Junos OS

  • 1.  MX port-mirroring

    Posted 11-16-2022 14:30

    Hi

    I'm curious how the port-mirroring action works on a filter on an MX router.

    If I have the filter configured below with both accept and port-mirror actions, will all traffic stop evaluation at that specific term, or will it go on to subsequent terms?

    accept is a terminating action for a filter and port-mirror is a non-terminating action, but I don't know how these behave together.

    term term1 {
        from {
            protocol tcp;
            destination-port 444;
        }
        then {
            discard;
        }
    }
    term mirror {
        then {
            port-mirror;
            accept;
        }
    }
    term term2 {
        from {
            source-address {
                1.1.1.1/32
            }
            destination-address {
                2.2.2.2/24
            }
        }
        then deny;
    }


    ------------------------------
    Radu Mohan
    ------------------------------


  • 2.  RE: MX port-mirroring

    Posted 11-17-2022 05:28
    term mirror is terminating, with or without the accept.
    non-terminating actions always have an implicit accept to them which terminates processing, with "next-term" available to override this. (firewall-filter-stateless-guidelines-for-configuring)
    term2 doesn't exist, other than in config, despite to config validation error.
    (note, I fixed the 2 errors in term2 to have it apply).

    mx01_cr1> show configuration firewall family inet filter radu
    term term1 {
     from {
      protocol tcp;
      destination-port 444;
     }
     then {
      discard;
     }
    }
    term mirror {
     then {
      port-mirror;
      accept;
     }
    }
    term term2 {
     from {
      source-address {
       1.1.1.1/32;
      }
      destination-address {
       2.2.2.0/24;
      }
     }
     then {
      discard;
     }
    }
    VMX-0(mx01_cr1 vty)# show firewall radu
    Term Filters:
    ------------
    Index Semantic Properties Name
    -------- ---------- -------- ------
    2 Classic - radu

    VMX-0(mx01_cr1 vty)# show filter index 2 program

    Filter index = 2
    Optimization flag: 0xf7
    Filter notify host id = 0
    Pfe Mask = 0xFFFFFFFF
    jnh inst = 0x0
    Filter properties: None
    Filter state = CONSISTENT
    term term1
    term priority 0
    protocol
    6
    false branch to match action in rule mirror
    destination-port
    444
    false branch to match action in rule mirror

    then
    discard
    term mirror
    term priority 0

    then
    accept
    port-mirror

    VMX-0(mx01_cr1 vty)#

    If I set "next term" as an action, it replaces your (unnecessary) "accept".

    mx01_cr1# show firewall family inet filter radu
    term term1 {
     from {
      protocol tcp;
      destination-port 444;
     }
     then {
      discard;
     }
    }
    term mirror {
     then {
      port-mirror;
      next term;
     }
    }
    term term2 {
     from {
      source-address {
       1.1.1.1/32;
      }
      destination-address {
       2.2.2.0/24;
      }
     }
     then {
      discard;
     }
    }

    VMX-0(mx01_cr1 vty)# show filter index 2 program
    Filter index = 2
    Optimization flag: 0xf7
    Filter notify host id = 0
    Pfe Mask = 0xFFFFFFFF
    jnh inst = 0x0
    Filter properties: None
    Filter state = CONSISTENT
    term term1
    term priority 0
    protocol
    6
    false branch to match action in rule mirror
    destination-port
    444
    false branch to match action in rule mirror

    then
    discard
    term mirror
    term priority 0

    then
    continue
    port-mirror
    term term2
    term priority 0
    source-address
    1.1.1.1/32
    false branch to match action in rule junos-internal-1
    destination-address
    2.2.2/24
    false branch to match action in rule junos-internal-1

    then
    discard
    term junos-internal-1
    term priority 0

    then
    discard
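To make the evaluation rules from the reply above concrete, here is a small Python model of how a stateless filter walks its terms. It is an added illustration, not Junos code and not from either poster: the Packet and Term classes, the match keys (protocol, dport, src, dst) and the sample packets are all constructed for the example. It encodes exactly the behaviour the PFE listings show: a term that matches and carries a terminating action ends processing; a matching term with only non-terminating actions ends processing through the implicit accept; "next term" overrides that and continues to the following term; a packet that matches nothing falls to the implicit final discard term (named junos-internal-1 in the listing). Running the thread's filter "radu" through it with the mirror term written both ways shows why term2 is unreachable with "accept" and reachable with "next term".

```python
"""Toy model of how a Junos stateless firewall filter walks its terms.

Constructed illustration, not Junos code. The rules are the ones stated in
the reply: terminating actions end processing, non-terminating actions carry
an implicit accept unless "next term" is present, and an unmatched packet
falls to an implicit final discard term.
"""
from dataclasses import dataclass, field
import ipaddress

TERMINATING = {"accept", "discard", "reject"}
NON_TERMINATING = {"port-mirror", "count", "log", "syslog", "sample"}
IMPLICIT_FINAL_TERM = "junos-internal-1"  # name shown in the PFE listing


@dataclass
class Packet:                 # constructed, minimal 5-tuple subset
    src: str
    dst: str
    protocol: int             # IP protocol number; 6 == tcp
    dport: int


@dataclass
class Term:                   # constructed model of one filter term
    name: str
    match: dict = field(default_factory=dict)  # keys: protocol, dport, src, dst
    actions: tuple = ()


def matches(term: Term, pkt: Packet) -> bool:
    """All configured from-conditions must hold (they are ANDed)."""
    m = term.match
    if "protocol" in m and pkt.protocol != m["protocol"]:
        return False
    if "dport" in m and pkt.dport != m["dport"]:
        return False
    for key, addr in (("src", pkt.src), ("dst", pkt.dst)):
        if key in m:
            net = ipaddress.ip_network(m[key], strict=False)
            if ipaddress.ip_address(addr) not in net:
                return False
    return True


def evaluate(terms, pkt):
    """Return (verdict, side_effects, names_of_terms_that_matched)."""
    side_effects, matched = [], []
    for term in terms:
        if not matches(term, pkt):
            continue  # the "false branch" in the PFE listing: try the next term
        matched.append(term.name)
        verdict, fall_through = None, False
        for action in term.actions:
            if action in TERMINATING:
                verdict = action
            elif action == "next term":
                fall_through = True
            elif action in NON_TERMINATING:
                side_effects.append(f"{term.name}:{action}")
            else:
                raise ValueError(f"unknown action {action!r}")
        if fall_through:
            continue
        # A matching term ends evaluation even when it only carries
        # non-terminating actions: the implicit accept applies.
        return verdict or "accept", side_effects, matched
    matched.append(IMPLICIT_FINAL_TERM)
    return "discard", side_effects, matched


def radu_filter(mirror_actions):
    """The thread's filter 'radu', parameterised on the mirror term's actions."""
    return [
        Term("term1", {"protocol": 6, "dport": 444}, ("discard",)),
        Term("mirror", {}, mirror_actions),
        Term("term2", {"src": "1.1.1.1/32", "dst": "2.2.2.0/24"}, ("discard",)),
    ]


WITH_ACCEPT = radu_filter(("port-mirror", "accept"))
WITH_NEXT_TERM = radu_filter(("port-mirror", "next term"))
MIRROR_ONLY = radu_filter(("port-mirror",))  # no explicit accept at all

if __name__ == "__main__":
    pkt = Packet("1.1.1.1", "2.2.2.5", 6, 80)  # constructed sample packet
    for label, f in (("accept", WITH_ACCEPT), ("mirror only", MIRROR_ONLY),
                     ("next term", WITH_NEXT_TERM)):
        print(f"{label:12}", evaluate(f, pkt))
```

With the sample packet (source 1.1.1.1, destination in 2.2.2.0/24, tcp/80) the "accept" and "mirror only" variants both stop at the mirror term and accept, so term2 never sees the packet; only the "next term" variant reaches term2 and discards it. A packet matching neither term2 condition falls through to the implicit final discard, which is the junos-internal-1 term in the second PFE listing.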