Applying Layer 2 Port Mirroring to a Logical Interface

1. Configure the underlying physical interface for the logical interface.

   1. Enable configuration of the underlying physical interface:

      [edit]user@host# edit interfaces interface-name

      Note: A port-mirroring firewall filter can also be applied to an aggregated-Ethernet logical interface.

   2. For Fast Ethernet and Gigabit Ethernet interfaces and aggregated Ethernet interfaces configured for VPLS, enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface:

      [edit interfaces interface-name]user@host# set vlan-tagging

   3. For Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID, set the logical link-layer encapsulation type:

      [edit interfaces interface-name]user@host# set encapsulation extended-vlan-bridge

2. Configure the logical interface to which you want to apply a Layer 2 port-mirroring firewall filter.

   1. Specify the logical unit number:

      [edit interfaces interface-name]user@host# edit unit logical-unit-number

   2. For a Fast Ethernet, Gigabit Ethernet, or Aggregated Ethernet interface, bind an 802.1Q VLAN tag ID to the logical interface:

      [edit interfaces interface-name unit logical-unit-number]user@host# set vlan-id number

3. Enable specification of an input or output filter to be applied to Layer 2 packets that are part of bridging domain, Layer 2 switching cross-connects, or virtual private LAN service (VPLS).

   • If the filter is to be evaluated when packets are received on the interface:

     [edit interfaces interface-name unit logical-unit-number]user@host# set family family filter input pm-filter-name-a

   • If the filter is to be evaluated when packets are sent on the interface:

     [edit interfaces interface-name unit logical-unit-number]user@host# set family family filter output pm-filter-name-b
   The value of the family option can be bridge, ccc, or vpls.

   Note: If port-mirroring firewall filters are applied at both the input and output of a logical interface, two copies of each packet are mirrored. To prevent the router from forwarding duplicate packets to the same destination, include the optional mirror-once statement at the [edit forwarding-options] hierarchy level.

4. Verify the minimum configuration for applying a named Layer 2 port mirroring firewall filter to a logical interface:

   [edit interfaces interface-name unit logical-unit-number family family filter ... ]user@host# top[edit]user@host# show interfaces interfaces {interface-name {vlan-tagging;encapsulation extended-vlan-bridge;unit number { # Apply a filter to the input of this interfacevlan-id number;family (bridge | ccc | vpls) {filter {input pm-filter-for-logical-interface-input;}}}unit number { # Apply a filter to the output of this interface vlan-id number;family (bridge | ccc | vpls) {filter {output pm-filter-for-logical-interface-output;}}}}}