Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Support for Subscriber Secure Policy Mirroring

Subscriber secure policy runs on the radius-flow-tap service. This topic describes the steps to configure radius-flow-tap support for RADIUS-initiated and DTCP-initiated subscriber secure policy mirroring.

To configure the radius-flow-tap service to support subscriber secure policy mirroring:

  1. Configure the flow-tap service used for subscriber secure policy mirroring.
  2. Specify how the mirrored packets are forwarded to the mediation device.

    The actions in this step vary based on whether you're using extensible subscriber services manager (ESSM). When using ESSM you define a virtual tunnel (vt) interface that is placed into a routing instance. ESSM determines the routing instance for the flow tap based on this vt interface. When not using ESSM the routing instance used for the tap is explicitly configured under the services radius-flow-tap hierarchy.

    • If ESSM is used to managed the tapped subscriber interface:

      Define a vt interface. You only perform this action when the tapped interfaces are managed by extensible subscriber services manager (ESSM).

      If a currently used tunnel interface is deleted from the pool of interfaces, the active mirroring sessions are redistributed from the deleted interface to other tunnel interfaces in the pool. Also, when a new tunnel interface is added into the pool, the service adds the new interface to the list of interfaces available for new mirroring sessions or for existing sessions transferred from a failed interface.

    • If EESM is not used to manage the tapped subscriber interface:

      Specify the logical system and routing instance for the radius-flow-tap service. When not using EESM a vt interface is not required.

      You can specify a logical system and routing instance, or a routing instance without a logical system. If you do not specify a logical system, the router uses logical system default. If you do not specify either a logical system or routing instance, the router uses logical system default and routing instance default.

    Best Practice:

    Configure a routing instance to prevent a spoofed mediation device address from diverting traffic away from the device. When the mirrored customer flows are in the same routing instance as the mediation device, a malicious user might hijack the mediation device's route advertisement. By advertising a next hop to the hijacker’s network instead of to the device, the mirrored flows are captured and never reach the mediation device.

    If you configure the mirrored traffic to be forwarded to the mediation device by means of a routing instance, then the traffic is separated from the Internet. An external user is then unable to divert the mirrored traffic to the user’ s network.


    The interfaces statement applies only to ESSM-created interfaces and is ignored for flow-based interfaces. Similarly, the LS:RI configuration applies only to flow-based interfaces.

  3. Specify the source IP address that the radius-flow-tap service uses for mirroring. This address is used in the IP header prepended to mirrored packets that are sent to the content destination device.
  4. (Optional) Specify the forwarding class that is applied to the mirrored packets sent to the mediation device.

    If you do not specify a forwarding class, mirrored packets inherit the forwarding class from the original packet (which is the forwarding class set by default classification that CoS applies to the packet on the ingress interface).

  5. (Optional) Specify the subscriber secure policy that determines what traffic, if any, is not sent to the mediation device.

    You can add or change a subscriber secure policy any time, but a changed policy does not apply to a currently enabled policy. To change a policy:

    • Send a DTCP DELETE message to remove the current policy.

    • Modify the configuration with the new version of the policy.

    • Send a DTCP ADD message to add the policy.

    • Send a DTCP ENABLE message to enable the policy.

  6. (Optional) Specify the IP address for one or more target mediation devices to receive SNMPv3 trap notifications. Each target address must be configured separately.

    You must also configure SNMP so that only encrypted notifications are sent to target devices. Targets without privacy configured cannot receive the notifications. For information about the SNMP configuration for subscriber secure policy, see Configuring SNMPv3 Traps for Subscriber Secure Policy Mirroring.