Using Multiple Triggers for CLI-Based Packet Mirroring

When you configure CLI-based packet mirroring, you can create multiple mirroring rules for a particular subscriber. For example, you might create two rules: one rule that uses the IP address as the trigger that identifies the subscriber, and a second rule that uses the subscriber's username as the trigger. You can also configure RADIUS-based mirroring to use multiple methods to identify subscribers.

To avoid conflicts between multiple mirroring rules, both CLI-based and RADIUS-based mirroring operations assign a precedence to the subscriber identification triggers. Subscriber information is examined for configured triggers according to the order of precedence.

The following list gives the order of precedence for the subscriber identification triggers; Acct-Session-Id has the highest precedence. The keywords for the mirror and mirror disable commands are listed below with their associated RADIUS attributes.

  1. acct-session-id—Acct-Session-Id, RADIUS attribute [44]
  2. calling-station-id—Calling-Station-Id, RADIUS attribute [31]
  3. ip-address—Framed-IP-Address, RADIUS attribute [8]; associated with the virtual router where the subscriber logs in, RADIUS VSA [26-1]
  4. username—User-Name, RADIUS attribute [1]; associated with the virtual router where the subscriber logs in, RADIUS VSA [26-1]
  5. nas-port-id—NAS-Port-Id, RADIUS attribute [87]
  6. dhcp-option-82—DHCP-Option-82, RADIUS attribute [26–159], Vendor ID 4874
  7. agent-circuit-id—Agent-Circuit-ID, RADIUS attribute [26–1], Vendor ID 3561
  8. agent-remote-id—Agent-Remote-ID, RADIUS attribute [26–2], Vendor ID 3561

For example, suppose you create the following three rules to trigger a packet mirroring session.

  host1(config)#mirror ip-address ip secure-policy-list securePolicyIp4
  host1(config)#mirror username ip secure-policy-list securePolicyIp15
  host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp10

Regardless of the order in which you configure the rules, the subscriber information is first examined to determine whether the Acct-Session-Id matches the rule. If it does, no further examination takes place and the subscriber's traffic is mirrored.

If the Acct-Session-Id does not match, then the subscriber information is next examined to determine whether the Calling-Station-Id matches the rule. This process continues for all configured rules.

If none of the trigger rules are matched, then that subscriber’s traffic is not mirrored.

If the packet mirroring request is a RADIUS-initiated session (a RADIUS-based packet mirroring session for a subscriber who is already logged in), the router verifies the validity of all of the mirroring rules related to the particular subscriber. If any of the rules fail (for example, the identification fields do not match), the packet mirroring request is denied.

The calling-station-id trigger is externally visible only for tunneled users (if there are no RADIUS overrides). The username comparison is case-sensitive: if the username in the rule does not exactly match the subscriber's name, or if the dynamic IP interface UID does not exist, the subscriber is disregarded.
