Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring Port Mirroring to Analyze Traffic (CLI Procedure)

    EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

    • Packets entering or exiting a port
    • Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4500, or EX6200 switches
    • Packets exiting a VLAN on EX8200 switches

    Best Practice: Mirror only necessary packets to reduce potential performance impact. We recommend that you:

    • Disable your configured port mirroring analyzers when you are not using them.
    • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.
    • Limit the amount of mirrored traffic by:
      • Using statistical sampling.
      • Setting ratios to select statistical samples.
      • Using firewall filters.

    Note: If you want to create additional analyzers without deleting the existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command or the J-Web configuration page for port mirroring.

    Note: Interfaces used as output for an analyzer must be configured as family ethernet-switching.

    Configuring Port Mirroring for Local Traffic Analysis

    To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:

    1. Choose a name for the analyzer—in this case, employee-monitor—and specify the input—in this case, packets entering ge-0/0/0 and ge-0/0/1:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor input (Port Mirroring) ingress interface ge–0/0/0.0
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor input ingress interface ge–0/0/1.0
    2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor ratio 200

      When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch. On EX8200 switches, you can set a ratio only for ingress packets.

    3. Configure the destination interface for the mirrored packets:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor output (Port Mirroring) interface ge-0/0/10.0

    Configuring Port Mirroring for Remote Traffic Analysis

    To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

    1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this documentation:
      [edit]
      user@switch# set vlans remote-analyzer vlan-id 999
    2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:
      [edit]
      user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
    3. Configure the analyzer:
      1. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor loss-priority (Port Mirroring) high
      2. Specify the traffic to be mirrored—in this example the packets entering ports ge-0/0/0 and ge-0/0/1:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
      3. Specify the remote-analyzer VLAN as the output for the analyzer:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor output (Port Mirroring) vlan 999
    4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
      [edit ethernet-switching-options]
      user@switch# set analyzer employee-monitor ratio 200

      When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

    Filtering the Traffic Entering an Analyzer

    To filter which packets are mirrored to an analyzer, create the analyzer and then use it as the action in the firewall filter. You can use firewall filters in both local and remote port mirroring configurations.

    If the same analyzer is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once.

    To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. The action of the firewall filter provides the input to the analyzer.

    To configure port mirroring with filters:

    1. Configure the analyzer name (here, employee-monitor) and the output:
      1. For local analysis, set the output to the local interface to which you will connect the computer running the protocol analyzer application:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
      2. For remote analysis, set the loss priority to high and set the output to the remote-analyzer VLAN:
        [edit ethernet-switching-options]
        user@switch# set analyzer employee-monitor loss-priority high output vlan 999
    2. Create a firewall filter using any of the available match conditions and specify the action as analyzer employee-monitor:

      This step shows a firewall filter called example-filter, with two terms:

      1. Create the first term to define the traffic that should not pass through to the analyzer:
        [edit firewall family ethernet-switching]
        user@switch# set filter (Firewall Filters) example-filter term no-analyzer from source-address ip-address
        [edit firewall family ethernet-switching]
        user@switch# set filter example-filter term no-analyzer from destination-address ip-address
        [edit firewall family ethernet-switching]
        user@switch# set filter example-filter term no-analyzer then accept
      2. Create the second term to define the traffic that should pass through to the analyzer:
        [edit firewall family ethernet-switching]
        user@switch# set filter example-filter term to-analyzer from destination-port 80
        [edit firewall family ethernet-switching]
        user@switch# set filter example-filter term to-analyzer then analyzer employee–monitor
        [edit firewall family ethernet-switching]
        user@switch# set filter example-filter term to-analyzer then accept
    3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:
      [edit]
      user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input example-filter
      [edit]
      user@switch# set vlan (802.1Q Tagging) remote-analyzer filter input example-filter
     

    Related Documentation

     

    Published: 2012-12-07

    Previous Page Next Page