Defining a Firewall Filter on M, MX and T Series Routers to Select Traffic for Active Flow Monitoring
The first step in active flow monitoring is to configure the match conditions for acceptable traffic or quarantined traffic. Common match actions for active flow monitoring include sample, discard accounting, port-mirror, and accept. To configure these, include the desired action statements and a counter as part of the then statement in a firewall filter, and apply the filter to an interface.
In sampling, the router reviews a portion of the traffic and sends reports about this sample to the flow monitoring server. Discard accounting traffic is counted and monitored, but not forwarded out of the router. Port-mirrored traffic is copied and sent to another interface. Accepted traffic is forwarded to the intended destination.
Most of these action combinations are valid. The exception is port-mirror and sample: you can apply either one to a given packet, but not both at the same time, because a packet cannot be mirrored and sampled simultaneously.
[edit]
firewall {
    family inet {
        filter active_filter {
            term quarantined_traffic {
                from {
                    source-address {
                        10.36.1.2/32;
                    }
                }
                then {
                    count quarantined-counter;
                    sample;
                    discard accounting;
                }
            }
            term copy_and_forward_the_rest {
                then {
                    port-mirror;
                    accept;
                }
            }
        }
    }
}
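As an added example (not Juniper's own code or tooling), a small Python checker that parses a Junos-style firewall filter stanza into its terms and flags any term whose then statement both samples and port-mirrors the same packets. The configuration text is constructed for the example: it contains the active_filter shown above plus a hypothetical bad_filter whose term deliberately combines the two actions.

```python
import re

# Constructed input: the page's active_filter plus a hypothetical bad_filter whose
# term combines sample and port-mirror, which the text says is not permitted.
SAMPLE_CONFIG = """
firewall { family inet {
    filter active_filter {
        term quarantined_traffic {
            from { source-address { 10.36.1.2/32; } }
            then { count quarantined-counter; sample; discard accounting; } }
        term copy_and_forward_the_rest { then { port-mirror; accept; } } }
    filter bad_filter { term both_actions { then { sample; port-mirror; accept; } } } } }
"""

def parse_junos(text: str) -> dict:
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    stack = [{}]          # stack[0] is the root stanza
    words = []            # words seen since the last delimiter
    for tok in tokens:
        if tok == "{":    # open a nested stanza named by the preceding words
            node: dict = {}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == ";":  # leaf statement, e.g. "count quarantined-counter"
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def term_actions(config: dict) -> dict[tuple[str, str], list[str]]:
    """Map (filter name, term name) to the ordered list of its 'then' actions."""
    out: dict[tuple[str, str], list[str]] = {}
    for family in (config.get("firewall") or {}).values():   # e.g. the "family inet" stanza
        for flt_key, flt in (family or {}).items():
            if not flt_key.startswith("filter "): continue
            for term_key, term in flt.items():
                if not term_key.startswith("term "): continue
                out[(flt_key.split()[1], term_key.split()[1])] = list(term.get("then") or {})
    return out

def conflicting_terms(config_text: str) -> list[tuple[str, str]]:
    """Terms that both sample and port-mirror the same packets, which Junos does not allow."""
    acts = term_actions(parse_junos(config_text))
    return [key for key, actions in acts.items() if "sample" in actions and "port-mirror" in actions]
```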