Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Port Mirroring

 

Port mirroring is the ability of a router to send a copy of an IPv4 or IPv6 packet to an external host address or a packet analyzer for analysis. Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the packet header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.

One application for port mirroring sends a duplicate packet to a virtual tunnel. A next-hop group can then be configured to forward copies of this duplicate packet to several interfaces. For more information about next-hop groups, see Configuring Next-Hop Groups to Use Multiple Interfaces to Forward Packets Used in Port Mirroring.

All M Series Multiservice Edge Routers, T Series Core Routers, and MX Series 5G Universal Routing Platforms support port mirroring for IPv4 or IPv6. The M120, M320, and MX Series routers support port mirroring for IPv4 and IPv6 simultaneously.

Port mirroring for VPLS traffic is supported on M7i and M10i routers configured with an Enhanced CFEB (CFEB-E), on M120 routers, on M320 routers configured with an Enhanced III Flexible PIC Concentrators (FPCs), and MX Series routers.

In Junos OS Release 9.3 and later, port mirroring is supported for Layer 2 traffic on MX Series routers. For information about how to configure port mirroring for Layer 2 traffic, see the Junos OS Layer 2 Switching and Bridging Library .

In Junos OS Release 9.6 and later, port mirroring is supported for Layer 2 VPN traffic on M120 routers and M320 routers configured with an Enhanced III FPC. You can also set the maximum length of the mirrored packet. When set, the mirrored packet is truncated to the specified length.

In the MPCs on M Series and MX Series routers, GRE and MPLS header information is not contained in the port-mirrored traffic corresponding to MPLS packets transmitted through IP-GRE tunnels.

Port Mirroring Configuration Guidelines

When configuring port mirroring, the following restrictions apply:

  • Only transit data is supported.

  • You can configure either IPv4 or IPv6 port mirroring but not both on M Series routers, except for the M120 and M320 routers, which support port mirroring for IPv4 and IPv6 simultaneously.

  • You can configure port mirroring for IPv4 and IPv6 simultaneously on the M120 and M320 routers and the MX Series routers.

  • Port mirroring in the ingress and egress direction is not supported for link services IQ (lsq-) interfaces.

  • Ingress filtering of multicast packets is supported on all Dense Port Concentrators (DPCs) in MX Series routers. Egress filtering of multicast packets is supported for interfaces on MPCs in MX Series routers only. Filtering of multicast packets based on destination address is not supported on M Series routers or T Series routers and is not supported for interfaces on I-chip ASIC-based DPCs in MX Series routers.

    For Layer 3 port mirroring (family inet and family inet6), if the traffic being mirrored is multicast (in other words, if the packet's destination IP address is a multicast address), the destination MAC address in the mirrored copy corresponds to this multicast destination IP address and not to the unicast MAC address specified in the [edit forwarding-options port-mirroring family (inet | inet6) output] configuration.

  • By default, firewall filters cannot be applied to port-mirroring destination interfaces. To enable port-mirroring destination interfaces to support firewall filters, use the no-filter-check statement to disable filter checking on the interfaces. You can include the no-filter-check statement at the following hierarchy levels:

    • [edit forwarding-options port-mirroring family (inet | inet6 | ccc | vpls) output]

    • [edit forwarding-options port-mirroring instance instance-name family (inet | ccc | vpls) output]

  • You must include a firewall filter with both the accept action and the port-mirror action modifier on the inbound interface.

  • The interface you configure for port mirroring should not participate in any kind of routing activity.

  • The destination address you specify should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 192.68.9.10 and the port-mirrored traffic is sent to 192.68.20.15 for analysis, the device associated with the latter address should not know a route to 192.68.9.10. Also, it should not send the sampled packets back to the source address.

  • On all routers except the MX Series router, you can configure only one port-mirroring interface per router. If you include more than one interface in the port-mirroring statement, the previous one is overwritten. MX Series routers support more than one port-mirroring interface per router.

  • You can configure multiple port-mirroring instances on the M120, M320, and MX Series routers.

  • You can specify both host (cflowd) sampling and port mirroring in the same configuration. You can perform RE-sampling and port mirroring actions simultaneously. However, you cannot perform PIC-sampling and port mirroring actions simultaneously.

  • In typical applications, you send the sampled packets to an analyzer or a workstation for analysis, not to another router. If you must send this traffic over a network, you should use tunnels.

Configuring Port Mirroring

To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level:

Configuring the Port-Mirroring Address Family and Interface

To configure port mirroring, include the port-mirroring statement. To configure the address family type of traffic to sample, include the family statement. To configure the rate of sampling, length of sampling, and the maximum size for the mirrored packet, include the input statement. To specify on which interface to send duplicate packets and the next-hop address to send packets, include the output statement. To determine whether there are any filters on the specified interface, include the no-filter-check statement.

For information about the rate and run-length statements, see Configuring Traffic Sampling .

Configuring Multiple Port-Mirroring Instances

In Junos OS Release 9.5 and later, you can configure multiple port-mirroring instances on the M120, M320, and MX Series routers. On the M120 router, you can associate each instance with a specific Forwarding Engine Board (FEB). You cannot associate a port-mirroring instance with an FEB configured as a backup FEB. On the M320 router, you can associate each instance with a specific Flexible PIC Concentrator (FPC). Associating a port-mirroring instance with an FPC or an FEB enables you to mirror packets to different destinations. Multiple port-mirroring instances are also supported on MX Series routers. For information about configuring multiple port-mirroring instances on MX Series routers, see the Junos OS Layer 2 Switching and Bridging Library .

Note

In MX80 and MX104 routers, port-mirroring instances should always be associated with FPC 0, because associating port-mirroring instances to FPC 1 or FPC 2 can result in inconsistent behavior due to the underlying architecture.

To configure a port-mirroring instance, include the instance port-mirroring-instance statement at the [edit forwarding-options port-mirroring] hierarchy level:

Configuring Port-Mirroring Instances

You can configure multiple port-mirroring instances. Specify a unique port-mirroring-instance-name for each instance you configure.

Associating a Port-Mirroring Instance on M320 Routers

You can associate a port-mirroring instance with a specific FPC on an M320 router or with a specific FEB on an M120 router. You can associate only one port-mirroring instance with each FPC on an M320 router or with each FEB on an M120 router. On an M120 router, you cannot associate a port-mirroring instance with a FEB configured as a backup FEB.

To associate a port-mirroring instance with an FPC on an M320 router, include the port-mirror-instance port-mirroring-instance-name statement at the [edit chassis fpc slot-number] hierarchy level:

For slot-number, specify the slot number of the FPC you want to associate with the port-mirroring instance. For port-mirroring-instance-name, specify the name of a port-mirroring instance you configured at the [edit forwarding-options port-mirroring] hierarchy level. For more information about configuring an FPC on an M320 router, see the Junos OS Administration Library.

Associating a Port-Mirroring Instance on M120 Routers

To associate a port-mirroring instance with a FEB on an M120 router, include the port-mirror-instance port-mirroring-instance-name statement at the [edit chassis feb slot-number] hierarchy level:

For slot-number, specify the slot number of the FEB you want to associate with the port-mirroring instance. For port-mirroring-instance-name, specify the name of a port-mirroring instance you configured at the [edit forwarding-options port-mirroring] hierarchy level. For information about configuring FEB redundancy on an M120 router, see the High Availability User Guide. For information about configuring FPC-to-FEB connectivity on an M120 router, see the Junos OS Administration Library.

Configuring MX Series 5G Universal Routing Platforms and M120 Routers to Mirror Traffic Only Once

On MX Series and M120 routers only, you can configure port mirroring so that the router mirrors traffic only once. If you configure port mirroring on both ingress and egress interfaces, the same packet could be mirrored twice. To mirror packets only once and prevent the router from sending duplicate sampled packets to the same mirroring destination, include the mirror-once statement at the [edit forwarding-options port-mirroring] hierarchy level:

Note

The mirror-once statement is supported only in the global port-mirroring instance.