
Passive Monitoring


Understanding Passive Monitoring

Passive monitoring is a type of network monitoring used to passively capture traffic from monitoring interfaces. When you enable passive monitoring, the device accepts and monitors traffic on the interface and forwards the traffic to monitoring tools like IDS servers and packet analyzers, or other devices such as routers or end node hosts.

  • Starting in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.

  • Starting in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.

Passive Monitoring Benefits

  • Provides filtering capabilities for monitoring ingress and egress traffic at the Internet point of presence (PoP) where security networks are attached.

Guidelines for Configuring Passive Monitoring

  • You can only configure passive monitoring at the interface level. Configuration per VLAN or logical interface is not supported.

  • A passive monitoring interface cannot be an aggregated Ethernet (AE) interface.

  • Monitoring tools or devices must be directly connected to the switch or router.

  • Packets with more than two MPLS labels and more than two VLAN tags are dropped.

  • Exception packets such as IP packet options, router alert, and TTL expiry packets are treated as regular traffic.

  • Ethernet encapsulation is not supported.

  • MPLS family filter configuration is not supported.

  • Link Aggregation Control Protocol (LACP) is not supported on the AE bundle connected to the monitoring tool or device.

Example: Configuring Passive Monitoring on QFX10000 Switches

This example shows how to configure passive monitoring on QFX10000 switches.

Requirements

This example uses the following hardware and software components:

  • Two routers (R1 and R2)

  • One QFX10002 switch

  • Two devices, directly connected to the switch

  • Junos OS Release 18.4R1 or later

Overview

This example describes how to configure passive monitoring on the switch.

In Figure 1, et-0/0/2 and et-0/0/4 are configured as passive monitoring interfaces. Packets coming into the network are exchanged between Router 1 (R1) and Router 2 (R2) in both directions (R1 to R2, R2 to R1) and are sent to the monitored interfaces. When traffic is received, a firewall filter transfers all packets to a routing instance, which forwards the packets to the monitoring tools. The interfaces toward the tools are then grouped into a single logical interface, known as a link aggregation group (LAG) or AE bundle. This enables the traffic to be evenly distributed across the monitoring tools, effectively increasing the uplink bandwidth. If one interface fails, the bundle continues to carry traffic over the remaining interfaces.

Optionally, you can apply symmetric hashing over the passive monitor interfaces to load-balance traffic to the monitoring tools. This allows ingress and egress traffic of the same flow to be sent out through the same monitored interface. To configure symmetric hashing, include the no-incoming-port option under the [edit forwarding-options enhanced-hash-key] hierarchy. Symmetric hashing is enabled and disabled at the global level only. Per-protocol hashing is not supported.

Topology

Figure 1: Passive Monitoring Topology

Configuration

The following example requires you to navigate various levels in the CLI hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Passive Monitoring

Step-by-Step Procedure

To configure passive monitoring:

  1. Configure passive-monitor mode on the switch interfaces.
  2. Configure a family inet firewall filter on the passive monitor interfaces to forward the traffic to a routing instance. Supported filter actions are accept, reject, count, and routing-instance.
  3. Create a routing-instance with a static route that points to the devices.
  4. Configure an AE bundle on the passive monitoring interfaces.
  5. (Optional) Configure symmetric hashing.
  6. From configuration mode, confirm your configuration by entering the show interfaces command. If the command output does not display the intended configuration, repeat the instructions in this example to correct it.
  7. If you are done configuring the interfaces, enter commit from configuration mode.
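The procedure above, written out as set-style configuration in one piece. This is an added example, not the configuration from the Juniper page. The passive monitoring interfaces et-0/0/2 and et-0/0/4 come from Figure 1; the filter name pm-filter, the routing instance pm-ri, the counter name, the AE member interfaces et-0/0/10 and et-0/0/11, the 192.0.2.0/30 addresses, and the inet, inet6 and layer2 sub-hierarchies under enhanced-hash-key are assumptions and should be checked against the CLI help for your release.

```junos
# Step 1: passive-monitor mode on the monitored interfaces (et-0/0/2 and
# et-0/0/4 are the interfaces from Figure 1); the input filter is applied
# per interface, since per-VLAN or per-logical-interface monitoring is not supported
set interfaces et-0/0/2 passive-monitor-mode
set interfaces et-0/0/2 unit 0 family inet filter input pm-filter
set interfaces et-0/0/4 passive-monitor-mode
set interfaces et-0/0/4 unit 0 family inet filter input pm-filter

# Step 2: family inet filter that hands every packet to the routing instance.
# Only accept, reject, count and routing-instance are supported actions;
# pm-filter, pm-packets and pm-ri are assumed names.
set firewall family inet filter pm-filter term to-tools then count pm-packets
set firewall family inet filter pm-filter term to-tools then routing-instance pm-ri

# Step 3: routing instance with a static route toward the monitoring tools.
# The default route steers everything the filter handed over onto the AE
# bundle facing the tools; the 192.0.2.0/30 addresses are constructed.
set routing-instances pm-ri instance-type virtual-router
set routing-instances pm-ri interface ae0.0
set routing-instances pm-ri routing-options static route 0.0.0.0/0 next-hop 192.0.2.2

# Step 4: AE bundle toward the directly connected monitoring tools. Member
# interfaces et-0/0/10 and et-0/0/11 are assumed. No LACP on this bundle,
# per the guidelines above.
set chassis aggregated-devices ethernet device-count 1
set interfaces et-0/0/10 ether-options 802.3ad ae0
set interfaces et-0/0/11 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 192.0.2.1/30

# Step 5 (optional): symmetric hashing so both directions of a flow leave on
# the same bundle member. Global only; no-incoming-port is the option named
# in the overview, the inet/inet6/layer2 sub-hierarchies are assumed.
set forwarding-options enhanced-hash-key inet no-incoming-port
set forwarding-options enhanced-hash-key inet6 no-incoming-port
set forwarding-options enhanced-hash-key layer2 no-incoming-port

# Steps 6 and 7: review the candidate configuration, then commit
show interfaces
commit
```

The static-route next hop (192.0.2.2 here) must resolve on the bundle, so the monitoring tool either owns that address or the switch needs a static ARP entry for it; otherwise the routing instance has nowhere to send the mirrored traffic and the counter pm-packets increments while the tools see nothing.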

Verification

Confirm that the configuration is working properly.

Verify the Passive Monitoring Configuration

Purpose

Verify that passive monitoring is working on the interfaces. If the interface output shows No-receive and No-transmit, this means that passive monitoring is working.

Action

From operational mode, enter the show interfaces command to view the passive monitoring interfaces.

user@host> show interfaces et-0/0/2
user@host> show interfaces et-0/0/4

Verify Symmetric Hashing

Purpose

Verify the output for symmetric hashing. The incoming port fields for inet, inet6, and L2 should all be set to No.

Action

From configuration mode, enter the show forwarding-options enhanced-hash-key command.

Release History Table

Release                       Description
Junos OS 18.4R1               Starting in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.
Junos OS Evolved 19.4R1       Starting in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.