Restrictions on Layer 2 Port Mirroring

• Only Layer 2 transit data (packets that contain chunks of data transiting the routing platform as they are forwarded from a source to a destination) can be mirrored. Layer 2 local data (packets that contain chunks of data that are destined for or sent by the Routing Engine, such as Layer 2 control packets) are not mirrored.
• If you apply a port-mirroring filter to the output of a logical interface, only unicast packets are mirrored. To mirror broadcast packets, multicast packets, unicast packets with an unknown destination media access control (MAC) address, or packets with MAC entry in the destination MAC (DMAC) routing table, apply a filter to the input to the flood table of a bridge domain or virtual private LAN service (VPLS) routing instance.
• The mirror destination device should be on a dedicated bridge domain and should not participate in any bridging activity: The mirror destination device should not have a bridge to the ultimate traffic destination, and the mirror destination device should not send the mirrored packets back to the source address.
• For either the global port-mirroring instance or a named port-mirroring instance, you can configure only one mirror output interface per port-mirroring instance and packet address family. If you include more than one interface statement under the family (bridge | ccc | vpls) output statement, the previous interface statement is overridden.
• Layer 2 port-mirroring firewall filtering is not supported for logical systems.

  In a Layer 2 port-mirroring firewall filter definition, the filter action-modifier (port-mirror or port-mirror-instance pm-instance-name) relies on port-mirroring properties defined in the global instance or named instances of Layer 2 port mirroring, which are configured under the [edit forwarding-options port-mirroring] hierarchy. Therefore, the filter term cannot support Layer 2 port mirroring for logical systems.

• For a Layer 2 port mirroring firewall filter in which you implicitly reference Layer 2 port mirroring properties by including the port-mirror statement, if multiple named instances of Layer 2 port mirroring are bound to the underlying physical interface, then only the first binding in the stanza (or the only binding) is used at the logical interface. This is done mainly for backward compatibility.
• Layer 2 port-mirroring firewall filters do not support the use of next-hop subgroups for load-balancing mirrored traffic.