Services on the QFX Series - Juniper.net
Chapter 4: Configuration Tasks

c. Specify the appropriate IP address or VLAN as the output (a VLAN is specified in this example):

[edit ethernet-switching-options]
user@switch# set analyzer analyzer-name output vlan (vlan-name | vlan-id)

If you specify an IP address as the output, note the following constraints:

• The address cannot be in the same subnetwork as any of the switch's management interfaces.
• If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).
• The analyzer device must be able to de-encapsulate GRE-encapsulated packets, or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer device. (You can use a network sniffer to de-encapsulate the packets.)

Filtering the Traffic Entering an Analyzer

In addition to specifying which traffic to mirror by configuring an analyzer, you can also use a firewall filter to exercise more control over which packets are copied. For example, you might use a filter to specify that only traffic from certain applications be mirrored. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. If you use the same analyzer in multiple filters or terms, the output packets are copied only once.

NOTE: You can include the action analyzer in ingress firewall filters only. You can apply ingress filters with this action to ports (Layer 2 interfaces), Layer 3 interfaces, and VLANs.

When you use a firewall filter as the input to an analyzer, you output the copied traffic to a local interface or a VLAN just as you do when a firewall filter is not involved.

To configure port mirroring with filters:

1. Configure an analyzer for local or remote analysis. Configure only the output. For example, for local analysis enter:

[edit ethernet-switching-options]
user@switch# set analyzer analyzer-name output interface interface-name

NOTE: Do not configure input to this analyzer.

2. Create a firewall filter using any of the available match conditions and specify the action as analyzer analyzer-name.

3. Apply the firewall filter to the interfaces or VLAN that should provide the input to the analyzer:
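The three steps above carried through end to end for local analysis, shown as an added example in Junos configuration-hierarchy form; it is not taken from the Juniper document. The analyzer name mirror-to-sensor, the filter name mirror-dns, the monitored port xe-0/0/1 and the sensor-facing port xe-0/0/47 are constructed placeholders, and the filter mirrors only DNS requests (UDP destination port 53) as a deliberately narrow example of application-level selection:

```junos
/* Step 1 (assumed names): an analyzer with an output only. No input is
   configured here, because the firewall filter below supplies the input. */
ethernet-switching-options {
    analyzer {
        mirror-to-sensor {
            output {
                interface {
                    /* port cabled to the monitoring sensor */
                    xe-0/0/47.0;
                }
            }
        }
    }
}

/* Step 2: a Layer 2 firewall filter whose matching term carries the
   action analyzer mirror-to-sensor. accept keeps the original packet
   flowing; analyzer adds the mirrored copy. The final term accepts all
   other traffic so that the filter's implicit discard does not drop
   packets that simply were not selected for mirroring. */
firewall {
    family ethernet-switching {
        filter mirror-dns {
            term dns-requests {
                from {
                    ip-protocol udp;
                    destination-port 53;
                }
                then {
                    accept;
                    analyzer mirror-to-sensor;
                }
            }
            term pass-everything-else {
                then accept;
            }
        }
    }
}

/* Step 3: apply the filter in the ingress (input) direction on the port
   whose traffic feeds the analyzer; the analyzer action is supported in
   ingress filters only. */
interfaces {
    xe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input mirror-dns;
                }
            }
        }
    }
}
```

After committing, show analyzer confirms the analyzer and its output. The same mirror-dns filter can be applied as an input filter on further ports or on a VLAN; because every term references the one analyzer, each selected packet is still copied only once. For remote analysis, replace the output interface with an output ip-address, keeping in mind the constraints listed earlier: the address must not lie in a management-interface subnetwork, it is reached through the default instance (inet.0), and the receiving device must strip the GRE encapsulation itself or have it stripped upstream.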
Copyright © 2013, Juniper Networks, Inc.
25