Filtering The Traffic Entering An Analyzer - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

Copyright © 2010, Juniper Networks, Inc.
When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer.
You can use this to reduce the volume of mirrored traffic as a very high volume of
mirrored traffic can be performance intensive for the switch.

Filtering the Traffic Entering an Analyzer

To filter which packets are mirrored to an analyzer, create the analyzer and then use it
as the action in the firewall filter. You can use firewall filters in both local and remote
port mirroring configurations.
If the same analyzer is used in multiple filters or terms, the packets are copied to the
analyzer output port or analyzer VLAN only once.
To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can
use any of the available match conditions and must have an action of
. The action of the firewall filter provides the input to the analyzer.
analyzer-name
To configure port mirroring with filters:
Configure the analyzer name (here,
1.
For local analysis, set the output to the local interface to which you will connect
a.
the computer running the protocol analyzer application:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
For remote analysis, set the loss priority to high and set the output to the
b.
remote-analyzer VLAN:
[edit ethernet-switching-options]
user@switch# set analyzer employee–monitor loss-priority high output vlan 999
Create a firewall filter using any of the available match conditions and specify the
2.
action as
analyzer employee-monitor
This step shows a firewall filter called
Create the first term to define the traffic that should not pass through to the
a.
analyzer:
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term no-analyzer from source-address ip–address
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term no-analyzer from destination-address
ip-address
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term no-analyzer then accept
Create the second term to define the traffic that should pass through to the
b.
analyzer:
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term to-analyzer from destination-port 80
[edit firewall family ethernet-switching]
) and the output:
employee-monitor
:
, with two terms:
example-filter
Chapter 138: Port Mirroring
analyzer
3851