Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS System Management and Monitoring User Guide Manage and Monitor

System Management and Monitoring User Guide

keyboard_arrow_up
close
keyboard_arrow_left
System Management and Monitoring User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Passive Monitoring

date_range 15-Dec-23
arrow_backward
arrow_forward

Understanding Passive Monitoring

Passive monitoring is a type of network monitoring used to passively capture traffic from monitoring interfaces. When you enable passive monitoring, the device accepts and monitors traffic on the interface and forwards the traffic to monitoring tools like IDS servers and packet analyzers, or other devices such as routers or end node hosts.

Passive Monitoring Benefits

  • Provides filtering capabilities for monitoring ingress and egress traffic at the Internet point of presence (PoP) where security networks are attached.

Guidelines for Configuring Passive Monitoring

  • You can only configure passive monitoring at the interface level. Configuration per VLAN or logical interface is not supported.

  • A passive monitoring interface cannot be an aggregated Ethernet (AE) interface.

  • Monitoring tools or devices must be directly connected to the switch or router.

  • Packets with more than two MPLS labels and more than two VLAN tags are dropped.

  • Exception packets such as IP packet options, router alert, and TTL expiry packets are treated as regular traffic.

  • Ethernet encapsulation is not supported.

  • MPLS family is supported on the PTX10001-36MR, PTX10004, and PTX10008 routers.

  • Link Aggregation Control Protocol (LACP) is not supported on the AE bundle connected to the monitoring tool or device.

Example: Configuring Passive Monitoring

This example shows how to configure passive monitoring on QFX10000 switches.

Requirements

This example uses the following hardware and software components:

  • Two routers (R1 and R2)

  • One QFX10002 switch

  • Two devices, directly connected to the switch

  • Junos OS Release 18.4R1 or later

Overview

This example describes how to configure passive monitoring on the switch.

In Figure 1, et-0/0/2 and et-0/0/4 are configured as passive monitoring interfaces. Packets coming into the network are exchanged between Router 1 (R1) and Router 2 (R2) in two directions (R1 to R2, R2 to R1) and are sent to the monitored interfaces. When traffic is received, a firewall filter transfers all packets to a routing instance and forwards the packets to the monitoring tools. The interfaces are then grouped into a single logical interface, known as a link aggregation group (LAG) or AE bundle. This enables the traffic to be evenly distributed across the monitoring tools effectively increasing the uplink bandwidth. If one interface fails, the bundle continues to carry traffic over the remaining interfaces.

Optionally, you can apply symmetric hashing over the passive monitor interfaces for load balancing traffic to the monitoring tools. This allows ingress and egress traffic of the same flow to be sent out through the same monitored interface. To configure symmetric hashing, include the no-incoming-port option under the [edit forwarding-options enhanced-hash-key] hierarchy. Symmetric hashing is enabled and disabled at the global level only. Per protocol hashing is not supported.

Topology

Figure 1: Passive Monitoring Topology Passive Monitoring Topology

Configuration

The following example requires you to navigate various levels in the CLI hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
set interfaces et-0/0/2 passive-monitor-mode
set interfaces et-0/0/2 unit 0 family inet filter input pm
set interfaces et-0/0/4 passive-monitor-mode
set interfaces et-0/0/4 unit 0 family inet filter input pm1 
set firewall family inet filter pm1 term t1 from interface et-0/0/4.0
set firewall family inet filter pm1 term t1 then count c1 
set firewall family inet filter pm1 term t1 then routing-instance pm_inst
set firewall family inet filter pm term t1 from interface et-0/0/2.0
set firewall family inet filter pm term t1 then count c3 
set firewall family inet filter pm term t1 then routing-instance pm_inst
set routing-instances pm_inst instance-type virtual-router 
set routing-instances pm_inst interface ae0.0 
set routing-instances pm_inst routing-options static route 0.0.0.0/0 next-hop 198.51.100.1 
set interfaces xe-0/0/9:0 ether-options 802.3ad ae0
set interfaces xe-0/0/9:1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 198.51.100.2/24 arp 198.51.100.1 mac 00:10:94:00:00:05 
set routing-instances pm_inst interface ae0.0 
set forwarding-options enhanced-hash-key inet no-incoming-port

Configuring Passive Monitoring

Step-by-Step Procedure

To configure passive monitoring:

  1. Configure passive-monitor mode on the switch interfaces:

    content_copy zoom_out_map
    [edit]]
user@switch# 
set interfaces et-0/0/2 passive-monitor-mode
set interfaces et-0/0/2 unit 0 family inet filter input pm
set interfaces et-0/0/4 passive-monitor-mode
set interfaces et-0/0/4 unit 0 family inet filter input pm1

  2. Configure a family inet firewall filter on the passive monitor interfaces to forward the traffic to a routing instance. Supported filter actions are accept, reject, count, routing-instance.

    content_copy zoom_out_map
    [edit]
user@switch#
set firewall family inet filter pm1 term t1 from interface et-0/0/4.0
set firewall family inet filter pm1 term t1 then count c1 
set firewall family inet filter pm1 term t1 then routing-instance pm_inst
set firewall family inet filter pm term t1 from interface et-0/0/2.0
set firewall family inet filter pm term t1 then count c3 
set firewall family inet filter pm term t1 then routing-instance pm_inst

  3. Create a routing-instance with a static route that points to the devices.

    content_copy zoom_out_map
    [edit]
user@switch#
set routing-instances pm_inst instance-type virtual-router 
set routing-instances pm_inst interface ae0.0 
set routing-instances pm_inst routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

  4. Configure an AE bundle on the passive monitoring interfaces.

    content_copy zoom_out_map
    [edit]
user@switch#
set interfaces xe-0/0/9:0 ether-options 802.3ad ae0
set interfaces xe-0/0/9:1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 198.51.100.2/24 arp 198.51.100.1 mac 00:10:94:00:00:05
set routing-instances pm_inst interface ae0.0

  5. (Optional) Configure symmetric hashing.

    content_copy zoom_out_map
    [edit]
user@switch#
set forwarding-options enhanced-hash-key inet no-incoming-port

  6. From configuration mode, confirm your configuration by entering the show interfaces command. If the command output does not display the intended configuration, repeat the instructions in this example to correct it.

  7. If you are done configuring the interfaces, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verify the Passive Monitoring Configuration

Purpose

Verify that passive monitoring is working on the interfaces. If the interface output shows No-receive and No-transmit, this means that passive monitoring is working.

Action

From operational mode, enter the show interfaces command to view the passive monitoring interfaces.

content_copy zoom_out_map
user@host> show interfaces et-0/0/2
Physical interface: et-0/0/2, Enabled, Physical link is Up
  Interface index: 146, SNMP ifIndex: 515
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 40Gbps, BPDU Error: None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None,
  Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media type: Fiber
  Device flags   : Present Running
  Interface flags: SNMP-Traps No-receive No-transmit Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 3c:61:04:75:3c:5d, Hardware address: 3c:61:04:75:3c:5d
  Last flapped   : 2018-05-17 11:19:05 PDT (00:17:55 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  PCS statistics                      Seconds
    Bit errors                             0
    Errored blocks                         0
  Ethernet FEC Mode  :                   NONE
  Ethernet FEC statistics              Errors
    FEC Corrected Errors                    0
    FEC Uncorrected Errors                  0
    FEC Corrected Errors Rate               0
    FEC Uncorrected Errors Rate             0
  PRBS Statistics : Disabled
  Interface transmit statistics: Disabled

user@host show interfaces et-0/0/4
Physical interface: et-0/0/4, Enabled, Physical link is Up
  Interface index: 146, SNMP ifIndex: 515
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 40Gbps, BPDU Error: None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None,
  Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media type: Fiber
  Device flags   : Present Running
  Interface flags: SNMP-Traps No-receive No-transmit Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 3c:61:04:75:3c:5d, Hardware address: 3c:61:04:75:3c:5d
  Last flapped   : 2018-05-17 11:19:05 PDT (00:18:17 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  PCS statistics                      Seconds
    Bit errors                             0
    Errored blocks                         0
  Ethernet FEC Mode  :                   NONE
  Ethernet FEC statistics              Errors
    FEC Corrected Errors                    0
    FEC Uncorrected Errors                  0
    FEC Corrected Errors Rate               0
    FEC Uncorrected Errors Rate             0
  PRBS Statistics : Disabled
  Interface transmit statistics: Disabled

Verify Symmetric Hashing

Purpose

Verify the output for symmetric hashing. The incoming port fields for inet,inet6 and L2 should all be set to No.

Action

From configuration mode, enter the show forwarding-options enhanced-hash-key command.

content_copy zoom_out_map
Slot 0


Seed value for Hash function           0: 3626023417
Seed value for Hash function           1: 3626023417
Seed value for Hash function           2: 3626023417
Seed value for Hash function           3: 3626023417

    Inet settings:
    --------------
        IPV4 dest address:    Yes
        IPV4 source address:  Yes
        L4 Dest Port:         Yes
        L4 Source Port:       Yes
	Incoming port:        No
    Inet6 settings:
    --------------
        IPV6 dest address:    Yes
        IPV6 source address:  Yes
        L4 Dest Port:         Yes
        L4 Source Port:       Yes
	Incoming port:        No
    L2 settings:
    ------------
        Dest Mac address:    No
        Source Mac address:  No
        Vlan Id:             Yes
        Inner-vlan Id:       No
        Incoming port:       No
    GRE settings:
    -------------
        Key:                 No
        Protocol:            No
    MPLS settings:
    --------------
    MPLS Enabled:   	    Yes
 
    VXLAN settings:
    ---------------
        VXLAN VNID:          No

Sample Configuration for PTX10001-36MR, PTX10004, and PTX10008 Routers

The following is a sample configuration for the PTX10001-36MR, PTX10004, and PTX10008 routers with family mpls support.

content_copy zoom_out_map

set interfaces et-0/0/13 passive-monitor-mode
set interfaces et-0/0/13 passive-monitor-mode
set interfaces et-0/0/13 unit 0 family inet filter input ipv4pmFilter
set interfaces et-0/0/13 unit 0 family inet6 filter input ipv6pmFilter
set interfaces et-0/0/13 unit 0 family mpls filter input mplspmFilter
set interfaces et-0/0/5 ether-options 802.3ad ae0
set interfaces et-0/0/7 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 192.168.1.1/24 arp 192.168.1.10 mac 00:00:00:11:11:11
set interfaces ae0 unit 0 family inet6 address 2001:db8:1::1/64 ndp 2001:db8:1::10 mac 00:00:00:11:11:11
set routing-instances pm_inst routing-options rib pm_inst.inet6.0 static route 0::0/0 next-hop 2001:db8:1::10
set routing-instances pm_inst routing-options static route 0.0.0.0/0 next-hop 192.168.1.10
set routing-instances pm_inst instance-type virtual-router
set routing-instances pm_inst interface ae0.0
set firewall family inet filter ipv4pmFilter term t1 then count C1
set firewall family inet filter ipv4pmFilter term t1 then routing-instance pm_inst
set firewall family inet6 filter ipv6pmFilter term t2 then count C2
set firewall family inet6 filter ipv6pmFilter term t2 then routing-instance pm_inst
set firewall family mpls filter ipv4pmfilter term t1 then count C1
set firewall family mpls filter ipv4pmfilter term t1 then routing-instance pm_inst
set firewall family mpls filter ipv4pmfilter term t1 from ip-version ipv4 ip-protocol-except 255
set firewall family mpls filter ipv6pmfilter term t2 then count C2
set firewall family mpls filter ipv6pmfilter term t2 then routing-instance pm_inst
set firewall family mpls filter ipv6pmfilter term t2 from ip-version ipv6 next-header-except 255

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
18.4R1
Starting in Junos OS Release 18.4R1, passive monitoring is supported on QFX10000 switches.
18.4R1
Starting in Junos OS Evolved 19.4R1, passive monitoring is supported on PTX10003 routers.
arrow_backward PREVIOUS Device Monitoring
NEXT arrow_forward How to Locate a Device or Port Using the Chassis Beacon
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top