JUNOSe 11.1.x Policy Management Configuration Guide
1. Configure the analyzer interface, the route to the analyzer device, and any static ARP entries.
2. Allow authorized users to have access to the mirror-enable command. The users can then make the packet mirroring CLI commands visible and perform the following steps.
3. Configure the secure policy that forwards the mirrored traffic to the analyzer device.
4. (Optional) For increased security, create an IPSec tunnel between the analyzer interface and the analyzer device.
5. For interface-specific mirroring, attach the secure policy to the interface.
6. For user-specific mirroring, configure the trigger that identifies the user.

Example: Configuring CLI-Based Interface-Specific Mirroring

This example shows the configuration of a CLI-based packet mirroring session for a particular static IP interface. The configuration results in all traffic through the interface being replicated and the replicated traffic then sent through an IPSec tunnel to the analyzer device.

1. Enable the visibility and use of the packet mirroring CLI commands.

   host1#mirror-enable

2. Configure the analyzer interface and a route to reach the analyzer device at 192.168.125.29.

   host1(config)#virtual-router vr1
   host1:vr1(config)#interface tunnel ipsec:Diag transport-virtual-router default
   host1:vr1(config-if)#ip analyzer
   host1:vr1(config-if)#exit
   host1:vr1(config)#ip route 192.168.125.29 255.255.255.255 tunnel ipsec:Diag

   NOTE: If the analyzer interface is Ethernet-based, you must configure a static ARP entry for the analyzer device.

3. Configure the secure IP policy that forwards the mirrored traffic to the analyzer device at 192.168.125.29.

   In this example, the configured mirror rule does not include the analyzer-udp-port keyword. Therefore, the rule sets the mirror header to disable, which means that the mirror header is not prepended to the mirrored packets. See "Understanding the Prepended Header During a Packet Mirroring Session" on page 249 for information about the prepended mirror header. The classifier-group command uses a previously configured classifier list, secClassA.

   host1:vr1(config)#secure ip policy-list secureIpPolicy1
   host1:vr1(config-policy-list)#classifier-group secClassA
   host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1
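As an added example (not part of the Juniper guide), the following Python script reads a captured CLI session in the prompt format used above and reports, for each mirror rule, whether the analyzer address has a host route through an IPSec tunnel interface in the analyzer virtual router, so that mirrored traffic sent without the optional tunnel is easy to spot. The function names, the second policy (secureIpPolicy2), the address 192.168.125.30 and the exit commands in the sample are constructed for illustration; only host routes written as in the example (mask 255.255.255.255) are recognized.

```python
import re

# Constructed transcript; secureIpPolicy2 and 192.168.125.30 are made up.
SESSION = """\
host1(config)#virtual-router vr1
host1:vr1(config)#interface tunnel ipsec:Diag transport-virtual-router default
host1:vr1(config-if)#ip analyzer
host1:vr1(config-if)#exit
host1:vr1(config)#ip route 192.168.125.29 255.255.255.255 tunnel ipsec:Diag
host1:vr1(config)#secure ip policy-list secureIpPolicy1
host1:vr1(config-policy-list)#classifier-group secClassA
host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1
host1:vr1(config-policy-list-classifier-group)#exit
host1:vr1(config-policy-list)#exit
host1:vr1(config)#secure ip policy-list secureIpPolicy2
host1:vr1(config-policy-list)#classifier-group secClassA
host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.125.30 analyzer-virtual-router vr1
"""

# Prompt layout taken from the page: host[:virtual-router][(mode)]#command
PROMPT = re.compile(r"^\S+?(?::(?P<vr>[^(#]+))?(?:\([^)]*\))?#\s*(?P<cmd>.*)$")
ROUTE = re.compile(r"^ip route (\S+) 255\.255\.255\.255 tunnel (ipsec:\S+)$")
POLICY = re.compile(r"^secure ip policy-list (\S+)$")
MIRROR = re.compile(r"^mirror analyzer-ip-address (\S+) analyzer-virtual-router (\S+)$")

def audit_mirror_sessions(transcript):
    """Return (policy, analyzer_ip, analyzer_vr, tunnel or None) per mirror rule.
    Routes are resolved after the full pass, so command order does not matter."""
    tunnel_routes = {}   # (virtual router, host address) -> IPSec tunnel interface
    mirrors = []         # (policy, analyzer ip, analyzer virtual router)
    policy = None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        vr, cmd = m.group("vr") or "default", m.group("cmd").strip()
        if r := ROUTE.match(cmd):
            tunnel_routes[(vr, r.group(1))] = r.group(2)
        elif p := POLICY.match(cmd):
            policy = p.group(1)
        elif x := MIRROR.match(cmd):
            mirrors.append((policy, x.group(1), x.group(2)))
    return [(pol, ip, avr, tunnel_routes.get((avr, ip))) for pol, ip, avr in mirrors]

def unprotected(transcript):
    """Mirror rules whose analyzer has no host route via an IPSec tunnel."""
    return [r for r in audit_mirror_sessions(transcript) if r[3] is None]

if __name__ == "__main__":
    for pol, ip, avr, tun in audit_mirror_sessions(SESSION):
        print(f"{pol}: analyzer {ip} in {avr} -> {tun or 'NO IPSec tunnel route'}")
```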