Services on the QFX Series - Juniper.net
Services on the QFX Series - Juniper.net
Services on the QFX Series - Juniper.net
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Release<br />
13.2<br />
Published: 2013-11-21<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
<strong>Juniper</strong> Networks, Inc.<br />
1194 North Mathilda Avenue<br />
Sunnyvale, California 94089<br />
USA<br />
408-745-2000<br />
www.juniper.<strong>net</strong><br />
<strong>Juniper</strong> Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of <strong>Juniper</strong> Networks, Inc. in <strong>the</strong> United<br />
States and o<strong>the</strong>r countries. The <strong>Juniper</strong> Networks Logo, <strong>the</strong> Junos logo, and JunosE are trademarks of <strong>Juniper</strong> Networks, Inc. All o<strong>the</strong>r<br />
trademarks, service marks, registered trademarks, or registered service marks are <strong>the</strong> property of <strong>the</strong>ir respective owners.<br />
<strong>Juniper</strong> Networks assumes no resp<strong>on</strong>sibility for any inaccuracies in this document. <strong>Juniper</strong> Networks reserves <strong>the</strong> right to change, modify,<br />
transfer, or o<strong>the</strong>rwise revise this publicati<strong>on</strong> without notice.<br />
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
13.2<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
All rights reserved.<br />
The informati<strong>on</strong> in this document is current as of <strong>the</strong> date <strong>on</strong> <strong>the</strong> title page.<br />
YEAR 2000 NOTICE<br />
<strong>Juniper</strong> Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitati<strong>on</strong>s through <strong>the</strong><br />
year 2038. However, <strong>the</strong> NTP applicati<strong>on</strong> is known to have some difficulty in <strong>the</strong> year 2036.<br />
END USER LICENSE AGREEMENT<br />
The <strong>Juniper</strong> Networks product that is <strong>the</strong> subject of this technical documentati<strong>on</strong> c<strong>on</strong>sists of (or is intended for use with) <strong>Juniper</strong> Networks<br />
software. Use of such software is subject to <strong>the</strong> terms and c<strong>on</strong>diti<strong>on</strong>s of <strong>the</strong> End User License Agreement (“EULA”) posted at<br />
http://www.juniper.<strong>net</strong>/support/eula.html. By downloading, installing or using such software, you agree to <strong>the</strong> terms and c<strong>on</strong>diti<strong>on</strong>s of<br />
that EULA.<br />
ii<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Table of C<strong>on</strong>tents<br />
About <strong>the</strong> Documentati<strong>on</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi<br />
Documentati<strong>on</strong> and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi<br />
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi<br />
Using <strong>the</strong> Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi<br />
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii<br />
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii<br />
Documentati<strong>on</strong> C<strong>on</strong>venti<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii<br />
Documentati<strong>on</strong> Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv<br />
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv<br />
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xv<br />
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi<br />
Part 1<br />
Overview<br />
Chapter 1 Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
Understanding Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
Port Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
Port-Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4<br />
Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
Local and Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
Remote Port Mirroring Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7<br />
Understanding Layer 3 Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7<br />
Chapter 2 DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
DHCP and BOOTP Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
Part 2<br />
C<strong>on</strong>figurati<strong>on</strong><br />
Chapter 3 C<strong>on</strong>figurati<strong>on</strong> Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis . . . . . . . . . . . . . . . . . . . . . . 13<br />
Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis . . . . . . . . . . . . . . . . . . . . 17<br />
Chapter 4 C<strong>on</strong>figurati<strong>on</strong> Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
C<strong>on</strong>figuring Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
C<strong>on</strong>figuring Port Mirroring for Local Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
C<strong>on</strong>figuring Port Mirroring for Remote Analysis . . . . . . . . . . . . . . . . . . . . . . . . 24<br />
Filtering <strong>the</strong> Traffic Entering an Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
C<strong>on</strong>figuring DHCP and BOOTP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26<br />
C<strong>on</strong>figuring a DHCP and BOOTP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . 26<br />
C<strong>on</strong>figuring DHCP Smart Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
iii
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Chapter 5 C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . 29<br />
analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30<br />
egress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31<br />
e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32<br />
ingress (e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34<br />
input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35<br />
interface (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
ip-address (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37<br />
output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38<br />
vlan (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
Chapter 6 C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
au<strong>the</strong>nticati<strong>on</strong>-key-chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42<br />
cache-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43<br />
cache-timeout-negative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44<br />
ca-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44<br />
certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45<br />
certificati<strong>on</strong>-authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<br />
crl (Encrypti<strong>on</strong> Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<br />
encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
enrollment-retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
enrollment-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48<br />
file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48<br />
key (Au<strong>the</strong>nticati<strong>on</strong> Keychain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
key-chain (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
ldap-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51<br />
local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52<br />
maximum-certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
path-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54<br />
security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55<br />
ssh-known-hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56<br />
start-time (Au<strong>the</strong>nticati<strong>on</strong> Key Transmissi<strong>on</strong>) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57<br />
traceopti<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59<br />
Chapter 7 C<strong>on</strong>figurati<strong>on</strong> Statements for DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61<br />
apply-sec<strong>on</strong>dary-as-giaddr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61<br />
bootp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62<br />
broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63<br />
client-resp<strong>on</strong>se-ttl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63<br />
descripti<strong>on</strong> (Forwarding Opti<strong>on</strong>s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64<br />
interface (BOOTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65<br />
maximum-hop-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66<br />
minimum-wait-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66<br />
no-listen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
server (DHCP and BOOTP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
iv<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Table of C<strong>on</strong>tents<br />
Part 3<br />
Administrati<strong>on</strong><br />
Chapter 8 M<strong>on</strong>itoring Commands for Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
show analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72<br />
Part 4<br />
Troubleshooting<br />
Chapter 9 Troubleshooting Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77<br />
Troubleshooting Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77<br />
Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77<br />
Local and Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77<br />
Remote Port Mirroring Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79<br />
Egress Port Mirroring with VLAN Translati<strong>on</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . 79<br />
Egress Port Mirroring with Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
v
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
vi<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
List of Figures<br />
Part 2<br />
C<strong>on</strong>figurati<strong>on</strong><br />
Chapter 3 C<strong>on</strong>figurati<strong>on</strong> Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Figure 1: Network Topology for Local Port Mirroring Example . . . . . . . . . . . . . . . . . 14<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
vii
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
viii<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
List of Tables<br />
About <strong>the</strong> Documentati<strong>on</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi<br />
Table 1: Notice Ic<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii<br />
Table 2: Text and Syntax C<strong>on</strong>venti<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii<br />
Part 1<br />
Overview<br />
Chapter 1 Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
Table 3: Port Mirroring Terms and Definiti<strong>on</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4<br />
Part 3<br />
Administrati<strong>on</strong><br />
Chapter 8 M<strong>on</strong>itoring Commands for Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
Table 4: show analyzer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
ix
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
x<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
About <strong>the</strong> Documentati<strong>on</strong><br />
Documentati<strong>on</strong> and Release Notes<br />
• Documentati<strong>on</strong> and Release Notes <strong>on</strong> page xi<br />
• Supported Platforms <strong>on</strong> page xi<br />
• Using <strong>the</strong> Examples in This Manual <strong>on</strong> page xi<br />
• Documentati<strong>on</strong> C<strong>on</strong>venti<strong>on</strong>s <strong>on</strong> page xiii<br />
• Documentati<strong>on</strong> Feedback <strong>on</strong> page xiv<br />
• Requesting Technical Support <strong>on</strong> page xv<br />
Supported Platforms<br />
To obtain <strong>the</strong> most current versi<strong>on</strong> of all <strong>Juniper</strong> Networks ® technical documentati<strong>on</strong>,<br />
see <strong>the</strong> product documentati<strong>on</strong> page <strong>on</strong> <strong>the</strong> <strong>Juniper</strong> Networks website at<br />
http://www.juniper.<strong>net</strong>/techpubs/.<br />
If <strong>the</strong> informati<strong>on</strong> in <strong>the</strong> latest release notes differs from <strong>the</strong> informati<strong>on</strong> in <strong>the</strong><br />
documentati<strong>on</strong>, follow <strong>the</strong> product Release Notes.<br />
<strong>Juniper</strong> Networks Books publishes books by <strong>Juniper</strong> Networks engineers and subject<br />
matter experts. These books go bey<strong>on</strong>d <strong>the</strong> technical documentati<strong>on</strong> to explore <strong>the</strong><br />
nuances of <strong>net</strong>work architecture, deployment, and administrati<strong>on</strong>. The current list can<br />
be viewed at http://www.juniper.<strong>net</strong>/books.<br />
For <strong>the</strong> features described in this document, <strong>the</strong> following platforms are supported:<br />
• <strong>QFX</strong> <strong>Series</strong> standal<strong>on</strong>e switches<br />
Using <strong>the</strong> Examples in This Manual<br />
If you want to use <strong>the</strong> examples in this manual, you can use <strong>the</strong> load merge or <strong>the</strong> load<br />
merge relative command. These commands cause <strong>the</strong> software to merge <strong>the</strong> incoming<br />
c<strong>on</strong>figurati<strong>on</strong> into <strong>the</strong> current candidate c<strong>on</strong>figurati<strong>on</strong>. The example does not become<br />
active until you commit <strong>the</strong> candidate c<strong>on</strong>figurati<strong>on</strong>.<br />
If <strong>the</strong> example c<strong>on</strong>figurati<strong>on</strong> c<strong>on</strong>tains <strong>the</strong> top level of <strong>the</strong> hierarchy (or multiple<br />
hierarchies), <strong>the</strong> example is a full example. In this case, use <strong>the</strong> load merge command.<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
xi
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Merging a Full Example<br />
If <strong>the</strong> example c<strong>on</strong>figurati<strong>on</strong> does not start at <strong>the</strong> top level of <strong>the</strong> hierarchy, <strong>the</strong> example<br />
is a snippet. In this case, use <strong>the</strong> load merge relative command. These procedures are<br />
described in <strong>the</strong> following secti<strong>on</strong>s.<br />
To merge a full example, follow <strong>the</strong>se steps:<br />
1. From <strong>the</strong> HTML or PDF versi<strong>on</strong> of <strong>the</strong> manual, copy a c<strong>on</strong>figurati<strong>on</strong> example into a<br />
text file, save <strong>the</strong> file with a name, and copy <strong>the</strong> file to a directory <strong>on</strong> your routing<br />
platform.<br />
For example, copy <strong>the</strong> following c<strong>on</strong>figurati<strong>on</strong> to a file and name <strong>the</strong> file ex-script.c<strong>on</strong>f.<br />
Copy <strong>the</strong> ex-script.c<strong>on</strong>f file to <strong>the</strong> /var/tmp directory <strong>on</strong> your routing platform.<br />
system {<br />
scripts {<br />
commit {<br />
file ex-script.xsl;<br />
}<br />
}<br />
}<br />
interfaces {<br />
fxp0 {<br />
disable;<br />
unit 0 {<br />
family i<strong>net</strong> {<br />
address 10.0.0.1/24;<br />
}<br />
}<br />
}<br />
}<br />
2. Merge <strong>the</strong> c<strong>on</strong>tents of <strong>the</strong> file into your routing platform c<strong>on</strong>figurati<strong>on</strong> by issuing <strong>the</strong><br />
load merge c<strong>on</strong>figurati<strong>on</strong> mode command:<br />
[edit]<br />
user@host# load merge /var/tmp/ex-script.c<strong>on</strong>f<br />
load complete<br />
Merging a Snippet<br />
To merge a snippet, follow <strong>the</strong>se steps:<br />
1. From <strong>the</strong> HTML or PDF versi<strong>on</strong> of <strong>the</strong> manual, copy a c<strong>on</strong>figurati<strong>on</strong> snippet into a text<br />
file, save <strong>the</strong> file with a name, and copy <strong>the</strong> file to a directory <strong>on</strong> your routing platform.<br />
For example, copy <strong>the</strong> following snippet to a file and name <strong>the</strong> file<br />
ex-script-snippet.c<strong>on</strong>f. Copy <strong>the</strong> ex-script-snippet.c<strong>on</strong>f file to <strong>the</strong> /var/tmp directory<br />
<strong>on</strong> your routing platform.<br />
commit {<br />
file ex-script-snippet.xsl; }<br />
2. Move to <strong>the</strong> hierarchy level that is relevant for this snippet by issuing <strong>the</strong> following<br />
c<strong>on</strong>figurati<strong>on</strong> mode command:<br />
xii<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
About <strong>the</strong> Documentati<strong>on</strong><br />
[edit]<br />
user@host# edit system scripts<br />
[edit system scripts]<br />
3. Merge <strong>the</strong> c<strong>on</strong>tents of <strong>the</strong> file into your routing platform c<strong>on</strong>figurati<strong>on</strong> by issuing <strong>the</strong><br />
load merge relative c<strong>on</strong>figurati<strong>on</strong> mode command:<br />
[edit system scripts]<br />
user@host# load merge relative /var/tmp/ex-script-snippet.c<strong>on</strong>f<br />
load complete<br />
Documentati<strong>on</strong> C<strong>on</strong>venti<strong>on</strong>s<br />
For more informati<strong>on</strong> about <strong>the</strong> load command, see <strong>the</strong> CLI User Guide.<br />
Table 1: Notice Ic<strong>on</strong>s<br />
Table 1 <strong>on</strong> page xiii defines notice ic<strong>on</strong>s used in this guide.<br />
Ic<strong>on</strong><br />
Meaning<br />
Descripti<strong>on</strong><br />
Informati<strong>on</strong>al note<br />
Indicates important features or instructi<strong>on</strong>s.<br />
Cauti<strong>on</strong><br />
Indicates a situati<strong>on</strong> that might result in loss of data or hardware damage.<br />
Warning<br />
Alerts you to <strong>the</strong> risk of pers<strong>on</strong>al injury or death.<br />
Laser warning<br />
Alerts you to <strong>the</strong> risk of pers<strong>on</strong>al injury from a laser.<br />
Table 2: Text and Syntax C<strong>on</strong>venti<strong>on</strong>s<br />
Table 2 <strong>on</strong> page xiii defines <strong>the</strong> text and syntax c<strong>on</strong>venti<strong>on</strong>s used in this guide.<br />
C<strong>on</strong>venti<strong>on</strong><br />
Descripti<strong>on</strong><br />
Examples<br />
Bold text like this<br />
Represents text that you type.<br />
To enter c<strong>on</strong>figurati<strong>on</strong> mode, type <strong>the</strong><br />
c<strong>on</strong>figure command:<br />
user@host> c<strong>on</strong>figure<br />
Fixed-width text like this<br />
Represents output that appears <strong>on</strong> <strong>the</strong><br />
terminal screen.<br />
user@host> show chassis alarms<br />
No alarms currently active<br />
Italic text like this<br />
• Introduces or emphasizes important<br />
new terms.<br />
• Identifies guide names.<br />
• Identifies RFC and Inter<strong>net</strong> draft titles.<br />
• A policy term is a named structure<br />
that defines match c<strong>on</strong>diti<strong>on</strong>s and<br />
acti<strong>on</strong>s.<br />
• Junos OS CLI User Guide<br />
• RFC 1997, BGP Communities Attribute<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
xiii
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Table 2: Text and Syntax C<strong>on</strong>venti<strong>on</strong>s (c<strong>on</strong>tinued)<br />
C<strong>on</strong>venti<strong>on</strong><br />
Descripti<strong>on</strong><br />
Examples<br />
Italic text like this<br />
Represents variables (opti<strong>on</strong>s for which<br />
you substitute a value) in commands or<br />
c<strong>on</strong>figurati<strong>on</strong> statements.<br />
C<strong>on</strong>figure <strong>the</strong> machine’s domain name:<br />
[edit]<br />
root@# set system domain-name<br />
domain-name<br />
Text like this<br />
Represents names of c<strong>on</strong>figurati<strong>on</strong><br />
statements, commands, files, and<br />
directories; c<strong>on</strong>figurati<strong>on</strong> hierarchy levels;<br />
or labels <strong>on</strong> routing platform<br />
comp<strong>on</strong>ents.<br />
• To c<strong>on</strong>figure a stub area, include <strong>the</strong><br />
stub statement at <strong>the</strong> [edit protocols<br />
ospf area area-id] hierarchy level.<br />
• The c<strong>on</strong>sole port is labeled CONSOLE.<br />
< > (angle brackets)<br />
Encloses opti<strong>on</strong>al keywords or variables.<br />
stub ;<br />
| (pipe symbol)<br />
Indicates a choice between <strong>the</strong> mutually<br />
exclusive keywords or variables <strong>on</strong> ei<strong>the</strong>r<br />
side of <strong>the</strong> symbol. The set of choices is<br />
often enclosed in paren<strong>the</strong>ses for clarity.<br />
broadcast | multicast<br />
(string1 | string2 | string3)<br />
# (pound sign)<br />
Indicates a comment specified <strong>on</strong> <strong>the</strong><br />
same line as <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> statement<br />
to which it applies.<br />
rsvp { # Required for dynamic MPLS <strong>on</strong>ly<br />
[ ] (square brackets)<br />
Encloses a variable for which you can<br />
substitute <strong>on</strong>e or more values.<br />
community name members [<br />
community-ids ]<br />
Indenti<strong>on</strong> and braces ( { } )<br />
; (semicol<strong>on</strong>)<br />
Identifies a level in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong><br />
hierarchy.<br />
Identifies a leaf statement at a<br />
c<strong>on</strong>figurati<strong>on</strong> hierarchy level.<br />
[edit]<br />
routing-opti<strong>on</strong>s {<br />
static {<br />
route default {<br />
nexthop address;<br />
retain;<br />
}<br />
}<br />
}<br />
GUI C<strong>on</strong>venti<strong>on</strong>s<br />
Bold text like this<br />
Represents graphical user interface (GUI)<br />
items you click or select.<br />
• In <strong>the</strong> Logical Interfaces box, select<br />
All Interfaces.<br />
• To cancel <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>, click<br />
Cancel.<br />
> (bold right angle bracket)<br />
Separates levels in a hierarchy of menu<br />
selecti<strong>on</strong>s.<br />
In <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> editor hierarchy,<br />
select Protocols>Ospf.<br />
Documentati<strong>on</strong> Feedback<br />
We encourage you to provide feedback, comments, and suggesti<strong>on</strong>s so that we can<br />
improve <strong>the</strong> documentati<strong>on</strong>. You can send your comments to<br />
techpubs-comments@juniper.<strong>net</strong>, or fill out <strong>the</strong> documentati<strong>on</strong> feedback form at<br />
xiv<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
About <strong>the</strong> Documentati<strong>on</strong><br />
https://www.juniper.<strong>net</strong>/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include<br />
<strong>the</strong> following informati<strong>on</strong> with your comments:<br />
• Document or topic name<br />
• URL or page number<br />
• Software release versi<strong>on</strong> (if applicable)<br />
Requesting Technical Support<br />
Technical product support is available through <strong>the</strong> <strong>Juniper</strong> Networks Technical Assistance<br />
Center (JTAC). If you are a customer with an active J-Care or JNASC support c<strong>on</strong>tract,<br />
or are covered under warranty, and need post-sales technical support, you can access<br />
our tools and resources <strong>on</strong>line or open a case with JTAC.<br />
• JTAC policies—For a complete understanding of our JTAC procedures and policies,<br />
review <strong>the</strong> JTAC User Guide located at<br />
http://www.juniper.<strong>net</strong>/us/en/local/pdf/resource-guides/7100059-en.pdf.<br />
• Product warranties—For product warranty informati<strong>on</strong>, visit<br />
http://www.juniper.<strong>net</strong>/support/warranty/.<br />
• JTAC hours of operati<strong>on</strong>—The JTAC centers have resources available 24 hours a day,<br />
7 days a week, 365 days a year.<br />
Self-Help Online Tools and Resources<br />
For quick and easy problem resoluti<strong>on</strong>, <strong>Juniper</strong> Networks has designed an <strong>on</strong>line<br />
self-service portal called <strong>the</strong> Customer Support Center (CSC) that provides you with <strong>the</strong><br />
following features:<br />
• Find CSC offerings: http://www.juniper.<strong>net</strong>/customers/support/<br />
• Search for known bugs: http://www2.juniper.<strong>net</strong>/kb/<br />
• Find product documentati<strong>on</strong>: http://www.juniper.<strong>net</strong>/techpubs/<br />
• Find soluti<strong>on</strong>s and answer questi<strong>on</strong>s using our Knowledge Base: http://kb.juniper.<strong>net</strong>/<br />
• Download <strong>the</strong> latest versi<strong>on</strong>s of software and review release notes:<br />
http://www.juniper.<strong>net</strong>/customers/csc/software/<br />
• Search technical bulletins for relevant hardware and software notificati<strong>on</strong>s:<br />
https://www.juniper.<strong>net</strong>/alerts/<br />
• Join and participate in <strong>the</strong> <strong>Juniper</strong> Networks Community Forum:<br />
http://www.juniper.<strong>net</strong>/company/communities/<br />
• Open a case <strong>on</strong>line in <strong>the</strong> CSC Case Management tool: http://www.juniper.<strong>net</strong>/cm/<br />
To verify service entitlement by product serial number, use our Serial Number Entitlement<br />
(SNE) Tool: https://tools.juniper.<strong>net</strong>/SerialNumberEntitlementSearch/<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
xv
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Opening a Case with JTAC<br />
You can open a case with JTAC <strong>on</strong> <strong>the</strong> Web or by teleph<strong>on</strong>e.<br />
• Use <strong>the</strong> Case Management tool in <strong>the</strong> CSC at http://www.juniper.<strong>net</strong>/cm/.<br />
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in <strong>the</strong> USA, Canada, and Mexico).<br />
For internati<strong>on</strong>al or direct-dial opti<strong>on</strong>s in countries without toll-free numbers, see<br />
http://www.juniper.<strong>net</strong>/support/requesting-support.html.<br />
xvi<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
PART 1<br />
Overview<br />
• Port Mirroring <strong>on</strong> page 3<br />
• DHCP Relay <strong>on</strong> page 9<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
1
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
2<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 1<br />
Port Mirroring<br />
Understanding Port Mirroring<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• Understanding Layer 3 Logical Interfaces <strong>on</strong> page 7<br />
• Port Mirroring Overview <strong>on</strong> page 3<br />
• Port-Mirroring Terminology <strong>on</strong> page 4<br />
• Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s <strong>on</strong> page 5<br />
Port Mirroring Overview<br />
Port mirroring copies packets entering or exiting a port or entering a VLAN and sends <strong>the</strong><br />
copies to a local interface for local m<strong>on</strong>itoring or to a VLAN for remote m<strong>on</strong>itoring. Use<br />
port mirroring to send traffic to applicati<strong>on</strong>s that analyze traffic for purposes such as<br />
m<strong>on</strong>itoring compliance, enforcing policies, detecting intrusi<strong>on</strong>s, m<strong>on</strong>itoring and predicting<br />
traffic patterns, correlating events, and so <strong>on</strong>.<br />
Port mirroring is needed for traffic analysis <strong>on</strong> a switch because a switch normally sends<br />
packets <strong>on</strong>ly to <strong>the</strong> port to which <strong>the</strong> destinati<strong>on</strong> device is c<strong>on</strong>nected. You c<strong>on</strong>figure port<br />
mirroring <strong>on</strong> <strong>the</strong> switch to send copies of unicast traffic to a local interface or a VLAN<br />
and run an analyzer applicati<strong>on</strong> <strong>on</strong> a device c<strong>on</strong>nected to <strong>the</strong> interface or VLAN. You<br />
c<strong>on</strong>figure port mirroring by using <strong>the</strong> analyzer statement.<br />
Keep performance in mind when c<strong>on</strong>figuring port mirroring. For example, If you mirror<br />
traffic from multiple ports, <strong>the</strong> mirrored traffic may exceed <strong>the</strong> capacity of <strong>the</strong> output<br />
interface. We recommend that you limit <strong>the</strong> amount of copied traffic by selecting specific<br />
interfaces instead of using <strong>the</strong> all keyword. You can also limit <strong>the</strong> amount of mirrored<br />
traffic by using a firewall filter. Mirroring <strong>on</strong>ly <strong>the</strong> necessary packets reduces <strong>the</strong> possibility<br />
of a performance impact.<br />
You can use port mirroring to copy any of <strong>the</strong> following:<br />
• All packets entering or exiting an interface (in any combinati<strong>on</strong>)—For example, you<br />
can send copies of <strong>the</strong> packets entering some interfaces and <strong>the</strong> packets exiting o<strong>the</strong>r<br />
interfaces to <strong>the</strong> same local interface or VLAN. If you c<strong>on</strong>figure port mirroring to copy<br />
packets exiting an interface, traffic that originates <strong>on</strong> that switch or Node device (in a<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
3
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
QFabric system) is not copied when it egresses. Only switched traffic is copied <strong>on</strong><br />
egress. (See <strong>the</strong> limitati<strong>on</strong> <strong>on</strong> egress mirroring below.)<br />
• All packets entering a VLAN—You cannot use port mirroring to copy packets exiting a<br />
VLAN.<br />
• Firewall-filtered sample—Sample of packets entering a port or VLAN. C<strong>on</strong>figure a<br />
firewall filter to select certain packets for mirroring.<br />
NOTE: Firewall filters are not supported <strong>on</strong> egress ports; <strong>the</strong>refore, you<br />
cannot specify policy-based sampling of packets exiting an interface.<br />
Port-Mirroring Terminology<br />
Table 3 <strong>on</strong> page 4 lists <strong>the</strong> terms used in <strong>the</strong> documentati<strong>on</strong> about port mirroring and<br />
provides definiti<strong>on</strong>s.<br />
Table 3: Port Mirroring Terms and Definiti<strong>on</strong>s<br />
Term<br />
Analyzer<br />
Descripti<strong>on</strong><br />
Port-mirroring c<strong>on</strong>figurati<strong>on</strong>. The analyzer includes a name, source interfaces or source<br />
VLAN, and a destinati<strong>on</strong> for mirrored packets (ei<strong>the</strong>r a local access interface or a VLAN).<br />
Output interface (also known as<br />
m<strong>on</strong>itor interface)<br />
Access interface to which packet copies are sent and to which a device running an analyzer<br />
applicati<strong>on</strong> is c<strong>on</strong>nected.<br />
The following limitati<strong>on</strong>s apply to an output interface:<br />
• Cannot also be a source port.<br />
• Cannot be used for switching.<br />
• Cannot be an aggregated E<strong>the</strong>r<strong>net</strong> interface (LAG).<br />
• Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP).<br />
• Loses any existing VLAN associati<strong>on</strong>s when you c<strong>on</strong>figure it as an analyzer output<br />
interface.<br />
If <strong>the</strong> capacity of <strong>the</strong> output interface is insufficient to handle <strong>the</strong> traffic from <strong>the</strong> source<br />
ports, overflow packets are dropped.<br />
Output IP address<br />
IP address of <strong>the</strong> device running an analyzer applicati<strong>on</strong>. The device can be <strong>on</strong> a remote<br />
<strong>net</strong>work. When you use this feature, <strong>the</strong> mirrored packets are GRE-encapsulated. The<br />
analyzer device must be able to de-encapsulate GRE-encapsulated packets, or <strong>the</strong><br />
GRE-encapsulated packets must be de-encapsulated before reaching <strong>the</strong> analyzer device.<br />
(You can use a <strong>net</strong>work sniffer to de-encapsulate <strong>the</strong> packets.)<br />
• An output IP address cannot be in <strong>the</strong> same sub<strong>net</strong>work as any of <strong>the</strong> switch’s<br />
management interfaces.<br />
• If you create virtual routing instances and also create an analyzer c<strong>on</strong>figurati<strong>on</strong> that<br />
includes an output IP address, <strong>the</strong> output address bel<strong>on</strong>gs to <strong>the</strong> default virtual routing<br />
instance (i<strong>net</strong>.0 routing table).<br />
4<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 1: Port Mirroring<br />
Table 3: Port Mirroring Terms and Definiti<strong>on</strong>s (c<strong>on</strong>tinued)<br />
Output VLAN (also known as<br />
m<strong>on</strong>itor or analyzer VLAN)<br />
VLAN to which copies are sent and to which a device running an analyzer applicati<strong>on</strong> is<br />
c<strong>on</strong>nected. The analyzer VLAN can span multiple switches.<br />
The following limitati<strong>on</strong>s apply to an output VLAN:<br />
• Cannot be a private VLAN or VLAN range.<br />
• Cannot be shared by multiple analyzer statements.<br />
• An output VLAN interface cannot be a member of any o<strong>the</strong>r VLAN.<br />
• An output VLAN interface cannot be an aggregated E<strong>the</strong>r<strong>net</strong> interface (LAG).<br />
• On <strong>the</strong> source (m<strong>on</strong>itored) switch, <strong>on</strong>ly <strong>on</strong>e interface can be a member of <strong>the</strong> analyzer<br />
VLAN.<br />
Input interface (also known as<br />
mirrored or m<strong>on</strong>itored interface)<br />
Interface that provides traffic to be mirrored. This traffic can be entering or exiting <strong>the</strong><br />
interface. (Ingress or egress traffic can be mirrored.) An input interface cannot also be an<br />
output interface for an analyzer.<br />
M<strong>on</strong>itoring stati<strong>on</strong><br />
Computer running an analyzer applicati<strong>on</strong>.<br />
Local port mirroring<br />
Port-mirroring c<strong>on</strong>figurati<strong>on</strong> in which <strong>the</strong> mirrored packets are sent to an interface <strong>on</strong> <strong>the</strong><br />
same switch.<br />
Remote port mirroring<br />
Flooding mirrored packets to an analyzer VLAN that you create to receive mirror traffic or<br />
sending <strong>the</strong> mirrored packets to a remote IP address. (You cannot send mirrored packets<br />
to a remote IP address <strong>on</strong> a QFabric system.)<br />
Policy-based mirroring<br />
Mirroring of packets that match <strong>the</strong> match a firewall filter term. The acti<strong>on</strong> analyzer<br />
analyzer-name is used in <strong>the</strong> firewall filter to send <strong>the</strong> packets to <strong>the</strong> analyzer.<br />
Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s<br />
• Local and Remote Port Mirroring <strong>on</strong> page 5<br />
• Remote Port Mirroring Only <strong>on</strong> page 7<br />
Local and Remote Port Mirroring<br />
The following c<strong>on</strong>straints and limitati<strong>on</strong>s apply to local and remote port mirroring with<br />
<strong>the</strong> <strong>QFX</strong> <strong>Series</strong>:<br />
• You can create a total of four port-mirroring c<strong>on</strong>figurati<strong>on</strong>s <strong>on</strong> a <strong>QFX</strong> <strong>Series</strong> standal<strong>on</strong>e<br />
switch.<br />
• You can create a total of four port-mirroring c<strong>on</strong>figurati<strong>on</strong>s <strong>on</strong> each Node group in a<br />
QFabric system, subject to <strong>the</strong> following c<strong>on</strong>straints:<br />
• As many as four of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>s can be for local port mirroring.<br />
• As many as three of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>s can be for remote port mirroring.<br />
• Regardless of whe<strong>the</strong>r you are c<strong>on</strong>figuring a standal<strong>on</strong>e switch or a Node group, <strong>the</strong><br />
following limits apply:<br />
• There can be no more than two c<strong>on</strong>figurati<strong>on</strong>s that mirror ingress traffic. (If you<br />
c<strong>on</strong>figure a firewall filter to send traffic to a port mirror—that is, you use <strong>the</strong> analyzer<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
5
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
acti<strong>on</strong> modifier in a filter term—this counts as an ingress mirroring c<strong>on</strong>figurati<strong>on</strong> for<br />
switch or Node group <strong>on</strong> which <strong>the</strong> filter is applied.)<br />
• There can be no more than two c<strong>on</strong>figurati<strong>on</strong>s that mirror egress traffic.<br />
NOTE: On QFabric systems, <strong>the</strong>re is no system-wide limit <strong>on</strong> <strong>the</strong> total number<br />
of mirror sessi<strong>on</strong>s.<br />
• You can c<strong>on</strong>figure no more than <strong>on</strong>e type of output in <strong>on</strong>e port-mirroring c<strong>on</strong>figurati<strong>on</strong>.<br />
That is, you can use no more than <strong>on</strong>e of <strong>the</strong> following to complete a set analyzer name<br />
output statement:<br />
• interface<br />
• ip-address<br />
• vlan<br />
• If you c<strong>on</strong>figure Junos OS to mirror egress packets, do not c<strong>on</strong>figure more than 2000<br />
VLANs <strong>on</strong> a <strong>QFX</strong>3500 device or QFabric system. If you do so, some VLAN packets<br />
might c<strong>on</strong>tain incorrect VLAN IDs. This applies to any VLAN packets—not <strong>on</strong>ly <strong>the</strong><br />
mirrored copies.<br />
• The ratio and loss-priority opti<strong>on</strong>s are not supported.<br />
• Packets with physical layer errors are filtered out and are not sent to <strong>the</strong> output port<br />
or VLAN.<br />
• If you use sFlow m<strong>on</strong>itoring to sample traffic, it does not sample <strong>the</strong> mirror copies<br />
when <strong>the</strong>y exit from <strong>the</strong> output interface.<br />
• You cannot mirror packets exiting or entering <strong>the</strong> following ports:<br />
• Dedicated Virtual Chassis interfaces<br />
• Management interfaces (me0 or vme0)<br />
• Fibre Channel interfaces<br />
• Routed VLAN interfaces<br />
• An aggregated E<strong>the</strong>r<strong>net</strong> interface cannot be an output interface.<br />
• Do not include an 802.1Q subinterface that has a unit number o<strong>the</strong>r than 0 in a port<br />
mirroring c<strong>on</strong>figurati<strong>on</strong>. Port mirroring does not work with subinterfaces if <strong>the</strong>ir unit<br />
number is not 0. (You c<strong>on</strong>figure 802.1Q subinterfaces using <strong>the</strong> vlan-tagging statement.)<br />
• When packet copies are sent out <strong>the</strong> output interface, <strong>the</strong>y are not modified for any<br />
changes that are normally applied <strong>on</strong> egress, such as CoS rewriting.<br />
• An interface can be <strong>the</strong> input interface for <strong>on</strong>ly <strong>on</strong>e mirroring c<strong>on</strong>figurati<strong>on</strong>. Do not use<br />
<strong>the</strong> same interface as <strong>the</strong> input interface for multiple mirroring c<strong>on</strong>figurati<strong>on</strong>s.<br />
6<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 1: Port Mirroring<br />
• CPU-generated packets (such as ARP or ICMP packets) cannot be mirrored <strong>on</strong> egress.<br />
• (QFabric systems <strong>on</strong>ly) If you c<strong>on</strong>figure a QFabric analyzer to mirror egress traffic and<br />
<strong>the</strong> input and output interfaces are <strong>on</strong> different Node devices, <strong>the</strong> mirrored copies have<br />
incorrect VLAN IDs. This limitati<strong>on</strong> does not apply if you c<strong>on</strong>figure a QFabric analyzer<br />
to mirror egress traffic and <strong>the</strong> input and output interfaces are <strong>on</strong> <strong>the</strong> same Node device.<br />
In this case <strong>the</strong> mirrored copies have <strong>the</strong> correct VLAN IDs (as l<strong>on</strong>g as you do not<br />
c<strong>on</strong>figure more than 2000 VLANs <strong>on</strong> <strong>the</strong> QFabric system).<br />
Remote Port Mirroring Only<br />
The following c<strong>on</strong>straints and limitati<strong>on</strong>s apply to remote port mirroring with <strong>the</strong> <strong>QFX</strong><br />
<strong>Series</strong>:<br />
• If you c<strong>on</strong>figure an output IP address, <strong>the</strong> address cannot be in <strong>the</strong> same sub<strong>net</strong>work<br />
as any of <strong>the</strong> switch’s management interfaces.<br />
• If you create virtual routing instances and also create an analyzer c<strong>on</strong>figurati<strong>on</strong> that<br />
includes an output IP address, <strong>the</strong> output address bel<strong>on</strong>gs to <strong>the</strong> default virtual routing<br />
instance (i<strong>net</strong>.0 routing table).<br />
• An output VLAN cannot be a private VLAN or VLAN range.<br />
• An output VLAN cannot be shared by multiple analyzer statements.<br />
• An output VLAN interface cannot be a member of any o<strong>the</strong>r VLAN.<br />
• An output VLAN interface cannot be an aggregated E<strong>the</strong>r<strong>net</strong> interface.<br />
• On <strong>the</strong> source (m<strong>on</strong>itored) switch, <strong>on</strong>ly <strong>on</strong>e interface can be a member of <strong>the</strong> analyzer<br />
VLAN.<br />
Related<br />
Documentati<strong>on</strong><br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis <strong>on</strong> page 17<br />
• Troubleshooting Port Mirroring <strong>on</strong> page 77<br />
Understanding Layer 3 Logical Interfaces<br />
A Layer 3 logical interface is a logical divisi<strong>on</strong> of a physical interface that operates at <strong>the</strong><br />
<strong>net</strong>work level and <strong>the</strong>refore can receive and forward 802.1Q VLAN tags. You can use<br />
Layer 3 logical interfaces to route traffic am<strong>on</strong>g multiple VLANs al<strong>on</strong>g a single trunk line<br />
that c<strong>on</strong>nects a <strong>Juniper</strong> Networks <strong>QFX</strong>3500 Switch to a Layer 2 switch. Only <strong>on</strong>e physical<br />
c<strong>on</strong>necti<strong>on</strong> is required between <strong>the</strong> switches. You can also use Layer 3 logical interfaces<br />
to provide alternative gateway addresses for smart DHCP relay.<br />
To create Layer 3 logical interfaces <strong>on</strong> a switch, enable VLAN tagging, partiti<strong>on</strong> <strong>the</strong><br />
physical interface into logical partiti<strong>on</strong>s, and bind <strong>the</strong> VLAN ID to <strong>the</strong> logical interface.<br />
We recommend that you use <strong>the</strong> VLAN ID as <strong>the</strong> logical interface number when you<br />
c<strong>on</strong>figure <strong>the</strong> logical interface. <strong>QFX</strong> <strong>Series</strong> systems support a maximum of 4089 VLANs,<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
7
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
which includes <strong>the</strong> default VLAN. You can, however, assign a VLAN ID in <strong>the</strong> range of 1<br />
to 4094, but five of <strong>the</strong>se VLAN IDs are reserved for internal use.<br />
VLAN tagging places <strong>the</strong> VLAN ID in <strong>the</strong> frame header, allowing each physical interface<br />
to handle multiple VLANs. Double-tagging, which is assigning more than <strong>on</strong>e VLAN ID in<br />
<strong>the</strong> frame header, is not supported. When you c<strong>on</strong>figure multiple VLANs <strong>on</strong> an interface,<br />
you must also enable tagging <strong>on</strong> that interface. Junos OS <strong>on</strong> switches supports a subset<br />
of <strong>the</strong> 802.1Q standard for receiving and forwarding routed or bridged E<strong>the</strong>r<strong>net</strong> frames<br />
with single VLAN tags and running Virtual Router Redundancy Protocol (VRRP) over<br />
802.1Q-tagged interfaces.<br />
Related<br />
Documentati<strong>on</strong><br />
• Interfaces Overview<br />
• C<strong>on</strong>figuring a Layer 3 Logical Interface<br />
• C<strong>on</strong>figuring DHCP and BOOTP Relay <strong>on</strong> page 26<br />
• Junos OS Network Interfaces Library for Routing Devices<br />
8<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 2<br />
DHCP Relay<br />
DHCP and BOOTP Relay Overview<br />
• DHCP and BOOTP Relay Overview <strong>on</strong> page 9<br />
You can c<strong>on</strong>figure a <strong>Juniper</strong> Networks switch to act as a Dynamic Host C<strong>on</strong>figurati<strong>on</strong><br />
Protocol (DHCP) or Bootstrap Protocol (BOOTP) relay agent. This means that if <strong>the</strong><br />
switch receives a broadcast DHCP or BOOTP request from a locally attached host (client),<br />
it relays <strong>the</strong> message to a specified DHCP or BOOTP server. You should c<strong>on</strong>figure <strong>the</strong><br />
switch to be a DHCP/BOOTP relay agent if you have locally attached hosts and a distant<br />
DHCP or BOOTP server.<br />
If you c<strong>on</strong>figure a switch to be a DHCP relay agent, you can also enable smart DHCP<br />
relay, which enables you to c<strong>on</strong>figure alternative gateway addresses for a DHCP server<br />
so that if <strong>the</strong> server fails to reply to <strong>the</strong> requests sent to <strong>the</strong> primary gateway address,<br />
<strong>the</strong> switch can resend <strong>the</strong> requests to <strong>the</strong> alternative gateway addresses. To use this<br />
feature, you must c<strong>on</strong>figure a routed VLAN interface or Layer 3 subinterface with multiple<br />
IP addresses and c<strong>on</strong>figure that interface to be a relay agent.<br />
NOTE: Because DHCP and BOOTP messages are broadcast and are not<br />
directed to a specific server, switch, or router, <strong>Juniper</strong> switches cannot functi<strong>on</strong><br />
as both a DHCP server and a DHCP/BOOTP relay agent at <strong>the</strong> same time.<br />
The Junos operating system (Junos OS) generates a commit error if both<br />
opti<strong>on</strong>s are c<strong>on</strong>figured at <strong>the</strong> same time, and <strong>the</strong> commit operati<strong>on</strong> does not<br />
succeed until <strong>on</strong>e of <strong>the</strong> opti<strong>on</strong>s is removed.<br />
Related<br />
Documentati<strong>on</strong><br />
• C<strong>on</strong>figuring DHCP and BOOTP Relay <strong>on</strong> page 26<br />
• bootp <strong>on</strong> page 62<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
9
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
10<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
PART 2<br />
C<strong>on</strong>figurati<strong>on</strong><br />
• C<strong>on</strong>figurati<strong>on</strong> Examples <strong>on</strong> page 13<br />
• C<strong>on</strong>figurati<strong>on</strong> Tasks <strong>on</strong> page 23<br />
• C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring <strong>on</strong> page 29<br />
• C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong> <strong>on</strong> page 41<br />
• C<strong>on</strong>figurati<strong>on</strong> Statements for DHCP Relay <strong>on</strong> page 61<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
11
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
12<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 3<br />
C<strong>on</strong>figurati<strong>on</strong> Examples<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis <strong>on</strong> page 17<br />
Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis<br />
Use port mirroring to send traffic to applicati<strong>on</strong>s that analyze traffic for purposes such<br />
as m<strong>on</strong>itoring compliance, enforcing policies, detecting intrusi<strong>on</strong>s, m<strong>on</strong>itoring and<br />
predicting traffic patterns, correlating events, and so <strong>on</strong>. Port mirroring copies packets<br />
entering or exiting an interface or entering a VLAN and sends <strong>the</strong> copies to a local interface<br />
for local m<strong>on</strong>itoring.<br />
This example describes how to c<strong>on</strong>figure port mirroring to copy traffic sent by employee<br />
computers to a switch to an access interface <strong>on</strong> <strong>the</strong> same switch.<br />
• Requirements <strong>on</strong> page 13<br />
• Overview and Topology <strong>on</strong> page 13<br />
• Mirroring All Employee Traffic for Local Analysis <strong>on</strong> page 14<br />
• Mirroring Employee-to-Web Traffic for Local Analysis <strong>on</strong> page 15<br />
• Verificati<strong>on</strong> <strong>on</strong> page 17<br />
Requirements<br />
This example uses <strong>the</strong> following hardware and software comp<strong>on</strong>ents:<br />
• Junos OS Release 11.1<br />
• A switch<br />
Overview and Topology<br />
This topic includes two related examples that describe how to mirror traffic entering<br />
interfaces <strong>on</strong> <strong>the</strong> switch to an access interface <strong>on</strong> <strong>the</strong> same switch. The first example<br />
shows how to mirror all traffic sent by employee computers to <strong>the</strong> switch. The sec<strong>on</strong>d<br />
example includes a filter to mirror <strong>on</strong>ly <strong>the</strong> employee traffic going to <strong>the</strong> Web.<br />
In this example, xe-0/0/0 and xe-0/0/6 serve as c<strong>on</strong>necti<strong>on</strong>s for employee computers.<br />
Interface xe-0/0/47 is c<strong>on</strong>nected to a device running an analyzer applicati<strong>on</strong>.<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
13
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
NOTE: Multiple ports mirrored to <strong>on</strong>e interface can cause buffer overflow<br />
and dropped packets.<br />
Figure 1 <strong>on</strong> page 14 shows <strong>the</strong> <strong>net</strong>work topology for this example.<br />
Figure 1: Network Topology for Local Port Mirroring Example<br />
xe-0/0/47 xe-0/0/6 xe-0/0/0<br />
Server running traffic analyzer<br />
Employee computers<br />
g040596<br />
Mirroring All Employee Traffic for Local Analysis<br />
To c<strong>on</strong>figure port mirroring for all traffic sent by employee computers for local analysis,<br />
perform <strong>the</strong> tasks explained in this secti<strong>on</strong>.<br />
CLI Quick<br />
C<strong>on</strong>figurati<strong>on</strong><br />
To quickly c<strong>on</strong>figure local port mirroring for ingress traffic to <strong>the</strong> two ports c<strong>on</strong>nected to<br />
employee computers, copy <strong>the</strong> following commands and paste <strong>the</strong>m into a switch<br />
terminal window:<br />
[edit]<br />
set interfaces xe-0/0/0 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching<br />
set interfaces xe-0/0/6 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching<br />
set interfaces xe-0/0/47 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching<br />
set e<strong>the</strong>r<strong>net</strong>-switching opti<strong>on</strong>s analyzer employee-m<strong>on</strong>itor input ingress interface xe-0/0/0.0<br />
set e<strong>the</strong>r<strong>net</strong>-switching opti<strong>on</strong>s analyzer employee-m<strong>on</strong>itor input ingress interface xe-0/0/6.0<br />
set e<strong>the</strong>r<strong>net</strong>-switching opti<strong>on</strong>s analyzer employee-m<strong>on</strong>itor output interface xe-0/0/47.0<br />
Step-by-Step<br />
Procedure<br />
To c<strong>on</strong>figure an analyzer called employee-m<strong>on</strong>itor and specify <strong>the</strong> input (source) interfaces<br />
and <strong>the</strong> output interface:<br />
1. C<strong>on</strong>figure <strong>the</strong> interfaces c<strong>on</strong>nected to employee computers as input interfaces for<br />
<strong>the</strong> port-mirror analyzer employee-m<strong>on</strong>itor:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer employee-m<strong>on</strong>itor input ingress interface xe–0/0/0.0<br />
user@switch# set analyzer employee-m<strong>on</strong>itor input ingress interface xe–0/0/6.0<br />
2. C<strong>on</strong>figure <strong>the</strong> output analyzer interface for <strong>the</strong> employee-m<strong>on</strong>itor analyzer. This will<br />
be <strong>the</strong> destinati<strong>on</strong> interface for <strong>the</strong> mirrored packets:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer employee-m<strong>on</strong>itor output interface xe-0/0/47.0<br />
Results<br />
Check <strong>the</strong> results of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>:<br />
[edit]<br />
14<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 3: C<strong>on</strong>figurati<strong>on</strong> Examples<br />
user@switch# show e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s<br />
analyzer employee-m<strong>on</strong>itor {<br />
input {<br />
ingress {<br />
interface xe-0/0/0.0;<br />
interface xe-0/0/6.0;<br />
}<br />
}<br />
output {<br />
interface {<br />
xe-0/0/47.0;<br />
}<br />
}<br />
}<br />
}<br />
Mirroring Employee-to-Web Traffic for Local Analysis<br />
To mirror <strong>on</strong>ly traffic sent by employees to <strong>the</strong> Web for local analysis, perform <strong>the</strong> tasks<br />
explained in this secti<strong>on</strong>.<br />
CLI Quick<br />
C<strong>on</strong>figurati<strong>on</strong><br />
To quickly c<strong>on</strong>figure local port mirroring of traffic from employee computers that is<br />
destined for <strong>the</strong> Web, copy <strong>the</strong> following commands and paste <strong>the</strong>m into a switch terminal<br />
window:<br />
[edit]<br />
set e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer employee–web–m<strong>on</strong>itor output interface xe-0/0/47.0<br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-corp from<br />
destinati<strong>on</strong>-address 192.0.2.16/28<br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-corp from<br />
source-address 192.0.2.16/28<br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-corp <strong>the</strong>n accept<br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-web from<br />
destinati<strong>on</strong>-port 80<br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-web <strong>the</strong>n analyzer<br />
employee-web-m<strong>on</strong>itor<br />
set interfaces xe-0/0/0 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
set interfaces xe-0/0/6 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
Step-by-Step<br />
Procedure<br />
To c<strong>on</strong>figure local port mirroring of employee-to-web traffic from <strong>the</strong> two ports c<strong>on</strong>nected<br />
to employee computers:<br />
1. C<strong>on</strong>figure <strong>the</strong> output interface:<br />
[edit interfaces]<br />
user@switch# set xe-0/0/47 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching<br />
2. C<strong>on</strong>figure <strong>the</strong> employee-web-m<strong>on</strong>itor analyzer output. (C<strong>on</strong>figure <strong>on</strong>ly <strong>the</strong><br />
output—<strong>the</strong> input comes from <strong>the</strong> filter.)<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer employee-web-m<strong>on</strong>itor output interface xe-0/0/47.0<br />
3. C<strong>on</strong>figure a firewall filter called watch-employee that includes a term to match<br />
traffic sent to <strong>the</strong> Web and send it to <strong>the</strong> analyzer employee-web-m<strong>on</strong>itor. Traffic<br />
to and from <strong>the</strong> corporate sub<strong>net</strong> (destinati<strong>on</strong> or source address of 192.0.2.16/28)<br />
does not need to be copied, so create ano<strong>the</strong>r term to accept that traffic before it<br />
reaches <strong>the</strong> term that sends Web traffic to <strong>the</strong> analyzer:<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
15
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
[edit firewall family e<strong>the</strong>r<strong>net</strong>-switching]<br />
user@switch# set filter watch-employee term employee-to-corp from destinati<strong>on</strong>-address<br />
192.0.2.16/28<br />
user@switch# set filter watch-employee term employee-to-corp from source-address<br />
192.0.2.16/28<br />
user@switch# set filter watch-employee term employee-to-corp <strong>the</strong>n accept<br />
user@switch# set filter watch-employee term employee-to-web from destinati<strong>on</strong>-port 80<br />
user@switch# set filter watch-employee term employee-to-web <strong>the</strong>n analyzer<br />
employee-web-m<strong>on</strong>itor<br />
4. Apply <strong>the</strong> firewall filter to <strong>the</strong> appropriate interfaces as an ingress filter (egress<br />
filters do not allow analyzers):<br />
[edit interfaces]<br />
user@switch# set xe-0/0/0 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
user@switch# set xe-0/0/6 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
Results<br />
Check <strong>the</strong> results of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>:<br />
[edit]<br />
user@switch# show e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s<br />
analyzer employee-web-m<strong>on</strong>itor {<br />
output {<br />
interface xe-0/0/47.0;<br />
}<br />
}<br />
}<br />
...<br />
firewall family e<strong>the</strong>r<strong>net</strong>-switching {<br />
filter watch-employee {<br />
term employee-to-web {<br />
from {<br />
destinati<strong>on</strong>-port 80;<br />
}<br />
<strong>the</strong>n analyzer employee-web-m<strong>on</strong>itor;<br />
}<br />
}<br />
}<br />
...<br />
interfaces {<br />
xe-0/0/0 {<br />
unit 0 {<br />
family e<strong>the</strong>r<strong>net</strong>-switching {<br />
filter {<br />
input watch-employee;<br />
}<br />
}<br />
}<br />
}<br />
xe-0/0/6 {<br />
family e<strong>the</strong>r<strong>net</strong>-switching {<br />
filter {<br />
input watch-employee;<br />
}<br />
}<br />
}<br />
}<br />
16<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 3: C<strong>on</strong>figurati<strong>on</strong> Examples<br />
Verificati<strong>on</strong><br />
Verifying That <strong>the</strong> Analyzer Has Been Correctly Created<br />
Purpose<br />
Verify that <strong>the</strong> analyzer named employee-m<strong>on</strong>itor or employee-web-m<strong>on</strong>itor has been<br />
created <strong>on</strong> <strong>the</strong> switch with <strong>the</strong> appropriate input interfaces and appropriate output<br />
interface.<br />
Acti<strong>on</strong><br />
You can verify that <strong>the</strong> port mirror analyzer has been c<strong>on</strong>figured as expected using <strong>the</strong><br />
show analyzer command.<br />
user@switch> show analyzer<br />
Analyzer name<br />
: employee-m<strong>on</strong>itor<br />
Output interface<br />
: xe-0/0/47.0<br />
Mirror ratio : 1<br />
Loss priority<br />
: Low<br />
Ingress m<strong>on</strong>itored interfaces : xe-0/0/0.0<br />
Ingress m<strong>on</strong>itored interfaces : xe-0/0/6.0<br />
Egress m<strong>on</strong>itored interfaces : N<strong>on</strong>e<br />
Meaning<br />
This output shows that <strong>the</strong> employee-m<strong>on</strong>itor analyzer:<br />
• Has a ratio of 1 (mirroring every packet, <strong>the</strong> default setting)<br />
• Has a loss priority of low (set this opti<strong>on</strong> to high <strong>on</strong>ly when <strong>the</strong> analyzer output is to a<br />
VLAN)<br />
• Is mirroring <strong>the</strong> traffic entering <strong>the</strong> xe-0/0/0 and xe-0/0/6 interfaces<br />
• Is sending <strong>the</strong> mirrored traffic to <strong>the</strong> xe-0/0/47 interface<br />
Related<br />
Documentati<strong>on</strong><br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis<br />
Use port mirroring to send traffic to applicati<strong>on</strong>s that analyze traffic for purposes such<br />
as m<strong>on</strong>itoring compliance, enforcing policies, detecting intrusi<strong>on</strong>s, m<strong>on</strong>itoring and<br />
predicting traffic patterns, correlating events, and so <strong>on</strong>. Port mirroring copies packets<br />
entering or exiting an interface or entering a VLAN and sends <strong>the</strong> copies ei<strong>the</strong>r to a local<br />
interface for local m<strong>on</strong>itoring or to a VLAN for remote m<strong>on</strong>itoring. This example describes<br />
how to c<strong>on</strong>figure port mirroring for remote analysis.<br />
• Requirements <strong>on</strong> page 18<br />
• Overview and Topology <strong>on</strong> page 18<br />
• Mirroring All Employee Traffic for Remote Analysis <strong>on</strong> page 18<br />
• Mirroring Employee-to-Web Traffic for Remote Analysis <strong>on</strong> page 19<br />
• Verificati<strong>on</strong> <strong>on</strong> page 21<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
17
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Requirements<br />
This example uses <strong>the</strong> following hardware and software comp<strong>on</strong>ents:<br />
• Junos OS Release 12.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
• A switch<br />
Overview and Topology<br />
This topic includes two related examples that describe how to mirror traffic entering<br />
ports <strong>on</strong> <strong>the</strong> switch to an analyzer VLAN so that you can perform analysis using a remote<br />
device. The first example shows how to mirror all traffic sent by employee computers to<br />
<strong>the</strong> switch. The sec<strong>on</strong>d example includes a filter to mirror <strong>on</strong>ly <strong>the</strong> employee traffic going<br />
to <strong>the</strong> Web.<br />
In this example:<br />
• Interfaces ge-0/0/0 and ge-0/0/1 are Layer 2 interfaces that c<strong>on</strong>nect to employee<br />
computers.<br />
• Interface ge-0/0/10 is a Layer 2 interface that c<strong>on</strong>nects to ano<strong>the</strong>r switch.<br />
• VLAN remote-analyzer is c<strong>on</strong>figured <strong>on</strong> all switches in <strong>the</strong> topology to carry <strong>the</strong> mirrored<br />
traffic.<br />
NOTE: In additi<strong>on</strong> to performing <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> steps described here, you<br />
must also c<strong>on</strong>figure <strong>the</strong> analyzer VLAN (remote-analyzer in this example) <strong>on</strong><br />
<strong>the</strong> o<strong>the</strong>r switches that are used to c<strong>on</strong>nect <strong>the</strong> source switch (<strong>the</strong> <strong>on</strong>e in<br />
this c<strong>on</strong>figurati<strong>on</strong>) to <strong>the</strong> <strong>on</strong>e that <strong>the</strong> m<strong>on</strong>itoring stati<strong>on</strong> is c<strong>on</strong>nected to.<br />
Mirroring All Employee Traffic for Remote Analysis<br />
CLI Quick<br />
C<strong>on</strong>figurati<strong>on</strong><br />
To quickly c<strong>on</strong>figure this secti<strong>on</strong> of <strong>the</strong> example, copy <strong>the</strong> following commands, paste<br />
<strong>the</strong>m into a text file, remove any line breaks, change any details necessary to match your<br />
<strong>net</strong>work c<strong>on</strong>figurati<strong>on</strong>, and <strong>the</strong>n copy and paste <strong>the</strong> commands into <strong>the</strong> CLI at <strong>the</strong> edit<br />
hierarchy level:<br />
[edit]<br />
set vlans remote-analyzer vlan-id 999<br />
set interfaces ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching port-mode trunk<br />
set interfaces ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching vlan members 999<br />
set e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer employee-m<strong>on</strong>itor input ingress interface ge-0/0/0.0<br />
set e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer employee-m<strong>on</strong>itor input ingress interface ge-0/0/1.0<br />
set e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer employee-m<strong>on</strong>itor output vlan remote-analyzer<br />
18<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 3: C<strong>on</strong>figurati<strong>on</strong> Examples<br />
Step-by-Step<br />
Procedure<br />
To c<strong>on</strong>figure basic remote port mirroring:<br />
1. C<strong>on</strong>figure <strong>the</strong> analyzer VLAN (called remote-analyzer in this example):<br />
[edit vlans]<br />
user@switch# set vlans remote-analyzer vlan-id 999<br />
2. C<strong>on</strong>figure <strong>the</strong> interface c<strong>on</strong>nected to ano<strong>the</strong>r switch for trunk mode and associate<br />
it with <strong>the</strong> remote-analyzer VLAN:<br />
[edit interfaces]<br />
user@switch# set ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching port-mode trunk<br />
user@switch# set ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching vlan members 999<br />
3. C<strong>on</strong>figure <strong>the</strong> employee-m<strong>on</strong>itor analyzer:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer employee–m<strong>on</strong>itor<br />
user@switch# set analyzer employee-m<strong>on</strong>itor input ingress interface ge-0/0/0.0<br />
user@switch# set analyzer employee-m<strong>on</strong>itor input ingress interface ge-0/0/1.0<br />
user@switch# set analyzer employee-m<strong>on</strong>itor output vlan remote-analyzer<br />
4. C<strong>on</strong>figure <strong>the</strong> remote-analyzer VLAN <strong>on</strong> <strong>the</strong> switches that c<strong>on</strong>nect this switch to<br />
<strong>the</strong> m<strong>on</strong>itoring workstati<strong>on</strong>.<br />
Results<br />
Check <strong>the</strong> results of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>:<br />
[edit]<br />
user@switch# show<br />
e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s {<br />
analyzer employee-m<strong>on</strong>itor {<br />
input {<br />
ingress {<br />
interface ge-0/0/0.0;<br />
interface ge-0/0/1.0;<br />
}<br />
}<br />
output {<br />
vlan {<br />
remote-analyzer;<br />
}<br />
}<br />
}<br />
}<br />
Mirroring Employee-to-Web Traffic for Remote Analysis<br />
CLI Quick<br />
C<strong>on</strong>figurati<strong>on</strong><br />
To quickly c<strong>on</strong>figure this secti<strong>on</strong> of <strong>the</strong> example, copy <strong>the</strong> following commands, paste<br />
<strong>the</strong>m into a text file, remove any line breaks, change any details necessary to match your<br />
<strong>net</strong>work c<strong>on</strong>figurati<strong>on</strong>, and <strong>the</strong>n copy and paste <strong>the</strong> commands into <strong>the</strong> CLI at <strong>the</strong> edit<br />
hierarchy level:<br />
[edit]<br />
set vlans remote-analyzer vlan-id 999<br />
set interfaces ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching port mode trunk<br />
set interfaces ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching vlan members 999set<br />
e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer employee-web-m<strong>on</strong>itor loss-priority high output vlan 999<br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-web from<br />
destinati<strong>on</strong>-port 80<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
19
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
set firewall family e<strong>the</strong>r<strong>net</strong>-switching filter watch-employee term employee-to-web <strong>the</strong>n analyzer<br />
employee-web-m<strong>on</strong>itor<br />
set ge-0/0/0 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
set interfaces ge-0/0/1 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
Step-by-Step<br />
Procedure<br />
1. C<strong>on</strong>figure <strong>the</strong> analyzer VLAN (called remote-analyzer in this example):<br />
[edit vlans]<br />
user@switch# set remote-analyzer vlan-id 999<br />
2. C<strong>on</strong>figure an interface to associate it with <strong>the</strong> remote-analyzer VLAN:<br />
[edit interfaces]<br />
user@switch# set interfaces ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching port mode trunk<br />
user@switch# set ge-0/0/10 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching vlan members 999<br />
3. C<strong>on</strong>figure <strong>the</strong> employee-web-m<strong>on</strong>itor analyzer. (C<strong>on</strong>figure <strong>on</strong>ly <strong>the</strong> output—<strong>the</strong><br />
input comes from <strong>the</strong> filter.)<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>sanalyzer employee-web-m<strong>on</strong>itor output<br />
vlan 999<br />
4. C<strong>on</strong>figure a firewall filter called watch-employee to match traffic sent to <strong>the</strong> Web<br />
and send it to <strong>the</strong> analyzer employee-web-m<strong>on</strong>itor:<br />
[edit firewall family e<strong>the</strong>r<strong>net</strong>-switching]<br />
user@switch# set filter watch-employee term employee-to-web from destinati<strong>on</strong>-port 80<br />
user@switch# set filter watch-employee term employee-to-web <strong>the</strong>n analyzer<br />
employee-web-m<strong>on</strong>itor<br />
5. Apply <strong>the</strong> firewall filter to <strong>the</strong> appropriate interfaces as an ingress filter:<br />
[edit interfaces]<br />
user@switch# set ge-0/0/0 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filterinput watch-employee<br />
user@switch# set ge-0/0/1 unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input watch-employee<br />
6. C<strong>on</strong>figure <strong>the</strong> remote-analyzer VLAN <strong>on</strong> <strong>the</strong> switches that c<strong>on</strong>nect this switch to<br />
<strong>the</strong> m<strong>on</strong>itoring workstati<strong>on</strong>.<br />
Results<br />
Check <strong>the</strong> results of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>:<br />
[edit]<br />
user@switch# show<br />
interfaces {<br />
...<br />
ge-0/0/10 {<br />
unit 0 {<br />
family e<strong>the</strong>r<strong>net</strong>-switching {<br />
port-mode trunk;<br />
vlan {<br />
members remote-analyzer;<br />
}<br />
}<br />
}<br />
}<br />
ge-0/0/0 {<br />
unit 0 {<br />
family e<strong>the</strong>r<strong>net</strong>-switching {<br />
filter {<br />
input watch-employee;<br />
}<br />
}<br />
20<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 3: C<strong>on</strong>figurati<strong>on</strong> Examples<br />
}<br />
}<br />
ge-0/0/1 {<br />
unit 0 {<br />
family e<strong>the</strong>r<strong>net</strong>-switching {<br />
filter {<br />
input watch-employee;<br />
}<br />
}<br />
}<br />
}<br />
}<br />
...<br />
firewall {<br />
family e<strong>the</strong>r<strong>net</strong>-switching {<br />
...<br />
filter watch-employee {<br />
term employee-to-web {<br />
from {<br />
destinati<strong>on</strong>-port 80;<br />
}<br />
<strong>the</strong>n analyzer employee-web-m<strong>on</strong>itor;<br />
}<br />
}<br />
}<br />
}<br />
e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s {<br />
analyzer employee-web-m<strong>on</strong>itor {<br />
output {<br />
vlan {<br />
999;<br />
}<br />
}<br />
}<br />
vlans {<br />
remote-analyzer {<br />
vlan-id 999;<br />
}<br />
}<br />
Verificati<strong>on</strong><br />
Verifying That <strong>the</strong> Analyzer Has Been Correctly Created<br />
Purpose<br />
Verify that <strong>the</strong> analyzer named employee-m<strong>on</strong>itor or employee-web-m<strong>on</strong>itor has been<br />
created <strong>on</strong> <strong>the</strong> switch with <strong>the</strong> appropriate input interfaces and appropriate output<br />
interface.<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
21
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Acti<strong>on</strong><br />
You can verify <strong>the</strong> port mirror analyzer is c<strong>on</strong>figured as expected using <strong>the</strong> show analyzer<br />
command.<br />
user@switch> show analyzer<br />
Analyzer name<br />
: employee-m<strong>on</strong>itor<br />
Output VLAN<br />
: remote-analyzer<br />
Ingress m<strong>on</strong>itored interfaces : ge-0/0/0.0<br />
Ingress m<strong>on</strong>itored interfaces : ge-0/0/1.0<br />
Meaning<br />
This output shows that <strong>the</strong> employee-m<strong>on</strong>itor analyzer is mirroring <strong>the</strong> traffic entering<br />
ge-0/0/0 and ge-0/0/1 and is sending <strong>the</strong> mirror traffic to <strong>the</strong> analyzer remote-analyzer.<br />
Related<br />
Documentati<strong>on</strong><br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
• Overview of Firewall Filters<br />
22<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 4<br />
C<strong>on</strong>figurati<strong>on</strong> Tasks<br />
C<strong>on</strong>figuring Port Mirroring<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• C<strong>on</strong>figuring DHCP and BOOTP Relay <strong>on</strong> page 26<br />
You use port mirroring to copy packets and send <strong>the</strong> copies to a device running an<br />
applicati<strong>on</strong> such as a <strong>net</strong>work analyzer or intrusi<strong>on</strong> detecti<strong>on</strong> applicati<strong>on</strong> so that you can<br />
analyze traffic without delaying it. You can mirror traffic entering or exiting a port or<br />
entering a VLAN, and you can send <strong>the</strong> copies to a local access interface or to a VLAN<br />
through a trunk interface.<br />
We recommend that you disable port mirroring when you are not using it. To avoid creating<br />
a performance issue If you do enable port mirroring, we recommend that you select<br />
specific input interfaces instead of using <strong>the</strong> all keyword. You can also limit <strong>the</strong> amount<br />
of mirrored traffic by using a firewall filter.<br />
NOTE: If you want to create additi<strong>on</strong>al analyzers without deleting an existing<br />
analyzer, first disable <strong>the</strong> existing analyzer using <strong>the</strong> disable analyzer<br />
analyzer-name command.<br />
NOTE: You must c<strong>on</strong>figure port mirroring output interfaces as family<br />
e<strong>the</strong>r<strong>net</strong>-switching.<br />
• C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 23<br />
• C<strong>on</strong>figuring Port Mirroring for Remote Analysis <strong>on</strong> page 24<br />
• Filtering <strong>the</strong> Traffic Entering an Analyzer <strong>on</strong> page 25<br />
C<strong>on</strong>figuring Port Mirroring for Local Analysis<br />
To mirror interface traffic to a local interface <strong>on</strong> <strong>the</strong> switch:<br />
1. If you want to mirror traffic that is ingressing or egressing specific interfaces, choose<br />
a name for <strong>the</strong> port-mirroring c<strong>on</strong>figurati<strong>on</strong> and c<strong>on</strong>figure what traffic should be<br />
mirrored by specifying <strong>the</strong> interfaces and directi<strong>on</strong> of traffic:<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
23
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name<br />
NOTE: If you c<strong>on</strong>figure Junos OS to mirror egress packets, do not c<strong>on</strong>figure<br />
more than 2000 VLANs. If you do so, some VLAN packets might c<strong>on</strong>tain<br />
incorrect VLAN IDs.<br />
NOTE: If you c<strong>on</strong>figure mirroring for packets that egress an access<br />
interface, <strong>the</strong> original packets lose any VLAN tags when <strong>the</strong>y exit <strong>the</strong><br />
access interface, but <strong>the</strong> mirrored (copied) packets retain <strong>the</strong> VLAN tags<br />
when <strong>the</strong>y are sent to <strong>the</strong> analyzer system.<br />
2. If you want to specify that all traffic entering a VLAN should be mirrored, choose a<br />
name for <strong>the</strong> port-mirroring c<strong>on</strong>figurati<strong>on</strong> and specify <strong>the</strong> VLAN:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name input ingress vlan vlan-name<br />
NOTE: You cannot c<strong>on</strong>figure port mirroring to copy traffic that egresses<br />
a VLAN.<br />
3. C<strong>on</strong>figure <strong>the</strong> destinati<strong>on</strong> interface for <strong>the</strong> mirrored packets:<br />
C<strong>on</strong>figuring Port Mirroring for Remote Analysis<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name output interface interface-name<br />
To mirror traffic to a VLAN for analysis at a remote locati<strong>on</strong>:<br />
1. C<strong>on</strong>figure a VLAN to carry <strong>the</strong> mirrored traffic:<br />
[edit]<br />
user@switch# set vlans vlan-name vlan-id number<br />
2. C<strong>on</strong>figure <strong>the</strong> interface that c<strong>on</strong>nects to ano<strong>the</strong>r switch (<strong>the</strong> uplink interface) to trunk<br />
mode and associate it with <strong>the</strong> appropriate VLAN:<br />
[edit]<br />
user@switch# set interfaces interface-name unit 0 family e<strong>the</strong>r<strong>net</strong>-switching port-mode<br />
trunk vlan members (vlan-name | vlan-id)<br />
3. C<strong>on</strong>figure <strong>the</strong> analyzer:<br />
a. Choose a name for <strong>the</strong> analyzer:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name<br />
b. Specify <strong>the</strong> interface to be mirrored and whe<strong>the</strong>r <strong>the</strong> traffic should be mirrored <strong>on</strong><br />
ingress or egress:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name<br />
24<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 4: C<strong>on</strong>figurati<strong>on</strong> Tasks<br />
c. Specify <strong>the</strong> appropriate IP address or VLAN as <strong>the</strong> output (a VLAN is specified in<br />
this example:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name output vlan (vlan-name | vlan-id)<br />
If you specify an IP address as <strong>the</strong> output, note <strong>the</strong> following c<strong>on</strong>straints:<br />
• The address cannot be in <strong>the</strong> same sub<strong>net</strong>work as any of <strong>the</strong> switch’s<br />
management interfaces.<br />
• If you create virtual routing instances and also create an analyzer c<strong>on</strong>figurati<strong>on</strong><br />
that includes an output IP address, <strong>the</strong> output address bel<strong>on</strong>gs to <strong>the</strong> default<br />
virtual routing instance (i<strong>net</strong>.0 routing table).<br />
• The analyzer device must be able to de-encapsulate GRE-encapsulated packets,<br />
or <strong>the</strong> GRE-encapsulated packets must be de-encapsulated before reaching<br />
<strong>the</strong> analyzer device. (You can use a <strong>net</strong>work sniffer to de-encapsulate <strong>the</strong><br />
packets.)<br />
Filtering <strong>the</strong> Traffic Entering an Analyzer<br />
In additi<strong>on</strong> to specifying which traffic to mirror by c<strong>on</strong>figuring an analyzer, you can also<br />
use a firewall filter to exercise more c<strong>on</strong>trol over which packets are copied. For example,<br />
you might use a filter to specify that <strong>on</strong>ly traffic from certain applicati<strong>on</strong>s be mirrored.<br />
The filter can use any of <strong>the</strong> available match c<strong>on</strong>diti<strong>on</strong>s and must have an acti<strong>on</strong> of<br />
analyzer analyzer-name. If you use <strong>the</strong> same analyzer in multiple filters or terms, <strong>the</strong> output<br />
packets are copied <strong>on</strong>ly <strong>on</strong>ce.<br />
NOTE: You can include <strong>the</strong> acti<strong>on</strong> analyzer in ingress firewall filters <strong>on</strong>ly. You<br />
can apply ingress filters with this acti<strong>on</strong> to ports (Layer 2 interfaces), Layer 3<br />
interfaces, and VLANs.<br />
When you use a firewall filter as <strong>the</strong> input to an analyzer, you output <strong>the</strong> copied traffic<br />
to a local interface or a VLAN just as you do when a firewall is not involved.<br />
To c<strong>on</strong>figure port mirroring with filters:<br />
1. C<strong>on</strong>figure an analyzer for local or remote analysis. C<strong>on</strong>figure <strong>on</strong>ly <strong>the</strong> output. For<br />
example, for local analysis enter:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
user@switch# set analyzer analyzer-name output interface interface-name<br />
NOTE: Do not c<strong>on</strong>figure input to this analyzer.<br />
2. Create a firewall filter using any of <strong>the</strong> available match c<strong>on</strong>diti<strong>on</strong>s and specify <strong>the</strong><br />
acti<strong>on</strong> as analyzer analyzer-name.<br />
3. Apply <strong>the</strong> firewall filter to <strong>the</strong> interfaces or VLAN that should provide <strong>the</strong> input to <strong>the</strong><br />
analyzer:<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
25
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
[edit]<br />
user@switch# set interfaces interface-name unit 0 family e<strong>the</strong>r<strong>net</strong>-switching filter input<br />
filter-name<br />
[edit]<br />
user@switch# set vlan (vlan-name | vlan-id) filter input filter-name<br />
Related<br />
Documentati<strong>on</strong><br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis <strong>on</strong> page 17<br />
• Overview of Firewall Filters<br />
C<strong>on</strong>figuring DHCP and BOOTP Relay<br />
You can c<strong>on</strong>figure <strong>the</strong> <strong>QFX</strong> <strong>Series</strong> to act as a Dynamic Host C<strong>on</strong>figurati<strong>on</strong> Protocol (DHCP)<br />
and Bootstrap Protocol (BOOTP) relay agent. This means that if a locally attached host<br />
can issue a DHCP or BOOTP request as a broadcast message and <strong>the</strong> switch relays <strong>the</strong><br />
message to a specified DHCP or BOOTP server. You should c<strong>on</strong>figure a switch to be a<br />
DHCP and BOOTP relay agent if you have locally attached hosts and a remote DHCP or<br />
BOOTP server.<br />
If you c<strong>on</strong>figure a switch to be a DHCP relay agent, you can also enable smart DHCP<br />
relay, which allows you to c<strong>on</strong>figure alternative gateway addresses for a DHCP server so<br />
that if <strong>the</strong> server fails to reply to <strong>the</strong> requests sent using <strong>the</strong> primary gateway address,<br />
<strong>the</strong> switch can resend <strong>the</strong> requests via <strong>the</strong> alternative gateway addresses. To use this<br />
feature, you must c<strong>on</strong>figure a routed VLAN interface or Layer 3 logical interface with<br />
multiple IP addresses and c<strong>on</strong>figure that interface to be a relay agent.<br />
• C<strong>on</strong>figuring a DHCP and BOOTP Relay Agent <strong>on</strong> page 26<br />
• C<strong>on</strong>figuring DHCP Smart Relay <strong>on</strong> page 28<br />
C<strong>on</strong>figuring a DHCP and BOOTP Relay Agent<br />
To c<strong>on</strong>figure a switch to act as a DHCP and BOOTP relay agent, include <strong>the</strong> bootp<br />
statement at <strong>the</strong> [edit forwarding-opti<strong>on</strong>s helpers] hierarchy level:<br />
[edit forwarding-opti<strong>on</strong>s helpers]<br />
bootp {<br />
apply-sec<strong>on</strong>dary-as-giaddr text-descripti<strong>on</strong>;<br />
client-resp<strong>on</strong>se-ttl number;<br />
descripti<strong>on</strong> text-descripti<strong>on</strong>;<br />
interface (interface-name | interface-group) {<br />
client-resp<strong>on</strong>se-ttl number;<br />
descripti<strong>on</strong> text-descripti<strong>on</strong>;<br />
maximum-hop-count number;<br />
minimum-wait-time sec<strong>on</strong>ds;<br />
no-listen;<br />
server address<br />
apply-sec<strong>on</strong>dary-as-giaddr<br />
}<br />
maximum-hop-count number;<br />
minimum-wait-time sec<strong>on</strong>ds;<br />
26<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 4: C<strong>on</strong>figurati<strong>on</strong> Tasks<br />
relay-agent-opti<strong>on</strong>;<br />
server server-identifier<br />
}<br />
To include a descripti<strong>on</strong> of <strong>the</strong> BOOTP service, DHCP service, or interface, use <strong>the</strong><br />
descripti<strong>on</strong> statement.<br />
To c<strong>on</strong>figure a logical interface or a group of logical interfaces with a specific DHCP relay<br />
or BOOTP c<strong>on</strong>figurati<strong>on</strong>, include <strong>the</strong> interface statement.<br />
To stop packets from being forwarded, include <strong>the</strong> no-listen statement.<br />
To set <strong>the</strong> maximum allowed number in <strong>the</strong> hops field of <strong>the</strong> BOOTP message, include<br />
<strong>the</strong> maximum-hop-count statement. BOOTP messages that have a larger number in <strong>the</strong><br />
hops field than <strong>the</strong> maximum allowed are not forwarded. If you omit <strong>the</strong><br />
maximum-hop-count statement, <strong>the</strong> default maximum number of hops is four.<br />
To set <strong>the</strong> minimum allowed number of sec<strong>on</strong>ds in <strong>the</strong> secs field of <strong>the</strong> BOOTP message,<br />
include <strong>the</strong> minimum-wait-time statement. This setting c<strong>on</strong>figures a minimum number<br />
of sec<strong>on</strong>ds since <strong>the</strong> client sent its first BOOTP request. BOOTP messages that have a<br />
smaller number in <strong>the</strong> secs field than <strong>the</strong> allowed minimum are not forwarded. The default<br />
value for <strong>the</strong> minimum wait time is zero (0).<br />
To set <strong>the</strong> IP address that specify <strong>the</strong> DHCP or BOOTP server for <strong>the</strong> router, switch, or<br />
interface, include <strong>the</strong> server statement. You can include multiple server statements.<br />
To set an IP time-to-live (TTL) value for DHCP resp<strong>on</strong>se packets sent to a DHCP client,<br />
include <strong>the</strong> client-resp<strong>on</strong>se-ttl statement.<br />
The following example dem<strong>on</strong>strates a BOOTP relay agent c<strong>on</strong>figurati<strong>on</strong>.<br />
user@host# show forwarding-opti<strong>on</strong>s<br />
helpers {<br />
bootp {<br />
descripti<strong>on</strong> "dhcp relay agent global parameters";<br />
server 192.168.55.44;<br />
server 172.16.0.3 routing-instance c3;<br />
maximum-hop-count 10;<br />
minimum-wait-time 8;<br />
interface {<br />
xe-0/0/1 {<br />
descripti<strong>on</strong> "use this info for this interface";<br />
server 10.10.10.10;<br />
server 192.168.14.14;<br />
maximum-hop-count 11;<br />
minimum-wait-time 3;<br />
}<br />
xe-0/0/2 {<br />
no-listen; ###ignore DHCPDISCOVER messages <strong>on</strong> this interface<br />
}<br />
all {<br />
descripti<strong>on</strong> "globals apply to all o<strong>the</strong>r interfaces";<br />
}<br />
}<br />
}<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
27
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
}<br />
C<strong>on</strong>figuring DHCP Smart Relay<br />
You can use DHCP smart relay to provide redundancy and resiliency to your DHCP relay<br />
c<strong>on</strong>figurati<strong>on</strong>. Smart relay provides additi<strong>on</strong>al relay functi<strong>on</strong>ality and requires all of <strong>the</strong><br />
c<strong>on</strong>figurati<strong>on</strong> settings required by DHCP relay. To use DHCP smart relay, you also need<br />
an interface with multiple IP addresses assigned to it. You can achieve this by doing ei<strong>the</strong>r<br />
of <strong>the</strong> following tasks:<br />
• Create a routed VLAN interface and assign at least two IP addresses to it. See<br />
C<strong>on</strong>figuring Routed VLAN Interfaces and Example: C<strong>on</strong>figuring Routing Between VLANs<br />
<strong>on</strong> One Switch for informati<strong>on</strong> about this approach.<br />
• Create a Layer 3 logical interface (by using VLAN tagging) and assign at least two IP<br />
addresses to it. See “Understanding Layer 3 Logical Interfaces” <strong>on</strong> page 7 and<br />
C<strong>on</strong>figuring a Layer 3 Logical Interface for informati<strong>on</strong> about this approach.<br />
Once you have created an interface with multiple IP addresses, complete <strong>the</strong> smart relay<br />
c<strong>on</strong>figurati<strong>on</strong> by entering <strong>on</strong>e of <strong>the</strong> following statements:<br />
• set forwarding-opti<strong>on</strong>s helpers bootp smart-relay-global: Use this statement to enable<br />
smart relay <strong>on</strong> all <strong>the</strong> interfaces that are c<strong>on</strong>figured as relay agents.<br />
• set forwarding-opti<strong>on</strong>s helpers bootp interface interface-name smart-relay-agent: Use<br />
this statement to enable smart relay <strong>on</strong> a specific interface.<br />
When smart relay is c<strong>on</strong>figured for an interface, <strong>the</strong> switch initially sends DHCP request<br />
(discover) messages out of that interface using <strong>the</strong> primary address of <strong>the</strong> interface as<br />
<strong>the</strong> gateway IP address (in <strong>the</strong> giaddr field) for <strong>the</strong> DHCP message. If no DHCP offer<br />
message is received from a server in reply, <strong>the</strong> switch allows <strong>the</strong> client to send as many<br />
as three more discover messages using <strong>the</strong> same gateway IP address. If no DHCP offer<br />
message is received after three retries, <strong>the</strong> switch resends <strong>the</strong> discover message using<br />
<strong>the</strong> alternate IP address as <strong>the</strong> gateway IP address. If you c<strong>on</strong>figure more than two IP<br />
addresses <strong>on</strong> <strong>the</strong> relay agent interface, <strong>the</strong> switch repeats this process until a DHCP offer<br />
message is received or all of <strong>the</strong> IP addresses have been used without success.<br />
28<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 5<br />
C<strong>on</strong>figurati<strong>on</strong> Statements for Port<br />
Mirroring<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
29
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
analyzer<br />
Syntax analyzer {<br />
name {<br />
input {<br />
egress {<br />
interface (all | interface-name);<br />
}<br />
ingress {<br />
interface (all | interface-name);<br />
vlan (vlan-id | vlan-name);<br />
}<br />
output {<br />
interface interface-name;<br />
ip-address ip-address;<br />
vlan (vlan-id | vlan-name);<br />
}<br />
}<br />
}<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Opti<strong>on</strong> output vlan added in Junos OS Release 12.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Opti<strong>on</strong> output ip-address added in Junos OS Release 12.3 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
C<strong>on</strong>figure port mirroring. You can create a total of four port-mirroring c<strong>on</strong>figurati<strong>on</strong>s <strong>on</strong><br />
<strong>the</strong> <strong>QFX</strong> <strong>Series</strong>, subject to <strong>the</strong> following limits:<br />
• There can be no more than two c<strong>on</strong>figurati<strong>on</strong>s that mirror ingress traffic.<br />
• There can be no more than two c<strong>on</strong>figurati<strong>on</strong>s that mirror egress traffic.<br />
Default<br />
Port mirroring is disabled, and Junos OS creates no default analyzers.<br />
Opti<strong>on</strong>s<br />
all—Mirror all <strong>the</strong> access interfaces. Using this opti<strong>on</strong> does not cause <strong>the</strong> QSFP+ or<br />
management interfaces to be mirrored.<br />
CAUTION: C<strong>on</strong>figuring <strong>the</strong> all opti<strong>on</strong> in a QFabric system causes all <strong>the</strong> access<br />
interfaces <strong>on</strong> all <strong>the</strong> nodes to be mirrored. Be cautious about using this opti<strong>on</strong><br />
<strong>on</strong> a QFabric system.<br />
30<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 5: C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring<br />
name—Name of <strong>the</strong> analyzer. The name can include as many as 125 characters; must<br />
begin with a letter; and can include uppercase letters, lowercase letters, numbers,<br />
dashes, and underscores. No o<strong>the</strong>r special characters are allowed.<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
egress<br />
Syntax egress {<br />
interface (all | interface-name);<br />
}<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name input]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s analyzer name input]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.2 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Specify interfaces for which egressing traffic is mirrored.<br />
The statement is explained separately.<br />
NOTE: If you c<strong>on</strong>figure Junos OS to mirror egress packets, do not c<strong>on</strong>figure<br />
more than 2000 VLANs. If you do so, some of <strong>the</strong> mirrored packets might<br />
c<strong>on</strong>tain incorrect VLAN IDs.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
31
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s<br />
Syntax e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s {<br />
analyzer {<br />
name {<br />
input {<br />
egress {<br />
interface (all | interface-name);<br />
}<br />
ingress {<br />
interface (all | interface-name);<br />
vlan (vlan-id | vlan-name);<br />
}<br />
output {<br />
interface interface-name;<br />
ip-address ip-address;<br />
vlan (vlan-id | vlan-name);<br />
}<br />
}<br />
}<br />
bpdu-block {<br />
interface (all | [interface-name]);<br />
disable-timeout timeout;<br />
}<br />
dot1q-tunneling {<br />
e<strong>the</strong>r-type (0x8100 | 0x88a8 | 0x9100)<br />
}<br />
interfaces interface-name {<br />
no-mac-learning;<br />
}<br />
mac-table-aging-time sec<strong>on</strong>ds {<br />
}<br />
port-error-disable {<br />
disable-timeout timeout;<br />
}<br />
secure-access-port {<br />
dhcp-snooping-file {<br />
locati<strong>on</strong> local_pathname | remote_URL;<br />
timeout sec<strong>on</strong>ds;<br />
write-interval sec<strong>on</strong>ds;<br />
}<br />
interface (all | interface-name) {<br />
allowed-mac {<br />
mac-address-list;<br />
}<br />
(dhcp-trusted | no-dhcp-trusted);<br />
fcoe-trusted;<br />
mac-limit limit acti<strong>on</strong> acti<strong>on</strong>;<br />
no-allowed-mac-log;<br />
}<br />
vlan (all | vlan-name) {<br />
(arp-inspecti<strong>on</strong> | no-arp-inspecti<strong>on</strong>) [<br />
forwarding-class (for DHCP Snooping or DAI Packets) class-name;<br />
}<br />
32<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 5: C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring<br />
dhcp-opti<strong>on</strong>82 {<br />
circuit-id {<br />
prefix (Circuit ID for Opti<strong>on</strong> 82) hostname;<br />
use-interface-descripti<strong>on</strong>;<br />
use-vlan-id;<br />
}<br />
remote-id {<br />
prefix (Remote ID for Opti<strong>on</strong> 82) hostname | mac | n<strong>on</strong>e;<br />
use-interface-descripti<strong>on</strong>;<br />
use-string string;<br />
}<br />
vendor-id ;<br />
}<br />
(examine-dhcp | no-examine-dhcp) {<br />
forwarding-class (for DHCP Snooping or DAI Packets) class-name;<br />
}<br />
examine-fip {<br />
examine-vn2vn {<br />
beac<strong>on</strong>-period millisec<strong>on</strong>ds;<br />
}<br />
fc-map fc-map-value;<br />
}<br />
mac-move-limit limit
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Descripti<strong>on</strong><br />
C<strong>on</strong>figure E<strong>the</strong>r<strong>net</strong> switching opti<strong>on</strong>s.<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• Overview of Access Port Protecti<strong>on</strong><br />
• Understanding Storm C<strong>on</strong>trol<br />
ingress (e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s)<br />
Syntax ingress {<br />
interface (all | interface-name);<br />
vlan (vlan-id | vlan-name);<br />
}<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name input]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s analyzer name input]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Specify <strong>the</strong> interfaces or VLANs for which incoming traffic is mirrored as part of a port<br />
mirroring c<strong>on</strong>figurati<strong>on</strong>.<br />
The statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.routing-c<strong>on</strong>trol—To add this<br />
statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
34<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 5: C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring<br />
input<br />
Syntax input {<br />
ingress {<br />
interface (all | interface-name);<br />
vlan (vlan-id | vlan-name);<br />
}<br />
egress {<br />
interface (all | interface-name);<br />
}<br />
}<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s analyzer name]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Define <strong>the</strong> traffic to be mirrored. The definiti<strong>on</strong> can be a combinati<strong>on</strong> of traffic entering<br />
or exiting specific ports or VLANs.<br />
The statements are explained separately.<br />
Default<br />
No default.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
35
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
interface (Port Mirroring)<br />
Syntax<br />
interface (all | interface-name);<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name input (egress | ingress)],<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name output]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s analyzer name input (egress | ingress)]<br />
[edit forwarding-opti<strong>on</strong>s analyzer name output]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Specify <strong>the</strong> interfaces for which ingressing traffic is mirrored. Specify <strong>the</strong> interface that<br />
mirrored traffic should be copied to (<strong>the</strong> output interface).<br />
Opti<strong>on</strong>s<br />
all—Apply port mirroring to all interfaces <strong>on</strong> <strong>the</strong> switch (except <strong>the</strong> output interface).<br />
Mirroring a high volume of traffic can cause performance issues, so you should<br />
generally select specific input interfaces.<br />
CAUTION: C<strong>on</strong>figuring all in a QFabric system causes all <strong>the</strong> access interfaces<br />
<strong>on</strong> all <strong>the</strong> nodes to be mirrored. Be cautious about using this opti<strong>on</strong> <strong>on</strong> a<br />
QFabric system.<br />
interface-name—Apply port mirroring to <strong>the</strong> specified interface <strong>on</strong>ly.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
36<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 5: C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring<br />
ip-address (Port Mirroring)<br />
Syntax<br />
ip-address ip-address;<br />
Hierarchy Level<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name output]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 12.3 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Specify <strong>the</strong> IP address to which traffic should be mirrored (<strong>the</strong> IP address of <strong>the</strong> analyzer<br />
system). The device can be <strong>on</strong> a remote <strong>net</strong>work. The analyzer device must be able to<br />
de-encapsulate GRE-encapsulated packets, or <strong>the</strong> GRE-encapsulated packets must be<br />
de-encapsulated before reaching <strong>the</strong> analyzer device. (You can use a <strong>net</strong>work sniffer to<br />
de-encapsulate <strong>the</strong> packets.) This statement is not supported <strong>on</strong> QFabric systems.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
37
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
output<br />
Syntax output {<br />
interface interface-name;<br />
ip-address ip-address;<br />
vlan (vlan-id | vlan-name);<br />
}<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s analyzer name]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Opti<strong>on</strong> output vlan added in Junos OS Release 12.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
C<strong>on</strong>figure <strong>the</strong> destinati<strong>on</strong> for mirrored traffic, ei<strong>the</strong>r an interface <strong>on</strong> <strong>the</strong> switch (for local<br />
m<strong>on</strong>itoring) or a VLAN (for remote m<strong>on</strong>itoring).<br />
The statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
38<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 5: C<strong>on</strong>figurati<strong>on</strong> Statements for Port Mirroring<br />
vlan (Port Mirroring)<br />
Syntax<br />
vlan (vlan-id | vlan-name);<br />
Hierarchy Level<br />
For platforms without ELS:<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name input ingress],<br />
[edit e<strong>the</strong>r<strong>net</strong>-switching-opti<strong>on</strong>s analyzer name output]<br />
For platforms with ELS:<br />
[edit forwarding-opti<strong>on</strong>s analyzer name input (egress | ingress)]<br />
[edit forwarding-opti<strong>on</strong>s analyzer name output]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Opti<strong>on</strong>output vlan added in Junos OS Release 12.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Specify that traffic entering into a VLAN should be mirrored. C<strong>on</strong>figure mirrored traffic<br />
to be sent to a VLAN for remote m<strong>on</strong>itoring (output).<br />
Opti<strong>on</strong>s<br />
vlan-id—Numeric VLAN identifer.<br />
vlan-name—Name of <strong>the</strong> VLAN.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
routing—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
routing-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• C<strong>on</strong>figuring Port Mirroring <strong>on</strong> page 23<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
39
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
40<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 6<br />
C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
41
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
au<strong>the</strong>nticati<strong>on</strong>-key-chains<br />
Syntax au<strong>the</strong>nticati<strong>on</strong>-key-chains {<br />
key-chain key-chain-name {<br />
descripti<strong>on</strong> text-string;<br />
key key {<br />
algorithm (md5 | hmac-sha-1);<br />
opti<strong>on</strong>s (basic | isis-enhanced);<br />
secret secret-data;<br />
start-time yyyy-mm-dd.hh:mm:ss;<br />
}<br />
tolerance sec<strong>on</strong>ds;<br />
}<br />
}<br />
Hierarchy Level<br />
[edit security]<br />
Release Informati<strong>on</strong> Statement introduced in Junos OS Release 7.6.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6 for EX <strong>Series</strong> switches.<br />
Support for IS-IS introduced in JUNOS OS Release 11.2.<br />
Statement introduced in Junos OS Release 11.3 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
C<strong>on</strong>figure au<strong>the</strong>nticati<strong>on</strong> key updates for <strong>the</strong> Border Gateway Protocol (BGP), <strong>the</strong> Label<br />
Distributi<strong>on</strong> Protocol (LDP) routing protocols, <strong>the</strong> Bidirecti<strong>on</strong>al Forwarding Detecti<strong>on</strong><br />
(BFD) protocol, and <strong>the</strong> Intermediate System-to-Intermediate System (IS-IS) protocol.<br />
When <strong>the</strong> au<strong>the</strong>nticati<strong>on</strong>-key-chains statement is c<strong>on</strong>figured at <strong>the</strong> [edit security] hierarchy<br />
level, and is associated with <strong>the</strong> BGP, LDP, or IS-IS protocols at <strong>the</strong> [edit protocols]<br />
hierarchy level or with <strong>the</strong> BFD protocol using <strong>the</strong> bfd-liveness-detecti<strong>on</strong> statement,<br />
au<strong>the</strong>nticati<strong>on</strong> key updates can occur without interrupting routing and signaling protocols<br />
such as Open Shortest Path First (OSPF) and Resource Reservati<strong>on</strong> Setup Protocol<br />
(RSVP).<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring <strong>the</strong> Au<strong>the</strong>nticati<strong>on</strong> Key Update Mechanism for BGP and LDP Routing Protocols<br />
• Example: C<strong>on</strong>figuring BFD Au<strong>the</strong>nticati<strong>on</strong> for Static Routes<br />
• Example: C<strong>on</strong>figuring Hitless Au<strong>the</strong>nticati<strong>on</strong> Key Rollover for IS-IS<br />
42<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
cache-size<br />
Syntax<br />
cache-size bytes;<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure <strong>the</strong> cache size for digital certificates.<br />
Opti<strong>on</strong>s<br />
bytes—Cache size for digital certificates.<br />
Range: 64 through 4,294,967,295<br />
Default: 2 megabytes (MB)<br />
NOTE: We recommend that you limit your cache size to 4 MB.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong><br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
43
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
cache-timeout-negative<br />
Syntax<br />
cache-timeout-negative sec<strong>on</strong>ds;<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure a negative cache for digital certificates.<br />
Opti<strong>on</strong>s<br />
sec<strong>on</strong>ds—Negative time to cache digital certificates, in sec<strong>on</strong>ds.<br />
Range: 10 through 4,294,967,295<br />
Default: 20<br />
CAUTION: C<strong>on</strong>figuring a large negative cache value can lead to a<br />
denial-of-service attack.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong><br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
ca-name<br />
Syntax<br />
ca-name ca-identity;<br />
Hierarchy Level<br />
[edit security certificates certificati<strong>on</strong>-authority]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
Specify <strong>the</strong> certificate authority (CA) identity to use in <strong>the</strong> certificate request.<br />
Opti<strong>on</strong>s<br />
ca-identity—CA identity to use in <strong>the</strong> certificate request.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
44<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
certificates<br />
Syntax certificates {<br />
cache-size bytes;<br />
cache-timeout-negative sec<strong>on</strong>ds;<br />
certificati<strong>on</strong>-authority ca-profile-name {<br />
ca-name ca-identity;<br />
crl file-name;<br />
encoding (binary | pem);<br />
enrollment-url url-name;<br />
file certificate-filename;<br />
ldap-url url-name;<br />
}<br />
enrollment-retry attempts;<br />
local certificate-name {<br />
certificate-key-string;<br />
load-key-file URL filename;<br />
}<br />
maximum-certificates number;<br />
path-length certificate-path-length;<br />
}<br />
Hierarchy Level<br />
[edit security]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure <strong>the</strong> digital certificates for IPsec.<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
45
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
certificati<strong>on</strong>-authority<br />
Syntax certificati<strong>on</strong>-authority ca-profile-name {<br />
ca-name ca-identity;<br />
crl file-name;<br />
encoding (binary | pem);<br />
enrollment-url url-name;<br />
file certificate-filename;<br />
ldap-url url-name;<br />
}<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure a certificate authority profile name.<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong><br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
crl (Encrypti<strong>on</strong> Interface)<br />
Syntax<br />
crl file-name;<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure <strong>the</strong> certificate revocati<strong>on</strong> list (CRL). A CRL is a time-stamped list identifying<br />
revoked certificates, which is signed by a CA and made available to <strong>the</strong> participating<br />
IPsec peers <strong>on</strong> a regular periodic basis.<br />
Opti<strong>on</strong>s<br />
file-name—Specify <strong>the</strong> file from which to read <strong>the</strong> CRL.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong><br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
46<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
encoding<br />
Syntax<br />
encoding (binary | pem);<br />
Hierarchy Level<br />
[edit security ike policy ike-peer-address],<br />
[edit security certificates certificati<strong>on</strong>-authority ca-profile-name]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
Specify <strong>the</strong> file format used for <strong>the</strong> local-certificate and local-key-pair statements.<br />
Opti<strong>on</strong>s<br />
binary—Binary file format.<br />
pem—Privacy-enhanced mail (PEM), an ASCII base 64 encoded format.<br />
Default: binary<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
• C<strong>on</strong>figuring an IKE Policy for Digital Certificates for an ES PIC<br />
enrollment-retry<br />
Syntax<br />
enrollment-retry attempts;<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
Specify how many times a router or switch can resend a digital certificate request.<br />
Opti<strong>on</strong>s<br />
attempts—Number of enrollment retries.<br />
Range: 0 through 100<br />
Default: 0<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
47
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
enrollment-url<br />
Syntax<br />
enrollment-url url-name;<br />
Hierarchy Level<br />
[edit security certificates certificati<strong>on</strong>-authority ca-profile-name]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
Specify where your router or switch sends Simple Certificate Enrollment Protocol-based<br />
(SCEP-based) certificate enrollment requests (certificate authority URL).<br />
Opti<strong>on</strong>s<br />
url-name—Certificate authority URL.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
file<br />
Syntax<br />
file certificate-filename;<br />
Hierarchy Level<br />
[edit security certificates certificati<strong>on</strong>-authority ca-profile-name]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
Specify <strong>the</strong> file from which to read <strong>the</strong> digital certificate.<br />
Opti<strong>on</strong>s<br />
certificate-filename—File from which to read <strong>the</strong> digital certificate.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
48<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
key (Au<strong>the</strong>nticati<strong>on</strong> Keychain)<br />
Syntax key key {<br />
algorithm (md5 | hmac-sha-1);<br />
opti<strong>on</strong>s (basic | isis-enhanced);<br />
secret secret-data;<br />
start-time yyyy-mm-dd.hh:mm:ss;<br />
}<br />
Hierarchy Level<br />
[edit security au<strong>the</strong>nticati<strong>on</strong>-key-chains key-chain key-chain-name]<br />
Release Informati<strong>on</strong> Statement introduced in Junos OS Release 7.6.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6 for EX <strong>Series</strong> switches.<br />
Support for IS-IS introduced in JUNOS OS Release 11.2.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
C<strong>on</strong>figure <strong>the</strong> au<strong>the</strong>nticati<strong>on</strong> element.<br />
Opti<strong>on</strong>s<br />
key—Each key within a keychain is identified by a unique integer value.<br />
Range: 0 through 63<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring <strong>the</strong> Au<strong>the</strong>nticati<strong>on</strong> Key Update Mechanism for BGP and LDP Routing Protocols<br />
• Example: C<strong>on</strong>figuring BFD Au<strong>the</strong>nticati<strong>on</strong> for Static Routes<br />
• Example: C<strong>on</strong>figuring Hitless Au<strong>the</strong>nticati<strong>on</strong> Key Rollover for IS-IS<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
49
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
key-chain (Security)<br />
Syntax keychain key-chain-name {<br />
descripti<strong>on</strong> text-string;<br />
key key {<br />
algorithm (md5 | hmac-sha-1);<br />
opti<strong>on</strong>s (basic | isis-enhanced);<br />
secret secret-data;<br />
start-time yyyy-mm-dd.hh:mm:ss;<br />
}<br />
tolerance sec<strong>on</strong>ds;<br />
}<br />
Hierarchy Level<br />
[edit security au<strong>the</strong>nticati<strong>on</strong>-key-chains]<br />
Release Informati<strong>on</strong> Statement introduced in Junos OS Release 7.6.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6 for EX <strong>Series</strong> switches.<br />
Support for IS-IS introduced in Junos OS Release 11.2.<br />
Statement introduced in Junos OS Release 11.3 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
Create <strong>the</strong> key-chain c<strong>on</strong>figurati<strong>on</strong> for <strong>the</strong> Border Gateway Protocol (BGP), <strong>the</strong> Label<br />
Distributi<strong>on</strong> Protocol (LDP) routing protocols, <strong>the</strong> Bidirecti<strong>on</strong>al Forwarding Detecti<strong>on</strong><br />
(BFD) protocol, and <strong>the</strong> Intermediate System-to-Intermediate System (IS-IS) protocol.<br />
Opti<strong>on</strong>s<br />
key-chain-name—Au<strong>the</strong>nticati<strong>on</strong> keychain name. It can be up to 126 characters. Characters<br />
can include any ASCII strings. If you include spaces, enclose all characters in quotati<strong>on</strong><br />
marks (“ ”).<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• au<strong>the</strong>nticati<strong>on</strong>-key-chains <strong>on</strong> page 42<br />
• C<strong>on</strong>figuring <strong>the</strong> Au<strong>the</strong>nticati<strong>on</strong> Key Update Mechanism for BGP and LDP Routing Protocols<br />
• Example: C<strong>on</strong>figuring BFD Au<strong>the</strong>nticati<strong>on</strong> for Static Routes<br />
• Example: C<strong>on</strong>figuring Hitless Au<strong>the</strong>nticati<strong>on</strong> Key Rollover for IS-IS<br />
50<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
ldap-url<br />
Syntax<br />
;<br />
Hierarchy Level<br />
[edit security certificates certificati<strong>on</strong>-authority ca-profile-name]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
(Opti<strong>on</strong>al) Specify <strong>the</strong> Lightweight Directory Access Protocol (LDAP) URL for digital<br />
certificates.<br />
Opti<strong>on</strong>s<br />
url-name—Name of <strong>the</strong> LDAP URL.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
system—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
system-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
51
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
local<br />
Syntax local certificate-name {<br />
certificate-key-string;<br />
load-key-file URL filename;<br />
}<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
Import a paired X.509 private key and au<strong>the</strong>nticati<strong>on</strong> certificate, to enable Junos XML<br />
protocol client applicati<strong>on</strong>s to establish Secure Sockets Layer (SSL) c<strong>on</strong>necti<strong>on</strong>s to <strong>the</strong><br />
router or switch.<br />
Opti<strong>on</strong>s<br />
certificate-namecertificate-key-string—String of alphanumeric characters that c<strong>on</strong>stitute<br />
<strong>the</strong> private key and certificate.<br />
certificate-name—Name that uniquely identifies <strong>the</strong> certificate.<br />
load-key-file URL filename—File that c<strong>on</strong>tains <strong>the</strong> private key and certificate. It can be<br />
<strong>on</strong>e of two types of values:<br />
• Pathname of a file <strong>on</strong> <strong>the</strong> local disk (assuming you have already used ano<strong>the</strong>r method<br />
to copy <strong>the</strong> certificate file to <strong>the</strong> router’s or switch’s local disk)<br />
• URL to <strong>the</strong> certificate file locati<strong>on</strong> (for instance, <strong>on</strong> <strong>the</strong> computer where <strong>the</strong> Junos XML<br />
protocol client applicati<strong>on</strong> runs)<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
system—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
system-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Importing SSL Certificates for Junos XML Protocol Support<br />
52<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
maximum-certificates<br />
Syntax<br />
maximum-certificates number;<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure <strong>the</strong> maximum number of peer digital certificates to be cached.<br />
Opti<strong>on</strong>s<br />
number—Maximum number of peer digital certificates to be cached.<br />
Range: 64 through 4,294,967,295 peer certificates<br />
Default: 1024 peer certificates<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
system—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
system-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
path-length<br />
Syntax<br />
path-length certificate-path-length;<br />
Hierarchy Level<br />
[edit security certificates]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
(Encrypti<strong>on</strong> interface <strong>on</strong> M <strong>Series</strong> and T <strong>Series</strong> routers and EX <strong>Series</strong> switches <strong>on</strong>ly)<br />
C<strong>on</strong>figure <strong>the</strong> digital certificate path length.<br />
Opti<strong>on</strong>s<br />
certificate-path-length—Digital certificate path length.<br />
Range: 2 through 15 certificates<br />
Default: 15 certificates<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Digital Certificates for an ES PIC<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
53
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
secret<br />
Syntax<br />
secret secret-data;<br />
Hierarchy Level<br />
[edit security au<strong>the</strong>nticati<strong>on</strong>-key-chains key-chain key-chain-name key key]<br />
Release Informati<strong>on</strong> Statement introduced in Junos OS Release 7.6.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6 for EX <strong>Series</strong> switches.<br />
Support for IS-IS introduced in JUNOS OS Release 11.2.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Specify a password in encrypted text or plain text format. The secret password always<br />
appears in encrypted format.<br />
Opti<strong>on</strong>s<br />
secret-data—Password to use; it can include spaces if <strong>the</strong> character string is enclosed in<br />
quotati<strong>on</strong> marks.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring <strong>the</strong> Au<strong>the</strong>nticati<strong>on</strong> Key Update Mechanism for BGP and LDP Routing Protocols<br />
• Example: C<strong>on</strong>figuring BFD Au<strong>the</strong>nticati<strong>on</strong> for Static Routes<br />
• Example: C<strong>on</strong>figuring Hitless Au<strong>the</strong>nticati<strong>on</strong> Key Rollover for IS-IS<br />
54<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
security<br />
Syntax security {<br />
au<strong>the</strong>nticati<strong>on</strong>-key-chains {<br />
key-chain key-chain-name {<br />
key key {<br />
secret secret-data;<br />
start-time yyyy-mm-dd.hh:mm:ss;<br />
}<br />
}<br />
certificates {<br />
cache-size bytes;<br />
cache-timeout-negative sec<strong>on</strong>ds;<br />
certificati<strong>on</strong>-authority ca-profile-name {<br />
ca-name ca-identity;<br />
crl file-name;<br />
encoding (binary | pem);<br />
enrollment-url url-name;<br />
file certificate-filename;<br />
ldap-url url-name;<br />
}<br />
enrollment-retry attempts;<br />
local certificate-filename {<br />
certificate-key-string;<br />
load-key-file key-file-name;<br />
}<br />
maximum-certificates number;<br />
path-length certificate-path-length;<br />
}<br />
ssh-known-hosts {<br />
host {<br />
fetch-from-server host-name;<br />
load-key-file file-name;<br />
}<br />
}<br />
traceopti<strong>on</strong>s {<br />
file filename ;<br />
flag flag;<br />
level level;<br />
no-remote-trace<br />
}<br />
}<br />
Hierarchy Level<br />
[edit]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
C<strong>on</strong>figure security services. Most of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> statements do not have default<br />
values. If you do not specify an identifier for a statement that does not have a default<br />
value, you cannot commit <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
Required Privilege<br />
Level<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
55
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Related<br />
Documentati<strong>on</strong><br />
ssh-known-hosts<br />
Syntax ssh-known-hosts {<br />
host host-name {<br />
fetch-from-server host-name;<br />
load-key-file file-name;<br />
}<br />
}<br />
Hierarchy Level<br />
[edit security ssh-known-hosts]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
C<strong>on</strong>figure SSH support for known hosts and for administering SSH host key updates.<br />
Opti<strong>on</strong>s<br />
host host-name—Hostname of <strong>the</strong> SSH known host entry. This opti<strong>on</strong> has <strong>the</strong> following<br />
subopti<strong>on</strong>s:<br />
• fetch-from-server host-name—Retrieve SSH public host key informati<strong>on</strong> from a specified<br />
server.<br />
• load-key-file filename—Import SSH host key informati<strong>on</strong> from <strong>the</strong><br />
/var/tmp/ssh-known-hosts file.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• Understanding Security Features <strong>on</strong> <strong>the</strong> QFabric System<br />
• C<strong>on</strong>figuring SSH Host Keys for Secure Copying of Data<br />
56<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
start-time (Au<strong>the</strong>nticati<strong>on</strong> Key Transmissi<strong>on</strong>)<br />
Syntax<br />
start-time (now | yyyy-mm-dd.hh:mm:ss);<br />
Hierarchy Level<br />
[edit security au<strong>the</strong>nticati<strong>on</strong>-key-chains key-chain key-chain-name key key]<br />
Release Informati<strong>on</strong> Statement introduced in Junos OS Release 7.6.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6.<br />
Support for <strong>the</strong> BFD protocol introduced in Junos OS Release 9.6 for EX <strong>Series</strong> switches.<br />
Support for IS-IS introduced in JUNOS OS Release 11.2.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Specify a start time for key transmissi<strong>on</strong>. You do not need to specify an end time for <strong>the</strong><br />
key. If a new key is present with a new start time, <strong>the</strong> keychain rolls over to <strong>the</strong> new <strong>on</strong>e.<br />
The start time must be unique within <strong>the</strong> keychain.<br />
Opti<strong>on</strong>s<br />
now—Start time as <strong>the</strong> current year, m<strong>on</strong>th, day, hour, minute, and sec<strong>on</strong>d.<br />
daydays—Start time as <strong>the</strong> specified number of days after <strong>the</strong> current day. For example,<br />
if <strong>the</strong> current day is <strong>the</strong> 12th and you c<strong>on</strong>figure start-time 2day, <strong>the</strong> start time will be<br />
<strong>on</strong> <strong>the</strong> 14th, exactly two days after <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> is entered.<br />
hourhours—Start time as <strong>the</strong> specified number of hours after <strong>the</strong> current hour. For example,<br />
if <strong>the</strong> current hour is 9:00 and you c<strong>on</strong>figure start-time 3hour, <strong>the</strong> start time will be<br />
in 12:00, exactly three hours after <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> is entered.<br />
minuteminutes—Start time as <strong>the</strong> specified number of minutes after <strong>the</strong> current minute.<br />
For example, if <strong>the</strong> current minute is 27 minutes after <strong>the</strong> hour and you c<strong>on</strong>figure<br />
start-time 5min, <strong>the</strong> start time will be in 32 minutes after <strong>the</strong> hour, exactly five minutes<br />
after <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> is entered.<br />
m<strong>on</strong>thm<strong>on</strong>ths—Start time as <strong>the</strong> specified number of m<strong>on</strong>ths after <strong>the</strong> current m<strong>on</strong>th.<br />
For example, if <strong>the</strong> current m<strong>on</strong>th is March and you c<strong>on</strong>figure start-time 4m<strong>on</strong>th, <strong>the</strong><br />
start time will be in July, exactly four m<strong>on</strong>ths after <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> is entered.<br />
sec<strong>on</strong>dsec<strong>on</strong>ds—Start time as <strong>the</strong> specified number of sec<strong>on</strong>ds after <strong>the</strong> current sec<strong>on</strong>d.<br />
For example, if <strong>the</strong> current sec<strong>on</strong>d is 10:20:40 and you c<strong>on</strong>figure start-time 10sec<strong>on</strong>ds,<br />
<strong>the</strong> start time will be 10:20:50, exactly 10 sec<strong>on</strong>ds after <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> is entered.<br />
yearyears—Start time as <strong>the</strong> specified number of years after <strong>the</strong> current year. For example,<br />
if <strong>the</strong> current year is 2011 and you c<strong>on</strong>figure start-time 1year, <strong>the</strong> start time will be in<br />
2012, exactly <strong>on</strong>e year after <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong> is entered.<br />
yyyy–mm-dd.hh:mm:ss—Start time in UTC (Coordinated Universal Time). The start time<br />
must be unique within <strong>the</strong> keychain.<br />
Required Privilege<br />
Level<br />
admin—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
57
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
Related<br />
Documentati<strong>on</strong><br />
• C<strong>on</strong>figuring <strong>the</strong> Au<strong>the</strong>nticati<strong>on</strong> Key Update Mechanism for BGP and LDP Routing Protocols<br />
• Example: C<strong>on</strong>figuring BFD Au<strong>the</strong>nticati<strong>on</strong> for Static Routes<br />
• Example: C<strong>on</strong>figuring BFD Au<strong>the</strong>nticati<strong>on</strong> for Static Routes<br />
• Example: C<strong>on</strong>figuring Hitless Au<strong>the</strong>nticati<strong>on</strong> Key Rollover for IS-IS<br />
58<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 6: C<strong>on</strong>figurati<strong>on</strong> Statements for Encrypti<strong>on</strong><br />
traceopti<strong>on</strong>s<br />
Syntax traceopti<strong>on</strong>s {<br />
file filename ;<br />
flag all;<br />
flag certificates;<br />
flag database;<br />
flag general;<br />
flag ike;<br />
flag parse;<br />
flag policy-manager;<br />
flag routing-socket;<br />
flag timer;<br />
level<br />
no-remote-trace<br />
}<br />
Hierarchy Level<br />
[edit security],<br />
[edit services ipsec-vpn]<br />
Trace opti<strong>on</strong>s can be c<strong>on</strong>figured at ei<strong>the</strong>r <strong>the</strong> [edit security] or <strong>the</strong> [edit services ipsec-vpn]<br />
hierarchy level, but not at both levels.<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Descripti<strong>on</strong><br />
C<strong>on</strong>figure security trace opti<strong>on</strong>s.<br />
To specify more than <strong>on</strong>e trace opti<strong>on</strong>, include multiple flag statements. Trace opti<strong>on</strong><br />
output is recorded in <strong>the</strong> /var/log/kmd file.<br />
NOTE: The traceopti<strong>on</strong>sstatement is not supported <strong>on</strong> QFabric systems.<br />
Opti<strong>on</strong>s<br />
files number—(Opti<strong>on</strong>al) Maximum number of trace files. When a trace file (for example,<br />
kmd) reaches its maximum size, it is renamed kmd.0, <strong>the</strong>n kmd.1, and so <strong>on</strong>, until <strong>the</strong><br />
maximum number of trace files is reached. Then <strong>the</strong> oldest trace file is overwritten.<br />
If you specify a maximum number of files, you must also specify a maximum file size with<br />
<strong>the</strong> size opti<strong>on</strong>.<br />
Range: 2 through 1000 files<br />
Default: 0 files<br />
size size—(Opti<strong>on</strong>al) Maximum size of each trace file, in kilobytes (KB). When a trace file<br />
(for example, kmd) reaches this size, it is renamed, kmd.0, <strong>the</strong>n kmd.1 and so <strong>on</strong>, until<br />
<strong>the</strong> maximum number of trace files is reached. Then <strong>the</strong> oldest trace file is overwritten.<br />
Default: 1024 KB<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
59
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
flag flag—Trace operati<strong>on</strong> to perform. To specify more than <strong>on</strong>e trace operati<strong>on</strong>, include<br />
multiple flag statements.<br />
• all—Trace all security events.<br />
• certificates—Trace certificate events.<br />
• database—Trace database events.<br />
• general—Trace general events.<br />
• ike—Trace IKE module processing.<br />
• parse—Trace c<strong>on</strong>figurati<strong>on</strong> processing.<br />
• policy-manager—Trace policy manager processing.<br />
• routing-socket—Trace routing socket messages.<br />
• timer—Trace internal timer events.<br />
level level—(Opti<strong>on</strong>al) Set traceopti<strong>on</strong>s level.<br />
• all—match all levels.<br />
• error—Match error c<strong>on</strong>diti<strong>on</strong>s.<br />
• info—Match informati<strong>on</strong>al messages.<br />
• notice—Match c<strong>on</strong>diti<strong>on</strong>s that should be handled specially.<br />
• verbose—Match verbose messages.<br />
• warning—Match warning messages.<br />
no-remote-trace—(Opti<strong>on</strong>al) Disable remote tracing<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
admin—To view <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
admin-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Tracing Operati<strong>on</strong>s for Security <str<strong>on</strong>g>Services</str<strong>on</strong>g><br />
60<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 7<br />
C<strong>on</strong>figurati<strong>on</strong> Statements for DHCP Relay<br />
apply-sec<strong>on</strong>dary-as-giaddr<br />
Syntax<br />
apply-sec<strong>on</strong>dary-as-giaddr;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp],<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp interface]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 12.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
C<strong>on</strong>figures <strong>the</strong> interfaces <strong>on</strong> a switch that are DHCP relay agents to be enabled for smart<br />
DHCP relay:<br />
• When you c<strong>on</strong>figure this statement directly under <strong>the</strong> bootp statement, it enables<br />
smart relay <strong>on</strong> all <strong>the</strong> interfaces that are relay agents.<br />
• When you c<strong>on</strong>figure this statement under <strong>the</strong> interface statement, it enables smart<br />
relay <strong>on</strong> <strong>the</strong> specified interface.<br />
Smart relay requires <strong>the</strong> interfaces to be routed VLAN interfaces or Layer 3 logical<br />
interfaces that have multiple IP addresses.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring DHCP and BOOTP Relay <strong>on</strong> page 26<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
61
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
bootp<br />
Syntax bootp {<br />
client-resp<strong>on</strong>se-ttl number;<br />
descripti<strong>on</strong> text-descripti<strong>on</strong>;<br />
apply-sec<strong>on</strong>dary-as-giaddr<br />
interface (interface-name | interface-group) {<br />
broadcast number;<br />
client-resp<strong>on</strong>se-ttl number;<br />
descripti<strong>on</strong> text-descripti<strong>on</strong>;<br />
maximum-hop-count number;<br />
minimum-wait-time sec<strong>on</strong>ds;<br />
no-listen;<br />
server address ;<br />
apply-sec<strong>on</strong>dary-as-giaddr<br />
}<br />
maximum-hop-count number;<br />
minimum-wait-time sec<strong>on</strong>ds;<br />
server address {<br />
}<br />
}<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.3 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
C<strong>on</strong>figure a router, switch, or interface to act as a Dynamic Host C<strong>on</strong>figurati<strong>on</strong> Protocol<br />
(DHCP) or bootstrap protocol (BOOTP) relay agent.<br />
Opti<strong>on</strong>s<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring DHCP and BOOTP Relay <strong>on</strong> page 26<br />
62<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 7: C<strong>on</strong>figurati<strong>on</strong> Statements for DHCP Relay<br />
broadcast<br />
Syntax<br />
broadcast number;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp interface (interface-name | interface-group)]<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
If <strong>the</strong> specified interface is unavailable, broadcast DHCP and BOOTP packets.<br />
Opti<strong>on</strong>s<br />
N<strong>on</strong>e<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring DHCP and BOOTP Relay <strong>on</strong> page 26<br />
client-resp<strong>on</strong>se-ttl<br />
Syntax<br />
client-resp<strong>on</strong>se-ttl number;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp],<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp interface (interface-name | interface-group)]<br />
Release Informati<strong>on</strong> Statement introduced in Junos OS Release 8.1.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Set <strong>the</strong> IP time-to-live (TTL) value in DHCP resp<strong>on</strong>se packets sent to a DHCP client.<br />
Opti<strong>on</strong>s<br />
number—Decrement amount.<br />
Default: N<strong>on</strong>e<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
63
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
descripti<strong>on</strong> (Forwarding Opti<strong>on</strong>s)<br />
Syntax<br />
descripti<strong>on</strong> text-descripti<strong>on</strong>;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp],<br />
[edit forwarding-opti<strong>on</strong>s helpers bootpinterface (interface-name | interface-group)],<br />
[edit forwarding-opti<strong>on</strong>s helpers domain],<br />
[edit forwarding-opti<strong>on</strong>s helpers domain interface interface-name],<br />
[edit forwarding-opti<strong>on</strong>s helpers tftp],<br />
[edit forwarding-opti<strong>on</strong>s helpers tftpinterface interface-name]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Describe a BOOTP, DHCP, Domain Name System (DNS), or Trivial File Transfer Protocol<br />
(TFTP) service, or an interface that is c<strong>on</strong>figured for <strong>the</strong> service.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring DNS and TFTP Packet Forwarding<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
64<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 7: C<strong>on</strong>figurati<strong>on</strong> Statements for DHCP Relay<br />
interface (BOOTP)<br />
Syntax interface (interface-name | interface-group) {<br />
broadcast;<br />
client-resp<strong>on</strong>se-ttl number;<br />
descripti<strong>on</strong> text-descripti<strong>on</strong>;<br />
maximum-hop-count number;<br />
minimum-wait-time sec<strong>on</strong>ds;<br />
no-listen;<br />
server address {<br />
logical-system logical-system-name ;<br />
routing-instance [ routing-instance-names ];<br />
}<br />
apply-sec<strong>on</strong>dary-as-giaddr (<strong>QFX</strong> platforms <strong>on</strong>ly)<br />
}<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Specify <strong>the</strong> interface for a DHCP and BOOTP relay agent.<br />
Opti<strong>on</strong>s<br />
interface-group—Sets a logical interface or group of logical interfaces with a specific<br />
DHCP relay c<strong>on</strong>figurati<strong>on</strong>.<br />
The remaining statements are explained separately.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
• Setting Up DHCP Opti<strong>on</strong> 82 with <strong>the</strong> Switch as a Relay Agent Between Clients and DHCP<br />
Server (CLI Procedure)<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
65
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
maximum-hop-count<br />
Syntax<br />
maximum-hop-count number;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp],<br />
[edit forwarding-opti<strong>on</strong>s helpers bootpinterface (interface-name | interface-group)]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Specify <strong>the</strong> maximum number of hops allowed.<br />
Opti<strong>on</strong>s<br />
number—Maximum number of hops.<br />
Default: 4 hops<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
minimum-wait-time<br />
Syntax<br />
minimum-wait-time sec<strong>on</strong>ds;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp],<br />
[edit forwarding-opti<strong>on</strong>s helpers bootpinterface (interface-name | interface-group)]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Specify <strong>the</strong> minimum time allowed.<br />
Opti<strong>on</strong>s<br />
sec<strong>on</strong>ds—Minimum time.<br />
Default: 0 sec<strong>on</strong>ds<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
66<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 7: C<strong>on</strong>figurati<strong>on</strong> Statements for DHCP Relay<br />
no-listen<br />
Syntax<br />
no-listen;<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp interface (interface-name | interface-group)],<br />
[edit forwarding-opti<strong>on</strong>s helpers domain interface interface-name],<br />
[edit forwarding-opti<strong>on</strong>s helpers tftp interface interface-name]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
Disable recogniti<strong>on</strong> of DNS requests or stop packets from being forwarded <strong>on</strong> a logical<br />
interface, a group of logical interfaces, a router, or a switch.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring DNS and TFTP Packet Forwarding<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
server (DHCP and BOOTP Relay Agent)<br />
Syntax server address {<br />
logical-system logical-system-name ;<br />
routing-instance [ routing-instance-names ];<br />
}<br />
Hierarchy Level<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp],<br />
[edit forwarding-opti<strong>on</strong>s helpers bootp interface (interface-name | interface-group)]<br />
Release Informati<strong>on</strong> Statement introduced before Junos OS Release 7.4.<br />
Statement introduced in Junos OS Release 9.0 for EX <strong>Series</strong> switches.<br />
Statement introduced in Junos OS Release 11.3 for <strong>QFX</strong> <strong>Series</strong> switches.<br />
Descripti<strong>on</strong><br />
C<strong>on</strong>figure <strong>the</strong> router or switch to act as a DHCP and BOOTP relay agent.<br />
Opti<strong>on</strong>s • address—One or more addresses of <strong>the</strong> server.<br />
• logical-system logical-system-name—(Opti<strong>on</strong>al) Logical system of <strong>the</strong> server.<br />
• routing-instance routing-instance-names—(Opti<strong>on</strong>al) Routing instance name that bel<strong>on</strong>g<br />
to <strong>the</strong> DHCP or BOOTP relay agent.<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
interface—To view this statement in <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
interface-c<strong>on</strong>trol—To add this statement to <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>.<br />
• C<strong>on</strong>figuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
67
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
68<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
PART 3<br />
Administrati<strong>on</strong><br />
• M<strong>on</strong>itoring Commands for Port Mirroring <strong>on</strong> page 71<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
69
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
70<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 8<br />
M<strong>on</strong>itoring Commands for Port Mirroring<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
71
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
show analyzer<br />
Syntax<br />
Release Informati<strong>on</strong><br />
Descripti<strong>on</strong><br />
show analyzer <br />
Command introduced in Junos OS Release 11.1 for <strong>the</strong> <strong>QFX</strong> <strong>Series</strong>.<br />
Display informati<strong>on</strong> about port mirroring.<br />
Opti<strong>on</strong>s<br />
analyzer-name—(Opti<strong>on</strong>al) Displays <strong>the</strong> status of a specific analyzer (port-mirroring<br />
c<strong>on</strong>figurati<strong>on</strong>).<br />
Required Privilege<br />
Level<br />
Related<br />
Documentati<strong>on</strong><br />
view<br />
• Layer 2 Port Mirroring Overview<br />
• Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s <strong>on</strong> page 5<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis <strong>on</strong> page 17<br />
List of Sample Output show analyzer <strong>on</strong> page 72<br />
Output Fields<br />
Table 4 <strong>on</strong> page 72 describes <strong>the</strong> output fields for <strong>the</strong> show analyzer command. Output<br />
fields are listed in <strong>the</strong> approximate order in which <strong>the</strong>y appear.<br />
Table 4: show analyzer Output Fields<br />
Field Name<br />
Field Descripti<strong>on</strong><br />
Analyzer name<br />
Name of <strong>the</strong> analyzer.<br />
Output interface<br />
Local interface to which mirror packets are sent. If you c<strong>on</strong>figure an output<br />
interface, you cannot also c<strong>on</strong>figure an output VLAN.<br />
Output VLAN<br />
VLAN to which mirror packets are sent. If you c<strong>on</strong>figure an output VLAN, you<br />
cannot also c<strong>on</strong>figure an output interface.<br />
Egress m<strong>on</strong>itored interfaces<br />
Interfaces for which egress traffic is mirrored.<br />
Ingress m<strong>on</strong>itored interfaces<br />
Interfaces for which ingress traffic is mirrored.<br />
Ingress m<strong>on</strong>itored VLANs<br />
VLANs for which ingress traffic is mirrored.<br />
Sample Output<br />
show analyzer<br />
user@switch> show analyzer<br />
Analyzer name<br />
Output interface<br />
Output VLAN<br />
: employee-m<strong>on</strong>itor<br />
: ge-0/0/10.0<br />
: remote-analyzer<br />
72<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 8: M<strong>on</strong>itoring Commands for Port Mirroring<br />
Egress m<strong>on</strong>itored interfaces : ge-0/0/7.0<br />
Ingress m<strong>on</strong>itored interfaces : ge-0/0/8.0<br />
Ingress m<strong>on</strong>itored interfaces : ge-0/0/9.0<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
73
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
74<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
PART 4<br />
Troubleshooting<br />
• Troubleshooting Procedures <strong>on</strong> page 77<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
75
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
76<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
CHAPTER 9<br />
Troubleshooting Procedures<br />
Troubleshooting Port Mirroring<br />
• Troubleshooting Port Mirroring <strong>on</strong> page 77<br />
• Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s <strong>on</strong> page 77<br />
• Egress Port Mirroring with VLAN Translati<strong>on</strong> <strong>on</strong> page 79<br />
• Egress Port Mirroring with Private VLANs <strong>on</strong> page 79<br />
Port Mirroring C<strong>on</strong>straints and Limitati<strong>on</strong>s<br />
• Local and Remote Port Mirroring <strong>on</strong> page 77<br />
• Remote Port Mirroring Only <strong>on</strong> page 79<br />
Local and Remote Port Mirroring<br />
The following c<strong>on</strong>straints and limitati<strong>on</strong>s apply to local and remote port mirroring with<br />
<strong>the</strong> <strong>QFX</strong> <strong>Series</strong>:<br />
• You can create a total of four port-mirroring c<strong>on</strong>figurati<strong>on</strong>s <strong>on</strong> a <strong>QFX</strong> <strong>Series</strong> standal<strong>on</strong>e<br />
switch.<br />
• You can create a total of four port-mirroring c<strong>on</strong>figurati<strong>on</strong>s <strong>on</strong> each Node group in a<br />
QFabric system, subject to <strong>the</strong> following c<strong>on</strong>straints:<br />
• As many as four of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>s can be for local port mirroring.<br />
• As many as three of <strong>the</strong> c<strong>on</strong>figurati<strong>on</strong>s can be for remote port mirroring.<br />
• Regardless of whe<strong>the</strong>r you are c<strong>on</strong>figuring a standal<strong>on</strong>e switch or a Node group, <strong>the</strong><br />
following limits apply:<br />
• There can be no more than two c<strong>on</strong>figurati<strong>on</strong>s that mirror ingress traffic. (If you<br />
c<strong>on</strong>figure a firewall filter to send traffic to a port mirror—that is, you use <strong>the</strong> analyzer<br />
acti<strong>on</strong> modifier in a filter term—this counts as an ingress mirroring c<strong>on</strong>figurati<strong>on</strong> for<br />
switch or Node group <strong>on</strong> which <strong>the</strong> filter is applied.)<br />
• There can be no more than two c<strong>on</strong>figurati<strong>on</strong>s that mirror egress traffic.<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
77
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
NOTE: On QFabric systems, <strong>the</strong>re is no system-wide limit <strong>on</strong> <strong>the</strong> total number<br />
of mirror sessi<strong>on</strong>s.<br />
• You can c<strong>on</strong>figure no more than <strong>on</strong>e type of output in <strong>on</strong>e port-mirroring c<strong>on</strong>figurati<strong>on</strong>.<br />
That is, you can use no more than <strong>on</strong>e of <strong>the</strong> following to complete a set analyzer name<br />
output statement:<br />
• interface<br />
• ip-address<br />
• vlan<br />
• If you c<strong>on</strong>figure Junos OS to mirror egress packets, do not c<strong>on</strong>figure more than 2000<br />
VLANs <strong>on</strong> a <strong>QFX</strong>3500 device or QFabric system. If you do so, some VLAN packets<br />
might c<strong>on</strong>tain incorrect VLAN IDs. This applies to any VLAN packets—not <strong>on</strong>ly <strong>the</strong><br />
mirrored copies.<br />
• The ratio and loss-priority opti<strong>on</strong>s are not supported.<br />
• Packets with physical layer errors are filtered out and are not sent to <strong>the</strong> output port<br />
or VLAN.<br />
• If you use sFlow m<strong>on</strong>itoring to sample traffic, it does not sample <strong>the</strong> mirror copies<br />
when <strong>the</strong>y exit from <strong>the</strong> output interface.<br />
• You cannot mirror packets exiting or entering <strong>the</strong> following ports:<br />
• Dedicated Virtual Chassis interfaces<br />
• Management interfaces (me0 or vme0)<br />
• Fibre Channel interfaces<br />
• Routed VLAN interfaces<br />
• An aggregated E<strong>the</strong>r<strong>net</strong> interface cannot be an output interface.<br />
• Do not include an 802.1Q subinterface that has a unit number o<strong>the</strong>r than 0 in a port<br />
mirroring c<strong>on</strong>figurati<strong>on</strong>. Port mirroring does not work with subinterfaces if <strong>the</strong>ir unit<br />
number is not 0. (You c<strong>on</strong>figure 802.1Q subinterfaces using <strong>the</strong> vlan-tagging statement.)<br />
• When packet copies are sent out <strong>the</strong> output interface, <strong>the</strong>y are not modified for any<br />
changes that are normally applied <strong>on</strong> egress, such as CoS rewriting.<br />
• An interface can be <strong>the</strong> input interface for <strong>on</strong>ly <strong>on</strong>e mirroring c<strong>on</strong>figurati<strong>on</strong>. Do not use<br />
<strong>the</strong> same interface as <strong>the</strong> input interface for multiple mirroring c<strong>on</strong>figurati<strong>on</strong>s.<br />
• CPU-generated packets (such as ARP or ICMP packets) cannot be mirrored <strong>on</strong> egress.<br />
• (QFabric systems <strong>on</strong>ly) If you c<strong>on</strong>figure a QFabric analyzer to mirror egress traffic and<br />
<strong>the</strong> input and output interfaces are <strong>on</strong> different Node devices, <strong>the</strong> mirrored copies have<br />
incorrect VLAN IDs. This limitati<strong>on</strong> does not apply if you c<strong>on</strong>figure a QFabric analyzer<br />
to mirror egress traffic and <strong>the</strong> input and output interfaces are <strong>on</strong> <strong>the</strong> same Node device.<br />
In this case <strong>the</strong> mirrored copies have <strong>the</strong> correct VLAN IDs (as l<strong>on</strong>g as you do not<br />
c<strong>on</strong>figure more than 2000 VLANs <strong>on</strong> <strong>the</strong> QFabric system).<br />
78<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.
Chapter 9: Troubleshooting Procedures<br />
Remote Port Mirroring Only<br />
The following c<strong>on</strong>straints and limitati<strong>on</strong>s apply to remote port mirroring with <strong>the</strong> <strong>QFX</strong><br />
<strong>Series</strong>:<br />
• If you c<strong>on</strong>figure an output IP address, <strong>the</strong> address cannot be in <strong>the</strong> same sub<strong>net</strong>work<br />
as any of <strong>the</strong> switch’s management interfaces.<br />
• If you create virtual routing instances and also create an analyzer c<strong>on</strong>figurati<strong>on</strong> that<br />
includes an output IP address, <strong>the</strong> output address bel<strong>on</strong>gs to <strong>the</strong> default virtual routing<br />
instance (i<strong>net</strong>.0 routing table).<br />
• An output VLAN cannot be a private VLAN or VLAN range.<br />
• An output VLAN cannot be shared by multiple analyzer statements.<br />
• An output VLAN interface cannot be a member of any o<strong>the</strong>r VLAN.<br />
• An output VLAN interface cannot be an aggregated E<strong>the</strong>r<strong>net</strong> interface.<br />
• On <strong>the</strong> source (m<strong>on</strong>itored) switch, <strong>on</strong>ly <strong>on</strong>e interface can be a member of <strong>the</strong> analyzer<br />
VLAN.<br />
Egress Port Mirroring with VLAN Translati<strong>on</strong><br />
Problem<br />
If you create a port-mirroring c<strong>on</strong>figurati<strong>on</strong> that mirrors customer VLAN (CVLAN) traffic<br />
<strong>on</strong> egress and <strong>the</strong> traffic undergoes VLAN translati<strong>on</strong> before being mirrored, <strong>the</strong> VLAN<br />
translati<strong>on</strong> does not apply to <strong>the</strong> mirrored packets. That is, <strong>the</strong> mirrored packets retain<br />
<strong>the</strong> service VLAN (SVLAN) tag that should be replaced by <strong>the</strong> CVLAN tag <strong>on</strong> egress. The<br />
original packets are unaffected—<strong>on</strong> <strong>the</strong>se packets VLAN translati<strong>on</strong> works properly, and<br />
<strong>the</strong> SVLAN tag is replaced with <strong>the</strong> CVLAN tag <strong>on</strong> egress.<br />
Soluti<strong>on</strong><br />
This is expected behavior.<br />
Egress Port Mirroring with Private VLANs<br />
Problem<br />
If you create a port-mirroring c<strong>on</strong>figurati<strong>on</strong> that mirrors private VLAN (PVLAN) traffic <strong>on</strong><br />
egress, <strong>the</strong> mirrored traffic (<strong>the</strong> traffic that is sent to <strong>the</strong> analyzer system) has <strong>the</strong> VLAN<br />
tag of <strong>the</strong> ingress VLAN instead of <strong>the</strong> egress VLAN. For example, assume <strong>the</strong> following<br />
PVLAN c<strong>on</strong>figurati<strong>on</strong>:<br />
• Promiscuous trunk port that carries primary VLANs pvlan100 and pvlan400.<br />
• Isolated access port that carries sec<strong>on</strong>dary VLAN isolated200. This VLAN is a member<br />
of primary VLAN pvlan100.<br />
• Community port that carries sec<strong>on</strong>dary VLAN comm300. This VLAN is also a member<br />
of primary VLAN pvlan100.<br />
• Output interface (m<strong>on</strong>itor interface) that c<strong>on</strong>nects to <strong>the</strong> analyzer system. This interface<br />
forwards <strong>the</strong> mirrored traffic to <strong>the</strong> analyzer.<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.<br />
79
<str<strong>on</strong>g>Services</str<strong>on</strong>g> <strong>on</strong> <strong>the</strong> <strong>QFX</strong> <strong>Series</strong><br />
If a packet for pvlan100 enters <strong>on</strong> <strong>the</strong> promiscuous trunk port and exits <strong>on</strong> <strong>the</strong> isolated<br />
access port, <strong>the</strong> original packet is untagged <strong>on</strong> egress because it is exiting <strong>on</strong> an access<br />
port. However, <strong>the</strong> mirror copy retains <strong>the</strong> tag for pvlan100 when it is sent to <strong>the</strong> analyzer.<br />
Here is ano<strong>the</strong>r example: If a packet for comm300 ingresses <strong>on</strong> <strong>the</strong> community port and<br />
egresses <strong>on</strong> <strong>the</strong> promiscuous trunk port, <strong>the</strong> original packet carries <strong>the</strong> tag for pvlan100<br />
<strong>on</strong> egress, as expected. However, <strong>the</strong> mirrored copy retains <strong>the</strong> tag for comm300 when<br />
it is sent to <strong>the</strong> analyzer.<br />
Soluti<strong>on</strong><br />
This is expected behavior.<br />
Related<br />
Documentati<strong>on</strong><br />
• Understanding Port Mirroring <strong>on</strong> page 3<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Local Analysis <strong>on</strong> page 13<br />
• Example: C<strong>on</strong>figuring Port Mirroring for Remote Analysis <strong>on</strong> page 17<br />
80<br />
Copyright © 2013, <strong>Juniper</strong> Networks, Inc.