Technical Documentation

Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a Bridge Domain

You can apply a Layer 2 port-mirroring firewall filter to traffic being forwarded or flooded to a bridge domain. Only packets of the specified family type and forwarded or flooded to that bridge domain are mirrored.

Before you begin, complete the following task:

  • Define a Layer 2 port-mirroring firewall filter to be applied to the traffic being forwarded to a bridge domain or flooded to a bridge domain. For details, see Defining a Layer 2 Port-Mirroring Firewall Filter.

    Note: This configuration task shows two Layer_2 port-mirroring firewall filters: one filter applied to the bridge domain forwarding table ingress traffic, and one filter applied to the bridge domain flood table ingress traffic.

To apply a Layer 2 port-mirroring firewall filter to the forwarding table or flood table of a bridge domain:

  1. Enable configuration of the bridge domain bridge-domain-name to which you want to apply a Layer 2 port-mirroring firewall filter for forwarded or flooded traffic:

    • For a bridge domain:

      [edit]user@host# edit bridge-domains bridge-domain-name
    • For a bridge domain under a routing instance:

      [edit]user@host# edit routing-instances routing-instance-name bridge-domains bridge-domain-nameuser@host# set instance-type vpls
      For more detailed configuration information, see Configuring a VPLS Routing Instance.
  2. Configure the bridge domain:

    [edit]user@host# set domain-type bridgeuser@host# set interface interface-nameuser@host# set routing-interface routing-interface-name
    For more detailed configuration information, see Configuring a Bridge Domain and Configuring VLAN Identifiers for Bridge Domains and VPLS Routing Instances.
  3. Enable configuration of traffic forwarding on the bridge domain:

    [edit ... bridge-domains bridge-domain-name]user@host# edit forwarding-options
  4. Apply a Layer 2 port-mirroring firewall filter to the bridge domain forwarding table or flood table.

    • To mirror packets being forwarded to the bridge domain:

      [edit ... bridge-domains bridge-domain-name forwarding-options]user@host# set filter input pm-filter-for-bd-ingress-forwarded
    • To mirror packets being flooded to the bridge domain:

      [edit ... bridge-domains bridge-domain-name forwarding-options]user@host# set flood input pm-filter-for-bd-ingress-flooded
  5. Verify the minimum configuration for applying a Layer 2 port-mirroring firewall filter to the forwarding table or flood table of the bridge domain.

    1. Navigate to the hierarchy level at which the bridge domain is configured:

      • [edit]
      • [edit routing-instances routing-instance-name]
    2. Display the bridge domain configurations:

      user@host# show bridge domains bridge-domains {bridge-domain-name {instance-type vpls; # For a bridge domain under a routing instance.domain-type bridge;interface interface-name;forwarding-options {filter { # Mirror ingress forwarded trafficinput pm-filter-for-bd-ingress-forwarded;}flood { # Mirror ingress flooded trafficinput pm-filter-for-bd-ingress-flooded;}}}}

Published: 2010-05-11