
    Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX Series Switches

    EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

    • Packets entering or exiting a port
    • Packets entering a VLAN on Juniper Networks EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, or EX6200 Ethernet Switches
    • Packets exiting a VLAN on Juniper Networks EX8200 Ethernet Switches

    You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

    This topic includes two related examples that describe how to mirror traffic entering ports on the switch to the remote-monitor VLAN so that you can perform analysis from a remote monitoring station. The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario but includes a filter to mirror only the employee traffic going to the Web.

    Best Practice: Mirror only necessary packets to reduce potential performance impact. We recommend that you:

    • Disable your configured port mirroring analyzers when you are not using them.
    • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.
    • Limit the amount of mirrored traffic by:
      • Using statistical sampling.
      • Setting ratios to select statistical samples.
      • Using firewall filters.

    This example describes how to configure remote port mirroring:

    Requirements

    This example uses the following hardware and software components:

    • Junos OS Release 9.5 or later for EX Series switches
    • EX Series switch connected to another EX Series switch

    Before you configure remote port mirroring, be sure that:

    • You have an understanding of port-mirroring concepts.
    • The interfaces that the analyzer will use as input interfaces have been configured on the switch.

    Overview and Topology

    This topic includes two related examples that describe how to configure port mirroring to the remote-monitor VLAN so that analysis can be performed from a remote monitoring station. The first example shows how to configure a switch to mirror all traffic from employee computers. The second example shows the same scenario, but the setup includes a filter to mirror only the employee traffic going to the Web.

    Figure 1 shows the network topology for both these example scenarios.

    Figure 1: Remote Port Mirroring Example Network Topology


    In this example:

    • Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both interfaces on the source switch) that serve as connections for employee computers.
    • Interface ge-0/0/10 is a Layer 2 interface that connects the source switch to the destination switch.
    • Interface ge-0/0/5 is a Layer 2 interface that connects the destination switch to the remote monitoring station.
    • VLAN remote-monitor is configured on all switches in the topology to carry the mirrored traffic.

    Mirroring All Employee Traffic for Remote Analysis

    To configure port mirroring for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks:

    CLI Quick Configuration

    To quickly configure port mirroring for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

    • Copy and paste the following commands in the source switch terminal window:
      [edit]
      set vlans remote-monitor vlan-id 999
      set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      set vlans remote-monitor interface ge-0/0/10 egress
      set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
      set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
      set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0
      set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0
      set ethernet-switching-options analyzer employee-monitor loss-priority high
      set ethernet-switching-options analyzer employee-monitor output vlan remote-monitor
    • Copy and paste the following commands in the destination switch terminal window:
      [edit]
      set vlans remote-monitor vlan-id 999
      set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 999

    Step-by-Step Procedure

    To configure basic remote port mirroring:

    1. On the source switch:
      • Configure the VLAN tag ID for the remote-monitor VLAN:
        [edit vlans]
        user@switch# set remote-monitor vlan-id 999
      • Configure the interface on the network port connected to the destination switch for trunk mode and associate it with the remote-monitor VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      • Configure the ge-0/0/10 interface as an egress-only member of the remote-monitor VLAN, so that mirrored traffic can only leave the source switch through it:
        [edit vlans]
        user@switch# set remote-monitor interface ge-0/0/10 egress
      • Configure the employee-monitor analyzer:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
        user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
        user@switch# set analyzer employee-monitor input egress interface ge-0/0/0.0
        user@switch# set analyzer employee-monitor input egress interface ge-0/0/1.0
        user@switch# set analyzer employee-monitor loss-priority high
        user@switch# set analyzer employee-monitor output vlan remote-monitor

    2. On the destination switch:
      • Configure the VLAN tag ID for the remote-monitor VLAN:
        [edit vlans]
        user@switch# set remote-monitor vlan-id 999
      • Configure the interface on the destination switch for trunk mode and associate it with the remote-monitor VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      • Configure the interface connected to the remote monitoring station for trunk mode and associate it with the remote-monitor VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/5 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/5 unit 0 family ethernet-switching vlan members 999

    Results

    Check the results of the configuration on the source switch:

    [edit]
    user@switch# show
    ethernet-switching-options {
        analyzer employee-monitor {
            loss-priority high;
            input {
                ingress {
                    interface ge-0/0/0.0;
                    interface ge-0/0/1.0;
                }
                egress {
                    interface ge-0/0/0.0;
                    interface ge-0/0/1.0;
                }
            }
            output {
                vlan {
                    remote-monitor;
                }
            }
        }
    }
    interfaces {
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members 999;
                    }
                }
            }
        }
    }
    vlans {
        remote-monitor {
            vlan-id 999;
            interface {
                ge-0/0/10.0 {
                    egress;
                }
            }
        }
    }

    Check the results of the configuration on the destination switch:

    [edit]
    user@switch# show
    interfaces {
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members 999;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members 999;
                    }
                }
            }
        }
    }
    vlans {
        remote-monitor {
            vlan-id 999;
        }
    }

    Mirroring Employee-to-Web Traffic for Remote Analysis

    To configure port mirroring for remote traffic analysis of employee-to-Web traffic, perform these tasks:

    CLI Quick Configuration

    To quickly configure port mirroring to mirror employee traffic to the external Web, copy the following commands and paste them into the switch terminal window:

    • Copy and paste the following commands in the source switch terminal window:
      [edit]
      set ethernet-switching-options analyzer employee-web-monitor loss-priority high output vlan 999
      set vlans remote-monitor vlan-id 999
      set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
      set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
      set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
      set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
      set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
      set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
      set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
    • Copy and paste the following commands in the destination switch terminal window:
      [edit]
      set vlans remote-monitor vlan-id 999
      set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 999

    Step-by-Step Procedure

    To configure port mirroring of the employee-to-Web traffic from the two ports connected to employee computers to the remote-monitor VLAN for use from a remote monitoring station:

    1. On the source switch:
      • Configure the employee-web-monitor analyzer:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-web-monitor loss-priority high output vlan 999
      • Configure the VLAN tag ID for the remote-monitor VLAN:
        [edit vlans]
        user@switch# set remote-monitor vlan-id 999
      • Configure the interface on the network port connected to the destination switch for trunk mode and associate it with the remote-monitor VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      • Configure the firewall filter called watch-employee:
        [edit firewall family ethernet-switching]
        user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
        user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
        user@switch# set filter watch-employee term employee-to-corp then accept
        user@switch# set filter watch-employee term employee-to-web from destination-port 80
        user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor
      • Apply the firewall filter to the employee interfaces:
        [edit interfaces]
        user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
        user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
    2. On the destination switch:
      • Configure the VLAN tag ID for the remote-monitor VLAN:
        [edit vlans]
        user@switch# set remote-monitor vlan-id 999
      • Configure the interface on the destination switch for trunk mode and associate it with the remote-monitor VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      • Configure the interface connected to the remote monitoring station for trunk mode and associate it with the remote-monitor VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/5 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/5 unit 0 family ethernet-switching vlan members 999
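    To check what the watch-employee filter does with each kind of employee traffic before applying it to production ports, here is an added Python model of its term evaluation (example code, not Junos or Juniper code). It assumes the documented Junos filter semantics: terms are evaluated in order, all conditions in a term's from clause must match, analyzer is an action modifier so a term with only that action accepts the packet, and a packet matching no term hits the filter's implicit discard.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the watch-employee filter (not Juniper code).
CORP_NET = ipaddress.ip_network("192.0.2.16/28")


def watch_employee(src: str, dst: str, dst_port: Optional[int]) -> Tuple[str, Optional[str]]:
    """Evaluate one packet against the filter's terms in configured order.

    Returns (terminating_action, analyzer). Junos ANDs the match conditions
    inside one term, a term whose only action is the analyzer modifier
    accepts the packet, and a packet matching no term is discarded.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # term employee-to-corp: traffic staying inside the corporate /28 is accepted, not mirrored
    if s in CORP_NET and d in CORP_NET:
        return ("accept", None)
    # term employee-to-web: anything to destination port 80 is mirrored to employee-web-monitor
    if dst_port == 80:
        return ("accept", "employee-web-monitor")
    # no term matched: the filter's implicit discard applies
    return ("discard", None)


# Constructed sample of traffic arriving on the employee ports ge-0/0/0 and ge-0/0/1.
SAMPLE_PACKETS: List[Tuple[str, str, int]] = [
    ("192.0.2.17", "192.0.2.20", 445),     # file share inside the corporate /28
    ("192.0.2.18", "198.51.100.10", 80),   # plain HTTP to an external Web server
    ("192.0.2.18", "198.51.100.10", 443),  # HTTPS to the same server
    ("192.0.2.19", "198.51.100.53", 53),   # DNS lookup to an external resolver
]


def summarize(packets) -> Dict[str, int]:
    """Count how the filter treats each packet: mirrored, accepted unmirrored, or discarded."""
    counts = {"mirrored": 0, "accepted": 0, "discarded": 0}
    for src, dst, port in packets:
        action, analyzer = watch_employee(src, dst, port)
        if analyzer:
            counts["mirrored"] += 1
        elif action == "accept":
            counts["accepted"] += 1
        else:
            counts["discarded"] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))  # {'mirrored': 1, 'accepted': 1, 'discarded': 2}
```

    In the constructed sample, the HTTPS and DNS packets match neither term and are discarded, which is worth confirming is the intended behaviour before the filter goes on the employee ports.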

    Results

    Check the results of the configuration on the source switch:

    [edit]
    user@switch# show
    interfaces {
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members remote-monitor;
                    }
                }
            }
        }
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    filter {
                        input watch-employee;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    filter {
                        input watch-employee;
                    }
                }
            }
        }
    }
    firewall {
        family ethernet-switching {
            filter watch-employee {
                term employee-to-corp {
                    from {
                        source-address {
                            192.0.2.16/28;
                        }
                        destination-address {
                            192.0.2.16/28;
                        }
                    }
                    then accept;
                }
                term employee-to-web {
                    from {
                        destination-port 80;
                    }
                    then analyzer employee-web-monitor;
                }
            }
        }
    }
    ethernet-switching-options {
        analyzer employee-web-monitor {
            loss-priority high;
            output {
                vlan {
                    999;
                }
            }
        }
    }
    vlans {
        remote-monitor {
            vlan-id 999;
        }
    }

    Check the results of the configuration on the destination switch:

    [edit]
    user@switch# show
    vlans {
        remote-monitor {
            vlan-id 999;
        }
    }
    interfaces {
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members 999;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members 999;
                    }
                }
            }
        }
    }

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying That the Analyzer Has Been Correctly Created

    Purpose

    Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and the appropriate output VLAN.

    Action

    You can verify the analyzer is configured as expected by using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface.

    To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show analyzer command on the source switch. The following output is displayed for this example configuration:

    user@switch> show analyzer
        Analyzer name                : employee-monitor
        Output VLAN                  : remote-monitor
        Mirror ratio                 : 1
        Loss priority                : High
        Ingress monitored interfaces : ge-0/0/0.0
        Ingress monitored interfaces : ge-0/0/1.0

    Meaning

    This output shows that the employee-monitor analyzer has a mirror ratio of 1 (mirroring every packet, the default), has a loss priority of high (mirrored packets are dropped first when the switch is congested; the default loss-priority value is low), and mirrors the traffic entering or exiting ge-0/0/0 and ge-0/0/1 to the VLAN called remote-monitor.
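    Because an analyzer quietly duplicates traffic, it is worth auditing show analyzer output against the mirror sessions you actually approved, not just reading it by eye. The following added Python script (example code, not Juniper's) parses the output reproduced above and reports any analyzer, input interface or output VLAN that is not in an assumed approved-policy table.

```python
import re
from typing import Dict, List

# Constructed sample: the show analyzer output reproduced above for employee-monitor.
SAMPLE_OUTPUT = """\
Analyzer name                : employee-monitor
Output VLAN                  : remote-monitor
Mirror ratio                 : 1
Loss priority                : High
Ingress monitored interfaces : ge-0/0/0.0
Ingress monitored interfaces : ge-0/0/1.0
"""
# Assumed approved-mirroring policy: which interfaces each analyzer may copy, and to which VLAN.
APPROVED = {
    "employee-monitor": {"inputs": {"ge-0/0/0.0", "ge-0/0/1.0"}, "output_vlan": "remote-monitor"},
}
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(\S.*?)\s*$")  # "label : value" lines of the output


def parse_show_analyzer(text: str) -> Dict[str, dict]:
    """Parse show analyzer output into {name: fields}; repeated interface lines accumulate."""
    analyzers, current = {}, None
    for line in text.splitlines():
        if not (m := FIELD.match(line)):
            continue
        key, value = m.group(1), m.group(2)
        if key == "Analyzer name":
            current = analyzers.setdefault(value, {"ingress": [], "egress": []})
        elif current is None:
            continue  # a field before any analyzer header: ignore it
        elif key == "Ingress monitored interfaces":
            current["ingress"].append(value)
        elif key == "Egress monitored interfaces":
            current["egress"].append(value)
        else:
            current[key] = value
    return analyzers


def audit(analyzers: Dict[str, dict], approved: dict) -> List[str]:
    """Return one finding per deviation from the approved policy; an empty list means compliant."""
    findings = []
    for name, a in analyzers.items():
        policy = approved.get(name)
        if policy is None:
            findings.append(f"{name}: analyzer is not in the approved policy")
            continue
        extra = (set(a["ingress"]) | set(a["egress"])) - policy["inputs"]
        findings += [f"{name}: mirrors unapproved interface {i}" for i in sorted(extra)]
        if a.get("Output VLAN") != policy["output_vlan"]:
            findings.append(f"{name}: output is {a.get('Output VLAN')}, not {policy['output_vlan']}")
    return findings
```

    Feed it the real output of show analyzer from each switch and treat any non-empty findings list as configuration drift to investigate.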

    Modified: 2016-12-06