7. Specify Layer 2 port mirroring or a next-hop group as the action-modifier:

   • To reference the Layer 2 port mirroring properties currently in effect for the Packet
     Forwarding Engine or PIC associated with the underlying physical interface, use the
     port-mirror statement:

         [edit firewall family family filter pm-filter-name term pm-filter-term-name then]
         user@host# set port-mirror

   • To reference the Layer 2 port mirroring properties configured in a specific named
     instance, use the port-mirror-instance pm-instance-name action modifier:

         [edit firewall family family filter pm-filter-name term pm-filter-term-name then]
         user@host# set port-mirror-instance pm-instance-name

     If the underlying physical interface is not bound to a named instance of Layer 2 port
     mirroring but instead is implicitly bound to the global instance of Layer 2 port
     mirroring, then traffic at the logical interface is mirrored according to the properties
     specified in the named instance referenced by the port-mirror-instance action
     modifier.

   • To reference a next-hop group that specifies the next-hop addresses (for sending
     additional copies of packets to an analyzer), use the
     next-hop-group pm-next-hop-group-name action modifier:

         [edit firewall family family filter pm-filter-name term pm-filter-term-name then]
         user@host# set next-hop-group pm-next-hop-group-name

     For configuration information about next-hop groups, see “Defining a Next-Hop
     Group for Layer 2 Port Mirroring” on page 72. If you specify a next-hop group for
     Layer 2 port mirroring, the firewall filter term applies to the tunnel interface input
     only.
8. Verify the minimum configuration of the Layer 2 port-mirroring firewall filter:

       [edit firewall ... ]
       user@host# top
       [edit]
       user@host# show firewall
       family (ethernet-switching | ccc | vpls) { # Type of packets to mirror
           filter pm-filter-name { # Firewall filter name
               term pm-filter-term-name {
                   from { # Do not specify match conditions based on route source address
                   }
                   then {
                       action; # Recommended action is 'accept'
                       action-modifier; # Three options for Layer 2 port mirroring
                   }
               }
           }
       }

   In the firewall filter term then statement, the action-modifier can be port-mirror,
   port-mirror-instance pm-instance-name, or next-hop-group pm-next-hop-group-name.
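
An added example, not taken from the Juniper guide: a Python audit of saved show firewall output that lists every term in an ethernet-switching, ccc or vpls filter that mirrors traffic and flags deviations from the minimum configuration in step 8. The filter, term, instance and group names and the sample output are constructed, and treating any from match whose name ends in source-address as the kind the comment warns about is an assumption.

```python
import re
MIRROR_FAMILIES = {"ethernet-switching", "ccc", "vpls"}  # families named in step 8
MODIFIERS = {"port-mirror", "port-mirror-instance", "next-hop-group"}

def parse(text):
    """Brace-style Junos output -> nested dicts; a leaf statement maps to None."""
    node, stack, words = {}, [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)):
        if tok in ("{", ";"):
            key, words = " ".join(words), []
            if tok == "{":
                stack.append(node)
                node = node.setdefault(key, {})
            else:
                node[key] = None
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return node

def stmts(term, name):
    """Statements under `name`, given as a block or inline ('then accept;')."""
    inline = [k[len(name) + 1:] for k, v in term.items() if v is None and k.startswith(name + " ")]
    return list(term.get(name) or {}) + inline

def mirroring_terms(text):
    """Yield (family/filter/term, modifiers, warnings) for each term that mirrors traffic."""
    cfg = parse(text)
    for fam in sorted(MIRROR_FAMILIES):
        for flt, terms in (cfg.get("family " + fam) or {}).items():
            for key, term in (terms or {}).items():
                then = [s.split() for s in stmts(term or {}, "then")]
                mods = [" ".join(s) for s in then if s[0] in MODIFIERS]
                warn = []
                if ["accept"] not in then:
                    warn.append("no explicit 'accept' action")
                # Assumption: a 'from' match ending in source-address is the kind to avoid.
                if any(s.split()[0].endswith("source-address") for s in stmts(term or {}, "from")):
                    warn.append("matches on source address")
                if mods:  # terms that do not mirror are skipped
                    yield (f"{fam}/{flt.split()[-1]}/{key.split()[-1]}", mods, warn)

# Constructed `show firewall` output; every name and address below is made up.
SAMPLE = """family vpls { filter pm-filter {
    term mirror-ok { then { accept; port-mirror-instance pm-inst-1; } }
    term mirror-risky { from { ip-source-address 192.0.2.0/24; } then next-hop-group pm-nhg-1; }
    term rest { then accept; }
} }"""
```

Calling list(mirroring_terms(SAMPLE)) gives an inventory of what is being copied and to which instance or next-hop group, which is the part of a filter worth reviewing whenever mirroring configuration changes.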
Copyright © 2016, Juniper Networks, Inc.
Chapter 7: Port Mirroring for Logical interfaces