Using Vty Access Lists to Secure Packet Mirroring

In this procedure, TACACS+ authorization is not used. However, you can still use vty access lists to control access to the mirror-enable command, which enables you to create isolation between the authorized packet mirroring users and unauthorized network operators.

1. Configure TACACS+ authorization for the mirror-enable command privilege level. Specify that authorization is denied if TACACS+ is not available. Because TACACS+ is not being used, authorization always fails.
2. Configure the majority of the vty lines and the console to use the authorization configuration from Step 1. (Users who use Telnet on these lines are denied access to the mirror-enable command.)
3. On the remaining vty lines (without the TACACS+ authorization) create an access list that contains the IP addresses of the users that you want to grant access to these vty lines—these users are granted access to the mirror-enable command, and therefore, the packet-mirroring feature.

This configuration grants access to the packet mirroring CLI commands to the users from the specified IP addresses. The packet mirroring commands remain hidden for all other users.