
Configuring Port Mirroring on M, T, MX, ACX, and PTX Series Routers

To prepare traffic for port mirroring, include the filter statement at the [edit firewall family inet] hierarchy level:

This filter at the [edit firewall family (inet | inet6)] hierarchy level selects traffic to be port-mirrored:

To configure port mirroring on a logical interface, configure the following statements at the [edit forwarding-options port-mirroring] hierarchy level:

Note

The PTX series does not support egress port mirroring.

The ACX6360 router does not support egress port mirroring.

Specify the port-mirroring destination by including the next-hop statement at the [edit forwarding-options port-mirroring family (inet | inet6) output interface interface-name] hierarchy level:

Note

For IPv4 port mirroring to reach a next-hop destination, you must manually include a static Address Resolution Protocol (ARP) entry in the router configuration.

You can also specify the port-mirroring destination by including the next-hop-group statement at the [edit forwarding-options port-mirroring family (inet | inet6) output] hierarchy level. Starting in Junos OS Release 14.2R1, the next-hop-group statement for the port-mirroring destination is supported for inet6.

Note

The ACX6360 router does not support the next-hop, next-hop-group, and maximum-packet-length statements.

The no-filter-check statement is required when you send port-mirrored traffic to a Tunnel PIC that has a filter applied to it.

The interface used to send the packets to the analyzer is the output interface configured above at the [edit forwarding-options port-mirroring family (inet | inet6) output] hierarchy level. You can use any physical interface type, including generic routing encapsulation (GRE) tunnel interfaces. The next-hop address specifies the destination address; this statement is mandatory for non-point-to-point interfaces, such as Ethernet interfaces.

To configure the sampling rate or duration, include the rate or run-length statement at the [edit forwarding-options port-mirroring input] hierarchy level.
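The statements above put together for IPv4, as an added configuration example that is not part of the original page: the ingress filter marks TCP web traffic for mirroring and accepts it, the port-mirroring stanza sets the sampling rate and the output interface with its mandatory next hop, and a static ARP entry resolves that next hop. Interface names, addresses and the MAC address are assumed.

```junos
/* Added example: interface names, addresses and MAC address are assumed. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* The ingress filter selects the packets to be copied. */
                filter {
                    input mirror-web;
                }
                address 10.0.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.2.1/24 {
                    /* Static ARP entry for the analyzer; IPv4 mirrored traffic
                       cannot reach an Ethernet next hop without it. */
                    arp 10.0.2.10 mac 00:05:85:aa:bb:cc;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter mirror-web {
            term web {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    /* Both actions are required; a discard action disables mirroring. */
                    port-mirror;
                    accept;
                }
            }
            term pass-everything-else {
                then accept;
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            /* rate 1 mirrors every packet the filter selected. */
            rate 1;
            run-length 0;
        }
        family inet {
            output {
                interface ge-0/0/1.0 {
                    /* Mandatory on a non-point-to-point interface such as Ethernet. */
                    next-hop 10.0.2.10;
                }
            }
        }
    }
}
```

The analyzer at 10.0.2.10 must not have a route back to the original destinations (see Restrictions), otherwise it could forward the copies onward instead of only capturing them.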

You can trace port-mirroring operations the same way you trace sampling operations. For more information, see Tracing Traffic Sampling Operations.

For more information about port mirroring, see the following sections:

Configuring Tunnels

In typical applications, you send the sampled packets to an analyzer or a workstation for analysis, rather than another router. If you must send this traffic over a network, you should use tunnels. For more information about tunnel interfaces, see Tunnel Services Overview.

The MX Series routers support Dense Port Concentrators (DPCs) with built-in Ethernet ports, which do not support Tunnel Services PICs. To create tunnel interfaces on an MX Series router with a DPC, you configure the DPC and the corresponding Packet Forwarding Engine to use for tunneling services at the [edit chassis] hierarchy level. You also configure the amount of bandwidth reserved for tunnel services. The Junos OS creates tunnel interfaces on the Packet Forwarding Engine.

To create tunnel interfaces on MX Series routers, include the following statements at the [edit chassis] hierarchy level:

Include the fpc slot-number statement to specify the slot number of the DPC. If two SCBs are installed, the range is 0 through . If three SCBs are installed, the range is 0 through 5 and 7 through .

Include the pic number statement to specify the number of the Packet Forwarding Engine on the DPC. The range is 0 through 3.

You can also specify the amount of bandwidth to allocate for tunnel traffic on each Packet Forwarding Engine by including the bandwidth bandwidth-value statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:

  • 1g indicates that 1 Gbps of bandwidth is reserved for tunnel traffic. Configure this option only for a Packet Forwarding Engine on a Gigabit Ethernet 40-port DPC.

  • 10g indicates that 10 Gbps of bandwidth is reserved for tunnel traffic. Configure this option only for a Packet Forwarding Engine on a 10-Gigabit Ethernet 4-port DPC.

  • 20g or 40g indicates that 20 Gbps or 40 Gbps of bandwidth is reserved for tunnel traffic. Configure these options only on an MX Series router with the MPC3E and the 100-Gigabit CFP MIC.

If you specify a bandwidth that is not compatible with the type of DPC and Packet Forwarding Engine, tunnel services are not activated. For example, you cannot specify a bandwidth of 1 Gbps for a Packet Forwarding Engine on a 10-Gigabit Ethernet 4-port DPC.

When you configure tunnel interfaces on the Packet Forwarding Engine of a 10-Gigabit Ethernet 4-port DPC, the Ethernet interfaces for that port are removed from service and are no longer visible in the command-line interface (CLI). The Packet Forwarding Engine of a 10-Gigabit Ethernet 4-port DPC supports either tunnel interfaces or Ethernet interfaces, but not both. Each port on the 10-Gigabit Ethernet 4-port DPC includes two LEDs, one for tunnel services and one for Ethernet services, to indicate which type of service is being used. On the Gigabit Ethernet 40-port DPC, you can configure both tunnel and Ethernet interfaces at the same time.
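An added configuration example (not from the original page) of the [edit chassis] statements described above, reserving tunnel bandwidth on one Packet Forwarding Engine and then using the resulting GRE interface as the port-mirroring output interface. The slot number, PFE number, bandwidth value and tunnel endpoint addresses are assumed.

```junos
/* Added example: slot, PFE number, bandwidth and addresses are assumed. */
chassis {
    fpc 1 {
        pic 0 {
            /* Reserve 1 Gbps of PFE 0 on the DPC in slot 1 for tunnel services.
               1g is valid only on a Gigabit Ethernet 40-port DPC; a 10-Gigabit
               Ethernet 4-port DPC needs 10g and then loses its Ethernet ports. */
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
}
/* Junos creates the tunnel interfaces on that PFE, named after the slot and
   PFE number (gr-1/0/0 here), so the interface can be configured directly. */
interfaces {
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;
                destination 192.0.2.2;
            }
            family inet;
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;
        }
        family inet {
            output {
                /* A GRE tunnel is point-to-point, so no next-hop statement is needed. */
                interface gr-1/0/0.0;
            }
        }
    }
}
```

If the bandwidth value does not match the DPC type, the tunnel interfaces are simply not created and the port-mirroring output interface will not exist; check with show interfaces gr-1/0/0 before relying on it.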

If your router is equipped with a Tunnel PIC, you can forward duplicate packets to multiple interfaces by configuring a next-hop group. To configure a next-hop group, include the next-hop-group statement at the [edit forwarding-options] hierarchy level:

The interface statement specifies the interface that sends out sampled information. The next-hop statement specifies the next-hop addresses to which to send the sampled information.

Starting in Junos OS Release 14.2, for IPv6 port mirroring to reach a next-hop destination, you can configure a next-hop-group statement at the [edit forwarding-options port-mirroring family inet6 output] hierarchy level:

Next-hop groups have the following restrictions:

  • Next-hop groups are supported for the inet, inet6, and bridge families.

  • Next-hop groups are supported on M Series and MX Series routers.

  • Next-hop groups or next-hop subgroups support up to 16 next-hop addresses.

  • Up to 30 next-hop groups are supported.

  • Each next-hop group is expected to have at least two next-hop addresses.

  • Each next-hop subgroup supports up to 16 next-hop groups.

Port Mirroring with Next-Hop Groups

You can configure next-hop groups for M Series, MX Series, and TX Series routers using either IP addresses or Layer 2 addresses for the next hops. Use the group-type [ inet | inet6 | layer-2 ] statement at the [edit forwarding-options next-hop-group next-hop-group-name] hierarchy level to establish the next-hop groups. (The inet6 option is available starting in Junos OS Release 14.2.) You can reference more than one port-mirroring instance in a filter on MX Series routers. Use the port-mirror-instance instance-name statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to refer to one of several port-mirroring instances.

Note

On MX Series routers with MPCs, port-mirroring instances can be bound only at the FPC level, not at the PIC level. On MX Series routers with a DPC card, both levels are supported.

On M Series, MX Series, and T Series routers only, you can configure port mirroring using next-hop groups, also known as multipacket port mirroring, without the presence of a Tunnel PIC. To configure this functionality, include the next-hop-group statement at the [edit forwarding-options port-mirror family [inet | inet6] output] hierarchy level (the inet6 option is available starting in Junos OS Release 14.2) or at the [edit forwarding-options port-mirror instance instance-name family inet output] hierarchy level:

You define the next-hop group by including the next-hop-group statement at the [edit forwarding-options] hierarchy level. For an example, see Examples: Configuring Port Mirroring. This configuration is supported with IPv4 and IPv6 addresses.

You can disable this configuration by including a disable or disable-all-instances statement at the [edit forwarding-options port-mirror] hierarchy level or by including a disable statement at the [edit forwarding-options port-mirror instance instance-name] hierarchy level. You can display the settings and network status by issuing the show forwarding-options next-hop-group and show forwarding-options port-mirroring operational commands.
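An added configuration example, not taken from the original page or from the Examples section below, that ties together the pieces described in this section and in Configuring Tunnels: a next-hop group of type inet with two analyzer next hops, a named port-mirroring instance whose output is that group (multipacket port mirroring without a Tunnel PIC), the FPC binding for the instance, and a filter term that selects traffic with port-mirror-instance. Interface names, addresses, MAC addresses and the instance and group names are assumed.

```junos
/* Added example: names, interfaces, addresses and MAC addresses are assumed. */
chassis {
    fpc 2 {
        /* On an MPC the instance binds at FPC level; at most two per FPC. */
        port-mirror-instance pm-dns;
    }
}
forwarding-options {
    next-hop-group analyzers {
        /* IPv4 next hops; a group should carry at least two of them. */
        group-type inet;
        interface ge-2/0/2.0 {
            next-hop 10.10.1.2;
        }
        interface ge-2/0/3.0 {
            next-hop 10.10.2.2;
        }
    }
    port-mirroring {
        instance pm-dns {
            input {
                rate 1;
            }
            family inet {
                output {
                    /* Every selected packet is replicated to each group member. */
                    next-hop-group analyzers;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter select-dns {
            term dns {
                from {
                    protocol udp;
                    port 53;
                }
                then {
                    port-mirror-instance pm-dns;
                    accept;
                }
            }
            term rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        unit 0 {
            family inet {
                filter {
                    input select-dns;
                }
                address 10.0.1.1/24;
            }
        }
    }
    ge-2/0/2 {
        unit 0 {
            family inet {
                address 10.10.1.1/24 {
                    /* Static ARP for each Ethernet-attached analyzer. */
                    arp 10.10.1.2 mac 00:05:85:00:00:02;
                }
            }
        }
    }
    ge-2/0/3 {
        unit 0 {
            family inet {
                address 10.10.2.1/24 {
                    arp 10.10.2.2 mac 00:05:85:00:00:03;
                }
            }
        }
    }
}
```

After committing, show forwarding-options next-hop-group and show forwarding-options port-mirroring confirm that the group members are up and that the instance is bound; a member whose ARP entry is missing shows as unresolved and receives no copies.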

Note

If you try to bind any derived instance to the FPC, a commit error occurs.

Configuring Inline Port Mirroring

Inline port mirroring provides you with the ability to specify instances that are not bound to the flexible PIC concentrator (FPC) in the firewall filter’s then port-mirror-instance action. This way, you are not limited to only two port-mirror instances per FPC. Inline port mirroring decouples the port-mirror destination from the input parameters like rate. While the input parameters are programmed in the switch interface board, the next-hop destination of the mirrored packet is available in the packet itself. Inline port mirroring is supported only on MX Series routers with MPCs.

Using inline port mirroring, a port-mirror instance can inherit its input parameters from another instance that it references, as shown in the following CLI configuration example:

Multiple levels of inheritance are not allowed. One instance can be referenced by multiple instances. An instance can refer only to another instance that is defined before it. Forward references are not allowed, and an instance cannot refer to itself; doing so causes an error during configuration parsing.

You can specify an instance that is not bound to the FPC in the firewall filter. The instance named in the filter must inherit from one of the two instances that are bound to the FPC. If it does not, the packet is not marked for port mirroring. If it does, the packet is sampled using the input parameters of the referenced instance, but the copy is sent to the named instance's own destination.

Filter-Based Forwarding with Multiple Monitoring Interfaces

If port-mirrored packets are to be distributed to multiple monitoring or collection interfaces based on patterns in packet headers, it is helpful to configure a filter-based forwarding (FBF) filter on the port-mirroring egress interface.

When an FBF filter is installed as an output filter, a packet that reaches the filter has already undergone at least one route lookup. After the packet is classified at the egress interface by the FBF filter, it is redirected to another routing table for an additional route lookup. The lookup in that second table (designated by an FBF routing instance) must resolve to a next hop different from the ones chosen by the tables the packet has already passed through; otherwise the packet loops inside the Packet Forwarding Engine.

For more information about FBF configuration, see the Junos OS Routing Protocols Library. For an example of FBF applied to an output interface, see Examples: Configuring Port Mirroring.

Restrictions

The following restrictions apply to port-mirroring configurations:

  • The interface you configure for port mirroring should not participate in any kind of routing activity.

  • The destination address you specify should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 10.68.9.10 and the port-mirrored traffic is sent to 10.68.20.15 for analysis, the device associated with the latter address should not know a route to 10.68.9.10. Also, it should not send the sampled packets back to the source address.

  • IPv4 and IPv6 traffic is supported. For IPv6 port mirroring, you must configure the next-hop router with an IPv6 neighbor before mirroring the traffic, similar to an ARP request for IPv4 traffic. All the restrictions applied to IPv4 configurations should also apply to IPv6.

  • On M120 and M320 Series routers, multiple next-hop mirroring is not supported.

  • Because M320 Series routers do not support multiple bindings of port-mirror instances per FPC, the port-mirror-instance action is not supported in firewall filters for these routers.

  • Port mirroring in the ingress and egress direction is not supported for link services IQ (lsq-) interfaces.

  • The PTX platform does not support egress port mirroring.

  • On M Series routers other than the M120 and M320 Series routers, only one family protocol (either IPv4 or IPv6) is supported at a time.

  • Port mirroring supports up to 16 next hops.

  • Only transit data is supported.

  • You can configure multiple port-mirroring interfaces per router.

  • On routers containing an Internet Processor II application-specific integrated circuit (ASIC), you must include a firewall filter with both the accept action and the port-mirror action modifier on the inbound interface. Do not include the discard action, or port mirroring does not work.

  • If the port-mirroring interface is a non-point-to-point interface, you must include an IP address under the port-mirroring statement to identify the other end of the link. This IP address must be reachable for you to see the sampled traffic. If the port-mirroring interface is an Ethernet interface, the router should have an Address Resolution Protocol (ARP) entry for it. The following sample configuration sets up a static ARP entry.

  • You do not need to configure firewall filters on both inbound and outbound interfaces, but at least one is necessary on the inbound interface to provide the copies of the packets to send to an analyzer.

  • Inline port mirroring is supported only on MX Series routers with MPCs.

  • Configuration for both port mirroring and traffic sampling is handled by the same daemon, so to view a trace log file for port mirroring you must configure the traceoptions option under traffic sampling.

Configuring Port Mirroring on Services Interfaces

A special situation arises when you configure unit 0 of a services interface (AS or Multiservices PIC) to be the port-mirroring logical interface, as in the following example:

Since any traffic directed to unit 0 on a services interface is targeted for monitoring (cflowd packets are generated for it), the sample port-mirroring configuration indicates that the customer wants to have cflowd records generated for the port-mirrored traffic.

However, generation of cflowd records requires the following additional configuration; if it is missing, the port-mirrored traffic is simply dropped by the services interface without generating any cflowd packets.

Note

Another way to configure sp-1/0/0 to generate cflowd records is to use only the sampling configuration, but include a firewall filter sample action instead of a port-mirror action.

Examples: Configuring Port Mirroring

The following example sends port-mirrored traffic to multiple cflowd servers or packet analyzers:

The following example demonstrates configuration of filter-based forwarding at the output interface. In this example, the packet flow follows this path:

  1. A packet arrives at interface fe-1/2/0.0 with source and destination addresses 10.50.200.1 and 10.50.100.1, respectively.

  2. The route lookup in routing table inet.0 points to the egress interface so-0/0/3.0.

  3. The output filter installed at so-0/0/3.0 redirects the packet to routing table fbf.inet.0.

  4. The packet matches the entry 10.50.100.0/25, and finally leaves the router from interface so-2/0/0.0.
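An added configuration that follows the four steps above (it is not the page's own example listing) and also illustrates the FBF mechanics described under Filter-Based Forwarding with Multiple Monitoring Interfaces. The interface names, routing table name and prefix come from the steps; the interface addresses are assumed.

```junos
/* Added example: interface addresses are assumed; interfaces, table and
   prefix follow the packet path described in the text. */
interfaces {
    fe-1/2/0 {
        unit 0 {
            family inet {
                address 10.50.200.254/24;
            }
        }
    }
    so-0/0/3 {
        unit 0 {
            family inet {
                /* Step 3: the FBF filter is applied in the output direction. */
                filter {
                    output fbf-split;
                }
                address 10.50.1.1/30;
            }
        }
    }
    so-2/0/0 {
        unit 0 {
            family inet {
                address 10.50.2.1/30;
            }
        }
    }
}
routing-options {
    static {
        /* Step 2: the first lookup in inet.0 selects so-0/0/3.0. */
        route 10.50.100.0/24 next-hop so-0/0/3.0;
    }
    interface-routes {
        /* Make the interface routes visible in fbf.inet.0 as well. */
        rib-group inet fbf-rg;
    }
    rib-groups {
        fbf-rg {
            import-rib [ inet.0 fbf.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter fbf-split {
            term lower-half {
                from {
                    destination-address 10.50.100.0/25;
                }
                then {
                    /* Redirect to the second table for another lookup. */
                    routing-instance fbf;
                }
            }
            term rest {
                then accept;
            }
        }
    }
}
routing-instances {
    fbf {
        instance-type forwarding;
        routing-options {
            static {
                /* Step 4: must resolve to a different next hop than inet.0 did,
                   here so-2/0/0.0 instead of so-0/0/3.0, or the packet loops in the PFE. */
                route 10.50.100.0/25 next-hop so-2/0/0.0;
            }
        }
    }
}
```

Destinations in 10.50.100.128/25 do not match the term, so they keep the inet.0 next hop and leave via so-0/0/3.0; only the lower half of the /24 is diverted to the second monitoring interface.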

The following example shows configuration of port mirroring using next-hop groups or multipacket port mirroring:

The following example shows configuration of port mirroring using next-hop groups or multipacket port mirroring on a T Series router:

The following example shows configuration of inline port mirroring using PM1, PM2, and PM3 as our port mirror instances.

The packets are sampled at a rate of 3, and the copy is sent to 192.0.2.3.
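An added configuration (not the page's own listing) that matches the description above and illustrates the inheritance rules from Configuring Inline Port Mirroring: PM1 and PM2 are bound to the FPC, PM3 is not bound and inherits its input parameters (rate 3) from PM1 through the input-parameters-instance statement while keeping its own destination 192.0.2.3, and the filter refers to PM3. Interface names, the FPC slot, PM2's rate and the remaining addresses and MAC addresses are assumed.

```junos
/* Added example: interface names, slot, PM2 rate, other addresses and MACs are assumed. */
chassis {
    fpc 0 {
        /* Only two instances are bound; PM3 is deliberately left unbound. */
        port-mirror-instance PM1;
        port-mirror-instance PM2;
    }
}
forwarding-options {
    port-mirroring {
        instance PM1 {
            input {
                /* one packet in three */
                rate 3;
            }
            family inet {
                output {
                    interface ge-0/0/1.0 {
                        next-hop 192.0.2.1;
                    }
                }
            }
        }
        instance PM2 {
            input {
                rate 10;
            }
            family inet {
                output {
                    interface ge-0/0/1.0 {
                        next-hop 192.0.2.2;
                    }
                }
            }
        }
        instance PM3 {
            /* Inherit rate 3 from PM1; PM1 is defined above, since a forward
               reference or a self-reference is rejected at parse time. */
            input-parameters-instance PM1;
            family inet {
                output {
                    interface ge-0/0/1.0 {
                        /* PM3's own destination */
                        next-hop 192.0.2.3;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter inline-mirror {
            term all {
                then {
                    /* An unbound instance may be named here because it inherits from PM1. */
                    port-mirror-instance PM3;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input inline-mirror;
                }
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.0.2.254/24 {
                    arp 192.0.2.1 mac 00:05:86:00:00:01;
                    arp 192.0.2.2 mac 00:05:86:00:00:02;
                    arp 192.0.2.3 mac 00:05:86:00:00:03;
                }
            }
        }
    }
}
```

Had PM3 referenced an instance that is not bound to the FPC, packets matching the filter would not be marked for mirroring at all; had PM3 itself been added to the chassis binding, the commit would fail because a derived instance cannot be bound.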

Release History Table

Release   Description
14.2R1    Starting in Junos OS Release 14.2R1, the next-hop-group statement for the port-mirroring destination is supported for inet6.
14.2      Starting in Junos OS Release 14.2, for IPv6 port mirroring to reach a next-hop destination, you can configure a next-hop-group statement at the [edit forwarding-options port-mirroring family inet6 output] hierarchy level.
14.2      The inet6 option of the group-type statement is available starting in Junos OS Release 14.2.
14.2      The inet6 option at the [edit forwarding-options port-mirror family [inet | inet6] output] hierarchy level is available starting in Junos OS Release 14.2.