...
h5. Mirroring rule in the "internet-output" firewall filter:
\\
{code}
user@host# show firewall family inet filter internet-output
term 1-span-to-carbon {
    from {
        protocol tcp;
        destination-port [ http https ftp domain 81 82 84 888 2020 2072 4001 4002 5000 8001 8080 8081 8085 10009 16869 16873 ];
    }
    then port-mirror;
}
...
term 2-span-to-carbon-udp {
    from {
        protocol udp;
        destination-port domain;
    }
    then port-mirror;
}
term 9-premit_any {
    then accept;
}
{code}
\\
h5. Port-mirroring settings (where the mirror is sent):
\\
{code}
user@host# show forwarding-options port-mirroring
input {
    rate 1;
}
family inet {
    output {
        interface xe-2/2/0.4020 {
            next-hop 172.16.16.2;
        }
    }
}
{code}
\\
h5. Interface settings for carbon-reductor:
\\
{code}
user@host# show interfaces xe-2/2/0.4020
description "remote mirror for carbon reductor";
vlan-id 4020;
family inet {
    address 172.16.16.1/30;
}
family inet6 {
    address fdeb:446c:912d:8da::/64;
}
{code}
\\
...
h5. Firewall configuration:
\\
{code}
user@host# show interfaces | display set | match internet-output
set interfaces xe-2/2/0 unit 1510 family inet filter output internet-output
{code}
h5. Configuring multiple mirror receivers:
\\
Create a next-hop group:
\\
{code}
[edit]
user@host# show forwarding-options next-hop-group Analyzer-servers
group-type inet;
interface ge-0/0/1.0 {
    next-hop 192.168.0.1;
}
interface ge-0/0/2.0 {
    next-hop 192.168.0.2;
}
/* For IPv6 */
interface et-0/0/0.1791 {
    next-hop fdeb:446c:912d:8da::/64;
}
{code}
\\
...
Now specify this group as the next-hop in output:
\\
{code}
[edit]
user@host# show forwarding-options port-mirroring instance SPAN-1
input {
    rate 1;
    run-length 0;
}
family inet {
    output {
        next-hop-group Analyzer-servers;
    }
}
{code}
\\
h5. On Carbon Reductor:
\\
{code}
[root@localhost]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
BOOTPROTO=static
IPADDR=172.16.16.2
NETMASK=255.255.255.252
DEFROUTE=no
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
ARP=yes
MTU=9200
{code}
IPv6:
{code}
[root@localhost]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
BOOTPROTO=static
IPADDR=172.16.16.2
NETMASK=255.255.255.252
DEFROUTE=no
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
ARP=yes
IPV6INIT="yes"
IPV6ADDR=fdeb:446c:912d:8da::/64
{code}
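The mirror only reaches Carbon Reductor when the router's port-mirroring next-hop, the mirror sub-interface subnet and the receiver's ifcfg values agree. The following is an added example, not part of the original page: a small consistency check over the IPv4 values shown above. The function name `check_mirror_path` and the two broken samples are constructed for illustration.

```python
import ipaddress

def check_mirror_path(router_if, next_hop, receiver_ip, receiver_mask):
    """Return a list of problems with a port-mirror next-hop; empty means consistent."""
    rtr = ipaddress.ip_interface(router_if)            # router mirror sub-interface
    hop = ipaddress.ip_address(next_hop)               # forwarding-options next-hop
    rcv = ipaddress.ip_interface(f"{receiver_ip}/{receiver_mask}")  # ifcfg IPADDR/NETMASK
    if hop.version != rtr.version or rcv.version != rtr.version:
        return ["address families of router, next-hop and receiver differ"]
    problems = []
    if hop not in rtr.network:
        problems.append(f"next-hop {hop} is outside {rtr.network}")
    if hop == rtr.ip:
        problems.append(f"next-hop {hop} is the router's own address")
    if rcv.ip != hop:
        problems.append(f"receiver address {rcv.ip} does not match next-hop {hop}")
    if rcv.network != rtr.network:
        problems.append(f"receiver subnet {rcv.network} differs from {rtr.network}")
    return problems

# Values taken from the configuration on this page.
PAGE_VALUES = ("172.16.16.1/30", "172.16.16.2", "172.16.16.2", "255.255.255.252")

# Constructed misconfigurations: next-hop outside the /30, and a wrong receiver netmask.
BAD_NEXT_HOP = ("172.16.16.1/30", "172.16.16.6", "172.16.16.2", "255.255.255.252")
BAD_NETMASK = ("172.16.16.1/30", "172.16.16.2", "172.16.16.2", "255.255.255.0")

def run_samples():
    """Check the page's values and the two constructed samples."""
    return {
        "page": check_mirror_path(*PAGE_VALUES),
        "bad_next_hop": check_mirror_path(*BAD_NEXT_HOP),
        "bad_netmask": check_mirror_path(*BAD_NETMASK),
    }

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(name, "OK" if not problems else problems)
```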