[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Port Mirroring

On routing platforms containing an Internet Processor II ASIC, you can send a copy of an IPv4 packet from the routing platform to an external host address or a packet analyzer for analysis. This is known as port mirroring.

Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the packet header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.

One application for port mirroring sends a duplicate packet to a virtual tunnel. Then, a next-hop group can be configured to forward copies of this duplicate packet to several interfaces. For more information about next-hop groups, see Configuring a Next-Hop Group.

To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level:



[edit forwarding-options]

port-mirroring {


family (inet | inet6) {


input {
rate number;
run-length number;
}




output {


interface interface-name {
next-hop address;
}


no-filter-check;
}


}


}

To configure port mirroring, include the port-mirroring statement. To configure the address family, rate of sampling, and length of sampling for port mirroring, include the input statement. To specify on which interface to send duplicate packets and the next-hop address to send packets, include the output statement. To see if there are any filters on the specified interface, include the no-filter-check statement.

For information about the rate and run-length statements, see Configuring Traffic Sampling.

In typical applications, you send the sampled packets to an analyzer or a workstation for analysis, not to another router. If you must send this traffic over a network, you should use tunnels. For more information about tunnel interfaces, see the JUNOS Network Interfaces Configuration Guide.

Beginning with JUNOS release 9.3, port mirroring is supported for Layer 2 traffic on MX-series routers only. For information about how to configure, see the MX-series Layer 2 Configuration Guide.

The following restrictions apply:

You can configure port mirroring for IPv4 and IPv6 simultaneously on the M120 and M320 routers and the MX-series routers.
You can configure either IPv4 or IPv6 port mirroring but not both on M-series routers, except for the M120 and M320 routers, which support port mirroring for IPv4 and IPv6 simultaneously.
You cannot configure firewall filters on the port-mirroring interface.
The interface you configure for port mirroring should not participate in any kind of routing activity.
The destination address you specify should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 190.68.9.10 and the port-mirrored traffic is sent to 190.68.20.15 for analysis, the device associated with the latter address should not know a route to 190.68.9.10. Also, it should not send the sampled packets back to the source address.
Only transit data is supported.
You can configure only one port-mirroring interface per router. If you include more than one interface in the port-mirroring statement, the previous one is overwritten.
You must include a firewall filter with both the accept action and the port-mirror action modifier on the inbound interface. Do not include the discard action, or port mirroring will not work.

[Contents] [Prev] [Next] [Index] [Report an Error]