
Example: Configuring CLI-Based User-Specific Mirroring

This example shows the configuration of a CLI-based packet mirroring session for an L2TP user. The configuration uses the username and virtual router ID as the trigger to identify the user and start the mirroring session. The mirroring session replicates all traffic associated with the user, and then sends the replicated traffic through an IPSec tunnel to the analyzer device.

  1. Enable the visibility and use of the packet mirroring CLI commands.
    host1#mirror-enable
  2. Create the analyzer interface and the route to the analyzer device at address 192.168.99.2.
    host1(config)# interface tunnel ipsec:mirror3 transport-virtual-router default
    host1(config-if)#ip analyzer
    host1(config-if)#exit
    host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
  3. Configure the secure L2TP policy that forwards the mirrored traffic to the analyzer device at 192.168.99.2, port 6500. The classifier-group command uses the default classifier list, which is indicated by the asterisk character (*).
    host1(config)#secure l2tp policy-list l2tp_toMirrorHQ
    host1(config-policy-list)#classifier-group *
    host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-identifier 1 session-identifier 1
  4. Configure packet mirroring for the subscriber identified by username jwbooth@isptheatre.com for VR lac, and associate the secure policy with the user.
    host1(config)#virtual-router lac
    host1:lac(config)#mirror username jwbooth@isptheatre.com l2tp secure-policy-list l2tp_toMirrorHQ

    Now, when subscriber jwbooth@isptheatre.com logs in through virtual router lac, the packet mirroring session starts and the subscriber’s replicated traffic is sent through the secure IPSec tunnel to the remote analyzer device.

  5. Verify the packet-mirroring configuration.
    host1# show mirror subscribers
    Subscriber ID                  Subscriber ID       Secure Policy  Secure Policy List  Sessions 
                                   Method              Type                               Mirrored
    ------------------             ------------------  -------------  ------------------  --------
    lac:jwbooth@isptheatre.com     username            l2tp           l2tp_toMirrorHQ     1
    
  6. Verify the configuration of the secure L2TP policy.
    host1# show secure policy-list name l2tp_toMirrorHQ
                                      Policy Table
                                      ------ -----
    Secure L2TP Policy l2tp_toMirrorHQ
     Administrative state: enable
     Reference count:      2
     Classifier control list: *
      mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-id 1 session-id 1 
     Referenced by interface(s): 
      TUNNEL l2tp:5/1/5  secure-input policy
      TUNNEL l2tp:5/1/5  secure-output policy
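
An added example, not part of the original documentation: the verification in steps 5 and 6 can be automated by parsing the two show outputs and comparing them with an approval record, so that an unexpected mirrored subscriber or a changed analyzer destination is flagged. The `APPROVED` record, the function names, and the second subscriber row are assumptions constructed for this example.

```python
import re

# Table copied from step 5; the second subscriber row is constructed for this example.
MIRROR_SUBSCRIBERS = """\
Subscriber ID                  Subscriber ID       Secure Policy  Secure Policy List  Sessions
                               Method              Type                               Mirrored
------------------             ------------------  -------------  ------------------  --------
lac:jwbooth@isptheatre.com     username            l2tp           l2tp_toMirrorHQ     1
lac:constructed@example.net    username            l2tp           l2tp_toMirrorHQ     0
"""
# Body of the step 6 output, abridged from this page.
POLICY_LIST = """\
Secure L2TP Policy l2tp_toMirrorHQ
 Administrative state: enable
 Classifier control list: *
  mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-id 1 session-id 1
"""
# Hypothetical approval record kept outside the router (an assumption of this example).
APPROVED = {"subscribers": {"lac:jwbooth@isptheatre.com": "l2tp_toMirrorHQ"},
            "analyzers": {"l2tp_toMirrorHQ": ("192.168.99.2", "default", 6500)}}
MIRROR_RE = re.compile(r"analyzer-ip-address (\S+) analyzer-virtual-router (\S+) analyzer-udp-port (\d+)")

def parse_subscribers(text):
    """Return {subscriber_id: policy_list} from 'show mirror subscribers'."""
    rows, in_body = {}, False
    for line in text.splitlines():
        if line.lstrip().startswith("---"):  # rule line ends the two-row header
            in_body = True
        elif in_body and len(line.split()) == 5:
            sub_id, _method, _type, policy, _sessions = line.split()
            rows[sub_id] = policy
    return rows

def parse_analyzers(text):
    """Return {policy: (ip, virtual_router, udp_port)} from 'show secure policy-list'."""
    found, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Secure \S+ Policy (\S+)", line):
            name = m.group(1)
        elif m := MIRROR_RE.search(line):
            found[name] = (m.group(1), m.group(2), int(m.group(3)))
    return found

def audit(sub_text, policy_text, approved):
    """List mirrored subscribers and analyzer destinations that lack an approval."""
    findings = [f"unapproved mirror: {s} -> {p}" for s, p in parse_subscribers(sub_text).items()
                if approved["subscribers"].get(s) != p]
    findings += [f"unexpected analyzer for {p}: {d}" for p, d in parse_analyzers(policy_text).items()
                 if approved["analyzers"].get(p) != d]
    return findings
```

Calling `audit(MIRROR_SUBSCRIBERS, POLICY_LIST, APPROVED)` on the sample reports only the constructed subscriber; the subscriber and analyzer configured on this page pass.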
    

 

