Overview ! 149
Chapter 6: Packet Mirroring
! User-initiated mirroring—If the user is not currently logged in, the
mirroring session starts when the user logs on and is authenticated by
RADIUS.
! RADIUS-initiated mirroring—If the user is already logged in, the JUNOSe
RADIUS dynamic-request server uses RADIUS-initiated
change-of-authorization (CoA) messages to immediately start the mirroring
session when the packet mirroring is enabled.
Security
The following list highlights security features provided by CLI-based and
RADIUS-based mirroring:
! CLI-based packet mirroring—All packet mirroring commands are hidden by
default. You must execute the mirror-enable command to make the mirroring
commands visible. You can optionally configure authorization methods to
control access to the mirror-enable command, which makes the packet
mirroring commands available only to authorized users. The mirror-enable
command is in privilege level 12 by default and the mirroring commands are in
privilege level 13 by default. You can change the privilege levels of these
commands; however, we recommend that you always put the mirror-enable
command at a different privilege level than the mirroring commands.
! RADIUS-based packet mirroring—Access to RADIUS-based mirroring
functionality is unrestricted. However, the display of mirroring functionality is
restricted to privilege level 13 users by default. In addition, the user must
execute the mirror-enable command to make the packet mirroring-related
show commands visible.
RADIUS-based mirroring uses dynamically created secure policies based on
certain RADIUS VSAs. You attach the secure policies to the interface used by the
mirrored user. The packet mirroring VSAs that the RADIUS server sends to the
E-Series router are MD5 salt-encrypted.
Application
The following list compares the different types of packet mirroring methods:
! CLI-based packet mirroring—Is useful when organizations want to provide
separation between the typical network operations personnel and the mirroring
operations personnel. For example, if security is essential, you might perform
the entire packet-mirroring configuration on the mediation device, separate
from the normal network operations role. This way, only the authorized
personnel on the mediation device are aware of the mirroring operation. If this
level of security is not required, the network operations personnel can perform
the configuration and management on the router as usual.
NOTE: Packet mirroring is not supported on IPv6 interfaces.
To Next Page
Loading...
Need help?
General
