JUNOSe 7.2.x Policy Management Configuration Guide
Configuring CLI-Based Packet Mirroring
For a .scr file operation, the mirror-enable command must be enabled both before
you save the .scr file from the show configuration display and before you run the
script to reload the packet mirroring configuration. If the mirror-enable command
is not enabled, the .scr file operation for the packet mirroring configuration
fails.

Using TACACS+ and Vty Access Lists to Secure Packet Mirroring

The following example describes a procedure that uses TACACS+ and vty access
lists to manage the users who have access to the mirror-enable command. An
authorized user who issues the mirror-enable command then gains access to the
packet mirroring CLI commands and information.
This technique enables you to restrict the visibility and use of packet mirroring
commands to a controlled, authorized group of users.
1. Configure TACACS+ authorization for the access level of the mirror-enable
command (level 12 by default).
Configure the router either to allow or disallow authorization when the
TACACS+ servers are not available.
2. Configure all vty lines and the console to use the TACACS+ authorization
configuration from step 1 for access level 12 commands.
This procedure ensures that the packet mirroring commands themselves are never
sent off the E-series router to the TACACS+ server; only the mirror-enable command
is sent for authorization. The packet mirroring configuration and all information
about mirrored interfaces and subscribers are available only to users who are
authorized for the packet mirroring CLI commands on the router.

Using Vty Access Lists to Secure Packet Mirroring

In this example, TACACS+ authorization is not used. However, you can still use vty
access lists to control access to the mirror-enable command, which enables you to
create isolation between the authorized packet mirroring users and unauthorized
network operators.
1. Configure TACACS+ authorization for the mirror-enable command privilege
level. Specify that authorization is denied if TACACS+ is not available. Because
no TACACS+ server is actually in use, authorization on these lines always fails.
2. Configure the majority of the vty lines and the console to use the authorization
configuration from step 1. (Users who use Telnet on these lines are denied
access to the mirror-enable command.)
3. On the remaining vty lines (without the TACACS+ authorization) create an
access list that contains the IP addresses of the users that you want to grant
access to these vty lines—these users are granted access to the mirror-enable
command, and therefore, the packet mirroring feature.
This configuration grants access to the packet mirroring CLI commands to the users
from the specified IP addresses. The packet mirroring commands remain hidden
for all other users.
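The two procedures above make the same decision for every CLI line: either level 12 command authorization is referred to TACACS+ (and fails open or closed when no server answers), or the line is reachable only from listed source addresses. The model below is an added example and not code from the JUNOSe guide; it encodes both schemes as data, decides whether a given user and source address may run mirror-enable on a given line, and adds the check a practitioner wants before trusting either scheme: that no vty line or console is left with neither control. The Line and TacacsState types, the 30 vty lines, the user names and the address prefixes are assumptions for illustration, not JUNOSe syntax.

```python
"""Model of the two schemes for gating the JUNOSe mirror-enable command.

Added example, not code from the JUNOSe Policy Management Configuration Guide.
Line names, the count of 30 vtys, and the data types are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Default privilege level of mirror-enable, as stated in the guide.
MIRROR_ENABLE_LEVEL = 12


@dataclass
class Line:
    """One CLI line (a vty or the console) and the controls applied to it."""
    name: str
    tacacs_authz: bool = False                # level-12 commands authorized via TACACS+
    deny_if_tacacs_down: bool = True          # fail closed when no TACACS+ server answers
    access_list: Optional[List[str]] = None   # source prefixes allowed to open the line


@dataclass
class TacacsState:
    """What the TACACS+ servers would answer, as seen from the router (constructed)."""
    reachable: bool
    level12_users: FrozenSet[str] = frozenset()   # users authorized for level-12 commands


def can_reach_line(line: Line, src_ip: str) -> bool:
    """vty access list: a source outside every listed prefix never gets a prompt."""
    if line.access_list is None:
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(prefix) for prefix in line.access_list)


def mirror_enable_allowed(line: Line, user: str, src_ip: str, tacacs: TacacsState) -> bool:
    """Decide whether `user` connecting from `src_ip` may run mirror-enable on `line`."""
    if not can_reach_line(line, src_ip):
        return False
    if not line.tacacs_authz:
        # No command authorization on this line: reaching it is enough.
        # This is the path the access-list-only scheme relies on.
        return True
    if not tacacs.reachable:
        # Step 1 of both procedures: the operator chooses fail-open or fail-closed.
        return not line.deny_if_tacacs_down
    return user in tacacs.level12_users


def unprotected_lines(lines: List[Line]) -> List[str]:
    """Lint: a line with neither control hands mirror-enable to anyone who logs in there."""
    return [l.name for l in lines if not l.tacacs_authz and l.access_list is None]


def scheme_tacacs_everywhere(fail_closed: bool = True) -> List[Line]:
    """'Using TACACS+ and Vty Access Lists': every vty and the console refer
    level-12 authorization to TACACS+."""
    lines = [Line(f"vty {i}", tacacs_authz=True, deny_if_tacacs_down=fail_closed)
             for i in range(30)]
    lines.append(Line("console", tacacs_authz=True, deny_if_tacacs_down=fail_closed))
    return lines


def scheme_access_list_only(allowed_prefixes: List[str], n_open: int = 4) -> List[Line]:
    """'Using Vty Access Lists': most lines point at a TACACS+ authorization that can
    never succeed (no server in use); the last n_open vtys are instead limited by source IP."""
    lines = [Line(f"vty {i}", tacacs_authz=True, deny_if_tacacs_down=True)
             for i in range(30 - n_open)]
    lines += [Line(f"vty {i}", access_list=list(allowed_prefixes))
              for i in range(30 - n_open, 30)]
    lines.append(Line("console", tacacs_authz=True, deny_if_tacacs_down=True))
    return lines


def find_line(lines: List[Line], name: str) -> Line:
    return next(l for l in lines if l.name == name)


if __name__ == "__main__":
    noc = TacacsState(reachable=True, level12_users=frozenset({"alice"}))
    down = TacacsState(reachable=False)
    s1 = scheme_tacacs_everywhere()
    s2 = scheme_access_list_only(["10.1.1.0/24"])
    print("scheme 1, alice, TACACS+ up:", mirror_enable_allowed(find_line(s1, "vty 0"), "alice", "198.51.100.7", noc))
    print("scheme 1, alice, TACACS+ down:", mirror_enable_allowed(find_line(s1, "vty 0"), "alice", "198.51.100.7", down))
    print("scheme 2, listed source on vty 26:", mirror_enable_allowed(find_line(s2, "vty 26"), "anyone", "10.1.1.5", down))
    print("scheme 2, unlisted source on vty 26:", mirror_enable_allowed(find_line(s2, "vty 26"), "anyone", "192.0.2.9", down))
    print("unprotected lines:", unprotected_lines(s2))
```

Two points the model makes visible. First, the fail-open choice in step 1 of the TACACS+ scheme means a TACACS+ outage grants mirror-enable to every authenticated operator, so fail-closed is the setting to keep unless console lockout during an outage is an accepted risk. Second, the access-list scheme authorizes by source address only; whoever can log in from a listed prefix gets the packet mirroring commands, so those prefixes should be as narrow as the operations workflow allows and the unprotected_lines check should return an empty list for the final configuration.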
