The following example sends port-mirrored traffic to multiple cflowd servers or packet analyzers:
- [edit interfaces]
- ge-1/0/0 { # This is the input interface where packets
enter the router.
-
- unit 0 {
-
- family inet {
-
- filter {
- input mirror_pkts; # Here is where you apply the first
filter.
- }
- address 10.11.0.1/24;
- }
- }
- }
- ge-1/1/0 { # This is an exit interface for HTTP packets.
-
- unit 0 {
-
- family inet {
- address 10.12.0.1/24;
- }
- }
- }
- ge-1/2/0 { # This is an exit interface for HTTP packets.
-
- unit 0 {
-
- family inet {
- address 10.13.0.1/24;
- }
- }
- }
- so-0/3/0 { # This is an exit interface for FTP packets.
-
- unit 0 {
-
- family inet {
- address 10.1.1.1/30;
- }
- }
- }
- so-4/3/0 { # This is an exit interface for FTP packets.
-
- unit 0 {
-
- family inet {
- address 10.2.2.2/30;
- }
- }
- }
- so-7/0/0 { # This is an exit interface for all remaining
packets.
-
- unit 0 {
-
- family inet {
- address 10.5.5.5/30;
- }
- }
- }
- so-7/0/1 { # This is an exit interface for all remaining
packets.
-
- unit 0 {
-
- family inet {
- address 10.6.6.6/30;
- }
- }
- }
- vt-3/3/0 { # The tunnel interface is where you send the
port mirrored traffic.
-
- unit 0 {
- family inet;
- }
-
- unit 1 {
-
- family inet {
-
- filter {
- input collect_pkts; # This is where you apply the second
firewall filter.
- }
- }
- }
- }
- [edit forwarding-options]
- port-mirroring { # This is required when you configure
next-hop groups.
-
- input {
- rate 1; # This rate port mirrors one packet for every one
received (1:1 = all
- # packets).
- }
-
- family inet {
-
- output { # This sends traffic to a tunnel interface to
prepare for multiport mirroring.
-
- interface vt-3/3/0.1;
- no-filter-check;
- }
- }
- }
- next-hop-group ftp-traffic { # Point-to-point interfaces
require you to specify the interface
- # name only.
- interface so-4/3/0.0;
- interface so-0/3/0.0;
- }
- next-hop-group http-traffic { # You need to configure a
next hop for multipoint interfaces
- # (Ethernet).
-
- interface ge-1/1/0.0 {
- next-hop 10.12.0.2;
- }
-
- interface ge-1/2/0.0 {
- next-hop 10.13.0.2;
- }
- }
- next-hop-group default-collect {
- interface so-7/0/0.0;
- interface so-7/0/1.0;
- }
- [edit firewall]
- family inet {
-
- filter mirror_pkts { # Apply this filter to the input interface.
-
- term catch_all {
-
- then {
- count input_mirror_pkts;
- port-mirror; # This action sends traffic to be copied and
port mirrored.
- accept;
- }
- }
- }
-
- filter collect_pkts { # Apply this filter to the tunnel
interface.
-
- term ftp-term { # This term sends FTP traffic to an FTP
next-hop group.
-
- from {
- protocol ftp;
- }
- then next-hop-group ftp-traffic;
- }
-
- term http-term {# This term sends HTTP traffic to an HTTP
next-hop group.
-
- from {
- protocol http;
- }
- then next-hop-group http-traffic;
- }
-
- term default {# This term sends all remaining traffic to
a final next-hop group.
- then next-hop-group default-collectors;
- }
- }
- }
The following example demonstrates configuration of filter-based forwarding at the output interface. In this example, the packet flow follows this path:
- [edit interfaces]
- so-0/0/3 {
-
- unit 0 {
-
- family inet {
-
- filter {
- output fbf;
- }
- address 10.50.10.2/25;
- }
- }
- }
- fe-1/2/0 {
-
- unit 0 {
-
- family inet {
- address 10.50.50.2/25;
- }
- }
- }
- so-2/0/0 {
-
- unit 0 {
-
- family inet {
- address 10.50.20.2/25;
- }
- }
- }
- [edit firewall]
- filter fbf {
-
- term 0 {
-
- from {
-
- source-address {
- 10.50.200.0/25;
- }
- }
- then routing-instance fbf;
- }
-
- term d {
- then count d;
- }
- }
- [edit routing-instances]
- fbf {
- instance-type forwarding;
-
- routing-options {
-
- static {
- route 10.50.100.0/25 next-hop so-2/0/0.0;
- }
- }
- }
- [edit routing-options]
- interface-routes {
- rib-group inet fbf-group;
- }
- static {
- route 10.50.100.0/25 next-hop 10.50.10.1;
- }
- rib-groups {
-
- fbf-group {
- import-rib [ inet.0 fbf.inet.0 ];
- }
- }