
Example: Configuring Multiple Port Mirroring Sessions on an EX4300 Switch

 

You can configure port mirroring to mirror packets from a single port or from multiple ports to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy packets entering or exiting a port, or packets entering or exiting a VLAN.

When you configure port mirroring on an EX Series switch, follow the guidelines in Configuration Guidelines for Port Mirroring on EX Series Switches to obtain maximum benefit from port mirroring. One of those guidelines is that you can define multiple port mirroring configurations on an EX2300, EX3200, EX3400, or EX4300 switch, but you can enable only one port mirroring configuration, or session, at any point in time. If you want to enable multiple port mirroring sessions, follow the workaround provided in this example.

This example describes how to configure multiple port mirroring sessions on an EX4300 switch for local monitoring.

Requirements

This example uses the following hardware and software components:

  • One Juniper Networks EX4300 switch

  • Junos® operating system (Junos OS) Release 12.1 or later for EX Series switches. The statements in this example use the non-ELS CLI syntax; on releases that run Enhanced Layer 2 Software (ELS), the analyzer is configured under the [edit forwarding-options] hierarchy and access ports use interface-mode instead of port-mode, so check the statement syntax against your release before pasting the configuration.

Before you configure port mirroring, be sure that you have an understanding of port mirroring concepts. See Understanding Port Mirroring on EX Series Switches for an overview on port mirroring.

Overview

Configuring port mirroring is a way to monitor network traffic by sending a copy of packets entering or exiting a port (or VLAN) on a switch to a local or remote destination for monitoring. Port mirroring enables a network administrator to monitor the performance of the network and to take corrective actions when appropriate. You can configure port mirroring for ingress or egress traffic on a single interface (or multiple interfaces) or on a VLAN (or multiple VLANs).

When you configure port mirroring on EX Series Ethernet Switches, we recommend that you follow the guidelines in Configuration Guidelines for Port Mirroring on EX Series Switches. One of them is that an EX2300, EX3200, EX3400, or EX4300 switch can hold several port mirroring configurations but can have only one of them enabled at any point in time. The workaround is a many-to-many arrangement: a single analyzer mirrors every monitored port to one output port, a loopback cable carries the mirrored copies back into a dedicated VLAN with MAC learning disabled, and an egress firewall filter on each monitoring port selects the share of the flooded copies that its monitoring station is allowed to see. The effect is the same as two independently enabled sessions. This example shows how to configure and enable two such sessions on an EX4300 switch; the same workaround applies to EX2300, EX3200, and EX3400 switches.

Topology

In the topology discussed in this document, 10 hosts are connected to an EX4300 switch, with IP addresses in the range 10.0.0.1 through 10.0.0.10. The goal is two port mirroring sessions: all IP traffic to or from hosts 10.0.0.1 through 10.0.0.5 goes to one monitoring station, and all IP traffic to or from hosts 10.0.0.6 through 10.0.0.10 goes to another. This is achieved with a physical loopback cable and one egress firewall filter per monitoring port, which segregates the mirrored traffic between the two stations by source and destination IP address.

Figure 1 shows a topology to configure and enable two port mirroring sessions on an EX4300 switch.

Figure 1: Network Topology for Configuring and Enabling Two Port Mirroring Sessions on an EX4300 Switch

This topology shows the following connections and configurations:

  • Ports 1–10 are connected to 10 different hosts.

  • All hosts are configured to be part of the vl1 VLAN.

  • The ge-0/0/11.0 port is connected to the ge-0/0/12.0 port with an Ethernet cable to form a physical loop.

  • An analyzer mirrors traffic entering and exiting the ge-0/0/1.0 through ge-0/0/10.0 interfaces. The output port for the analyzer is ge-0/0/11.0.

  • Rapid Spanning-Tree Protocol (RSTP) is disabled on ge-0/0/12.0, ge-0/0/13.0, and ge-0/0/14.0.

  • The ge-0/0/12.0, ge-0/0/13.0, and ge-0/0/14.0 ports are configured to be a part of a VLAN, and MAC learning is disabled on this VLAN.

  • Monitoring stations are connected on the ge-0/0/13.0 and ge-0/0/14.0 ports.

  • A firewall filter is applied in the output direction on each of the ge-0/0/13.0 and ge-0/0/14.0 ports so that only mirrored traffic whose source or destination IP address belongs to that station's five hosts is passed; everything else, including non-IP frames, is discarded.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vl1
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/2.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/3.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/4.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/5.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/6.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/7.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/8.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/9.0
set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/10.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/1.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/2.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/3.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/4.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/5.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/6.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/7.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/8.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/9.0
set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/10.0
set ethernet-switching-options analyzer multi-session output interface ge-0/0/11.0
set protocols rstp interface ge-0/0/12.0 disable
set protocols rstp interface ge-0/0/13.0 disable
set protocols rstp interface ge-0/0/14.0 disable
set vlans mirror vlan-id 100
set vlans mirror no-mac-learning
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members mirror
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members mirror
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members mirror
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.1/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.2/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.3/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.4/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.5/32
set firewall family ethernet-switching filter first-5-ff term 10 then accept
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.1/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.2/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.3/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.4/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.5/32
set firewall family ethernet-switching filter first-5-ff term 20 then accept
set firewall family ethernet-switching filter first-5-ff term default then discard
set interfaces ge-0/0/13 unit 0 family ethernet-switching filter output first-5-ff
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.6/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.7/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.8/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.9/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.10/32
set firewall family ethernet-switching filter last-5-ff term 10 then accept
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.6/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.7/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.8/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.9/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.10/32
set firewall family ethernet-switching filter last-5-ff term 20 then accept
set firewall family ethernet-switching filter last-5-ff term default then discard
set interfaces ge-0/0/14 unit 0 family ethernet-switching filter output last-5-ff

Configuring Two Port Mirroring Sessions

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure and enable two port mirroring sessions on an EX4300 switch:

  1. Configure the port mode for the ge-0/0/1.0 through ge-0/0/10.0 ports as access ports, and configure those ports to be part of the vl1 VLAN.
    [edit]
    user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vl1
    user@host# set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
    user@host# set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vl1
     
  2. Configure an analyzer named multi-session, and assign the ge-0/0/11.0 port to be the output port for multi-session to mirror traffic for all the ports.
    [edit]
    user@host# set interfaces ge-0/0/11 unit 0 family ethernet-switching
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/1.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/2.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/3.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/4.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/5.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/6.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/7.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/8.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/9.0
    user@host# set ethernet-switching-options analyzer multi-session input ingress interface ge-0/0/10.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/1.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/2.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/3.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/4.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/5.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/6.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/7.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/8.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/9.0
    user@host# set ethernet-switching-options analyzer multi-session input egress interface ge-0/0/10.0
    user@host# set ethernet-switching-options analyzer multi-session output interface ge-0/0/11.0
     
  3. Define a VLAN named mirror and tag it as 100.
    [edit]
    user@host# set vlans mirror vlan-id 100
     
  4. Configure the ge-0/0/12.0, ge-0/0/13.0, and ge-0/0/14.0 ports to be part of the mirror VLAN.
    [edit]
    user@host# set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members mirror
    user@host# set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members mirror
    user@host# set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members mirror
     
  5. Disable MAC learning on the mirror VLAN so that the switch acts like a hub for this VLAN and floods every frame received on ge-0/0/12.0 to the ge-0/0/13.0 and ge-0/0/14.0 ports, where the output filters decide what each monitoring station receives. Keep ge-0/0/12.0 through ge-0/0/14.0 in this VLAN only, so that anything a monitoring station transmits is flooded no further than the mirror VLAN.
    [edit]
    user@host# set vlans mirror no-mac-learning
     
  6. Disable RSTP on the ge-0/0/12.0, ge-0/0/13.0, and ge-0/0/14.0 ports. RSTP is enabled by default on all ports of the switch, and it would otherwise treat the loopback cable as a loop and could block one of these ports.
    [edit]
    user@host# set protocols rstp interface ge-0/0/12.0 disable
    user@host# set protocols rstp interface ge-0/0/13.0 disable
    user@host# set protocols rstp interface ge-0/0/14.0 disable
     
  7. Create and apply an outgoing firewall filter on the ge-0/0/13.0 port. This port is connected to the first monitoring station that listens to the mirrored traffic for the first five hosts 10.0.0.1 through 10.0.0.5.
    [edit]
    user@host# set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.1/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.2/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.3/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.4/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.5/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 10 then accept
    user@host# set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.1/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.2/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.3/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.4/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.5/32
    user@host# set firewall family ethernet-switching filter first-5-ff term 20 then accept
    user@host# set firewall family ethernet-switching filter first-5-ff term default then discard
    user@host# set interfaces ge-0/0/13 unit 0 family ethernet-switching filter output first-5-ff
     
  8. Create and apply an outgoing firewall filter on the ge-0/0/14.0 port. This port is connected to the second monitoring station, which listens to the mirrored traffic for the last five hosts 10.0.0.6 through 10.0.0.10.
    [edit]
    user@host# set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.6/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.7/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.8/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.9/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.10/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 10 then accept
    user@host# set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.6/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.7/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.8/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.9/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.10/32
    user@host# set firewall family ethernet-switching filter last-5-ff term 20 then accept
    user@host# set firewall family ethernet-switching filter last-5-ff term default then discard
    user@host# set interfaces ge-0/0/14 unit 0 family ethernet-switching filter output last-5-ff
     

Results

From configuration mode, confirm your configuration by entering the show firewall, show interfaces, show ethernet-switching-options, show protocols, and show vlans commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying That the Analyzer Has Been Created Properly

Purpose

Verify that the analyzer has been created on the switch with the appropriate input and output interfaces.

Action

From operational mode, issue the show analyzer command:

user@host> show analyzer

Meaning

The output shows the multi-session analyzer has the following configuration:

  • Has a mirroring ratio of 1 (mirroring every packet, the default setting).

  • Has a loss priority of low (set this option to high only when the analyzer output is to a VLAN).

  • Mirrors traffic entering the ge-0/0/1.0 through ge-0/0/10.0 interfaces and traffic exiting the ge-0/0/1.0 through ge-0/0/10.0 interfaces.

  • Sends the mirrored traffic to the ge-0/0/11.0 interface.

Verifying That the Firewall Filter Is Configured Properly to Obtain Traffic from the First Five Hosts

Purpose

Verify that traffic from the first five hosts is mirrored to the first monitoring interface. You can verify this by checking whether the firewall filter is configured to obtain traffic from the first five hosts and by checking whether this traffic is directed to the first monitoring interface.

Action

Verify that the firewall filter is configured to select traffic to and from the addresses of the first five hosts (10.0.0.1 through 10.0.0.5).

user@host# show firewall family ethernet-switching filter first-5-ff

Meaning

This configuration shows that the first-5-ff filter accepts traffic originating from or destined to the addresses 10.0.0.1 through 10.0.0.5, which belong to the first five hosts, and discards traffic with any other source or destination address. Because MAC learning is disabled on the mirror VLAN, every mirrored copy is flooded to the ge-0/0/13.0 interface; the egress filter is what stops copies for the other five hosts, and non-IP frames such as ARP, which match neither address term, from leaving the port towards the first monitoring station. Two consequences are worth knowing before you read the captures: a frame between a host in this group and a host in the other group matches the source term of one filter and the destination term of the other, so both monitoring stations receive it; and because both ingress and egress are mirrored on every host port, a frame between two monitored hosts is copied twice (once when it enters the sender's port and once when it exits the receiver's port), so each station sees such frames in duplicate.

Verifying That the First Monitoring Interface Is Configured Properly

Purpose

Verify the configuration for the ge-0/0/13.0 interface, which is connected to the first monitoring station (the one that listens to the mirrored traffic for the first five hosts).

Action

Verify that the ge-0/0/13.0 interface is configured as expected by using the show interfaces ge-0/0/13.0 command.

user@host# show interfaces ge-0/0/13.0

Meaning

This output shows that the first-5-ff firewall filter is applied as an egress filter on the ge-0/0/13.0 interface. The interface therefore transmits only mirrored traffic to or from the first five hosts, as defined in the first-5-ff filter, and the monitoring station connected to it can monitor those five hosts.

Verifying That the Firewall Filter Is Configured Properly to Obtain Traffic from the Last Five Hosts

Purpose

Verify that traffic from the last five hosts is mirrored to the second monitoring interface by checking whether the firewall filter is configured properly to obtain traffic from the last five hosts connected to the switch and by checking whether this traffic is directed to the second monitoring interface.

Action

Verify that the firewall filter is configured to select traffic to and from the addresses of the last five hosts (10.0.0.6 through 10.0.0.10).

user@host# show firewall family ethernet-switching filter last-5-ff

Meaning

This configuration shows that the last-5-ff filter accepts traffic originating from or destined to the addresses 10.0.0.6 through 10.0.0.10, which belong to the last five hosts, and discards traffic with any other source or destination address. When this filter is applied in the output direction on the ge-0/0/14.0 interface, only mirrored copies to or from those five addresses leave the port, even though copies of all mirrored traffic are flooded to it.

Verifying That the Second Monitoring Interface Is Configured Properly

Purpose

Verify the configuration for the ge-0/0/14.0 interface, which is connected to the second monitoring station (that listens to the mirrored traffic for the last five hosts).

Action

Verify that the ge-0/0/14.0 interface is configured as expected by using the show interfaces ge-0/0/14.0 command.

user@host# show interfaces ge-0/0/14.0

Meaning

This output shows that the last-5-ff firewall filter is applied as an egress filter on the ge-0/0/14.0 interface. The interface therefore transmits only mirrored traffic to or from the last five hosts, as defined in the last-5-ff filter, and the monitoring station connected to it can monitor those five hosts.
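The following Python model is added here as an example; it is not part of Juniper's documentation or of Junos OS. It ties steps 7 and 8 of the configuration to the verification sections: it parses the two egress filters exactly as they appear in the set commands above, then traces constructed sample frames through the analyzer, the loopback cable and the flooded mirror VLAN to show what each monitoring station ends up with. The filter semantics in action() are a simplified reading of Junos behaviour, the sample frames are made up, and ge-0/0/20.0 is an assumed, unmirrored uplink that does not appear in the topology.

```python
"""Which mirrored frames reach which monitoring station in this example.
Added example: filter semantics are simplified (see action()); the sample
frames and the uplink port ge-0/0/20.0 are constructed, not from the page."""
import ipaddress
import re
from collections import defaultdict

# The filter commands from steps 7 and 8 of this example, copied as set lines.
CONFIG = """
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.1/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.2/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.3/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.4/32
set firewall family ethernet-switching filter first-5-ff term 10 from source-address 10.0.0.5/32
set firewall family ethernet-switching filter first-5-ff term 10 then accept
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.1/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.2/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.3/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.4/32
set firewall family ethernet-switching filter first-5-ff term 20 from destination-address 10.0.0.5/32
set firewall family ethernet-switching filter first-5-ff term 20 then accept
set firewall family ethernet-switching filter first-5-ff term default then discard
set interfaces ge-0/0/13 unit 0 family ethernet-switching filter output first-5-ff
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.6/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.7/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.8/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.9/32
set firewall family ethernet-switching filter last-5-ff term 10 from source-address 10.0.0.10/32
set firewall family ethernet-switching filter last-5-ff term 10 then accept
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.6/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.7/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.8/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.9/32
set firewall family ethernet-switching filter last-5-ff term 20 from destination-address 10.0.0.10/32
set firewall family ethernet-switching filter last-5-ff term 20 then accept
set firewall family ethernet-switching filter last-5-ff term default then discard
set interfaces ge-0/0/14 unit 0 family ethernet-switching filter output last-5-ff
"""
TERM = re.compile(r"set firewall family ethernet-switching filter (\S+) term (\S+) "
                  r"(from source-address|from destination-address|then) (\S+)$")
BIND = re.compile(r"set interfaces (\S+) unit (\d+) family ethernet-switching filter output (\S+)$")

def parse(config):
    """Return ({filter: {term: {src, dst, action}}}, {interface: output filter});
    terms keep configuration order, which is the order Junos evaluates them."""
    filters, bindings = defaultdict(dict), {}
    for line in config.split("\n"):
        if m := TERM.match(line.strip()):
            fname, tname, kind, val = m.groups()
            term = filters[fname].setdefault(tname, {"src": [], "dst": [], "action": None})
            if kind == "then":
                term["action"] = val
            else:
                term["src" if "source" in kind else "dst"].append(ipaddress.ip_network(val))
        elif m := BIND.match(line.strip()):
            bindings[f"{m[1]}.{m[2]}"] = m[3]
    return filters, bindings

def action(terms, frame):
    """First matching term decides (assumed, simplified Junos semantics): prefixes
    of one match type in a term are ORed, the types are ANDed, an address condition
    matches only IP frames, and an unmatched frame hits the implicit final discard."""
    for t in terms.values():
        if t["src"] or t["dst"]:
            if frame["proto"] != "ip":
                continue
            src, dst = ipaddress.ip_address(frame["src"]), ipaddress.ip_address(frame["dst"])
            if t["src"] and not any(src in n for n in t["src"]):
                continue
            if t["dst"] and not any(dst in n for n in t["dst"]):
                continue
        return t["action"]
    return "discard"

ANALYZER_INPUTS = {f"ge-0/0/{n}.0" for n in range(1, 11)}  # mirrored for ingress and egress

def deliver(frames, filters, bindings):
    """A frame is copied once per mirrored direction it crosses (ingress on its
    input port, egress on its output port). Copies leave ge-0/0/11.0, re-enter on
    ge-0/0/12.0 and are flooded in the mirror VLAN, so every station port sees
    every copy and only its output filter decides what is transmitted."""
    seen = defaultdict(list)
    for f in frames:
        copies = (f["in"] in ANALYZER_INPUTS) + (f["out"] in ANALYZER_INPUTS)
        for port, fname in bindings.items():
            if copies and action(filters[fname], f) == "accept":
                seen[port] += [f["label"]] * copies
    return dict(seen)

# Constructed sample frames; ge-0/0/20.0 stands in for an unmirrored uplink.
FRAMES = [
    {"label": "A", "proto": "ip", "src": "10.0.0.2", "dst": "10.0.0.3", "in": "ge-0/0/2.0", "out": "ge-0/0/3.0"},
    {"label": "B", "proto": "ip", "src": "10.0.0.2", "dst": "10.0.0.7", "in": "ge-0/0/2.0", "out": "ge-0/0/7.0"},
    {"label": "C", "proto": "arp", "src": "10.0.0.1", "dst": "10.0.0.4", "in": "ge-0/0/1.0", "out": "ge-0/0/4.0"},
    {"label": "D", "proto": "ip", "src": "10.0.0.9", "dst": "192.0.2.10", "in": "ge-0/0/9.0", "out": "ge-0/0/20.0"},
]

if __name__ == "__main__":
    filters, bindings = parse(CONFIG)
    for port, labels in sorted(deliver(FRAMES, filters, bindings).items()):
        print(port, bindings[port], labels)
```

Running it shows the point the Meaning sections make and two they only imply: ge-0/0/13.0 receives frame A twice (ingress mirror on ge-0/0/2.0 plus egress mirror on ge-0/0/3.0), frame B between the two host groups reaches both stations, ARP frame C reaches neither because the address terms match only IP, and frame D, which leaves through an unmirrored port, is copied only once.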