Understanding Port Mirroring Analyzers

Port mirroring can be used for traffic analysis on routers and switches that, unlike hubs, do not broadcast packets to every port on the destination device. Port mirroring sends copies of all packets or policy-based sample packets to local or remote analyzers where you can monitor and analyze the data.

In the context of port mirroring analyzers, we use the term switching device. The term indicates that the device (including routers) is performing a switching function.

You can use analyzers on a packet level to help you:

  • Monitor network traffic

  • Enforce network usage policies

  • Enforce file sharing policies

  • Identify causes of problems

  • Identify stations or applications with heavy or abnormal bandwidth usage

You can configure an analyzer to mirror:

  • Bridged packets (Layer 2 packets)

  • Routed packets (Layer 3 packets)

Mirrored packets can be copied to either a local interface for local monitoring or a VLAN or bridge domain for remote monitoring.

The following packets can be copied:

  • Packets entering or exiting a port—You can mirror packets entering or exiting ports, in any combination, for up to 256 ports. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.

  • Packets entering or exiting a VLAN or bridge domain—You can mirror the packets entering or exiting a VLAN or bridge domain to either a local analyzer port or to an analyzer VLAN or bridge domain. You can configure multiple VLANs (up to 256 VLANs) or bridge domains as ingress inputs to an analyzer, including a VLAN range and private VLANs (PVLANs).

  • Policy-based sample packets—You can mirror a policy-based sample of packets that are entering a port, VLAN, or bridge domain. You configure a firewall filter with a policy to select the packets to be mirrored. You can send the sample to a port-mirroring instance or to an analyzer VLAN or bridge domain.

This topic describes:

Analyzer Overview

You can configure an analyzer to define both the input traffic and the output traffic in the same analyzer configuration. The input traffic to be analyzed can be either traffic that enters or traffic that exits an interface or VLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, next-hop group, VLAN, or bridge domain. You can configure an analyzer at the [edit forwarding-options analyzer] hierarchy level.

Statistical Analyzer Overview

You can define a set of mirroring properties, such as mirroring rate and maximum packet length for traffic, that you can explicitly bind to physical ports on the router or switch. This set of mirroring properties constitutes a statistical analyzer (also called a nondefault analyzer). At this level, you can bind a named instance to the physical ports associated with a specific FPC.

Default Analyzer Overview

You can configure an analyzer without configuring any mirroring properties (such as mirroring rate or maximum packet length). By default, the mirroring rate is set to 1 and the maximum packet length is set to the complete length of the packet. These properties are applied at the global level and need not be bound to a specific FPC.

Port Mirroring at a Group of Ports Bound to Multiple Statistical Analyzers

You can apply up to two statistical analyzers to the same port groups on the switching device. By applying two different statistical analyzer instances to the same FPC or Packet Forwarding Engine, you can bind two distinct Layer 2 mirroring specifications to a single port group. Mirroring properties that are bound to an FPC override any analyzer (default analyzer) properties bound at the global level on the switching device. Default analyzer properties are overridden by binding a second analyzer instance on the same port group.

Port Mirroring Analyzer Terminology

Table 1 lists some port mirroring analyzer terms and their descriptions.

Table 1: Analyzer Terminology

Term / Description

Analyzer

In a mirroring configuration, the analyzer includes:

  • The name of the analyzer

  • Source (input) ports, VLANs, or bridge domains

  • A destination for mirrored packets (either a monitor port, VLAN, or bridge domain)

Analyzer output interface

(Also known as a monitor port)

Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected.

Note: Interfaces used as output for an analyzer must be configured under the forwarding-options hierarchy level.

Analyzer output interfaces have the following limitations:

  • They cannot also be a source port.

  • They do not participate in Layer 2 protocols, such as the Spanning Tree Protocol (STP), when part of a port-mirroring configuration.

  • If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped.

Analyzer VLAN or bridge domain

(Also known as a monitor VLAN or bridge domain)

VLAN or bridge domain to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The member interfaces in the monitor VLAN or bridge domain are spread across the switching devices in your network.

Bridge-domain-based analyzer

An analyzer session whose configuration uses bridge domains for both input and output or for either input or output.

Default analyzer

An analyzer with default mirroring parameters. By default, the mirroring rate is 1 and the maximum packet length is the length of the complete packet.

Input interface

(Also known as mirrored ports or monitored interfaces)

An interface on the switching device that is being mirrored. Traffic that is either entering or exiting this interface is mirrored.

LAG-based analyzer

An analyzer that has a link aggregation group (LAG) specified as the input (ingress) interface in the analyzer configuration.

Local mirroring

An analyzer configuration in which packets are mirrored to a local analyzer port.

Monitoring station

A computer running a protocol analyzer application.

Analyzer based on next-hop group

An analyzer session configuration that uses the next-hop group as the analyzer output.

Port-based analyzer

An analyzer session configuration that defines interfaces for both input and output.

Protocol analyzer application

An application used to examine packets transmitted across a network segment. Also commonly called a network analyzer, packet sniffer, or probe.

Remote mirroring

Functions the same way as local mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN or bridge domain that you create specifically for the purpose of receiving mirrored traffic. Mirrored packets have an additional outer tag of the analyzer VLAN or bridge domain.

Statistical analyzer

(Also known as a nondefault analyzer)

You can define a set of mirroring properties that you can explicitly bind to physical ports on the switch. This set of analyzer properties is known as a statistical analyzer.

VLAN-based analyzer

An analyzer session whose configuration uses VLANs for both input and output or for either input or output.

Configuration Guidelines for Port Mirroring Analyzers

When you configure port mirroring analyzers, we recommend that you follow these guidelines to ensure optimum benefit. Disable mirroring when you are not using it, and select specific interfaces as input to the analyzer rather than using the all keyword option, which enables mirroring on all interfaces. Mirroring only the packets you need reduces any potential performance impact.

You can also limit the amount of mirrored traffic by:

  • Using statistical sampling

  • Using a firewall filter

  • Setting a ratio to select a statistical sample

With local mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. You must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.

Table 2 summarizes further configuration guidelines for analyzers.

Table 2: Configuration Guidelines for Port Mirroring Analyzers

Guideline / Value or Support Information / Comment

Guideline: Number of analyzers that you can enable concurrently.
Value or support information: 64 default analyzers; 2 statistical analyzers per FPC.
Comment:
  • Statistical analyzers must be bound to an FPC for mirroring traffic on ports belonging to that FPC.
    Note: Default analyzer properties are implicitly bound on the last (or second to last) instance on all FPCs in the system. Therefore, when you explicitly bind a second statistical analyzer on the FPC, the default analyzer properties are overridden.

Guideline: Number of interfaces, VLANs, or bridge domains that you can use as ingress input to an analyzer.
Value or support information: 256

Guideline: Types of ports on which you cannot mirror traffic.
Value or support information:
  • Virtual Chassis ports (VCPs)
  • Management Ethernet ports (me0 or vme0)
  • Integrated routing and bridging (IRB) interfaces
  • VLAN-tagged Layer 3 interfaces

Guideline: Protocol families that you can include in an analyzer.
Value or support information: ethernet-switching for EX Series switches and bridge for MX Series routers.
Comment: An analyzer mirrors only bridged traffic. To mirror routed traffic, use the port mirroring configuration with family inet or inet6.

Guideline: Packets with physical layer errors are not sent to the local or remote analyzer.
Value or support information: Applicable
Comment: Packets with these errors are filtered out and thus are not sent to the analyzer.

Guideline: Analyzer does not support line-rate traffic.
Value or support information: Applicable
Comment: Mirroring for line-rate traffic is done on a best-effort basis.

Guideline: Analyzer output on a LAG interface.
Value or support information: Supported

Guideline: Analyzer output interface in trunk mode.
Value or support information: Supported
Comment:
  • The trunk interface must be a member of all VLANs or bridge domains that are related to the input configuration of the analyzer.
  • You must use the mirror-once option if the input has been configured as a VLAN or bridge domain and the output is a trunk interface.
    Note: With the mirror-once option, if the input is for both ingress and egress mirroring, only ingress traffic is mirrored. If both ingress and egress mirroring are required, the output interface cannot be a trunk. In such cases, configure the interface as an access interface.

Guideline: Egress mirroring of host-generated control packets.
Value or support information: Not supported

Guideline: Configuring Layer 3 logical interfaces in the input stanza of an analyzer.
Value or support information: Not supported

Guideline: The analyzer input and output stanzas must not contain members of the same VLAN or the VLAN itself.
Value or support information: Applicable

Guideline: Support for a VLAN and its member interfaces in different analyzer sessions.
Value or support information: Not supported
Comment: If mirroring is configured this way, either of the analyzers is active.

Guideline: Egress mirroring of aggregated Ethernet (ae) interfaces and their child logical interfaces configured for different analyzers.
Value or support information: Not supported
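The guidelines in Table 2 and the output-interface limitations in Table 1 are easy to violate in a large configuration, so the following is an added example, written for this page and not Juniper code, of a small pre-commit checker that encodes them: it flags an output port that is also a source, more than 256 ingress inputs, port types on which traffic cannot be mirrored, a VLAN input sent to a trunk output without mirror-once, ingress plus egress mirroring to a trunk output, an input port that is a member of the analyzer VLAN, more than 64 default analyzers, and more than two statistical analyzers bound to one FPC, and it then renders the planned analyzer as set commands under the [edit forwarding-options analyzer] hierarchy. The analyzer name employee-monitor, the interface and VLAN names, the sampling values and the FPC number are constructed; recognising non-mirrorable port types by interface-name prefix (vcp-, me0, vme0, irb) is an assumption about naming, and the FPC binding is only tracked for the per-FPC limit, not rendered.

```python
"""Pre-commit checks for a planned port-mirroring analyzer (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

MAX_INGRESS_INPUTS = 256       # interfaces, VLANs or bridge domains per analyzer
MAX_STATISTICAL_PER_FPC = 2    # statistical (nondefault) analyzers per FPC
MAX_DEFAULT_ANALYZERS = 64     # default analyzers enabled concurrently
# Port types that cannot be mirrored, recognised by an assumed name prefix (vcp- VCP, me0/vme0 management, irb IRB).
NON_MIRRORABLE_PREFIXES = ("vcp-", "me0", "vme0", "irb")

@dataclass
class Analyzer:
    name: str
    ingress_interfaces: list = field(default_factory=list)
    ingress_vlans: list = field(default_factory=list)
    egress_interfaces: list = field(default_factory=list)
    output_interface: Optional[str] = None       # local mirroring target
    output_vlan: Optional[str] = None            # remote mirroring (analyzer VLAN)
    output_is_trunk: bool = False
    mirror_once: bool = False
    ratio: int = 1                               # 1 = every packet (default analyzer)
    maximum_packet_length: Optional[int] = None  # None = complete packet
    fpc: Optional[int] = None                    # FPC binding of a statistical analyzer

    def is_statistical(self) -> bool:
        """Any nondefault mirroring property makes this a statistical analyzer."""
        return self.ratio != 1 or self.maximum_packet_length is not None

def check_analyzer(a: Analyzer, vlan_members: Optional[dict] = None) -> list:
    """Return guideline violations for one analyzer (empty list = passes).
    vlan_members maps a VLAN name to the set of its member interfaces."""
    problems = []
    sources = set(a.ingress_interfaces) | set(a.egress_interfaces)
    if a.output_interface in sources:
        problems.append(f"output interface {a.output_interface} is also a source port")
    if len(a.ingress_interfaces) + len(a.ingress_vlans) > MAX_INGRESS_INPUTS:
        problems.append(f"more than {MAX_INGRESS_INPUTS} ingress inputs")
    for ifname in sorted(sources | ({a.output_interface} - {None})):
        if ifname.startswith(NON_MIRRORABLE_PREFIXES):
            problems.append(f"{ifname}: traffic cannot be mirrored on this port type")
    if a.is_statistical() and a.fpc is None:
        problems.append("statistical analyzer must be bound to an FPC")
    if a.output_is_trunk and a.ingress_vlans:
        if a.egress_interfaces:
            problems.append("ingress plus egress mirroring needs an access output, not a trunk")
        elif not a.mirror_once:
            problems.append("VLAN input with a trunk output requires mirror-once")
    if a.output_vlan is not None:
        if a.output_vlan in a.ingress_vlans:
            problems.append(f"analyzer VLAN {a.output_vlan} is also an input VLAN")
        overlap = sources & set((vlan_members or {}).get(a.output_vlan, ()))
        if overlap:
            problems.append(f"input ports {sorted(overlap)} are members of analyzer VLAN {a.output_vlan}")
    return problems

def check_fleet(analyzers: list) -> list:
    """Chassis-wide limits: default analyzers overall, statistical analyzers per FPC."""
    problems = []
    defaults = sum(1 for a in analyzers if not a.is_statistical())
    if defaults > MAX_DEFAULT_ANALYZERS:
        problems.append(f"{defaults} default analyzers (limit {MAX_DEFAULT_ANALYZERS})")
    per_fpc = Counter(a.fpc for a in analyzers if a.is_statistical() and a.fpc is not None)
    for fpc, n in sorted(per_fpc.items()):
        if n > MAX_STATISTICAL_PER_FPC:
            problems.append(f"FPC {fpc}: {n} statistical analyzers bound (limit {MAX_STATISTICAL_PER_FPC})")
    return problems

def render_set_commands(a: Analyzer) -> list:
    """Render the analyzer as set commands under [edit forwarding-options analyzer]."""
    base = f"set forwarding-options analyzer {a.name}"
    cmds = [f"{base} input ingress interface {i}" for i in a.ingress_interfaces]
    cmds += [f"{base} input ingress vlan {v}" for v in a.ingress_vlans]
    cmds += [f"{base} input egress interface {i}" for i in a.egress_interfaces]
    if a.output_interface:
        cmds.append(f"{base} output interface {a.output_interface}")
    if a.output_vlan:
        cmds.append(f"{base} output vlan {a.output_vlan}")
    if a.ratio != 1:
        cmds.append(f"{base} ratio {a.ratio}")
    if a.maximum_packet_length is not None:
        cmds.append(f"{base} maximum-packet-length {a.maximum_packet_length}")
    if a.mirror_once:
        cmds.append(f"{base} mirror-once")
    return cmds

def sample_broken() -> Analyzer:
    """Constructed: output port reused as a source, VLAN input to a trunk without mirror-once."""
    return Analyzer("employee-monitor", ingress_interfaces=["ge-0/0/0.0", "ge-0/0/10.0"],
                    ingress_vlans=["employees"], output_interface="ge-0/0/10.0", output_is_trunk=True)

def sample_fixed() -> Analyzer:
    """Constructed: corrected version, sampled 1 in 10 at 128 bytes and bound to FPC 0."""
    return Analyzer("employee-monitor", ingress_interfaces=["ge-0/0/0.0", "ge-0/0/1.0"],
                    ingress_vlans=["employees"], output_interface="ge-0/0/10.0", output_is_trunk=True,
                    mirror_once=True, ratio=10, maximum_packet_length=128, fpc=0)

if __name__ == "__main__":
    for a in (sample_broken(), sample_fixed()):
        print(a.name, check_analyzer(a) or "OK", *render_set_commands(a), sep="\n")
```

Running the script reports the two violations in the broken plan (the reused output port and the missing mirror-once) and an empty list for the corrected one, followed by the set commands for each. Because the corrected analyzer sets a ratio and a maximum packet length it is a statistical analyzer, which is why the checker insists on an FPC binding; a plan that leaves both at their defaults is a default analyzer and only counts against the chassis-wide limit of 64.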