
    Understanding Port Mirroring

    Port Mirroring Overview

    Port mirroring copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface for local monitoring or to a VLAN for remote monitoring. Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on.

    Port mirroring is needed for traffic analysis on a switch because a switch normally sends packets only to the port to which the destination device is connected. You configure port mirroring on the switch to send copies of unicast traffic to a local interface or a VLAN and run an analyzer application on a device connected to the interface or VLAN. You configure port mirroring by using the analyzer statement.

    Keep performance in mind when configuring port mirroring. For example, if you mirror traffic from multiple ports, the mirrored traffic may exceed the capacity of the output interface. We recommend that you limit the amount of copied traffic by selecting specific interfaces instead of using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter. Mirroring only the necessary packets reduces the possibility of a performance impact.

    You can use port mirroring to copy any of the following:

    • All packets entering or exiting an interface (in any combination)—For example, you can send copies of the packets entering some interfaces and the packets exiting other interfaces to the same local interface or VLAN. If you configure port mirroring to copy packets exiting an interface, traffic that originates on that switch or Node device (in a QFabric system) is not copied when it egresses. Only switched traffic is copied on egress. (See the limitation on egress mirroring below.)
    • All packets entering a VLAN—You cannot use port mirroring to copy packets exiting a VLAN.
    • Firewall-filtered sample—Sample of packets entering a port or VLAN. Configure a firewall filter to select certain packets for mirroring.

      Note: Firewall filters are not supported on egress ports; therefore, you cannot specify policy-based sampling of packets exiting an interface.

    Port-Mirroring Terminology

    Term / Description

    Analyzer

    Port-mirroring configuration. The analyzer includes a name, source interfaces or a source VLAN, and a destination for mirrored packets (either a local access interface or a VLAN).

    Output interface (also known as monitor interface)

    Access interface to which packet copies are sent and to which a device running an analyzer application is connected.

    The following limitations apply to an output interface:

    • Cannot also be a source port.
    • Cannot be used for switching.
    • Cannot be an aggregated Ethernet interface (LAG).
    • Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP).
    • Loses any existing VLAN associations when you configure it as an analyzer output interface.

    If the capacity of the output interface is insufficient to handle the traffic from the source ports, overflow packets are dropped.

    Output VLAN

    Also known as monitor or analyzer VLAN

    VLAN to which copies are sent and to which a device running an analyzer application is connected. The analyzer VLAN can span multiple switches.

    The following limitations apply to an output VLAN:

    • Cannot be a private VLAN or VLAN range.
    • Cannot be shared by multiple analyzer statements.
    • An output VLAN interface cannot be a member of any other VLAN.
    • An output VLAN interface cannot be an aggregated Ethernet interface (LAG).
    • On the source (monitored) switch, only one interface can be a member of the analyzer VLAN.

    Input interface (also known as mirrored or monitored interface)

    Interface that provides traffic to be mirrored. This traffic can be entering or exiting the interface. (Ingress or egress traffic can be mirrored.) An input interface cannot also be an output interface for an analyzer.

    Monitoring station

    Computer running an analyzer application.

    Remote port mirroring

    Packet copies are flooded to an analyzer VLAN that you create specifically to receive mirror traffic, instead of being sent to an access interface.

    Policy-based mirroring

    Mirroring of packets that match a firewall filter term. The action analyzer analyzer-name is used in the firewall filter to send the matching packets to the analyzer.

    Port Mirroring Constraints and Limitations

    Local and Remote Port Mirroring

    The following constraints and limitations apply to local and remote port mirroring with the QFX Series:

    • You can create a total of four port-mirroring configurations on QFX Series switches (including QFabric systems), subject to the following limits:
      • There can be no more than two configurations that mirror ingress traffic.
      • There can be no more than two configurations that mirror egress traffic.
    • You cannot configure local and remote port mirroring with the same port-mirroring configuration. That is, you cannot use the interface and vlan options in one set analyzer name output statement.
    • If you configure Junos OS to mirror egress packets, do not configure more than 2000 VLANs on a QFX3500 device or QFabric system. If you do so, some VLAN packets might contain incorrect VLAN IDs. This applies to any VLAN packets—not only the mirror copies.
    • The ratio and loss-priority options are not supported.
    • Packets with physical layer errors are filtered out and are not sent to the output port or VLAN.
    • If you use sFlow monitoring to sample traffic, it does not sample the mirror copies when they egress from the output interface.
    • You cannot mirror packets exiting or entering the following ports:

      • Dedicated Virtual Chassis interfaces
      • Management interfaces (me0 or vme0)
      • Fibre Channel interfaces
      • Routed VLAN interfaces
    • When packet copies are sent out the output interface, they are not modified for any changes that are normally applied on egress, such as CoS rewriting.
    • An interface can be the input interface for only one mirroring configuration. Do not use the same interface as the input interface for multiple mirroring configurations.
    • (QFabric systems only) If you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on different Node devices, the mirror copies have incorrect VLAN IDs. This limitation does not apply if you configure a QFabric analyzer to mirror egress traffic and the input and output interfaces are on the same Node device. In this case the mirror copies will have the correct VLAN IDs (as long as you do not configure more than 2000 VLANs on the QFabric system).
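    As an added example (not Juniper code), the following Python checker parses a constructed set of analyzer statements and flags violations of the limits listed above: at most four analyzers, no more than two mirroring ingress and two mirroring egress, no interface and vlan in one output statement, no input interface shared between analyzers, and no output interface that is also an input. It assumes the analyzer is configured under the ethernet-switching-options hierarchy and models only the input/output statements; the interface and VLAN names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not from the page): a local analyzer and a remote (VLAN) analyzer.
SAMPLE_CONFIG = """
set ethernet-switching-options analyzer local-mon input ingress interface xe-0/0/0.0
set ethernet-switching-options analyzer local-mon input egress interface xe-0/0/1.0
set ethernet-switching-options analyzer local-mon output interface xe-0/0/10.0
set ethernet-switching-options analyzer remote-mon input ingress interface xe-0/0/2.0
set ethernet-switching-options analyzer remote-mon output vlan remote-analyzer
"""

# Assumed hierarchy; only analyzer input/output statements are modelled, others are skipped.
LINE_RE = re.compile(r"^set ethernet-switching-options analyzer (\S+) "
                     r"(?:input (ingress|egress) interface (\S+)|output (interface|vlan) (\S+))$")


def parse_analyzers(config):
    """Return {name: {"ingress": set, "egress": set, "output": {kind: value}}}."""
    analyzers = defaultdict(lambda: {"ingress": set(), "egress": set(), "output": {}})
    for line in config.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, direction, iface, out_kind, out_val = m.groups()
        if direction:
            analyzers[name][direction].add(iface)
        else:
            analyzers[name]["output"][out_kind] = out_val
    return dict(analyzers)


def check_limits(analyzers):
    """List violations of the QFX limits stated on this page (empty list means clean)."""
    problems = []
    if len(analyzers) > 4:
        problems.append(f"{len(analyzers)} analyzers configured; at most 4 allowed")
    for direction in ("ingress", "egress"):
        n = sum(1 for a in analyzers.values() if a[direction])
        if n > 2:
            problems.append(f"{n} analyzers mirror {direction} traffic; at most 2 allowed")
    owner = {}  # input interface -> analyzer that uses it
    for name, a in analyzers.items():
        for iface in a["ingress"] | a["egress"]:
            if owner.setdefault(iface, name) != name:
                problems.append(f"{iface} is an input for both {owner[iface]} and {name}")
    for name, a in analyzers.items():
        out = a["output"]
        if "interface" in out and "vlan" in out:
            problems.append(f"{name}: output cannot use both interface and vlan")
        if out.get("interface") in owner:
            problems.append(f"{name}: output interface {out['interface']} is also an input")
    return problems
```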

    Remote Port Mirroring Only

    The following constraints and limitations apply to remote port mirroring with the QFX Series:

    • The output VLAN cannot be a private VLAN or VLAN range.
    • An output VLAN cannot be shared by multiple analyzer statements.
    • An output VLAN interface cannot be a member of any other VLAN.
    • An output VLAN interface cannot be an aggregated Ethernet interface (LAG).
    • On the source (monitored) switch, only one interface can be a member of the analyzer VLAN.

    Published: 2012-10-31