Understanding Port Mirroring on EX Series Switches
Use port mirroring to facilitate analyzing traffic on your Juniper Networks EX Series Ethernet Switch on a packet level. Use port mirroring as part of monitoring switch traffic for such purposes as enforcing policies concerning network usage and file sharing, and identifying sources of problems on your network by locating abnormal or heavy bandwidth usage from particular stations or applications.
Port mirroring copies packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:
- Packets entering or exiting a port
- Packets entering a VLAN on Juniper Networks EX2200, EX3200, EX4200, or EX4500 Ethernet Switches
- Packets exiting a VLAN on Juniper Networks EX8200 Ethernet Switches
This topic describes:
- Port Mirroring Overview
- Limitations of Port Mirroring
- Port Mirroring Terminology
Port Mirroring Overview
Port mirroring is needed for traffic analysis on a switch because a switch, unlike a hub, does not broadcast packets to every port on the device. The switch sends packets only to the port to which the destination device is connected. You configure port mirroring on the switch to send copies of unicast traffic to either a local analyzer port or an analyzer VLAN. Then you can analyze the mirrored traffic using a protocol analyzer application. The protocol analyzer application can run either on a computer connected to the analyzer output interface or on a remote monitoring station.
We recommend that you disable port mirroring when you are not using it and that you select specific interfaces as input to the port mirror analyzer in preference to using the all keyword option. You can also limit the amount of mirrored traffic by using statistical sampling, setting a ratio to select a statistical sample, or using a firewall filter. Mirroring only the necessary packets reduces any potential performance impact.
With local port mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. You should consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.
You can use port mirroring on a switch to mirror any of the following:
- Packets entering or exiting a port—You can mirror the packets in any combination (on up to 256 ports). For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.
- Packets entering a VLAN on an EX2200, EX3200, EX4200, or EX4500 switch—You can mirror the packets entering a VLAN on these switches to either a local analyzer port or to an analyzer VLAN. (On EX3200, EX4200, and EX4500 switches, you can configure multiple VLANs [up to 256 VLANs], including a VLAN range and PVLANs, as ingress input to an analyzer.)
- Packets exiting a VLAN on an EX8200 switch—You can mirror the packets exiting a VLAN on an EX8200 switch to either a local analyzer port or to an analyzer VLAN. You can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as egress input to an analyzer.
- Statistical sample—You can mirror a statistical sample of packets that are:
  - Entering or exiting a port
  - Entering a VLAN on an EX2200, EX3200, EX4200, or EX4500 switch
  - Exiting a VLAN on an EX8200 switch

  You specify the sample number of packets by setting the ratio. You can send the sample to either a local analyzer port or to an analyzer VLAN.
- Policy-based sample—You can mirror a policy-based sample of packets that are:
  - Entering or exiting a port
  - Entering a VLAN on an EX2200, EX3200, EX4200, or EX4500 switch
  - Exiting a VLAN on an EX8200 switch

  You configure a firewall filter to establish a policy to select certain packets. You can send the sample to a local analyzer port or to an analyzer VLAN.
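The following configuration is an added illustration, not taken from the original page or from Juniper's own examples, of a native analyzer session (one with both input and output stanzas) that mirrors traffic entering two access ports and a VLAN, traffic exiting one of those ports, and samples 1 of every 200 packets. The analyzer name, interface names and VLAN name are constructed; the `ethernet-switching-options analyzer` hierarchy is assumed to be the one used by Junos OS for EX Series switches of this generation, since the page does not state the hierarchy itself.

```junos
/* Added example (not from the page): native analyzer session.
   Names employee-monitor, ge-0/0/0, ge-0/0/1, ge-0/0/10 and employee-vlan
   are constructed; the hierarchy is assumed for Junos OS for EX Series. */
ethernet-switching-options {
    analyzer {
        employee-monitor {
            /* Statistical sampling: ratio 1:200, so 1 of every 200 packets
               is copied. The page gives the valid range as 1 through 2047. */
            ratio 200;
            input {
                ingress {
                    /* Specific interfaces are named instead of the all keyword,
                       as the page recommends, to limit mirrored volume. */
                    interface ge-0/0/0.0;
                    interface ge-0/0/1.0;
                    /* Packets entering a VLAN (EX2200/EX3200/EX4200/EX4500) */
                    vlan employee-vlan;
                }
                egress {
                    interface ge-0/0/0.0;
                }
            }
            output {
                /* Monitor port. Must be family ethernet-switching and must not
                   also appear as an input interface of the analyzer. */
                interface {
                    ge-0/0/10.0;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
```

Before committing, compare the expected mirrored load (ingress on two ports plus egress on one, divided by the ratio) with the bandwidth of the output interface: anything above its capacity is dropped as overflow, so the analyzer silently sees a subset of traffic. When the capture is finished, `deactivate ethernet-switching-options analyzer employee-monitor` followed by `commit` turns the session off without discarding the configuration, which matches the page's advice to disable port mirroring when it is not in use.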
Note: Juniper Networks Junos operating system (Junos OS) for EX Series switches implements port mirroring differently than other Junos OS packages. Junos OS for EX Series switches does not include the port-mirroring statement found in the edit forwarding-options level of the hierarchy of other Junos OS packages, nor the port-mirror action in firewall filter terms.
Limitations of Port Mirroring
Port mirroring on EX Series switches has the following limitations:
- On an EX2200, EX3200, EX4200, or EX4500 switch, you can enable only one analyzer (port mirroring configuration).
- On an EX8208 or an EX8216 switch, you can enable a maximum of seven analyzers (port mirroring configurations).
- Packets with physical layer errors are filtered out and thus are not sent to the analyzer port or analyzer VLAN.
- You cannot mirror packets exiting or entering the following ports:
  - Dedicated Virtual Chassis ports (VCPs)
  - Management port (me0 or vme0)
  - Routed VLAN interfaces (RVIs)
- On EX8200 switches, you can set a ratio only for ingress packets.
- On EX2200, EX3200, EX4200, and EX4500 switches, mirrored packets exiting a tagged interface might contain an incorrect VLAN ID.
- On EX2200, EX3200, EX4200, and EX4500 switches, tagged packets mirrored to an analyzer port might contain an incorrect Ethertype.
- On an EX2200 switch, you cannot configure multiple VLANs (including a VLAN range or PVLANs) as ingress input to an analyzer.
Table 1 lists some port mirroring terms and their descriptions.
Port Mirroring Terminology
Table 1: Port Mirroring Terminology
| Term | Description |
|---|---|
| Analyzer | A port-mirroring configuration on an EX Series switch. The analyzer includes: |
| Analyzer output interface (also known as monitor port) | Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected. Note: Interfaces used as output for a port mirror analyzer must be configured as family ethernet-switching. Among the limitations of analyzer output interfaces: if the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped. |
| Analyzer VLAN (also known as monitor VLAN) | VLAN to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The monitor VLAN is spread across the switches in your network. |
| Firewall-based analyzer | An analyzer session that has only an "output" stanza. A firewall-based analyzer must be used along with a firewall filter to achieve the functionality of an analyzer. |
| Input interface (also known as mirrored ports or monitored interfaces) | An interface on the switch that is being mirrored, either on traffic entering or exiting the interface. An input interface cannot also be an output interface for an analyzer. |
| Mirror ratio | See statistical sampling. |
| Monitoring station | A computer running a protocol analyzer application. |
| Native analyzer session | An analyzer session that has both "input" and "output" stanzas. |
| Policy-based mirroring | Mirroring of packets that match the match items in the defined firewall filter term. The action item analyzer analyzer-name is used in the firewall filter to send the packets to the port mirror analyzer. |
| Protocol analyzer application | An application used to examine packets transmitted across a network segment. Also commonly called network analyzer, packet sniffer, or probe. |
| Remote port mirroring | Functions the same as local port mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded into an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic. In the intermediate switch, you can avoid flooding of the mirrored traffic to the member ports of the VLAN by setting the "ingress only" attribute on the incoming ports of the VLAN and the "egress only" attribute on the outgoing port of the VLAN. |
| Statistical sampling | You can configure the system to mirror a sampling of the packets by setting a ratio of 1:x, where x is a value from 1 through 2047. For example, when the ratio is set to 1, all packets are copied to the analyzer. When the ratio is set to 200, 1 of every 200 packets is copied. |
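As an added illustration of the firewall-based analyzer and policy-based mirroring terms above (constructed for this page, not Juniper's own example), the following configuration defines an analyzer with only an output stanza and a firewall filter whose term sends matching packets to it with the `analyzer analyzer-name` action. The analyzer name, filter and term names, interface names and the 192.0.2.16/28 prefix are constructed; the `ethernet-switching-options analyzer` and `firewall family ethernet-switching` hierarchies are assumed for Junos OS for EX Series switches and are not quoted from this page.

```junos
/* Added example (not from the page): firewall-based analyzer driven by a
   firewall filter. All names and the 192.0.2.16/28 prefix are constructed;
   the hierarchies are assumed for Junos OS for EX Series switches. */
ethernet-switching-options {
    analyzer {
        /* Firewall-based analyzer: output stanza only, no input stanza.
           Traffic reaches it solely through the filter action below. */
        corp-server-monitor {
            output {
                interface {
                    ge-0/0/10.0;
                }
            }
        }
    }
}
firewall {
    family ethernet-switching {
        filter watch-corp-servers {
            /* Policy: mirror only packets bound for the server subnet. */
            term to-corp-servers {
                from {
                    destination-address 192.0.2.16/28;
                }
                then {
                    accept;
                    analyzer corp-server-monitor;
                }
            }
            /* Explicit final accept: a Junos filter ends with an implicit
               discard, so omitting this term would drop all other traffic. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                /* Apply the filter to traffic entering the monitored port. */
                filter {
                    input watch-corp-servers;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            /* Analyzer output interface must be family ethernet-switching. */
            family ethernet-switching;
        }
    }
}
```

The filter does the packet selection, so the analyzer carries no input interfaces or VLANs; this keeps the mirrored volume to the packets the policy cares about, which is the page's recommended way to limit the performance impact of mirroring. The final accept term matters for availability: because a filter that matches nothing discards, a filter written for mirroring alone can otherwise black-hole the port it is applied to.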
Related Topics
- Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches
- Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX Series Switches
- Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) or Configuring Port Mirroring to Analyze Traffic (CLI Procedure)
- Firewall Filter Match Conditions and Actions for EX Series Switches

