    Layer 2 Port Mirroring Firewall Filters

    This topic describes the following information:

    Layer 2 Port Mirroring Firewall Filters Overview

    On an MX Series router, you can configure a firewall filter term to specify that Layer 2 port mirroring is to be applied to all packets at the interface to which the firewall filter is applied.

    You can apply a Layer 2 port-mirroring firewall filter to the input or output logical interfaces (including aggregated Ethernet logical interfaces), to traffic forwarded or flooded to a bridge domain, or traffic forwarded or flooded to a VPLS routing instance.

    MX Series routers support Layer 2 port mirroring of VPLS (family bridge or family vpls) traffic and Layer 2 VPN traffic with family ccc in a Layer 2 environment.

    Within a firewall filter term, you can specify the Layer 2 port-mirroring properties under the then statement in either of the following ways:

    • Implicitly reference the Layer 2 port-mirroring properties in effect on the port.
    • Explicitly reference a particular named instance of Layer 2 port mirroring.

    Note: When configuring a Layer 2 port-mirroring firewall filter, do not include the optional from statement that specifies match conditions based on the route source address. Omit this statement so that all packets are considered to match and all actions and action-modifiers specified in the then statement are taken.

    If you want to mirror all incoming packets, do not use the from statement. Configure filter terms with a from statement only if you want to mirror a subset of packets.
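The following added example (not taken from the original guide) shows the two ways of referencing port-mirroring properties in a then statement, plus a term that uses from to mirror only a subset of packets. The filter names, term names, the instance name pm-instance-1 (assumed to be defined already), and the MAC address are placeholders.

```junos
firewall {
    family bridge {
        # Implicit reference: uses the Layer 2 port-mirroring properties
        # in effect on the port. No from statement, so every packet matches.
        filter pm-all {
            term mirror-everything {
                then {
                    port-mirror;
                    accept;
                }
            }
        }
        # Explicit reference: names one port-mirroring instance.
        # pm-instance-1 is a placeholder and must already be defined.
        filter pm-named {
            term mirror-everything {
                then {
                    port-mirror-instance pm-instance-1;
                    accept;
                }
            }
        }
        # Subset: only frames from one source MAC are mirrored.
        filter pm-subset {
            term mirror-one-host {
                from {
                    source-mac-address 00:00:5e:00:53:01/48;   # placeholder MAC
                }
                then {
                    port-mirror;
                    accept;
                }
            }
            # Without this term, the filter's implicit final discard
            # would drop all traffic that is not being mirrored.
            term everything-else {
                then accept;
            }
        }
    }
}
```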

    For a general description of Layer 2 port-mirroring properties, see Understanding Layer 2 Port Mirroring Properties. For a comparison of the types of Layer 2 port mirroring available on an MX Series router, see Application of Layer 2 Port Mirroring Types.

    Note: If you associate integrated routing and bridging (IRB) with the bridge domain (or VPLS routing instance), and also configure within the bridge domain (or VPLS routing instance) a forwarding table filter with the port-mirror or port-mirror-instance action, then the IRB packet is mirrored as a Layer 2 packet. You can disable this behavior by configuring the no-irb-layer-2-copy statement in the bridge-domain (or VPLS routing instance).

    For a detailed description of how to configure a Layer 2 port-mirroring firewall filter, see Defining a Layer 2 Port-Mirroring Firewall Filter.

    For detailed information about how you can use Layer 2 port-mirroring firewall filters with MX Routers configured as provider edge (PE) routers, see Understanding Layer 2 Port Mirroring of PE Router Logical Interfaces. For detailed information about configuring firewall filters in general (including in a Layer 3 environment), see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

    Mirroring of Packets Received or Sent on a Logical Interface

    To mirror Layer 2 traffic received or sent on a logical interface, apply a port-mirroring firewall filter to the input or output of the interface.

    A port-mirroring firewall filter can also be applied to an aggregated-Ethernet logical interface. For details, see Understanding Layer 2 Port Mirroring of PE Router Aggregated Ethernet Interfaces.

    Note: If port-mirroring firewall filters are applied at both the input and output of a logical interface, two copies of each packet are mirrored. To prevent the router from forwarding duplicate packets to the same destination, you can enable the “mirror-once” option for Layer 2 port mirroring in the global instance for the Layer 2 packet address family.

    Mirroring of Packets Forwarded or Flooded to a Bridge Domain

    To mirror Layer 2 traffic forwarded to or flooded to a bridge domain, apply a port-mirroring firewall filter to the input to the forwarding table or flood table. Any packet received for the bridge domain forwarding or flood table and that matches the filter conditions is mirrored.

    For more information about bridge domains, see Understanding Layer 2 Bridge Domains. For information about flooding behavior in a bridge domain, see Understanding Layer 2 Learning and Forwarding for Bridge Domains.

    Note: When you configure port mirroring on any interface under one bridge domain, the mirrored packet can move to an external analyzer located under different bridge domains.
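The following added example (not taken from the original guide) shows the attachment points described above: the input and output of a logical interface, with mirror-once enabled so that only one copy is sent, and the forwarding table and flood table of a bridge domain. The interface ge-1/0/0, the bridge domain bd-100, and the filter pm-all are placeholders, and pm-all is assumed to be a family bridge filter with a port-mirror action.

```junos
interfaces {
    ge-1/0/0 {
        unit 0 {
            family bridge {
                filter {
                    # Filters on both directions produce two mirrored
                    # copies of each packet unless mirror-once is set.
                    input pm-all;
                    output pm-all;
                }
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        # Global instance: suppress the duplicate copy.
        mirror-once;
    }
}
bridge-domains {
    bd-100 {
        forwarding-options {
            # Mirror packets forwarded within the bridge domain.
            filter {
                input pm-all;
            }
            # Mirror packets flooded to the bridge domain.
            flood {
                input pm-all;
            }
        }
    }
}
```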

    Mirroring of Packets Forwarded or Flooded to a VPLS Routing Instance

    To mirror Layer 2 traffic forwarded to or flooded to a VPLS routing instance, apply a port-mirroring firewall filter to the input to the forwarding table or flood table. Any packet received for the VPLS routing instance forwarding or flood table and that matches the filter condition is mirrored.

    For more information about VPLS routing instances, see Configuring a VPLS Routing Instance and Configuring VLAN Identifiers for Bridge Domains and VPLS Routing Instances. For information about flooding behavior in VPLS, see the Junos OS VPNs Library for Routing Devices.

    Modified: 2017-11-20