Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X Configuration Manual page 279

Junose software for broadband services routers policy management configuration guide

If the analyzer device is unreachable, then the mirror action in the secure policy is
disabled, and no packets are mirrored. The show secure policy-list command output
indicates that the mirror action is disabled and the analyzer device is unreachable.
The router tracks the analyzer device's IP address for any route changes within the
router. This tracking ability provides a degree of failure recovery by enabling you to
configure multiple analyzer interfaces to serve as redundant ports to reach the
analyzer device.
Using Multiple Triggers for CLI-Based Packet Mirroring
When you configure CLI-based packet mirroring, you can create multiple mirroring
rules for a particular subscriber. For example, you might create two rules: one rule
that uses the IP address as the trigger that identifies the user, and a second rule with
the subscriber's username as the trigger. You can also configure RADIUS-based mirroring
to use multiple methods to identify subscribers.
To avoid conflicts between multiple mirroring rules, both CLI-based and RADIUS-based
mirroring operations assign a precedence to the subscriber identification triggers.
Subscriber information is examined for configured triggers according to the order
of precedence.
The following list indicates the order of precedence for the subscriber identification
triggers; Acct-Session-Id has the highest precedence. The keywords for the mirror
and mirror disable commands are listed below with their associated RADIUS attributes.
1. acct-session-id: Acct-Session-Id, RADIUS attribute [44]
2. calling-station-id: Calling-Station-Id, RADIUS attribute [31]
3. ip-address: Framed-IP-Address, RADIUS attribute [8]; associated with the virtual
   router where the subscriber logs in, RADIUS VSA [26-1]
4. username: User-Name, RADIUS attribute [1]; associated with the virtual router
   where the subscriber logs in, RADIUS VSA [26-1]
5. nas-port-id: NAS-Port-Id, RADIUS attribute [87]
6. dhcp-option-82: DHCP-Option-82, RADIUS attribute [26-159], Vendor ID 4874
7. agent-circuit-id: Agent-Circuit-ID, RADIUS attribute [26-1], Vendor ID 3561
8. agent-remote-id: Agent-Remote-ID, RADIUS attribute [26-2], Vendor ID 3561

For example, suppose you create the following three rules to trigger a packet mirroring
session.

host1(config)#mirror ip-address 192.168.105.25 ip secure-policy-list securePolicyIp4
host1(config)#mirror username jwbooth@isptheatre.com ip secure-policy-list securePolicyIp15
host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp10

Regardless of the order in which you configure the rules, the subscriber information
is first examined to determine whether the Acct-Session-Id matches the rule. If it
does, no further examination takes place and the subscriber's traffic is mirrored,
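
The precedence evaluation described in this section can be modeled offline to check which of several mirroring rules takes effect for a subscriber. The following Python sketch is an added example, not JunosE code or part of the original guide; the function names and the subscriber record are assumptions, and the virtual router association of ip-address and username is not modeled.

```python
# Added illustration: a model of trigger precedence, not JunosE code.
# Keywords and their order come from the precedence list in this section.
PRECEDENCE = [
    "acct-session-id", "calling-station-id", "ip-address", "username",
    "nas-port-id", "dhcp-option-82", "agent-circuit-id", "agent-remote-id",
]

def select_rule(rules, subscriber):
    """Return (trigger, policy_list) of the rule that applies, or None.

    rules: list of (trigger_keyword, value, secure_policy_list), any order.
    subscriber: dict of trigger_keyword -> value known for the session.
    """
    for trigger, _, _ in rules:
        if trigger not in PRECEDENCE:
            raise ValueError(f"unknown trigger keyword: {trigger}")
    # Examine triggers from highest to lowest precedence; stop at first match.
    for trigger in PRECEDENCE:
        for rule_trigger, value, policy in rules:
            if rule_trigger == trigger and subscriber.get(trigger) == value:
                return trigger, policy
    return None

def shadowed_rules(rules, subscriber):
    """Rules that match the subscriber but lose to a higher-precedence match."""
    winner = select_rule(rules, subscriber)
    return [
        (t, p) for t, v, p in rules
        if subscriber.get(t) == v and winner and (t, p) != winner
    ]

# The three rules from the example above, in configuration order.
RULES = [
    ("ip-address", "192.168.105.25", "securePolicyIp4"),
    ("username", "jwbooth@isptheatre.com", "securePolicyIp15"),
    ("acct-session-id", "atm 2/1.2:0.42:0001048579", "securePolicyIp10"),
]

# Constructed subscriber session that matches all three rules.
SUBSCRIBER = {
    "ip-address": "192.168.105.25",
    "username": "jwbooth@isptheatre.com",
    "acct-session-id": "atm 2/1.2:0.42:0001048579",
}

if __name__ == "__main__":
    print(select_rule(RULES, SUBSCRIBER))
    print(shadowed_rules(RULES, SUBSCRIBER))
```

Running shadowed_rules over an exported rule set shows which configured rules are never reached for a given subscriber, which is useful when auditing overlapping mirroring rules.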
Chapter 13: Managing Packet Mirroring


This manual is also suitable for:

E series
