    Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX Series Switches

    EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

    • Packets entering or exiting a port
    • Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4300, EX4500, or EX6200 switches
    • Packets exiting a VLAN on EX8200 switches

    You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

    This topic includes an example that describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch, so that you can perform analysis from a remote monitoring station.

    Best Practice: Mirror only necessary packets to reduce potential performance impact. We recommend that you:

    • Disable your configured port mirroring analyzers when you are not using them.
    • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.
    • Limit the amount of mirrored traffic by:
      • Using statistical sampling.
      • Setting ratios to select statistical samples.
      • Using firewall filters.

    This example describes how to configure remote port mirroring through a transit switch:

    Requirements

    This example uses the following hardware and software components:

    • Junos OS Release 9.5 or later for EX Series switches
    • EX3200 or EX4200 switch connected to another EX3200 or EX4200 switch through a third EX3200 or EX4200 switch

    Before you configure remote port mirroring, be sure that:

    • You have an understanding of port-mirroring concepts.
    • The interfaces that the analyzer will use as input interfaces have been configured on the switch.

    Overview and Topology

    This example describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch so that you can perform analysis from a remote monitoring station. The example shows how to configure a switch to mirror all traffic from employee computers to a remote analyzer.

    In this configuration, an analyzer session is also required on the destination switch to mirror the traffic arriving on the analyzer VLAN to the egress interface to which the remote monitoring station is connected. You must disable MAC learning for the remote-analyzer VLAN on the transit switch; this disables MAC learning on every member interface of the remote-analyzer VLAN on that switch, so the mirrored frames are flooded toward the destination switch rather than switched like ordinary traffic.

    Figure 1 shows the network topology for this example.

    Figure 1: Remote Port Mirroring Example Through a Transit Switch Network Topology

    In this example:

    • Interface ge-0/0/0 is a Layer 2 interface and interface ge-0/0/1 is a Layer 3 interface; both are on the source switch and serve as connections for employee computers.
    • Interface ge-0/0/10 is a Layer 2 interface that connects to the transit switch.
    • Interface ge-0/0/11 is a Layer 2 interface on the transit switch.
    • Interface ge-0/0/12 is a Layer 2 interface on the transit switch and connects to the destination switch.
    • Interface ge-0/0/13 is a Layer 2 interface on the destination switch.
    • Interface ge-0/0/14 is a Layer 2 interface on the destination switch and connects to the remote monitoring station.
    • VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

    Mirroring All Employee Traffic for Remote Analysis Through a Transit Switch

    To configure port mirroring for remote traffic analysis through a transit switch, for all incoming and outgoing employee traffic, perform these tasks:

    CLI Quick Configuration

    To quickly configure port mirroring for remote traffic analysis through a transit switch, for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:

    • Copy and paste the following commands in the source switch (monitored switch) terminal window:
      [edit]
      set vlans remote-analyzer vlan-id 999
      set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
      set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
      set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
      set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0
      set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0
      set ethernet-switching-options analyzer employee-monitor loss-priority high
      set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer
    • Copy and paste the following commands in the transit switch window:
      [edit]
      set vlans remote-analyzer vlan-id 999
      set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
      set vlans remote-analyzer interface ge-0/0/11 ingress
      set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode trunk
      set vlans remote-analyzer interface ge-0/0/12 egress
      set vlans remote-analyzer no-mac-learning
    • Copy and paste the following commands in the destination switch window:
      [edit]
      set vlans remote-analyzer vlan-id 999
      set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
      set vlans remote-analyzer interface ge-0/0/13 ingress
      set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
      set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer
      set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/14.0

    Step-by-Step Procedure

    To configure remote port mirroring through a transit switch:

    1. On the source switch:
      • Configure the VLAN tag ID for the remote-analyzer VLAN:
        [edit vlans]
        user@switch# set remote-analyzer vlan-id 999
      • Configure the network port connected to the transit switch for trunk mode and associate it with the remote-analyzer VLAN:
        [edit interfaces]
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
        user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999
      • Configure the employee-monitor analyzer:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
        user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
        user@switch# set analyzer employee-monitor input egress interface ge-0/0/0.0
        user@switch# set analyzer employee-monitor input egress interface ge-0/0/1.0
        user@switch# set analyzer employee-monitor loss-priority high
        user@switch# set analyzer employee-monitor output vlan remote-analyzer
    2. On the transit switch:
      • Configure the VLAN tag ID for the remote-analyzer VLAN:
        [edit vlans]
        user@switch# set remote-analyzer vlan-id 999
      • Configure the ge-0/0/11 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only:
        [edit]
        user@switch# set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
        user@switch# set vlans remote-analyzer interface ge-0/0/11 ingress
      • Configure the ge-0/0/12 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for egress traffic only:
        [edit]
        user@switch# set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode trunk
        user@switch# set vlans remote-analyzer interface ge-0/0/12 egress
      • Configure the no-mac-learning option for the remote-analyzer VLAN to disable MAC learning on all interfaces that are members of the remote-analyzer VLAN:
        [edit vlans]
        user@switch# set remote-analyzer no-mac-learning
    3. On the destination switch:
      • Configure the VLAN tag ID for the remote-analyzer VLAN:
        [edit vlans]
        user@switch# set remote-analyzer vlan-id 999
      • Configure the ge-0/0/13 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only:
        [edit]
        user@switch# set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
        user@switch# set vlans remote-analyzer interface ge-0/0/13 ingress
      • Configure the interface connected to the remote monitoring station for trunk mode:
        [edit interfaces]
        user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
      • Configure the employee-monitor analyzer:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor input ingress vlan remote-analyzer
        user@switch# set analyzer employee-monitor loss-priority high output interface ge-0/0/14.0
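
    Before committing the three configurations, it helps to check that they agree with one another. The following Python script is an added example, not Juniper code: it reads a switch's set-style commands and reports whether the invariants this example relies on hold (the same analyzer VLAN tag on every switch, trunk mode on every port that carries that VLAN, no-mac-learning on the transit switch, and an analyzer that outputs to the VLAN on the source switch and takes the VLAN as input on the destination switch). The sample configurations are constructed from this example, abbreviated to one monitored port.

```python
import re

VLAN, VLAN_ID = "remote-analyzer", "999"  # the analyzer VLAN used throughout this example

def audit(role, cfg):
    """Return findings for one switch's set-style config; role is source, transit or destination."""
    lines = [ln.strip() for ln in cfg.strip().splitlines() if ln.strip()]
    text, findings = "\n".join(lines), []
    # The analyzer VLAN must exist with the same tag on every switch along the path.
    if f"set vlans {VLAN} vlan-id {VLAN_ID}" not in lines:
        findings.append(f"{role}: {VLAN} is not configured with vlan-id {VLAN_ID}")
    # Every port that carries the analyzer VLAN must be in trunk mode.
    carriers = set(re.findall(rf"^set vlans {VLAN} interface (\S+) ", text, re.M))
    carriers |= set(re.findall(rf"^set interfaces (\S+) .* vlan members {VLAN_ID}$", text, re.M))
    for ifc in sorted(carriers):
        if f"set interfaces {ifc} unit 0 family ethernet-switching port-mode trunk" not in lines:
            findings.append(f"{role}: {ifc} carries {VLAN} but is not in trunk mode")
    analyzer = [ln for ln in lines if ln.startswith("set ethernet-switching-options analyzer ")]
    if role == "transit":  # mirrored frames must not be switched like ordinary traffic
        if f"set vlans {VLAN} no-mac-learning" not in lines:
            findings.append("transit: no-mac-learning is missing on the analyzer VLAN")
    elif role == "source":
        if not any(ln.endswith(f" output vlan {VLAN}") for ln in analyzer):
            findings.append("source: analyzer does not output to the analyzer VLAN")
        if not any(" loss-priority high" in ln for ln in analyzer):
            findings.append("source: loss-priority high is required when output is a VLAN")
    elif role == "destination":
        if not any(f" input ingress vlan {VLAN}" in ln for ln in analyzer):
            findings.append("destination: analyzer does not take the analyzer VLAN as input")
        if not any(re.search(r" output interface \S+$", ln) for ln in analyzer):
            findings.append("destination: analyzer does not output to a monitoring-station port")
    return findings

# Constructed sample inputs: the source and transit switches of this example, one monitored port.
SOURCE = """
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor loss-priority high
set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer
"""
TRANSIT = """
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set vlans remote-analyzer interface ge-0/0/11 ingress
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode trunk
set vlans remote-analyzer interface ge-0/0/12 egress
set vlans remote-analyzer no-mac-learning
"""
```

    Call `audit("destination", ...)` on the destination switch's commands in the same way; an empty list means every check passed.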

    Results

    Check the results of the configuration on the source switch:

    [edit]
    user@switch# show
    ethernet-switching-options {
        analyzer employee-monitor {
            loss-priority high;
            input {
                ingress {
                    interface ge-0/0/0.0;
                    interface ge-0/0/1.0;
                }
                egress {
                    interface ge-0/0/0.0;
                    interface ge-0/0/1.0;
                }
            }
            output {
                vlan {
                    remote-analyzer;
                }
            }
        }
    }
    vlans {
        remote-analyzer {
            vlan-id 999;
        }
    }
    interfaces {
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members 999;
                    }
                }
            }
        }
    }

    Check the results of the configuration on the transit switch:

    [edit]
    user@switch# show
    vlans {
        remote-analyzer {
            vlan-id 999;
            interface {
                ge-0/0/11.0 {
                    ingress;
                }
                ge-0/0/12.0 {
                    egress;
                }
            }
            no-mac-learning;
        }
    }
    interfaces {
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                }
            }
        }
    }

    Check the results of the configuration on the destination switch:

    [edit]
    user@switch# show
    vlans {
        remote-analyzer {
            vlan-id 999;
            interface {
                ge-0/0/13.0 {
                    ingress;
                }
            }
        }
    }
    interfaces {
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                }
            }
        }
    }
    ethernet-switching-options {
        analyzer employee-monitor {
            loss-priority high;
            input {
                ingress {
                    vlan remote-analyzer;
                }
            }
            output {
                interface {
                    ge-0/0/14.0;
                }
            }
        }
    }

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying That the Analyzer Has Been Correctly Created

    Purpose

    Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and the appropriate output interface.

    Action

    You can verify the analyzer is configured as expected by using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface.

    To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show analyzer command on the source switch. The following output is displayed for this example configuration:

    user@switch> show analyzer
    Analyzer name                : employee-monitor
    Output VLAN                  : remote-analyzer
    Mirror ratio                 : 1
    Loss priority                : High
    Ingress monitored interfaces : ge-0/0/0.0
    Ingress monitored interfaces : ge-0/0/1.0

    Meaning

    This output shows that the employee-monitor analyzer has a mirror ratio of 1 (mirroring every packet, the default), has a loss priority of high (set this option to high whenever the analyzer output is a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and is sending the mirrored traffic to the analyzer VLAN named remote-analyzer.

    Modified: 2016-08-12