Configuring Support for Subscriber Secure Policy Mirroring

Subscriber secure policy runs on the radius-flow-tap service. This topic describes the steps to configure radius-flow-tap support for RADIUS-initiated and DTCP-initiated subscriber secure policy mirroring.

To configure the radius-flow-tap service to support subscriber secure policy mirroring:

  1. Configure the flow-tap service used for subscriber secure policy mirroring.
    [edit services]
    user@host# edit radius-flow-tap
  2. Assign the tunnel interfaces that the radius-flow-tap service uses.
    [edit services radius-flow-tap]
    user@host# set interfaces vt-1/1/0.0

    If a currently used tunnel interface is deleted from the pool of interfaces, the active mirroring sessions are redistributed from the deleted interface to other tunnel interfaces in the pool. Also, when a new tunnel interface is added into the pool, the service adds the new interface to the list of interfaces available for new mirroring sessions or for existing sessions transferred from a failed interface.

  3. Specify the source IP address that the radius-flow-tap service uses for mirroring. This address is used in the IP header prepended to mirrored packets that are sent to the content destination device.
    [edit services radius-flow-tap]
    user@host# set source-ipv4-address ipv4-address
  4. (Optional) Specify the forwarding class that is applied to the mirrored packets sent to the mediation device.

    If you do not specify a forwarding class, mirrored packets inherit the forwarding class from the original packet (which is the forwarding class set by default classification that CoS applies to the packet on the ingress interface).

    [edit services radius-flow-tap]
    user@host# set forwarding-class class-name
  5. (Optional) Specify the lawful intercept policy that determines what traffic, if any, is not sent to the mediation device.

    You can add or change a lawful intercept policy at any time, but a change does not take effect for a policy that is currently enabled. To change a policy, add a policy with a new name, use DTCP DISABLE to turn off the current policy, and use DTCP ENABLE to point to the new policy name.

    [edit services radius-flow-tap]
    user@host# set policy policy-name
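
The following audit script is an added example, not part of the original topic or Juniper's own tooling. It checks the output of `show configuration services radius-flow-tap | display set` against the steps above. The sample configuration is constructed, and the second interface `vt-1/2/0.0`, the address `192.0.2.10` and the policy name `li-policy-v2` are assumed values.

```python
import ipaddress

# Constructed sample of "show configuration services radius-flow-tap | display set".
SAMPLE = """\
set services radius-flow-tap interfaces vt-1/1/0.0
set services radius-flow-tap interfaces vt-1/2/0.0
set services radius-flow-tap source-ipv4-address 192.0.2.10
set services radius-flow-tap policy li-policy-v2
"""
PREFIX = "set services radius-flow-tap "

def parse(text):
    """Collect the four statements this procedure configures."""
    cfg = {"interfaces": [], "source-ipv4-address": None,
           "forwarding-class": None, "policy": None}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        parts = line[len(PREFIX):].split()
        if len(parts) != 2 or parts[0] not in cfg:
            continue
        key, value = parts
        if key == "interfaces":
            cfg[key].append(value)  # the pool can hold several tunnel interfaces
        else:
            cfg[key] = value
    return cfg

def audit(text):
    """Return findings for steps 2-5; ERROR marks a missing required step."""
    cfg, out = parse(text), []
    if not cfg["interfaces"]:
        out.append("ERROR: no tunnel interface assigned (step 2)")
    elif len(cfg["interfaces"]) == 1:
        out.append("INFO: one-interface pool; no other interface can take over its sessions")
    src = cfg["source-ipv4-address"]
    if src is None:
        out.append("ERROR: source-ipv4-address not set (step 3)")
    else:
        try:
            ipaddress.IPv4Address(src)
        except ValueError:
            out.append(f"ERROR: source-ipv4-address {src!r} is not valid IPv4")
    if cfg["forwarding-class"] is None:
        out.append("INFO: no forwarding-class; mirrored packets inherit the original packet's class")
    if cfg["policy"] is None:
        out.append("INFO: no lawful intercept policy set (step 5 is optional)")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```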

Published: 2013-02-11