Configuring Session Mirroring
Setting Up Session Mirroring
Session mirroring commands are hidden by default. You must have a login with sufficient permission to configure session mirroring. The set system login class class-name permissions pgcp-session-mirroring-control command grants this permission.
To configure session mirroring:
- Access the configuration of the delivery function properties under session-mirroring.
  [edit services pgcp]
  user@host# edit session-mirroring delivery-function df-1
- Configure the network operator ID. The BGF includes the network operator ID in the header of intercepted packets that it sends to the delivery function. It is used to identify the operator.
  [edit services pgcp session-mirroring delivery-function df-1]
  user@host# set network-operator-id ABCDE
- Configure the address of the delivery function to which the BGF sends session-mirroring information.
  [edit services pgcp session-mirroring delivery-function df-1]
  user@host# set destination-address 10.1.1.63
- Configure the port on the delivery function that receives session-mirroring information.
  [edit services pgcp session-mirroring delivery-function df-1]
  user@host# set destination-port 15000
- Configure the address of the interface on which the BGF sends session-mirroring data to the delivery function.
  [edit services pgcp session-mirroring delivery-function df-1]
  user@host# set source-address 10.1.1.43
- Configure the port on which the BGF sends session-mirroring data to the delivery function.
  [edit services pgcp session-mirroring delivery-function df-1]
  user@host# set source-port 10000
Configuring IPsec to Protect Mirrored Sessions in Tunnel Mode
Figure 1 shows a sample configuration that protects session mirroring call content (that is, the X3 interface) using IPsec tunnel mode.
Figure 1: Protecting Session Mirroring Call Content Using IPsec Tunnel Mode

To configure IPsec to protect session mirroring call content as shown in Figure 1:
- Configure the service PIC that you want IPsec to use. IPsec can use the same service PIC that the BGF uses, or it can have a dedicated service PIC.
  Assign a logical interface for incoming traffic to the IPsec tunnel and a logical interface for outgoing traffic from the IPsec tunnel. For example:
  [edit interfaces sp-3/3/0]
  unit 0 {
      family inet;
  }
  unit 10 {
      family inet;
      service-domain inside;
  }
  unit 20 {
      family inet;
      service-domain outside;
  }
  unit 50 {
      description IPsec-tunnel-incoming;
      family inet;
      service-domain inside;
  }
  unit 60 {
      description IPsec-tunnel-outgoing;
      family inet;
      service-domain outside;
  }
- Configure a service set that has the following characteristics:
  - Next hop service that contains the inside and outside interfaces that you configured for IPsec.
  - The local IP address for IPsec traffic.
  - The IPsec rule or rule set applied to the tunnel. This is a rule or rule set that you configure at the [edit services ipsec-vpn] hierarchy level.
  [edit services service-set ipsec-tunnel-for-bgf]
  next-hop-service {
      inside-service-interface sp-3/3/0.50;
      outside-service-interface sp-3/3/0.60;
  }
  ipsec-vpn-options {
      local-gateway 192.168.10.1;
  }
  ipsec-vpn-rules rule-ike;
- Configure a static route to the mediation server with the IPsec interface as the next hop.
  [edit routing-options]
  static {
      route 10.0.0.150/32 next-hop sp-3/3/0.50;
  }
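The following audit script is an added example, not part of the original documentation or of Juniper's tooling. It reads a configuration in display set form and reports every delivery function whose destination address is not covered by a static route into the inside interface of a service set that has IPsec rules, which is the condition under which mirrored call content would leave the BGF outside the tunnel. The sample configuration is constructed from the values on this page (df-2 is a hypothetical second delivery function), and only static routes are considered.

```python
import ipaddress
import re

# Constructed sample in "display set" form; df-2 is a hypothetical delivery function.
SAMPLE = """\
set services pgcp session-mirroring delivery-function df-1 destination-address 10.1.1.63
set services pgcp session-mirroring delivery-function df-2 destination-address 10.0.0.150
set services service-set ipsec-tunnel-for-bgf next-hop-service inside-service-interface sp-3/3/0.50
set services service-set ipsec-tunnel-for-bgf next-hop-service outside-service-interface sp-3/3/0.60
set services service-set ipsec-tunnel-for-bgf ipsec-vpn-rules rule-ike
set routing-options static route 10.0.0.150/32 next-hop sp-3/3/0.50
"""

DF = re.compile(r"^set services pgcp session-mirroring delivery-function (\S+) destination-address (\S+)$")
INSIDE = re.compile(r"^set services service-set (\S+) next-hop-service inside-service-interface (\S+)$")
RULES = re.compile(r"^set services service-set (\S+) ipsec-vpn-rule(?:s|-sets) \S+$")
ROUTE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")


def unprotected_delivery_functions(config):
    """Return [(name, address)] for delivery functions whose longest-match
    static route does not point into an IPsec service set."""
    dfs, inside, ipsec_sets, routes = {}, {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := DF.match(line):
            dfs[m[1]] = ipaddress.ip_address(m[2])
        elif m := INSIDE.match(line):
            inside[m[2]] = m[1]          # interface -> service set name
        elif m := RULES.match(line):
            ipsec_sets.add(m[1])         # service sets that apply IPsec rules
        elif m := ROUTE.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[2]))
    findings = []
    for name, addr in sorted(dfs.items()):
        matches = [(net, hop) for net, hop in routes if addr in net]
        # Longest prefix wins, as in the forwarding table.
        best = max(matches, key=lambda r: r[0].prefixlen, default=None)
        if best is None or inside.get(best[1]) not in ipsec_sets:
            findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    for name, addr in unprotected_delivery_functions(SAMPLE):
        print(f"{name}: {addr} is not routed into an IPsec tunnel")
```

A finding means only that no static route sends that destination into the tunnel; traffic that reaches the tunnel through a route learned another way is not recognized by this check.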
Disabling Session Mirroring
To disable session mirroring:
Re-Enabling Session Mirroring
To re-enable session mirroring:
