Example: Layer 2 Port Mirroring at a Logical Interface
The following steps describe an example in which the global port-mirroring instance and a port-mirroring firewall filter are used to configure Layer 2 port mirroring for the input to a logical interface.
- Assume that logical interface ge-2/0/0.0 is associated with an external traffic analyzer that is to receive port-mirrored packets. Assume that logical interfaces ge-2/0/6.0 and ge-3/0/1.2 will be the traffic input and output ports, respectively.

- Configure the bridge domain example-bd-with-analyzer, which contains the external packet analyzer, and the bridge domain example-bd-with-traffic, which contains the source and destination of the Layer 2 traffic being mirrored:

  [edit]
  bridge-domains {
      example-bd-with-analyzer { # Contains an external traffic analyzer
          vlan-id 1000;
          interface ge-2/0/0.0; # External analyzer
      }
      example-bd-with-traffic { # Contains traffic input and output interfaces
          vlan-id 1000;
          interface ge-2/0/6.0; # Traffic input port
          interface ge-3/0/1.2; # Traffic output port
      }
  }

- Configure Layer 2 port mirroring for the global instance, with the port-mirroring destination being the bridge domain interface associated with the external analyzer (logical interface ge-2/0/0.0 on bridge domain example-bd-with-analyzer). Be sure to enable the option that allows filters to be applied to this port-mirroring destination:

  [edit]
  forwarding-options {
      port-mirroring {
          input {
              rate 10;
              run-length 5;
          }
          family bridge {
              output {
                  interface ge-2/0/0.0; # Mirror packets to the external analyzer
                  no-filter-check; # Allow filters on the mirror destination interface
              }
          }
      }
  }

  The input statement at the [edit forwarding-options port-mirroring] hierarchy level specifies that sampling selects every tenth packet and that the first five packets of each selection are mirrored.

  The output statement at the [edit forwarding-options port-mirroring family bridge] hierarchy level specifies the output mirror interface for Layer 2 packets in a bridging environment:

  - Logical interface ge-2/0/0.0, which is associated with the external packet analyzer, is configured as the port-mirroring destination.
  - The optional no-filter-check statement allows filters to be configured on this destination interface.

- Configure the Layer 2 port-mirroring firewall filter example-bridge-pm-filter:

  [edit]
  firewall {
      family bridge {
          filter example-bridge-pm-filter {
              term example-filter-terms {
                  then {
                      accept;
                      port-mirror;
                  }
              }
          }
      }
  }

  When this firewall filter is applied to the input or output of a logical interface for traffic in a bridging environment, Layer 2 port mirroring is performed according to the input packet-sampling properties and mirror destination properties configured for the Layer 2 port-mirroring global instance. Because this firewall filter is configured with the single, default filter action accept, all packets selected by the input properties (rate = 10 and run-length = 5) match this filter.

- Configure the logical interfaces:

  [edit]
  interfaces {
      ge-2/0/0 { # Define the interface to the external analyzer
          encapsulation ethernet-bridge;
          unit 0 {
              family bridge;
          }
      }
      ge-2/0/6 { # Define the traffic input port
          flexible-vlan-tagging;
          encapsulation extended-vlan-bridge;
          unit 0 {
              vlan-id 100;
              family bridge {
                  filter {
                      input example-bridge-pm-filter; # Apply the port-mirroring firewall filter
                  }
              }
          }
      }
      ge-3/0/1 { # Define the traffic output port
          flexible-vlan-tagging;
          encapsulation extended-vlan-bridge;
          unit 2 {
              vlan-tags outer 10 inner 20;
              family bridge;
          }
      }
  }

  Packets received at logical interface ge-2/0/6.0 on bridge domain example-bd-with-traffic are evaluated by the port-mirroring firewall filter example-bridge-pm-filter. The firewall filter acts on the input traffic according to the filter actions configured in the firewall filter itself plus the input packet-sampling properties and mirror destination properties configured in the global port-mirroring instance:

  - All packets received at ge-2/0/6.0 are forwarded to their (assumed) normal destination at logical interface ge-3/0/1.2.
  - For every ten input packets, copies of the first five packets in that selection are forwarded to the external analyzer at logical interface ge-2/0/0.0 in the other bridge domain, example-bd-with-analyzer.
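The steps above tie four hierarchy levels together, and a mistake in any one of them (a filter that never calls port-mirror, an analyzer port sharing a bridge domain with the traffic it receives copies of, or a missing no-filter-check) is easy to miss by eye. The following Python script is an added example, not Juniper code: it parses a constructed, compacted copy of this example's configuration with a minimal brace-syntax parser (no support for quoted strings or annotations, which is an assumption that holds for this input) and reports those inconsistencies.

```python
import re
# Constructed sample (not the page's text): the example's statements in compact Junos brace syntax.
SAMPLE_CONFIG = """
bridge-domains {
    example-bd-with-analyzer { vlan-id 1000; interface ge-2/0/0.0; }
    example-bd-with-traffic { vlan-id 1000; interface ge-2/0/6.0; interface ge-3/0/1.2; } }
forwarding-options { port-mirroring { input { rate 10; run-length 5; }
    family bridge { output { interface ge-2/0/0.0; no-filter-check; } } } }
firewall { family bridge { filter example-bridge-pm-filter {
    term example-filter-terms { then { accept; port-mirror; } } } } }
interfaces { ge-2/0/6 { flexible-vlan-tagging;
    unit 0 { family bridge { filter { input example-bridge-pm-filter; } } } } }
"""

def parse(text):
    """Parse Junos brace-style text into nested dicts; leaf statements map to None."""
    node = root = {}
    stack, words = [], []
    for tok in re.findall(r'[{};]|[^\s{};]+', re.sub(r'#.*', '', text)):
        if tok == '{':
            stack.append(node)
            node, words = node.setdefault(' '.join(words), {}), []
        elif tok == ';':
            node[' '.join(words)], words = None, []
        elif tok == '}':
            node = stack.pop()
        else:
            words.append(tok)
    return root

def check_mirroring(text):
    """Return findings about the mirroring setup; an empty list means it is consistent."""
    cfg, findings = parse(text), []
    output = cfg['forwarding-options']['port-mirroring']['family bridge']['output']
    dest = next(k.split()[1] for k in output if k.startswith('interface '))
    bd_of = {s.split()[1]: bd for bd, body in cfg['bridge-domains'].items()
             for s in body if s.startswith('interface ')}  # logical interface -> bridge domain
    if 'no-filter-check' not in output:
        findings.append('no-filter-check missing: a filter on the destination fails the commit check')
    filters = cfg['firewall']['family bridge']
    for ifname, units in cfg['interfaces'].items():
        for unit, body in units.items():  # leaf statements have body None and carry no filter
            for stmt in ((body or {}).get('family bridge') or {}).get('filter') or {}:
                name, lif = stmt.split()[1], f"{ifname}.{unit.split()[1]}"
                terms = filters.get(f'filter {name}') or {}
                if not any('port-mirror' in (t.get('then') or {}) for t in terms.values()):
                    findings.append(f'{lif}: filter {name} never invokes port-mirror')
                if dest in bd_of and bd_of.get(lif) == bd_of[dest]:
                    findings.append(f'{lif}: shares a bridge domain with analyzer port {dest}')
    return findings
```

Run check_mirroring(SAMPLE_CONFIG) to get an empty list for the configuration above; removing no-filter-check or the port-mirror action from the sample produces a finding naming the missing statement.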