Port, VLAN, and Flow Mirroring on ACX5000 Series Routers

The ACX5000 line of routers supports the following mirroring modes:

• Port mirroring—In this mode, packets entering to a configured port are mirrored. You need to include the analyzer CLI statement at the [edit forwarding-options] hierarchy level, where input to a mirror is through a list of ports configured through the logical interface
• VLAN mirroring—In this mode, packets entering a VLAN (based on bridge domain) are mirrored. You need to include the analyzer CLI statement at the [edit forwarding-options] hierarchy level, where input to a mirror is a VLAN (based on bridge domain).
• Flow mirroring—In this mode, input parameters for mirroring are specified through a firewall filter. You need to include the port-mirror CLI statement at the [edit forwarding-options] hierarchy level. The ACX5000 line of routers supports only family ethernet-switching and family inet configurations. If the input is family ethernet-switching, then output must also be family ethernet-switching. If input is family inet, then the output must also be family inet with output option as IP address. If you configure flow-based mirroring without any firewall filter match conditions, then mirroring is based on logical interface. The ACX5000 line of routers do not support IPv6, CCC, MPLS, and VPLS family options under the [edit forwarding-options port-mirroring] hierarchy level.

Note: The ACX5000 line of routers supports both ingress and egress mirroring for the following mirroring modes: Flow and VLAN mirroring supports only ingress mirroring. Port mirroring supports both ingress and egress mirroring. In flow-based mirroring, firewall filters can be configured on a logical interface as well as on a physical interface. If the vlan-id option for a VLAN (bridge domain) is not configured, or if the vlan-id option is configured as none, then the mirrored packet is sent as is without any additional VLAN tags.

You need to consider the following limitations before configuring port, VLAN and flow mirroring on the ACX5000 line of routers:

• The maximum number of port mirror instances supported is four.
• Egress mirroring with firewall filter is not supported for port mirroring.
• When output of mirror is VLAN, then VLAN can have only one member and the mirrored traffic is sent to that member.
• The rate and maximum-packet-length parameters are not supported.
• Mirroring to multiple destination ports (using next-hop group) is not supported.
• IRB interfaces cannot be configured for mirroring.
• Only eight members per aggregated Ethernet interface are supported for mirroring.
• When both VLAN and flow mirroring matches a packet stream, then flow mirroring takes the precedence.
• If egress mirroring for a port is configured within a bridge domain, then the mirrored copy of the packet contains the vlan-only internal. This is applicable for Layer 3 routed packets.
• Logical tunnel (-lt) interfaces are not supported for port mirroring.
• You can have only one logical interface as output at the [edit forwarding-options analyzer analyzer-name output] hierarchy level. Adding another logical interface as output will override the existing logical interface configuration. Mirroring happens at the physical interface level, even though the configuration is done as a logical interface.