set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
• Copy and paste the following commands in the destination switch terminal window:
[edit]
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 999
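A consistency check for the source-switch statements in this example (added here; not from the Juniper guide). It confirms that every port-mirror-instance a filter references is defined, that its output VLAN exists and is carried by an interface, and lists the ports being mirrored. The function name audit_mirroring and the embedded sample, built from the commands on this page, are assumptions.

```python
import re

# Constructed sample: the source-switch statements from this example, in set format.
SOURCE_SWITCH = """\
set forwarding-options port-mirroring instance employee-web-monitor output vlan 999
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
"""

ESW = r"unit \d+ family ethernet-switching"


def audit_mirroring(config):
    """Return (mirrored, problems): mirrored maps interface -> instance name."""
    def find(pattern):
        return re.findall(pattern, config, re.MULTILINE)

    instances = dict(find(r"^set forwarding-options port-mirroring instance (\S+) output vlan (\S+)$"))
    vlans = dict(find(r"^set vlans (\S+) vlan-id (\d+)$"))  # name -> ID
    members = find(rf"^set interfaces (\S+) {ESW} vlan members (\S+)$")
    actions = find(r"^set firewall family ethernet-switching filter (\S+) term \S+ then port-mirror-instance (\S+)$")
    applied = find(rf"^set interfaces (\S+) {ESW} filter input (\S+)$")

    def vlan_id(ref):  # accept a VLAN name or a numeric ID
        return vlans.get(ref, ref)

    carried = {vlan_id(ref) for _, ref in members}
    mirrored, problems = {}, []
    for filt, inst in actions:
        if inst not in instances:
            problems.append(f"filter {filt}: instance {inst} is not defined")
            continue
        vid = vlan_id(instances[inst])
        if vid not in vlans.values():
            problems.append(f"instance {inst}: output VLAN {vid} is not defined")
        elif vid not in carried:
            problems.append(f"instance {inst}: no interface is a member of VLAN {vid}")
        for ifname, applied_filter in applied:
            if applied_filter == filt:
                mirrored[ifname] = inst
    return mirrored, problems


if __name__ == "__main__":
    ports, issues = audit_mirroring(SOURCE_SWITCH)
    print("mirrored ports:", ports)
    print("problems:", issues or "none")
```

Run it against the output of show configuration | display set to see which access ports are being mirrored and whether the mirror destination is fully defined.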
Step-by-Step Procedure
To configure port mirroring of all traffic from the two ports connected to employee
computers to the remote-analyzer VLAN for use from a remote monitoring station:
1. On the source switch:
a. Configure the employee-web-monitor port-mirroring instance:
[edit]
user@switch# set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
user@switch# set forwarding-options port-mirroring instance employee-web-monitor output vlan 999
b. Configure the VLAN ID for the remote-analyzer VLAN:
[edit vlans]
user@switch# set remote-analyzer vlan-id 999
c. Configure the interface to associate it with the remote-analyzer VLAN:
[edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
d. Configure the firewall filter called watch-employee:
[edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then port-mirror-instance employee-web-monitor
In this configuration, the employee-to-corp term accepts traffic with
destination address 192.0.2.16/28 and source address 192.0.2.16/28, letting
it pass through the switch, and the employee-to-web term sends traffic with
destination port 80 to the port-mirroring instance employee-web-monitor.
e. Apply the firewall filter to the employee interfaces:
[edit interfaces]
Copyright © 2016, Juniper Networks, Inc.
Port Mirroring Feature Guide for EX9200 Switches