
Understanding Port Mirroring on EX Series Switches

Note

This concept uses Junos OS for EX Series switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.

You can use port mirroring to facilitate analyzing traffic on your Juniper Networks EX Series Ethernet Switch on a packet level. You might use port mirroring as part of monitoring switch traffic for such purposes as enforcing policies concerning network usage and file sharing and for identifying sources of problems on your network by locating abnormal or heavy bandwidth usage by particular stations or applications.

Port mirroring copies packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

  • Packets entering or exiting a port

  • Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switches

  • Packets exiting a VLAN on EX8200 switches

This topic describes:

  • Port Mirroring Overview

  • Port Mirroring Terminology

  • Configuration Guidelines for Port Mirroring on the Switches

Port Mirroring Overview

Port mirroring might be needed for traffic analysis on a switch because a switch, unlike a hub, does not broadcast every packet to every port. The switch sends a packet only to the port to which the destination device is connected, so a station on another port never sees it.

You configure port mirroring on the switch to send copies of unicast traffic to either a local analyzer port or an analyzer VLAN. Then you can analyze the mirrored traffic using a protocol analyzer application. The protocol analyzer application can run either on a computer connected to the analyzer output interface or on a remote monitoring station.

You can use port mirroring on a switch to mirror any of the following:

  • Packets entering or exiting a port—You can mirror the packets in any combination (on up to 256 ports). For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.

  • Packets entering a VLAN on an EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switch—You can mirror the packets entering a VLAN on these switches to either a local analyzer port or an analyzer VLAN. On EX3200, EX4200, EX4500, and EX4550 switches, you can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as ingress input to an analyzer.

  • Packets exiting a VLAN on an EX8200 switch—You can mirror the packets exiting a VLAN on an EX8200 switch to either a local analyzer port or an analyzer VLAN. You can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as egress input to an analyzer.

  • Statistical samples—You can mirror a statistical sample of packets that are

    • Entering or exiting a port

    • Entering a VLAN on an EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 switch

    • Exiting a VLAN on an EX8200 switch

    You specify the sample number of packets by setting the ratio. You can send the sample to either a local analyzer port or to an analyzer VLAN.

  • Policy-based sample—You can mirror a policy-based sample of packets that are entering a port or a VLAN. You configure a firewall filter to establish a policy to select the packets to be mirrored. You can send the sample to a local analyzer port or to an analyzer VLAN.

Note

Juniper Networks Junos operating system (Junos OS) for EX Series switches implements port mirroring differently than other Junos OS packages. Junos OS for EX Series switches does not include the port-mirroring statement found at the [edit forwarding-options] hierarchy level of other Junos OS packages, or the port-mirror action in firewall filter terms.
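The port-based and VLAN-based mirroring options listed above, combined with statistical sampling, in one native (local) analyzer. This is an added example, not configuration from the original page; the analyzer name, interface names, VLAN name and ratio value are assumptions chosen for illustration, and the syntax is the non-ELS style this topic covers.

```junos
# Added example (not from the original page): a native, local analyzer on a
# non-ELS EX Series switch. Names, interfaces and the ratio are assumptions.

# Output (monitor) port: must be family ethernet-switching, must not also be a
# source port, and loses any VLAN membership once it becomes the analyzer output.
set interfaces ge-0/0/10 unit 0 family ethernet-switching

# Mirror packets entering ge-0/0/0 and ge-0/0/1, and packets leaving ge-0/0/1
# (ingress and egress ports can be combined in any way, up to 256 ports).
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0

# Also mirror packets entering VLAN employee-vlan (assumed name). EX2200 allows
# one ingress VLAN; EX3200/EX4200/EX4500/EX4550 allow up to 256.
set ethernet-switching-options analyzer employee-monitor input ingress vlan employee-vlan

# Statistical sampling, ratio 1:x with x from 1 through 2047: copy 1 of every
# 200 packets. A ratio of 1 would copy every packet.
set ethernet-switching-options analyzer employee-monitor ratio 200

# Send the copies to the local monitor port where the protocol analyzer is attached.
set ethernet-switching-options analyzer employee-monitor output interface ge-0/0/10.0

# After commit, the analyzer state can be checked from operational mode with
# "show analyzer" (assumed to be available on this platform).
```

Because ge-0/0/10.0 is the output, it cannot appear in any input statement of this or another analyzer; the commit will fail if the same interface is used for both roles.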

Port Mirroring Terminology

Table 1 lists some port mirroring terms and their descriptions.

Table 1: Port Mirroring Terminology

Term | Description

Analyzer

A port mirroring configuration on an EX Series switch. The analyzer includes:

  • The name of the analyzer

  • Source (input) ports or VLAN (optional)

  • A destination for mirrored packets (either a monitor port or a monitor VLAN)

  • Ratio field for specifying statistical sampling of packets (optional)

  • Loss-priority setting

Analyzer output interface

(Also known as monitor port)

Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected.

Note: Interfaces used as output for an analyzer must be configured as family ethernet-switching.

Analyzer output interfaces have the following limitations:

  • Cannot also be a source port.

  • Cannot be used for switching.

  • Do not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP), when part of a port mirroring configuration.

  • Do not retain any VLAN associations they held before they were configured as analyzer output interfaces.

If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped.

Analyzer VLAN

(Also known as monitor VLAN)

VLAN to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The member interfaces in the monitor VLAN are spread across the switches in your network.

Firewall-based analyzer

An analyzer whose configuration does not specify an input source; it specifies only an output destination. A firewall-based analyzer must be used with a firewall filter to achieve the functionality of an analyzer.

Global analyzer (on EX4500 and EX4550 switches only)

An analyzer that is based on a firewall filter, VLAN, or link aggregation group (LAG) or an analyzer in which interfaces are on different port groups on the switch. A port group is a logical group of ports on the switch.

Input interface

(Also known as mirrored ports or monitored interfaces)

An interface on the switch whose traffic, either entering or exiting the interface, is being mirrored. An input interface cannot also be an output interface for an analyzer.

LAG-based analyzer

An analyzer that has a LAG specified as the input (ingress) interface in the analyzer configuration.

Local port mirroring

An analyzer configuration in which packets are mirrored to a local analyzer port.

Mirror ratio

See statistical sampling.

Monitoring station

A computer running a protocol analyzer application.

Native analyzer session

An analyzer session that has both input and output definitions in its analyzer configuration.

Policy-based mirroring

Mirroring of only those packets that match the conditions of a defined firewall filter term. The action analyzer analyzer-name in the firewall filter term sends the matching packets to the named analyzer.

Port-based analyzer

An analyzer session whose configuration defines interfaces for both input and output.

Protocol analyzer application

An application used to examine packets transmitted across a network segment. Also commonly called network analyzer, packet sniffer, or probe.

Remote port mirroring

Functions the same as local port mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic.

If you are using an intermediate (transit) switch, you can avoid flooding of the mirrored traffic to member interfaces of the VLAN by setting the ingress option to specify an interface of the VLAN for ingress-only traffic and the egress option to specify an interface of the VLAN for egress-only traffic in the [edit vlans] hierarchy level.

Statistical sampling

You can configure the system to mirror a sampling of the packets by setting a ratio of 1:x, where x is a value from 1 through 2047.

For example, when x is set to 1, all packets are copied to the analyzer. When x is set to 200, 1 of every 200 packets is copied.

VLAN-based analyzer

An analyzer session whose configuration uses VLANs for both input and output or for either input or output.
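The remote port mirroring and analyzer VLAN entries above, as an added example that is not part of the original page: a source switch floods mirrored packets into an analyzer VLAN, a transit switch passes that VLAN along using the ingress and egress options so the copies are not flooded to every member interface, and a destination switch delivers them to the monitoring station. VLAN ID 999, the VLAN and analyzer names and all interface names are assumptions; the syntax is the non-ELS style this topic covers.

```junos
# Added example (not from the original page). VLAN ID 999, the names and all
# interface numbers are assumptions. Three switches are shown in one listing.

# --- Source switch: copy packets entering ge-0/0/0 into the analyzer VLAN ---
set vlans remote-analyzer vlan-id 999
# Trunk toward the transit switch carries the analyzer VLAN. Marking it "egress"
# means mirrored traffic leaves only through this member, not every member.
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members remote-analyzer
set vlans remote-analyzer interface ge-0/0/10.0 egress
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

# --- Transit switch: forward the VLAN between two trunks without flooding ---
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members remote-analyzer
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members remote-analyzer
# ingress-only member receives the copies, egress-only member sends them on
set vlans remote-analyzer interface ge-0/0/0.0 ingress
set vlans remote-analyzer interface ge-0/0/1.0 egress

# --- Destination switch: hand the VLAN's traffic to the monitoring station ---
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members remote-analyzer
set vlans remote-analyzer interface ge-0/0/0.0 ingress
# Local monitor port for the protocol analyzer; family ethernet-switching is required.
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer
set ethernet-switching-options analyzer employee-monitor output interface ge-0/0/5.0
```

Keep the analyzer VLAN dedicated to mirrored traffic: any ordinary host port that is a member of VLAN 999 on the transit or destination switch would receive the copies, so the VLAN should have no members other than the trunks and the monitor port.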

Configuration Guidelines for Port Mirroring on the Switches

When you configure port mirroring, we recommend that you follow certain guidelines to ensure that you obtain optimum benefit from the port mirroring feature. Additionally, we recommend that you disable port mirroring when you are not using it and that you select specific interfaces for which packets must be mirrored (that is, select specific interfaces as input to the analyzer) in preference to using the all keyword option, which will enable port mirroring on all interfaces. You can also limit the amount of mirrored traffic by using statistical sampling, setting a ratio to select a statistical sample, or using a firewall filter. Mirroring only the necessary packets reduces any potential performance impact.

With local port mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. Thus, while configuring an analyzer, you must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.
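One way to follow these guidelines, limiting mirrored traffic with a firewall filter and selecting specific interfaces instead of the all keyword, is a firewall-based analyzer. This is an added example, not configuration from the original page; the analyzer and filter names, the 192.0.2.16/28 documentation prefix, port 80 and the interface names are assumptions, and the syntax is the non-ELS style this topic covers.

```junos
# Added example (not from the original page): a firewall-based (policy-based)
# analyzer that copies only the packets a filter selects. Names, addresses,
# ports and interfaces are assumptions.

# The analyzer specifies an output only; its input is supplied by the filter action.
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set ethernet-switching-options analyzer employee-web-monitor output interface ge-0/0/10.0

# Mirror only traffic toward the corporate subnet and HTTP traffic. Every term
# still accepts, so the filter changes what is copied, not what is forwarded.
set firewall family ethernet-switching filter watch-employee term to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term to-corp then analyzer employee-web-monitor
set firewall family ethernet-switching filter watch-employee term to-corp then accept
set firewall family ethernet-switching filter watch-employee term to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term to-web then analyzer employee-web-monitor
set firewall family ethernet-switching filter watch-employee term to-web then accept
# Explicit final accept so the implicit discard at the end of the filter never
# drops production traffic that merely failed to match a mirroring term.
set firewall family ethernet-switching filter watch-employee term everything-else then accept

# Firewall-filter mirroring is ingress only: apply the filter as an input filter
# on the specific port being monitored rather than mirroring all interfaces.
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee

# When the analyzer is not needed, take it out of service rather than leaving it
# running; "deactivate" is the generic Junos configuration-mode command for this:
#   deactivate ethernet-switching-options analyzer employee-web-monitor
```

The everything-else term matters: an ethernet-switching filter ends with an implicit discard, so a filter written only for mirroring would otherwise drop all unmatched traffic on ge-0/0/0.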

Table 2 summarizes further configuration guidelines for port mirroring on the switches.

Table 2: Configuration Guidelines for Port Mirroring

Guideline | Description | Comment

Note: “All other switches” or “All switches” in the Description column applies to switch platforms that support port mirroring. For details on platform support, see Feature Explorer.

Guideline: Number of VLANs that you can use as ingress input to an analyzer

Description:

  • 1—EX2200 switches

  • 256—EX3200, EX4200, EX4500, EX4550, and EX6200 switches

  • Does not apply—EX8200 switches

Guideline: Number of analyzers that you can enable concurrently (applies to both standalone switches and to Virtual Chassis)

Description:

  • 1—EX2200, EX3200, EX4200, EX3300, and EX6200 switches

  • 7 port-based or 1 global—EX4500 and EX4550 switches

  • 7 total, with one based on a VLAN, firewall filter, or LAG and with the remaining 6 based on firewall filters—EX8200 switches

    Note: An analyzer configured using a firewall filter does not support mirroring of packets that are egressing ports.

Comment:

  • You can configure more than the specified number of analyzers on the switch, but you can enable only the specified number for a session. Use disable ethernet-switching-options analyzer name to disable an analyzer.

  • See Table 1 for a description of global analyzers.

  • See the next row entry in this table for the exception to the number of firewall-filter–based analyzers allowed on EX4500 and EX4550 switches.

  • On an EX4550 Virtual Chassis, you can configure only one analyzer if ports in the input and output definitions are on different switches in a Virtual Chassis. To configure multiple analyzers, an entire analyzer session must be configured on the same switch of a Virtual Chassis.

Guideline: Number of firewall-filter–based analyzers that you can configure on EX4500 and EX4550 switches

Description:

  • 1—EX4500 and EX4550 switches

Comment: If you configure multiple analyzers, you cannot attach any of them to a firewall filter.

Guideline: Types of ports on which you cannot mirror traffic

Description:

  • Virtual Chassis ports (VCPs)

  • Management Ethernet ports (me0 or vme0)

  • Routed VLAN interfaces (RVIs)

  • VLAN-tagged Layer 3 interfaces

Guideline: If port mirroring is configured to mirror packets exiting 10-Gigabit Ethernet ports on EX8200 switches, packets are dropped in both network and mirrored traffic when the mirrored packets exceed 60 percent of the 10-Gigabit Ethernet port traffic.

Description:

  • EX8200 switches

Guideline: Traffic directions for which you can specify a ratio

Description:

  • Ingress only—EX8200 switches

  • Ingress and egress—All other switches

Guideline: Protocol families that you can include in a firewall-filter-based remote analyzer

Description:

  • Any except inet and inet6—EX8200 switches

  • Any—All other switches

Comment: You can use inet and inet6 on EX8200 switches in a local analyzer.

Guideline: Traffic directions that you can configure for mirroring on ports in firewall-filter–based configurations

Description:

  • Ingress only—All switches

Guideline: Mirrored packets on tagged interfaces might contain an incorrect VLAN ID or Ethertype.

Description:

  • Both VLAN ID and Ethertype—EX2200 switches

  • VLAN ID only—EX3200 and EX4200 switches

  • Ethertype only—EX4500 and EX4550 switches

  • Does not apply—EX8200 switches

Guideline: Mirrored packets exiting an interface do not reflect rewritten class-of-service (CoS) DSCP or 802.1p bits.

Description:

  • All switches

Guideline: The analyzer appends an incorrect 802.1Q (dot1q) header to the mirrored packets on the routed traffic or does not mirror any packets on the routed traffic when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for that analyzer.

Description:

  • EX8200 switches

  • Does not apply—All other switches

Comment: As a workaround, configure an analyzer that uses each port (member interface) of the VLAN as egress input.

Guideline: Packets with physical layer errors are not sent to the local or remote analyzer.

Description:

  • All switches

Comment: Packets with these errors are filtered out and thus are not sent to the analyzer.

Guideline: Port mirroring configuration on a Layer 3 interface with the output configured to a VLAN is not available on EX8200 switches.

Description:

  • EX8200 switches

  • Does not apply—All other switches

Guideline: Port mirroring does not support line-rate traffic.

Description:

  • All switches

Comment: Port mirroring for line-rate traffic is done on a best-effort basis.

Guideline: In an EX8200 Virtual Chassis, if you need to mirror traffic across the Virtual Chassis, then the output port must be a LAG.

Description:

  • EX8200 Virtual Chassis

  • Does not apply—All other switches

Comment: In an EX8200 Virtual Chassis:

  • You can configure LAG as a monitor port only for native analyzers.

  • You cannot configure LAG as a monitor port for analyzers based on firewall filters.

  • If an analyzer configuration contains LAG as a monitor port, then you cannot configure VLAN in the input definition of an analyzer.

Guideline: In standalone EX8200 switches, you can configure LAG in the output definition.

Description:

  • EX8200 standalone switches

  • Does not apply—All other switches

Comment: In EX8200 standalone switches:

  • You can configure a LAG as a monitor port on both native and firewall-based analyzers.

  • If a configuration contains LAG as a monitor port, then you cannot configure VLAN in the input definition of an analyzer.