    Example: Configuring CLI-Based User-Specific Packet Mirroring

    This example shows the configuration of a CLI-based packet mirroring session for subscribers. The mirroring session replicates all traffic associated with each user, and then sends the replicated traffic to the analyzer device.

    1. Enable the visibility and use of the packet mirroring CLI commands.
      host1#mirror-enable
    2. Create the analyzer interface and the route to the analyzer device.
      • For L2TP subscribers:
        host1(config)# interface tunnel ipsec:mirror3 transport-virtual-router default
        host1(config-if)#ip analyzer
        host1(config-if)#exit
        host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
      • For DHCP and PPP subscribers:
        host1(config)# interface atm 4/0.1
        host1(config-if)#ip address 19.0.0.2 255.255.255.0
        host1(config-if)#ip analyzer
        host1(config-if)#exit
        host1(config)#ip route 19.0.0.2 255.255.255.255 101.101.101.2
    3. Configure the secure policy that forwards the mirrored traffic to the analyzer device. The classifier-group command uses the default classifier list, which is indicated by the asterisk character (*).
      • For L2TP subscribers:
        host1(config)#secure l2tp policy-list l2tp_toMirrorHQ
        host1(config-policy-list)#classifier-group *
        host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-identifier 1 session-identifier 1
      • For DHCP and PPP subscribers:
        host1(config)#secure ip policy-list secure-ipv4-policy
        host1(config-policy-list)#classifier-group *
        host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 19.0.0.2 analyzer-virtual-router default analyzer-udp-port 2500 mirror-identifier 1 session-identifier 1
    4. Configure packet mirroring for the subscriber and associate the secure policy with the user.
      • For L2TP subscribers:
        host1(config)#virtual-router lac
        host1:lac(config)#mirror username jwbooth@isptheatre.com l2tp secure-policy-list l2tp_toMirrorHQ
      • For DHCP and PPP subscribers:
        host1(config)#mirror dhcp-option-82 agent-circuit-id "x:12000004:circuit id:45" agent-remote-id "y:12000004:remote id:89" ip secure-policy-list secure-ipv4-policy
        host1(config)#mirror agent-circuit-id "x:12000001:pppoe agent circuit id:47" ip secure-policy-list secure-ipv4-policy
        host1(config)#mirror agent-remote-id hex 79:3a:02:00:00:02:3a:72:65:6d:6f:74:65:20:69:64:3a:35 ip secure-policy-list secure-ipv4-policy

      Now, when the subscriber logs in, the packet mirroring session starts and the subscriber’s replicated traffic is sent to the remote analyzer device.

    5. Verify the packet-mirroring configuration.
      host1# show mirror subscribers
      Subscriber ID                                         ID               Secure      Secure             Mirrored
                                                            Method           Policy Type Policy List        Sessions
      ----------------------------------------------------- ---------------- ----------- ------------------ --------
      lac:jwbooth@isptheatre.com                            username         l2tp        l2tp_toMirrorHQ    1
      x:12000004:circuit id:45.y:12000004:remote id:89      dhcp-option-82   IP          secure-ipv4-policy 1
      x:12000001:pppoe agent circuit id:47                  agent-circuit-id IP          secure-ipv4-policy 1
      79:3a:02:00:00:02:3a:72:65:6d:6f:74:65:20:69:64:3a:35 agent-remote-id  IP          secure-ipv4-policy 1
      
      
    6. Verify the configuration of the secure policy.
      host1# show secure policy-list 
                                        Policy Table
                                        ------ -----
      Secure L2TP Policy l2tp_toMirrorHQ
       Administrative state: enable
       Reference count:      2
       Classifier control list: *
        mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-id 1 session-id 1 
       Referenced by interface(s): 
        TUNNEL l2tp:5/1/5  secure-input policy
        TUNNEL l2tp:5/1/5  secure-output policy
      
      Secure IP Policy secure-ipv4-policy
       Administrative state: enable
       Reference count:      6
       Classifier control list: *
        mirror analyzer-ip-address 19.0.0.2 analyzer-virtual-router default analyzer-udp-port 2500 mirror-identifier 1 session-identifier 1
       Referenced by interface(s):
        ip100.1.1.3  secure-input policy, statistics disabled, virtual-router default
        ip100.1.1.3  secure-output policy, statistics disabled, virtual-router default
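
    The check in step 6 can be automated when auditing where mirrored subscriber traffic is sent. The following Python script is an added example, not part of the original guide or any vendor tooling: it parses saved show secure policy-list output in the layout shown above and reports every mirror destination that is not on an allowlist. The APPROVED set and the function names are hypothetical, and the sample text is constructed from the output in this example.

```python
import re

# Constructed sample in the layout of the "show secure policy-list" output above.
SAMPLE = """\
Secure L2TP Policy l2tp_toMirrorHQ
 Classifier control list: *
  mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-id 1 session-id 1
 Referenced by interface(s):
  TUNNEL l2tp:5/1/5  secure-input policy

Secure IP Policy secure-ipv4-policy
 Classifier control list: *
  mirror analyzer-ip-address 19.0.0.2 analyzer-virtual-router default analyzer-udp-port 2500 mirror-identifier 1 session-identifier 1
 Referenced by interface(s):
  ip100.1.1.3  secure-input policy, statistics disabled, virtual-router default
"""

# Hypothetical allowlist: (analyzer IP, virtual router, UDP port) approved for mirroring.
APPROVED = {("192.168.99.2", "default", 6500)}

HEADER = re.compile(r"^\s*Secure (L2TP|IP) Policy (\S+)\s*$")
# The UDP port is treated as optional (assumption) so a mirror line without it is not missed.
MIRROR = re.compile(r"^\s*mirror analyzer-ip-address (\S+) analyzer-virtual-router (\S+)"
                    r"(?: analyzer-udp-port (\d+))?")
ATTACH = re.compile(r"^\s*(.+?)\s+secure-(input|output) policy")

def parse_policies(text):
    """Return one dict per secure policy: name, type, mirror destinations, attachments."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"name": m[2], "type": m[1], "dests": [], "attached": []}
            policies.append(cur)
        elif cur is None:
            continue  # ignore banner lines before the first policy header
        elif m := MIRROR.match(line):
            cur["dests"].append((m[1], m[2], int(m[3]) if m[3] else None))
        elif m := ATTACH.match(line):
            cur["attached"].append((m[1], m[2]))
    return policies

def unapproved_mirrors(text, approved):
    """Return (policy name, destination, attachments) for every destination not allowlisted."""
    return [(p["name"], d, p["attached"])
            for p in parse_policies(text) for d in p["dests"] if d not in approved]

if __name__ == "__main__":
    for name, dest, attached in unapproved_mirrors(SAMPLE, APPROVED):
        print(f"UNAPPROVED analyzer {dest} in policy {name}, attached to {attached}")
```

    With the constructed sample and allowlist, only secure-ipv4-policy is reported, together with the interface it is attached to.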

     

    Published: 2014-08-14