Configuring RADIUS-Initiated Subscriber Secure Policy Mirroring Overview
Before you configure subscriber secure policy traffic mirroring, note the following:
- Subscriber secure policy mirroring runs on the radius-flow-tap service infrastructure. To configure the subscriber secure policy service, you must have the same privileges that are required to configure the radius-flow-tap service.
- The subscriber secure policy feature requires some system resources while mirroring, encrypting, and sending traffic to the mediation device. For example, you might elect to use a 10-Gigabit Ethernet interface for the tunnel to the mediation device if you expect the amount of traffic you plan to mirror to approach 1 Gbps of actual user data.
To configure the subscriber secure policy service:
- Configure tunnel interfaces (vt interfaces) that are used to send mirrored content to the mediation device. See Configuring Tunnel Interfaces for Subscriber Secure Policy Mirroring.
- Configure radius-flow-tap service support for subscriber secure policy. This support includes optional forwarding-class information that the subscriber secure policy service uses to send mirrored traffic to the content destination device. See Configuring Support for Subscriber Secure Policy Mirroring.
- Configure an access profile that specifies the RADIUS-related support for subscriber secure policy on the router, including a list of one or more RADIUS authentication servers. The router uses the list of specified servers for both authentication and dynamic request operations. You must also configure the RADIUS dynamic request feature, which provides the CoA message support used for in-session traffic mirroring. See Configuring RADIUS Server Support for Subscriber Secure Policy Mirroring.
Ensure that the following support is also configured:
- The RADIUS record of the mirrored subscriber must include the RADIUS attributes and VSAs required for subscriber secure policy mirroring. See RADIUS Attributes Used for Subscriber Secure Policy for descriptions of the supported attributes used in RADIUS Access-Accept and CoA messages.
- The mediation device must be configured to accept the mirrored content.
- (Optional) Enable the mirroring of IPv4 multicast traffic on the router. See Enabling Subscriber Secure Policy Mirroring for IPv4 Multicast Traffic.
- (Optional) Configure SNMPv3 trap support to report mirroring-related events to the mediation device. See Configuring SNMPv3 Traps for Subscriber Secure Policy Mirroring.
To terminate an active subscriber mirroring session at any time, see Terminating RADIUS-Initiated Subscriber Traffic Mirroring.