

Configuring CLI-Based User-Specific Mirroring

In user-specific packet mirroring, you use triggers to identify the user whose traffic you want to mirror and to start the mirroring session. The triggers are similar to the RADIUS attributes used in RADIUS-based mirroring. However, for CLI-based mirroring, AAA can use any supported authentication method, including RADIUS.

NOTE: An E-series router supports a maximum of 100 mirror trigger rules.


You can use the following triggers to identify users:

The following considerations apply to trigger rules:

This example shows the configuration of a CLI-based packet mirroring session for an L2TP user. The configuration uses the username as the trigger to identify the user and start the mirroring session. The mirroring session replicates all traffic associated with the user, and then sends the replicated traffic through an IPSec tunnel to the analyzer device.

  1. Enable the visibility and use of the packet mirroring CLI commands.

     host1#mirror-enable

  2. Create the analyzer interface and the route to the analyzer device at address 192.168.99.2.

     host1(config)#interface tunnel ipsec:mirror3 transport-virtual-router default
     host1(config-if)#ip analyzer
     host1(config-if)#exit
     host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3

  3. Configure the secure L2TP policy that forwards the mirrored traffic to the analyzer device at 192.168.99.2, port 6500. The classifier-group command uses the default classifier list, which is indicated by the asterisk character (*).

     host1(config)#secure l2tp policy-list l2tp_toMirrorHQ
     host1(config-policy-list)#classifier-group *
     host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-identifier 1 session-identifier 1

  4. Configure packet mirroring for the subscriber identified by username jwbooth@isptheatre.com and associate the secure policy with the user.

     host1(config)#virtual-router lac
     host1:lac(config)#mirror username jwbooth@isptheatre.com l2tp secure-policy-list l2tp_toMirrorHQ


Now, when subscriber jwbooth@isptheatre.com logs in, the packet mirroring session starts and the subscriber's replicated traffic is sent through the secure IPSec tunnel to the remote analyzer device.

  1. Verify the packet mirroring configuration.

     host1#show mirror subscribers

Subscriber ID                  Subscriber ID       Secure Policy  Secure Policy List  Sessions 
                               Method              Type                               Mirrored
------------------             ------------------  -------------  ------------------  --------
lac:jwbooth@isptheatre.com     username            l2tp           l2tp_toMirrorHQ     1


  2. Verify the configuration of the secure L2TP policy.

     host1#show secure policy-list name l2tp_toMirrorHQ

                                  Policy Table
                                  ------ -----
Secure L2TP Policy l2tp_toMirrorHQ
 Administrative state: enable
 Reference count:      2
 Classifier control list: *
  mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default 
analyzer-udp-port 6500 mirror-id 1 session-id 1 

 Referenced by interface(s): 
  TUNNEL l2tp:5/1/5  secure-input policy
  TUNNEL l2tp:5/1/5  secure-output policy

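Because mirror trigger rules expose subscriber traffic, an operator will usually want to audit the `show mirror subscribers` table against an approved list and against the 100-rule limit stated above. The following Python script is an added example, not part of this documentation: it parses the table format shown on this page from a constructed sample (the second row is invented for the example) and reports unexpected subscribers.

```python
import re

# Constructed sample of `show mirror subscribers` output, modelled on the
# table format shown on this page; the second row is invented for the example.
SAMPLE_OUTPUT = """\
host1#show mirror subscribers

Subscriber ID                  Subscriber ID       Secure Policy  Secure Policy List  Sessions
                               Method              Type                               Mirrored
------------------             ------------------  -------------  ------------------  --------
lac:jwbooth@isptheatre.com     username            l2tp           l2tp_toMirrorHQ     1
lac:someone@example.net        username            l2tp           l2tp_toMirrorHQ     0
"""

MAX_TRIGGER_RULES = 100  # per-router limit stated on this page


def parse_mirror_subscribers(text):
    """Return one dict per trigger rule listed by `show mirror subscribers`."""
    rules = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True        # dashed rule separates the header from data rows
            continue
        if not in_table or not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())  # columns are separated by 2+ spaces
        if len(cols) != 5:
            continue               # skip anything that is not a five-column data row
        subscriber, method, ptype, plist, sessions = cols
        rules.append({
            "subscriber": subscriber,
            "method": method,
            "policy_type": ptype,
            "policy_list": plist,
            "sessions": int(sessions),
        })
    return rules


def audit_mirror_rules(rules, approved):
    """Flag rules whose subscriber is not on the approved list; report rule count."""
    unexpected = [r["subscriber"] for r in rules if r["subscriber"] not in approved]
    return {
        "rule_count": len(rules),
        "over_limit": len(rules) > MAX_TRIGGER_RULES,
        "unexpected": unexpected,
    }
```

Run it against the captured output of the real command and compare the result with the change records authorizing each mirroring session.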