Enabling And Securing Cli-Based Packet Mirroring; Figure 19: Cli-Based Interface Mirroring - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

JunosE 11.3.x Policy Management Configuration Guide

Enabling and Securing CLI-Based Packet Mirroring

220
Figure 19 on page 220 shows the traffic flow for ingress and egress IP interface mirroring.

Figure 19: CLI-Based Interface Mirroring

The JunosE Software enables you to create a secure environment for your packet-mirroring
operation by restricting access to the packet mirroring CLI commands and information.
For example, when dealing with a critical diagnostic or troubleshooting procedure, you
might want the packet-mirroring feature to be available and visible to a subset of your
network operations group. Or, if you are monitoring confidential traffic from a particular
user, you might want the configuration and results of the mirroring operation to be
available only to a unique group, such as the management group of the analyzer device.
By default, the packet mirroring configuration commands are hidden from all users. You
must use the mirror-enable command to make the commands visible, which then enables
you to configure the packet-mirroring environment. The command applies only to the
current CLI session. When you log out of the current session and then log in again, the
packet mirroring commands are no longer visible,
NOTE: The no mirror-enable command makes the packet mirroring
commands no longer visible. However, any active mirroring sessions are
unaffected and traffic continues to be mirrored.
To create a secure packet-mirroring environment, you use a combination of the JunosE
Software authorization methods and the mirror-enable command. You configure the
authorization method to control who can use the mirror-enable command. Authorized
users can then issue the mirror-enable command, making the packet mirroring commands
Copyright © 2010, Juniper Networks, Inc.