[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Configuring CLI-Based Mirroring

To configure the CLI-based packet mirroring environment, you must coordinate the mirroring operations of two devices in the network: the E-series router and the analyzer device. The configuration of the analyzer device is mentioned in this section for reference only. The actual configuration procedures depend on the policies and guidelines established by the responsible organizations.

The ip policy command is visible only to authorized users; you must issue the mirror-enable command before you can use it. If you enter the ip policy command with the secure-input or secure-output keyword and the named policy list does not exist, the router creates that policy list with a default mirror rule that disables mirroring. Attaching such a policy list to an interface therefore mirrors no packets until you replace the default rule. Statistics-related keywords are not supported when you use this command to create a secure policy list.

The secure ip classifier-list command creates or modifies a secure IP classifier control list, which can then be included in a secure policy list.

NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.


Except for the following considerations, secure IP classifier lists are created and function the same as standard IP classifier lists (see Chapter 2, Creating Classifier Control Lists for Policies, for information):

The secure ip policy-list and secure l2tp policy-list commands create or modify a secure IP or L2TP policy list. These commands are visible only to authorized users; you must issue the mirror-enable command before you can use them. Each command enters Policy List Configuration mode, in which you specify the parameters of the secure policy list. If you enter Policy List Configuration mode and then type exit without specifying any parameters, the router creates a policy list containing only a mirror disable rule; attaching that policy list to an interface results in no packet mirroring.

Secure IP classifier lists are the only type of classifier list allowed in secure IP policy lists. Secure L2TP policies do not support classification, so the only classifier group you can use in a secure L2TP policy is classifier-group *. You cannot delete a secure policy list while it is attached to an interface.

Configuring the Analyzer Device

The analyzer device must be configured to receive the mirrored traffic that the E-series router sends out of its analyzer interface. On the router, you can use the default keyword to configure an interface as the virtual router's default analyzer interface; the router then uses that interface whenever an ip mirror command does not explicitly specify an analyzer interface. You cannot configure multiaccess interfaces, such as IP over Ethernet, as default analyzer interfaces.

You can configure any type of IP interface on the E-series router as an analyzer interface, except for special interfaces such as SRP interfaces, null interfaces, and loopback interfaces. An interface cannot be both an analyzer interface and a mirrored interface at the same time. A single analyzer interface can serve multiple mirrored sessions.

The receive side of an analyzer interface is disabled; all traffic attempting to access the router through an analyzer interface is dropped. Analyzer interfaces drop all nonmirrored traffic.

Policies are not supported on analyzer interfaces. When you configure an analyzer interface, existing policies are disabled, and no new policies are accepted.

Configuring the E-series Router

To configure the router to support CLI-based packet mirroring:

  1. Configure the analyzer interface, the route to the analyzer device, and any static ARP entries.
  2. Grant authorized users access to the mirror-enable command. Those users can then make the packet mirroring CLI commands visible and perform the remaining steps.
  3. Configure the secure policy that forwards the mirrored traffic to the analyzer device.
  4. (Optional) For increased security, create an IPSec tunnel between the analyzer interface and the analyzer device.
  5. For interface-specific mirroring, attach the secure policy to the interface.
  6. For user-specific mirroring, configure the trigger that identifies the user.
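Before pushing a mirroring configuration built with the steps above, a practitioner would want to check it against the rules this page states: secure commands are hidden until mirror-enable is issued, a classifier list must not be named *, a secure IP policy list may reference only secure IP classifier lists, a secure L2TP policy list may use only classifier-group *, a policy list left without parameters receives a mirror-disable rule, an analyzer interface cannot be an SRP, null or loopback interface, cannot carry policies or be mirrored itself, a multiaccess interface cannot be the default analyzer interface, and an attached policy list cannot be deleted. The following linter is an added example written for this page, not JUNOSe code or its configuration format; the data model, the interface type labels and the sample configuration are constructed for illustration.

```python
"""Lint a CLI-based packet-mirroring configuration against the rules this page states.
Added example for illustration; the data model is a constructed simplification, not JUNOSe."""
from dataclasses import dataclass, field

# Interface classes the page calls out; the type labels are this example's own.
SPECIAL_TYPES = {"srp", "null", "loopback"}   # never allowed as analyzer interfaces
MULTIACCESS_TYPES = {"ip-over-ethernet"}     # not allowed as the default analyzer interface


@dataclass
class Interface:
    name: str
    kind: str
    analyzer: bool = False          # configured as an analyzer interface
    default_analyzer: bool = False  # configured with the default keyword
    policies: list = field(default_factory=list)  # names of policy lists attached here


@dataclass
class PolicyList:
    name: str
    proto: str                      # "ip" or "l2tp"
    secure: bool                    # created with "secure ip|l2tp policy-list"
    classifier_groups: list         # classifier list names; "*" is the wildcard group
    has_mirror_rule: bool = True    # False models typing exit without any parameters


@dataclass
class MirrorConfig:
    mirror_enabled: bool            # whether mirror-enable has been issued
    interfaces: dict                # name -> Interface
    classifiers: dict               # classifier list name -> True if it is a secure list
    policies: dict                  # name -> PolicyList


def lint(cfg):
    """Return the rule violations found; an empty list means the config obeys the page's rules."""
    problems = []
    secure_in_use = any(p.secure for p in cfg.policies.values()) or any(cfg.classifiers.values())
    if secure_in_use and not cfg.mirror_enabled:
        problems.append("mirror-enable not issued: secure policy and classifier commands are hidden")
    if "*" in cfg.classifiers:
        problems.append("classifier list named '*' collides with the classifier-group wildcard")
    for p in cfg.policies.values():
        if not p.secure:
            continue
        if not p.has_mirror_rule:
            problems.append(f"{p.name}: no parameters given, router inserted a mirror-disable rule; attaching it mirrors nothing")
        for g in p.classifier_groups:
            if g == "*":
                continue
            if p.proto == "l2tp":
                problems.append(f"{p.name}: secure L2TP policies accept only classifier-group *")
            elif g not in cfg.classifiers:
                problems.append(f"{p.name}: classifier-group {g} names no classifier list")
            elif not cfg.classifiers[g]:
                problems.append(f"{p.name}: {g} is a standard classifier list; secure IP policy lists accept only secure IP classifier lists")
    for i in cfg.interfaces.values():
        if not i.analyzer:
            continue
        if i.kind in SPECIAL_TYPES:
            problems.append(f"{i.name}: {i.kind} interfaces cannot be analyzer interfaces")
        if i.policies:
            problems.append(f"{i.name}: policies are not supported on an analyzer interface, and an interface cannot be analyzer and mirrored at once")
        if i.default_analyzer and i.kind in MULTIACCESS_TYPES:
            problems.append(f"{i.name}: multiaccess interfaces cannot be the default analyzer interface")
    return problems


def delete_policy_list(cfg, name):
    """Remove a policy list, refusing (as the router does) while it is attached to an interface."""
    attached = [i.name for i in cfg.interfaces.values() if name in i.policies]
    if attached:
        raise ValueError(f"{name} is attached to {', '.join(attached)}; detach it first")
    del cfg.policies[name]


def sample_config(broken=False):
    """Constructed sample: a clean setup, or the same setup with several rule violations."""
    cfg = MirrorConfig(
        mirror_enabled=True,
        interfaces={
            "analyzer0": Interface("analyzer0", "serial", analyzer=True, default_analyzer=True),
            "subscriber1": Interface("subscriber1", "ip-over-ethernet", policies=["mirror-sub1"]),
        },
        classifiers={"target-host": True},
        policies={"mirror-sub1": PolicyList("mirror-sub1", "ip", True, ["target-host"])},
    )
    if broken:
        cfg.mirror_enabled = False
        cfg.classifiers["plain"] = False                          # a standard classifier list
        cfg.policies["mirror-sub1"].classifier_groups.append("plain")
        cfg.policies["l2tp-mirror"] = PolicyList("l2tp-mirror", "l2tp", True, ["target-host"])
        cfg.interfaces["analyzer0"].kind = "ip-over-ethernet"     # multiaccess default analyzer
        cfg.interfaces["subscriber1"].analyzer = True             # analyzer and mirrored at once
    return cfg
```

Running lint(sample_config()) returns no problems, while lint(sample_config(broken=True)) reports five, one for each rule the broken variant violates; delete_policy_list refuses to remove mirror-sub1 until it is detached from subscriber1, mirroring the router's own behaviour.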
