Copying and Redirecting Traffic with Port Mirroring and Filter-Based Forwarding

This section discusses additional techniques you can use with the passive flow monitoring application:

• In addition to flow analysis, you can analyze a copy of the original traffic with a single packet analyzer. To implement this technique, divert traffic with a filter-based forwarding routing instance and send the monitored traffic through a physical interface to the packet analyzer.
• You can cluster the traffic into different groups and redirect this traffic to multiple packet analyzers. For example, you can break traffic flows into TCP groups and UDP groups and send these groups of packets to different analyzers. To accomplish this, you use port mirroring and send a copy of the original traffic to a Tunnel PIC. Then you can apply a firewall filter, split the traffic into your desired groups, and send these groups toward different exit interfaces leading to the packet analyzers. This technique provides maximum flexibility for traffic analysis.
• For secure transmission of the copied or grouped traffic, you can encrypt the diverted traffic with an ES PIC and send this traffic to a packet analyzer over an IP Security (IPSec) tunnel.

To implement the filter-based forwarding enhancement methods, see the following sections:

• Specifying Port Mirroring Input and Output
• Creating a Firewall Filter to Split the Port-Mirrored Traffic into Different Instances
• Applying the Firewall Filter to a Tunnel PIC Interface
• Using Filter-Based Forwarding to Export Monitored Traffic to Multiple Destinations
• Configuring a Routing Table Group to Add Interface Routes into the Forwarding Instance
• Option: Using an ES PIC to Send Traffic to a Packet Analyzer
• Option: Applying a Firewall Filter to an Output Interface

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.