
[MX] How to use 'family any firewall filter' to capture two-way traffic


Article ID: KB32201 KB Last Updated: 21 Nov 2017Version: 1.0
Summary:

This article provides an example of using a 'family any' firewall filter to monitor traffic. KB29753 - [MX] When port mirroring on the MX is done on family bridge interface, only one-way traffic is seen at analyzer describes the caveat of using a regular firewall filter: it can only monitor one-way traffic. A 'family any' firewall filter addresses this issue by allowing the user to monitor two-way traffic.

Symptoms:

Prior to Junos 13.3R6, before configuring port-mirror traffic, you needed to know whether the traffic was Layer 2 or Layer 3 traffic, because the type of traffic determines which family the firewall filter must use. Starting with Junos 13.3R6, an MX device with an MPC interface can use a 'family any' firewall filter to monitor Layer 2 traffic, Layer 3 traffic, or MPLS traffic.

Solution:

In the above diagram, IXIA port 1 sends ping traffic to the R1 IP address through R2 interface et-12/1/0. R2 uses port mirroring to copy the traffic to interface et-12/0/1.

The following are the related configurations:

set interfaces et-12/1/0 description "IXIA Port01"
set interfaces et-12/1/0 flexible-vlan-tagging
set interfaces et-12/1/0 encapsulation flexible-ethernet-services
set interfaces et-12/1/0 unit 3004 encapsulation vlan-bridge
set interfaces et-12/1/0 unit 3004 vlan-id 3004

set interfaces et-12/0/1 description "IXIA Port02"
set interfaces et-12/0/1 flexible-vlan-tagging
set interfaces et-12/0/1 mtu 9192
set interfaces et-12/0/1 encapsulation flexible-ethernet-services
set interfaces et-12/0/1 unit 15 encapsulation vlan-bridge
set interfaces et-12/0/1 unit 15 vlan-id 15

set interfaces irb unit 3004 family inet address 30.0.0.3/24

set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family any output interface et-12/0/1.15

set bridge-domains analyzer1 domain-type bridge
set bridge-domains analyzer1 vlan-id 15
set bridge-domains analyzer1 interface et-12/0/1.15
set bridge-domains vlan3004 domain-type bridge
set bridge-domains vlan3004 vlan-id 3004
set bridge-domains vlan3004 interface et-12/1/0.3004
set bridge-domains vlan3004 routing-interface irb.3004

set firewall family any filter pm-any term 1 then port-mirror
set firewall family any filter pm-any term 1 then accept

This firewall filter can be applied either to the physical interface or to the irb interface:

set interfaces et-12/1/0 unit 3004 filter input pm-any
set interfaces et-12/1/0 unit 3004 filter output pm-any

Or

set interfaces irb unit 3004 filter input pm-any
set interfaces irb unit 3004 filter output pm-any
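The one-way caveat the article works around comes back if the filter is applied in only one direction, or if a regular (non-any) filter is used for the port-mirror action. As an added example that is not from the Juniper article, the following Python audit reads a set-format snippet (constructed here: it reuses the pm-any filter above, adds a hypothetical family bridge filter named pm-bridge, and applies it to irb.3004 as input only) and reports both conditions.

```python
import re
from collections import defaultdict

# Constructed sample in Junos 'set' format, modelled on the configuration above.
# 'pm-bridge' is a hypothetical filter; irb.3004 deliberately carries only an
# input filter so that the audit has something to report.
SAMPLE_CONFIG = """
set forwarding-options port-mirroring family any output interface et-12/0/1.15
set firewall family any filter pm-any term 1 then port-mirror
set firewall family any filter pm-any term 1 then accept
set firewall family bridge filter pm-bridge term 1 then port-mirror
set firewall family bridge filter pm-bridge term 1 then accept
set interfaces et-12/1/0 unit 3004 filter input pm-any
set interfaces et-12/1/0 unit 3004 filter output pm-any
set interfaces irb unit 3004 filter input pm-bridge
"""

# A filter term whose action is port-mirror, and the family it belongs to.
FILTER_RE = re.compile(r"^set firewall family (\S+) filter (\S+) term \S+ then port-mirror")
# A filter applied to a logical interface in the input or output direction.
APPLY_RE = re.compile(r"^set interfaces (\S+) unit (\d+) filter (input|output) (\S+)")


def audit_port_mirror_filters(config: str) -> list:
    """Return findings for port-mirror filters that cannot capture two-way traffic."""
    family_of = {}                       # filter name -> firewall family
    directions = defaultdict(set)        # (logical interface, filter) -> {input, output}
    for line in config.splitlines():
        line = line.strip()
        m = FILTER_RE.match(line)
        if m:
            family_of[m.group(2)] = m.group(1)
            continue
        m = APPLY_RE.match(line)
        if m:
            ifd, unit, direction, name = m.groups()
            directions[(f"{ifd}.{unit}", name)].add(direction)
    findings = []
    for (ifl, name), dirs in sorted(directions.items()):
        if name not in family_of:
            continue                     # not a port-mirror filter, nothing to check
        if family_of[name] != "any":
            findings.append(f"{ifl}: filter {name} is family {family_of[name]}, "
                            "a regular filter that only mirrors one-way traffic")
        missing = {"input", "output"} - dirs
        if missing:
            findings.append(f"{ifl}: filter {name} applied only as {'/'.join(sorted(dirs))}; "
                            f"missing {'/'.join(sorted(missing))}, so only one direction is mirrored")
    return findings
```

Running the audit over SAMPLE_CONFIG reports nothing for et-12/1/0.3004 and two findings for irb.3004.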