Services on the QFX Series - Juniper.net

More documents

Recommendations

Info

<strong>Services</strong> on the QFX Series NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped packets. Figure 1 on page 14 shows the network topology for this example. Figure 1: Network Topology for Local Port Mirroring Example xe-0/0/47 xe-0/0/6 xe-0/0/0 Server running traffic analyzer Employee computers g040596 Mirroring All Employee Traffic for Local Analysis To configure port mirroring for all traffic sent by employee computers for local analysis, perform the tasks explained in this section. CLI Quick Configuration To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into a switch terminal window: [edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching set interfaces xe-0/0/6 unit 0 family ethernet-switching set interfaces xe-0/0/47 unit 0 family ethernet-switching set ethernet-switching options analyzer employee-monitor input ingress interface xe-0/0/0.0 set ethernet-switching options analyzer employee-monitor input ingress interface xe-0/0/6.0 set ethernet-switching options analyzer employee-monitor output interface xe-0/0/47.0 Step-by-Step Procedure To configure an analyzer called employee-monitor and specify the input (source) interfaces and the output interface: 1. Configure the interfaces connected to employee computers as input interfaces for the port-mirror analyzer employee-monitor: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface xe–0/0/0.0 user@switch# set analyzer employee-monitor input ingress interface xe–0/0/6.0 2. Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor output interface xe-0/0/47.0 Results Check the results of the configuration: [edit] 14 Copyright © 2013, Juniper Networks, Inc.
Chapter 3: Configuration Examples user@switch# show ethernet-switching-options analyzer employee-monitor { input { ingress { interface xe-0/0/0.0; interface xe-0/0/6.0; } } output { interface { xe-0/0/47.0; } } } } Mirroring Employee-to-Web Traffic for Local Analysis To mirror only traffic sent by employees to the Web for local analysis, perform the tasks explained in this section. CLI Quick Configuration To quickly configure local port mirroring of traffic from employee computers that is destined for the Web, copy the following commands and paste them into a switch terminal window: [edit] set ethernet-switching-options analyzer employee–web–monitor output interface xe-0/0/47.0 set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor set interfaces xe-0/0/0 unit 0 family ethernet-switching filter input watch-employee set interfaces xe-0/0/6 unit 0 family ethernet-switching filter input watch-employee Step-by-Step Procedure To configure local port mirroring of employee-to-web traffic from the two ports connected to employee computers: 1. Configure the output interface: [edit interfaces] user@switch# set xe-0/0/47 unit 0 family ethernet-switching 2. Configure the employee-web-monitor analyzer output. (Configure only the output—the input comes from the filter.) [edit ethernet-switching-options] user@switch# set analyzer employee-web-monitor output interface xe-0/0/47.0 3. Configure a firewall filter called watch-employee that includes a term to match traffic sent to the Web and send it to the analyzer employee-web-monitor. Traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28) does not need to be copied, so create another term to accept that traffic before it reaches the term that sends Web traffic to the analyzer: Copyright © 2013, Juniper Networks, Inc. 15
Page 1 and 2: Services on the QF
Page 3 and 4: Table of Contents About the Documen
Page 5 and 6: Table of Contents Part 3 Administra
Page 7 and 8: List of Figures Part 2 Configuratio
Page 9 and 10: List of Tables About the Documentat
Page 11 and 12: About the Documentation Documentati
Page 13 and 14: About the Documentation [edit] user
Page 15 and 16: About the Documentation https://www
Page 17 and 18: PART 1 Overview • Port Mirroring
Page 19 and 20: CHAPTER 1 Port Mirroring Understand
Page 21 and 22: Chapter 1: Port Mirroring Table 3:
Page 23 and 24: Chapter 1: Port Mirroring • CPU-g
Page 25 and 26: CHAPTER 2 DHCP Relay DHCP and BOOTP
Page 27 and 28: PART 2 Configuration • Configurat
Page 29: CHAPTER 3 Configuration Examples
Page 33 and 34: Chapter 3: Configuration Examples V
Page 35 and 36: Chapter 3: Configuration Examples S
Page 37 and 38: Chapter 3: Configuration Examples }
Page 39 and 40: CHAPTER 4 Configuration Tasks Confi
Page 41 and 42: Chapter 4: Configuration Tasks c. S
Page 43 and 44: Chapter 4: Configuration Tasks rela
Page 45 and 46: CHAPTER 5 Configuration Statements
Page 47 and 48: Chapter 5: Configuration Statements
Page 81 and 82:
Chapter 7: Configuration Statements
Page 83 and 84:
Chapter 7: Configuration Statements
Page 85 and 86:
PART 3 Administration • Monitorin
Page 87 and 88:
CHAPTER 8 Monitoring Commands for P
Page 89 and 90:
Chapter 8: Monitoring Commands for
Page 91 and 92:
PART 4 Troubleshooting • Troubles
Page 93 and 94:
CHAPTER 9 Troubleshooting Procedure
Page 95 and 96:
Chapter 9: Troubleshooting Procedur
show all

Services on the QFX Series - Juniper.net

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?