Services on the QFX Series - Juniper.net

More documents

Recommendations

Info

<strong>Services</strong> on the QFX Series [edit ethernet-switching-options] user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name NOTE: If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs. If you do so, some VLAN packets might contain incorrect VLAN IDs. NOTE: If you configure mirroring for packets that egress an access interface, the original packets lose any VLAN tags when they exit the access interface, but the mirrored (copied) packets retain the VLAN tags when they are sent to the analyzer system. 2. If you want to specify that all traffic entering a VLAN should be mirrored, choose a name for the port-mirroring configuration and specify the VLAN: [edit ethernet-switching-options] user@switch# set analyzer analyzer-name input ingress vlan vlan-name NOTE: You cannot configure port mirroring to copy traffic that egresses a VLAN. 3. Configure the destination interface for the mirrored packets: Configuring Port Mirroring for Remote Analysis [edit ethernet-switching-options] user@switch# set analyzer analyzer-name output interface interface-name To mirror traffic to a VLAN for analysis at a remote location: 1. Configure a VLAN to carry the mirrored traffic: [edit] user@switch# set vlans vlan-name vlan-id number 2. Configure the interface that connects to another switch (the uplink interface) to trunk mode and associate it with the appropriate VLAN: [edit] user@switch# set interfaces interface-name unit 0 family ethernet-switching port-mode trunk vlan members (vlan-name | vlan-id) 3. Configure the analyzer: a. Choose a name for the analyzer: [edit ethernet-switching-options] user@switch# set analyzer analyzer-name b. Specify the interface to be mirrored and whether the traffic should be mirrored on ingress or egress: [edit ethernet-switching-options] user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name 24 Copyright © 2013, Juniper Networks, Inc.
Chapter 4: Configuration Tasks c. Specify the appropriate IP address or VLAN as the output (a VLAN is specified in this example: [edit ethernet-switching-options] user@switch# set analyzer analyzer-name output vlan (vlan-name | vlan-id) If you specify an IP address as the output, note the following constraints: • The address cannot be in the same subnetwork as any of the switch’s management interfaces. • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table). • The analyzer device must be able to de-encapsulate GRE-encapsulated packets, or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer device. (You can use a network sniffer to de-encapsulate the packets.) Filtering the Traffic Entering an Analyzer In addition to specifying which traffic to mirror by configuring an analyzer, you can also use a firewall filter to exercise more control over which packets are copied. For example, you might use a filter to specify that only traffic from certain applications be mirrored. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. If you use the same analyzer in multiple filters or terms, the output packets are copied only once. NOTE: You can include the action analyzer in ingress firewall filters only. You can apply ingress filters with this action to ports (Layer 2 interfaces), Layer 3 interfaces, and VLANs. When you use a firewall filter as the input to an analyzer, you output the copied traffic to a local interface or a VLAN just as you do when a firewall is not involved. To configure port mirroring with filters: 1. Configure an analyzer for local or remote analysis. Configure only the output. For example, for local analysis enter: [edit ethernet-switching-options] user@switch# set analyzer analyzer-name output interface interface-name NOTE: Do not configure input to this analyzer. 2. Create a firewall filter using any of the available match conditions and specify the action as analyzer analyzer-name. 3. Apply the firewall filter to the interfaces or VLAN that should provide the input to the analyzer: Copyright © 2013, Juniper Networks, Inc. 25
Page 1 and 2: Services on the QF
Page 3 and 4: Table of Contents About the Documen
Page 5 and 6: Table of Contents Part 3 Administra
Page 7 and 8: List of Figures Part 2 Configuratio
Page 9 and 10: List of Tables About the Documentat
Page 11 and 12: About the Documentation Documentati
Page 13 and 14: About the Documentation [edit] user
Page 15 and 16: About the Documentation https://www
Page 17 and 18: PART 1 Overview • Port Mirroring
Page 19 and 20: CHAPTER 1 Port Mirroring Understand
Page 21 and 22: Chapter 1: Port Mirroring Table 3:
Page 23 and 24: Chapter 1: Port Mirroring • CPU-g
Page 25 and 26: CHAPTER 2 DHCP Relay DHCP and BOOTP
Page 27 and 28: PART 2 Configuration • Configurat
Page 29 and 30: CHAPTER 3 Configuration Examples
Page 31 and 32: Chapter 3: Configuration Examples u
Page 33 and 34: Chapter 3: Configuration Examples V
Page 35 and 36: Chapter 3: Configuration Examples S
Page 37 and 38: Chapter 3: Configuration Examples }
Page 39: CHAPTER 4 Configuration Tasks Confi
Page 43 and 44: Chapter 4: Configuration Tasks rela
Page 45 and 46: CHAPTER 5 Configuration Statements
Page 47 and 48: Chapter 5: Configuration Statements
Page 85 and 86: PART 3 Administration • Monitorin
Page 87 and 88: CHAPTER 8 Monitoring Commands for P
Page 89 and 90: Chapter 8: Monitoring Commands for
Page 91 and 92:
PART 4 Troubleshooting • Troubles
Page 93 and 94:
CHAPTER 9 Troubleshooting Procedure
Page 95 and 96:
Chapter 9: Troubleshooting Procedur
show all

Services on the QFX Series - Juniper.net

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?