Configure Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic
SUMMARY Selective packet mirroring filters can serve as a highly effective troubleshooting mechanism and can also be used for performance monitoring purposes.
Understanding Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic
This document focuses on a capability to select traffic using a wide variety of IPv4 or IPv6 filter match conditions and to mirror entire packets with their original Layer 2 header information.
Layer 2 header information might be essential to identify a specific customer in an edge router deployment or a specific Internet peer in a public peering case.
- Features of Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic
- Limitations for the Packet-Level Mirroring Configuration
Features of Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic
In a nutshell, you can mirror the original Layer 2 packet header when the l2-mirror action is configured in a family inet or family inet6 filter. Packets can be mirrored locally or remotely by using GRE tunnels.
If you specify the output interface in your mirroring configuration as a GRE tunnel interface, packets are encapsulated in GRE before transmission. A port-mirroring instance can be configured with multiple output protocol families.
Limitations for the Packet-Level Mirroring Configuration
- The new action, l2-mirror, is only supported for family inet and family inet6 filters.
- Layer 2 mirroring is not supported on gr-*/*/* interfaces.
Configure a Filter with a Port-Mirroring Instance or with Global Port Mirroring
You configure l2-mirror under either firewall family (inet | inet6) filter filter-name term then port-mirror (global port mirroring) or firewall family (inet | inet6) filter filter-name term then port-mirror-instance instance-name (port-mirroring instances, or "PM instances").
Having l2-mirror configured for a term indicates that for packets matching this term, the Layer 2 packet is mirrored. The software performs commit checks for invalid configurations, such as when l2-mirror is configured but no port-mirroring output interface is configured for family any at the global level or at the instance level of the port-mirroring configuration.
If you deactivate l2-mirror, the mirroring behavior reverts to Layer 3 mirroring.
The following two examples show the configuration of a filter (the filter name in the examples is f1) with a port-mirroring instance and with global port mirroring. In both examples traffic is mirrored to the remote destination over a GRE tunnel.
The port-mirroring configurations, which are under forwarding-options, are configured with family any, but the match conditions in the filter configuration are done under family inet. Using family any enables the mirroring of Layer 2 packets.
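The two variants described above (PM instance and global port mirroring) written out as set-style configuration. This is an added example, not configuration from the original page or from Juniper; the customer prefix, the tunnel endpoints, the interface names xe-0/0/0 and gr-0/0/0.0, the instance name pm1, the FPC slot, and the pre-existing filter name existing-in are all assumptions.

```junos
# Added example (not from the original page). Filter f1 matches IPv4 traffic
# from an assumed customer prefix; l2-mirror makes the mirrored copy carry the
# original Layer 2 header so the customer can be identified at the collector.
set firewall family inet filter f1 term mirror-customer from source-address 192.0.2.0/24
set firewall family inet filter f1 term mirror-customer then port-mirror-instance pm1
set firewall family inet filter f1 term mirror-customer then l2-mirror
set firewall family inet filter f1 term mirror-customer then accept
# Keep forwarding non-matching traffic (a filter ends with an implicit discard).
set firewall family inet filter f1 term default then accept

# Variant 1: port-mirroring instance pm1. The output family must be "any",
# while the match conditions above stay under family inet. The output
# interface is the GRE tunnel (assumed name), so copies are GRE-encapsulated.
set forwarding-options port-mirroring instance pm1 input rate 1
set forwarding-options port-mirroring instance pm1 family any output interface gr-0/0/0.0
# A PM instance has to be bound to the FPC hosting the mirrored interface (assumed slot 0).
set chassis fpc 0 port-mirror-instance pm1

# GRE tunnel to the remote collector (assumed source/destination addresses).
set interfaces gr-0/0/0 unit 0 tunnel source 198.51.100.1
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.2
set interfaces gr-0/0/0 unit 0 family inet

# Attach f1 as an input filter chain on the assumed customer-facing WAN port,
# after an assumed pre-existing filter, so the mirroring filter stays separate.
set interfaces xe-0/0/0 unit 0 family inet filter input-chain [ existing-in f1 ]

# Variant 2: global port mirroring. Replace the instance action in the term
# with the global "port-mirror" action and configure the global output instead.
delete firewall family inet filter f1 term mirror-customer then port-mirror-instance
set firewall family inet filter f1 term mirror-customer then port-mirror
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family any output interface gr-0/0/0.0
```

Removing only the l2-mirror line from the term (the "deactivate" case in the text) leaves the same filter mirroring Layer 3 packets without their Layer 2 headers.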
Configure Mirroring for FTI Tunnels
When the data path traverses a flexible tunnel interface (FTI) tunnel, the output packet is sent with tunnel encapsulation. You can set up a configuration that mirrors the original packet as well as the packet with all encapsulations as it egresses out.
To mirror the original packet, configure input mirroring on the ingress WAN interface.
To mirror the packet with all encapsulations, enable output mirroring on the egress WAN interface.
To enable mirroring based on a filter installed on the FTI interface, you use a two-step process:
- You mark packets for mirroring using the policy action at the fti- interface. The policy action is typically used to select the egress rewrite rule, but in this case, the policy action is used to mark interesting packets with an internal policy attribute, without any special rewrite rule configured.
- You have the software intercept packets that match the specific policy on the egress WAN side and initiate the l2-mirror action. Packets are reported with Layer 2 header information, including tunnel encapsulation.
The following example shows Layer 3 port mirroring. To obtain Layer 2 port mirroring, simply configure the l2-mirror action as shown in the preceding examples in this document.
Attachment Points for Filters
| Filter Attachment Point | Interface Type | Mirrored Packet Layer 2 Header |
|---|---|---|
| Input | Any Ethernet except gr- and fti- | Layer 2 header of the incoming packet is reported |
| Output | Any Ethernet except gr- and fti- | Layer 2 header of the incoming packet is reported |
| Input or output | gr- interface | Not supported |
| Input | fti- interface | Incoming Layer 2 header of the original packet (as it was seen on the WAN port) |
| Output | fti- interface | Incoming Layer 2 header of the original packet (as it was seen on the WAN port) |
| Input | irb interface | Incoming Layer 2 header of the original packet (as it was seen on the WAN port) |
| Output | irb interface | Not supported |
Suggestions for Enhancements to Your Packet-Filtering Configuration
Consider the following additional practice to enhance your filter-based network telemetry setup:
You can use input-chain and output-chain filters to separate the filter configuration used for mirroring from existing filters, thus helping you to avoid inadvertent configuration errors while troubleshooting. For details of this feature, see Example: Using Firewall Filter Chains.