Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Defining a Layer 2 Port-Mirroring Firewall Filter

 

For virtual private LAN service (VPLS) traffic (family bridge or family vpls) and for Layer 2 VPNs with family cccon MX Series routers and on EX Series switches only, you can define a firewall filter that specifies Layer 2 port mirroring as the action to be performed if a packet matches the conditions configured in the firewall filter term

You can use a Layer 2 port-mirroring firewall filter in the following ways:

  • To mirror packets received or sent on a logical interface.

  • To mirror packets forwarded or flooded to a bridge domain.

  • To mirror packets forwarded or flooded to a VPLS routing instance.

  • To mirror tunnel interface input packets only to multiple destinations.

For a summary of the three types of Layer 2 port-mirroring you can configure on an MX Series router, see Application of Layer 2 Port Mirroring Types.

To define a firewall filter with a Layer 2 port-mirroring action:

  1. Enable configuration of firewall filters for Layer 2 packets that are part of a bridge domain, a Layer 2 switching cross-connect, or a virtual private LAN service (VPLS):

    The value of the family option can be bridge,ccc, or vpls.

  2. Enable configuration of a firewall filter pm-filter-name:

  3. Enable configuration of a firewall filter term pm-filter-term-name:

  4. (Optional) Specify the firewall filter match conditions based on the route source address only if you want to mirror a subset of the sampled packets. Note

    If you want all sampled packets to be considered to match (and be subjected to the actions specified in the then statement), then omit the from statement altogether.

  5. Enable configuration of the action and action-modifier to apply to matching packets:

  6. Specify the actions to be taken on matching packets:

    The recommended value for the action is accept. If you do not specify an action, or if you omit the then statement entirely, all packets that match the conditions in the from statement are accepted.

  7. Specify Layer 2 port mirroring or a next-hop group as the action-modifier:

    • To reference the Layer 2 port mirroring properties currently in effect for the Packet Forwarding Engine or PIC associated with the underlying physical interface, use the port-mirror statement:

    • To reference the Layer 2 port mirroring properties configured in a specific named instance, use the port-mirror-instance pm-instance-name action modifier:

      If the underlying physical interface is not bound to a named instance of Layer 2 port mirroring but instead is implicitly bound to the global instance of Layer 2 port mirroring, then traffic at the logical interface is mirrored according to the properties specified in the named instance referenced by the port-mirror-instance action modifier.

    • To reference a next-hop group that specifies the next-hop addresses (for sending additional copies of packets to an analyzer), use the next-hop-group pm-next-hop-group-name action modifier:

      For configuration information about next-hop groups, see Defining a Next-Hop Group for Layer 2 Port Mirroring. If you specify a next-hop group for Layer 2 port mirroring, the firewall filter term applies to the tunnel interface input only.

  8. Verify the minimum configuration of the Layer 2 port-mirroring firewall filter:

    In the firewall filter term then statement, the action-modifier can be port-mirror, port-mirror-instance , or next-hop-group pm-next-hop-group-name.

Related Documentation