Restrictions on Layer 2 Port Mirroring

• Only Layer 2 transit data (packets that contain chunks of data transiting the routing platform as they are forwarded from a source to a destination) can be mirrored. Layer 2 local data (packets that contain chunks of data that are destined for or sent by the Routing Engine, such as Layer 2 control packets) can be mirrored by configuring set chassis host-outbound media-interface.
• If you apply a port-mirroring filter to the output of a logical interface, only unicast packets are mirrored. To mirror broadcast packets, multicast packets, unicast packets with an unknown destination media access control (MAC) address, or packets with MAC entry in the destination MAC (DMAC) routing table, apply a filter to the input to the flood table of a bridge domain or virtual private LAN service (VPLS) routing instance.

  Note: Starting with Junos OS Release 13.2R1, this is restricted only for DPCs. For MX series routers with MPCs and MICs, both unicast, and multicast packets can be mirrored.

• Starting with Junos OS Release 13.2R1, the family any mirroring is supported in logical systems.
• Starting with Junos OS Release 13.2R1, the family any mirroring can be achieved by creating port-mirroring instance under the [edit forwarding-options] and applying family any filter on an interface belonging to logical systems.
• The mirror destination device should be on a dedicated bridge domain and should not participate in any bridging activity: The mirror destination device should not have a bridge to the ultimate traffic destination, and the mirror destination device should not send the mirrored packets back to the source address.
• For either the global port-mirroring instance or a named port-mirroring instance, you can configure only one mirror output interface per port-mirroring instance and packet address family. If you include more than one interface statement under the family (bridge | ccc | vpls) output statement, the previous interface statement is overridden.
• Layer 2 port-mirroring firewall filtering is supported for logical systems.

  In a Layer 2 port-mirroring firewall filter definition, the filter action-modifier (port-mirror ) relies on port-mirroring properties defined in the global instance or named instances of Layer 2 port mirroring, which are configured under the [edit forwarding-options port-mirroring] hierarchy. Therefore, in Layer 2 port mirroring, the filter term is supported for logical systems.

• For a Layer 2 port mirroring firewall filter in which you implicitly reference Layer 2 port mirroring properties by including the port-mirror statement, if multiple named instances of Layer 2 port mirroring are bound to the underlying physical interface, then only the first binding in the stanza (or the only binding) is used at the logical interface. This is done mainly for backward compatibility.
• Layer 2 port-mirroring firewall filters support the use of next-hop subgroups for load-balancing mirrored traffic.
• If a family ccc mirror destination is a Logical Tunnel (lt-) interface hosted on a DPC and that lt- interface also has a firewall filter with action next-hop-group applied that redirects packets to MPC interfaces, then port-mirror instances must be created at the [edit forwarding options port-mirroring instance] with family ccc output interface destination of a next-hop-group member interface. One port-mirroring instance will be needed for each member interface in the next-hop-group. These port-mirroring instances do not need to be used anywhere in the configuration.