Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Port mirroring and ingress filtering to "discard"

    Posted 08-31-2010 18:10

    I want to set up an analyzer to capture ingress traffic from all IP addresses arriving on the port *except* for one subnet. I have limited means to test this in a non-production network. So:

    set ethernet-switching-options analyzer copysense input ingress interface ge-0/0/45.0
    set ethernet-switching-options analyzer copysense output interface ge-0/0/47.0

    Now for the filter. This seems intuitive:

    set firewall family ethernet-switching filter dont-mirror-core term notcore from source-address 149.137.1.0/24
    set firewall family ethernet-switching filter dont-mirror-core term notcore then discard
    set firewall family ethernet-switching filter dont-mirror-core term sendtocopysense then analyzer copysense

    BUT - won't having the "discard" term in there before the "then analyzer" term discard all 149.137.1.0/24 packets on ingress, even those that need to be forwarded on to their normal destination port?

    So - I need to figure out a way to do this without any "discard" actions, is that correct? Then, you would use a first term that accepts 149.137.1.0/24 but does nothing, and then a second term that catches everything else:

    set firewall family ethernet-switching filter dont-mirror-core term notcore from source-address 149.137.1.0/24
    set firewall family ethernet-switching filter dont-mirror-core term notcore then accept
    set firewall family ethernet-switching filter dont-mirror-core term sendtocopysense then analyzer copysense

    I think I can test this latter one without too much risk of shutting off our "core"....

  • 2.  RE: Port mirroring and ingress filtering to "discard"
    Best Answer

    Posted 09-01-2010 09:12

    Hi W Sanders,

    I am not a switching expert, but if you want to "see" all the traffic except one subnet, you can configure this filter:

        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                    149.137.1.0/24 except;
                }
            }
        }

    HTH,

    Manuel



  • 3.  RE: Port mirroring and ingress filtering to "discard"

    Posted 09-02-2010 17:17

    Thanks - I did not know about "except". It is not presented as a completion option in the set command. Perhaps because it may not be supported in EX-land (or all of EX-land):

    [edit firewall family ethernet-switching]
    wms2@ccf-dmz1# show
    filter dont-mirror-core {
        term notcore {
            from {
                source-address {
                    0.0.0.0/0;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex3200-48t)
                    ##
                    149.137.1.0/24 except;
                }
            }
            then {
                discard;
                count notcore;
            }
        }
        term sendtocopysense {
            then {
                analyzer copysense;
                count sendtocopysense;

    I suppose the competition has a patent on the word "not"....
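The following is an added walk-through, not code from any of the posts above and not Junos itself: a small Python model of how a Junos-style firewall filter evaluates its terms in order, run over the three filter variants discussed in this thread (the first-attempt "discard" term, the "accept" term, and the "except" approach) plus a fourth case that reflects the "statement ignored" warning from the ex3200 output. The model assumes the usual Junos rules: the first term whose "from" clause matches decides; in a prefix list with "except" entries the longest matching prefix wins, and an "except" prefix means no match; "accept" and "discard" terminate while "analyzer" is an action modifier on an otherwise accepting term; and a packet that matches no term hits the filter's implicit discard. The sample source addresses, the term named "allow-rest", and the analyzer name are constructed for the example.

```python
"""Model of Junos-style firewall filter term evaluation (constructed example).

Assumptions (see lead-in): first matching term wins; longest prefix decides
within a prefix list and an 'except' prefix means no match; 'accept'/'discard'
terminate; 'analyzer' is a modifier on an accepting term; implicit discard at
the end of the filter.
"""
import ipaddress

CORE = "149.137.1.0/24"           # the subnet the original poster wants to exclude


def prefix_list_matches(prefixes, addr):
    """prefixes: list of (network, is_except). Longest matching prefix decides."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net_str, is_except in prefixes:
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def evaluate(terms, src):
    """Return {'forwarded', 'mirrored', 'term'} for a packet with source src."""
    for term in terms:
        prefixes = term.get("source_address")
        if prefixes is not None and not prefix_list_matches(prefixes, src):
            continue                          # 'from' clause did not match; next term
        actions = term.get("then", [])
        return {
            "forwarded": "discard" not in actions,   # no terminating action => accept
            "mirrored": "analyzer" in actions,       # sent to the analyzer port
            "term": term["name"],
        }
    # No term matched: Junos applies an implicit discard at the end of the filter.
    return {"forwarded": False, "mirrored": False, "term": None}


# Variant 1 (original post, first attempt): core subnet hits 'discard'.
FILTER_DISCARD = [
    {"name": "notcore", "source_address": [(CORE, False)], "then": ["discard"]},
    {"name": "sendtocopysense", "then": ["analyzer"]},
]

# Variant 2 (original post, second attempt): core subnet is accepted, not mirrored.
FILTER_ACCEPT = [
    {"name": "notcore", "source_address": [(CORE, False)], "then": ["accept"]},
    {"name": "sendtocopysense", "then": ["analyzer"]},
]

# Variant 3 (reply 2): 0.0.0.0/0 with the core subnet as 'except', mirrored;
# the trailing 'allow-rest' term is an assumption added so the excluded subnet
# does not fall through to the implicit discard.
FILTER_EXCEPT = [
    {"name": "1", "source_address": [("0.0.0.0/0", False), (CORE, True)],
     "then": ["analyzer"]},
    {"name": "allow-rest", "then": ["accept"]},
]

# Variant 4 (reply 3's warning): the 'except' statement is ignored by the platform,
# so only 0.0.0.0/0 remains in a term whose action is still 'discard'.
FILTER_EXCEPT_IGNORED = [
    {"name": "notcore", "source_address": [("0.0.0.0/0", False)], "then": ["discard"]},
    {"name": "sendtocopysense", "then": ["analyzer"]},
]

# Constructed sample sources: one inside the excluded subnet, one outside it.
SAMPLE_SOURCES = ["149.137.1.10", "10.20.30.40"]


def run(terms):
    """Evaluate every sample source against a filter; returns {src: result}."""
    return {src: evaluate(terms, src) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for label, terms in [("discard", FILTER_DISCARD), ("accept", FILTER_ACCEPT),
                         ("except", FILTER_EXCEPT), ("except ignored", FILTER_EXCEPT_IGNORED)]:
        print(f"{label:15s} {run(terms)}")
```

Running it shows the point raised in the first post: with the discard variant the 149.137.1.0/24 packet is dropped outright, while the accept variant forwards it unmirrored and mirrors everything else. It also shows two caveats worth checking before applying the "except" form: without a final accept term the excluded subnet matches no term and hits the implicit discard, and if the platform ignores the "except" line (as in the ex3200 warning) a term that still ends in "discard" drops every source.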