[Contents] [Prev] [Next] [Index] [Report an Error]

Examples: Configuring Port Mirroring

The following example sends port-mirrored traffic to multiple cflowd servers or packet analyzers:

[edit interfaces]
ge-1/0/0 { # This is the input interface where packets enter the router.
unit 0 {
family inet {
filter {
input mirror_pkts; # Here is where you apply the first filter.
}
address 10.11.0.1/24;
}
}
}
ge-1/1/0 { # This is an exit interface for HTTP packets.
unit 0 {
family inet {
address 10.12.0.1/24;
}
}
}
ge-1/2/0 { # This is an exit interface for HTTP packets.
unit 0 {
family inet {
address 10.13.0.1/24;
}
}
}
so-0/3/0 { # This is an exit interface for FTP packets.
unit 0 {
family inet {
address 10.1.1.1/30;
}
}
}
so-4/3/0 { # This is an exit interface for FTP packets.
unit 0 {
family inet {
address 10.2.2.2/30;
}
}
}
so-7/0/0 { # This is an exit interface for all remaining packets.
unit 0 {
family inet {
address 10.5.5.5/30;
}
}
}
so-7/0/1 { # This is an exit interface for all remaining packets.
unit 0 {
family inet {
address 10.6.6.6/30;
}
}
}
vt-3/3/0 { # The tunnel interface is where you send the port mirrored traffic.
unit 0 {
family inet;
}
unit 1 {
family inet {
filter {
input collect_pkts; # This is where you apply the second firewall filter.
}
}
}
}
[edit forwarding-options]
port-mirroring { # This is required when you configure next-hop groups.
input {
family inet {
rate 1; # This rate port mirrors one packet for every one received (1:1 = all
     # packets).
}
}
output { # This sends traffic to a tunnel interface to prepare for multiport mirroring.
interface vt-3/3/0.1;
no-filter-check;
}
}
next-hop-group ftp-traffic { # Point-to-point interfaces require you to specify the interface
     # name only.
interface so-4/3/0.0;
interface so-0/3/0.0;
}
next-hop-group http-traffic { # You need to configure a next hop for multipoint interfaces
     # (Ethernet).
interface ge-1/1/0.0 {
next-hop 10.12.0.2;
}
interface ge-1/2/0.0 {
next-hop 10.13.0.2;
}
}
next-hop-group default-collect {
interface so-7/0/0.0;
interface so-7/0/1.0;
}
[edit firewall]
family inet {
filter mirror_pkts { # Apply this filter to the input interface.
term catch_all {
then {
count input_mirror_pkts;
port-mirror; # This action sends traffic to be copied and port mirrored.
accept;
}
}
}
filter collect_pkts { # Apply this filter to the tunnel interface.
term ftp-term { # This term sends FTP traffic to an FTP next-hop group.
from {
protocol ftp;
}
then next-hop-group ftp-traffic;
}
term http-term {# This term sends HTTP traffic to an HTTP next-hop group.
from {
protocol http;
}
then next-hop-group http-traffic;
}
term default {# This term sends all remaining traffic to a final next-hop group.
then next-hop-group default-collectors;
}
}
}

The following example demonstrates configuration of filter-based forwarding at the output interface. In this example, the packet flow follows this path:

  1. A packet arrives at interface fe-1/2/0.0 with source and destination addresses 10.50.200.1 and 10.50.100.1, respectively.
  2. The route lookup in routing table inet.0 points to the egress interface so-0/0/3.0.
  3. The output filter installed at so-0/0/3.0 redirects the packet to routing table fbf.inet.0.
  4. The packet matches the entry 10.50.100.0/25, and finally leaves the router from interface so-2/0/0.0.
    [edit interfaces]
    so-0/0/3 {
    unit 0 {
    family inet {
    filter {
    output fbf;
    }
    address 10.50.10.2/25;
    }
    }
    }
    fe-1/2/0 {
    unit 0 {
    family inet {
    address 10.50.50.2/25;
    }
    }
    }
    so-2/0/0 {
    unit 0 {
    family inet {
    address 10.50.20.2/25;
    }
    }
    }
    [edit firewall]
    filter fbf {
    term 0 {
    from {
    source-address {
    10.50.200.0/25;
    }
    }
    then routing-instance fbf;
    }
    term d {
    then count d;
    }
    }
    [edit routing-instances]
    fbf {
    instance-type forwarding;
    routing-options {
    static {
    route 10.50.100.0/25 next-hop so-2/0/0.0;
    }
    }
    }
    [edit routing-options]
    interface-routes {
    rib-group inet fbf-group;
    }
    static {
    route 10.50.100.0/25 next-hop 10.50.10.1;
    }
    rib-groups {
    fbf-group {
    import-rib [ inet.0 fbf.inet.0 ];
    }
    }
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.