Configuring Input Interfaces, Monitoring Services Interfaces, and Export Interfaces on MX Series Routers
After creating the input filter, you need to configure the interfaces where traffic will enter the router.
Ethernet-based interfaces support both per-port passive monitoring and per-VLAN passive monitoring.
For Gigabit Ethernet interfaces, include the passive-monitor-mode statement at the [edit interfaces ge-fpc/pic/port] hierarchy level. On Ethernet-based interfaces, passive monitor mode stops the Routing Engine from receiving packets and prevents the routing table from transmitting packets. You can verify this by checking for the No-receive and No-transmit interface flags in the output of the show interfaces ge-fpc/pic/port command.
The following restrictions apply to passive flow monitoring on Ethernet-based interfaces:
- No special encapsulation types are allowed, so you must configure Ethernet encapsulations only.
- When you configure the passive-monitor-mode statement, destination MAC address filters applied to incoming interfaces are disabled by default.
- The flow-control statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level does not work when passive flow monitoring is enabled.
In addition to passive monitor mode, apply the previously defined firewall filter to the interface with the filter statement at the [edit interfaces interface-name-fpc/pic/port unit unit-number family inet] hierarchy level:
[edit]
interfaces {
    ge-2/0/0 {
        description "Gigabit Ethernet input interface";
        passive-monitor-mode;
        unit 0 {
            family inet {
                filter {
                    input input-monitoring-filter;
                }
            }
        }
    }
}
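One way to check a candidate configuration against the restrictions above, as an added example that is not part of the original documentation or Juniper's code: a small Python parser for the curly-brace configuration format that flags passive-monitor interfaces with flow-control configured or with no input filter under family inet. The sample configuration is constructed, the function names are hypothetical, and the parser assumes quoted strings contain no braces or semicolons.

```python
import re

# Constructed sample (not from the page): ge-2/0/0 mirrors the page's example,
# ge-2/0/1 is deliberately misconfigured.
SAMPLE = """
interfaces {
    ge-2/0/0 {
        passive-monitor-mode;
        unit 0 {
            family inet { filter { input input-monitoring-filter; } }
        }
    }
    ge-2/0/1 {
        passive-monitor-mode;
        gigether-options { flow-control; }
        unit 0 { family inet; }
    }
}
"""

def parse(text):
    """Parse curly-brace config into nested dicts; leaf statements map to None."""
    stack = [{}]
    for m in re.finditer(r"([^{};]*)([{};])", text):
        name, delim = m.group(1).strip(), m.group(2)
        if delim == "{":
            # Open a block and descend into it.
            stack.append(stack[-1].setdefault(name, {}))
        elif delim == ";" and name:
            stack[-1][name] = None
        elif delim == "}":
            stack.pop()
    return stack[0]

def audit(text):
    """Return {interface: [problems]} for each interface in passive monitor mode."""
    findings = {}
    for ifname, body in parse(text).get("interfaces", {}).items():
        if not body or "passive-monitor-mode" not in body:
            continue
        problems = []
        if "flow-control" in (body.get("gigether-options") or {}):
            problems.append("flow-control does not work in passive monitor mode")
        for key, unit in body.items():
            if key.startswith("unit "):
                inet = (unit or {}).get("family inet") or {}
                if not any(k.startswith("input ") for k in inet.get("filter") or {}):
                    problems.append(f"{key}: no input filter under family inet")
        findings[ifname] = problems
    return findings
```

Calling audit(SAMPLE) returns an empty problem list for ge-2/0/0 and two findings for ge-2/0/1.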
Configure the interfaces on the Monitoring Services PIC or Monitoring Services II PIC with the family inet statement at the [edit interfaces mo-fpc/pic/port unit unit-number] hierarchy level. The statement allows the interfaces to process IPv4 traffic received from the input interfaces.
When you use VRF instances, you need to configure two logical interfaces. The first (unit 0) is part of the inet.0 routing table and sources the flow packets. The second (unit 1) is configured as part of the VRF instance so the monitoring services interface can serve as a valid next hop for packets received in the instance.
You can also capture options packets and time-to-live (TTL) exceeded information when the monitoring services interface processes flow records. To configure this, include the receive-options-packets and receive-ttl-exceeded statements at the [edit interfaces mo-fpc/pic/port unit unit-number family inet] hierarchy level:
[edit]
interfaces {
    mo-4/0/0 {
        unit 0 {
            family inet {
                receive-options-packets;
                receive-ttl-exceeded;
            }
        }
        unit 1 {
            family inet;
        }
    }
    mo-4/1/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    mo-4/2/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    mo-4/3/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
You must also configure the export interface where flow packets exit the monitoring station and are sent to the flow server.
On output interfaces, you can apply a firewall filter that leads to a filter-based forwarding routing instance. This is useful if you want to port-mirror traffic to multiple Monitoring Services PICs or flow collection services interfaces. To configure this, include the output statement at the [edit interfaces interface-name unit logical-unit-number family inet filter] hierarchy level. For more information, see Using Filter-Based Forwarding to Export Monitored Traffic to Multiple Destinations.
[edit]
interfaces {
    ge-3/0/0 {
        description "export interface to flow server";
        unit 0 {
            family inet {
                address ip-address;
                filter {
                    output output-filter-name;
                }
            }
        }
    }
}