Understanding Port Mirroring


Port Mirroring Overview

Port mirroring copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface for local monitoring or to a VLAN for remote monitoring. Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on.

Port mirroring is needed for traffic analysis on a switch because a switch normally sends packets only to the port to which the destination device is connected. You configure port mirroring on the switch to send copies of unicast traffic to a local interface or a VLAN and run an analyzer application on a device connected to the interface or VLAN. You configure port mirroring by using the analyzer statement.

Keep performance in mind when configuring port mirroring. For example, if you mirror traffic from multiple ports, the mirrored traffic may exceed the capacity of the output interface. We recommend that you limit the amount of copied traffic by selecting specific interfaces instead of using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter to send specific traffic to a port mirroring instance. Mirroring only the necessary packets reduces the possibility of a performance impact.

You can use port mirroring to copy any of the following:

  • All packets entering or exiting an interface (in any combination)—For example, you can send copies of the packets entering some interfaces and the packets exiting other interfaces to the same local interface or VLAN. If you configure port mirroring to copy packets exiting an interface, traffic that originates on that switch or Node device (in a QFabric system) is not copied when it egresses. Only switched traffic is copied on egress. (See the limitation on egress mirroring below.)

  • All packets entering a VLAN—You cannot use port mirroring to copy packets exiting a VLAN.

  • Firewall-filtered sample—Sample of packets entering a port or VLAN. Configure a firewall filter to select certain packets for mirroring.

    Note

    Firewall filters are not supported on egress ports; therefore, you cannot specify policy-based sampling of packets exiting an interface.

Port Mirroring Instance Types

To configure port mirroring, you configure an instance of one of the following types:

  • Analyzer instance: You must specify the input and output for the instance. This instance type is useful for ensuring that all traffic transiting an interface or VLAN is mirrored and sent to the analyzer device.

  • Port-mirroring instance: You do not specify an input for this instance type. Instead, you create a firewall filter that specifies the required traffic and directs it to the mirror. This instance type is useful for controlling which types of traffic should be mirrored. When you use a port-mirroring instance, you can direct traffic to it in the following ways:

    • Specify the name of the port-mirroring instance in the firewall filter using the port-mirror-instance instance-name action. You should use this approach if there are multiple port-mirroring instances defined.

    • Configure the filter to send the mirrored packets to the output interface defined in the instance using the port-mirror action. You can use this approach if there is only one port-mirroring instance defined.
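The two instance types side by side, as an added configuration example that is not part of the original documentation. Interface names, instance names, the filter name and the 192.0.2.0/24 address range are assumptions chosen for illustration; the output ports are assumed to be otherwise unused access ports, since they stop switching and lose their VLAN membership once used here.

```junos
# Analyzer instance: input and output are both stated explicitly. Copies
# everything entering xe-0/0/1.0 and everything exiting xe-0/0/2.0 to the
# monitor port xe-0/0/47.0 (assumed to be a free access port).
set forwarding-options analyzer mon-all input ingress interface xe-0/0/1.0
set forwarding-options analyzer mon-all input egress interface xe-0/0/2.0
set forwarding-options analyzer mon-all output interface xe-0/0/47.0

# Port-mirroring instance: output only, no input. Traffic reaches it solely
# through a firewall filter, which keeps the copied volume small.
set forwarding-options port-mirroring instance mon-web output interface xe-0/0/46.0

# Filter that copies only traffic addressed to the assumed server range
# 192.0.2.0/24 and forwards all traffic unchanged. port-mirror-instance is
# an action modifier, so the term still needs a terminating action (accept).
set firewall family ethernet-switching filter web-to-mirror term copy-web from ip-destination-address 192.0.2.0/24
set firewall family ethernet-switching filter web-to-mirror term copy-web then port-mirror-instance mon-web
set firewall family ethernet-switching filter web-to-mirror term copy-web then accept
set firewall family ethernet-switching filter web-to-mirror term pass-rest then accept

# Apply the filter on ingress only: firewall filters are not supported on
# egress ports, so policy-based mirroring of exiting packets is not possible.
set interfaces xe-0/0/3 unit 0 family ethernet-switching filter input web-to-mirror
```

Together these count as two ingress mirroring configurations (the analyzer's ingress input and the filter-driven instance), which is the per-switch ingress limit stated in the constraints section.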

Port-Mirroring Terminology

Table 1 lists the terms used in the documentation about port mirroring and provides definitions.

Table 1: Port Mirroring Terms and Definitions

Term / Description

Analyzer instance

Port-mirroring configuration that includes a name, source interfaces or source VLAN, and a destination for mirrored packets (either a local access interface or a VLAN).

Port mirroring instance

Note: The port mirroring instance feature is not supported on NFX150 devices.

A port-mirroring configuration that does not specify an input. A firewall filter must be used to send traffic to the port mirror. Use the action port-mirror-instance instance-name in the firewall filter configuration to send packets to the port mirror.

Output interface (also known as monitor interface)

Access interface to which packet copies are sent and to which a device running an analyzer application is connected.

The following limitations apply to an output interface:

  • Cannot also be a source port.

  • Cannot be used for switching.

  • Cannot be an aggregated Ethernet interface (LAG).

  • Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP).

  • Loses any existing VLAN associations when you configure it as an analyzer output interface.

If the capacity of the output interface is insufficient to handle the traffic from the source ports, overflow packets are dropped.

Output IP address

IP address of the device running an analyzer application. The device can be on a remote network. When you use this feature, the mirrored packets are GRE-encapsulated. The analyzer device must be able to de-encapsulate GRE-encapsulated packets, or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer device. (You can use a network sniffer to de-encapsulate the packets.)

  • An output IP address cannot be in the same subnetwork as any of the switch’s management interfaces.

  • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).

Output VLAN (also known as monitor or analyzer VLAN)

VLAN to which copies are sent and to which a device running an analyzer application is connected. The analyzer VLAN can span multiple switches.

The following limitations apply to an output VLAN:

  • Cannot be a private VLAN or VLAN range.

  • Cannot be shared by multiple analyzer statements.

  • An output VLAN interface cannot be a member of any other VLAN.

  • An output VLAN interface cannot be an aggregated Ethernet interface (LAG).

  • On some switches, only one interface can be a member of the analyzer VLAN. This limitation does not apply on the QFX10000 switch if traffic is mirrored on ingress. In this case, multiple QFX10000 interfaces can belong to the output VLAN, and traffic is mirrored to all of those interfaces. If traffic is mirrored on egress on a QFX10000 switch, only one interface can be a member of the analyzer VLAN.

Input interface (also known as mirrored or monitored interface)

Interface that provides traffic to be mirrored. This traffic can be entering or exiting the interface. (Ingress or egress traffic can be mirrored.) An input interface cannot also be an output interface for an analyzer.

Monitoring station

Computer running an analyzer application.

Local port mirroring

Port-mirroring configuration in which the mirrored packets are sent to an interface on the same switch.

Remote port mirroring

Flooding mirrored packets to an output (analyzer) VLAN that you create to receive mirror traffic or sending the mirrored packets to a remote IP address. (You cannot send mirrored packets to a remote IP address on a QFabric system.)

Policy-based mirroring

Mirroring of packets that match a firewall filter term. The action analyzer analyzer-name is used in the firewall filter to send the packets to the analyzer.

Port Mirroring and STP

The behavior of STP in a port-mirroring configuration depends on the version of Junos OS you are using:

  • Junos OS 13.2X50, Junos OS 13.2X51-D25 or earlier, Junos OS 13.2X52: If you enable STP, port mirroring might not work because STP might block the mirrored packets.

  • Junos OS 13.2X51-D30, Junos OS 14.1X53: STP is disabled for mirrored traffic. You must ensure that your topology prevents loops for this traffic.

Port Mirroring Constraints and Limitations

Local and Remote Port Mirroring

The following constraints and limitations apply to local and remote port mirroring:

  • You can create a total of four port-mirroring configurations.

  • You can create a total of four port-mirroring configurations on each Node group in a QFabric system, subject to the following constraints:

    • As many as four of the configurations can be for local port mirroring.

    • As many as three of the configurations can be for remote port mirroring.

  • Regardless of whether you are configuring a standalone switch or a Node group, the following limits apply:

    • There can be no more than two configurations that mirror ingress traffic. (If you configure a firewall filter to send traffic to a port mirror—that is, you use the analyzer action modifier in a filter term—this counts as an ingress mirroring configuration for the switch or Node group on which the filter is applied.)

    • There can be no more than two configurations that mirror egress traffic.

Note

On QFabric systems, there is no system-wide limit on the total number of mirror sessions.

  • You can configure no more than one type of output in one port-mirroring configuration. That is, you can use no more than one of the following to complete a set analyzer name output statement:

    • interface

    • ip-address

    • vlan

  • If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs on a standalone switch or QFabric system. If you do so, some VLAN packets might contain incorrect VLAN IDs. This applies to any VLAN packets—not only the mirrored copies.

  • The ratio and loss-priority options are not supported.

  • Packets with physical layer errors are filtered out and are not sent to the output port or VLAN.

  • If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit from the output interface.

  • You cannot mirror packets exiting or entering the following ports:

    • Dedicated Virtual Chassis interfaces

    • Management interfaces (me0 or vme0)

    • Fibre Channel interfaces

    • Integrated routing and bridging (IRB) interfaces (also known as routed VLAN interfaces, or RVIs)

  • An aggregated Ethernet interface cannot be an output interface if the input is a VLAN or if traffic is sent to the analyzer by a firewall filter.

  • When packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.

  • An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.

  • CPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.

  • VLAN-based mirroring is not supported for STP traffic.

  • (QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on different Node devices, the mirrored copies have incorrect VLAN IDs. This limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on the same Node device. In this case the mirrored copies have the correct VLAN IDs (as long as you do not configure more than 2000 VLANs on the QFabric system).

  • True egress mirroring is defined as mirroring the exact number of copies and the exact packet modifications that went out the egress switched port. Because the processor on QFX5xxx (including QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210) and EX4600 (including EX4600 and EX4650) switches implements egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet modifications, so egress mirrored traffic can carry incorrect VLAN tags that differ from the tags in the original traffic.

  • If you configure a port-mirroring instance to mirror traffic exiting from an interface that performs VXLAN encapsulation, the source and destination MAC addresses of the mirrored packets will not be the same as those of the original traffic.

  • Mirroring on member interfaces of a LAG is not supported.

  • Egress VLAN mirroring is not supported.

Remote Port Mirroring Only

The following constraints and limitations apply to remote port mirroring:

  • If you configure an output IP address, the address cannot be in the same subnetwork as any of the switch’s management interfaces.

  • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).

  • An output VLAN cannot be a private VLAN or VLAN range.

  • An output VLAN cannot be shared by multiple analyzer statements.

  • An output VLAN interface cannot be a member of any other VLAN.

  • An output VLAN interface cannot be an aggregated Ethernet interface.

  • If the output VLAN has more than one member interface, then traffic is mirrored only to the first member of the VLAN, and other members of the same VLAN do not carry any mirrored traffic.

  • If you attempt to configure more than one analyzer session for remote port mirroring to an IP address (GRE encapsulation) and the IP addresses of the analyzers are reachable through the same interface, then only one analyzer session is configured.

Port Mirroring Constraints on OCX Series Switches

The following constraints and limitations apply to port mirroring on OCX Series switches:

  • You can create a total of four port-mirroring configurations. The following constraints also apply:

    • There can be no more than two configurations that mirror ingress traffic.

    • There can be no more than two configurations that mirror egress traffic.

  • If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit from the output interface.

  • You can create only one port-mirroring session.

  • You cannot mirror packets exiting or entering the following ports:

    • Dedicated Virtual Chassis interfaces

    • Management interfaces (me0 or vme0)

    • Fibre Channel interfaces

    • Routed VLAN interfaces or IRB interfaces

  • An aggregated Ethernet interface cannot be an output interface.

  • Do not include an 802.1Q subinterface that has a unit number other than 0 in a port mirroring configuration. Port mirroring does not work with subinterfaces if their unit number is not 0. (You configure 802.1Q subinterfaces using the vlan-tagging statement.)

  • When packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.

  • An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.

  • CPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.

  • VLAN-based mirroring is not supported for STP traffic.