Original Message:
Sent: 12-17-2020 15:41
From: Unknown User
Subject: Port Mirroring and Filtering
Thanks, I can move ahead with confidence now!
One quick follow-up question... Is there a difference between an analyzer and port-mirror, or is it just ELS syntax?
Original Message:
Sent: 12-17-2020 09:09
From: Juan Ospina
Subject: Port Mirroring and Filtering
Hi Luke,
Including the default allow-all at the end is necessary; otherwise, anything that does not match the SA or DA on the filter will be discarded. Your config looks correct to me.
------------------------------
Juan Ospina
Original Message:
Sent: 12-16-2020 17:13
From: Unknown User
Subject: Port Mirroring and Filtering
Hi,
I need to analyze traffic on an Aggregated Ethernet interface. There is too much traffic to send to my little server, so I need to filter what's sent first.
I'm aware that this needs firewall filters. I haven't used them much, so I want to double-check I have this right, so I don't block traffic.
(this is on an EX4600)
Step 1: Configure the mirrored port
set forwarding-options port-mirroring family inet output interface ge-0/0/18
Step 2: Filter traffic to and from an IP address
set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43 then port-mirror
set firewall family inet filter PCAP term mirror-source from source-address 172.16.237.43 then accept
set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43 then port-mirror
set firewall family inet filter PCAP term mirror-destination from destination-address 172.16.237.43 then accept
Step 3: Allow all other traffic (avoid dropping any other traffic)
set firewall family inet filter PCAP term accept-all then accept
Step 4: Apply to the interface
set interfaces ae0 unit 0 family inet filter input PCAP
Does it look like I've done this correctly? Am I right to put the 'allow-all' rule at the end of the firewall filter?
Thanks
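Added example (not part of the thread, and not Juniper code): a simplified Python model of how the PCAP filter from the original post is evaluated, showing what the reply describes, namely that without the final accept-all term any packet matching neither address term falls through to the implicit discard. The Term class, the evaluate and summarize functions, and the sample packets are constructed for illustration; only the term names and the address 172.16.237.43 come from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Term:
    name: str
    src: Optional[str] = None   # models 'from source-address'
    dst: Optional[str] = None   # models 'from destination-address'
    mirror: bool = False        # models 'then port-mirror'
    action: str = "accept"      # terminating action of the term

def _matches(addr, prefix):
    # A term with no condition on this field matches every packet.
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def evaluate(terms, src, dst):
    """Return (action, mirrored, term_name); the first matching term wins."""
    for t in terms:
        if _matches(src, t.src) and _matches(dst, t.dst):
            return t.action, t.mirror, t.name
    # No term matched: a firewall filter ends with an implicit discard.
    return "discard", False, "(implicit discard)"

HOST = "172.16.237.43/32"
PCAP = [
    Term("mirror-source", src=HOST, mirror=True),
    Term("mirror-destination", dst=HOST, mirror=True),
    Term("accept-all"),
]
PCAP_NO_DEFAULT = PCAP[:2]      # same filter with the accept-all term left out

# Constructed sample packets (source, destination) arriving on ae0.
PACKETS = [
    ("172.16.237.43", "10.0.0.5"),   # from the monitored host
    ("10.0.0.5", "172.16.237.43"),   # to the monitored host
    ("10.0.0.5", "10.0.0.9"),        # unrelated production traffic
]

def summarize(terms):
    """(action, mirrored) for each sample packet, in PACKETS order."""
    return [evaluate(terms, s, d)[:2] for s, d in PACKETS]

if __name__ == "__main__":
    for label, flt in (("with accept-all", PCAP), ("without accept-all", PCAP_NO_DEFAULT)):
        for s, d in PACKETS:
            print(f"{label:20} {s} -> {d}: {evaluate(flt, s, d)}")
```

In both variants only the two packets involving the monitored host are mirrored; the difference is that the unrelated packet is accepted by accept-all in the first and dropped in the second.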