Junos OS


Port Mirroring and Filtering

  • 1.  Port Mirroring and Filtering

    Posted 12-16-2020 17:13

    Hi,

    I need to analyze traffic on an Aggregated Ethernet interface. There is too much traffic to send to my little server, so I need to filter what's sent first.

    I'm aware that this needs firewall filters. I haven't used them much, so I want to double-check I have this right, so I don't block traffic.

    (this is on an EX4600)

    Step 1: Configure the mirrored port

    set forwarding-options port-mirroring family inet output interface ge-0/0/18

    Step 2: Filter traffic to and from an IP address

    set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43 then port-mirror

    set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43 then accept

    set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43 then port-mirror

    set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43 then accept

    Step 3: Allow all other traffic (avoid dropping any other traffic)

    set firewall family inet filter PCAP term accept-all then accept

    Step 4: Apply to the interface

    set interfaces ae0 unit 0 family inet filter input PCAP

    Does it look like I've done this correctly? Am I right to put the 'allow-all' rule at the end of the firewall filter?

    Thanks



  • 2.  RE: Port Mirroring and Filtering
    Best Answer

    Posted 12-17-2020 09:10

    Hi Luke,

    Including the default allow-all at the end is necessary; otherwise, anything that does not match the SA or DA on the filter will be discarded. Your config looks correct to me.



    ------------------------------
    Juan Ospina
    ------------------------------



  • 3.  RE: Port Mirroring and Filtering

    Posted 12-17-2020 15:41

    Thanks, I can move ahead with confidence now!

    One quick follow up question... Is there a difference between an analyzer and port-mirror, or is it just ELS syntax?




  • 4.  RE: Port Mirroring and Filtering

    Posted 12-17-2020 16:03

    Hi Luke,

    Port mirroring is mostly used for MX as far as I know. On EX we regularly use the analyzer, ELS or not. You can also follow the guidelines here https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-local-qfx-series-els.html where analyzer is used instead of port-mirroring. I just caught that part in your config.



    ------------------------------
    Juan Ospina
    ------------------------------
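
The four-step procedure from the first post, restated with the ELS analyzer syntax that the last reply points to for EX4600/QFX. This is an added example, not configuration from the thread or from Juniper's documentation; the interface names and the host 172.16.237.43 are taken from the original post, while the analyzer name PCAP-AN and the counter names are assumed. The `#` lines are annotations for the reader, not CLI input, so strip them before pasting into `load set terminal`.

```junos
# Step 1: on ELS platforms the mirror destination is an analyzer rather than
# forwarding-options port-mirroring. Use a dedicated port that carries nothing else.
set forwarding-options analyzer PCAP-AN output interface ge-0/0/18.0

# Step 2: mirror traffic to and from the host, count the hits, and accept explicitly.
# "analyzer" and "count" are action modifiers; "accept" is the terminating action.
set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43/32
set firewall family inet filter PCAP term mirror-source then count mirror-source-hits
set firewall family inet filter PCAP term mirror-source then analyzer PCAP-AN
set firewall family inet filter PCAP term mirror-source then accept
set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43/32
set firewall family inet filter PCAP term mirror-destination then count mirror-destination-hits
set firewall family inet filter PCAP term mirror-destination then analyzer PCAP-AN
set firewall family inet filter PCAP term mirror-destination then accept

# Step 3: final catch-all term. Every Junos filter ends in an implicit discard,
# so without this term anything not involving the host is dropped.
set firewall family inet filter PCAP term accept-all then count other-hits
set firewall family inet filter PCAP term accept-all then accept

# Step 4: attach to the LAG. An input filter only sees packets entering ae0.
set interfaces ae0 unit 0 family inet filter input PCAP

# Commit with an automatic rollback window so a mistake cannot blackhole ae0
# for longer than two minutes if you lose access.
commit confirmed 2

# Check that all three counters are incrementing (proof the catch-all is
# passing traffic) and that the analyzer shows the expected output interface,
# then make the change permanent.
run show firewall filter PCAP
run show forwarding-options analyzer PCAP-AN
commit
```

Two caveats a practitioner would want before relying on this. First, the filter is applied as `input` on ae0, so only packets arriving on the LAG are mirrored; whether egress filter-based mirroring is supported on your platform and release is something to confirm in the documentation for that release rather than assume. Second, the analyzer port receives the host's conversations in the clear, so the capture server on ge-0/0/18 should be treated as holding sensitive data and reachable only by the people who need the captures.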