
Configuring Session Mirroring

This topic includes the following tasks:

Setting Up Session Mirroring

Session mirroring commands are hidden by default. You must have a login with sufficient permission to configure session mirroring. The set system login class class-name permissions pgcp-session-mirroring-control command grants this permission.

To configure session mirroring:

  1. Access the configuration of the delivery function properties under session-mirroring.
    [edit services pgcp]
    user@host# edit session-mirroring delivery-function df-1
  2. Configure the network operator ID. The BGF includes the network operator ID in the header of intercepted packets that it sends to the delivery function. It is used to identify the operator.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set network-operator-id ABCDE
  3. Configure the address of the delivery function to which the BGF sends session-mirroring information.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set destination-address 10.1.1.63
  4. Configure the port on the delivery function that receives session-mirroring information.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set destination-port 15000
  5. Configure the address of the interface on which the BGF sends session-mirroring data to the delivery function.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set source-address 10.1.1.43
  6. Configure the port on which the BGF sends session-mirroring data to the delivery function.
    [edit services pgcp session-mirroring delivery-function df-1]
    user@host# set source-port 10000

Configuring IPsec to Protect Mirrored Sessions in Tunnel Mode

Figure 1 shows a sample configuration that protects session mirroring call content (that is, the X3 interface) using IPsec tunnel mode.

Figure 1: Protecting Session Mirroring Call Content Using IPsec Tunnel Mode

To configure IPsec to protect session mirroring call content as shown in Figure 1:

  1. Configure the service PIC that you want IPsec to use. IPsec can use the same service PIC that the BGF uses, or it can have a dedicated service PIC.

    Assign a logical interface for incoming traffic to the IPsec tunnel and a logical interface for outgoing traffic from the IPsec tunnel. For example:

    [edit interfaces sp-3/3/0]
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain outside;
    }
    unit 50 {
        description IPsec-tunnel-incoming;
        family inet;
        service-domain inside;
    }
    unit 60 {
        description IPsec-tunnel-outgoing;
        family inet;
        service-domain outside;
    }
    
  2. Configure a service set that has the following characteristics:

    • Next hop service that contains the inside and outside interfaces that you configured for IPsec.
    • The local IP address for IPsec traffic.
    • The IPsec rule or rule set applied to the tunnel. This is a rule or rule set that you configure at the [edit services ipsec-vpn] hierarchy level.
    [edit services service-set ipsec-tunnel-for-bgf]
    next-hop-service {
        inside-service-interface sp-3/3/0.50;
        outside-service-interface sp-3/3/0.60;
    }
    ipsec-vpn-options {
        local-gateway 192.168.10.1;
    }
    ipsec-vpn-rules rule-ike;
  3. Configure a static route to the mediation server with the IPsec interface as the next hop.
    [edit routing-options]
    static {
        route 10.0.0.150/32 next-hop sp-3/3/0.50;
    }
    

Disabling Session Mirroring

To disable session mirroring:

[edit services pgcp session-mirroring]
user@host# set disable-session-mirroring

Re-Enabling Session Mirroring

To re-enable session mirroring:

[edit services pgcp session-mirroring]
user@host# delete disable-session-mirroring

Published: 2010-04-13
