Understanding Layer 2 Port Mirroring of PE Router Logical Interfaces
For an MX Series router or an EX Series switch configured as a provider edge (PE) router or PE switch on the customer-facing edge of a service provider network, you can apply a Layer 2 port-mirroring firewall filter at the following ingress and egress points to mirror the traffic between the PE router or PE switch and customer edge (CE) devices, such as routers and Ethernet switches.
Table 1 describes the ways in which you can apply Layer 2 port-mirroring firewall filters to an MX Series router or an EX Series switch configured as a PE router or PE switch.
Table 1: Application of Layer 2 Port Mirroring Firewall Filters on PE Routers and PE Switches
Point of Application
Scope of Mirroring
Ingress Customer-Facing Logical Interface
Packets originating within a service provider customer’s network, sent first to a CE device, and sent next to an MX Series router or an EX Series switch acting as a PE router or PE switch.
You can also configure aggregated Ethernet interfaces between CE devices and PE routers or PE switches for VPLS routing instances. Traffic is load-balanced across all of the links in the aggregated interface.
Traffic received on an aggregated Ethernet interface is forwarded over a different interface based on a lookup of the destination MAC (DMAC) address:
For more information about VPLS routing instances, see Configuring a VPLS Routing Instance and Configuring VLAN Identifiers for Bridge Domains and VPLS Routing Instances.
Egress Customer-Facing Logical Interface
Unicast packets being forwarded by the MX Series router or the EX Series switch to another PE router or PE switch.
If you apply a port-mirroring filter to the output of a logical interface, only unicast packets are mirrored. To mirror multicast, unknown unicast, and broadcast packets, apply a filter to the input of the flood table of a bridge domain or VPLS routing instance.
Input to a Bridge Domain Forwarding Table or Flood Table
Forwarding traffic or flood traffic sent to the bridge domain from a CE device.
Forwarding and flood traffic typically consists of broadcast packets, multicast packets, unicast packets with an unknown destination MAC address, or packets with a MAC entry in the DMAC routing table.
See Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a Bridge Domain. For information about flooding behavior in VPLS, see the Junos OS VPNs Library for Routing Devices.
Input to a VPLS Routing Instance Forwarding Table or Flood Table
Forwarding traffic or flood traffic sent to the VPLS routing instance from a CE device.
See Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a VPLS Routing Instance. For information about flooding behavior in VPLS, see the Junos OS VPNs Library for Routing Devices.
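The egress limitation noted in Table 1, shown as an added Junos configuration fragment (an illustration written for this page, not taken from the original documentation). The filter, interface, and bridge-domain names are placeholders, and the mirror destination under forwarding-options port-mirroring is assumed to be configured separately.

```junos
# Constructed example: pm-ce-traffic, ge-2/0/1 and bd-customer-a are placeholder names.
firewall {
    family bridge {
        filter pm-ce-traffic {
            term mirror-all {
                then {
                    port-mirror;    # copy matching packets to the mirror destination
                    accept;         # and forward the original packet normally
                }
            }
        }
    }
}
interfaces {
    ge-2/0/1 {
        unit 0 {
            family bridge {
                filter {
                    # Ingress customer-facing logical interface:
                    # mirrors packets arriving from the CE device.
                    input pm-ce-traffic;
                    # Egress customer-facing logical interface:
                    # only unicast packets are mirrored here.
                    output pm-ce-traffic;
                }
            }
        }
    }
}
bridge-domains {
    bd-customer-a {
        forwarding-options {
            flood {
                # Input to the bridge domain flood table: needed to capture
                # broadcast, multicast and unknown unicast packets, which
                # the output filter on the logical interface does not mirror.
                input pm-ce-traffic;
            }
        }
    }
}
```

For monitoring coverage, the practical point is that an output filter on the logical interface alone leaves flooded traffic unmirrored, so a capture built only on it will miss broadcast, multicast, and unknown unicast frames.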