Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Guidelines for troubleshooting Port Mirroring with Firewall Filters on the EX-Series Switch

0

0
Article ID: KB11047 KB Last Updated: 03 Mar 2017Version: 4.0 Summary:
Guidelines for using port mirroring with firewall filters on the EX-Series Switch.
Symptoms:

Solution:
Using firewall filters with port mirroring can have non-intuitive results. This KB describes some guidelines to follow.

NOTE: See Link URL below for additional information concerning port mirroring and applying filters.

Guidelines:

  1. Do not specify any input stanza for the analyzer, only output. The analyzer input is specified at the firewall filter then action line. If we specify an input on the analyzer, it will override the filter config and the filter will be ineffective.

  2. When monitoring a layer 2 source port we can only apply a filter in the inbound direction, so any filtering happens only for ingress traffic. Egress traffic on the source port will not be filtered, and will reach the analyzer output port.

  3. The analyzer action is enough in the filter then clause. "No accept" is needed since analyzer action will implicitly accept and send a copy to the analyzer output port.

  4. When we apply the input firewall filter to a source port or VLAN, the filter works like any normal filter.  Filtering action takes place as usual - this implies that any traffic that doesn't match any filter term, will be implicitly denied at the end of the filter. So this can block traffic if we do not catch all remaining traffic at the end and specify an accept action for it.

    term catch-all {
        then accept;
    }

  5. Mirroring high volume of traffic can be performance intensive for the switch. Therefore, you should disable it when you are not using it, and select specific input interfaces in preference to using the "all" keyword. You can also limit the amount of mirrored traffic with statistical sampling using the ratio keyword.

    [edit]
    juniper@3200-24-1# set ethernet-switching-options analyzer spy ratio ?
    Possible completions:
      <ratio>              Packet Ratio (0..2047)

  6. You can send copies of a sampling of packets to the analyzer port or VLAN by setting the ratio to 1:1 (every packet) through 1:2047 (one out of every 2047 packets). Default is 1:1.

  7. We can also specify the loss priority as low or high on the packets being monitored.

    [edit]
    juniper@3200-24-1# set ethernet-switching-options analyzer spy loss-priority ?                 
    Possible completions:
      high                 Loss priority high
      low                  Loss priority low

  8. If the analyzer output interface reaches capacity, packets are dropped. You should consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.

  9. Packets with physical-layer errors are filtered out and thus are not sent to the analyzer port or VLAN.

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search