Configuring CLI-Based Packet Mirroring ! 163
Chapter 6: Packet Mirroring
! This command is supported only on an LNS.
! Use the ip keyword to specify an IP subscriber.
! Example
host1(config)#mirror calling-station-id 5551212 ip secure-policy-list
securePolicyIp4
! Use the no version to disable packet mirroring and remove the trigger
configuration that is based on the subscriber’s Calling-Station-ID.
mirror-enable
! Use to enable the use of the secure packet mirroring commands by making the
commands visible in the CLI.
! The mirror-enable command is at access level 12 by default. To provide extra
security, we recommend that you always keep this command at a different
privilege level than the other packet mirroring commands (level 13 by default)
and the standard JUNOSe CLI commands.
For example, if you are using TACACS+ and you have all commands at the
same level, a user looking at the TACACS+ server log is able to view packet
mirroring-related commands and see which users are being mirrored. However,
if you specify that level 12 commands, but not level 13, are sent to the
TACACS+ server, only the mirror-enable command is sent to the TACACS+
server—the other packet mirroring-related commands are not sent to the
server, and they do not appear in the server log.
! This command pertains to the current CLI session; when the session ends, the
secure commands are no longer visible.
! You can control access to this command through the use of authorization
techniques, such as TACACS+ and simple access-list restrictions on vty lines.
! Example
host1#mirror-enable
! Use the no version to disable this command—the packet mirroring commands
are no longer visible. However, active mirroring sessions are not affected, and
continue to be mirrored.
mirror ip-address
! Use to configure a packet mirroring session that is based on an IP subscriber’s
IP address (RADIUS attribute 8), and to specify the secure policy to attach to the
subscriber’s interface.
! This command is visible only to authorized users—the mirror-enable
command must be enabled prior to using this command.
NOTE: The CLI enables you to specify the L2TP keyword for this command;
however, the Calling Station ID attribute is not available to packet mirroring
triggers on the LAC.
To Next Page
Loading...
Need help?
General
