Comparing Cli-Based Mirroring And Radius-Based Mirroring; Configuration - Juniper E320 Configuration Manual

JUNOSe 7.2.x Policy Management Configuration Guide

Comparing CLI-Based Mirroring and RADIUS-Based Mirroring

148 !
Overview
! RADIUS-based packet mirroring—A RADIUS administrator uses RADIUS
attributes to configure packet mirroring of a particular user's traffic. The router
creates dynamic secure policies for the mirroring operation.
In both the CLI-based and the RADIUS-based packet mirroring methods, the original
traffic is sent to its intended destination and the mirrored traffic is sent to an
analyzer (the mediation device). The mirroring operations are transparent to the
user whose traffic is being mirrored.
Packet mirroring operations require some system resources. To avoid
NOTE:
performance degradation, limit the amount of mirrored traffic to a maximum of 5
percent of the E-series router's total traffic.
Packet mirroring is supported on ASIC-based modules. See ERX Module Guide,
Appendix A, Module Protocol Support for information about modules supported on
ERX routers. See E320 Module Guide, Appendix A, IOA Protocol Support for
information about modules supported on the E320 router.
This section compares the characteristics of CLI-based and RADIUS-based mirroring
techniques. You can use CLI-based mirroring for both interface-specific and
user-specific mirroring; RADIUS-based mirroring is used for user-specific mirroring.
This section highlights differences in configuration, security, and application of the
CLI-based and RADIUS-based mirroring methods.

Configuration

This section describes differences in the configuration processes for CLI-based and
RADIUS-based mirroring:
CLI-based packet mirroring—You use CLI commands to configure and manage
!
packet mirroring of specific interfaces and users. For interface-specific
mirroring, you enable the static configuration after the IP interface is created.
The interface method mirrors only the traffic on the specific interface.
In user-specific mirroring, authentication, authorization, and accounting (AAA)
uses RADIUS attributes as triggers to identify the user whose traffic is to be
mirrored. The mirroring session starts when the user logs on. If the user is
already logged in, AAA immediately starts the mirroring session when you
enable packet mirroring.
RADIUS-based packet mirroring—This dynamic method uses RADIUS and
!
vendor-specific attributes (VSAs), rather than CLI commands, to identify a user
whose traffic is to be mirrored and to trigger the mirroring session. A RADIUS
administrator configures and enables the mirroring separate from the user's
session. You can use a single RADIUS server to provision packet mirroring
operations on multiple E-series routers in a service provider's network.
There are two variations of RADIUS-based packet mirroring. For both types, the
mirroring feature is initiated without regard to the user location, router,
interface, or type of traffic.