Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configure Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic

SUMMARY Selective packet mirroring filters can serve as a highly effective troubleshooting mechanism and can also be used for performance monitoring purposes.

Understanding Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic

This document focuses on a capability to select traffic using a wide variety of IPv4 or IPv6 filter match conditions and to mirror entire packets with their original Layer 2 header information.

Layer 2 header information might be essential to identify a specific customer in an edge router deployment or a specific Internet peer in a public peering case.

Features of Packet Mirroring with Layer 2 Headers for Layer 3 Forwarded Traffic

In a nutshell, you can mirror the original Layer 2 packet header when the l2-mirror action is configured in a family inet or family inet6 filter. Packets can be mirrored locally or remotely by using GRE tunnels.

If you specify the output interface in your mirroring configuration as a GRE tunnel interface, packets are encapsulated in GRE before transmission. A port-mirroring instance can be configured with multiple output protocol families.

Limitations for the Packet-Level Mirroring Configuration

  • The new action, l2-mirror, is only supported for family inet and family inet6filters.

  • Layer 2 mirroring is not supported on gr-*/*/* interfaces.

Configure a Filter with a Port-Mirroring Instance or with Global Port Mirroring

You configure l2-mirror under either firewall family (inet | inet6) filter filter-name term then port-mirror (global port mirroring) or firewall (inet | inet6) filter filter-name term then port-mirror-instance instance-name (port-mirroring instances, or "PM instances").

Having l2-mirror configured for a term indicates that for packets matching this term, the Layer 2 packet is mirrored. The software performs commit checks for invalid configurations, such as when l2-mirror is configured but no port-mirroring output interface is configured for family any in the global-level or instance-level port mirroring configuration. If you deactivate l2-mirror, the mirroring behavior reverts to Layer 3 mirroring.

The following two examples show the configuration of a filter (the filter name in the examples is f1) with a port-mirroring instance and with global port mirroring. In both examples traffic is mirrored to the remote destination over a GRE tunnel.


The port-mirroring configurations, which are under forwarding-options, are configured with family any, but the match conditions in the filter configuration are done under family inet. Using family any enables the mirroring of Layer 2 packets.

  1. To configure the filter with a port-mirroring instance:

    You can specify a gr- interface as your mirror destination. See Configuring Generic Routing Encapsulation Tunneling on ACX Series for information on configuring gr- interfaces (the document refers specifically to ACX Series routers; the same information applies to various other routers, including MX10003.)

  2. To configure the filter with global port mirroring:

Configure Mirroring for FTI Tunnels

When the data path traverses a flexible tunnel interface (FTI) tunnel, the output packet is sent with tunnel encapsulation. You can set up a configuration that mirrors the original packet as well as the packet with all encapsulations as it egresses out.

To mirror the original packet, configure input mirroring on the ingress WAN interface.

To mirror the packet with all encapsulations, enable output mirroring on the egress WAN interface.

To enable mirroring based on a filter installed on the FTI interface, you use a two-step process:

  1. You mark packets for mirroring using the policy action at the fti- interface. The policy action is typically used to select the egress rewrite rule, but in this case, the policy action is used to mark interesting packets with an internal policy attribute, without any special rewrite rule configured.
  2. You have the software intercept packets that match the specific policy on the egress WAN side and initiate the l2-mirror action. Packets are reported with Layer 2 header information, including tunnel encapsulation.

The following example shows Layer 3 port mirroring. To obtain Layer 2 port mirroring, simply configure the l2-mirror action as shown in the preceding examples in this document.

  1. Define policy-map policy-map-name under the class-of-service stanza:
  2. Apply an output filter on the FTI with action policy-map pm1:
  3. The following configuration output shows the FTI configuration on interface fti0.1001. (For more detail on configuring an FTI tunnel, see Flexible Tunnel Interfaces Overview.)
  4. Add a filter (here named mirror-all) on the egress WAN interface with match from policy-map pm1 then port-mirror:

Attachment Points for Filters

Filter Attachment Point Interface Type Mirrored Packet Layer 2 Header
Input Any Ethernet except gr- and fti- Layer 2 header of the incoming packet is reported
Output Any Ethernet except gr- and fti- Layer 2 header of the incoming packet is reported
Input or output gr- interface Not supported
Input fti- interface Incoming Layer 2 header of the original packet (as it was seen on the WAN port)
Output fti- interface Incoming Layer 2 header of the original packet (as it was seen on the WAN port)
Input irb interface Incoming Layer 2 header of the original packet (as it was seen on the WAN port)
Output irb interface Not supported

Suggestions for Enhancements to Your Packet-Filtering Configuration

Consider the following as an additional practice to enhance your filter network telemetry setup:

You can use input-chain and output-chain filters to separate the filter configuration used for mirroring from existing filters, thus helping you to avoid inadvertent configuration errors while troubleshooting. For details of this feature, see Example: Using Firewall Filter Chains.