    Example: Layer 2 Port Mirroring to Multiple Destinations

    On MX Series routers and EX Series switches, you can mirror traffic to multiple destinations by configuring next-hop groups in Layer 2 port-mirroring firewall filters applied to tunnel interfaces.

    1. Configure the chassis to support tunnel services at PIC 0 on FPC 2. This configuration includes two logical tunnel interfaces on FPC 2, PIC 0, port 10.

      [edit]
      chassis {
          fpc 2 {
              pic 0 {
                  tunnel-services {
                      bandwidth 1g;
                  }
              }
          }
      }
    2. Configure the physical and logical interfaces for three VLANs and one Layer 2 VPN CCC:

      • VLAN bd will span logical interfaces ge-2/0/1.0 and ge-2/0/1.1.
      • VLAN bd_next_hop_group will span logical interfaces ge-2/2/9.0 and ge-2/0/2.0.
      • VLAN bd_port_mirror will use the logical tunnel interface lt-2/0/10.2.
      • Layer 2 VPN CCC if_switch will connect logical interfaces ge-2/0/1.2 and lt-2/0/10.1.
      [edit]
      interfaces {
          ge-2/0/1 {
              flexible-vlan-tagging;
              encapsulation flexible-ethernet-services;
              unit 0 { # An interface on bridge domain 'bd'.
                  encapsulation vlan-bridge;
                  vlan-id 200;
                  family ethernet-switching {
                      filter {
                          input filter_pm_bridge;
                      }
                  }
              }
              unit 1 { # An interface on bridge domain 'bd'.
                  encapsulation vlan-bridge;
                  vlan-id 201;
                  family ethernet-switching {
                      filter {
                          input filter_pm_bridge;
                      }
                  }
              }
              unit 2 {
                  encapsulation vlan-ccc;
                  vlan-id 1000;
              }
          }
          ge-2/0/2 { # For 'bd_next_hop_group'
              encapsulation ethernet-bridge;
              unit 0 {
                  family ethernet-switching;
              }
          }
          lt-2/0/10 {
              unit 1 {
                  encapsulation ethernet-ccc;
                  peer-unit 2;
              }
              unit 2 {
                  encapsulation ethernet-bridge;
                  peer-unit 1;
                  family ethernet-switching {
                      filter {
                          output filter_redirect_to_nhg;
                      }
                  }
              }
          }
          ge-2/2/9 {
              encapsulation ethernet-bridge;
              unit 0 { # For 'bd_next_hop_group'
                  family ethernet-switching;
              }
          }
      }
    3. Configure the three VLANs and the Layer 2 VPN switching CCC:

      • VLAN bd spans logical interfaces ge-2/0/1.0 and ge-2/0/1.1.
      • VLAN bd_next_hop_group spans logical interfaces ge-2/2/9.0 and ge-2/0/2.0.
      • VLAN bd_port_mirror uses the logical tunnel interface lt-2/0/10.2.
      • Layer 2 VPN CCC if_switch connects interfaces ge-2/0/1.2 and lt-2/0/10.1.
      [edit]
      vlans {
          bd {
              interface ge-2/0/1.0;
              interface ge-2/0/1.1;
          }
          bd_next_hop_group {
              interface ge-2/2/9.0;
              interface ge-2/0/2.0;
          }
          bd_port_mirror {
              interface lt-2/0/10.2;
          }
      }
      protocols {
          mpls {
              interface all;
          }
          connections {
              interface-switch if_switch {
                  interface ge-2/0/1.2;
                  interface lt-2/0/10.1;
              }
          }
      }
      For detailed information about configuring the CCC connection for Layer 2 switching cross-connects, see the MPLS Applications Feature Guide.
    4. Configure forwarding options:

      • Configure global port mirroring properties to mirror family vpls traffic to an interface on the bridge domain bd_port_mirror.
      • Configure the next-hop group nhg_mirror_to_bd to forward Layer 2 traffic to the VLAN bd_next_hop_group.

      Both of these forwarding options will be referenced by the port-mirroring firewall filter:

      [edit]
      forwarding-options {
          port-mirroring { # Global port mirroring properties.
              input {
                  rate 1;
              }
              family vpls {
                  output {
                      interface lt-2/0/10.2; # Interface on 'bd_port_mirror' bridge domain.
                      no-filter-check;
                  }
              }
          }
          next-hop-group nhg_mirror_to_bd { # Configure a next-hop group.
              group-type layer-2; # Specify 'layer-2' for Layer 2; default 'inet' is for Layer 3.
              interface ge-2/0/2.0; # Interface on 'bd_next_hop_group' bridge domain.
              interface ge-2/2/9.0; # Interface on 'bd_next_hop_group' bridge domain.
          }
      }
    5. Configure two Layer 2 port-mirroring firewall filters for family bridge traffic:

      • filter_pm_bridge—Sends all family bridge traffic to the global port mirroring destination.
      • filter_redirect_to_nhg—Sends all family bridge traffic to the final next-hop group nhg_mirror_to_bd.

      Layer 2 port-mirroring firewall filters for family bridge traffic apply to traffic on a physical interface configured with encapsulation ethernet-bridge.

      [edit]
      firewall {
          family bridge {
              filter filter_pm_bridge {
                  term term_port_mirror {
                      then port-mirror;
                  }
              }
              filter filter_redirect_to_nhg {
                  term term_nhg {
                      then next-hop-group nhg_mirror_to_bd;
                  }
              }
          }
      }
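
    Added example (not part of the Juniper documentation): a Python check that follows the chain this procedure builds, from the filter bound on an interface unit, to the firewall filter's action, to the global port-mirroring output or the next-hop group members. It reports where each bound unit's traffic is copied and flags any reference that does not resolve. The helper names `paths` and `mirror_audit` are hypothetical, the sample input is constructed, and the code assumes curly-brace configuration text with family-scoped filters and single `input`/`output` filter bindings.

```python
import re

# Constructed sample trimmed from the configuration above; unit 1 binds an undefined filter name.
SAMPLE = """
interfaces { ge-2/0/1 { unit 0 { family ethernet-switching { filter { input filter_pm_bridge; } } }
                        unit 1 { family ethernet-switching { filter { input pm_bridge; } } } }
  lt-2/0/10 { unit 2 { family ethernet-switching { filter { output filter_redirect_to_nhg; } } } } }
forwarding-options { port-mirroring { family vpls { output { interface lt-2/0/10.2; } } }
  next-hop-group nhg_mirror_to_bd { group-type layer-2; interface ge-2/0/2.0; interface ge-2/2/9.0; } }
firewall { family bridge { filter filter_pm_bridge { term term_port_mirror { then port-mirror; } }
  filter filter_redirect_to_nhg { term term_nhg { then next-hop-group nhg_mirror_to_bd; } } } }
"""

def paths(text):
    """Flatten curly-brace Junos config into one tuple of statements per leaf."""
    out, stack, words = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)):
        if tok not in "{};":
            words.append(tok)
            continue
        stmt, words = " ".join(words), []
        if tok == "{":
            stack.append(stmt)
        elif tok == ";":
            out.append((*stack, stmt))
        else:
            stack.pop()
    return out

def mirror_audit(text):
    """Return ({'ifl direction': [mirror destinations]}, [unresolved references])."""
    targets, filters, binds = {}, {}, []
    for p in paths(text):
        if p[0] == "forwarding-options" and p[-1].startswith("interface "):
            key = "port-mirror" if p[1] == "port-mirroring" else p[1]
            targets.setdefault(key, []).append(p[-1].split()[1])
        elif p[0] == "firewall" and len(p) > 3 and p[2].startswith("filter "):
            filters.setdefault(p[2].split()[1], []).append(re.sub(r"^then ", "", p[-1]))
        elif p[0] == "interfaces" and "filter" in p and re.fullmatch(r"(in|out)put \S+", p[-1]):
            binds.append((f"{p[1]}.{p[2].split()[1]}", *p[-1].split()))
    dests, dangling = {}, []
    for ifl, direction, name in binds:
        # An undefined filter becomes a pseudo-action so the loop below reports it.
        for act in filters.get(name, [f"filter {name}"]):
            if act in targets:
                dests.setdefault(f"{ifl} {direction}", []).extend(targets[act])
            elif act.startswith(("filter ", "next-hop-group ")):
                dangling.append(f"{ifl}: unresolved {act}")
    return dests, dangling
```

    Calling `mirror_audit(SAMPLE)` returns the destination map for ge-2/0/1.0 and lt-2/0/10.2 and one unresolved entry for ge-2/0/1.1; comparing the destination list against the interfaces that are meant to receive mirrored traffic is a quick review step before commit.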

    Modified: 2015-02-10