I need to analyze traffic on an Aggregated Ethernet interface. There is too much traffic to send to my little server, so I need to filter what's sent first.
I'm aware that this needs firewall filters. I haven't used them much, so I want to double-check I have this right, so I don't block traffic.
(this is on an EX4600)
Step 1: Configure the mirrored port
set forwarding-options port-mirroring family inet output interface ge-0/0/18
Step 2: Filter traffic to and from an IP address
set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43 then port-mirror
set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43 then accept
set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43 then port-mirror
set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43 then accept
Step 3: Allow all other traffic (avoid dropping any other traffic)
set firewall family inet filter PCAP term accept-all then accept
Step 4: Apply to the interface
set interfaces ae0 unit 0 family inet filter input PCAP
Does it look like I've done this correctly? Am I right to put the 'allow-all' rule at the end of the firewall filter?
Including the default allow-all at the end is necessary; otherwise, anything that does not match the SA or DA on the filter will be discarded. Your config looks correct to me.
Thanks, I can move ahead with confidence now!
One quick follow-up question... Is there a difference between an analyzer and port-mirror, or is it just ELS syntax?
Port mirroring is mostly used for MX as far as I know. On EX we regularly use the analyzer - ELS or not. You can also follow the guidelines here https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-local-qfx-series-els.html where analyzer is used instead of port-mirroring. I just caught that part on your config.
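The same four steps expressed with the EX/ELS analyzer syntax, as an added example that is not the poster's config or text from the Juniper page; the analyzer name PCAP-ANALYZER and the .0 logical unit on ge-0/0/18 are my assumptions, and the host address and port are the ones from the thread.

```junos
# Added example (not the original poster's or Juniper's config): filter-based
# mirroring using the EX/ELS "analyzer" form rather than "port-mirroring".
# Assumed names: analyzer PCAP-ANALYZER, logical unit ge-0/0/18.0.

# Step 1: define the analyzer and the port the mirrored copies go out of
set forwarding-options analyzer PCAP-ANALYZER output interface ge-0/0/18.0

# Step 2: the mirror action references the analyzer by name; each term still
# accepts, so the matched packet is forwarded normally as well as copied
set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43/32
set firewall family inet filter PCAP term mirror-source then analyzer PCAP-ANALYZER
set firewall family inet filter PCAP term mirror-source then accept
set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43/32
set firewall family inet filter PCAP term mirror-destination then analyzer PCAP-ANALYZER
set firewall family inet filter PCAP term mirror-destination then accept

# Step 3: final catch-all accept; without it the implicit discard at the end
# of the filter would drop every packet that matched neither term above
set firewall family inet filter PCAP term accept-all then accept

# Step 4: apply as an input filter. Only packets arriving on ae0 are inspected;
# traffic leaving the switch through ae0 is not seen by an input filter
set interfaces ae0 unit 0 family inet filter input PCAP

# Operational check after commit: confirm the analyzer is up and bound to ge-0/0/18.0
show analyzer
```

Because the filter is applied only in the input direction, which of the two terms fires depends on whether the host sits on the ae0 side or elsewhere in the network; egress traffic on ae0 is not mirrored by this configuration.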