Example: Configuring Port Mirroring for Local Analysis
Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring copies packets entering or exiting an interface or entering a VLAN and sends the copies to a local interface for local monitoring.
This example describes how to configure port mirroring to copy traffic sent by employee computers to a switch to an access interface on the same switch.
Requirements
This example uses the following hardware and software components:
- Junos OS Release 11.1
- A switch
Overview and Topology
This topic includes two related examples that describe how to mirror traffic entering interfaces on the switch to an access interface on the same switch. The first example shows how to mirror all traffic sent by employee computers to the switch. The second example includes a filter to mirror only the employee traffic going to the Web.
In this example, xe-0/0/0 and xe-0/0/6 serve as connections for employee computers. Interface xe-0/0/47 is connected to a device running an analyzer application.
 | Note: Multiple ports mirrored to one interface can cause buffer overflow and dropped packets. |
Figure 1 shows the network topology for this example.
Figure 1: Network Topology for Local Port Mirroring Example
Mirroring All Employee Traffic for Local Analysis
To configure port mirroring for all traffic sent by employee computers for local analysis, perform the tasks explained in this section.
CLI Quick Configuration
To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into a switch terminal window:
[edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching set interfaces xe-0/0/6 unit 0 family ethernet-switching set interfaces xe-0/0/47 unit 0 family ethernet-switching set ethernet-switching options analyzer employee-monitor
input ingress interface xe-0/0/0.0 set ethernet-switching options analyzer employee-monitor
input ingress interface xe-0/0/6.0 set ethernet-switching options analyzer employee-monitor
output interface xe-0/0/47.0Step-by-Step Procedure
To configure an analyzer called employee-monitor and specify the input (source) interfaces and the output interface:
- Configure the interfaces connected to employee computers
as input interfaces for the port-mirror analyzer employee-monitor:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface xe–0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface xe–0/0/6.0 - Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored
packets:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface xe-0/0/47.0
Results
Check the results of the configuration:
Mirroring Employee-to-Web Traffic for Local Analysis
To mirror only traffic sent by employees to the Web for local analysis, perform the tasks explained in this section.
CLI Quick Configuration
To quickly configure local port mirroring of traffic from employee computers that is destined for the Web, copy the following commands and paste them into a switch terminal window:
[edit] set ethernet-switching-options analyzer employee–web–monitor
output interface xe-0/0/47.0 set firewall family ethernet-switching filter
watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter
watch-employee term employee-to-corp from source-address 192.0.2.16/28 set firewall family ethernet-switching filter
watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter
watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter
watch-employee term employee-to-web then analyzer employee-web-monitor set interfaces xe-0/0/0 unit 0 family ethernet-switching
filter input watch-employee set interfaces xe-0/0/6 unit 0 family ethernet-switching
filter input watch-employeeStep-by-Step Procedure
To configure local port mirroring of employee-to-web traffic from the two ports connected to employee computers:
- Configure the output interface:
[edit interfaces]
user@switch# set xe-0/0/47 unit 0 family ethernet-switching - Configure the employee-web-monitor analyzer output.
(Configure only the output—the input comes from the filter.)
[edit ethernet-switching-options]
user@switch# set analyzer employee-web-monitor output interface xe-0/0/47.0 - Configure a firewall filter called watch-employee that includes a term to match traffic sent to the Web and send it
to the analyzer employee-web-monitor. Traffic to and from
the corporate subnet (destination or source address of 192.0.2.16/28) does not need to be copied, so create another term to accept that
traffic before it reaches the term that sends Web traffic to the analyzer:
[edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor - Apply the firewall filter to the appropriate interfaces
as an ingress filter (egress filters do not allow analyzers):
[edit interfaces]
user@switch# set xe-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set xe-0/0/6 unit 0 family ethernet-switching filter input watch-employee
Results
Check the results of the configuration:
Verification
Verifying That the Analyzer Has Been Correctly Created
Purpose
Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.
Action
You can verify that the port mirror analyzer has been configured as expected using the show analyzer command.
user@switch> show analyzerAnalyzer name : employee-monitor Output interface : xe-0/0/47.0 Mirror ratio : 1 Loss priority : Low Ingress monitored interfaces : xe-0/0/0.0 Ingress monitored interfaces : xe-0/0/6.0 Egress monitored interfaces : None
Meaning
This output shows that the employee-monitor analyzer:
- Has a ratio of 1 (mirroring every packet, the default setting)
- Has a loss priority of low (set this option to high only when the analyzer output is to a VLAN)
- Is mirroring the traffic entering the xe-0/0/0 and xe-0/0/6 interfaces
- Is sending the mirrored traffic to the xe-0/0/47 interface
