[MX] Example Configuration of port-mirroring in logical systems

Article ID: KB32566 | KB Last Updated: 29 Apr 2018 | Version: 1.0

Summary:

This article provides an example of how to configure port-mirroring in logical systems.

Solution:
First, configure a port-mirroring instance:
 
# show forwarding-options
port-mirroring {
    instance {
        JTAC {
            input {
                rate 1;
                run-length 20;
                maximum-packet-length 9000;
            }
            family inet {
                output {
                    interface xe-1/0/0.10 {    <-- The interface pointing to the collector must be in the main-instance, otherwise the PM instance will be down
                        next-hop 10.2.10.2;
                    }
                    no-filter-check;
                }
            }
        }
    }
}

Once the instance is configured, map it to the FPC where the traffic will be received:
 
# show chassis
fpc 1 {    <-- For example, if the traffic you want to mirror is received in interface xe-2/0/0, then map the instance to FPC2
    port-mirror-instance JTAC;
}

If you are using an MX80 or MX104, the instance must always be mapped to FPC0.

Once the instance is mapped, create a firewall filter to activate the port mirroring. This firewall filter must be configured in the main instance, because logical systems do not support a filter with port-mirror actions:
 
# show firewall
filter PM {
    term 1 {
        then port-mirror-instance JTAC;
    }
}
After this, apply the filter in the logical system, under the interface where the traffic will be received:
 
# show logical-systems R2
interfaces {
    xe-1/1/0 {
        unit 10 {
            vlan-id 10;
            family inet {
                filter {
                    input PM;
                    output PM;
                }
                address 10.1.10.2/30;
            }
        }
    }
}
Be aware that having filters configured inside the logical systems will cause a resolution error in DFWD. This is explained in the document "References from a Nonfirewall Object in a Logical System to a Firewall Filter".
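
The placement rules above (collector-facing interface in the main instance, instance mapped to the FPC that receives the traffic or to FPC0 on MX80/MX104, port-mirror filter defined in the main instance) can be checked offline against a configuration in set form. The following Python is an added example, not Juniper code; the function name, the `single_fpc` flag and the sample lines (the article's configuration flattened to set commands) are assumptions made for illustration.

```python
import re

# Constructed sample: the article's configuration flattened to "set" commands.
SAMPLE = """\
set forwarding-options port-mirroring instance JTAC family inet output interface xe-1/0/0.10 next-hop 10.2.10.2
set chassis fpc 1 port-mirror-instance JTAC
set firewall filter PM term 1 then port-mirror-instance JTAC
set logical-systems R2 interfaces xe-1/1/0 unit 10 family inet filter input PM
set logical-systems R2 interfaces xe-1/1/0 unit 10 family inet filter output PM
"""

def check_port_mirroring(config, single_fpc=False):
    """Return findings; an empty list means the article's placement rules hold.
    single_fpc=True models MX80/MX104, where the instance is mapped to FPC0."""
    ls_ifls, outputs, fpc_map, pm_filters, applied = set(), {}, {}, {}, set()
    for line in config.splitlines():
        w, ls = line.split(), None
        if len(w) > 3 and w[:2] == ["set", "logical-systems"]:
            ls, w = w[2], ["set"] + w[3:]      # remember the logical system, strip prefix
        if len(w) < 5 or w[0] != "set":
            continue
        if w[1] == "interfaces" and ls and w[3] == "unit":
            ls_ifls.add(f"{w[2]}.{w[4]}")      # logical interface owned by a logical system
            if w[-3] == "filter" and w[-2] in ("input", "output"):
                applied.add((ls, w[2], w[-1]))
        elif w[1:4] == ["forwarding-options", "port-mirroring", "instance"] and "interface" in w[:-1]:
            outputs[w[4]] = (w[w.index("interface") + 1], ls)
        elif w[1:3] == ["chassis", "fpc"] and len(w) == 6 and w[4] == "port-mirror-instance":
            fpc_map.setdefault(w[5], set()).add(int(w[3]))
        elif w[1:3] == ["firewall", "filter"] and w[-2] == "port-mirror-instance":
            pm_filters[w[3]] = (w[-1], ls)
    findings = []
    for inst, (ifl, ls) in outputs.items():
        if ls or ifl in ls_ifls:
            findings.append(f"{inst}: output interface {ifl} is not in the main instance")
    for name, (inst, ls) in pm_filters.items():
        if ls:
            findings.append(f"{name}: port-mirror filter is defined in logical system {ls}")
    for ls, ifd, name in sorted(applied):
        slot = re.search(r"-(\d+)/", ifd)      # FPC slot from e.g. xe-1/1/0
        if name not in pm_filters or not slot:
            continue
        inst, want = pm_filters[name][0], 0 if single_fpc else int(slot.group(1))
        if want not in fpc_map.get(inst, set()):
            findings.append(f"{inst}: not mapped to fpc {want} (needed for {ls} {ifd})")
    return findings

if __name__ == "__main__":
    print(check_port_mirroring(SAMPLE) or "placement rules hold")
```
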
 
