroring operation by restricting access to the packet mirroring CLI commands and information. For example, when dealing with a critical diagnostic or troubleshooting procedure, you might want the packet-mirroring feature to be available and visible to a subset of your network operations group. Or, if you are monitoring confidential traffic from a particular user, you might want the configuration and results of the mirroring operation to be available only to a unique group, such as the management group of the analyzer device.

By default, the packet mirroring configuration commands are hidden from all users. You must use the mirror-enable command to make the commands visible, which then enables you to configure the packet-mirroring environment. The command applies only to the current CLI session. When you log out of the current session and then log in again, the packet mirroring commands are no longer visible until you issue mirror-enable again.

Note: The no mirror-enable command makes the packet mirroring commands no longer visible. However, any active mirroring sessions are unaffected and traffic continues to be mirrored.

To create a secure packet-mirroring environment, you use a combination of the JunosE Software authorization methods and the mirror-enable command. You configure the authorization method to control who can use the mirror-enable command. Authorized users can then issue the mirror-enable command, making the packet mirroring commands visible. However, the commands are still hidden from unauthorized users. Table 49 lists the commands whose visibility is controlled by the mirror-enable command.

Table 49: Commands Made Visible by the mirror-enable Command

Configuration commands:

  • ip policy { secure-input | secure-output }
  • ipv6 policy { secure-input | secure-output }
  • mirror acct-session-id
  • mirror agent-circuit-id
  • mirror agent-remote-id
  • mirror analyzer-ip-address
  • mirror calling-station-id
  • mirror dhcp-option-82
  • mirror disable
  • mirror ip-address
  • mirror nas-port-id
  • mirror trap-enable
  • mirror username
  • secure ip classifier-list
  • secure ip policy-list
  • secure ipv6 classifier-list
  • secure ipv6 policy-list
  • secure l2tp policy-list
  • snmp-server clear secure-log
  • snmp-server secure-log
  • snmp-server enable traps (packetMirror keyword)
  • snmp-server host (packetMirror keyword)

Show and clear commands:

  • clear mirror log
  • show ip interface (packet mirroring information)
  • show ipv6 interface (packet mirroring information)
  • show mirror log
  • show mirror rules
  • show mirror subscribers
  • show mirror trap
  • show secure classifier-list
  • show secure policy-list
  • show snmp secure-log
  • show snmp trap (packet mirroring information)

To provide increased security, the mirror-enable command must be the only command at its access level (level 12 by default) and it also must be at a different privilege level than the other packet mirroring commands (level 13 by default) and other regular JunosE CLI commands. This separation enables you to control authorization to the mirror-enable command and to limit the visibility of packet mirroring commands. For example, if you are using TACACS+, the mirror-enable command is the only packet mirroring command that is sent to the TACACS+ server. You can also use TACACS+ to prevent unauthorized individuals from modifying the configuration of analyzed ports.
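The following server-side policy is an added example and is not part of the JunosE documentation or of any Juniper configuration. It shows how the separation described above is enforced from the TACACS+ side: because the router sends only mirror-enable to the TACACS+ server for authorization, a single command rule is enough to decide who can make the packet mirroring commands visible. The example uses Shrubbery Networks tac_plus configuration syntax and assumes the router is already configured for TACACS+ command authorization as described in the Configuring TACACS+ chapter; the group names, usernames and shared key are hypothetical.

```conf
# tac_plus.conf (Shrubbery tac_plus syntax). Added example, not JunosE
# configuration. Assumes the E Series router performs TACACS+ command
# authorization and therefore sends "mirror-enable" to this server.
# Group names, usernames and the shared key are placeholders.

key = "replace-with-a-long-random-shared-secret"

# Operators allowed to make the packet mirroring commands visible.
# Every other command at their access level is authorized as usual.
group = mirror-admins {
    default service = permit
    cmd = mirror-enable {
        permit .*
    }
}

# General operators. They keep their normal access, but mirror-enable is
# denied, so the packet mirroring commands (level 13 by default) never
# become visible in their sessions.
group = netops {
    default service = permit
    cmd = mirror-enable {
        deny .*
    }
}

user = alice {
    login = PAM
    member = mirror-admins
}

user = bob {
    login = PAM
    member = netops
}
```

Two caveats a practitioner should keep in mind with this arrangement. First, the deny rule only controls visibility: a mirroring session that is already active continues to mirror traffic regardless of who is currently logged in, exactly as the note about no mirror-enable states. Second, the rule is only meaningful if mirror-enable remains alone at its access level (level 12 by default); if another command is moved to that level, or mirror-enable is moved to the level of the other packet mirroring commands, the single authorization decision no longer isolates the feature.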

See the Passwords and Security chapter in the JunosE System Basics Configuration Guide for more information about access levels and the Configuring TACACS+ chapter in the JunosE Broadband Access Configuration Guide for information about TACACS+ authorization.

Related Documentation