Example: Layer 2 Port Mirroring to Multiple Destinations

On MX Series routers, you can mirror traffic to multiple destinations by configuring next-hop groups in Layer 2 port-mirroring firewall filters applied to tunnel interfaces.

  1. Configure the chassis to support tunnel services at PIC 0 on FPC 2. This configuration includes two logical tunnel interfaces on FPC 2, PIC 0, port 10.

    [edit]
    chassis {
        fpc 2 {
            pic 0 {
                tunnel-services {
                    bandwidth 1g;
                }
            }
        }
    }
  2. Configure the physical and logical interfaces for three bridge domains and one Layer 2 VPN CCC:

    • Bridge domain bd will span logical interfaces ge-2/0/1.0 and ge-2/0/1.1.
    • Bridge domain bd_next_hop_group will span logical interfaces ge-2/2/9.0 and ge-2/0/2.0.
    • Bridge domain bd_port_mirror will use the logical tunnel interface lt-2/0/10.2.
    • Layer 2 VPN CCC if_switch will connect logical interfaces ge-2/0/1.2 and lt-2/0/10.1.
    [edit]
    interfaces {
        ge-2/0/1 {
            flexible-vlan-tagging;
            encapsulation flexible-ethernet-services;
            unit 0 { # An interface on bridge domain 'bd'.
                encapsulation vlan-bridge;
                vlan-id 200;
                family bridge {
                    filter {
                        input filter_pm_bridge;
                    }
                }
            }
            unit 1 { # An interface on bridge domain 'bd'.
                encapsulation vlan-bridge;
                vlan-id 201;
                family bridge {
                    filter {
                        input filter_pm_bridge;
                    }
                }
            }
            unit 2 {
                encapsulation vlan-ccc;
                vlan-id 1000;
            }
        }
        ge-2/0/2 { # For 'bd_next_hop_group'
            encapsulation ethernet-bridge;
            unit 0 {
                family bridge;
            }
        }
        lt-2/0/10 {
            unit 1 {
                encapsulation ethernet-ccc;
                peer-unit 2;
            }
            unit 2 {
                encapsulation ethernet-bridge;
                peer-unit 1;
                family bridge {
                    filter {
                        output filter_redirect_to_nhg;
                    }
                }
            }
        }
        ge-2/2/9 {
            encapsulation ethernet-bridge;
            unit 0 { # For 'bd_next_hop_group'
                family bridge;
            }
        }
    }
  3. Configure the three bridge domains and the Layer 2 VPN switching CCC:

    • Bridge domain bd spans logical interfaces ge-2/0/1.0 and ge-2/0/1.1.
    • Bridge domain bd_next_hop_group spans logical interfaces ge-2/2/9.0 and ge-2/0/2.0.
    • Bridge domain bd_port_mirror uses the logical tunnel interface lt-2/0/10.2.
    • Layer 2 VPN CCC if_switch connects interfaces ge-2/0/1.2 and lt-2/0/10.1.
    [edit]
    bridge-domains {
        bd {
            interface ge-2/0/1.0;
            interface ge-2/0/1.1;
        }
        bd_next_hop_group {
            interface ge-2/2/9.0;
            interface ge-2/0/2.0;
        }
        bd_port_mirror {
            interface lt-2/0/10.2;
        }
    }
    protocols {
        mpls {
            interface all;
        }
        connections {
            interface-switch if_switch {
                interface ge-2/0/1.2;
                interface lt-2/0/10.1;
            }
        }
    }
    For detailed information about configuring the CCC connection for Layer 2 switching cross-connects, see the Junos MPLS Applications Configuration Guide.
  4. Configure forwarding options:

    • Configure global port mirroring properties to mirror family vpls traffic to an interface on the bridge domain bd_port_mirror.
    • Configure the next-hop group nhg_mirror_to_bd to forward Layer 2 traffic to the bridge domain bd_next_hop_group.

    Both of these forwarding options will be referenced by the port-mirroring firewall filter:

    [edit]
    forwarding-options {
        port-mirroring { # Global port mirroring properties.
            input {
                rate 1;
            }
            family vpls {
                output {
                    interface lt-2/0/10.2; # Interface on 'bd_port_mirror' bridge domain.
                    no-filter-check;
                }
            }
        }
        next-hop-group nhg_mirror_to_bd { # Configure a next-hop group.
            group-type layer-2; # Specify 'layer-2' for Layer 2; default 'inet' is for Layer 3.
            interface ge-2/0/2.0; # Interface on 'bd_next_hop_group' bridge domain.
            interface ge-2/2/9.0; # Interface on 'bd_next_hop_group' bridge domain.
        }
    }
  5. Configure two Layer 2 port-mirroring firewall filters for family bridge traffic:

    • filter_pm_bridge—Sends all family bridge traffic to the global port mirroring destination.
    • filter_redirect_to_nhg—Sends all family bridge traffic to the final next-hop group nhg_mirror_to_bd.

    Layer 2 port-mirroring firewall filters for family bridge traffic apply to traffic on a physical interface configured with encapsulation ethernet-bridge.

    [edit]
    firewall {
        family bridge {
            filter filter_pm_bridge {
                term term_port_mirror {
                    then port-mirror;
                }
            }
            filter filter_redirect_to_nhg {
                term term_nhg {
                    then next-hop-group nhg_mirror_to_bd;
                }
            }
        }
    }
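
Added example (not part of the original Juniper documentation): mirror destinations receive copies of production traffic, so a change review should confirm exactly where mirrored frames are sent and that every filter and next-hop-group reference resolves. This Python audit parses curly-brace Junos configuration; the `SAMPLE` text is constructed from this page's names, and the function names `statements` and `audit` are hypothetical.

```python
import re

# Constructed sample: condensed from this page's configuration (same names).
SAMPLE = """
interfaces { ge-2/0/1 { unit 0 { family bridge { filter { input filter_pm_bridge; } } } }
  lt-2/0/10 { unit 2 { family bridge { filter { output filter_redirect_to_nhg; } } } } }
forwarding-options {
  port-mirroring { input { rate 1; } family vpls { output { interface lt-2/0/10.2; } } }
  next-hop-group nhg_mirror_to_bd { group-type layer-2;
    interface ge-2/0/2.0; interface ge-2/2/9.0; } }
firewall { family bridge {
  filter filter_pm_bridge { term term_port_mirror { then port-mirror; } }
  filter filter_redirect_to_nhg { term term_nhg { then next-hop-group nhg_mirror_to_bd; } } } }
"""

def statements(text):
    """Yield (path, statement) for each leaf statement of curly-brace Junos config."""
    path, buf = [], ""
    for ch in re.sub(r"#[^\n]*", "", text):      # comments run to end of line
        if ch == "{":
            path.append(" ".join(buf.split())); buf = ""
        elif ch == "}":
            path.pop(); buf = ""
        elif ch == ";":
            if buf.strip():
                yield tuple(path), " ".join(buf.split())
            buf = ""
        else:
            buf += ch

def audit(text):
    """Return mirror destinations plus filter/group references that do not resolve."""
    dests, attached, defined, nhg_refs = {}, set(), set(), set()
    for path, stmt in statements(text):
        words = stmt.split()
        if path[:1] == ("forwarding-options",) and words[0] == "interface":
            key = path[1] if path[1].startswith("next-hop-group ") else " ".join(path[1:3])
            dests.setdefault(key, []).append(words[1])
        elif path[:1] == ("interfaces",) and path[-1] == "filter":
            attached.add(words[-1])               # "input NAME" / "output NAME"
        elif path[:1] == ("firewall",):
            defined.update(p.split()[1] for p in path if p.startswith("filter "))
            if words[-2:-1] == ["next-hop-group"]:
                nhg_refs.add(words[-1])           # group used as a filter action
    groups = {k.split()[1] for k in dests if k.startswith("next-hop-group ")}
    return {"destinations": dests,
            "undefined_filters": sorted(attached - defined),
            "undefined_groups": sorted(nhg_refs - groups)}
```

A filter name attached to an interface but not defined under `firewall` appears in `undefined_filters`, and `destinations` lists every interface that receives mirrored frames.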

Published: 2010-05-11
