JUNOSe 11.1.x Policy Management Configuration Guide
mirroring commands. For example, if you are using TACACS+, the mirror-enable
command is the only packet mirroring command that is sent to the TACACS+ server.
You can also use TACACS+ to prevent unauthorized individuals from modifying the
configuration of analyzed ports.
See chapter Passwords and Security in JUNOSe System Basics Configuration Guide for
more information about access levels. See chapter Configuring TACACS+ in JUNOSe
Broadband Access Configuration Guide for information about TACACS+ authorization.
Reloading a CLI-Based Packet-Mirroring Configuration
You can reload your packet mirroring configuration as part of a configuration file
(.cnf) reload operation or when you run a script file (.scr) that you have saved from
the show configuration command display. When you reload a .cnf file, the
packet-mirroring configuration is restored; no additional steps are required.
For a .scr file operation, the mirror-enable command must be enabled both before
saving the .scr file from the show configuration display and also before you run the
script to reload the packet-mirroring configuration. If the mirror-enable command
is not enabled, the .scr file operation for the packet-mirroring configuration fails.
Using TACACS+ and Vty Access Lists to Secure Packet Mirroring
This procedure uses TACACS+ and vty access lists to manage the users who have
access to the mirror-enable command. An authorized user who issues the
mirror-enable command then gains access to the packet mirroring CLI commands
and information.
This technique enables you to restrict the visibility and use of packet mirroring
commands to a controlled, authorized group of users.
1. Configure TACACS+ authorization for the access level of the mirror-enable
command (level 12 by default).
2. Configure the router either to allow or disallow authorization when the TACACS+
servers are not available.
3. Configure all vty lines and the console to use the TACACS+ authorization
configuration from Step 1 for access level 12 commands.
This procedure ensures that packet mirroring commands are never sent out of the
E Series router; only the mirror-enable command is sent. The packet mirroring
configuration and all information about mirrored interfaces and subscribers are
available only to users who are authorized for the packet mirroring CLI commands
on the router.
Using Vty Access Lists to Secure Packet Mirroring
In this procedure, TACACS+ authorization is not used. However, you can still use
vty access lists to control access to the mirror-enable command, which enables you
to create isolation between the authorized packet mirroring users and unauthorized
network operators.
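As an added illustration (not from the guide, and not JUNOSe CLI syntax), the following Python model shows the access-control design behind both procedures above: a vty access list decides who can open a session, TACACS+ sees only the level-12 mirror-enable command (with the configured allow/disallow behaviour when the servers are down), and every other packet mirroring command is gated locally on a session that has already passed mirror-enable. The TacacsServer, Session and Router classes, the sample users and addresses, and the command-name prefixes are assumptions of the model.

```python
import ipaddress

# Hypothetical stand-in for a TACACS+ server: it only ever sees mirror-enable.
class TacacsServer:
    def __init__(self, level12_users, available=True):
        self.level12_users = set(level12_users)  # users authorized for level 12
        self.available = available
        self.requests = []  # every command actually sent to the server

    def authorize(self, user, command):
        if not self.available:
            raise ConnectionError("TACACS+ servers not available")
        self.requests.append((user, command))
        return user in self.level12_users

class Session:
    """One vty session; remembers whether mirror-enable has been granted."""
    def __init__(self, user):
        self.user = user
        self.mirror_enabled = False

class Router:
    def __init__(self, tacacs, vty_access_list, allow_when_servers_down):
        self.tacacs = tacacs
        # vty access list: source networks allowed to open a session
        self.vty_access_list = [ipaddress.ip_network(n) for n in vty_access_list]
        # Step 2 on the page: allow or disallow authorization when servers are down
        self.allow_when_servers_down = allow_when_servers_down

    def login(self, user, source_ip):
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.vty_access_list):
            return None  # rejected by the vty access list
        return Session(user)

    def run(self, session, command):
        if command == "mirror-enable":
            # the only packet mirroring command sent to TACACS+ (level 12)
            try:
                granted = self.tacacs.authorize(session.user, command)
            except ConnectionError:
                granted = self.allow_when_servers_down
            session.mirror_enabled = granted
            return granted
        if command.startswith(("mirror", "show mirror")):  # hypothetical naming
            # other mirroring commands never leave the router; gated locally
            return session.mirror_enabled
        return True  # commands outside the packet mirroring set: out of scope
```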