Avoiding Conflicts Between Multiple Packet Mirroring Configurations
The JUNOSe software gives you a great deal of flexibility
in creating your packet mirroring environment by supporting both the
CLI-based and the RADIUS-based configuration methods. However, a conflict
might occur when you use both methods. For example, a given subscriber
might be targeted by both a CLI-based configuration and a RADIUS-based
configuration. The rival configurations might use the same trigger
to identify the subscriber, or they might use different triggers.
The configuration method that is applied to the subscriber depends
on several variables: the trigger, when the packet mirroring configuration
is created, and when the subscriber logs in. The following considerations
apply to multiple packet mirroring configurations.
- CLI-based and RADIUS CoA (RADIUS-initiated mirroring)
configurations identify targeted subscribers according to the following
configured criteria in the order given:
  - Account session ID
  - Calling station ID
  - IP address associated with the virtual router where the
  subscriber logs in
  - Username associated with the virtual router where the
  subscriber logs in
  - NAS port ID
- A RADIUS login configuration always implicitly uses the
Acct-Session-ID to identify the subscriber. This trigger has the highest
priority of the five possible identification methods. For this reason,
when a subscriber logs in, an existing RADIUS login configuration
always takes effect over other packet mirroring configurations.
- A RADIUS CoA configuration affects only subscribers that
are currently logged in. It does not create persistent rules. Subscribers
that log in after the CoA request goes out are not mirrored by the
configuration.
  If a subscriber that is mirrored by a RADIUS CoA configuration
  subsequently logs out and then logs back in, that subscriber is no
  longer mirrored by the configuration. However, that subscriber might
  now be mirrored by an existing RADIUS login or CLI-based configuration.
- A CLI-based configuration creates persistent rules. The
configuration affects subscribers that are logged in when the configuration
is created, and subscribers that log in thereafter.
- You can create a new configuration or modify an existing
configuration to override a configuration that is currently mirroring
subscribers. You must use the same subscriber selection criteria that
were used by the current configuration. The overriding configuration
can be either CLI-based or a RADIUS CoA configuration; it does not
have to match the configuration source used by the current configuration.
- When a CLI-based or RADIUS CoA configuration identifies
a targeted subscriber group, all members of the group are examined
to determine whether any of these members is already mirrored using
a different identification method. If that is the case, none of the
group members is mirrored by the new configuration.
- Deletion of a CLI rule has no effect on subscribers that
are currently being mirrored. They continue to be mirrored as before
the deletion. These subscribers are not reevaluated against any remaining
identification criteria when a CLI rule is deleted.
- When mirroring is disabled by RADIUS CoA, subscribers
that were being mirrored are not evaluated against an existing CLI
configuration.
Consider the following scenarios.
Scenario 1: When Configurations Use the Same Identification Criteria
- Currently logged-in subscribers are not being mirrored.
These subscribers include 20 subscribers with the username joe@example.com.
Their subscriber access is through virtual router boston1.
- You create a RADIUS CoA (RADIUS-initiated) configuration
that targets subscribers that match joe@example.com logging in through
virtual router boston1.
- Mirroring begins for all 20 of these subscribers.
- Ten more subscribers with the username joe@example.com
log in through VR boston1. None of these new subscribers is mirrored
because the RADIUS CoA configuration makes no persistent rules.
- You create a CLI configuration to mirror subscribers with
username joe@example.com logging in through VR boston1.
- All 30 of these subscribers are now mirrored. The CLI
configuration expands the RADIUS CoA configuration because both configurations
use the same identification criteria. The original mirrored users
continue to be mirrored based on the CoA configuration; the new users
are mirrored based on the CLI configuration.
- You delete the CLI configuration while the subscribers
are still logged in and being mirrored. The deletion has no effect
on these subscribers; mirroring continues as before the deletion.
Scenario 2: When Configurations Use Different Identification Criteria
- Currently logged-in subscribers are not being mirrored.
These subscribers include 20 subscribers with the username joe@example.com.
Their subscriber access is through virtual router boston1.
The subscribers have been assigned IP addresses 10.1.1.1 through
10.1.1.20.
- You create a RADIUS CoA (RADIUS-initiated) configuration
that targets the subscriber that matches IP address 10.1.1.5 and VR
boston1.
- This subscriber is mirrored.
- You create a CLI configuration to mirror subscribers with
username joe@example.com logging in through VR boston1.
- No additional subscribers are mirrored because one subscriber
that matches that group (username and VR) is already being mirrored
by another identification criterion (IP address and VR).
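The rules and both scenarios above, replayed in a small Python model (an added example, not JUNOSe code or CLI syntax). The `Router` class, its method names and the session IP addresses used in scenario 1 are constructed for illustration; only the username and IP address criteria are modelled, and applying the first matching stored CLI rule at login is an assumption.

```python
from types import SimpleNamespace

JOE = ("username", "joe@example.com", "boston1")  # rule = (criterion, value, VR)

class Router:
    def __init__(self):
        self.online, self.cli_rules = [], []  # only CLI rules persist

    def mirror(self, source, crit, value, vr):
        if source == "cli":  # a "coa" request stores nothing
            self.cli_rules.append((crit, value, vr))
        group = [s for s in self.online if s.vr == vr and getattr(s, crit) == value]
        # A member already mirrored by a different criterion blocks the whole group.
        if any(s.mirrored_by and s.mirrored_by[0] != crit for s in group):
            return 0
        new = [s for s in group if not s.mirrored_by]
        for s in new:
            s.mirrored_by = (crit, source)
        return len(new)  # sessions that started being mirrored

    def cli_delete(self, *rule):  # sessions already mirrored are left untouched
        self.cli_rules.remove(rule)

    def login(self, username, vr, ip):
        sub = SimpleNamespace(username=username, vr=vr, ip=ip)
        hits = [c for c, v, r in self.cli_rules if r == vr and getattr(sub, c) == v]
        sub.mirrored_by = (hits[0], "cli") if hits else ()  # assumption: first match
        self.online.append(sub)

    def mirrored(self):
        return sum(1 for s in self.online if s.mirrored_by)

def joes(router, first, last):  # constructed sessions 10.1.1.first..last
    for i in range(first, last + 1):
        router.login("joe@example.com", "boston1", f"10.1.1.{i}")
    return router

def scenario_1():
    r = joes(Router(), 1, 20)
    coa = r.mirror("coa", *JOE)
    before_cli = joes(r, 21, 30).mirrored()
    cli = r.mirror("cli", *JOE)
    r.cli_delete(*JOE)
    return coa, before_cli, cli, r.mirrored()

def scenario_2():
    r = joes(Router(), 1, 20)
    coa = r.mirror("coa", "ip", "10.1.1.5", "boston1")
    return coa, r.mirror("cli", *JOE), r.mirrored()
```

`scenario_1()` returns `(20, 20, 10, 30)` and `scenario_2()` returns `(1, 0, 1)`, matching the subscriber counts in the text.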