Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring Port Mirroring for Remote Analysis

    Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring copies packets entering or exiting an interface or entering a VLAN and sends the copies either to a local interface for local monitoring or to a VLAN for remote monitoring. This example describes how to configure port mirroring for remote analysis.

    Note: This example uses a release of Junos OS that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Configuring Port Mirroring for Remote Analysis. For ELS details, see Getting Started with Enhanced Layer 2 Software.

    Requirements

    This example uses the following hardware and software components:

    • Junos OS Release 12.1 for the QFX Series
    • A switch

    Overview and Topology

    This topic includes two related examples that describe how to mirror traffic entering ports on the switch to an analyzer VLAN so that you can perform analysis using a remote device. The first example shows how to mirror all traffic sent by employee computers to the switch. The second example includes a filter to mirror only the employee traffic going to the Web.

    In this example:

    • Interfaces ge-0/0/0 and ge-0/0/1 are Layer 2 interfaces that connect to employee computers.
    • Interface ge-0/0/10 is a Layer 2 interface that connects to another switch.
    • VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

    Note: In addition to performing the configuration steps described here, you must also configure the analyzer VLAN (remote-analyzer in this example) on the other switches that are used to connect the source switch (the one in this configuration) to the one that the monitoring station is connected to.

    Mirroring All Employee Traffic for Remote Analysis

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the edit hierarchy level:

    [edit]
    set vlans remote-analyzer vlan-id 999
    set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
    set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
    set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
    set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

    Step-by-Step Procedure

    To configure basic remote port mirroring:

    1. Configure the analyzer VLAN (called remote-analyzer in this example):
      [edit vlans]
      user@switch# set vlans remote-analyzer vlan-id 999
    2. Configure the interface connected to another switch for trunk mode and associate it with the remote-analyzer VLAN:
      [edit interfaces]
      user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
      user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
    3. Configure the employee-monitor analyzer:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee–monitor
      user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
      user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
      user@switch# set analyzer employee-monitor output vlan remote-analyzer
    4. Configure the remote-analyzer VLAN on the switches that connect this switch to the monitoring workstation.

    Results

    Check the results of the configuration:

    [edit] user@switch# show
    ethernet-switching-options {analyzer employee-monitor {input {ingress {interface ge-0/0/0.0;interface ge-0/0/1.0;}}output {vlan {remote-analyzer;}}}}

    Mirroring Employee-to-Web Traffic for Remote Analysis

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the edit hierarchy level:

    [edit]
    set vlans remote-analyzer vlan-id 999
    set interfaces ge-0/0/10 unit 0 family ethernet-switching port mode trunk
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999set ethernet-switching-options analyzer employee-web-monitor loss-priority high output vlan 999
    set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
    set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
    set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
    set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

    Step-by-Step Procedure

    1. Configure the analyzer VLAN (called remote-analyzer in this example):
      [edit vlans]
      user@switch# set remote-analyzer vlan-id 999
    2. Configure an interface to associate it with the remote-analyzer VLAN:
      [edit interfaces]
      user@switch# set interfaces ge-0/0/10 unit 0 family ethernet-switching port mode trunk
      user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
    3. Configure the employee-web-monitor analyzer. (Configure only the output—the input comes from the filter.)
      [edit ethernet-switching-options]
      user@switch# set ethernet-switching-optionsanalyzer employee-web-monitor output vlan 999
    4. Configure a firewall filter called watch-employee to match traffic sent to the Web and send it to the analyzer employee-web-monitor:
      [edit firewall family ethernet-switching]
      user@switch# set filter watch-employee term employee-to-web from destination-port 80
      user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor
    5. Apply the firewall filter to the appropriate interfaces as an ingress filter:
      [edit interfaces]
      user@switch# set ge-0/0/0 unit 0 family ethernet-switching filterinput watch-employee
      user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
    6. Configure the remote-analyzer VLAN on the switches that connect this switch to the monitoring workstation.

    Results

    Check the results of the configuration:

    [edit] user@switch# show
    interfaces {...ge-0/0/10 {unit 0 {family ethernet-switching {port-mode trunk;vlan {members remote-analyzer;}}}}ge-0/0/0 {unit 0 {family ethernet-switching {filter {input watch-employee;}}}}ge-0/0/1 {unit 0 {family ethernet-switching {filter {input watch-employee;}}}}}
    ...
    firewall { family ethernet-switching {...filter watch-employee {term employee-to-web {from {destination-port 80;}then analyzer employee-web-monitor;}}}}
    ethernet-switching-options {analyzer employee-web-monitor {output {vlan {999;}}}
    vlans {remote-analyzer {vlan-id 999;}}

    Verification

    Verifying That the Analyzer Has Been Correctly Created

    Purpose

    Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.

    Action

    You can verify the port mirror analyzer is configured as expected using the show analyzer command.

    user@switch> show analyzer
    	Analyzer name                : employee-monitor
    	Output VLAN                  : remote-analyzer 
    	Ingress monitored interfaces : ge-0/0/0.0
    	Ingress monitored interfaces : ge-0/0/1.0
    

    Meaning

    This output shows that the employee-monitor analyzer is mirroring the traffic entering ge-0/0/0 and ge-0/0/1 and is sending the mirror traffic to the analyzer remote-analyzer.

    Modified: 2016-04-29