Application - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

Software for e series broadband services routers policy management configuration guide

Application

Copyright © 2010, Juniper Networks, Inc.
- CLI-based packet mirroring—All packet mirroring commands are hidden by default.
  You must execute the mirror-enable command to make the mirroring commands
  visible. You can optionally configure authorization methods to control access to the
  mirror-enable command, which makes the packet mirroring commands available only
  to authorized users. The mirror-enable command is in privilege level 12 by default and
  the mirroring commands are in privilege level 13 by default. You can change the privilege
  levels of these commands; however, we recommend that you always put the
  mirror-enable command at a different privilege level than the mirroring commands.
- RADIUS-based packet mirroring—Access to RADIUS-based mirroring functionality is
  unrestricted. However, the display of mirroring functionality is restricted to privilege
  level 13 users by default. In addition, the user must execute the mirror-enable command
  to make the packet mirroring-related show commands visible.
RADIUS-based mirroring uses dynamically created secure policies based on certain
RADIUS VSAs. You attach the secure policies to the interface used by the mirrored
user. The packet-mirroring VSAs that the RADIUS server sends to the E Series router
are MD5 salt-encrypted.
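The page says only that the mirroring VSAs are "MD5 salt-encrypted". The sketch below is an added example, not Juniper code, and it assumes this means the salt-encryption scheme that RFC 2868 defines for Tunnel-Password; the function names, shared secret, and sample value are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest length in bytes


def _xor_chain(secret, authenticator, salt, data, decrypting):
    """XOR data with the MD5 keystream; each block's key chains on ciphertext."""
    out = bytearray()
    prev = authenticator + salt              # first block: MD5(S + R + A)
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = chunk if decrypting else block  # later blocks: MD5(S + c(i-1))
    return bytes(out)


def salt_encrypt(value, secret, authenticator, salt=None):
    """Return salt (2 bytes) + ciphertext for one attribute value."""
    if len(authenticator) != BLOCK or len(value) > 255:
        raise ValueError("bad authenticator or value length")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])  # high bit of the salt must be set
    plain = bytes([len(value)]) + value
    plain += b"\x00" * (-len(plain) % BLOCK)   # pad to a 16-byte multiple
    return salt + _xor_chain(secret, authenticator, salt, plain, False)


def salt_decrypt(blob, secret, authenticator):
    """Recover the value; reject blobs that are structurally invalid."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) < 2 or not salt[0] & 0x80 or not cipher or len(cipher) % BLOCK:
        raise ValueError("malformed salt-encrypted value")
    plain = _xor_chain(secret, authenticator, salt, cipher, True)
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length byte out of range: wrong secret or corruption")
    return plain[1:1 + length]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    blob = salt_encrypt(b"192.0.2.10", secret, req_auth)
    print(blob.hex(), salt_decrypt(blob, secret, req_auth))
```

Under this scheme the value is recoverable by anyone who holds the RADIUS shared secret and the Request Authenticator, so the strength and handling of the shared secret is what protects the mirroring attributes in transit.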
The following list compares the different types of packet-mirroring methods:
- CLI-based packet mirroring—Is useful when organizations want to provide separation
  between the typical network operations personnel and the mirroring operations
  personnel. For example, if security is essential, you might perform the entire
  packet-mirroring configuration on the analyzer device, separate from the normal
  network operations role. This way, only the authorized personnel on the analyzer device
  are aware of the mirroring operation. If this level of security is not required, authorized
  network operations personnel can perform the configuration and management on the
  router as usual.
- CLI-based interface-specific mirroring—Can be useful in small networks with few
  E Series routers and in static environments where a user typically logs in to the same
  router through the same interface.
- CLI-based user-specific mirroring—Is useful in B-RAS environments, in which users
  log in and log out frequently.
- RADIUS-based user-specific mirroring—Is triggered when needed, either when the
  specified user logs in (user-initiated) or when the user is already logged in and
  RADIUS-based mirroring is enabled or modified (RADIUS-initiated). RADIUS-based
  mirroring also provides an excellent solution for B-RAS networks, for example to
  troubleshoot traffic problems related to mobile users.
CLI-based user-specific and RADIUS-based user-specific mirroring are also useful to
mirror L2TP traffic at the L2TP access concentrator (LAC). If the L2TP network server
(LNS) and the LAC belong to different service providers, mirroring at the LAC enables
mirroring to take place close to the user's domain.
Chapter 10: Packet Mirroring Overview

This manual is also suitable for:

Junose 11.3