Juniper Networks
Related Documentation

  • Enabling and Securing CLI-Based Packet Mirroring
  • CLI-Based Packet Mirroring Sequence of Events
  • Reloading a CLI-Based Packet-Mirroring Configuration
  • classifier-group
  • ip analyzer
  • ip mirror
  • ip policy
  • mirror
  • mirror analyzer-ip-address
  • mirror disable
  • secure ip classifier-list
  • secure ipv6 classifier-list
  • secure ip policy-list
  • secure ipv6 policy-list
  • secure l2tp policy-list
 

Configuring CLI-Based Packet Mirroring

To configure the CLI-based packet-mirroring environment, you must coordinate the mirroring operations of two devices in the network: the E Series router and the analyzer device. The configuration of the analyzer device is mentioned in this section for reference only. The actual configuration procedures depend on the policies and guidelines established by the responsible organizations.

The secure ip policy and secure ipv6 policy commands are visible only to authorized users; the mirror-enable command must be enabled before you use either command. If you enter the secure ip policy or secure ipv6 policy command and the policy list does not exist, the router creates a policy list with a default mirror rule that disables mirroring. If you attach this policy list to an interface, no packets are mirrored. When you use these commands to create a secure policy list, statistics-related keywords are not supported.

The secure ip classifier-list command creates or modifies a secure IP classifier control list, which can then be included in a secure policy list.

The secure ipv6 classifier-list command creates or modifies a secure IPv6 classifier control list, which can then be included in a secure policy list.

Note: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command.

Secure IP classifier lists are created and function the same as standard IP classifier lists (see Classifier Control Lists Overview for information), except for the following considerations:

  • The secure ip classifier-list and secure ipv6 classifier-list commands are visible only to authorized users; the mirror-enable command must be enabled before you use these commands.
  • Secure IP classifier lists and secure IPv6 classifier lists are the only types of classifier lists allowed in secure policy lists.
  • Secure IP classifier lists and secure IPv6 classifier lists cannot be used in non-secure policy lists.
  • You can associate secure IP and secure IPv6 policy classifier lists with all secure IP and secure IPv6 policies dynamically created by RADIUS. This allows you to selectively identify and drop high-load traffic, such as video.

The secure ip policy-list, secure ipv6 policy-list, and secure l2tp policy-list commands create or modify a secure IP, IPv6, or L2TP policy list. These commands are visible only to authorized users; the mirror-enable command must be enabled before you use them. These commands enter Policy List Configuration mode, enabling you to specify the parameters of the secure policy list. If you enter Policy List Configuration mode and then type exit without specifying any parameters, the router creates a policy list with a mirror disable rule. Attaching this policy list to an interface results in no packet mirroring.

Secure IP classifier lists are the only type of classifier lists allowed in secure IP policy lists. Secure L2TP policies do not support classification. Therefore, the only classifier group you can use for secure L2TP policies is classifier-group *. You cannot delete a secure policy list that is currently attached to an interface.
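The following is an added example, not part of Juniper's documentation: a small Python audit that applies the constraints stated above to a constructed, simplified listing. Only the command keywords come from this page; the argument layout, indentation, list names and analyzer address are assumptions made for illustration.

```python
import re
# Constructed listing: command keywords are the ones this page names; the
# argument layout and indentation are simplifying assumptions.
SAMPLE = """\
secure ip classifier-list secVideo
ip classifier-list plainWeb
secure ip classifier-list *
secure ip policy-list mirrorA
 classifier-group secVideo
  mirror analyzer-ip-address 192.0.2.10
secure ip policy-list mirrorB
 classifier-group plainWeb
secure ip policy-list mirrorEmpty
secure l2tp policy-list mirrorL2
 classifier-group secVideo
ip policy-list normal
 classifier-group secVideo
"""

HEAD = re.compile(r"^(secure )?(ip|ipv6|l2tp) (classifier|policy)-list (\S+)")

def audit(text):
    """Return findings for listings that break the rules described above."""
    secure_cl, plain_cl, policies, findings = set(), set(), [], []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m and m.group(3) == "classifier":
            if m.group(4) == "*":
                findings.append("classifier list named '*' collides with the classifier-group wildcard")
            else:
                (secure_cl if m.group(1) else plain_cl).add(m.group(4))
        elif m:  # a policy-list header opens a new policy
            policies.append({"secure": bool(m.group(1)), "family": m.group(2), "name": m.group(4), "groups": []})
        elif policies and line.strip().startswith("classifier-group "):
            policies[-1]["groups"].append(line.split()[1])
    for p in policies:  # second pass, once every classifier list is known
        if p["secure"] and not p["groups"]:
            findings.append(f"{p['name']}: no rules, default 'mirror disable' means no mirroring when attached")
        for g in p["groups"]:
            if p["secure"] and p["family"] == "l2tp" and g != "*":
                findings.append(f"{p['name']}: secure L2TP policies allow only classifier-group *")
            elif p["secure"] and g in plain_cl:
                findings.append(f"{p['name']}: non-secure classifier list {g} in a secure policy list")
            elif not p["secure"] and g in secure_cl:
                findings.append(f"{p['name']}: secure classifier list {g} in a non-secure policy list")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
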

 

 

Published: 2012-06-21

 