
    Configuring Port Mirroring

    You use port mirroring to copy packets and send the copies to a device running an application such as a network analyzer or intrusion detection application so that you can analyze traffic without delaying it. You can mirror traffic entering or exiting a port or entering a VLAN, and you can send the copies to a local access interface or to a VLAN through a trunk interface.

    We recommend that you disable port mirroring when you are not using it. If you do enable port mirroring, to avoid creating a performance issue we recommend that you select specific input interfaces instead of using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter. Keep in mind that the mirrored stream is a complete copy of whatever crosses the mirrored ports or VLAN, including any cleartext credentials, so restrict physical and logical access to the analyzer output port and to the analyzer device itself.

    Note: This task uses a release of Junos OS that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring Port Mirroring. For ELS details, see Getting Started with Enhanced Layer 2 Software.

    Note: If you want to create additional analyzers without deleting an existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command.

    Note: You must configure port mirroring output interfaces as family ethernet-switching.

    Configuring Port Mirroring for Local Analysis

    To mirror interface traffic to a local interface on the switch:

    1. If you want to mirror traffic that is ingressing or egressing specific interfaces, choose a name for the port-mirroring configuration and configure what traffic should be mirrored by specifying the interfaces and direction of traffic:
      [edit ethernet-switching-options]
      user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name

      Note: If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs. If you do so, some VLAN packets might contain incorrect VLAN IDs.

      Note: If you configure mirroring for packets that egress an access interface, the original packets lose any VLAN tags when they exit the access interface, but the mirrored (copied) packets retain the VLAN tags when they are sent to the analyzer system.

    2. If you want to specify that all traffic entering a VLAN should be mirrored, choose a name for the port-mirroring configuration and specify the VLAN:
      [edit ethernet-switching-options]
      user@switch# set analyzer analyzer-name input ingress vlan vlan-name

      Note: You cannot configure port mirroring to copy traffic that egresses a VLAN.

    3. Configure the destination interface for the mirrored packets:
      [edit ethernet-switching-options]
      user@switch# set analyzer analyzer-name output interface interface-name
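    The three steps above, worked through as a complete set-command configuration. This is an added example, not taken from the original page: the analyzer name employee-monitor, the mirrored port ge-0/0/0 and the analyzer port ge-0/0/10 are assumed, and the lines beginning with # are commentary rather than commands.

```junos
# Assumed topology: the host to be monitored is on ge-0/0/0,
# the analyzer (sniffer or IDS sensor) is cabled to ge-0/0/10.

# The output interface must be family ethernet-switching (see the note above).
set interfaces ge-0/0/10 unit 0 family ethernet-switching

# Mirror both directions of ge-0/0/0 by naming the interface once per direction;
# the specific interface is used rather than the all keyword.
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0

# Send the copies to the local analyzer port.
set ethernet-switching-options analyzer employee-monitor output interface ge-0/0/10.0

commit

# Verify from operational mode that the analyzer is up and bound to the right ports.
run show analyzer

# When the investigation is over, take the analyzer out of service without losing
# the configuration so it can be reactivated later.
deactivate ethernet-switching-options analyzer employee-monitor
commit
```

    Because the mirrored port carries everything the monitored host sends and receives, ge-0/0/10 should be reserved for the analyzer and not patched into anything else while the analyzer is active.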

    Configuring Port Mirroring for Remote Analysis

    To mirror traffic to a VLAN for analysis at a remote location:

    1. Configure a VLAN to carry the mirrored traffic:
      [edit]
      user@switch# set vlans vlan-name vlan-id number
    2. Configure the interface that connects to another switch (the uplink interface) to trunk mode and associate it with the appropriate VLAN:
      [edit]
      user@switch# set interfaces interface-name unit 0 family ethernet-switching port-mode trunk vlan members (vlan-name | vlan-id)
    3. Configure the analyzer:
      1. Choose a name for the analyzer:
        [edit ethernet-switching-options]
        user@switch# set analyzer analyzer-name
      2. Specify the interface to be mirrored and whether the traffic should be mirrored on ingress or egress:
        [edit ethernet-switching-options]
        user@switch# set analyzer analyzer-name input (ingress | egress) interface interface-name
      3. Specify the appropriate IP address or VLAN as the output (a VLAN is specified in this example):
        [edit ethernet-switching-options]
        user@switch# set analyzer analyzer-name output vlan (vlan-name | vlan-id)

        If you specify an IP address as the output, note the following constraints:

        • The address cannot be in the same subnetwork as any of the switch’s management interfaces.
        • If you create virtual routing instances and also create an analyzer configuration that includes an output IP address, the output address belongs to the default virtual routing instance (inet.0 routing table).
        • The analyzer device must be able to de-encapsulate GRE-encapsulated packets, or the GRE-encapsulated packets must be de-encapsulated before reaching the analyzer device. (You can use a network sniffer to de-encapsulate the packets.)
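    The remote-analysis procedure above, worked through end to end as an added example that is not part of the original page. It assumes a dedicated VLAN named remote-analyzer with ID 999, the monitored port ge-0/0/0 and uplink ge-0/0/47 on the source switch, and, on the receiving switch, the same VLAN arriving on its trunk with the analyzer cabled to ge-0/0/5; these names and numbers are assumptions, and lines beginning with # are commentary.

```junos
# ---- Source switch: the switch whose port is being monitored ----

# Step 1: a VLAN that exists only to carry mirrored traffic. Do not assign
# user ports to it; anything on this VLAN sees the full copy of the mirrored port.
set vlans remote-analyzer vlan-id 999

# Step 2: the uplink toward the analyzer's switch is a trunk that carries that VLAN.
set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk vlan members remote-analyzer

# Step 3: the analyzer takes ge-0/0/0 as input and the VLAN (not an interface) as output.
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer
commit

# ---- Receiving switch: the switch the analyzer is attached to ----

# The same VLAN must exist here and be allowed on the trunk facing the source switch.
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk vlan members remote-analyzer

# Mirror everything entering the VLAN to the local analyzer port. The analyzer
# port itself must be family ethernet-switching, as with local analysis.
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set ethernet-switching-options analyzer remote-monitor input ingress vlan remote-analyzer
set ethernet-switching-options analyzer remote-monitor output interface ge-0/0/5.0
commit

# On either switch, confirm the analyzer state and its input/output bindings.
run show analyzer
```

    Keeping the analyzer VLAN off every access port and off every trunk that does not lead toward the analyzer is what stops the mirrored copy from leaking to other hosts on the path.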

    Filtering the Traffic Entering an Analyzer

    In addition to specifying which traffic to mirror by configuring an analyzer, you can also use a firewall filter to exercise more control over which packets are copied. For example, you might use a filter to specify that only traffic from certain applications be mirrored. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. If you use the same analyzer in multiple filters or terms, the output packets are copied only once.

    Note: You can include the action analyzer in ingress firewall filters only. You can apply ingress filters with this action to ports (Layer 2 interfaces), Layer 3 interfaces, and VLANs.

    When you use a firewall filter as the input to an analyzer, you output the copied traffic to a local interface or a VLAN just as you do when a firewall filter is not involved.

    To configure port mirroring with filters:

    1. Configure an analyzer for local or remote analysis. Configure only the output. For example, for local analysis enter:
      [edit ethernet-switching-options]
      user@switch# set analyzer analyzer-name output interface interface-name

      Note: Do not configure input to this analyzer.

    2. Create a firewall filter using any of the available match conditions and specify the action as analyzer analyzer-name.
    3. Apply the firewall filter to the interfaces or VLAN that should provide the input to the analyzer:
      [edit]
      user@switch# set interfaces interface-name unit 0 family ethernet-switching filter input filter-name
      [edit]
      user@switch# set vlans vlan-name filter input filter-name
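    The filter-based procedure above as one complete configuration. This is an added example and not from the original page: the analyzer name http-monitor, the filter name mirror-http, the analyzer port ge-0/0/10, the monitored port ge-0/0/0 and the VLAN name employee-vlan are assumptions, and lines beginning with # are commentary.

```junos
# Step 1: an analyzer with an output only. No input is configured here because
# the firewall filter decides what gets copied.
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set ethernet-switching-options analyzer http-monitor output interface ge-0/0/10.0

# Step 2: an ingress filter whose first term copies TCP port 80 traffic to the
# analyzer and lets the packet continue. The action must be analyzer analyzer-name.
set firewall family ethernet-switching filter mirror-http term web from protocol tcp
set firewall family ethernet-switching filter mirror-http term web from destination-port 80
set firewall family ethernet-switching filter mirror-http term web then analyzer http-monitor
set firewall family ethernet-switching filter mirror-http term web then accept

# A final catch-all term is essential: a Junos filter discards anything that
# matches no term, so without this the port would forward only port-80 traffic.
set firewall family ethernet-switching filter mirror-http term everything-else then accept

# Step 3a: apply the filter on ingress to a Layer 2 port ...
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input mirror-http

# Step 3b: ... or to a whole VLAN. Either binding feeds the same analyzer, and a
# packet that matches in more than one place is still copied only once.
set vlans employee-vlan filter input mirror-http

commit
run show analyzer
```

    Before committing a filter that names an analyzer, read the whole filter back with show firewall at the [edit] hierarchy and confirm the terminating accept term is present; the implicit discard at the end of a Junos filter is the usual way a mirroring change turns into an outage.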

    Modified: 2017-01-05