Reloading A Cli-Based Packet Mirroring Configuration - Juniper E320 Configuration Manual

Junose internet software for e-series routing platforms

Hide thumbs Also See for E320:

Hardware manual (144 pages)

Manual (83 pages)

Datasheet (6 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

page of 212

/ 212
Contents
Table of Contents
Bookmarks

Table of Contents

To create a secure packet mirroring environment, you use a combination of the

JUNOSe software's authorization methods and the mirror-enable command. You

configure the authorization method to control who can use the mirror-enable

command. Authorized users can then issue the mirror-enable command, making

the packet mirroring commands visible. However, the commands are still hidden

from unauthorized users.

Table 24

by the mirror-enable command.

Table 24: Commands Made Visible by the mirror-enable Command

ip policy { secure-input | secure-output }

clear mirror log

mirror acct-session-id

mirror analyzer-ip-address

mirror calling-station-id

mirror disable

mirror ip-address

mirror nas-port-id

mirror trap-enable

mirror username

To provide increased security, the mirror-enable command must be the only

command at its access level (level 12 by default) and it also must be at a different

privilege level than the other packet mirroring commands (level 13 by default) and

other regular JUNOSe CLI commands. This separation enables you to control

authorization to the mirror-enable command and to limit the visibility of packet

mirroring commands. For example, if you are using TACACS+, the mirror-enable

command is the only packet mirroring command that is sent to the TACACS+

server.

The following two examples describe techniques you might use to enable and

secure your CLI-based packet mirroring environment. Example 1 uses a

combination of TACACS+ authorization and virtual terminal (vty) access lists to

secure the packet mirroring environment. Example 2 uses only vty access lists.

See

JUNOSe System Basics Configuration Guide, Chapter 8, Passwords and Security

more information about access levels. See

Guide, Chapter 5, Configuring TACACS+

authorization.

Reloading a CLI-Based Packet Mirroring Configuration

You can reload your packet mirroring configuration as part of a configuration file

(.cnf) reload operation or when you run a script file (.scr) that you have saved from

the show configuration command display. When you reload a .cnf file, the packet

mirroring configuration is restored—no additional steps are required.

lists the commands whose visibility is controlled

secure policy-list

show mirror log

show mirror rules

show mirror trap

show mirror subscribers

show secure policy-list

show snmp trap (packet mirroring

information)

snmp-server secure-log

snmp-server enable traps (packetMirror

keyword)

snmp-server host (packetMirror keyword)

JUNOSe Broadband Access Configuration

for information about TACACS+

Configuring CLI-Based Packet Mirroring

Chapter 6: Packet Mirroring

for

153

Table of Contents

Show Quick Links

Hide quick links:

Table of Contents

This manual is also suitable for:

Erx-710 Erx-310 Erx-1440 Erx-1410 Erx-705

Reloading A Cli-Based Packet Mirroring Configuration - Juniper E320 Configuration Manual

Reloading a CLI-Based Packet Mirroring Configuration

Hide quick links:

Related Manuals for Juniper E320

Related Content for Juniper E320

This manual is also suitable for:

Table of Contents