Comparing Cli-Based Mirroring And Radius-Based Mirroring; Configuration; Security - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

Software for E Series Broadband Services Routers Policy Management Configuration Guide

JunosE 11.3.x Policy Management Configuration Guide

Comparing CLI-Based Mirroring and RADIUS-Based Mirroring

Configuration

Security

Packet mirroring is supported on ASIC-based modules. See ERX Module Guide, Appendix
A, Module Protocol Support for information about modules supported on ERX routers.
See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about
modules supported on the E120 and E320 Broadband Services Routers.

This section compares the characteristics of CLI-based and RADIUS-based mirroring
techniques. You can use CLI-based mirroring for both interface-specific and user-specific
mirroring; RADIUS-based mirroring is used for user-specific mirroring. This section
highlights differences in configuration, security, and application of the CLI-based and
RADIUS-based mirroring methods.

This section describes differences in the configuration processes for CLI-based and
RADIUS-based mirroring:

- CLI-based packet mirroring—You use CLI commands to configure and manage packet
  mirroring of specific interfaces and users. For interface-specific mirroring, you enable
  the static configuration after the IP interface is created. The interface method mirrors
  only the traffic on the specific interface.

  In user-specific mirroring, authentication, authorization, and accounting (AAA) uses
  RADIUS attributes as triggers to identify the user whose traffic is to be mirrored. The
  mirroring session starts when the user logs in. If the user is already logged in, AAA
  immediately starts the mirroring session when you enable packet mirroring.

- RADIUS-based packet mirroring—This dynamic method uses RADIUS and
  vendor-specific attributes (VSAs), rather than CLI commands, to identify a user whose
  traffic is to be mirrored and to trigger the mirroring session. A RADIUS administrator
  configures and enables the mirroring separate from the user's session. You can use a
  single RADIUS server to provision packet-mirroring operations on multiple E Series
  routers in a service provider's network.

  There are two variations of RADIUS-based packet mirroring. For both types, the mirroring
  feature is initiated without regard to the user location, router, interface, or type of traffic.

  - User-initiated mirroring—If the user is not currently logged in, the mirroring session
    starts when the user logs in and is authenticated by RADIUS. The user's
    Acct-Session-Id is the identification trigger.

  - RADIUS-initiated mirroring—If the user is already logged in, the JunosE RADIUS
    dynamic-request server uses RADIUS-initiated change-of-authorization (CoA)
    messages to immediately start the mirroring session when the packet mirroring is
    enabled.
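
For auditing the RADIUS-initiated path described above, the following added example (not from the Juniper guide) parses a CoA-Request and extracts the Acct-Session-Id and any VSAs so that received triggers can be logged. Packet codes and attribute types are the standard RFC 2865/2866/5176 values. It is an assumption that the CoA-Request identifies the session by Acct-Session-Id, and the sample packet, session ID, vendor ID 0 and vendor type 1 are constructed placeholders, not JunosE's actual mirroring attributes.

```python
import struct

COA_REQUEST = 43        # RFC 5176 packet code
ACCT_SESSION_ID = 44    # RFC 2866 attribute type
VENDOR_SPECIFIC = 26    # RFC 2865 attribute type

def tlvs(buf):
    """Yield (type, value) from a run of 1-byte-type, 1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):   # length counts the 2 header bytes
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def parse_coa(packet):
    """Return the session trigger and VSAs carried by a CoA-Request.
    The authenticator (bytes 4..19) is not verified here."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError(f"not a CoA-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    result = {"id": ident, "acct_session_id": None, "vsas": []}
    for atype, value in tlvs(packet[20:length]):
        if atype == ACCT_SESSION_ID:
            result["acct_session_id"] = value.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA without vendor id")
            vendor = struct.unpack("!I", value[:4])[0]
            for vtype, vval in tlvs(value[4:]):   # vendor sub-attributes
                result["vsas"].append((vendor, vtype, vval))
    return result

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: session id, vendor id 0 and vendor type 1 are placeholders.
BODY = attr(ACCT_SESSION_ID, b"erx-session-0001") + attr(
    VENDOR_SPECIFIC, struct.pack("!I", 0) + attr(1, b"\x01"))
SAMPLE = struct.pack("!BBH", COA_REQUEST, 7, 20 + len(BODY)) + bytes(16) + BODY

if __name__ == "__main__":
    print(parse_coa(SAMPLE))
```
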
The following list highlights security features provided by CLI-based and RADIUS-based
mirroring:
Copyright © 2010, Juniper Networks, Inc.
