Applying Layer 2 Port Mirroring to a Logical Interface

 

You can apply a Layer 2 port-mirroring firewall filter to the input or to the output of a logical interface, including an aggregated Ethernet logical interface. Only packets of the address-type family specified by the filter action are mirrored.

Before you begin, complete the following task:

  • Define a Layer 2 port-mirroring firewall filter to be applied to the input or to the output of a logical interface. For details, see Defining a Layer 2 Port-Mirroring Firewall Filter.

    Note

    This configuration task shows two Layer 2 port-mirroring firewall filters: one filter applied to the logical interface ingress traffic, and one filter applied to the logical interface egress traffic.

To apply a Layer 2 port-mirroring firewall filter to an input or output logical interface:

  1. Configure the underlying physical interface for the logical interface.

    1. Enable configuration of the underlying physical interface:

      Note

      A port-mirroring firewall filter can also be applied to an aggregated-Ethernet logical interface.

    2. For Fast Ethernet and Gigabit Ethernet interfaces and aggregated Ethernet interfaces configured for VPLS, enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface:

    3. For Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID, set the logical link-layer encapsulation type:

  2. Configure the logical interface to which you want to apply a Layer 2 port-mirroring firewall filter.

    1. Specify the logical unit number:

    2. For a Fast Ethernet, Gigabit Ethernet, or Aggregated Ethernet interface, bind an 802.1Q VLAN tag ID to the logical interface:

  3. Enable specification of an input or output filter to be applied to Layer 2 packets that are part of a bridging domain, Layer 2 switching cross-connects, or virtual private LAN service (VPLS).

    • If the filter is to be evaluated when packets are received on the interface:

    • If the filter is to be evaluated when packets are sent on the interface:

    The value of the family option can be bridge, ccc, or vpls.

    Note

    If port-mirroring firewall filters are applied at both the input and output of a logical interface, two copies of each packet are mirrored. To prevent the router from forwarding duplicate packets to the same destination, include the optional mirror-once statement at the [edit forwarding-options] hierarchy level.

  4. Verify the minimum configuration for applying a named Layer 2 port-mirroring firewall filter to a logical interface:
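
The steps above assembled into one configuration, as an added example that is not part of the original page. The interface name, unit number, VLAN ID and filter names are hypothetical; the choice of extended-vlan-bridge encapsulation with family bridge and the placement of mirror-once under port-mirroring are assumptions.

```junos
/* Added example; interface, unit, VLAN ID and filter names are hypothetical. */
interfaces {
    /* Step 1.1: underlying physical interface */
    ge-1/0/2 {
        /* Step 1.2: receive and transmit 802.1Q VLAN-tagged frames */
        vlan-tagging;
        /* Step 1.3: link-layer encapsulation (assumed: bridging case) */
        encapsulation extended-vlan-bridge;
        /* Step 2.1: logical unit number */
        unit 100 {
            /* Step 2.2: bind an 802.1Q VLAN tag ID to the logical interface */
            vlan-id 100;
            /* Step 3: family can be bridge, ccc, or vpls */
            family bridge {
                filter {
                    /* evaluated when packets are received on the interface */
                    input pm-filter-in;
                    /* evaluated when packets are sent on the interface */
                    output pm-filter-out;
                }
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        /* Both input and output filters are applied above, so each packet
           would be mirrored twice; mirror-once suppresses the duplicate copy.
           Placement under port-mirroring is an assumption. */
        mirror-once;
    }
}
```

Both named filters must already exist as Layer 2 port-mirroring firewall filters for the same family before the configuration is committed.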