Application
The following list compares the different types of packet-mirroring methods:
CLI-based user-specific and RADIUS-based user-specific mirroring are also useful to
mirror L2TP traffic at the L2TP access concentrator (LAC). If the L2TP network server
(LNS) and the LAC belong to different service providers, mirroring at the LAC enables
mirroring to take place close to the user's domain.
CLI-based packet mirroring: All packet mirroring commands are hidden by
default. You must execute the mirror-enable command to make the mirroring
commands visible. You can optionally configure authorization methods to control
access to the mirror-enable command, which makes the packet mirroring
commands available only to authorized users. The mirror-enable command is
in privilege level 12 by default and the mirroring commands are in privilege level
13 by default. You can change the privilege levels of these commands; however,
we recommend that you always put the mirror-enable command at a different
privilege level than the mirroring commands.

RADIUS-based packet mirroring: Access to RADIUS-based mirroring functionality
is unrestricted. However, the display of mirroring functionality is restricted to
privilege level 13 users by default. In addition, the user must execute the
mirror-enable command to make the packet mirroring-related show commands
visible.
RADIUS-based mirroring uses dynamically created secure policies based on
certain RADIUS VSAs. You attach the secure policies to the interface used by the
mirrored user. The packet-mirroring VSAs that the RADIUS server sends to the
E Series router are MD5 salt-encrypted.

CLI-based packet mirroring is useful when organizations want to provide
separation between the typical network operations personnel and the mirroring
operations personnel. For example, if security is essential, you might perform
the entire packet-mirroring configuration on the analyzer device, separate from
the normal network operations role. This way, only the authorized personnel on
the analyzer device are aware of the mirroring operation. If this level of security
is not required, authorized network operations personnel can perform the
configuration and management on the router as usual.

CLI-based interface-specific mirroring can be useful in small networks with
few E Series routers and in static environments where a user typically logs
in to the same router through the same interface.

CLI-based user-specific mirroring is useful in B-RAS environments, in which
users log in and log out frequently.

RADIUS-based user-specific mirroring is triggered when needed, either when
the specified user logs in (user-initiated) or when the user is already logged in
and RADIUS-based mirroring is enabled or modified (RADIUS-initiated).
RADIUS-based mirroring also provides an excellent solution for B-RAS networks,
for example to troubleshoot traffic problems related to mobile users.
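
The RADIUS-based item above states that the packet-mirroring VSAs are MD5 salt-encrypted but does not give the format. The following added example (not from the manual or the vendor) assumes the salt-encryption method that RFC 2868 defines for Tunnel-Password, and shows that the protection of the value rests on the RADIUS shared secret and the Request Authenticator. The function names, secret, authenticator and attribute value are constructed for illustration.

```python
import hashlib
import os

def salt_encrypt(value, secret, request_auth, salt=None):
    """Return 2-octet salt + ciphertext (assumed RFC 2868 section 3.5 scheme)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(value) > 255:
        raise ValueError("value too long for the one-octet length prefix")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])  # high bit of the salt is always set
    plain = bytes([len(value)]) + value
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to a 16-octet multiple
    out, seed = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + seed).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += block
        seed = block                           # chain on the previous ciphertext block
    return salt + out

def salt_decrypt(blob, secret, request_auth):
    """Recover the value; raise ValueError on malformed or undecryptable input."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) < 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed salt-encrypted attribute")
    plain, seed = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + seed).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        seed = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("bad length octet (wrong secret or authenticator?)")
    return plain[1:1 + length]

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample, not a real key
    authenticator = bytes(range(16))        # constructed Request Authenticator
    blob = salt_encrypt(b"192.0.2.10", secret, authenticator)
    print(blob.hex(), salt_decrypt(blob, secret, authenticator))
```

Because the keystream is MD5 over the shared secret, anyone holding that secret and a capture of the exchange can recover the attribute values, so the secret deserves the same handling as the mirroring privilege levels.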
Comparing CLI-Based Mirroring and RADIUS-Based Mirroring
Chapter 10: Packet Mirroring Overview