Understanding Port Mirroring Analyzers
Port mirroring can be used for traffic analysis on routers and switches that, unlike hubs, do not broadcast packets to every port on the destination device. Port mirroring sends copies of all packets or policy-based sample packets to local or remote analyzers where you can monitor and analyze the data.
In the context of port mirroring analyzers, we use the term switching device. The term indicates that the device (including routers) is performing a switching function.
You can use analyzers on a packet level to help you:
Monitor network traffic
Enforce network usage policies
Enforce file sharing policies
Identify causes of problems
Identify stations or applications with heavy or abnormal bandwidth usage
You can configure an analyzer to mirror:
Bridged packets (Layer 2 packets)
Routed packets (Layer 3 packets)
Mirrored packets can be copied to either a local interface for local monitoring or a VLAN or bridge domain for remote monitoring.
The following packets can be copied:
Packets entering or exiting a port—You can mirror packets entering or exiting ports, in any combination, for up to 256 ports. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.
Packets entering or exiting a VLAN or bridge domain—You can mirror the packets entering or exiting a VLAN or bridge domain to either a local analyzer port or to an analyzer VLAN or bridge domain. You can configure multiple VLANs (up to 256 VLANs) or bridge domains as ingress inputs to an analyzer, including a VLAN range and private VLANs (PVLANs).
Policy-based sample packets—You can mirror a policy-based sample of packets that are entering a port, VLAN, or bridge domain. You configure a firewall filter with a policy to select the packets to be mirrored. You can send the sample to a port-mirroring instance or to an analyzer VLAN or bridge domain.
You can configure an analyzer to define both the input traffic and the output traffic in the same analyzer configuration. The input traffic to be analyzed can be either traffic that enters or traffic that exits an interface or VLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, next-hop group, VLAN, or bridge domain. You can configure an analyzer at the [edit forwarding-options analyzer] hierarchy level.
Statistical Analyzer Overview
You can define a set of mirroring properties, such as mirroring rate and maximum packet length for traffic, that you can explicitly bind to physical ports on the router or switch. This set of mirroring properties constitutes a statistical analyzer (also called a nondefault analyzer). At this level, you can bind a named instance to the physical ports associated with a specific FPC.
Default Analyzer Overview
You can configure an analyzer without configuring any mirroring properties (such as mirroring rate or maximum packet length). By default, the mirroring rate is set to 1 and the maximum packet length is set to the complete length of the packet. These properties are applied at the global level and need not be bound to a specific FPC.
Port Mirroring at a Group of Ports Bound to Multiple Statistical Analyzers
You can apply up to two statistical analyzers to the same port groups on the switching device. By applying two different statistical analyzer instances to the same FPC or Packet Forwarding Engine, you can bind two distinct Layer 2 mirroring specifications to a single port group. Mirroring properties that are bound to an FPC override any analyzer (default analyzer) properties bound at the global level on the switching device. Default analyzer properties are overridden by binding a second analyzer instance on the same port group.
Port Mirroring Analyzer Terminology
Table 1 lists some port mirroring analyzer terms and their descriptions.
Table 1: Analyzer Terminology
Analyzer: In a mirroring configuration, the analyzer includes:
Analyzer output interface (also known as a monitor port): Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected. Note: Interfaces used as output for an analyzer must be configured under the forwarding-options hierarchy level. Analyzer output interfaces have the following limitations:
Analyzer VLAN or bridge domain (also known as a monitor VLAN or bridge domain): VLAN or bridge domain to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The member interfaces in the monitor VLAN or bridge domain are spread across the switching devices in your network.
Bridge-domain-based analyzer: An analyzer session whose configuration uses bridge domains for both input and output or for either input or output.
Default analyzer: An analyzer with default mirroring parameters. By default, the mirroring rate is 1 and the maximum packet length is the length of the complete packet.
Input interface (also known as a mirrored port or monitored interface): An interface on the switching device that is being mirrored. Traffic that is either entering or exiting this interface is mirrored.
LAG-based analyzer: An analyzer that has a link aggregation group (LAG) specified as the input (ingress) interface in the analyzer configuration.
Local mirroring: An analyzer configuration in which packets are mirrored to a local analyzer port.
Monitoring station: A computer running a protocol analyzer application.
Analyzer based on next-hop group: An analyzer session configuration that uses the next-hop group as the analyzer output.
Port-based analyzer: An analyzer session configuration that defines interfaces for both input and output.
Protocol analyzer application: An application used to examine packets transmitted across a network segment. Also commonly called a network analyzer, packet sniffer, or probe.
Remote mirroring: Functions the same way as local mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN or bridge domain that you create specifically for the purpose of receiving mirrored traffic. Mirrored packets carry an additional outer tag of the analyzer VLAN or bridge domain.
Statistical analyzer (also known as a nondefault analyzer): A set of mirroring properties that you define and explicitly bind to physical ports on the switch. This set of analyzer properties is known as a statistical analyzer.
VLAN-based analyzer: An analyzer session whose configuration uses VLANs for both input and output or for either input or output.
Configuration Guidelines for Port Mirroring Analyzers
When you configure port mirroring analyzers, we recommend that you follow these guidelines to ensure optimum benefit. We recommend that you disable mirroring when you are not using it, and that you select specific interfaces as input to the analyzer rather than using the all keyword, which enables mirroring on all interfaces. Mirroring only the necessary packets reduces any potential performance impact.
You can also limit the amount of mirrored traffic by:
Using statistical sampling
Using a firewall filter
Setting a ratio to select a statistical sample
With local mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. You must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.
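The analyzer configuration described above, written the way the guidelines recommend (named input interfaces rather than every port), as an added example that is not taken from this page or from Juniper's own documentation. The analyzer names, interface names and VLAN ID are assumed values; the vlans stanza uses EX Series syntax, and the two analyzers are shown side by side only for illustration, so the concurrent-analyzer limits in Table 2 still apply.

```junos
/* Added example, not Juniper's own; interface names, VLAN ID and
   analyzer names are assumed values for illustration. */
forwarding-options {
    analyzer {
        /* Local mirroring: ingress copies from two ports and egress copies
           from one of them, all delivered to one local monitor port. Inputs
           are named explicitly rather than mirroring every interface. */
        employee-monitor {
            input {
                ingress {
                    interface ge-0/0/0.0;
                    interface ge-0/0/1.0;
                }
                egress {
                    interface ge-0/0/0.0;
                }
            }
            output {
                /* monitor port; the protocol analyzer application attaches here */
                interface ge-0/0/10.0;
            }
        }
        /* Remote mirroring: copies are flooded into the analyzer VLAN with
           an added outer tag, so the monitoring station can sit elsewhere. */
        remote-monitor {
            input {
                ingress {
                    interface ge-0/0/2.0;
                }
            }
            output {
                vlan remote-analyzer;
            }
        }
    }
}
/* The analyzer VLAN (EX Series syntax); it must also be carried on the
   trunk that leads toward the monitoring station. */
vlans {
    remote-analyzer {
        vlan-id 999;
    }
}
```

After a commit, show analyzer lists each session with its input and output; deactivate forwarding-options analyzer employee-monitor followed by a commit turns a session off while it is not in use.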
Table 2 summarizes further configuration guidelines for analyzers.
Table 2: Configuration Guidelines for Port Mirroring Analyzers
Guideline: Value or Support Information
Number of analyzers that you can enable concurrently: Statistical analyzer, 2 per FPC.
Number of interfaces, VLANs, or bridge domains that you can use as ingress input to an analyzer: Up to 256 ports or 256 VLANs, as noted above.
Types of ports on which you cannot mirror traffic.
Protocol families that you can include in an analyzer: ethernet-switching for EX Series switches and bridge for MX Series routers. An analyzer mirrors only bridged traffic; to mirror routed traffic, use the port mirroring configuration with family inet or inet6.
Packets with physical layer errors are not sent to the local or remote analyzer: Packets with these errors are filtered out and thus are not sent to the analyzer.
Analyzer does not support line-rate traffic: Mirroring for line-rate traffic is done on a best-effort basis.
Analyzer output on a LAG interface.
Analyzer output interface mode as trunk mode.
Egress mirroring of host-generated control packets.
Configuring Layer 3 logical interfaces in the input stanza of an analyzer.
The analyzer input and output stanzas containing members of the same VLAN or the VLAN itself must be avoided.
Support for a VLAN and its member interfaces in different analyzer sessions: If mirroring is configured, either of the analyzers is active.
Egress mirroring of aggregated Ethernet (ae) interfaces and their child logical interfaces configured for different analyzers.