The following steps describe an example in which the global port-mirroring instance and a port-mirroring firewall filter are used to configure Layer 2 port mirroring for the input to a logical interface.

    [edit]
    bridge-domains {
        example-bd-with-analyzer { # Contains an external traffic analyzer
            vlan-id 1000;
            interface ge-2/0/0.0; # External analyzer
        }
        example-bd-with-traffic { # Contains traffic input and output interfaces
            vlan-id 1000;
            interface ge-2/0/6.0; # Traffic input port
            interface ge-3/0/1.2; # Traffic output port
        }
    }

Assume that logical interface ge-2/0/0.0 is associated with an external traffic analyzer that is to receive port-mirrored packets. Assume that logical interfaces ge-2/0/6.0 and ge-3/0/1.2 will be traffic input and output ports, respectively.

    [edit]
    forwarding-options {
        port-mirroring {
            input {
                rate 10;
                run-length 5;
            }
            family bridge {
                output {
                    interface ge-2/0/0.0; # Mirror packets to the external analyzer
                    no-filter-check; # Allow filters on the mirror destination interface
                }
            }
        }
    }

The input statement under the [edit forwarding-options port-mirroring] hierarchy level specifies that sampling begins every tenth packet and that each of the first five packets sampled is mirrored.
The output statement under the [edit forwarding-options port-mirroring family bridge] hierarchy level specifies the output mirror interface for Layer 2 packets in a bridging environment:

    firewall {
        family bridge {
            filter example-bridge-pm-filter {
                term example-filter-terms {
                    then {
                        accept;
                        port-mirror;
                    }
                }
            }
        }
    }

When this firewall filter is applied to the input or output of a logical interface for traffic in a bridging environment, Layer 2 port mirroring is performed according to the input packet-sampling properties and mirror destination properties configured for the Layer 2 port mirroring global instance. Because this firewall filter is configured with the single, default filter action accept, all packets selected by the input properties (rate = 10 and run-length = 5) match this filter.

    [edit]
    interfaces {
        ge-2/0/0 { # Define the interface to the external analyzer
            encapsulation ethernet-bridge;
            unit 0 {
                family bridge;
            }
        }
        ge-2/0/6 { # Define the traffic input port
            flexible-vlan-tagging;
            encapsulation extended-vlan-bridge;
            unit 0 {
                vlan-id 100;
                family bridge {
                    filter {
                        input example-bridge-pm-filter; # Apply the port-mirroring firewall filter
                    }
                }
            }
        }
        ge-3/0/1 { # Define the traffic output port
            flexible-vlan-tagging;
            encapsulation extended-vlan-bridge;
            unit 2 {
                vlan-tags outer 10 inner 20;
                family bridge;
            }
        }
    }

Packets received at logical interface ge-2/0/6.0 on bridge domain example-bd-with-traffic are evaluated by the port-mirroring firewall filter example-bridge-pm-filter. The firewall filter acts on the input traffic according to the filter actions configured in the firewall filter itself plus the input packet-sampling properties and mirror destination properties configured in the global port-mirroring instance:
If you configure the port-mirroring firewall filter example-bridge-pm-filter to take the discard action instead of the accept action, all original packets are discarded while copies of the packets selected using the global port-mirroring input properties are sent to the external analyzer.