Using SNMP Secure Packet Mirroring Traps

SNMP secure packet mirroring traps enable you to capture and report packet mirroring information to an external device; you can then view the secure information on the remote device. The secure packet mirroring traps feature is an extension of the router's standard SNMP implementation, and is only available to SNMPv3 users who are authorized to use packet mirroring.

You can also log mirror traps to local volatile memory for debugging by enabling the SNMP secure log feature; see Capturing SNMP Secure Audit Logs for details. Normal console and syslog audit logging of packet mirroring traps and of accesses to the packet mirroring MIB is suppressed, so that anyone who can read the console or the syslog feed does not learn that mirroring is taking place.

NOTE: The contents of secure logs are not preserved across a reboot.


You must issue the mirror-enable command before packet mirroring-related commands, command options, and show command output become visible.

NOTE: You must use the CLI to configure the secure packet mirroring trap category to allow transmission of secure packet mirroring traps through the router—you cannot use SNMP to configure the secure packet mirroring trap category. However, after you have configured the secure packet mirroring trap category using the CLI, you can then use SNMP (juniPacketMirrorMIB.mi2) to enable and disable secure packet mirroring traps.


Table 48 indicates the events that trigger secure packet-mirroring traps and lists the information sent in the trap for each event.




Table 48: Packet-Mirroring SNMP Traps

Events that trigger the trap:

  - A secure policy failed during CoA-based or RADIUS-initiated packet mirroring
  - A secure policy failed during CLI trigger or CLI-based packet mirroring
  - An interface with secure policies attached is deleted
  - An analyzer is unreachable

Trap information sent (for each of the events above):

  - Analyzer address
  - Application name
  - Configuration source
  - Date and time of event
  - Error cause
  - Error string
  - Mirror ID
  - Mirroring direction
  - Secure policy name
  - Secure policy UID
  - Session ID
  - Trigger event
  - Trigger type
  - Username
  - Virtual router (0 for L2TP)

Additional Packet-Mirroring Traps for CALEA Compliance

You can use the packet-mirroring traps shown in Table 49 to help support compliance with the Communications Assistance for Law Enforcement Act (CALEA), which defines electronic surveillance guidelines for telecommunications companies. For example, a third-party mediation device might receive packet mirroring traps from the router and convert them to messages that comply with CALEA, such as those defined in Lawfully Authorized Electronic Surveillance (LAES) for IP Network Access, an American National Standard for Telecommunications. An individual trap might map to multiple LAES messages to provide additional compliance-related information.




Table 49: Packet-Mirroring Traps for CALEA Compliance

juniPacketMirrorSessionStart
  A grant has been issued to a mirrored subscriber.

juniPacketMirrorSessionEnd
  A mirrored session has been terminated; includes the termination reason.

juniPacketMirrorInterfaceSessionActivated
  A secure policy has been attached to an existing interface or to an existing session.

juniPacketMirrorInterfaceSessionDeactivated
  A secure policy has been detached from an interface, not including interface or session termination.

juniPacketMirrorSessionReject
  A deny has been issued because the potential mirrored user was not allowed on the network for some reason. The user would have been mirrored if access to the network had been allowed.

juniPacketMirrorSessionFailed
  The user session was terminated before the secure policy was attached; for example, no resources were available to create the interface. The termination reason is included.

Packet Mirroring Trap Severity Levels

Table 50 lists the default severity levels for packet mirroring traps. See Table 23 in JUNOSe System Basics Configuration Guide, Chapter 4, Configuring SNMP for descriptions of the severity levels.




Table 50: Packet Mirroring Trap Severity Levels

Trap                                              Default Severity Level
------------------------------------------------  ----------------------
juniPacketMirrorAnalyzerUnreachable               Warning
juniPacketMirrorCliTriggerBasedMirroringFailure   Error
juniPacketMirrorInterfaceDeleted                  Notice
juniPacketMirrorInterfaceSessionActivated         Info
juniPacketMirrorInterfaceSessionDeactivated       Info
juniPacketMirrorRadiusBasedMirroringFailure       Error
juniPacketMirrorSessionEnd                        Info
juniPacketMirrorSessionFailed                     Info
juniPacketMirrorSessionStart                      Info
juniPacketMirrorSessionReject                     Info

Configuring SNMP Secure Packet Mirroring Traps

To configure SNMP secure traps support, perform the following tasks on your E-series router:

  1. Enable packet mirroring support.
  2. Configure the packet mirroring application to generate traps.
  3. (Optional) Verify the packet mirroring trap configuration.
  4. (Optional) Configure the SNMP server to support secure logs.
  5. Configure the SNMP server to generate packet mirroring traps.
  6. Configure the SNMPv3 user for whom packet mirroring traps are generated.
  7. Configure the SNMP server to report packet mirroring traps to a remote host.
  8. (Optional) Verify the SNMP server packet mirroring configuration.

The following example illustrates the procedure to configure SNMP secure packet mirroring traps support. It creates the SNMPv3 user with MD5 authentication and DES privacy, which are the weakest USM options; because this user receives intercept-related traps, prefer SHA authentication and a stronger privacy protocol where your release supports them:

host1#mirror-enable
host1#configure terminal
host1(config)#mirror trap-enable
host1(config)#show mirror trap
Traps are enabled
host1(config)#snmp-server secure-log
host1(config)#snmp-server user fredMirrorUser group mirror authentication md5 fred-md5password privacy des fred-despassword
host1(config)#snmp-server enable traps packetMirror trapFilters notice
host1(config)#snmp-server host 192.168.57.103 version 3 fredMirrorUser cliSecurityAlert packetMirror trapFilters notice
host1(config)#show snmp trap
host1(config)#show snmp trap

Enabled Categories: CliSecurity, PacketMirror, Sonet
SNMP authentication failure trap is disabled
Trap Source: FastEthernet 6/0, Trap Source Address:192.168.120.78
Trap Proxy: enabled
Global Trap Severity Level: 6 - informational

Address          Security String                   Ver  Port   Trap Categories
---------------  --------------------------------  ---  -----  ----------------
192.168.1.1      host1                             v1   162    Cli
192.168.57.103   fredMirrorUser                    v3   162    CliPacketMirror
192.168.57.162   host2                             v3   162    Sonet


Address         TrapSeverityFilter  Ping    Maximum    Queue    Queue Full
                                   TimeOut QueueSize DrainRate discrd methd
--------------- ------------------ ------- --------- --------- -------------
192.168.1.1     5 - notice         1       32        0         dropLastIn
192.168.57.103  5 - notice         1       32        0         dropLastIn
192.168.57.162  2 - critical       1       32        0         dropLastIn
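
Step 8 above verifies the configuration by reading `show snmp trap`. The following Python script is an added example, not part of this guide or of JUNOSe: it parses both tables of that listing and audits every receiver of the PacketMirror category, flagging any receiver that is not an SNMPv3 user (a v1 or v2c receiver would carry intercept-related traps under a community string, with no encryption) and any per-host severity filter that would suppress some of the Table 50 traps. The sample listing is the page's output with one constructed receiver (192.168.57.200, security string `public`) added so that the first check fires; the second check assumes the per-host filter passes traps at the configured level or more severe and drops the rest, which you should confirm against Table 23 of the System Basics guide for your release.

```python
"""Audit a JUNOSe `show snmp trap` listing for secure packet-mirroring trap hygiene.

Added example, not JUNOSe code. Assumptions are marked in comments.
"""
import re
from typing import Dict, List, Tuple

# Numeric severity scale as printed by `show snmp trap` (0 = emergency ... 7 = debug).
SEVERITY_LEVEL = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}

# Default severity of each packet-mirroring trap, from Table 50.
PACKET_MIRROR_TRAPS = {
    "juniPacketMirrorAnalyzerUnreachable": "warning",
    "juniPacketMirrorCliTriggerBasedMirroringFailure": "error",
    "juniPacketMirrorInterfaceDeleted": "notice",
    "juniPacketMirrorInterfaceSessionActivated": "informational",
    "juniPacketMirrorInterfaceSessionDeactivated": "informational",
    "juniPacketMirrorRadiusBasedMirroringFailure": "error",
    "juniPacketMirrorSessionEnd": "informational",
    "juniPacketMirrorSessionFailed": "informational",
    "juniPacketMirrorSessionStart": "informational",
    "juniPacketMirrorSessionReject": "informational",
}

# Constructed sample: the page's `show snmp trap` output plus one extra receiver
# (192.168.57.200, a made-up v2c host) added to show what the audit flags.
SAMPLE_SHOW_SNMP_TRAP = """\
Enabled Categories: CliSecurity, PacketMirror, Sonet
SNMP authentication failure trap is disabled
Trap Source: FastEthernet 6/0, Trap Source Address:192.168.120.78
Trap Proxy: enabled
Global Trap Severity Level: 6 - informational

Address          Security String                   Ver  Port   Trap Categories
---------------  --------------------------------  ---  -----  ----------------
192.168.1.1      host1                             v1   162    Cli
192.168.57.103   fredMirrorUser                    v3   162    CliPacketMirror
192.168.57.162   host2                             v3   162    Sonet
192.168.57.200   public                            v2c  162    PacketMirror


Address         TrapSeverityFilter  Ping    Maximum    Queue    Queue Full
                                   TimeOut QueueSize DrainRate discrd methd
--------------- ------------------ ------- --------- --------- -------------
192.168.1.1     5 - notice         1       32        0         dropLastIn
192.168.57.103  5 - notice         1       32        0         dropLastIn
192.168.57.162  2 - critical       1       32        0         dropLastIn
192.168.57.200  6 - informational  1       32        0         dropLastIn
"""

# Row in the first table: address, security string, version, port, category list.
HOST_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(v1|v2c|v3)\s+(\d+)\s+(\S+)\s*$")
# Row in the second table: address followed by the "<level> - <name>" severity filter.
FILTER_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d) - (\w+)\s+")


def parse_show_snmp_trap(output: str) -> Dict[str, dict]:
    """Merge both tables of the listing into one record per trap receiver."""
    hosts: Dict[str, dict] = {}
    for line in output.splitlines():
        m = HOST_ROW.match(line)
        if m:
            addr, security, version, port, categories = m.groups()
            hosts.setdefault(addr, {}).update(
                security=security, version=version, port=int(port), categories=categories
            )
            continue
        m = FILTER_ROW.match(line)
        if m:
            addr, level, _name = m.groups()
            hosts.setdefault(addr, {})["filter_level"] = int(level)
    return hosts


def audit(hosts: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (address, finding) pairs for receivers of the PacketMirror category."""
    findings: List[Tuple[str, str]] = []
    for addr, host in sorted(hosts.items()):
        # The categories column runs names together ("CliPacketMirror"), so substring-match.
        if "PacketMirror" not in host.get("categories", ""):
            continue
        if host["version"] != "v3":
            findings.append((addr, f"PacketMirror traps sent with SNMP{host['version']}: "
                                   "community-string authentication only, no encryption"))
        level = host.get("filter_level")
        if level is not None:
            # Assumption: the per-host filter passes traps at the configured level or more
            # severe (lower number) and drops the rest. Confirm against Table 23 of the
            # System Basics guide for your release before relying on this.
            dropped = sorted(t for t, sev in PACKET_MIRROR_TRAPS.items()
                             if SEVERITY_LEVEL[sev] > level)
            if dropped:
                findings.append((addr, f"severity filter {level} suppresses {len(dropped)} "
                                       f"packet-mirroring traps: {', '.join(dropped)}"))
    return findings


if __name__ == "__main__":
    for addr, finding in audit(parse_show_snmp_trap(SAMPLE_SHOW_SNMP_TRAP)):
        print(f"{addr}: {finding}")
```

Run against the sample, the audit reports that 192.168.57.103, although correctly an SNMPv3 receiver, has a notice-level filter that would drop all six Info-level traps in Table 50 (the CALEA session start, end, reject, failed, activated and deactivated traps), and that the constructed 192.168.57.200 receiver takes PacketMirror traps over SNMPv2c. Paste your own router's listing in place of the sample to run the same checks.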
