Enabling and Securing CLI-Based Packet Mirroring

The JUNOSe software enables you to create a secure environment for your packet-mirroring operation by restricting access to the packet mirroring CLI commands and information. For example, when dealing with a critical diagnostic or troubleshooting procedure, you might want the packet-mirroring feature to be available and visible to a subset of your network operations group. Or, if you are monitoring confidential traffic from a particular user, you might want the configuration and results of the mirroring operation to be available only to a unique group, such as the management group of the analyzer device.

By default, the packet mirroring configuration commands are hidden from all users. You must use the mirror-enable command to make the commands visible, which then enables you to configure the packet-mirroring environment. The command applies only to the current CLI session: when you log out of the current session and then log in again, the packet mirroring commands are no longer visible.

Note: The no mirror-enable command makes the packet mirroring commands no longer visible. However, any active mirroring sessions are unaffected and traffic continues to be mirrored.

To create a secure packet-mirroring environment, you use a combination of the JUNOSe software authorization methods and the mirror-enable command. You configure the authorization method to control who can use the mirror-enable command. Authorized users can then issue the mirror-enable command, making the packet mirroring commands visible. However, the commands are still hidden from unauthorized users. Table 38 lists the commands whose visibility is controlled by the mirror-enable command.

Table 38: Commands Made Visible by the mirror-enable Command

  • ip policy { secure-input | secure-output }
  • show ip interface (packet mirroring information)
  • clear mirror log
  • show mirror log
  • mirror acct-session-id
  • show mirror rules
  • mirror analyzer-ip-address
  • show mirror trap
  • mirror calling-station-id
  • show mirror subscribers
  • mirror disable
  • show secure classifier-list
  • mirror ip-address
  • show secure policy-list
  • mirror nas-port-id
  • show snmp secure-log
  • mirror trap-enable
  • show snmp trap (packet mirroring information)
  • mirror username
  • snmp-server clear secure-log
  • secure ip classifier-list
  • snmp-server secure-log
  • secure ip policy-list
  • snmp-server enable traps (packetMirror keyword)
  • secure l2tp policy-list
  • snmp-server host (packetMirror keyword)

To provide increased security, the mirror-enable command must be the only command at its access level (level 12 by default), and it must also be at a different privilege level from the other packet mirroring commands (level 13 by default) and from regular JUNOSe CLI commands. This separation enables you to control authorization to the mirror-enable command and to limit the visibility of packet mirroring commands. For example, if you are using TACACS+, the mirror-enable command is the only packet mirroring command that is sent to the TACACS+ server. You can also use TACACS+ to prevent unauthorized individuals from modifying the configuration of analyzed ports.
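As an added example (not part of the JUNOSe documentation), the following Python check encodes the rule above: given a map of command names to privilege levels, it reports any command, mirroring or regular, that shares the mirror-enable level, and any Table 38 command that has no level assigned. The command names come from Table 38; the regular commands and the level 10 value are constructed sample data.

```python
# Added example (not from the JUNOSe documentation): audit a privilege-level
# assignment against the rule that mirror-enable must be the only command at
# its level, so that authorizing that level grants nothing beyond revealing
# the packet mirroring commands. All level maps here are constructed samples.

MIRROR_ENABLE = "mirror-enable"

# Commands whose visibility is controlled by mirror-enable (Table 38).
# "show ip interface" and "show snmp trap" only gain mirroring output, so
# they are treated as regular commands below.
MIRRORING_COMMANDS = (
    "ip policy secure-input", "ip policy secure-output",
    "clear mirror log", "show mirror log", "show mirror rules",
    "mirror acct-session-id", "mirror analyzer-ip-address",
    "mirror calling-station-id", "mirror disable", "mirror ip-address",
    "mirror nas-port-id", "mirror trap-enable", "mirror username",
    "show mirror trap", "show mirror subscribers",
    "secure ip classifier-list", "secure ip policy-list",
    "secure l2tp policy-list", "show secure classifier-list",
    "show secure policy-list", "show snmp secure-log",
    "snmp-server clear secure-log", "snmp-server secure-log",
    "snmp-server enable traps", "snmp-server host",
)

# Constructed stand-ins for the rest of the regular CLI.
REGULAR_COMMANDS = ("show version", "show ip interface", "show snmp trap")


def default_layout():
    """Layout described as the default: mirror-enable at 12, the other
    mirroring commands at 13; level 10 for regular commands is constructed."""
    levels = {MIRROR_ENABLE: 12}
    levels.update({cmd: 13 for cmd in MIRRORING_COMMANDS})
    levels.update({cmd: 10 for cmd in REGULAR_COMMANDS})
    return levels


def audit_privilege_levels(level_of):
    """Return violation messages; an empty list means mirror-enable is isolated."""
    if MIRROR_ENABLE not in level_of:
        return [f"{MIRROR_ENABLE} has no privilege level assigned"]
    enable_level = level_of[MIRROR_ENABLE]
    problems = []
    # Rule: nothing else, mirroring or regular, may sit at the mirror-enable level.
    for cmd, lvl in sorted(level_of.items()):
        if cmd != MIRROR_ENABLE and lvl == enable_level:
            problems.append(f"'{cmd}' shares level {enable_level} with {MIRROR_ENABLE}")
    # A Table 38 command absent from the map cannot be shown to be separated.
    for cmd in MIRRORING_COMMANDS:
        if cmd not in level_of:
            problems.append(f"'{cmd}' is missing from the privilege-level map")
    return problems
```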

See the chapter Passwords and Security in the JUNOSe System Basics Configuration Guide for more information about access levels. See the chapter Configuring TACACS+ in the JUNOSe Broadband Access Configuration Guide for information about TACACS+ authorization.
