
Configuring Protocol-Independent Firewall Filter for Port Mirroring

On MX Series routers with MPCs, you can configure a firewall filter to mirror Layer 2 and Layer 3 packets at a global level and at an instance level. When port mirroring is configured at ingress or egress, each packet entering or exiting the interface is copied, and the copies are sent to a local interface for local monitoring.

Typically, the firewall filter is configured so that it mirrors either Layer 2 or Layer 3 packets, depending on the family configured on the interface. However, in the case of an integrated routing and bridging (IRB) interface, Layer 2 packets are not completely mirrored, because IRB interfaces are configured to mirror only Layer 3 packets. On such an interface, you can configure the firewall filter and the port mirroring parameters under family any to ensure that a packet is completely mirrored, irrespective of whether it is a Layer 2 or a Layer 3 packet.

  • For port mirroring at an instance, you can configure one or more families such as inet, inet6, ccc, and vpls simultaneously for the same instance.
  • In the case of Layer 2 port mirroring, VLAN tags and MPLS headers are retained and can be seen in the mirrored copy at egress.
  • For VLAN normalization, the information before normalization is seen for a mirrored packet at ingress. Similarly, at egress, the information after normalization is seen for the mirrored packet.

Before you begin configuring port mirroring, you must configure valid physical interfaces.

To configure a protocol-independent firewall filter for port mirroring:

  1. Configure a global firewall filter for port-mirroring egress or ingress traffic.
    [edit firewall family any]
    filter filter-name {
        term term-name {
            then {
                port-mirror;
                accept;
            }
        }
    }
  2. Configure a firewall filter to port-mirror traffic for an instance.
    [edit firewall family any]
    filter filter-name {
        term term-name {
            then {
                port-mirror-instance instance-name;
                accept;
            }
        }
    }
  3. Configure port mirroring parameters for egress and ingress traffic.
    [edit forwarding-options port-mirroring]
    input {
        maximum-packet-length bytes;
        rate rate;
    }
    family any {
        output {
            (next-hop-group group-name | interface interface-name);
        }
    }
  4. Configure port mirroring parameters for an instance. In this configuration, you can specify the output or destination for the Layer 2 packets to be either a valid next-hop group or a Layer 2 interface.
    [edit forwarding-options port-mirroring]
    instance instance-name {
        family any {
            output {
                (next-hop-group group-name | interface interface-name);
            }
        }
    }
  5. Configure the firewall filter at the ingress or egress interface on which the packets are transmitted. A protocol-independent (family any) filter is applied directly under the logical unit, not under a protocol family.
    [edit interfaces interface-name unit logical-unit-number]
    filter {
        input filter-name;
        output filter-name;
    }
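The five steps above combined into one complete configuration, written as an added example that is not part of the original page and not a Juniper-supplied sample. Every name and value in it is an assumption chosen for illustration: the filter names pm-any and pm-any-inst, the term name t1, the instance name pm-l2, the monitoring interfaces ge-0/0/2.0 and ge-0/0/3.0, the monitored interfaces irb.100 and ge-0/0/1.0, and the input parameters (rate 1, maximum-packet-length 128). The example covers both the global case (filter pm-any on the IRB unit, so Layer 2 and Layer 3 packets are mirrored alike) and the instance case (filter pm-any-inst on a Layer 2 port, sending copies to the instance's own output).

```junos
/* Added example; all names and values are assumptions, not from the page. */
firewall {
    family any {
        /* Step 1: global filter. No match conditions, so every packet on the
           interface it is applied to is copied to the global output. */
        filter pm-any {
            term t1 {
                then {
                    port-mirror;
                    accept;
                }
            }
        }
        /* Step 2: instance-bound filter. Copies go to instance pm-l2 (assumed name). */
        filter pm-any-inst {
            term t1 {
                then {
                    port-mirror-instance pm-l2;
                    accept;
                }
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        /* Step 3: global input parameters (assumed values). rate 1 mirrors every
           packet; maximum-packet-length 128 truncates each copy to 128 bytes, so the
           monitoring link carries headers rather than full payloads. */
        input {
            maximum-packet-length 128;
            rate 1;
        }
        /* Step 3: global destination, a Layer 2 monitoring interface (assumed). */
        family any {
            output {
                interface ge-0/0/2.0;
            }
        }
        /* Step 4: instance with its own Layer 2 destination (assumed). */
        instance pm-l2 {
            family any {
                output {
                    interface ge-0/0/3.0;
                }
            }
        }
    }
}
interfaces {
    /* Step 5: the family-any filter sits directly under the unit, not under a
       family statement. On the IRB unit this is what makes Layer 2 packets
       mirror completely, as the page describes. */
    irb {
        unit 100 {
            filter {
                input pm-any;
            }
        }
    }
    /* Step 5, instance case: mirror egress traffic of a Layer 2 port into pm-l2. */
    ge-0/0/1 {
        unit 0 {
            filter {
                output pm-any-inst;
            }
        }
    }
}
```

Two checks a practitioner would want before committing: the output interfaces (ge-0/0/2.0 and ge-0/0/3.0 here) must themselves be configured as Layer 2 interfaces, as step 4 on the page requires, and that Layer 2 configuration is not shown above; and because mirrored copies retain VLAN tags and MPLS headers and may carry payload, the output interface should be a dedicated monitoring port rather than one that also carries production traffic.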

Published: 2013-07-18