Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  MX960 - L3 Port Mirroring

    Posted 04-01-2009 21:47

    Hi, I've got Layer 3 port mirroring enabled on a few select routed irb interfaces. In the firewall-filter applied, can I filter out only the hosts that I want to see to limit the traffic that's spanned to my application analyzer? Using JUNOS 9.4

    thanks!

     


    #Port
    #span
    #JUNOS
    #mirror
    #MX960


  • 2.  RE: MX960 - L3 Port Mirroring
    Best Answer

    Posted 04-26-2009 16:09

    JUNOS port-mirroring is driven by a firewall filter, and "port-mirror" is the action that causes the packet to be mirrored. Thus you can specify exactly the traffic you want to mirror based on standard firewall syntax.

     

    Ex:  only mirror traffic from a specific source-address on ingress to ge-0/0/3:

     

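    interfaces {
        ge-0/0/3 {
            unit 0 {
                family inet {
                    filter {
                        input mirror;
                    }
                    address 10.1.1.254/24;
                }
            }
        }
    }

    firewall {
        filter mirror {
            /* mirror only packets from this source address */
            term term1 {
                from {
                    source-address {
                        10.1.1.1/32;
                    }
                }
                then {
                    port-mirror;
                    accept;
                }
            }
            /* everything else is forwarded without being mirrored */
            term default {
                then accept;
            }
        }
    }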

    forwarding-options {
        port-mirroring {
            input {
                rate 1;
                run-length 0;
            }
            family inet {
                output {
                    interface ge-0/0/0.0 {
                        next-hop 192.168.1.233;
                    }
                }
            }
        }
    }

     

    Any traffic not matching that source-address will be simply accepted by the default term and will not be mirrored.

    Message Edited by JNPRdbackman on 04-26-2009 04:08 PM
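
An added example, not part of the original post or any Juniper tooling: a Python sketch that parses brace-style configuration like the one above and lists every filter term taking the `port-mirror` action together with its match conditions, so a term with no `from` clause (which matches, and therefore mirrors, every packet on the interface it is applied to) stands out in review. The sample config and the function names are constructed for illustration; the parser assumes no comments and no quoted strings containing braces or semicolons.

```python
import re
# Constructed sample modelled on the thread's filters (whitespace folded).
SAMPLE = """
firewall {
    filter mirror {
        term term1 {
            from { source-address { 10.1.1.1/32; } }
            then { port-mirror; accept; }
        }
        term default { then accept; }
    }
    filter mirror-all { term 1 { then { count mirror1; port-mirror; } } }
}
"""

def parse(text):
    """Parse brace-style Junos config into nested dicts (leaf statements -> None)."""
    stack = [{}]
    for stmt, delim in re.findall(r"\s*([^{};]*?)\s*([{};])", text):
        if delim == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif delim == "}":
            stack.pop()
        else:
            stack[-1][stmt] = None
    return stack[0]

def flatten(node, prefix=""):
    """Flatten a match block into strings like 'source-address 10.1.1.1/32'."""
    out = []
    for key, val in (node or {}).items():
        path = f"{prefix} {key}".strip()
        out += flatten(val, path) if val else [path]
    return out

def mirror_terms(cfg):
    """Return (filter, term, match_conditions) for each term that port-mirrors."""
    found = []
    for fname, fbody in cfg.get("firewall", {}).items():
        terms = {k[5:]: v for k, v in (fbody or {}).items() if k.startswith("term ") and v}
        for tname, tbody in terms.items():
            # Actions come as a "then { ... }" block or an inline "then <action>;"
            actions = set(tbody.get("then") or {}) | {k[5:] for k in tbody if k.startswith("then ")}
            if "port-mirror" in actions:
                found.append((fname.split()[-1], tname, flatten(tbody.get("from"))))
    return found

if __name__ == "__main__":
    print(*mirror_terms(parse(SAMPLE)), sep="\n")
```

An empty match list in the output marks a term that mirrors all traffic on its interface.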


  • 3.  RE: MX960 - L3 Port Mirroring

    Posted 04-27-2009 07:16
    Thanks Dan, that worked out well.


  • 4.  RE: MX960 - L3 Port Mirroring

    Posted 11-29-2009 02:23

    Hi, can I have your configuration please?

    Do we need to configure the IP address on the output interface?

    What is the significance of "Next hop IP address"?

     

    Please help me..

     

    Thanks

    Suresh



  • 5.  RE: MX960 - L3 Port Mirroring

    Posted 09-08-2010 05:21

    Hi Suresh

    Did you get this working?

    I'm having the same doubts as you...

    Moreover, what if what I had in the output interface was a level2 sniffer? Would I need to configure the next-hop on it?

    Thanks!



  • 6.  RE: MX960 - L3 Port Mirroring

    Posted 11-18-2011 13:37

    Hi all,

     

    I am testing the port mirror configuration on MX960. I used the first configuration and it works; now the customer has 2 analyzers.

    They want to mirror some interfaces to analyzer1 and other interfaces to analyzer2. I was thinking of using "next-hop-group", but when I configure both, only the first next-hop-group is working.

    I am sending my configuration:

     

    ge-7/0/0 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 45 {
            description to-P-WAS;
            vlan-id 45;
            family inet {
                filter {
                    input mirror1;
                }
                address 10.10.45.2/30;
            }
            family iso;
            family inet6;
            family mpls;
        }
        unit 50 {
            description to-P-MON;
            vlan-id 50;
            family inet {
                filter {
                    input mirror2;
                }
                address 10.10.50.2/30;
            }
            family iso;
            family inet6;
            family mpls;
        }
    }
    ge-7/0/5 {
        speed 100m;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family inet {
                address 1.1.1.1/30 {
                    arp 1.1.1.2 mac 00:11:25:44:8d:87;
                }
            }                               
        }
    }
    ge-7/0/6 {
        speed 100m;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family inet {
                address 1.1.1.5/30 {
                    arp 1.1.1.6 mac 00:26:9e:8c:df:26;
                }
            }
        }
    }
    firewall {
        filter mirror1 {
            term 1 {
                then {
                    count mirror1;
                    log;
                    port-mirror;
                    next-hop-group mirror1;
                }
            }
            term default {
                then accept;
            }
        }
        filter mirror2 {
            term 1 {
                then {
                    count mirror2;
                    log;
                    port-mirror;
                    next-hop-group mirror2;
                }
            }
            term default {
                then accept;
            }
        }
    }
    forwarding-options {
        port-mirroring {
            input {
                rate 1;
                run-length 0;
            }
        }
        next-hop-group mirror1 {
            group-type inet;
            interface ge-7/0/5.0 {
                next-hop 1.1.1.2;
            }
        }
        next-hop-group mirror2 {
            group-type inet;
            interface ge-7/0/6.0 {
                next-hop 1.1.1.6;
            }
        }
    }

     

    I don't know if it is necessary to set both interfaces again in the "port-mirroring family output".

     

    Best regards,

     

    David.