On EX Series switches, you can configure firewall filters to monitor traffic between two devices. Suppose two devices (a server and a PC) are connected to our EX4200 switch, and we want to verify that traffic is passing from the PC to the server.
Configure a firewall filter for the server and apply it as an input filter on the port that the server is plugged into:
set firewall family ethernet-switching filter F1 term T1 from source-address 1.1.1.1/32
set firewall family ethernet-switching filter F1 term T1 from destination-address 2.2.2.2/32
set firewall family ethernet-switching filter F1 term T1 from protocol tcp
set firewall family ethernet-switching filter F1 term T1 from tcp-flags "syn&ack"
set firewall family ethernet-switching filter F1 term T1 then count ack-count
set firewall family ethernet-switching filter F1 term T2 then accept
set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input F1
Configure a matching firewall filter for the PC and apply it as an output filter on the port that the PC is plugged into:
set firewall family ethernet-switching filter F2 term T1 from source-address 1.1.1.1/32
set firewall family ethernet-switching filter F2 term T1 from destination-address 2.2.2.2/32
set firewall family ethernet-switching filter F2 term T1 from protocol tcp
set firewall family ethernet-switching filter F2 term T1 from tcp-flags "syn&ack"
set firewall family ethernet-switching filter F2 term T1 then count ack-count
set firewall family ethernet-switching filter F2 term T2 then accept
set interfaces ge-0/0/22 unit 0 family ethernet-switching filter output F2
We can then run a ping from the PC to the server and verify whether or not traffic is traversing the ports we are monitoring. Note that term T1 only matches TCP packets with both SYN and ACK set (the server's reply in a TCP handshake), so ICMP from the ping itself will not increment ack-count; the counter rises once TCP traffic between the two addresses passes through the ports. Term T2 has no match conditions, so everything else is accepted without being counted.
The output of show firewall:
Filter: F1
Counters:
Name                 Bytes      Packets
ack-count             2310           33

Filter: egress
Counters:
Name                 Bytes      Packets
ack-count             2310           33
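As an added example (not from the original post), a small Python script that parses the text of show firewall and checks that the SYN-ACK count seen on the ingress filter equals the count on the egress filter, which is the check the two filters above are there to support. The sample output is constructed from the numbers shown above; the filter names F1 and F2 are assumed.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `show firewall` output, using the counts from the post.
SAMPLE_OUTPUT = """\
Filter: F1
Counters:
Name                 Bytes      Packets
ack-count             2310           33

Filter: F2
Counters:
Name                 Bytes      Packets
ack-count             2310           33
"""

# A counter line: name, bytes, packets (the "Name Bytes Packets" header does not match).
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_show_firewall(text: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {filter_name: {counter_name: (bytes, packets)}} from show firewall text."""
    filters: Dict[str, Dict[str, Tuple[int, int]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            filters[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            filters[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return filters


def check_path(filters, ingress_filter: str, egress_filter: str, counter: str):
    """Compare one counter on the ingress and egress filters.

    Returns (ok, ingress_packets, egress_packets). A missing counter reads as 0,
    so a filter that never matched shows up as a gap rather than an exception.
    """
    in_pkts = filters.get(ingress_filter, {}).get(counter, (0, 0))[1]
    out_pkts = filters.get(egress_filter, {}).get(counter, (0, 0))[1]
    return in_pkts == out_pkts, in_pkts, out_pkts


if __name__ == "__main__":
    parsed = parse_show_firewall(SAMPLE_OUTPUT)
    print(check_path(parsed, "F1", "F2", "ack-count"))  # (True, 33, 33)
```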
Enjoy!