mirror-filter (Security Forwarding Options)
Syntax
mirror-filter filter-name {
    destination-port port-number;
    destination-prefix destination-prefix;
    interface-in interface-name;
    interface-out interface-name;
    output {
        destination-mac mac-address;
        interface interface-name;
    }
    protocol protocol;
    source-port port-number;
    source-prefix set source-prefix;
}
Hierarchy Level
[edit security forwarding-options]
Description
Configure a mirror filter for filtering X2 packets to be mirrored and sent to a packet analyzer.
As a network operator, you need a way to monitor X2 traffic to debug any handover issues across eNodeBs. The mirror filter feature allows you to do that. Traffic coming out of an IPsec tunnel is decrypted, mirrored and analyzed, and then encrypted again to go into the outbound IPsec tunnel.
To use the mirror filter feature to monitor X2 traffic, you configure mirror filters. You can configure up to 15 different mirror filters to be used concurrently to filter for various kinds of traffic. Each mirror filter contains a set of parameters and their values against which traffic is matched.
The SRX Series mirror filter feature is bidirectional, much like a session. X2 traffic flowing through an IPsec VPN from devices that match the configured filter conditions is mirrored and analyzed.
Starting in Junos OS Release 18.4R1, if the output X2 interface of a mirror filter is configured for an st0 interface to filter traffic that you want to analyze, the packet is duplicated and encrypted by the IPsec tunnel bound to the st0 interface. This enhancement enables SRX Series Firewalls to send traffic mirrored from a port on an IPsec tunnel.
In addition to the following parameters for a mirror filter, you specify the output interface and the MAC address of the packet analyzer as part of the configuration.
destination IP address prefix
destination port
IP protocol
source IP address prefix
source port
incoming and outgoing interfaces
Although there is no minimum required number of parameters for a mirror filter, be aware that if you specify too few criteria or accidentally commit an incomplete filter, a disproportionate amount of the traffic flowing through the system could be mirrored.
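The caution about under-specified filters can be checked before a commit. The following Python script is an added example, not Juniper code: it scans set-format configuration for mirror filters with few match criteria, an incomplete output section, or more than 15 filters. The three-criteria threshold and the filter names, addresses, ports and interfaces in the sample are assumptions made for illustration.

```python
import re

# Match criteria listed on this page; output settings identify the analyzer.
MATCH_KEYS = {"destination-port", "destination-prefix", "interface-in",
              "interface-out", "protocol", "source-port", "source-prefix"}
OUTPUT_KEYS = {"interface", "destination-mac"}
MAX_FILTERS = 15    # concurrent mirror filters, per this page
MIN_CRITERIA = 3    # local review threshold (assumption, not a Junos limit)
SET_RE = re.compile(r"^set security forwarding-options mirror-filter (\S+) (.+)$")

# Constructed sample: one narrow X2 filter, one under-specified filter.
SAMPLE = """\
set security forwarding-options mirror-filter x2-enb-a protocol 132
set security forwarding-options mirror-filter x2-enb-a destination-port 36422
set security forwarding-options mirror-filter x2-enb-a source-prefix 192.0.2.0/28
set security forwarding-options mirror-filter x2-enb-a destination-prefix 198.51.100.0/28
set security forwarding-options mirror-filter x2-enb-a output interface ge-0/0/5
set security forwarding-options mirror-filter x2-enb-a output destination-mac 00:00:5e:00:53:10
set security forwarding-options mirror-filter debug-all protocol 132
set security forwarding-options mirror-filter debug-all output interface ge-0/0/5
"""

def audit(config_text, min_criteria=MIN_CRITERIA):
    """Return sorted (filter_name, finding) pairs for risky mirror filters."""
    filters = {}  # name -> {"match": set(), "output": set()}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        words = m.group(2).split()
        entry = filters.setdefault(m.group(1), {"match": set(), "output": set()})
        if words[0] == "output" and len(words) > 1 and words[1] in OUTPUT_KEYS:
            entry["output"].add(words[1])
        elif words[0] in MATCH_KEYS:
            entry["match"].add(words[0])
    findings = []
    if len(filters) > MAX_FILTERS:
        findings.append(("*", f"{len(filters)} filters configured, limit is {MAX_FILTERS}"))
    for name, entry in filters.items():
        if len(entry["match"]) < min_criteria:
            findings.append((name, f"broad match: {len(entry['match'])} criteria"))
        missing = OUTPUT_KEYS - entry["output"]
        if missing:
            findings.append((name, "output missing: " + ", ".join(sorted(missing))))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Run against the sample, only the debug-all filter is reported: it matches on a single criterion and has no analyzer MAC address.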
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this in the configuration.
security-control—To add this to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X46-D10.