Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual page 249

Related
Documentation
Copyright © 2010, Juniper Networks, Inc.
packet mirroring. When you use this command to create a secure policy list,
statistics-related keywords are not supported.
The secure ip classifier-list command creates or modifies a secure IP classifier control
list, which can then be included in a secure policy list.
The secure ipv6 classifier-list command creates or modifies a secure IPv6 classifier
control list, which can then be included in a secure policy list.
NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk
is used as a wildcard for the classifier-group command.
Except for the following considerations, secure IP classifier lists are created and function
the same as standard IP classifier lists—see "Classifier Control Lists Overview" on page 7
for information:
The secure ip classifier-list and secure ipv6 classifier-list commands are visible only
to authorized users—the mirror-enable command must be enabled before using this
command.
Secure IP classifier lists and secure IPv6 classifier lists are the only types of classifier
lists allowed in secure policy lists
Secure IP classifier lists and secure IPv6 classifier lists cannot be used in non-secure
policy lists.
You can associate secure IP and secure IPv6 policy classifier lists with all secure IP and
secure IPv6 policies dynamically created by RADIUS. This allows you to selectively
identify and drop high load traffic, such as video.
The secure ip policy-list, secure ipv6 policy-list, and secure l2tp policy-list commands
create or modify a secure IP, IPv6, or L2TP policy list. These commands are visible only
to authorized users—the mirror-enable command must be enabled before using this
command. These commands enter Policy List Configuration mode, enabling you to specify
the parameters of the secure policy list. If you enter Policy List Configuration mode and
then type exit without specifying any parameters, the router creates a policy list with a
mirror disable rule. Attaching this policy list to an interface results in no packet mirroring.
Secure IP classifier lists are the only type of classifier lists allowed in secure IP policy lists.
Secure L2TP policies do not support classification. Therefore, the only classifier group
you can use for secure L2TP policies is classifier-group *. You cannot delete a secure
policy list that is currently attached to an interface.
classifier-group
ip analyzer
ip mirror
ip policy
mirror
Chapter 11: Configuring CLI-Based Packet Mirroring
225