Ethernet Switching

determine a specific traffic on ex9200

10-07-2019 08:16 PM

Hi all,

How do I determine that transit traffic sourced from 2.2.2.2 and destined to 1.1.1.1 comes into the EX9200, and from which interface of the EX9200 it leaves? Any idea? I know on the SRX this can be achieved with >sh sec flo ses so-pre des-pre etc... But on the EX, honestly no idea? Shouldn't be difficult?


Re: determine a specific traffic on ex9200

10-07-2019 08:34 PM

Coming into the EX9200 and leaving sounds like transit traffic, for which you will need to port mirror the traffic.

Or if it's just to know the source and destination interfaces, try using show route source-gateway to fetch the source address info and show route <destination-ip> to know the possible outgoing interface.

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-route-source...

/Karan Dhanak
# Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: determine a specific traffic on ex9200

10-07-2019 08:41 PM

There is no chance for port mirroring... how about traceoptions or pcap? If so, can you provide a workable config?

With the command >show route forwarding-table destination <destIP> I found the irb interface.

But I need to capture some interesting traffic that is traversing the EX9200...

Re: determine a specific traffic on ex9200

10-07-2019 08:50 PM

Traceoptions and pcap are from the RE point of view, meaning traffic towards its local interface, uplifted to/from the RE, not the transit traffic.

To capture interesting traffic, you will need to perform port mirroring.

/Karan Dhanak
# Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: determine a specific traffic on ex9200

10-08-2019 01:06 AM

Hi,

An option might be applying ingress/egress filters on the interfaces of interest to match those src & dst criteria.

Any hits on the firewall filters would indicate that the specific traffic is going through those interfaces.

The knob 'interface-specific' can be used in the filter.

Possible example:

interface-specific;
term t1 {
    from {
        ip-source-address {
            2.2.2.2/32;
        }
        ip-destination-address {
            1.1.1.1/32;
        }
    }
    then {
        count test;
        accept;
    }
}
term explicit-accept-all {
    then accept;
}

Hope this helps.

Cheers, 

Ashvin

Re: determine a specific traffic on ex9200

10-08-2019 01:58 AM

Hi,

You may try this option,
set firewall family inet filter default term 1 from source-address 2.2.2.0/30
set firewall family inet filter default term 1 from destination-address 1.1.1.1/32
set firewall family inet filter default term 1 then syslog
set firewall family inet filter default term 1 then accept

set system syslog file messages firewall any


You can see the interesting traffic in the messages log file.

Example log:

fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0 A 0800 00:00:06:00:03:00 -> 10:0e:7e:3f:b8:72 255 2.2.2.2 1.1.1.1 0 0 (626 packets)
fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0 A 0800 00:00:06:00:03:00 -> 10:0e:7e:3f:b8:72 255 2.2.2.2 1.1.1.1 0 0 (629 packets)
fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0 A 0800 00:00:06:00:03:00 -> 10:0e:7e:3f:b8:72 255 2.2.2.2 1.1.1.1 0 0 (622 packets)

And if you are looking for details of the packets, then you will have to go with port mirroring only.
thank you

Prabin
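As an added example that is not part of any post in this thread: a small Python script that parses PFE_FW_SYSLOG_ETH_IP lines of the shape Prabin quoted and aggregates them per (interface, source, destination), so a defender can answer the original question (which interfaces a given flow is actually seen on) from the messages file rather than by eyeballing it. The field order follows the quoted lines; the sample log lines are constructed, and the meaning of the action letters other than "A" is my assumption, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real device) in the shape of the
# PFE_FW_SYSLOG_ETH_IP messages quoted in the thread. Addresses, MACs and
# counts are made up; the last line is an unrelated message that must be skipped.
SAMPLE_LOG = [
    "fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0 A 0800 00:00:06:00:03:00 -> 10:0e:7e:3f:b8:72 255 2.2.2.2 1.1.1.1 0 0 (626 packets)",
    "fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0 A 0800 00:00:06:00:03:00 -> 10:0e:7e:3f:b8:72 255 2.2.2.2 1.1.1.1 0 0 (629 packets)",
    "Oct  8 01:40:03 ex9200 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/1.0 D 0800 00:00:06:00:03:00 -> 10:0e:7e:3f:b8:72 6 2.2.2.2 1.1.1.1 40000 22 (3 packets)",
    "Oct  8 01:40:03 ex9200 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation",
]

# Field order as it appears in the quoted messages: interface, action letter,
# ethertype, src MAC -> dst MAC, IP protocol, src IP, dst IP, src port,
# dst port, packet count. Searching (not anchoring) lets the same pattern
# accept lines with or without a syslog timestamp/hostname prefix.
FW_RE = re.compile(
    r"PFE_FW_SYSLOG_ETH_IP: FW: (?P<ifl>\S+) (?P<action>[A-Z]) (?P<ethertype>[0-9A-Fa-f]{4}) "
    r"(?P<src_mac>[0-9A-Fa-f:]{17}) -> (?P<dst_mac>[0-9A-Fa-f:]{17}) (?P<proto>\d+) "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+) (?P<dst_ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<src_port>\d+) (?P<dst_port>\d+) \((?P<packets>\d+) packets?\)"
)

# Assumed mapping of the action letter (the thread only shows "A").
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


def parse_line(line):
    """Return a dict of the parsed fields, or None for lines that are not
    PFE firewall syslog records."""
    m = FW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "src_port", "dst_port", "packets"):
        rec[key] = int(rec[key])
    rec["action"] = ACTIONS.get(rec["action"], rec["action"])
    return rec


def summarize(lines):
    """Aggregate per (interface, src IP, dst IP): packets reported, number of
    log records, and the set of filter actions seen. The packet count in
    parentheses is summed across records for the same key."""
    summary = defaultdict(lambda: {"packets": 0, "hits": 0, "actions": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[(rec["ifl"], rec["src_ip"], rec["dst_ip"])]
        entry["packets"] += rec["packets"]
        entry["hits"] += 1
        entry["actions"].add(rec["action"])
    return dict(summary)


def interfaces_for_flow(summary, src_ip, dst_ip):
    """Interfaces on which a given src -> dst flow was logged, sorted."""
    return sorted(ifl for (ifl, s, d) in summary if s == src_ip and d == dst_ip)


def main():
    summary = summarize(SAMPLE_LOG)
    for (ifl, src, dst), e in sorted(summary.items()):
        actions = ",".join(sorted(e["actions"]))
        print(f"{ifl:12} {src:>15} -> {dst:<15} packets={e['packets']:6} "
              f"records={e['hits']} actions={actions}")
    print("interfaces seen for 2.2.2.2 -> 1.1.1.1:",
          interfaces_for_flow(summary, "2.2.2.2", "1.1.1.1"))


if __name__ == "__main__":
    main()
```

Feed it the output of `show log messages | match PFE_FW_SYSLOG` (or the file itself) instead of SAMPLE_LOG to run it against a real box; keying on the logical interface is what turns a pile of syslog lines into an answer about ingress and egress.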

Re: determine a specific traffic on ex9200

10-09-2019 09:45 PM

Can I ask about the firewall filter config in the previous post? It seems not correct, because the rest of the traffic is going to be blocked. Am I right or not?

And also I have tried to make the following FF config: what do you think, guys? Is this okay for the EX9200 or not?

set firewall filter Syslog_filter term data_log from destination-address 10.10.10.10/32
set firewall filter Syslog_filter term data_log from destination-port 514
set firewall filter Syslog_filter term data_log then log
set firewall filter Syslog_filter term data_log then accept
set firewall filter Syslog_filter term allow then accept

set interfaces ge-3/4/0 unit 0 family inet filter output Syslog_filter

> show firewall log detail    (verification)

Re: determine a specific traffic on ex9200

10-13-2019 04:27 AM

Any ideas regarding my previous post?

Re: determine a specific traffic on ex9200

10-13-2019 04:50 AM

Hi Arix,

The below firewall config looks good. The last term allow will pass the rest of the traffic.



set firewall filter Syslog_filter term data_log from destination-address 10.10.10.10/32
set firewall filter Syslog_filter term data_log from destination-port 514
set firewall filter Syslog_filter term data_log then log
set firewall filter Syslog_filter term data_log then accept
set firewall filter Syslog_filter term allow then accept

set interfaces ge-3/4/0 unit 0 family inet filter output Syslog_filter


Regards,
Jibu

Re: determine a specific traffic on ex9200

10-14-2019 02:38 AM

Hi,

Is that a family inet or a family ethernet-switching interface?

If ethernet-switching, the firewall filter will be slightly different.

Cheers, 
Ashvin

Re: determine a specific traffic on ex9200

10-14-2019 05:20 AM

Hi there... Thanks for the replies...

What do you mean by slightly different?

Can you provide a workable config for both ethernet-switching and family inet? Is it possible?

Re: determine a specific traffic on ex9200

10-14-2019 05:42 AM

Hi,

I think that might depend on the Junos version. Sometimes the match conditions can be different, e.g. ip-source-address instead of source-address.

ethernet-switching:

set firewall family ethernet-switching filter <name> term <term> from ip-source-address x.x.x.x

inet:

set firewall family inet filter <name> term <term> from source-address x.x.x.x

Ref: https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-ex-series...

Cheers,

Ashvin