
Configuring Session Mirroring

Session mirroring commands are hidden by default. You must have a login with sufficient permission to configure session mirroring. The set system login class class-name permissions pgcp-session-mirroring-control command grants this permission.

Step-by-Step Procedure

To configure session mirroring:

  1. Access the configuration of the delivery function properties under session-mirroring.
    [edit services pgcp]
    user@host# edit session-mirroring delivery-function df-1
  2. Configure the network operator ID. The PG includes the network operator ID in the header of intercepted packets that it sends to the delivery function. It is used to identify the operator.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set network-operator-id ABCDE
  3. Configure the address of the delivery function to which the PG sends session-mirroring information.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set destination-address 10.1.1.63
  4. Configure the port on the delivery function that receives session-mirroring information.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set destination-port 15000
  5. Configure the address of the interface on which the PG sends session-mirroring data to the delivery function.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set source-address 10.1.1.43
  6. Configure the port on which the PG sends session-mirroring data to the delivery function.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set source-port 10000

Disabling Session Mirroring

To disable session mirroring:

[edit services pgcp session-mirroring]
user@host# set disable-session-mirroring

Re-Enabling Session Mirroring

To re-enable session mirroring:

[edit services pgcp session-mirroring]
user@host# delete disable-session-mirroring

Configuring IPSec for Mirrored Sessions

To protect mirrored traffic that is sent from the PG to the delivery function, you can use IPSec. To have IPSec and PGCP performed on the same PIC, you create PGCP and IPSec service sets and chain these service sets using routing-options.

To create the service sets and routing options:

  1. Configure a PGCP service set. The NAT routes installed as part of the PGCP service direct PGCP traffic to sp-1/0/0.10 and sp-1/0/0.20.
    [edit services service-set pgcp-svc-set]
    user@host# set pgcp-rules pgcp-rule
    user@host# set next-hop-service inside-service-interface sp-1/0/0.10
    user@host# set next-hop-service outside-service-interface sp-1/0/0.20
  2. Configure an IPSec service set on the same PIC.
    [edit services service-set ipsec-svc-set]
    user@host# set next-hop-service inside-service-interface sp-1/0/0.30
    user@host# set next-hop-service outside-service-interface sp-1/0/0.40
    user@host# set ipsec-vpn-options local-gateway 1.0.0.1
    user@host# set ipsec-vpn-rules ipsec1
  3. Install a static route to the delivery function (1.0.0.3) with the next-hop address of the PIC. This route redirects mirrored packets to a unit of the same service PIC that is hosting the IPSec service.
    [edit]
    user@host# set routing-options static route 1.0.0.3/32 next-hop sp-1/0/0.30

The mirrored packets that are generated on sp-1/0/0 have the destination address of the delivery function, in this case 1.0.0.3.
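
The following added example (not part of the original documentation) checks a configuration in "display set" form for the chaining described above: each delivery function's destination-address must be covered by a static route whose next hop is the inside service interface of an IPSec service set, otherwise mirrored traffic is not steered into IPSec. The sample configurations are constructed from the statements on this page, the function name audit is hypothetical, and only static routes are considered.

```python
import ipaddress
import re

# Constructed sample in "display set" form, assembled from statements on this page.
SAMPLE_OK = """\
set services pgcp session-mirroring delivery-function df-1 destination-address 1.0.0.3
set services service-set pgcp-svc-set next-hop-service inside-service-interface sp-1/0/0.10
set services service-set ipsec-svc-set next-hop-service inside-service-interface sp-1/0/0.30
set services service-set ipsec-svc-set next-hop-service outside-service-interface sp-1/0/0.40
set services service-set ipsec-svc-set ipsec-vpn-rules ipsec1
set routing-options static route 1.0.0.3/32 next-hop sp-1/0/0.30
"""
# Constructed failure case: the delivery function address has no covering route.
SAMPLE_BAD = SAMPLE_OK.replace("destination-address 1.0.0.3",
                               "destination-address 10.1.1.63")

DF = re.compile(r"^set services pgcp session-mirroring delivery-function (\S+) "
                r"destination-address (\S+)$")
IPSEC = re.compile(r"^set services service-set (\S+) ipsec-vpn-rules \S+$")
INSIDE = re.compile(r"^set services service-set (\S+) next-hop-service "
                    r"inside-service-interface (\S+)$")
ROUTE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")

def audit(config):
    """Return {delivery-function name: "ok" or a reason string}."""
    dfs, ipsec_sets, inside, routes = {}, set(), {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := DF.match(line):
            dfs[m[1]] = ipaddress.ip_address(m[2])
        elif m := IPSEC.match(line):
            ipsec_sets.add(m[1])          # service sets that carry IPSec rules
        elif m := INSIDE.match(line):
            inside[m[1]] = m[2]           # service set -> inside interface
        elif m := ROUTE.match(line):
            routes.append((ipaddress.ip_network(m[1], strict=False), m[2]))
    ipsec_ifs = {inside[s] for s in ipsec_sets if s in inside}
    result = {}
    for name, addr in dfs.items():
        covering = [r for r in routes if addr in r[0]]
        if not covering:
            result[name] = "no static route covers %s" % addr
            continue
        # The longest-prefix match decides where the mirrored packet goes.
        net, nh = max(covering, key=lambda r: r[0].prefixlen)
        result[name] = ("ok" if nh in ipsec_ifs else
                        "route %s exits via %s, not an IPSec inside interface" % (net, nh))
    return result
```

Feed it the output of show configuration | display set from the device being reviewed; any value other than "ok" means the mirrored stream for that delivery function should be treated as unprotected until the route or service set is corrected.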
