
Configuration Guidelines for Port Mirroring on EX Series Switches

 

When you configure port mirroring on EX Series switches, follow the guidelines below so that the analyzer receives the traffic you actually need to inspect without consuming switch resources or dropping packets on the output port.

Best Practice

Mirror only necessary packets to reduce potential performance impact. We recommend that you:

  • Disable your configured port mirroring analyzers when you are not using them.

  • Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

  • Limit the amount of mirrored traffic by:

    • Using statistical sampling.

    • Setting ratios to select statistical samples.

    • Using firewall filters.

With local mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. Thus, while configuring an analyzer, you must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.
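The configuration below is an added illustration of these guidelines and is not taken from the Juniper page. It uses the non-ELS ethernet-switching-options analyzer syntax that this page refers to (ELS platforms such as EX2300, EX3400, and EX4300 use forwarding-options analyzer instead). The analyzer names, interface names, the 192.0.2.0/24 server subnet, and the filter match terms are assumptions chosen for the example. The first analyzer names its input interfaces explicitly and uses a ratio so that the mirrored load cannot exceed the output port; the second analyzer is fed only by a firewall filter, so only the selected flows are copied and the filter is applied as an input (ingress) filter because filter-based mirroring cannot mirror egress traffic.

```junos
/* Added example, not Juniper's own configuration. Assumed names:
   analyzers server-monitor and web-monitor, inputs ge-0/0/1 and
   ge-0/0/2, dedicated analyzer ports ge-0/0/23 and ge-0/0/22.
   Capacity check for server-monitor: two 1-Gbps ports mirrored in
   both directions can produce up to 4 Gbps toward a 1-Gbps output
   port, so a ratio of 4 keeps the mirrored stream at roughly line
   rate of the output port instead of overrunning it. */
ethernet-switching-options {
    analyzer server-monitor {
        /* mirror 1 of every 4 packets (statistical sampling) */
        ratio 4;
        loss-priority high;
        input {
            ingress {
                /* name the ports, do not mirror all interfaces */
                interface ge-0/0/1.0;
                interface ge-0/0/2.0;
            }
            egress {
                interface ge-0/0/1.0;
                interface ge-0/0/2.0;
            }
        }
        output {
            /* port reserved for the analyzer host only */
            interface ge-0/0/23.0;
        }
    }
    /* Filter-based analyzer: no input block here; the firewall filter
       action below selects which packets are copied. */
    analyzer web-monitor {
        loss-priority high;
        output {
            interface ge-0/0/22.0;
        }
    }
}
firewall {
    family ethernet-switching {
        filter watch-web {
            term to-web-servers {
                from {
                    /* assumed server subnet and service port */
                    destination-address 192.0.2.0/24;
                    destination-port 443;
                }
                then {
                    accept;
                    analyzer web-monitor;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                filter {
                    /* ingress only: filter-based mirroring does not
                       mirror packets egressing a port */
                    input watch-web;
                }
            }
        }
    }
}
```

When an analyzer is not in use, park it rather than deleting it: in configuration mode, deactivate ethernet-switching-options analyzer web-monitor followed by commit removes it from the active session while keeping its definition, and activate restores it. This is also how you stay within the per-platform limit on concurrently enabled analyzers when more analyzers are configured than the switch can run at once.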

EX2300, EX3200, EX3400, and EX4300 switches support only one port mirroring session. You can configure more than one analyzer on these switches, but only one of them can be enabled at a time; disable the others until you need them. Table 1 summarizes further configuration guidelines for port mirroring on the switches.

Table 1: Configuration Guidelines for Port Mirroring

Each entry below gives the Guideline, the Description (the value or platform it applies to), and, where the table has one, a Comment.

Note: “All other switches” or “All switches” in the Description column applies to switch platforms that support port mirroring. For details on platform support, see Feature Explorer.

Guideline: Number of VLANs that you can use as ingress input to an analyzer
Description:
  • 1—EX2300 switches
  • 256—EX3200, EX4300, EX4500, EX4600, and EX6200 switches
  • Does not apply—EX8200 switches

Guideline: Number of analyzers that you can enable concurrently
Description:
  • 1—EX2300, EX3200, EX3400, EX4300, and EX6200 switches
  • 7 port-based or 1 global—EX4500 and EX4600 switches
  • 7 total, with one based on a VLAN, firewall filter, or LAG and with the remaining 6 based on firewall filters—EX8200 switches
    Note: An analyzer configured using a firewall filter does not support mirroring of packets that are egressing ports.
Comment:
  • You can configure more than the specified number of analyzers on the switch, but you can enable only the specified number for a session. Use disable ethernet-switching-options analyzer name (where name is the analyzer name) to disable an analyzer.
  • See the next entry in this table for the exception to the number of firewall filter-based analyzers allowed on EX4500 and EX4600 switches.
  • On an EX4600 Virtual Chassis, you can configure only one analyzer if the ports in the input and output definitions are on different member switches of the Virtual Chassis. To configure multiple analyzers, each entire analyzer session must be configured on the same member switch of the Virtual Chassis.

Guideline: Number of firewall filter-based analyzers that you can configure on EX4500 and EX4600 switches
Description:
  • 1—EX4500 and EX4600 switches
Comment: If you configure multiple analyzers, you cannot attach any of them to a firewall filter.

Guideline: Types of ports on which you cannot mirror traffic
Description:
  • Virtual Chassis ports (VCPs)
  • Management Ethernet ports (me0 or vme0)
  • Routed VLAN interfaces (RVIs)
  • VLAN-tagged Layer 3 interfaces

Guideline: If port mirroring is configured to mirror packets exiting or entering 10-Gigabit Ethernet ports, packets are dropped in both network and mirrored traffic when the mirrored packets exceed 60 percent of the 10-Gigabit Ethernet port traffic for egress traffic, and when the mirrored packets exceed 70 percent of the 10-Gigabit Ethernet port traffic for ingress traffic.
Description:
  • EX8200 switches

Guideline: Traffic directions for which you can specify a ratio
Description:
  • Ingress only—EX8200 switches
  • Ingress and egress—All other switches

Guideline: Protocol families that you can include in a firewall filter-based remote analyzer
Description:
  • Any except inet and inet6—EX8200 switches
  • Any—All other switches
Comment: You can use inet and inet6 on EX8200 switches in a local analyzer.

Guideline: Traffic directions that you can configure for mirroring on ports in firewall filter-based configurations
Description:
  • Ingress only—All switches

Guideline: Mirrored packets on tagged interfaces might contain an incorrect VLAN ID or Ethertype.
Description:
  • Both VLAN ID and Ethertype—EX2300 switches
  • VLAN ID only—EX3200 and EX4300 switches
  • Ethertype only—EX4500 and EX4600 switches
  • Does not apply—EX8200 switches

Guideline: Mirrored packets exiting an interface do not reflect rewritten class-of-service (CoS) DSCP or 802.1p bits.
Description:
  • All switches

Guideline: The analyzer appends an incorrect 802.1Q (dot1q) header to the mirrored packets on the routed traffic, or does not mirror any packets on the routed traffic, when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for that analyzer.
Description:
  • EX8200 switches
  • Does not apply—All other switches
Comment: As a workaround, configure an analyzer that uses each port (member interface) of the VLAN as egress input.

Guideline: Packets with physical layer errors are not sent to the local or remote analyzer.
Description:
  • All switches
Comment: Packets with these errors are filtered out and thus are not sent to the analyzer.

Guideline: Port mirroring configuration on a Layer 3 interface with the output configured to a VLAN is not available on EX8200 switches.
Description:
  • EX8200 switches
  • Does not apply—All other switches

Guideline: Port mirroring does not support line-rate traffic.
Description:
  • All switches
Comment: Port mirroring for line-rate traffic is done on a best-effort basis.

Guideline: In an EX8200 Virtual Chassis, if you need to mirror traffic across the Virtual Chassis, the output port must be a LAG.
Description:
  • EX8200 Virtual Chassis
  • Does not apply—All other switches
Comment: In an EX8200 Virtual Chassis:
  • You can configure a LAG as a monitor port only for native analyzers.
  • You cannot configure a LAG as a monitor port for analyzers based on firewall filters.
  • If an analyzer configuration contains a LAG as a monitor port, you cannot configure a VLAN in the input definition of that analyzer.

Guideline: In standalone EX8200 switches, you can configure a LAG in the output definition.
Description:
  • EX8200 standalone switches
  • Does not apply—All other switches
Comment: In EX8200 standalone switches:
  • You can configure a LAG as a monitor port on both native and firewall filter-based analyzers.
  • If a configuration contains a LAG as a monitor port, you cannot configure a VLAN in the input definition of that analyzer.