Example: Configure Port Mirroring with Family any and a Firewall Filter
Overview
• Family any (for family any, ccc, ethernet-switching, or mpls)
You use the family any configuration option to process all four families.
You use [edit forwarding-options port-mirroring] for local port mirroring or [edit forwarding-options port-mirroring instance instance-name] for remote port mirroring; both configurations also require a firewall filter.
The following caveats and limitations apply when you configure this feature:
Caveats
- If you need to change the port-mirroring output configuration, first delete the existing output configuration and then configure the new output configuration.
- If the number of remote port mirror instances exceeds 15, no commit error is displayed.
- A Packet Forwarding Engine error message is generated if the number of port mirror instances exceeds 15. However, if you delete one of the existing instances, the sixteenth instance is not programmed automatically. You must first delete the sixteenth instance and then add it again.
- One sampled packet can be sent to only one NMS device.
- Each family consumes one instance, so the total instance count is the number of configured instances plus the number of families.
- An FTI interface must operate in loopback mode.
Note: FTI interfaces are included in remote port-mirroring configurations.
- You can configure the maximum packet length as a multiple of 128 bytes; an exported packet is 22 bytes shorter than the configured value.
- Do not configure multiple interfaces for the same instance. This is not supported, and no commit error is created if you commit multiple interfaces for the same instance.
- A restart of the mirror daemon (mirrord) and a GRES both cause a momentary drop.
- Tunnel-terminated packets in the egress direction are not mirrored.
- The combined actions port-mirror and discard in the egress direction are not supported.
- Jumbo traffic in the egress direction for the FTI interface is not supported.
Limitations
- Enterprise-style and provider-style L2 configuration (ethernet-switching) is not supported by the family any filter.
- One sampled packet can be sent to only one remote port mirror instance. The same sampled packet cannot be sent to multiple NMS devices.
- Statistics related to port-mirrored packets must be verified through the firewall filter or the FTI.
- MPLS traffic on egress is not supported by the family any filter.
- An aggregated Ethernet (ae) interface is not supported as the outgoing interface on the family any filter.
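Several of the conditions above (more than 15 remote instances, more than one output interface in one instance) are explicitly not caught by the commit check, so a pre-commit lint over the set commands is the practical safeguard. The following script is an added example written for this page, not Juniper code: it reads Junos set commands and flags the four conditions the page lists that commit does not reject. The local-form commands are the ones shown in this example; the instance name rpm1, the additional interfaces, and the use of the instance NAME and input maximum-packet-length knobs follow Junos port-mirroring syntax and are assumptions here.

```python
"""Pre-commit lint for Junos port-mirroring 'set' commands.

Added example for this page, not Juniper code. It flags the conditions the
page lists as unsupported but NOT rejected at commit time: more than 15
remote instances, more than one output interface per instance, an ae
interface as the family any output, and a maximum-packet-length that is not
a multiple of 128. The 'instance NAME' and 'input maximum-packet-length'
knobs follow Junos port-mirroring syntax and are assumptions here; the page
itself shows only the local form.
"""
import re
from collections import defaultdict

PREFIX = "set forwarding-options port-mirroring"
MAX_REMOTE_INSTANCES = 15   # page: PFE error beyond 15, no commit error
PACKET_LENGTH_STEP = 128    # page: maximum packet length is a multiple of 128 bytes
EXPORT_OVERHEAD = 22        # page: exported packet is 22 bytes shorter than configured
LOCAL = "<local>"           # scope label for commands without 'instance NAME'

_OUTPUT_RE = re.compile(r"\boutput interface (\S+)")
_MAXLEN_RE = re.compile(r"\bmaximum-packet-length (\d+)")


def exported_packet_length(configured):
    """Bytes actually exported for a configured maximum-packet-length."""
    return configured - EXPORT_OVERHEAD


def lint_port_mirroring(set_commands):
    """Return warnings for caveats the commit check does not enforce."""
    warnings = []
    outputs = defaultdict(set)   # scope -> output interfaces seen
    remote_instances = set()

    for raw in set_commands:
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue                      # not a port-mirroring command
        tokens = line[len(PREFIX):].split()
        scope = LOCAL
        if tokens[:1] == ["instance"] and len(tokens) >= 2:
            scope = tokens[1]             # remote instance name
            remote_instances.add(scope)
            tokens = tokens[2:]
        body = " ".join(tokens)

        m = _OUTPUT_RE.search(body)
        if m:
            ifname = m.group(1)
            outputs[scope].add(ifname)
            # ae interfaces are not supported as the family any output
            if "family any" in body and ifname.startswith("ae"):
                warnings.append(
                    f"{scope}: {ifname} is an aggregated Ethernet interface, "
                    "not supported as the family any output interface")

        m = _MAXLEN_RE.search(body)
        if m:
            length = int(m.group(1))
            if length % PACKET_LENGTH_STEP:
                warnings.append(
                    f"{scope}: maximum-packet-length {length} is not a multiple "
                    f"of {PACKET_LENGTH_STEP}")

    # Multiple output interfaces in one instance: unsupported, silently committed
    for scope, ifnames in outputs.items():
        if len(ifnames) > 1:
            warnings.append(
                f"{scope}: {len(ifnames)} output interfaces "
                f"({', '.join(sorted(ifnames))}) in one instance are not supported")

    # More than 15 remote instances: PFE error, not a commit error
    if len(remote_instances) > MAX_REMOTE_INSTANCES:
        warnings.append(
            f"{len(remote_instances)} remote instances configured; only "
            f"{MAX_REMOTE_INSTANCES} are supported")
    return warnings


# Constructed input: the page's two local commands plus a deliberately bad
# remote instance (hypothetical name rpm1, hypothetical interfaces).
SAMPLE_SET_COMMANDS = """
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family any output interface et-0/0/0:3.0
set forwarding-options port-mirroring instance rpm1 input maximum-packet-length 300
set forwarding-options port-mirroring instance rpm1 family any output interface ae10.0
set forwarding-options port-mirroring instance rpm1 family any output interface et-0/0/1:0.0
""".strip().splitlines()

if __name__ == "__main__":
    for warning in lint_port_mirroring(SAMPLE_SET_COMMANDS):
        print("WARN", warning)
```

Run it against the text file you assemble for the CLI Quick Configuration step before pasting it into the CLI; the sample input produces three warnings (odd packet length, ae output interface, two output interfaces in rpm1), while the page's own two local commands produce none. The lint looks only at set commands, so a configuration that has already been loaded would need to be exported with show configuration | display set first.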
Requirements
- PTX10008 or PTX10016
- Junos OS Evolved Release 22.2R1 or later
Topology
The following example shows a configuration of local port mirroring with family any and a firewall filter. The filter is applied as an input filter on two logical units of the aggregated Ethernet interface ae10, and the mirrored copies are sent out the ccc-encapsulated interface et-0/0/0:3.0. Note that the ae interface is used here only as the filtered input interface; the limitations above rule out an ae interface as the output interface of the family any filter.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ae10 vlan-tagging
set interfaces ae10 encapsulation flexible-ethernet-services
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 aggregated-ether-options lacp periodic fast
set interfaces ae10 unit 1038 encapsulation vlan-bridge
set interfaces ae10 unit 1038 vlan-id 1038
set interfaces ae10 unit 1038 filter input mirror_to_analytics
set interfaces ae10 unit 1046 encapsulation vlan-bridge
set interfaces ae10 unit 1046 vlan-id 1046
set interfaces ae10 unit 1046 filter input mirror_to_analytics
set interfaces et-0/0/0:3 encapsulation ethernet-ccc
set interfaces et-0/0/0:3 unit 0 family ccc
set firewall family any filter mirror_to_analytics term port-mirror from learn-vlan-id 1024-1055
set firewall family any filter mirror_to_analytics term port-mirror then count c1
set firewall family any filter mirror_to_analytics term port-mirror then port-mirror
set firewall family any filter mirror_to_analytics term all-else then accept
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family any output interface et-0/0/0:3.0
Results
Check the results of the configuration. The input rate of 1 mirrors every packet that matches the filter; a sampling ratio such as 1:1000 is recommended so that you do not mirror all the traffic.
firewall {
    family any {
        filter mirror_to_analytics {
            term port-mirror {
                from {
                    learn-vlan-id 1024-1055;
                }
                then count c1;
                then port-mirror;
            }
            term all-else {
                then accept;
            }
        }
    }
}
interfaces {
    ae10 {
        vlan-tagging;
        encapsulation flexible-ethernet-services;
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 1038 {
            encapsulation vlan-bridge;
            filter {
                input mirror_to_analytics;
            }
            vlan-id 1038;
        }
        unit 1046 {
            encapsulation vlan-bridge;
            filter {
                input mirror_to_analytics;
            }
            vlan-id 1046;
        }
    }
    et-0/0/0:3 {
        encapsulation ethernet-ccc;
        unit 0 {
            family ccc;
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;
        }
        family any {
            output {
                interface et-0/0/0:3.0;
            }
        }
    }
}