Using Multiple Triggers for CLI-Based Packet Mirroring

When you configure CLI-based packet mirroring, you can create multiple mirroring rules for a particular subscriber. For example, you might create two rules: one that uses the IP address as the trigger that identifies the user, and a second that uses the subscriber's username as the trigger. You can also configure RADIUS-based mirroring to use multiple methods to identify subscribers.

To avoid conflicts between multiple mirroring rules, both CLI-based and RADIUS-based mirroring operations assign a precedence to the subscriber identification triggers. When multiple rules are configured for the same subscriber, the rule with the highest precedence is used to identify the subscriber.

The following list indicates the order of precedence for the subscriber identification triggers, with the acct-session-id having the highest precedence.

  1. acct-session-id
  2. calling-station-id
  3. ip-address (virtual router specific)
  4. nas-port-id
  5. username (virtual router specific)

For example, if you create the following three rules for a subscriber, the packet mirroring session uses the rule with the acct-session-id to identify the subscriber. When there are multiple rules, if the selected rule fails, the router denies the packet mirroring request and does not attempt to use the other rules.

host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp10
host1(config)#mirror ip-address 192.168.105.25 ip secure-policy-list securePolicyIp4
host1(config)#mirror username jwbooth@isptheatre.com ip secure-policy-list securePolicyIp15

If the packet mirroring request is a RADIUS-initiated session (a RADIUS-based packet mirroring session for a subscriber who is already logged in), the router verifies the validity of all of the mirroring rules related to the particular subscriber. If any of the rules fail (for example, the identification fields do not match), the packet mirroring request is denied.

The calling-station-id trigger is externally visible only for tunneled users (if there are no RADIUS overrides). If a case-sensitive user name does not match a subscriber's name or if the dynamic IP interface UID does not exist, the subscriber is disregarded.
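
The following Python model of the selection logic described above is an added illustration for auditing a set of mirroring rules offline; it is not router code or part of the original documentation. The function names, the session dictionary, and the assumption that a rule "fails" when its value does not exactly equal the session attribute are hypothetical.

```python
import re

# Trigger precedence from the list above (lower number = higher precedence).
PRECEDENCE = {"acct-session-id": 1, "calling-station-id": 2, "ip-address": 3,
              "nas-port-id": 4, "username": 5}
RULE_RE = re.compile(
    r"^mirror\s+(" + "|".join(PRECEDENCE) + r")\s+(.+?)\s+ip\s+secure-policy-list\s+(\S+)$")

def parse_rules(config_text):
    """Return (trigger, value, policy) tuples from 'mirror ...' config lines."""
    rules = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[-1].strip()   # drop a 'host1(config)#' prompt
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return rules

def evaluate(rules, session, radius_initiated=False):
    """Return the secure policy list that would apply, or None if denied.

    Assumption: a rule "fails" when its value differs from the session attribute.
    """
    if not rules:
        return None
    def matches(rule):
        return session.get(rule[0]) == rule[1]   # exact, case-sensitive compare
    if radius_initiated and not all(matches(r) for r in rules):
        return None                              # every rule must be valid
    selected = min(rules, key=lambda r: PRECEDENCE[r[0]])
    return selected[2] if matches(selected) else None   # no fallback to other rules

# The three rules from this page, plus a constructed subscriber session.
CONFIG = """\
host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp10
host1(config)#mirror ip-address 192.168.105.25 ip secure-policy-list securePolicyIp4
host1(config)#mirror username jwbooth@isptheatre.com ip secure-policy-list securePolicyIp15
"""
SESSION = {"acct-session-id": "atm 2/1.2:0.42:0001048579",
           "ip-address": "192.168.105.25",
           "username": "jwbooth@isptheatre.com"}

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    print(evaluate(rules, SESSION))
    stale = {**SESSION, "acct-session-id": "atm 2/1.2:0.42:0001048580"}
    print(evaluate(rules, stale))   # denied: ip-address and username are not tried
```

The second call shows the operational consequence of the precedence rule: a stale acct-session-id rule blocks mirroring even when the lower-precedence rules still match.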
