Configuring CLI-Based Interface-Specific Mirroring

This example shows the configuration of a CLI-based packet mirroring session for a particular static IP interface. The configuration results in all traffic through the interface being replicated and the replicated traffic then sent through an IPSec tunnel to the analyzer device.

  1. Enable the visibility and use of the packet mirroring CLI commands.

    host1#mirror-enable

  2. Configure the analyzer interface and a route to reach the analyzer device at 192.168.125.29.

    NOTE: If the analyzer interface is Ethernet-based, you must configure a static ARP entry for the analyzer device.

    host1(config)#virtual-router vr1
    host1:vr1(config)#interface tunnel ipsec:Diag transport-virtual-router default
    host1:vr1(config-if)#ip analyzer
    host1:vr1(config-if)#exit
    host1:vr1(config)#ip route 192.168.125.29 255.255.255.255 tunnel ipsec:Diag

  3. Configure the secure IP policy that forwards the mirrored traffic to the analyzer device at 192.168.125.29.

    In this example, the configured mirror rule does not include the analyzer-udp-port keyword. Therefore, the rule sets the mirror header to disable, which means that the mirror header is not prepended to the mirrored packets. See Understanding the Prepended Header During a Packet Mirroring Session for information about the prepended mirror header. The classifier-group command uses a previously configured classifier list, secClassA.

    host1:vr1(config)#secure ip policy-list secureIpPolicy1
    host1:vr1(config-policy-list)#classifier-group secClassA
    host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1

  4. Attach the secure policy to the interfaces whose traffic you want to mirror. This example mirrors input traffic at interface ATM 5/0.1 and output traffic at interface ATM 5/0.2.

    host1:vr1(config)#interface atm 5/0.1
    host1:vr1(config-if)#ip policy secure-input secureIpPolicy1

    host1:vr1(config)#interface atm 5/0.2
    host1:vr1(config-if)#ip policy secure-output secureIpPolicy1

  5. Verify the secure policy configuration.

    host1#show secure policy-list name secureIpPolicy1

                                  Policy Table
                                  ------ -----
Secure IP Policy secureIpPolicy1
 Administrative state: enable
 Reference count:      2
 Classifier control list: secClassA
  mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1

 Referenced by interface(s): 
  ATM5/0.1  secure-input policy, virtual-router vr1
  ATM5/0.2  secure-output policy, virtual-router vr1
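
The following Python example is added here and is not part of the original documentation. It parses the show secure policy-list output from the verification step and reports any analyzer address or interface attachment that is outside an approved set. The function names, the approved sets, and the assumption that other policies print in the same layout as the output above are hypothetical.

```python
import re

# Constructed sample: the verification output shown on this page.
SAMPLE = """\
                                  Policy Table
                                  ------ -----
Secure IP Policy secureIpPolicy1
 Administrative state: enable
 Reference count:      2
 Classifier control list: secClassA
  mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1

 Referenced by interface(s):
  ATM5/0.1  secure-input policy, virtual-router vr1
  ATM5/0.2  secure-output policy, virtual-router vr1
"""

POLICY = re.compile(r"^Secure IP Policy (\S+)")
FIELD = re.compile(r"^\s*(Administrative state|Reference count|Classifier control list):\s*(\S+)")
MIRROR = re.compile(r"^\s*mirror analyzer-ip-address (\S+) analyzer-virtual-router (\S+)")
ATTACH = re.compile(r"^\s*(\S+)\s+secure-(input|output) policy, virtual-router (\S+)")

def parse_policy(text):
    """Parse one policy's 'show secure policy-list' output into a dict."""
    policy = {"mirrors": [], "interfaces": []}
    for line in text.splitlines():
        if m := POLICY.match(line):
            policy["name"] = m.group(1)
        elif m := FIELD.match(line):
            policy[m.group(1)] = m.group(2)
        elif m := MIRROR.match(line):
            policy["mirrors"].append({"analyzer": m.group(1), "vr": m.group(2)})
        elif m := ATTACH.match(line):
            policy["interfaces"].append(
                {"ifname": m.group(1), "direction": m.group(2), "vr": m.group(3)})
    return policy

def audit(policy, approved_analyzers, approved_attachments):
    """Return findings for mirror targets or attachments outside the approved sets."""
    findings = []
    for mirror in policy["mirrors"]:
        if mirror["analyzer"] not in approved_analyzers:
            findings.append(f"unapproved analyzer {mirror['analyzer']} (vr {mirror['vr']})")
    for att in policy["interfaces"]:
        if (att["ifname"], att["direction"]) not in approved_attachments:
            findings.append(f"unapproved {att['direction']} mirroring on {att['ifname']}")
    return findings

if __name__ == "__main__":
    print(audit(parse_policy(SAMPLE), {"192.168.125.29"},
                {("ATM5/0.1", "input"), ("ATM5/0.2", "output")}))
```

An empty list means every mirror target and attachment in the captured output matches the approved sets.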
