[j-nsp] MX/Trio, mirror IRB egress traffic with VLANs [OFFLIST]

Saku Ytti saku at ytti.fi
Mon Mar 16 11:40:00 EDT 2015


On (2015-03-16 10:34 -0400), Clarke Morledge wrote:

Hey,

> I have not been able to figure this one out either. Very frustrating.
> 
> If you do find an answer, please post to the list.

I got a tip from Max, Eduard and Pete to use 'family any', instead of 'family
bridge'. I didn't initially even entertain the idea, because I knew I needed
filtering, which 'family any' lacks. But with some juggling, I was able to also
filter my mirrored packets.

Relevant config:

set groups SBC:IFD interfaces <*> unit <*> filter input ANY:SBC
set groups SBC:IFD interfaces <*> unit <*> filter output ANY:SBC
set groups SBC firewall family any filter ANY:SBC term all then port-mirror
set groups SBC firewall family any filter ANY:SBC term all then forwarding-class EF
set groups SBC firewall family any filter ANY:SBC term all then accept
set groups SBC forwarding-options port-mirroring input rate 1
set groups SBC forwarding-options port-mirroring family any output interface lt-0/0/0.0
set groups SBC interfaces lt-0/0/0 unit 0 encapsulation ethernet-ccc
set groups SBC interfaces lt-0/0/0 unit 0 peer-unit 1
set groups SBC interfaces lt-0/0/0 unit 1 encapsulation ethernet-vpls
set groups SBC interfaces lt-0/0/0 unit 1 peer-unit 0
set groups SBC interfaces lt-0/0/0 unit 1 family vpls filter input VPLS:MIRROR_FILTER
set groups SBC interfaces lt-0/0/0 unit 1 family vpls filter output VPLS:DISCARD
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term sip from ip-protocol tcp
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term sip from ip-protocol udp
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term sip from port 5060-5070
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term sip then count sip
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term sip then accept
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from ip-protocol udp
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from port 1024-65535
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from flexible-match-mask match-start layer-4
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from flexible-match-mask byte-offset 1
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from flexible-match-mask bit-offset 7
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from flexible-match-mask bit-length 1
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from flexible-match-mask mask-in-hex 0x1
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc from flexible-match-mask prefix 0x1
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc then count rtpc
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term rtpc then accept
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term discard then count discard
set groups SBC firewall family vpls filter VPLS:MIRROR_FILTER term discard then discard
set routing-instances MIRROR instance-type vpls
set routing-instances MIRROR interface lt-0/0/0.1
set routing-instances MIRROR interface ge-0/1/0.0
set routing-instances MIRROR interface ge-0/1/1.0
set routing-instances MIRROR protocols vpls no-mac-learning
set interfaces ge-0/1/1 encapsulation ethernet-vpls
set interfaces ge-0/1/1 unit 0 family vpls filter input VPLS:DISCARD
set interfaces ge-0/1/0 encapsulation ethernet-vpls
set interfaces ge-0/1/0 unit 0 family vpls filter input VPLS:DISCARD
set groups SBC firewall family vpls filter VPLS:DISCARD term discard then discard

-- 
  ++ytti
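An added example, not part of the post above: a small Python model of the three VPLS:MIRROR_FILTER terms, run over constructed layer-4 headers, so the flexible-match-mask term can be checked offline. It assumes Junos counts bit-offset 0 as the most significant bit of the byte, which would make byte-offset 1 / bit-offset 7 of the layer-4 header the lowest bit of the UDP source port (odd port, i.e. RTCP alongside even-port RTP); the helper names are mine.

```python
import struct

def flexible_match(l4: bytes, byte_offset: int, bit_offset: int,
                   bit_length: int, mask: int, prefix: int) -> bool:
    """Model of 'from flexible-match-mask match-start layer-4 ...'.

    Assumed semantics: take bit_length bits starting bit_offset bits into
    l4[byte_offset] (bit 0 = most significant), AND with mask, compare to
    prefix. A 32-bit window is used so fields straddling bytes still work.
    """
    window = int.from_bytes(l4[byte_offset:byte_offset + 4].ljust(4, b"\0"), "big")
    shift = 32 - bit_offset - bit_length
    value = (window >> shift) & ((1 << bit_length) - 1)
    return (value & mask) == prefix

def classify(ip_protocol: int, l4: bytes) -> str:
    """Return the name of the first matching term, as the filter would.

    'from port X-Y' in Junos matches either source or destination port.
    """
    sport, dport = struct.unpack("!HH", l4[:4])
    # term sip: tcp or udp, either port in 5060-5070
    if ip_protocol in (6, 17) and any(5060 <= p <= 5070 for p in (sport, dport)):
        return "sip"
    # term rtpc: udp, either port in 1024-65535, plus the flexible-match bit
    # (byte-offset 1 is the low byte of the *source* port only)
    if ip_protocol == 17 and any(1024 <= p <= 65535 for p in (sport, dport)) \
            and flexible_match(l4, 1, 7, 1, 0x1, 0x1):
        return "rtpc"
    # term discard: everything else
    return "discard"

def l4_header(sport: int, dport: int) -> bytes:
    """Constructed sample: ports followed by four zero bytes (length/checksum)."""
    return struct.pack("!HH", sport, dport) + b"\0" * 4

if __name__ == "__main__":
    for proto, hdr in [(17, l4_header(5061, 5060)),     # SIP over UDP
                       (17, l4_header(40001, 40003)),   # odd source port: RTCP
                       (17, l4_header(40000, 40002)),   # even source port: RTP
                       (17, l4_header(40000, 40003))]:  # only dport odd: not matched
        print(proto, struct.unpack("!HH", hdr[:4]), "->", classify(proto, hdr))
```

Note that the flexible match only inspects the source port's low bit, so RTCP arriving on an even source port towards an odd destination port would fall through to the discard term.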
