Using Multiple Triggers for CLI-Based Packet Mirroring
Copyright © 2010, Juniper Networks, Inc.
When you configure CLI-based packet mirroring, you can create multiple mirroring rules
for a particular subscriber. For example, you might create two rules: one rule that uses
the IP address as the trigger that identifies the user and a second rule with the subscriber's
username as the trigger. You can also configure RADIUS-based mirroring to use multiple
methods to identify subscribers.
To avoid conflicts between multiple mirroring rules, both CLI-based and RADIUS-based
mirroring operations assign a precedence to the subscriber identification triggers.
Subscriber information is examined for configured triggers according to the order of
precedence.
The following list indicates the order of precedence for the subscriber identification
triggers; Acct-Session-Id has the highest precedence. The keywords for the mirror and
mirror disable commands are listed below with their associated RADIUS attributes.
1. acct-session-id—Acct-Session-Id, RADIUS attribute [44]
2. calling-station-id—Calling-Station-Id, RADIUS attribute [31]
3. ip-address—Framed-IP-Address, RADIUS attribute [8]; associated with the virtual
   router where the subscriber logs in, RADIUS VSA [26-1]
4. username—User-Name, RADIUS attribute [1]; associated with the virtual router where
   the subscriber logs in, RADIUS VSA [26-1]
5. nas-port-id—NAS-Port-Id, RADIUS attribute [87]
6. dhcp-option-82—DHCP-Option-82, RADIUS attribute [26–159], Vendor ID 4874
7. agent-circuit-id—Agent-Circuit-ID, RADIUS attribute [26–1], Vendor ID 3561
8. agent-remote-id—Agent-Remote-ID, RADIUS attribute [26–2], Vendor ID 3561
For example, suppose you create the following three rules to trigger a packet mirroring
session.
host1(config)#mirror ip-address 192.168.105.25 ip secure-policy-list securePolicyIp4
host1(config)#mirror username jwbooth@isptheatre.com ip secure-policy-list securePolicyIp15
host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp10
Regardless of the order in which you configure the rules, the subscriber information is
first examined to determine whether the Acct-Session-Id matches the rule. If it does, no
further examination takes place and the subscriber's traffic is mirrored.
If the Acct-Session-Id does not match, then the subscriber information is next examined
to determine whether the Calling-Station-Id matches the rule. This process continues
for all configured rules.
If none of the trigger rules are matched, then that subscriber's traffic is not mirrored.
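The precedence evaluation described above can be modeled in a few lines of Python to check, during a configuration audit, which secure policy list applies when a subscriber matches more than one rule. This is an added example, not Juniper code: it parses only the mirror command form shown on this page, ignores virtual-router scoping, and the subscriber records and the function names parse_rules and resolve are constructed for illustration.

```python
import re

# Trigger keywords in the order of precedence listed above (highest first).
PRECEDENCE = [
    "acct-session-id", "calling-station-id", "ip-address", "username",
    "nas-port-id", "dhcp-option-82", "agent-circuit-id", "agent-remote-id",
]

# Matches "mirror <trigger> <value> ip secure-policy-list <name>"; value may contain spaces.
RULE_RE = re.compile(
    r"mirror\s+(?P<trigger>\S+)\s+(?P<value>.+?)\s+ip\s+secure-policy-list\s+(?P<policy>\S+)\s*$"
)

# The three rules from this page, deliberately not in precedence order.
CONFIG = [
    "host1(config)#mirror ip-address 192.168.105.25 ip secure-policy-list securePolicyIp4",
    "host1(config)#mirror username jwbooth@isptheatre.com ip secure-policy-list securePolicyIp15",
    "host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp10",
]

def parse_rules(config_lines):
    """Extract (trigger, value, policy) tuples from mirror commands; skip anything else."""
    rules = []
    for line in config_lines:
        m = RULE_RE.search(line)
        if m and m.group("trigger") in PRECEDENCE:
            rules.append((m.group("trigger"), m.group("value"), m.group("policy")))
    return rules

def resolve(rules, subscriber):
    """Return (trigger, policy) for the first matching rule by precedence, or None."""
    # Configuration order is irrelevant: rules are examined by trigger precedence.
    for trigger, value, policy in sorted(rules, key=lambda r: PRECEDENCE.index(r[0])):
        if subscriber.get(trigger) == value:
            return trigger, policy
    return None  # no trigger matched: traffic is not mirrored

# Constructed subscriber records (hypothetical sessions for the same user).
SUB_ALL = {"acct-session-id": "atm 2/1.2:0.42:0001048579",
           "ip-address": "192.168.105.25", "username": "jwbooth@isptheatre.com"}
SUB_NEW_SESSION = dict(SUB_ALL, **{"acct-session-id": "atm 2/1.2:0.42:0001048580"})
SUB_NEW_IP = dict(SUB_NEW_SESSION, **{"ip-address": "192.0.2.10"})
SUB_OTHER = {"acct-session-id": "atm 2/1.2:0.42:0001048581",
             "ip-address": "192.0.2.11", "username": "other@example.net"}

if __name__ == "__main__":
    for name in ("SUB_ALL", "SUB_NEW_SESSION", "SUB_NEW_IP", "SUB_OTHER"):
        print(name, "->", resolve(parse_rules(CONFIG), globals()[name]))
```

Running it shows the applied policy list changing from securePolicyIp10 to securePolicyIp4 to securePolicyIp15 as the higher-precedence triggers stop matching, which is the case to review when overlapping rules point at different secure policy lists.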
Chapter 13: Managing Packet Mirroring