Creating a Firewall Filter on an M, MX or T Series Router to Split the Port-Mirrored Traffic into Different Instances
If you need to split the copy of the monitored traffic into separate groups and send these filtered packets to different analyzers, devise a firewall filter that selects some traffic for sampling and some traffic for discarding. In this case, UDP traffic is sent into one routing instance, TCP traffic is diverted into a second routing instance, and all other traffic is discarded. In a later step, you will define the filter-based forwarding routing instances specified in the then statements shown in this filter.
Applying the Firewall Filter to a Tunnel PIC Interface
Once the firewall filter is defined, apply it as an input filter on a tunnel interface. This is required if the firewall filter defines two or more types of traffic or export interfaces. However, if the firewall filter only specifies one type of traffic and one export interface, you can apply the filter directly to the export interface.
Using Filter-Based Forwarding to Export Monitored Traffic to Multiple Destinations
The firewall filter called tunnel-interface-filter sends UDP traffic into one filter-based forwarding routing instance called udp-routing-table, sends TCP traffic into a second filter-based forwarding routing instance called tcp-routing-table, and discards all other packets. Here you will configure the filter-based forwarding instances.
Configure an export interface for each of your routing instances by including a static next hop. To configure, include the route statement at the [edit routing-instances instance-name routing-options static] hierarchy level and specify a next-hop address or interface.