Port Mirroring Constraints and Limitations

 

Local and Remote Port Mirroring

The following constraints and limitations apply to local and remote port mirroring:

  • You can create a total of four port-mirroring configurations.

  • You can create a total of four port-mirroring configurations on each Node group in a QFabric system, subject to the following constraints:

    • As many as four of the configurations can be for local port mirroring.

    • As many as three of the configurations can be for remote port mirroring.

  • Regardless of whether you are configuring a standalone switch or a Node group, the following limits apply:

    • There can be no more than two configurations that mirror ingress traffic. (If you configure a firewall filter to send traffic to a port mirror—that is, you use the analyzer action modifier in a filter term—this counts as an ingress mirroring configuration for the switch or Node group on which the filter is applied.)

    • There can be no more than two configurations that mirror egress traffic.

Note

On QFabric systems, there is no system-wide limit on the total number of mirror sessions.

  • You can configure no more than one type of output in one port-mirroring configuration. That is, you can use no more than one of the following to complete a set analyzer name output statement:

    • interface

    • ip-address

    • vlan

  • If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs on a standalone switch or QFabric system. If you do so, some VLAN packets might contain incorrect VLAN IDs. This applies to any VLAN packets—not only the mirrored copies.

  • The ratio and loss-priority options are not supported.

  • Packets with physical layer errors are filtered out and are not sent to the output port or VLAN.

  • If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit from the output interface.

  • You cannot mirror packets exiting or entering the following ports:

    • Dedicated Virtual Chassis interfaces

    • Management interfaces (me0 or vme0)

    • Fibre Channel interfaces

    • Integrated routing and bridging (IRB) interfaces (also known as routed VLAN interfaces, or RVIs)

  • An aggregated Ethernet interface cannot be an output interface if the input is a VLAN or if traffic is sent to the analyzer by a firewall filter.

  • When packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.

  • An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.

  • CPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.

  • VLAN-based mirroring is not supported for STP traffic.

  • (QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on different Node devices, the mirrored copies have incorrect VLAN IDs. This limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on the same Node device. In this case the mirrored copies have the correct VLAN IDs (as long as you do not configure more than 2000 VLANs on the QFabric system).

  • True egress mirroring is defined as mirroring the exact number of copies and the exact packet modifications that went out the egress switched port. Because the processor on QFX5xxx (including QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210) and EX4600 (including EX4600 and EX4650) switches implements egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet modifications, so egress mirrored traffic can carry incorrect VLAN tags that differ from the tags in the original traffic.

  • If you configure a port-mirroring instance to mirror traffic exiting from an interface that performs VXLAN encapsulation, the source and destination MAC addresses of the mirrored packets will not be the same as those of the original traffic.

  • Mirroring on member interfaces of a LAG is not supported.

  • Egress VLAN mirroring is not supported.
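The counting and input/output rules above can be checked against a planned set of analyzers before the configuration is committed, so that a monitoring sensor is not left without traffic because an analyzer exceeded a limit. The following is an added example, not Juniper code; the dictionary layout, the field names, the irb prefix, and the sample plan are assumptions made for illustration and are not Junos syntax.

```python
from collections import Counter

MAX_CONFIGS = 4          # total port-mirroring configurations
MAX_PER_DIRECTION = 2    # ingress and egress are limited separately
OUTPUT_TYPES = {"interface", "ip-address", "vlan"}
# Assumed name prefixes for the management and IRB interfaces named above.
UNMIRRORABLE_PREFIXES = ("me0", "vme0", "irb")


def check_mirroring_plan(analyzers):
    """Return a list of violations for a planned set of analyzers.

    Each analyzer is a dict in a hypothetical layout (not Junos syntax): name,
    ingress / egress (input interface lists), filter_fed (bool), output (dict).
    """
    problems = []
    if len(analyzers) > MAX_CONFIGS:
        problems.append(f"{len(analyzers)} configurations exceed the limit of {MAX_CONFIGS}")
    # A filter-fed analyzer counts as an ingress mirroring configuration.
    ingress = [a["name"] for a in analyzers if a.get("ingress") or a.get("filter_fed")]
    egress = [a["name"] for a in analyzers if a.get("egress")]
    for direction, names in (("ingress", ingress), ("egress", egress)):
        if len(names) > MAX_PER_DIRECTION:
            problems.append(f"{len(names)} {direction} configurations exceed the limit of {MAX_PER_DIRECTION}")
    input_use = Counter()
    for a in analyzers:
        outputs = set(a.get("output", {}))
        if len(outputs) != 1 or not outputs <= OUTPUT_TYPES:
            problems.append(f"{a['name']}: exactly one output type is required")
        inputs = set(a.get("ingress", [])) | set(a.get("egress", []))
        input_use.update(inputs)
        for ifname in sorted(inputs):
            if ifname.startswith(UNMIRRORABLE_PREFIXES):
                problems.append(f"{a['name']}: {ifname} cannot be mirrored")
    # An interface may be the input of only one mirroring configuration.
    for ifname, count in sorted(input_use.items()):
        if count > 1:
            problems.append(f"{ifname} is an input for {count} configurations")
    return problems


# Constructed sample plan for a standalone switch.
PLAN = [
    {"name": "ids-a", "ingress": ["xe-0/0/1"], "output": {"interface": "xe-0/0/40"}},
    {"name": "ids-b", "ingress": ["xe-0/0/2"], "output": {"interface": "xe-0/0/41"}},
    {"name": "filter-tap", "filter_fed": True, "output": {"ip-address": "192.0.2.10"}},
    {"name": "dup", "egress": ["xe-0/0/1", "me0"], "output": {"interface": "xe-0/0/42", "vlan": "remote-mirror"}},
]
```

Calling check_mirroring_plan(PLAN) reports four violations: the filter-fed analyzer pushes the ingress count to three, and the last analyzer names two output types, a management interface, and an input interface already used by another configuration.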

Remote Port Mirroring Only

The following constraints and limitations apply to remote port mirroring:

  • If you configure an output IP address, the address cannot be in the same subnetwork as any of the switch’s management interfaces.

  • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).

  • An output VLAN cannot be a private VLAN or VLAN range.

  • An output VLAN cannot be shared by multiple analyzer statements.

  • An output VLAN interface cannot be a member of any other VLAN.

  • An output VLAN interface cannot be an aggregated Ethernet interface.

  • If the output VLAN has more than one member interface, then traffic is mirrored only to the first member of the VLAN, and other members of the same VLAN do not carry any mirrored traffic.

  • If you attempt to configure more than one analyzer session for remote port mirroring to an IP address (GRE encapsulation) and the IP addresses of the analyzers are reachable through the same interface, then only one analyzer session is configured.

Port Mirroring Constraints on OCX Series Switches

The following constraints and limitations apply to port mirroring on OCX Series switches:

  • You can create a total of four port-mirroring configurations. The following constraints also apply:

    • There can be no more than two configurations that mirror ingress traffic.

    • There can be no more than two configurations that mirror egress traffic.

  • If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they exit from the output interface.

  • You can create only one port-mirroring session.

  • You cannot mirror packets exiting or entering the following ports:

    • Dedicated Virtual Chassis interfaces

    • Management interfaces (me0 or vme0)

    • Fibre Channel interfaces

    • Routed VLAN interfaces or IRB interfaces

  • An aggregated Ethernet interface cannot be an output interface.

  • Do not include an 802.1Q subinterface that has a unit number other than 0 in a port mirroring configuration. Port mirroring does not work with subinterfaces if their unit number is not 0. (You configure 802.1Q subinterfaces using the vlan-tagging statement.)

  • When packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.

  • An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.

  • CPU-generated packets (such as ARP, ICMP, BPDU, and LACP packets) cannot be mirrored on egress.

  • VLAN-based mirroring is not supported for STP traffic.