Technical Documentation

Configuring DTCP-Initiated Subscriber Secure Policy Mirroring Overview

You can configure DTCP-initiated subscriber secure policy mirroring to mirror subscriber traffic.

Note: DTCP-initiated subscriber secure policy mirroring runs on the radius-flow-tap service infrastructure. To configure the subscriber secure policy service, you must have the same privileges that are required to configure the radius-flow-tap service.

To configure DTCP-initiated subscriber secure policy service:

  1. Configure the radius-flow-tap service support for secure subscriber policy. This support includes configuring the tunnels and optional forwarding-class information that the subscriber secure policy service uses to send mirrored traffic to the content destination device.

    See Configuring RADIUS-Flow-Tap Service Support for Subscriber Secure Policy Mirroring.

  2. Configure the DTCP support for subscriber secure policy. This support includes configuring the DTCP-over-SSH service that provides an extra level of security for DTCP transactions.

    See Configuring DTCP Support for Subscriber Secure Policy Mirroring.

  3. Ensure that the following support is also configured:

    • The DTCP ADD message of the mirrored interface must include the DTCP attributes required for subscriber secure policy mirroring. See DTCP Attributes Used for Subscriber Secure Policy for descriptions of the supported attributes used in DTCP messages.
    • The content destination device must be configured to accept the mirrored data from the mediation device.
    The descriptions of these configurations are beyond the scope of this document.
  4. (Optional) Configure SNMPv3 trap support to capture and report mirroring information to an external device.

    See Configuring SNMPv3 Traps for Subscriber Secure Policy MIrroring.

  5. You can terminate an active subscriber mirroring session at any time.

    See Terminating Subscriber Secure Policy Mirroring Sessions.

Note: The subscriber secure policy feature requires some system resources while mirroring, encrypting, and sending traffic to the mediation device. We recommend that you consider this requirement when you configure subscriber secure policy. For example, you might elect to use a 10-Gigabit Ethernet interface for the tunnel and mediation device if you expect the amount of traffic you plan to mirror to approach 1 Gbps of actual user data.


Published: 2010-04-15