
Example: Layer 2 Port Mirroring at a Logical Interface

The following steps describe an example in which the global port-mirroring instance and a port-mirroring firewall filter are used to configure Layer 2 port mirroring for the input to a logical interface.

  1. Configure the bridge domain example-bd-with-analyzer, which contains the external packet analyzer, and the bridge domain example-bd-with-traffic, which contains the source and destination of the Layer 2 traffic being mirrored:

    [edit]
    bridge-domains {
        example-bd-with-analyzer {          # Contains an external traffic analyzer
            vlan-id 1000;
            interface ge-2/0/0.0;           # External analyzer
        }
        example-bd-with-traffic {           # Contains traffic input and output interfaces
            vlan-id 1000;
            interface ge-2/0/6.0;           # Traffic input port
            interface ge-3/0/1.2;           # Traffic output port
        }
    }
    Assume that logical interface ge-2/0/0.0 is associated with an external traffic analyzer that is to receive port-mirrored packets. Assume that logical interfaces ge-2/0/6.0 and ge-3/0/1.2 will be traffic input and output ports, respectively.
  2. Configure Layer 2 port-mirroring for the global instance, with the port-mirroring destination being the bridge domain interface associated with the external analyzer (logical interface ge-2/0/0.0 on bridge domain example-bd-with-analyzer). Be sure to enable the option that allows filters to be applied to this port-mirroring destination:

    [edit]
    forwarding-options {
        port-mirroring {
            input {
                rate 10;
                run-length 5;
            }
            family bridge {
                output {
                    interface ge-2/0/0.0;   # Mirror packets to the external analyzer
                    no-filter-check;        # Allow filters on the mirror destination interface
                }
            }
        }
    }
    The input statement at the [edit forwarding-options port-mirroring] hierarchy level specifies that sampling begins at every tenth packet and that the first five packets of each selection are mirrored.

    The output statement at the [edit forwarding-options port-mirroring family bridge] hierarchy level specifies the output mirror interface for Layer 2 packets in a bridging environment:

    • Logical interface ge-2/0/0.0, which is associated with the external packet analyzer, is configured as the port-mirroring destination.
    • The optional no-filter-check statement allows filters to be configured on this destination interface.
  3. Configure the Layer 2 port-mirroring firewall filter example-bridge-pm-filter:

    [edit]
    firewall {
        family bridge {
            filter example-bridge-pm-filter {
                term example-filter-terms {
                    then {
                        accept;
                        port-mirror;
                    }
                }
            }
        }
    }
    When this firewall filter is applied to the input or output of a logical interface for traffic in a bridging environment, Layer 2 port mirroring is performed according to the input packet-sampling properties and mirror destination properties configured for the Layer 2 port-mirroring global instance. Because the single term has no from conditions and uses the default filter action accept, every packet selected by the input properties (rate = 10 and run-length = 5) matches this filter and is mirrored.
  4. Configure the logical interfaces:

    [edit]
    interfaces {
        ge-2/0/0 {                              # Define the interface to the external analyzer
            encapsulation ethernet-bridge;
            unit 0 {
                family bridge;
            }
        }
        ge-2/0/6 {                              # Define the traffic input port
            flexible-vlan-tagging;
            encapsulation extended-vlan-bridge;
            unit 0 {
                vlan-id 100;
                family bridge {
                    filter {
                        input example-bridge-pm-filter;   # Apply the port-mirroring firewall filter
                    }
                }
            }
        }
        ge-3/0/1 {                              # Define the traffic output port
            flexible-vlan-tagging;
            encapsulation extended-vlan-bridge;
            unit 2 {
                vlan-tags outer 10 inner 20;
                family bridge;
            }
        }
    }

    Packets received at logical interface ge-2/0/6.0 on bridge domain example-bd-with-traffic are evaluated by the port-mirroring firewall filter example-bridge-pm-filter. The firewall filter acts on the input traffic according to the filter actions configured in the firewall filter itself plus the input packet-sampling properties and mirror destination properties configured in the global port-mirroring instance:

    • All packets received at ge-2/0/6.0 are forwarded to their (assumed) normal destination at logical interface ge-3/0/1.2.
    • For every ten input packets, copies of the first five packets in that selection are forwarded to the external analyzer at logical interface ge-2/0/0.0 in the other bridge domain, example-bd-with-analyzer.
    If you configure the port-mirroring firewall filter example-bridge-pm-filter to take the discard action instead of the accept action, all original packets are discarded while copies of the packets selected using the global port-mirroring input properties are sent to the external analyzer.
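
The four fragments above have to agree with one another: the destination named under port-mirroring must be a configured family bridge logical interface that belongs to a bridge domain, the filter applied at ge-2/0/6.0 must exist under firewall family bridge with a port-mirror action, and a filter applied to the destination itself requires no-filter-check. The following Python script is an added example, not part of this Juniper page or of Junos: it parses the example configuration (embedded here as constructed input) with a small curly-brace parser and runs those cross-checks, plus one policy check of its own (an assumption, not a Junos commit constraint: the analyzer port should sit in a bridge domain separate from the mirrored traffic) and an informational note when the filter uses discard, the tap-mode behaviour described above. Two constructed variants, a destination mistyped as a unit that does not exist and the discard variant, show the findings.

```python
"""Consistency checks for the Layer 2 port-mirroring configuration above.

Added example, not part of the Juniper page: the four fragments are joined
into one tree and cross-checked before commit. The bridge-domain separation
rule is a policy this script imposes (assumption), not a Junos constraint.
"""
import re

# Constructed input: the page's fragments joined together, '[edit]' prompts removed.
PAGE_CONFIG = """
bridge-domains {
  example-bd-with-analyzer { vlan-id 1000; interface ge-2/0/0.0; }   # external analyzer
  example-bd-with-traffic { vlan-id 1000; interface ge-2/0/6.0; interface ge-3/0/1.2; }
}
forwarding-options { port-mirroring {
  input { rate 10; run-length 5; }
  family bridge { output { interface ge-2/0/0.0; no-filter-check; } }
} }
firewall { family bridge { filter example-bridge-pm-filter {
  term example-filter-terms { then { accept; port-mirror; } }
} } }
interfaces {
  ge-2/0/0 { encapsulation ethernet-bridge; unit 0 { family bridge; } }
  ge-2/0/6 { flexible-vlan-tagging; encapsulation extended-vlan-bridge;
    unit 0 { vlan-id 100; family bridge { filter { input example-bridge-pm-filter; } } } }
  ge-3/0/1 { flexible-vlan-tagging; encapsulation extended-vlan-bridge;
    unit 2 { vlan-tags outer 10 inner 20; family bridge; } }
}
"""
# Constructed variant: destination mistyped as a logical interface that is not configured.
BROKEN_DEST = PAGE_CONFIG.replace("output { interface ge-2/0/0.0;", "output { interface ge-0/0/0.0;")
# Constructed variant: the filter discards originals instead of accepting them (tap mode).
TAP_MODE = PAGE_CONFIG.replace("accept; port-mirror;", "discard; port-mirror;")

def parse_junos(text):
    """Parse curly-brace Junos config: 'a b {' nests as node[a][b], 'a b;' appends 'b' to node[a]."""
    text = re.sub(r"#[^\n]*", "", text)                  # strip '#' comments
    root, stack = {}, []
    node = root
    for stmt, delim in re.findall(r"([^{};]*)([{};])", text):
        words = stmt.split()
        if delim == "{":
            child = {}
            if len(words) == 1:
                node[words[0]] = child
            else:
                node.setdefault(words[0], {})[" ".join(words[1:])] = child
            stack.append(node)
            node = child
        elif delim == "}":
            node = stack.pop()
        elif words:                                      # leaf statement; flags get an empty value
            node.setdefault(words[0], []).append(" ".join(words[1:]))
    if stack:
        raise ValueError("unbalanced braces")
    return root

def logical_units(cfg):
    """{'ge-2/0/0.0': unit-subtree, ...} for every configured unit."""
    return {f"{ifd}.{u}": ub for ifd, body in cfg.get("interfaces", {}).items()
            for u, ub in body.get("unit", {}).items()}

def applied_filters(unit):
    """[(direction, name)] for filters applied under 'family bridge' on a unit."""
    fam = unit.get("family")
    if not isinstance(fam, dict):                        # plain 'family bridge;' has no filters
        return []
    return [(d, n) for d, names in fam.get("bridge", {}).get("filter", {}).items() for n in names]

def bridge_domains_of(cfg, ifl):
    return [bd for bd, body in cfg.get("bridge-domains", {}).items() if ifl in body.get("interface", [])]

def audit(text):
    """Return a list of findings for a configuration; [] means the fragments agree."""
    cfg = parse_junos(text)
    units, findings = logical_units(cfg), []
    pm = cfg.get("forwarding-options", {}).get("port-mirroring", {})
    out = pm.get("family", {}).get("bridge", {}).get("output", {})
    dests = out.get("interface", [])
    if len(dests) != 1:
        return [f"expected exactly one family bridge mirror destination, found {dests}"]
    dest = dests[0]
    if dest not in units or "bridge" not in units[dest].get("family", []):
        findings.append(f"mirror destination {dest} is not a configured family bridge logical interface")
    dest_bds = bridge_domains_of(cfg, dest)
    if len(dest_bds) != 1:
        findings.append(f"mirror destination {dest} must be in exactly one bridge domain, found {dest_bds}")
    if dest in units and applied_filters(units[dest]) and "no-filter-check" not in out:
        findings.append(f"a filter is applied to mirror destination {dest} but no-filter-check is not set")
    filters = cfg.get("firewall", {}).get("family", {}).get("bridge", {}).get("filter", {})
    # Actions per family bridge filter, e.g. {'example-bridge-pm-filter': {'accept', 'port-mirror'}}
    actions = {n: {a for t in b.get("term", {}).values() for a in t.get("then", {})} for n, b in filters.items()}
    if not any("port-mirror" in a for a in actions.values()):
        findings.append("no family bridge filter has a port-mirror action; nothing is mirrored")
    for ifl, unit in units.items():
        for direction, name in applied_filters(unit):
            if name not in actions:
                findings.append(f"{ifl}: {direction} filter {name} is not defined under firewall family bridge")
            elif "port-mirror" in actions[name]:
                bds = bridge_domains_of(cfg, ifl)
                if not bds:
                    findings.append(f"{ifl}: port-mirror filter {name} applied but the unit is in no bridge domain")
                elif bds == dest_bds:   # policy check (assumption): analyzer gets its own bridge domain
                    findings.append(f"{ifl}: mirrored traffic shares bridge domain {bds[0]} with analyzer port {dest}")
                if "discard" in actions[name]:
                    findings.append(f"{ifl}: {name} discards originals; only mirrored copies reach {dest} (tap mode)")
    return findings

if __name__ == "__main__":
    for label, text in [("page config", PAGE_CONFIG), ("broken destination", BROKEN_DEST), ("tap mode", TAP_MODE)]:
        print(label, "->", audit(text) or "OK")
```

Run it before committing a change to any of the four hierarchies; the page configuration audits clean, the mistyped destination produces two findings (an unconfigured destination and a destination in no bridge domain), and the discard variant produces only the informational tap-mode note.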

Published: 2010-05-11
