[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring a Layer 2 Port-Mirroring Firewall Filter

For the VPLS (family bridge or family vpls) traffic only, MX-series firewall filters can be configured to perform port mirroring if the packet matches the conditions configured in the firewall filter term. A firewall filter configured to perform port mirroring can be applied to input or output logical interfaces, including aggregated Ethernet logical interfaces, or to input to forwarding tables or input to flood tables of bridge domains or VPLS routing instances.

To configure a Layer 2 port-mirroring firewall filter, include the following statements:



[edit]
firewall {


family (bridge | vpls) {


filter pm-filter-name {


term term-name {


from { # Do not specify match conditions based on route
source address
}




then {

action; # Recommended action is ’accept’
port-mirror;
}


}


}


}


}

To configure a firewall filter, include the filter pm-filter-name statement at the [edit firewall family (bridge | vpls)] hierarchy level.

To configure a firewall filter term, include the term term-name statement at the [edit firewall family (bridge | vpls)] filter pm-filter-name] hierarchy level.

Under the [edit firewall family (bridge | vpls)] filter pm-filter-name term term-name] hierarchy level, do not include the optional from statement that specifies match conditions based on the route source address. Omit this statement so that all packets are considered to match and all actions specified in the then statement are taken.

To configure the actions to be taken on matching packets, include the then statement under the [edit firewall family (bridge | vpls)] filter pm-filter-name term term-name] hierarchy level. Within the term, specify an optional action and the port-mirror action modifier:

If you do not specify an action, all input packets are accepted. The recommended action is accept.
The port-mirror action modifier causes the firewall filter to use the input packet-sampling properties and address family-specific mirror destination properties configured for the Layer 2 port mirroring global instance of the same family (configured at the [edit forwarding-options port-mirroring] hierarchy level).

Because the port-mirror filter action modifier relies on the global port-mirroring properties, which are configured at the [edit forwarding-options port-mirroring] hierarchy level, the port-mirror filter action is not supported for logical systems.

For detailed information about configuring firewall filters in general (including in a Layer 3 environment), see the JUNOS Policy Framework Configuration Guide.

[Contents] [Prev] [Next] [Index] [Report an Error]