
Applying Layer 2 Port Mirroring to a Logical Interface

You can apply a Layer 2 port-mirroring firewall filter to the input or to the output of a logical interface, including an aggregated Ethernet logical interface. Only packets of the address-type family specified by the filter action are mirrored.

Before you begin, complete the following task:

  • Define a Layer 2 port-mirroring firewall filter to be applied to the input or to the output of a logical interface. For details, see Defining a Layer 2 Port-Mirroring Firewall Filter.

    Note: This configuration task shows two Layer 2 port-mirroring firewall filters: one filter applied to the logical interface ingress traffic, and one filter applied to the logical interface egress traffic.

To apply a Layer 2 port-mirroring firewall filter to an input or output logical interface:

  1. Configure the underlying physical interface for the logical interface.

    1. Enable configuration of the underlying physical interface:

      [edit]
      user@host# edit interfaces interface-name

      Note: A port-mirroring firewall filter can also be applied to an aggregated-Ethernet logical interface.

    2. For Fast Ethernet and Gigabit Ethernet interfaces and aggregated Ethernet interfaces configured for VPLS, enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface:

      [edit interfaces interface-name]
      user@host# set vlan-tagging

    3. For Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID, set the logical link-layer encapsulation type:

      [edit interfaces interface-name]
      user@host# set encapsulation extended-vlan-bridge

  2. Configure the logical interface to which you want to apply a Layer 2 port-mirroring firewall filter.

    1. Specify the logical unit number:

      [edit interfaces interface-name]
      user@host# edit unit logical-unit-number

    2. For a Fast Ethernet, Gigabit Ethernet, or Aggregated Ethernet interface, bind an 802.1Q VLAN tag ID to the logical interface:

      [edit interfaces interface-name unit logical-unit-number]
      user@host# set vlan-id number

  3. Enable specification of an input or output filter to be applied to Layer 2 packets that are part of a bridging domain, Layer 2 switching cross-connects, or virtual private LAN service (VPLS).

    • If the filter is to be evaluated when packets are received on the interface:

      [edit interfaces interface-name unit logical-unit-number]
      user@host# set family family filter input pm-filter-name-a

    • If the filter is to be evaluated when packets are sent on the interface:

      [edit interfaces interface-name unit logical-unit-number]
      user@host# set family family filter output pm-filter-name-b

    The value of the family option can be bridge, ccc, or vpls.

    Note: If port-mirroring firewall filters are applied at both the input and output of a logical interface, two copies of each packet are mirrored. To prevent the router from forwarding duplicate packets to the same destination, include the optional mirror-once statement at the [edit forwarding-options] hierarchy level.

  4. Verify the minimum configuration for applying a named Layer 2 port-mirroring firewall filter to a logical interface:

    [edit interfaces interface-name unit logical-unit-number family family filter ... ]
    user@host# top
    [edit]
    user@host# show interfaces
    interfaces {
        interface-name {
            vlan-tagging;
            encapsulation extended-vlan-bridge;
            unit number { # Apply a filter to the input of this interface
                vlan-id number;
                family (bridge | ccc | vpls) {
                    filter {
                        input pm-filter-for-logical-interface-input;
                    }
                }
            }
            unit number { # Apply a filter to the output of this interface
                vlan-id number;
                family (bridge | ccc | vpls) {
                    filter {
                        output pm-filter-for-logical-interface-output;
                    }
                }
            }
        }
    }
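
The duplicate-mirroring condition described in the note under step 3 can be checked offline against a saved configuration. The following is an added example, not part of the original documentation: it reads set-format configuration lines, lists the logical interfaces that carry a given set of port-mirroring filters under family bridge, ccc, or vpls, and flags units that have both an input and an output filter while no mirror-once statement is present. The sample configuration, the interface and filter names, and the audit function are constructed for illustration, and the caller supplies which filter names are port-mirroring filters.

```python
import re

L2_FAMILIES = {"bridge", "ccc", "vpls"}  # family values named in step 3

# set interfaces <ifd> unit <n> family <family> filter input|output <name>
FILTER_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family (\S+) filter (input|output) (\S+)$")
# Assumption: mirror-once is accepted anywhere below forwarding-options.
MIRROR_ONCE_RE = re.compile(r"^set forwarding-options\b.*\bmirror-once$")

def audit(set_lines, pm_filters):
    """Return (attached, duplicated).

    attached:   {(interface, unit, family): {"input"/"output": filter name}}
    duplicated: units mirrored in both directions with no mirror-once set.
    """
    attached, mirror_once = {}, False
    for raw in set_lines.splitlines():
        line = raw.strip()
        if MIRROR_ONCE_RE.match(line):
            mirror_once = True
            continue
        m = FILTER_RE.match(line)
        if not m:
            continue
        ifd, unit, family, direction, name = m.groups()
        # Only Layer 2 families and only filters known to be port-mirroring.
        if family in L2_FAMILIES and name in pm_filters:
            attached.setdefault((ifd, int(unit), family), {})[direction] = name
    both = sorted(k for k, v in attached.items() if len(v) == 2)
    return attached, ([] if mirror_once else both)

# Constructed sample input (not taken from a real device).
SAMPLE = """
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 encapsulation extended-vlan-bridge
set interfaces ge-1/0/0 unit 0 vlan-id 100
set interfaces ge-1/0/0 unit 0 family bridge filter input pm-in
set interfaces ge-1/0/0 unit 0 family bridge filter output pm-out
set interfaces ae0 unit 10 vlan-id 200
set interfaces ae0 unit 10 family vpls filter input pm-in
set interfaces ge-1/0/1 unit 0 family inet filter input pm-in
"""

if __name__ == "__main__":
    attached, duplicated = audit(SAMPLE, {"pm-in", "pm-out"})
    for key, directions in sorted(attached.items()):
        print(key, directions)
    print("mirrored twice, no mirror-once:", duplicated)
```

The inventory in `attached` also serves as a record of where traffic is being copied, which can be compared against the mirroring points that are expected to exist.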

Published: 2010-05-11
