Technical Documentation

Example: Layer 2 Port Mirroring for a Layer 2 VPN

The following example is not a complete configuration, but shows all the steps needed to configure port mirroring on an L2VPN using family ccc.

  1. Configure the bridge domain port-mirror-bd, which contains the external packet analyzer:

    [edit]bridge-domains {port-mirror-bd { # Contains an external traffic analyzerinterface ge-2/2/9.0; # External analyzer}}
  2. Configure the Layer 2 VPN CCC to connect logical interface ge-2/0/1.0 and logical interface ge-2/0/1.1:

    [edit]protocols {mpls {interface all;}connections {interface-switch if_switch {interface ge-2/0/1.0;interface ge-2/0/1.1;}}}
  3. Configure Layer 2 port mirroring for the global instance, with the port-mirroring destination being the bridge domain interface associated with the external analyzer (logical interface ge-2/2/9.0 on bridge domain example-bd-with-analyzer):

    [edit]forwarding-options {port-mirroring {input {rate 1; maximum-packet-length 200; }family ccc {output {interface ge-2/2/9.0; # Mirror packets to the external analyzer}}instance {inst1 {input {rate 1; maximum-packet-length 300; }family ccc {output {interface ge-2/2/9.0;}{}}}}
  4. Define the Layer 2 port-mirroring firewall filter pm_filter_ccc for family ccc:

    [edit]firewall {family ccc {filter pm_filter_ccc {term pm {then port-mirror;}}}}
  5. Apply the port mirror instance to the chassis:

    [edit]chassis {fpc 2 {port-mirror-instance inst1;}}
  6. Configure interface ge-2/2/9 for the VLANs, and configure interface ge-2/0/1 for port mirroring with the pm_filter_ccc firewall filter:

    [edit]interfaces {ge-2/2/9 {encapsulation ethernet-bridge;unit 0 {family bridge;}}ge-2/0/1 {vlan-tagging;encapsulation extended-vlan-ccc;unit 0 {vlan-id 10;family ccc {filter {input pm_filter_ccc;}}}unit 1 {vlan-id 20;family ccc {filter {output pm_filter_ccc;}}}}}

Published: 2010-05-11