Comparing CLI-Based Mirroring and RADIUS-Based Mirroring
This section compares the characteristics
of CLI-based and RADIUS-based mirroring techniques. You can use CLI-based
mirroring for both interface-specific and user-specific mirroring;
RADIUS-based mirroring is used for user-specific mirroring. This section
highlights differences in configuration, security, and application
of the CLI-based and RADIUS-based mirroring methods.
Configuration
This section describes differences in the configuration
processes for CLI-based and RADIUS-based mirroring:
- CLI-based packet mirroring—You use CLI commands
to configure and manage packet mirroring of specific interfaces and
users. For interface-specific mirroring, you enable the static configuration
after the IP interface is created. The interface method mirrors only
the traffic on the specific interface.
In user-specific mirroring, authentication, authorization,
and accounting (AAA) uses RADIUS attributes as triggers to identify
the user whose traffic is to be mirrored. The mirroring session starts
when the user logs in. If the user is already logged in, AAA immediately
starts the mirroring session when you enable packet mirroring.
- RADIUS-based packet mirroring—This dynamic method
uses RADIUS and vendor-specific attributes (VSAs), rather than CLI
commands, to identify a user whose traffic is to be mirrored and to
trigger the mirroring session. A RADIUS administrator configures and
enables the mirroring separately from the user’s session. You
can use a single RADIUS server to provision packet-mirroring operations
on multiple E-series routers in a service provider’s network.
There are two variations of RADIUS-based packet
mirroring. For both types, the mirroring feature is initiated without
regard to the user location, router, interface, or type of traffic.
- User-initiated mirroring—If the user is not currently
logged in, the mirroring session starts when the user logs in and
is authenticated by RADIUS. The user’s Acct-Session-Id is the
identification trigger.
- RADIUS-initiated mirroring—If the user is already
logged in, the JUNOSe RADIUS dynamic-request server uses RADIUS-initiated
change-of-authorization (CoA) messages to immediately start the mirroring
session when the packet mirroring is enabled.
Note: Packet mirroring is not supported on IPv6 interfaces.
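RADIUS-initiated mirroring is driven by CoA messages, and RFC 5176 CoA requests commonly identify the target session by Acct-Session-Id. The following Python code is an added example, not Juniper code: it parses a captured CoA-Request so that an auditor can see which session a request targets and which VSAs it carries. The vendor ID 99999, sub-attribute type 1, and the sample packet are constructed placeholders, and the VSA sub-attribute layout is assumed to be the one RFC 2865 recommends.

```python
import struct

COA_REQUEST, ACCT_SESSION_ID, VENDOR_SPECIFIC = 43, 44, 26  # RFC 5176, 2866, 2865

def parse_vsa(value):
    """Split one Vendor-Specific value into (vendor_id, sub_type, data) tuples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than vendor id")
    vendor, sub, out, i = struct.unpack("!I", value[:4])[0], value[4:], [], 0
    while i < len(sub):
        if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
            raise ValueError("malformed VSA sub-attribute")
        out.append((vendor, sub[i], sub[i + 2:i + sub[i + 1]]))
        i += sub[i + 1]
    return out

def parse_coa(packet):
    """Return code, target session and VSAs; the authenticator is NOT verified."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with packet size")
    result = {"is_coa": code == COA_REQUEST, "id": ident, "session_id": None, "vsas": []}
    pos = 20  # attributes start after code, id, length and 16-byte authenticator
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ACCT_SESSION_ID:
            result["session_id"] = value.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC:
            result["vsas"].extend(parse_vsa(value))
        pos += alen
    return result

def attr(atype, value):
    """Encode one type-length-value attribute."""
    return bytes([atype, len(value) + 2]) + value

def sample_coa():
    """Constructed packet: placeholder vendor id 99999, sub-type 1, zeroed authenticator."""
    vsa = struct.pack("!I", 99999) + attr(1, b"enable")
    attrs = attr(ACCT_SESSION_ID, b"erx-0001") + attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", COA_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_coa(sample_coa()))
```

Verifying the Request Authenticator requires the shared secret and is left out here, so the output describes what a request claims, not whether the router would accept it.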
Security
The following list highlights security features
provided by CLI-based and RADIUS-based mirroring:
Application
The following list compares the different types
of packet-mirroring methods:
- CLI-based packet mirroring—Is useful when organizations
want to provide separation between the typical network operations
personnel and the mirroring operations personnel. For example, if
security is essential, you might perform the entire packet-mirroring
configuration on the analyzer device, separate from the normal network
operations role. This way, only the authorized personnel on the analyzer
device are aware of the mirroring operation. If this level of security
is not required, authorized network operations personnel can perform
the configuration and management on the router as usual.
- CLI-based interface-specific mirroring—Can be useful
in small networks with few E-series routers and in static environments
where a user typically logs in to the same router through the same
interface.
- CLI-based user-specific mirroring—Is useful in B-RAS
environments, in which users log in and log out frequently.
- RADIUS-based user-specific mirroring—Is triggered
when needed, either when the specified user logs in (user-initiated)
or when the user is already logged in and RADIUS-based mirroring is
enabled or modified (RADIUS-initiated). RADIUS-based mirroring also
provides an excellent solution for B-RAS networks, for example to
troubleshoot traffic problems related to mobile users.
CLI-based user-specific and RADIUS-based user-specific
mirroring are also useful to mirror L2TP traffic at the L2TP access
concentrator (LAC). If the L2TP network server (LNS) and the LAC belong
to different service providers, mirroring at the LAC enables mirroring
to take place close to the user’s domain.