Subscriber secure policy provides RADIUS-initiated traffic mirroring on a per-subscriber basis. RADIUS-initiated mirroring creates secure policies based on certain RADIUS VSAs and uses RADIUS attributes to identify the subscriber whose traffic is to be mirrored. The traffic mirroring operation is triggered by the attributes received in RADIUS messages. Both the subscriber’s ingress and egress traffic are mirrored. The original traffic is sent to its intended destination and the mirrored traffic is sent to a mediation device for analysis.
There are two variations of RADIUS-initiated mirroring. For both variations, the mirroring operation is initiated without regard to the subscriber location, router, interface, or type of traffic.
Configuration of RADIUS-based mirroring is independent of the actual mirroring session—you can configure the mirroring parameters at any time. Also, you can use a single RADIUS server to provision mirroring operations on multiple routers in a service provider’s network. To provide security, the ability to configure, access, and view the subscriber secure policy components and configuration is restricted to authorized users. The actual mirroring operation is transparent to subscribers whose traffic is being mirrored.
Traffic mirroring has many uses, such as debugging network problems, troubleshooting specific user issues, and lawful intercept. For example, you might use RADIUS-based mirroring when debugging network problems related to mobile users, who do not always log in to the same router. RADIUS-based mirroring is particularly useful for large networks, in which you can use a single RADIUS server to provision the mirroring operation.
Table 17 defines terms that are used in the discussion of subscriber secure policy.
Table 17: Subscriber Secure Policy Terms