Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring Passive Monitoring on QFX10000 Switches


This example shows how to configure passive monitoring on QFX10000 switches.


This example uses the following hardware and software components:

  • Two routers (R1 and R2).

  • One QFX10002 switch.

  • Two IDS servers, directly connected to the switch.

  • Junos OS Release 18.4R1 or later.


Passive monitoring allows you to load balance traffic between two points in any network, where both sides of the traffic flow is load balanced to IDS servers. When you configure an interface in passive monitoring mode, the Packet Forwarding Engine silently drops incoming packets and stops the Routing Engine from transmitting any packet from that interface. Firewall filters are used to mirror the packets to the IDS server connecting interfaces. Optionally, you can apply symmetric hashing over the passive monitor interfaces for load balancing traffic. This allows ingress and egress traffic of a same flow to be sent out through the same monitoring interface.

In Figure 1, et-0/0/2 and et-0/0/4 are explicitly configured as passive monitoring interfaces on the switch. Packets coming into network are exchanged between Router 1 (R1) and Router 2 (R2) in two directions (R1 to R2, R2 to R1) and are sent to the monitored interfaces. When traffic is received, the firewall filter transfers all packets to a routing instance and then forwards the packets to the IDS servers. An aggregated Ethernet bundle (ae0) bundle is configured on the interfaces and is used to distribute the traffic evenly to the IDS servers.


Figure 1: Passive Monitoring Topology with IDS Servers
Passive Monitoring Topology
with IDS Servers


The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Passive Monitoring

Step-by-Step Procedure

To configure passive-monitoring:

  1. Configure passive-monitor mode on the switch interfaces:
  2. Configure a family inet firewall filter on the passive monitor interfaces to forward the traffic to a routing instance. Supported filter actions are accept, reject, count, routing-instance.
  3. Define a routing-instance with a static route that points to the IDS servers.
  4. Configure an AE bundle on the interfaces that connect to the IDS servers.
  5. (Optional) Configure symmetric hashing.


From configuration mode, confirm your configuration by entering the following show commands. If the command output does not display the intended configuration, repeat the instructions in this example to correct it.

If you are done configuring the interfaces, enter commit from configuration mode.


Confirm that the configuration is working properly

Verify the Passive Monitoring Configuration


Verify that passive monitoring is working on the interfaces. If the interface output shows No-receive and No-transmit, this indicates that passive monitoring is working fine.


From operational mode, enter the show interfaces command to view the passive monitoring interfaces.

user@host> show interfaces et-0/0/2
user@host show interfaces et-0/0/4

Verify Symmetric Hashing


Verify the output for symmetric hashing. The inet, inet6 and L2 fields should all be set to No.


From configuration mode, enter the show forwarding-options enhanced-hash-key command.