Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Protocol-Independent Firewall Filter for Port Mirroring

 

On MX Series routers with MPCs, you can configure a firewall filter to mirror Layer 2 and Layer 3 packets at a global level and at an instance level. When port mirror is configured at ingress or egress, the packet entering or exiting an interface is copied and the copies are sent to the local interface for local monitoring.

Note

Starting with Junos OS Release 13.3R6, only MPC interfaces support family any to do port mirroring. DPC interfaces do not support family any.

Typically, the firewall filter is configured such that it mirrors either Layer 2 or Layer 3 packets based on the family configured at the interface. However, in case of an integrated routing and bridging (IRB) interface, Layer 2 packets are not completely mirrored because IRB interfaces are configured to mirror only Layer 3 packets. On such an interface, you can configure a firewall filter and port mirroring parameters in the family any to ensure that a packet is completely mirrored irrespective of whether it is a Layer 2 or a Layer 3 packet.

Note
  • For port mirroring at an instance, you can configure one or more families such as inet, inet6, ccc, and vpls simultaneously for the same instance.

  • In case of Layer 2 port mirroring, VLAN tags, MPLS headers are retained and can be seen in the mirrored copy at egress.

  • For VLAN normalization, the information before normalization is seen for a mirrored packet at ingress. Similarly, at egress, the information after normalization is seen for the mirrored packet.

Before you begin configuring port mirroring, you must configure valid physical interfaces.

To configure a protocol-independent firewall filter for port mirroring:

  1. Configure a global firewall filter for port-mirroring egress or ingress traffic.
  2. Configure a firewall filter to port-mirror traffic for an instance.
  3. Configure port-mirroring parameters for egress and ingress traffic.
  4. Configure port-mirroring parameters for an instance. In this configuration, you can specify the output or destination for the Layer 2 packets to be either a valid next-hop group or a Layer 2 interface.
  5. Configure the firewall filter at the ingress or egress interface on which the packets are transmitted.
Release History Table
Release
Description
Starting with Junos OS Release 13.3R6, only MPC interfaces support family any to do port mirroring.