Defining a Port-Mirroring Firewall Filter

Starting with release 14.2, on routers containing an Internet Processor II application-specific integrated circuit (ASIC) or T Series Internet Processor, you can send a copy of an IP version 4 (IPv4) or IP version 6 (IPv6) packet from the router to an external host address or a packet analyzer for analysis. This is known as port mirroring.

Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.

You can configure simultaneous use of sampling and port mirroring, and set an independent sampling rate and run-length for port-mirrored packets. However, if a packet is selected for both sampling and port mirroring, only one action can be performed and port mirroring takes precedence. For example, if you configure an interface to sample every packet input to the interface and a filter also selects the packet to be port mirrored to another interface, only the port mirroring would take effect. All other packets not matching the explicit filter port-mirroring criteria continue to be sampled when forwarded to their final destination.

Firewall filters provide a means of protecting your router from excessive traffic transiting the router to a network destination or destined for the Routing Engine. Firewall filters that control local packets can also protect your router from external incidents.

You can configure a firewall filter to do the following:

  • Restrict traffic destined for the Routing Engine based on its source, protocol, and application.

  • Limit the rate of traffic destined for the Routing Engine to protect against flood and denial-of-service (DoS) attacks.

  • Address special circumstances associated with fragmented packets destined for the Routing Engine. Because the device evaluates every packet against a firewall filter (including fragments), you must configure the filter to accommodate fragments that do not contain packet header information. Otherwise, the filter discards all but the first fragment of a fragmented packet.

For information about configuring firewall filters in general (including in a Layer 3 environment), see Stateless Firewall Filter Overview and How Standard Firewall Filters Evaluate Packets in the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

To define a firewall filter with a port-mirroring action:

  1. Prepare traffic for port mirroring by including the filter statement at the [edit firewall family (inet | inet6)] hierarchy level.

    This filter at the [edit firewall family (inet | inet6)] hierarchy level selects traffic to be port-mirrored:

  2. Enable configuration of firewall filters.

    The value of the family option can be inet or inet6.

  3. Enable configuration of a firewall filter filter-name.
  4. Enable configuration of a firewall filter term filter-term-name.
  5. Specify the firewall filter match conditions based on the route source address to mirror a subset of the sampled packets.
  6. Enable configuration of the action and action-modifier to apply to the matching packets.
  7. Specify the actions to be taken on matching packets.

    The recommended value for the action is accept. If you do not specify an action, or if you omit the then statement entirely, all packets that match the conditions in the from statement are accepted.

  8. Specify port-mirror as the action-modifier.

    When the filter action is port-mirror, the packet is copied to a local interface for local or remote monitoring.

  9. Verify the minimum configuration of the firewall filter.
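The following configuration is an added illustration of the filter the procedure above builds; it is not taken from the original page or from Juniper's own examples. The filter names (mirror-v4, mirror-v6), term names, and the 192.0.2.0/24 and 2001:db8::/32 prefixes are assumed values chosen for illustration.

```junos
/* Added example: minimal port-mirroring filters for both supported families.
   Filter names, term names and prefixes are assumed, not from the page. */
[edit firewall family inet]
filter mirror-v4 {
    term mirror-monitored-subnet {
        from {
            /* Narrow the match so only the subset of traffic that needs
               analysis is copied toward the analyzer. */
            source-address {
                192.0.2.0/24;
            }
        }
        then {
            /* accept forwards the packet normally; port-mirror sends a copy
               out through the port-mirroring next-hop interface. */
            accept;
            port-mirror;
        }
    }
    /* A firewall filter ends with an implicit discard, so an explicit
       final accept keeps unmatched traffic flowing (and unmirrored). */
    term pass-everything-else {
        then accept;
    }
}

[edit firewall family inet6]
filter mirror-v6 {
    term mirror-monitored-prefix {
        from {
            source-address {
                2001:db8::/32;
            }
        }
        then {
            accept;
            port-mirror;
        }
    }
    term pass-everything-else {
        then accept;
    }
}
```

The filter only selects traffic; applying it to an interface and defining where mirrored copies are sent (the port-mirroring output under [edit forwarding-options]) are separate steps not covered on this page.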
Release History Table

  Release: 14.2
  Description: Starting with release 14.2, on routers containing an Internet Processor II application-specific integrated circuit (ASIC) or T Series Internet Processor, you can send a copy of an IP version 4 (IPv4) or IP version 6 (IPv6) packet from the router to an external host address or a packet analyzer for analysis.