1:N Port Mirroring to Multiple Destinations on Switches
SUMMARY You can use the port mirroring feature described in this document to mirror traffic to multiple Layer 2 destinations.
1:N Port Mirroring—Description and Configuration Guidelines
- What Is 1:N Port Mirroring?
- Getting Ready to Configure 1:N Port Mirroring—Guidelines and Limitations
- Overview of Configuration Tasks for 1:N Port Mirroring
What Is 1:N Port Mirroring?
We use the term 1:N port mirroring in this document to refer to the feature that enables you to mirror packets to multiple destinations. "1" represents the packet source being mirrored and "N" represents the multiple destinations the packet is sent to. You might also see this feature described as multipacket mirroring.
Port mirroring helps network administrators to debug network problems and to fend off attacks on the network. You can use port mirroring for traffic analysis on network devices such as routers and switches that, unlike hubs, do not broadcast packets to every interface on the destination device. Port mirroring sends copies of all packets to local or remote analyzers where you can monitor and analyze the data.
You use 1:N port mirroring to mirror traffic to multiple Layer 2 destinations. You use next-hop groups in this feature configuration.
You configure these multiple observing ports with connections to different monitoring devices.
Getting Ready to Configure 1:N Port Mirroring—Guidelines and Limitations
You can configure the 1:N port mirroring feature in the following two configuration methods:-
Port mirroring (using a firewall filter-based method) at the
[edit forwarding-options port-mirroring instance]hierarchy -
Native analyzer at the
[edit forwarding-options analyzer]hierarchy
You can configure both of the preceding methods on the same device. See Sample Configuration Results for an example.
The following address families are supported in 1:N port mirroring:
-
ethernet-switching -
inet -
inet6
Here are the limitations that you need to keep in mind as you configure the feature:
-
Next-hop group members can be Layer 2 only, not Layer 3.
- You can configure
next-hop-group outputsupport only for local port mirroring—that is, not for remote port mirroring or for remote port mirroring to an IP address (GRE encapsulation). -
You can configure as many as 4 next-hop groups, and you can add up to 4 interfaces to each next-hop group. You must define at least 2 destinations to send packets to more than one destination; however, you can define just one destination in a next-hop group.
Table 1 lists the configuration-hierarchy combinations you use to build your 1:N mirroring topology:
| Configuration Method | Hierarchies |
|---|---|
|
Port mirroring (filter-based) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Native analyzer |
|
|
|
|
|
|
|
|
|
You can read through the configuration task subsections, or you can jump to the Sample Configuration Results that shows the combined task results.
Overview of Configuration Tasks for 1:N Port Mirroring
The following configuration task subsections show you how to configure each of the hierarchies listed in Table 1. You can read through the configuration task subsections, or you can jump to the Sample Configuration Results that shows the combined task results.
Configure the Port-Mirroring Instance
To configure the port-mirroring instance, enter the following commands in the
configuration mode [edit]:
Configure the Native Analyzer
To configure the native analyzer, enter the following commands in the
configuration mode [edit]:
- set forwarding-options analyzer analyzer-name input ingress interface interface-name
- set forwarding-options analyzer analyzer-name output next-hop-group next-hop-group-name
Configure Next-Hop Groups
To configure next-hop groups, enter the following command in the configuration
mode [edit]:
You must configure the group-type value as
layer-2.
Configure the Firewall Filter
To configure the firewall filter, enter the following commands in the
configuration mode [edit]:
Define a firewall filter that references the next-hop group as the filter action.
For information about configuring firewall filters in general, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
- set firewall family family-name filter filter-name term term-name then port-mirror-instance instance-name
- set firewall family family-name filter filter-name term term-name from source-port port-number
Configure the Interfaces
To configure the interfaces, enter the following commands in the configuration
mode [edit]:
- set interfaces interface-name unit logical-unit-number family family-name interface-mode mode
- set interfaces interface-name unit logical-unit-number family family-name filter input filter-name
Configure the VLANs
To configure VLANs, enter the following commands in the configuration mode
[edit]:
Sample Configuration Results
set interfaces ge-2/1/9 unit 0 family ethernet-switching interface-mode trunk set interfaces ge-2/1/9 unit 0 family ethernet-switching vlan members 100-102 set interfaces ge-2/2/7 unit 0 family ethernet-switching interface-mode trunk set interfaces ge-2/2/7 unit 0 family ethernet-switching vlan members 100-102 set interfaces ge-2/3/0 unit 0 family ethernet-switching interface-mode trunk set interfaces ge-2/3/0 unit 0 family ethernet-switching vlan members 100-102 set interfaces ge-2/3/0 unit 0 family ethernet-switching filter input f1 set forwarding-options analyzer analyz1 input ingress interface ge-2/3/0.0 set forwarding-options analyzer analyz1 output next-hop-group nhg1 set forwarding-options port-mirroring instance inst1 family ethernet-switching output next-hop-group nhg1 set forwarding-options next-hop-group nhg1 group-type layer-2 set forwarding-options next-hop-group nhg1 interface ge-2/2/7.0 set firewall family ethernet-switching filter f1 term t1 from source-port 7023 set firewall family ethernet-switching filter f1 term t1 then port-mirror-instance inst1